Speeding up OpenVPN on an OpenWrt router. Another option, without a soldering iron or hardware extremism

Hello everyone. I recently read an old article about speeding up OpenVPN on a router by offloading encryption to a separate hardware module soldered into the router itself. My case is similar to that author's: a TP-Link WDR3500 with 128 megabytes of RAM and a weak processor that cannot cope with tunnel encryption. However, I had no desire at all to go into the router with a soldering iron. Below is my experience of running OpenVPN on a separate device, with the router kept as a "backup" in case that device fails.

Goal

We have a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to terminate the tunnels in normal operation, and if anything happens to it, VPN handling should fall back to the router. All firewall settings on the router must keep working as before. In general, adding the extra device should be transparent and invisible to everyone. OpenVPN runs over TCP, with a TAP adapter in bridge mode (server-bridge).

Solution

Instead of connecting over USB, I decided to use one port on the router and bring every subnet that has a VPN bridge to the Orange Pi. The device thus sits on the same networks as the VPN server on the router. We then install exactly the same servers on the Orange Pi, and on the router we set up a proxy that forwards all incoming connections to the external server, and, if the Orange Pi is dead or unreachable, to the internal backup server instead. I chose HAProxy.

It looks like this:

  1. A client arrives
  2. If the external server is unavailable, the connection goes to the internal server, as before
  3. If it is available, the client is accepted by the Orange Pi
  4. The VPN on the Orange Pi decrypts the packets and drops them into the router's bridge
  5. The router routes them wherever they need to go

Implementation example

So, let's say we have two networks on the router, main (1) and guest (2), and each of them has an OpenVPN server for connecting from outside.

Network setup

We need to carry both networks over a single cable, so we create two VLANs.

On the router, in the Network/Switch section, create the VLANs (for example 1 and 2) and enable them tagged on the desired port, then add the newly created eth0.1 and eth0.2 to the corresponding networks (that is, include them in the bridge).

On the Orange Pi we create two VLAN interfaces (I run Archlinux ARM + netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And right away we create two bridges for them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all four profiles (netctl enable). After a reboot the Orange Pi now sits on both required networks. Pin the Orange Pi's interface addresses in Static Leases on the router.

ip a

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever
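An added sanity check, not part of the original article: on the Orange Pi the two VLAN sub-interfaces must land in different bridges, because if vlan-guest were ever enslaved to br-main the guest and main networks would be joined at layer 2 and the router's firewall rules between them would be bypassed. The script checks the one-line-per-interface output of `ip -o link show` (a sample constructed from the listing above is embedded) for the expected master of each VLAN interface.

```shell
#!/bin/sh
# Added example, not from the original article. Verifies that vlan-main is
# enslaved to br-main and vlan-guest to br-guest on the Orange Pi, using the
# "master <bridge>" token that `ip -o link show` prints for bridge ports.

# Constructed sample, abbreviated from the `ip a` listing in the article.
# On a live system use: SAMPLE_LINKS=$(ip -o link show)
SAMPLE_LINKS='4: vlan-main@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP mode DEFAULT group default qlen 1000
5: vlan-guest@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP mode DEFAULT group default qlen 1000
6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000'

# link_master <iface> <ip -o link output>: print the bridge <iface> belongs
# to, or "none" when it is not enslaved or does not appear at all.
link_master() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { name = $2; sub(/@.*/, "", name); sub(/:$/, "", name) }
        name == want {
            m = "none"
            for (i = 1; i < NF; i++) if ($i == "master") m = $(i + 1)
            print m; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# check_bridges <ip -o link output>: verify the vlan-main/br-main and
# vlan-guest/br-guest pairs; returns 0 when both are right, 1 otherwise.
check_bridges() {
    for pair in vlan-main:br-main vlan-guest:br-guest; do
        iface=${pair%%:*}
        want=${pair#*:}
        got=$(link_master "$iface" "$1")
        if [ "$got" != "$want" ]; then
            echo "$iface is in '$got', expected '$want'" >&2
            return 1
        fi
    done
    return 0
}

check_bridges "$SAMPLE_LINKS" && echo "VLAN-to-bridge mapping OK"
```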

VPN setup

Next we copy the OpenVPN settings and keys from the router. The settings can usually be found in /tmp/etc/openvpn*.conf. The server certificate and private key now live on two devices, so the Orange Pi needs the same protection the router gets.

Unfortunately, openvpn running in TAP mode with server-bridge leaves its interface down. For everything to work you need to add a script that runs when the connection comes up.

/etc/openvpn/main.conf

dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Run by OpenVPN ("up /etc/openvpn/vpn-up.sh") once the TAP device exists.
# profile_name comes from the "setenv profile_name ..." line in the server
# config, so one script serves both main and guest: it brings the
# vpn-<profile> interface up and enslaves it to the br-<profile> bridge.

ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

As a result, as soon as a connection is made, the vpn-main interface is added to br-main. The guest network is handled the same way, apart from the interface name and the address in server-bridge.
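An added check, not from the original article: with server-bridge the addresses OpenVPN hands to clients come from the router's LAN subnet, so the pool must stay outside the range the router's DHCP server leases from, or two hosts end up with the same address. The script takes the server-bridge line from main.conf above and a DHCP range in OpenWrt's form (the "option start" and "option limit" offsets); the DHCP values used are OpenWrt's defaults and are an assumption, since the article does not state the router's range.

```shell
#!/bin/sh
# Added example, not from the original article. Checks that the OpenVPN
# server-bridge pool does not overlap the router's DHCP range on the same
# subnet. The DHCP range is given as OpenWrt does it: an offset from the
# network address ("option start") and a number of leases ("option limit").

# ip2int <dotted-quad>: print the address as an unsigned 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# pool_overlaps_dhcp "<server-bridge line>" <dhcp_start> <dhcp_limit>
# returns 0 (true) when the OpenVPN pool and the DHCP range share addresses
pool_overlaps_dhcp() {
    set -- $1 "$2" "$3"
    # now: $2 gateway, $3 netmask, $4 pool start, $5 pool end,
    #      $6 dhcp start offset, $7 dhcp limit (number of leases)
    net=$(( $(ip2int "$2") & $(ip2int "$3") ))
    pool_lo=$(ip2int "$4")
    pool_hi=$(ip2int "$5")
    dhcp_lo=$(( net + $6 ))
    dhcp_hi=$(( dhcp_lo + $7 - 1 ))
    if [ "$pool_lo" -le "$dhcp_hi" ] && [ "$pool_hi" -ge "$dhcp_lo" ]; then
        return 0
    fi
    return 1
}

# The article's main server pool (.200-.229) against OpenWrt's default DHCP
# range (start 100, limit 150, i.e. .100-.249): they collide.
MAIN_POOL='server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229'
if pool_overlaps_dhcp "$MAIN_POOL" 100 150; then
    echo "main pool overlaps the DHCP range; shrink one of them" >&2
fi
```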

Forwarding requests outside and proxying

At this point the Orange Pi can already accept connections and attach clients to the required networks. All that remains is to configure proxying of incoming connections on the router.

We move the router's own VPN servers to other ports, install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        uid 0
        gid 0
        daemon

defaults
        retries 1
        # legacy spelling of "timeout connect 1000"; newer HAProxy releases only accept the new form
        contimeout 1000
        option splice-auto

# guest network: try the Orange Pi first, fall back to the router's own
# OpenVPN, which was moved to port 4444
listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

# main network: same pattern, the router's own OpenVPN moved to port 4443
listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup

Enjoy

If everything went according to plan, clients will switch over to the Orange Pi, the router's processor will no longer run hot, and VPN throughput will increase considerably. At the same time, all network rules configured on the router keep working. If the Orange Pi fails, it drops out of the pool and HAProxy forwards clients to the local servers. Note that in TCP mode HAProxy only relays the encrypted stream, so TLS still terminates in OpenVPN itself; the flip side is that OpenVPN on the Orange Pi sees every client arriving from the router's LAN address, so the client's real source address is visible only on the router.

Thanks for your attention; suggestions and corrections are welcome.

Source: www.habr.com
