Migrating from OpenVPN to WireGuard to join networks into a single L2 network

I'd like to share my experience of joining the networks of three geographically distant apartments, each of which uses an OpenWRT router as its gateway, into one common network. When choosing between L3 with subnet routing and L2 with bridging, where all network nodes end up in the same subnet, I preferred the second method: it is harder to configure, but it offers more possibilities because it is transparent. The plan was to use Wake-on-LAN and DLNA across the resulting network.

Part 1: Background

OpenVPN was initially chosen as the protocol for this task because, first, it can create a tap device that can be added to a bridge without problems, and second, it supports operation over TCP. The latter was also important: none of the apartments had a dedicated IP address, and I could not use STUN, because for some reason my ISP blocks incoming UDP connections from its networks, whereas TCP let me forward the VPN server's port to a rented VPS over SSH. Yes, this approach carries a large overhead, since the data is encrypted twice, but I did not want to bring the VPS into my private network, because there remained a risk of third parties gaining control over it. Having such a device in the home network was highly undesirable, so it was decided to pay for security with a large overhead.

To forward the port to the router on which the server was to run, the sshtunnel program was used. I won't describe the details of its configuration, which is easy enough; I'll only note that its job was to forward TCP port 1194 from the router to the VPS. Next, the OpenVPN server was configured on the tap0 device, which was attached to the br-lan bridge. After checking the connection to the newly created server from a laptop, it became clear that the port forwarding idea had justified itself, and my laptop became a member of the router's network even though it was not physically in it.

Only a small matter remained: IP addresses had to be distributed across the apartments so that they did not conflict, and the routers had to be configured as OpenVPN clients.
The following router IP addresses and DHCP server ranges were chosen:

  • 192.168.10.1 with the range 192.168.10.2 - 192.168.10.80 for the server
  • 192.168.10.100 with the range 192.168.10.101 - 192.168.10.149 for the router in apartment No
  • 192.168.10.150 with the range 192.168.10.151 - 192.168.10.199 for the router in apartment No

It was also necessary to assign exactly these addresses to the client routers of the OpenVPN server by adding a line to its configuration:

ifconfig-pool-persist /etc/openvpn/ipp.txt 0

and adding the following lines to the /etc/openvpn/ipp.txt file:

flat1_id 192.168.10.100
flat2_id 192.168.10.150

where flat1_id and flat2_id are the device names specified when generating the certificates for connecting to OpenVPN.

After that, the OpenVPN clients were configured on the routers, and the tap0 devices on both were added to the br-lan bridge. At this stage everything seemed to be in order, since all three networks could see each other and worked as a single whole. However, an unpleasant detail emerged: sometimes devices could obtain an IP address from a router other than their own, with all the ensuing consequences. For some reason, the router in one of the apartments did not manage to answer DHCPDISCOVER in time and the device received the wrong address. I realized that I needed to filter such requests on tap0 on each of the routers, but as it turned out, iptables cannot work with a device that is part of a bridge, and ebtables had to come to my aid. Unfortunately, it was not in my firmware and I had to rebuild the images for each device. By doing this and adding these lines to /etc/rc.local on each router, the problem was solved:

ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

This configuration lasted three years.

Part 2: Introducing WireGuard

Recently the Internet has been talking a lot about WireGuard, admiring the simplicity of its configuration, its high transfer speed and its low ping with comparable security. Searching for more information about it made it clear that it supports neither operation as a bridge member nor operation over TCP, which led me to think that there were still no alternatives to OpenVPN for me. So I put off getting to know WireGuard.

A few days ago, news spread across resources related in one way or another to IT that WireGuard would finally be included in the Linux kernel, starting with version 5.6. The news articles, as always, praised WireGuard. I again plunged into searching for ways to replace good old OpenVPN. This time I came across this article. It described creating an Ethernet tunnel over L3 using GRE. That article gave me hope. It remained unclear what to do about the UDP protocol. Searching led me to articles about using socat together with an SSH tunnel to forward a UDP port; however, they noted that this approach works only in single-connection mode, which means that multiple VPN clients would not be possible. I came up with the idea of setting up a VPN server on the VPS and setting up GRE for the clients, but as it turned out, GRE does not support encryption, which would mean that if third parties gained access to the server, all traffic between my networks would be in their hands, and that did not suit me at all.

Once again, the decision was made in favor of redundant encryption, by using VPN over VPN according to the following scheme:

First-level VPN:
VPS: server with internal address 192.168.30.1
MS: client of the VPS with internal address 192.168.30.2
MK2: client of the VPS with internal address 192.168.30.3
MK3: client of the VPS with internal address 192.168.30.4

Second-level VPN:
MS: server with external address 192.168.30.2 and internal address 192.168.31.1
MK2: client of MS at address 192.168.30.2, with internal IP 192.168.31.2
MK3: client of MS at address 192.168.30.2, with internal IP 192.168.31.3

* MS - router-server in apartment 1, MK2 - router in apartment 2, MK3 - router in apartment 3
* The device configurations are published in the spoiler at the end of the article.

And so, pings between the nodes of the 192.168.31.0/24 network go through, and it is time to move on to setting up the GRE tunnel. Before that, so as not to lose access to the routers, it is worth setting up SSH tunnels that forward port 22 to the VPS, so that, for example, the router in apartment 2 is reachable on port 10022 of the VPS and the router in apartment 3 is reachable on port 11122 of the VPS. It is best to configure the forwarding with the same sshtunnel, since it will restore the tunnel if it drops.

The tunnel is configured; you can connect to SSH through the forwarded port:

ssh root@МОЙ_VPS -p 10022

Next, stop OpenVPN:

/etc/init.d/openvpn stop

Now let's create the GRE tunnel on the router in apartment 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set grelan0 up

And add the created interface to the bridge:

brctl addif br-lan grelan0

Let's perform the same procedure on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set grelan0 up

And also add the created interface to the bridge:

brctl addif br-lan grelan0

From this moment, pings to the new network start going through successfully and I, satisfied, go to drink coffee. Then, to see how the network at the other end of the wire is working, I try to SSH into one of the computers in apartment 2, but the ssh client hangs without prompting me for a password. I try to connect to this computer via telnet on port 22 and see a line from which it is clear that the connection is being established and the SSH server responds, but for some reason it does not let me log in.

$ telnet 192.168.10.110 22
SSH-2.0-OpenSSH_8.1

I try to connect to it via VNC and see a black screen. I convince myself that the problem is in the remote computer, because I can easily connect to the router in that apartment using its internal address. However, I decide to SSH into this computer through the router and am surprised to find that the connection succeeds and the remote computer works perfectly well, but it too fails to connect to my computer.

I remove the grelan0 device from the bridge, start OpenVPN on the router in apartment 2 and make sure that the network works properly again and connections do not drop. Searching, I come across forums where people complain about the same problems and are advised to raise the MTU. No sooner said than done. However, until the MTU was set to a sufficiently large value, 7000 for the gretap devices, either dropped TCP connections or slow transfers were observed. Because of the high gretap MTU, the MTUs of the first-level and second-level WireGuard connections were set to 8000 and 7500 respectively.
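
An added example, not part of the original article: it follows one bridged LAN packet through gretap and both WireGuard levels with the MTU values above, showing that an oversized frame is dropped at the bridge port (a bridge cannot fragment) while the raised MTUs move fragmentation to the WAN link. The WAN MTU of 1492 (the usual PPPoE value) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: size of one bridged LAN packet after each tunnel layer.
# Overheads are protocol constants; WAN_MTU=1492 is an assumed PPPoE value.

GRETAP_OVERHEAD=38   # outer IPv4 20 + GRE 4 + inner Ethernet header 14
WG_OVERHEAD=60       # outer IPv4 20 + UDP 8 + WireGuard header 16 + auth tag 16
WAN_MTU=${WAN_MTU:-1492}

# gretap_wrap INNER_IP_LEN GRETAP_MTU -> outer packet length, or "drop".
# A bridge port never fragments: an oversized frame is silently discarded.
gretap_wrap() {
    if [ "$1" -gt "$2" ]; then echo drop; return; fi
    echo $(( $1 + GRETAP_OVERHEAD ))
}

# wg_wrap LEN WG_MTU -> encrypted outer packet length (assumes LEN <= WG_MTU).
# WireGuard pads the plaintext to a multiple of 16 bytes, capped at the MTU.
wg_wrap() {
    padded=$(( ($1 + 15) / 16 * 16 ))
    [ "$padded" -gt "$2" ] && padded=$2
    echo $(( padded + WG_OVERHEAD ))
}

# ip_fragments LEN MTU -> number of IPv4 packets needed on that link.
ip_fragments() {
    [ "$1" -le "$2" ] && { echo 1; return; }
    per_frag=$(( ($2 - 20) / 8 * 8 ))     # fragment payload, multiple of 8
    echo $(( ($1 - 20 + per_frag - 1) / per_frag ))
}

# wan_len INNER_IP_LEN GRETAP_MTU WG1_MTU WG0_MTU -> length handed to the WAN.
wan_len() {
    gre=$(gretap_wrap "$1" "$2")
    [ "$gre" = drop ] && { echo drop; return; }
    wg_wrap "$(wg_wrap "$gre" "$3")" "$4"
}

# Page values: gretap 7000, second-level WG 7500, first-level WG 8000.
report() {
    len=$(wan_len "$1" 7000 7500 8000)
    echo "inner=$1 wan=$len fragments=$(ip_fragments "$len" "$WAN_MTU")"
}

report 1500   # full-size LAN packet
report 1300   # small enough to cross the WAN in one piece
```
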

I did the same setup on the router in apartment 3, with the only difference that a second gretap interface named grelan1 was added on the server router, and it was also added to the br-lan bridge.

Everything works. Now the gretap setup can be added to startup. To do this:

I placed these lines in /etc/rc.local on the router in apartment 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

I added this to /etc/rc.local on the router in apartment 3:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.3
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

And on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

ip link add grelan1 type gretap remote 192.168.31.3 local 192.168.31.1
ip link set dev grelan1 mtu 7000
ip link set grelan1 up
brctl addif br-lan grelan1

After rebooting the client routers, I found that for some reason they did not connect to the server. Connecting to them over SSH (fortunately, I had previously configured sshtunnel for this), I discovered that WireGuard for some reason creates a route for the endpoint, and an incorrect one at that. So, for 192.168.30.2, the route in the routing table was specified via the pppoe-wan interface, that is, via the Internet, although the route to it should have gone through the wg0 interface. After deleting this route, the connection was restored. I did not find instructions anywhere on how to make WireGuard not create these routes. Moreover, I did not even understand whether this is a feature of OpenWRT or of WireGuard itself. Without dealing with this problem for long, I simply added to both routers, in a script run by a timer, a line that deleted this route:

route del 192.168.30.2

Summing up

I have not yet completely given up OpenVPN, since I sometimes need to connect to the new network from a laptop or phone, and setting up a gretap device on them is generally not possible. Despite this, I gained in data transfer speed between the apartments, and using VNC, for example, is no longer an inconvenience. Ping decreased slightly, but became more stable:

With OpenVPN:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=133 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=125 ms

--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19006ms
rtt min/avg/max/mdev = 124.722/126.152/136.907/3.065 ms

With WireGuard:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=124 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=124 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19003ms
rtt min/avg/max/mdev = 123.954/124.423/126.708/0.675 ms

It is largely affected by the high ping to the VPS, which is about 61.5 ms.

However, the speed increased significantly. In the apartment with the router-server I have an Internet connection speed of 30 Mbps, and in the other apartments 5 Mbps. While using OpenVPN, I could not achieve a data transfer rate between the networks above 3.8 Mbps according to iperf, while WireGuard "pumped" it up to the same 5 Mbps.

WireGuard configuration on the VPS

[Interface]
Address = 192.168.30.1/24
ListenPort = 51820
PrivateKey = <ЗАКРЫТЫЙ_КЛЮЧ_ДЛЯ_VPS>

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_1_МС>
AllowedIPs = 192.168.30.2/32

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2>
AllowedIPs = 192.168.30.3/32

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3>
AllowedIPs = 192.168.30.4/32

WireGuard configuration on MS (added to /etc/config/network)

# First-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.2/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МС'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Second-level VPN - server
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option listen_port '51821'
        list addresses '192.168.31.1/24'
        option auto '1'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
        list allowed_ips '192.168.31.2'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
        list allowed_ips '192.168.31.3'

WireGuard configuration on MK2 (added to /etc/config/network)

# First-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.3/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК2'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Second-level VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
        list addresses '192.168.31.2/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

WireGuard configuration on MK3 (added to /etc/config/network)

# First-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.4/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК3'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Second-level VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
        list addresses '192.168.31.3/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

In the configurations described for the second-level VPN, I specify port 51821 for the WireGuard clients. In theory this is not necessary, since the client will establish a connection from any free unprivileged port, but I did it so that all incoming connections could be denied on the wg0 interfaces of all routers, except incoming UDP connections to port 51821.
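
One way to express the restriction described above, as an added example that is not the author's configuration: a separate OpenWRT firewall zone for wg0 that drops incoming traffic except UDP to port 51821. The zone name vpn1, the rule name and the helper function are assumptions, and the example presumes wg0 is not already assigned to another zone.

```shell
#!/bin/sh
# Added example: generate `uci batch` commands that put wg0 into its own
# firewall zone and admit only the second-level WireGuard port.
# Zone and rule names are assumptions; port 51821 is the value from the page.

# wg0_zone_batch ZONE PORT -> commands for `uci batch` on stdout
wg0_zone_batch() {
    cat <<EOF
add firewall zone
set firewall.@zone[-1].name='$1'
add_list firewall.@zone[-1].network='wg0'
set firewall.@zone[-1].input='DROP'
set firewall.@zone[-1].forward='DROP'
set firewall.@zone[-1].output='ACCEPT'
add firewall rule
set firewall.@rule[-1].name='Allow-WG-level2'
set firewall.@rule[-1].src='$1'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='$2'
set firewall.@rule[-1].target='ACCEPT'
EOF
}

# On each router (not executed here):
#   wg0_zone_batch vpn1 51821 | uci batch && uci commit firewall
#   /etc/init.d/firewall reload
```
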

I hope this article will be useful to someone.

P.S. I also want to share my script that sends a PUSH notification to my phone in the WirePusher app when a new device appears on my network. Here is the link to the script: github.com/r0ck3r/device_discover.

Update: OpenVPN server and client configuration

OpenVPN server

client-to-client

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn-server.crt
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/vpn-server.key

dev tap
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
keepalive 10 60
proto tcp4
server-bridge 192.168.10.1 255.255.255.0 192.168.10.80 192.168.10.254
status /var/log/openvpn-status.log
verb 3
comp-lzo

OpenVPN client

client
tls-client
dev tap
proto tcp
remote VPS_IP 1194 # Change to your router's External IP
resolv-retry infinite
nobind

ca client/ca.crt
cert client/client.crt
key client/client.key
dh client/dh.pem

comp-lzo
persist-tun
persist-key
verb 3

I used easy-rsa to generate the certificates.

Source: www.habr.com