TL;DR: I install Wireguard on a VPS, connect to it from my home OpenWRT router, and access my home subnet from my phone.
If you keep your personal infrastructure on a home server, or have many IP-controlled devices at home, you probably want to reach them from work, the bus, the train and the metro. Most often, for tasks like this, an IP address is bought from the provider, after which the ports of each service are forwarded to the outside.
Instead, I set up a VPN with access to my home LAN. The advantages of this solution:
- Transparency: I feel at home in any situation.
- Simplicity: set it and forget it, no need to think about how to forward each port.
- Cost: I already had a VPS; for tasks like this a modern VPN is almost free in terms of resources.
- Security: nothing is exposed, you can leave MongoDB without a password and nobody will steal your data.
As always, there are drawbacks. First, you have to configure each client separately, including on the server side. This can be inconvenient if you have a large number of devices from which you want to reach the services. Second, you may have a LAN with the same address range at work, and you will have to solve that problem.
We need:
- A VPS (in my case on Debian 10).
- An OpenWRT router.
- A phone.
- A home server with some web service for testing.
- Straight hands.
The VPN technology I will use is Wireguard. This solution also has its strengths and weaknesses; I won't describe them. For the VPN I use the subnet 192.168.99.0/24, and at home 192.168.0.0/24.
Configuring the VPS
Even the cheapest VPS for 30 rubles a month is enough for the job, if you are lucky enough to have one.
I perform all operations on the server as root on a clean machine; if necessary, add 'sudo' and adapt the instructions.
Wireguard did not make it into stable in time, so I run 'apt edit-sources' and add backports as two lines at the end of the file:
deb http://deb.debian.org/debian/ buster-backports main
# deb-src http://deb.debian.org/debian/ buster-backports main
The package is installed the usual way: apt update && apt install wireguard
Next, we generate a key pair: wg genkey | tee /etc/wireguard/vps.private | wg pubkey | tee /etc/wireguard/vps.public
Repeat this operation two more times, once for each device participating in the scheme. Change the key file paths for the other device, and don't forget about the security of the private keys.
Now we prepare the config. The following config is placed in the file /etc/wireguard/wg0.conf:
[Interface]
Address = 192.168.99.1/24
ListenPort = 57953
PrivateKey = 0JxJPUHz879NenyujROVK0YTzfpmzNtbXmFwItRKdHs=
[Peer] # OpenWRT
PublicKey = 36MMksSoKVsPYv9eyWUKPGMkEs3HS+8yIUqMV8F+JGw=
AllowedIPs = 192.168.99.2/32,192.168.0.0/24
[Peer] # Smartphone
PublicKey = /vMiDxeUHqs40BbMfusB6fZhd+i5CIPHnfirr5m3TTI=
AllowedIPs = 192.168.99.3/32
The [Interface] section holds the settings of the machine itself, and [Peer] holds the settings for those who will connect to it. AllowedIPs lists, separated by commas, the subnets that will be routed to the corresponding peer. Because of this, the peers of "client" devices in the VPN subnet must have a /32 mask; everything else will be routed by the server. Since the home network is routed through OpenWRT, we add the home subnet to the AllowedIPs of the corresponding peer. PrivateKey and PublicKey hold, respectively, the private key generated for the VPS and the public keys of the peers.
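How the server applies the AllowedIPs entries above, as an added example that is not part of the original article: it parses the article's wg0.conf (private key replaced by a placeholder), picks the peer for a destination by longest matching prefix, uses the same table as the inbound source filter, and reports entries on different peers that cover common addresses. Peers are labelled by their trailing comments, as in the config above; the function names are hypothetical.

```python
import ipaddress

# Server config from the article; the private key is replaced by a placeholder.
WG0_CONF = """\
[Interface]
Address = 192.168.99.1/24
ListenPort = 57953
PrivateKey = <placeholder>
[Peer] # OpenWRT
PublicKey = 36MMksSoKVsPYv9eyWUKPGMkEs3HS+8yIUqMV8F+JGw=
AllowedIPs = 192.168.99.2/32,192.168.0.0/24
[Peer] # Smartphone
PublicKey = /vMiDxeUHqs40BbMfusB6fZhd+i5CIPHnfirr5m3TTI=
AllowedIPs = 192.168.99.3/32
"""

def parse_peers(text):
    """Return {peer label: [ip_network, ...]}; labels come from '# comment'."""
    peers, current = {}, None
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        key, _, value = (part.strip() for part in line.partition("="))
        if key.startswith("["):
            current = comment.strip() if key == "[Peer]" else None
            if current:
                peers[current] = []
        elif current and key == "AllowedIPs":
            peers[current] += [ipaddress.ip_network(v.strip(), strict=False)
                               for v in value.split(",") if v.strip()]
    return peers

def route(peers, dst):
    """Peer that owns dst: longest matching AllowedIPs prefix, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, label) for label, nets in peers.items()
            for net in nets if addr in net]
    return max(hits)[1] if hits else None

def accepts(peers, sender, src):
    """Inbound filter: a decrypted packet is kept only if its source
    address routes back to the peer that sent it."""
    return route(peers, src) == sender

def overlaps(peers):
    """Pairs of entries on different peers that cover common addresses."""
    flat = [(label, net) for label, nets in peers.items() for net in nets]
    return [(a, str(x), b, str(y)) for i, (a, x) in enumerate(flat)
            for b, y in flat[i + 1:] if a != b and x.overlaps(y)]
```

Changing the smartphone entry to 192.168.99.3/24 makes overlaps() report it, and the phone would then be accepted as the source for every address in the VPN subnet that no longer prefix claims.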
On the VPS side, all that remains is to run the command that brings up the interface and adds it to autostart: systemctl enable --now wg-quick@wg0
The current connection status can be checked with the command wg.
Connecting OpenWRT
Everything you need for this stage is in the luci module (the OpenWRT web interface). Log in and open the Software tab in the System menu. OpenWRT does not keep a cache on the machine, so you need to update the list of available packages by clicking the green Update button. When it finishes, type luci-app-wireguard into the filter and, after looking at the window with the pretty dependency tree, install this package.
In the Network menu, select Interfaces and click the green Add new interface button below the list of existing ones. After you enter a name (also wg0 in my case) and select the WireGuard VPN protocol, a settings form with four tabs opens.
On the General Settings tab, you need to enter the private key and the IP address prepared for OpenWRT, along with the subnet.
On the Firewall Settings tab, attach the interface to the local network zone. This way, connections from the VPN will freely enter the local zone.
On the Peers tab, click the only button, then fill in the VPS server's data in the updated form: the public key and Allowed IPs (you need to route the whole VPN subnet to the server). In Endpoint Host and Endpoint Port, enter the IP address of the VPS and the port specified earlier in the ListenPort directive, respectively. Check Route Allowed IPs so that the routes are created. And be sure to fill in Persistent Keep Alive, otherwise the tunnel from the VPS to the router will break if the router is behind NAT.
After that, you can save the settings, then on the page with the list of interfaces click Save and apply. If necessary, start the interface explicitly with the Restart button.
Setting up the smartphone
You will need the Wireguard client, which is available in
Screenshot from the phone
Click the floppy disk in the corner, switch it on and...
Done
Now you can reach your home monitoring, change the router settings, or do anything else at the IP level.
Screenshots from the local network
Source: www.habr.com