Speeding up OpenVPN on an OpenWrt router. An alternative version without soldering irons and hardware extremism

Hello everyone. I recently read an old article on how to speed up OpenVPN on a router by moving the encryption to a separate piece of hardware soldered inside the router itself. I have the same situation as its author: a TP-Link WDR3500 with 128 MB of RAM and a weak processor that cannot keep up with tunnel encryption. But I really did not want to go into the router with a soldering iron. Below is my experience of moving OpenVPN to a separate box, with a fallback on the router in case that box fails.

Task

There is a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to encrypt the tunnel as usual, and if anything happens to it, VPN processing should fall back to the router. All firewall settings on the router must keep working as before. In general, the extra hardware should be transparent and invisible to everyone. OpenVPN runs over TCP, and the TAP adapter is in bridge mode (server-bridge).

Solution

Instead of connecting over USB, I decided to use one of the router's ports and bring every subnet that has a VPN bridge over to the Orange Pi. That way the external box sits on the same networks as the VPN servers on the router. Then we run the same servers on the Orange Pi, and on the router we set up a proxy that sends all incoming connections to the external server and, if the Orange Pi dies or becomes unreachable, to the internal fallback server. I went with HAProxy.

It works like this:

  1. A client connects
  2. If the external server is unavailable, the connection goes to the internal server, as before
  3. If it is available, the client is accepted by the Orange Pi
  4. OpenVPN on the Orange Pi decrypts the packets and pushes them back to the router
  5. The router forwards them wherever they need to go

Implementation example

So, suppose the router has two networks, main (1) and guest (2), each with its own OpenVPN server for connecting from outside.

Network configuration

Both networks have to be carried over a single port, so we create 2 VLANs.

On the router, under Network / Switch, create the VLANs (for example 1 and 2), set them as tagged on the chosen port, and add the newly created eth0.1 and eth0.2 to the corresponding networks (for example, add them to each network's bridge).

On the Orange Pi we create two VLAN interfaces (I have Arch Linux ARM + netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And right away we create two bridges for them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all 4 profiles (netctl enable). After a reboot the Orange Pi now sits on both networks. Pin the addresses of the Orange Pi's interfaces via Static Leases on the router.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever
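A quick sanity check of that layout, added here as an example (it is not part of the original article): it parses `ip addr show` output and verifies that each VLAN sub-interface is enslaved to its bridge and that each bridge is up with an address in the expected subnet, which is exactly what the OpenVPN up script relies on. Interface names and subnets are the article's; the embedded sample is constructed from the output above.

```python
"""Verify the Orange Pi's VLAN/bridge layout from `ip addr show` output.
Added example for this article, not code from it.  Interface names and
subnets are the article's; SAMPLE is constructed from the output shown above."""
import ipaddress
import re
import sys

# bridge -> (VLAN sub-interface that must be enslaved to it, expected IPv4 subnet)
EXPECTED = {
    "br-main": ("vlan-main", "192.168.1.0/24"),
    "br-guest": ("vlan-guest", "192.168.2.0/24"),
}

IFACE_RE = re.compile(r"^\d+: (?P<name>[^:@\s]+)(?:@[^:\s]+)?: <(?P<flags>[^>]*)>(?P<rest>.*)$")
INET_RE = re.compile(r"^\s+inet (?P<addr>\d+\.\d+\.\d+\.\d+/\d+)")

def parse_ip_addr(text):
    """Return {ifname: {"flags": set(), "master": bridge-or-None, "inet": [cidr, ...]}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            master = re.search(r"\bmaster (\S+)", m.group("rest"))
            current = ifaces[m.group("name")] = {
                "flags": set(m.group("flags").split(",")),
                "master": master.group(1) if master else None,
                "inet": [],
            }
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            current["inet"].append(m.group("addr"))
    return ifaces

def check_layout(ifaces, expected=EXPECTED):
    """Return a list of problems; an empty list means the layout matches."""
    problems = []
    for bridge, (vlan, subnet) in expected.items():
        net = ipaddress.ip_network(subnet)
        br = ifaces.get(bridge)
        if br is None:
            problems.append(f"{bridge}: bridge does not exist")
        else:
            if not {"UP", "LOWER_UP"} <= br["flags"]:
                problems.append(f"{bridge}: not UP/LOWER_UP (flags {sorted(br['flags'])})")
            if not any(ipaddress.ip_interface(a).ip in net for a in br["inet"]):
                problems.append(f"{bridge}: no IPv4 address in {subnet} (has {br['inet']})")
        vl = ifaces.get(vlan)
        if vl is None:
            problems.append(f"{vlan}: VLAN interface does not exist")
        elif vl["master"] != bridge:
            problems.append(f"{vlan}: enslaved to {vl['master']}, expected {bridge}")
    return problems

# Constructed sample, trimmed from the `ip addr show` output in the article.
SAMPLE = """\
4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
"""

if __name__ == "__main__":
    # Usage on the Orange Pi:  ip addr show | python3 check_layout.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    problems = check_layout(parse_ip_addr(text))
    print("\n".join(problems) or "layout OK")
    sys.exit(1 if problems else 0)
```

Run it after every reboot (or from a cron job) before trusting the VPN: if a VLAN interface is not enslaved to its bridge, the `brctl addif` in the up script below will still succeed, but decrypted frames will never reach the router.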

Setting up the VPN

Next, copy the OpenVPN settings and keys from the router. On OpenWrt the generated config can usually be found in /tmp/etc/openvpn*.conf

By default, OpenVPN in TAP mode with server-bridge leaves its interface down and does not attach it to any bridge. For everything to work, add a script that runs when the tunnel comes up and does both.

/etc/openvpn/main.conf

# TAP device with an explicit name, so the up script knows which bridge it belongs to
dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
# copied from the router as-is; comp-lzo is deprecated in current OpenVPN and
# compression inside a TLS tunnel is a known weakness (VORACLE), so consider dropping it
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
# the port HAProxy on the router forwards to
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
# bridge gateway, netmask and the client address pool, all inside the main LAN
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

# exported to the up script as $profile_name; script-security 2 is required for any up/down script to run
setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Runs once OpenVPN has created the TAP device (needs script-security 2 in the config).
# $profile_name comes from the 'setenv profile_name ...' line in the config.

ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

As a result, as soon as the tunnel comes up, the vpn-main interface is added to br-main. For the guest network everything is the same, except for the interface name and the address in server-bridge.

Forwarding external requests and proxying

At this point the Orange Pi can already accept connections and attach clients to the right network. All that remains is to configure proxying of incoming connections on the router. One thing to keep in mind with a plain TCP proxy: OpenVPN on the Orange Pi sees every client arrive from the router's own LAN address, so OpenVPN's logs and any source-address checks there no longer identify the real client; do that filtering on the router (firewall rules or HAProxy ACLs) instead.

Move the router's own VPN servers to other ports (4443 and 4444 below), install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        # runs as root here; an unprivileged uid/gid (plus chroot) is preferable on an exposed port
        uid 0
        gid 0
        daemon

defaults
        retries 1
        # give up on the Orange Pi quickly so the client lands on the backup (old syntax: contimeout 1000)
        timeout connect 1s
        # no client/server timeouts are set, so idle VPN sessions are never cut;
        # OpenVPN's keepalive traffic keeps them busy anyway
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        # 'check' probes the TCP port; the 'backup' server is used only while no primary is up
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
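With both halves in place it is easy to let them drift apart: a port changed on one side only, script-security dropped from a copied config, a client pool that no longer sits in the bridge subnet. The following added example (not code from the article, HAProxy or OpenVPN) parses haproxy.cfg and the OpenVPN server configs and checks the invariants that the VPN setup and the proxy sections above depend on; it also warns about two settings inherited from the router config. The embedded configs are constructed from the ones shown; addresses and ports are the article's.

```python
"""Cross-check haproxy.cfg on the router against the OpenVPN servers behind it.
Added example for this article, not code from it nor from HAProxy/OpenVPN.
The configs embedded below are constructed from the ones shown in the article."""
import ipaddress

def parse_openvpn(text):
    """OpenVPN config -> {option: [args]}; every 'push' line is collected under "push"."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, *args = line.split()
        if key == "push":
            cfg.setdefault("push", []).append(" ".join(args).strip('"'))
        else:
            cfg[key] = args
    return cfg

def parse_haproxy(text):
    """haproxy.cfg -> {listen name: {"mode", "bind": port, "servers": [(name, host, port, is_backup)]}}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "listen":
            cur = sections.setdefault(words[1], {"mode": None, "bind": None, "servers": []})
        elif words[0] in ("global", "defaults", "frontend", "backend"):
            cur = None  # only 'listen' blocks are modelled here
        elif cur is not None:
            if words[0] == "bind":
                cur["bind"] = int(words[1].rsplit(":", 1)[1])
            elif words[0] == "mode":
                cur["mode"] = words[1]
            elif words[0] == "server":
                host, port = words[2].rsplit(":", 1)
                cur["servers"].append((words[1], host, int(port), "backup" in words[3:]))
    return sections

def check_openvpn(label, cfg, port):
    """(errors, warnings) for one OpenVPN server that HAProxy expects on TCP `port`."""
    errors, warnings = [], []
    if cfg.get("port", ["1194"])[0] != str(port):
        errors.append(f"{label}: config listens on port {cfg.get('port', ['1194'])[0]}, HAProxy forwards to {port}")
    if not cfg.get("proto", ["udp"])[0].startswith("tcp"):
        errors.append(f"{label}: HAProxy forwards TCP but 'proto' is not tcp")
    is_tap = cfg.get("dev-type", [""])[0] == "tap" or cfg.get("dev", [""])[0].startswith("tap")
    if is_tap:
        sb = cfg.get("server-bridge")
        if not sb or len(sb) != 4:
            errors.append(f"{label}: TAP server without 'server-bridge gateway netmask start end'")
        else:
            net = ipaddress.ip_network(f"{sb[0]}/{sb[1]}", strict=False)
            start, end = ipaddress.ip_address(sb[2]), ipaddress.ip_address(sb[3])
            if not (start in net and end in net and start <= end):
                errors.append(f"{label}: client pool {sb[2]}-{sb[3]} is not inside {net}")
        if "up" in cfg and int(cfg.get("script-security", ["1"])[0]) < 2:
            errors.append(f"{label}: 'up' script needs 'script-security 2', otherwise OpenVPN refuses to run it")
    if "comp-lzo" in cfg or "compress" in cfg:
        warnings.append(f"{label}: compression is on; OpenVPN deprecated it after the VORACLE attack")
    if "tls-auth" not in cfg and "tls-crypt" not in cfg:
        warnings.append(f"{label}: no tls-auth/tls-crypt, the TLS handshake is reachable by anyone who hits the port")
    return errors, warnings

def lint(haproxy_text, instances):
    """instances: {(host, port): OpenVPN config text}.  Returns (errors, warnings)."""
    errors, warnings = [], []
    for name, sec in parse_haproxy(haproxy_text).items():
        if sec["mode"] != "tcp":
            errors.append(f"{name}: proxying OpenVPN needs 'mode tcp'")
        if not any(s[3] for s in sec["servers"]):
            errors.append(f"{name}: no 'backup' server, nothing takes over when the Orange Pi is down")
        for sname, host, port, _ in sec["servers"]:
            text = instances.get((host, port))
            if text is None:
                errors.append(f"{name}/{sname}: no OpenVPN instance known at {host}:{port}")
                continue
            e, w = check_openvpn(f"{name}/{sname}", parse_openvpn(text), port)
            errors += e
            warnings += w
    return errors, warnings

# --- constructed inputs, shaped like the article's haproxy.cfg and main.conf ---
HAPROXY_CFG = """
listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup
listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
"""

def ovpn_conf(name, port, octet):
    """Constructed OpenVPN server config; keys/certs omitted as irrelevant to the check."""
    return f"""dev vpn-{name}
dev-type tap
proto tcp
port {port}
comp-lzo yes
server-bridge 192.168.{octet}.3 255.255.255.0 192.168.{octet}.200 192.168.{octet}.229
setenv profile_name {name}
script-security 2
up /etc/openvpn/vpn-up.sh
"""

INSTANCES = {  # (host, port) exactly as HAProxy addresses them
    ("192.168.1.3", 443): ovpn_conf("main", 443, 1),
    ("192.168.2.3", 444): ovpn_conf("guest", 444, 2),
    ("127.0.0.1", 4443): ovpn_conf("main", 4443, 1),  # router-local fallback
    ("127.0.0.1", 4444): ovpn_conf("guest", 4444, 2),
}

if __name__ == "__main__":
    errors, warnings = lint(HAPROXY_CFG, INSTANCES)
    for line in errors:
        print("ERROR  ", line)
    for line in warnings:
        print("WARNING", line)
```

On the article's configs the errors list is empty and every instance gets the two warnings (compression on, no tls-auth/tls-crypt). To use it for real, replace the embedded strings with the file contents from the router and the Orange Pi; the (host, port) keys must match what HAProxy's server lines say, which is the whole point of the check.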

Enjoy

If everything went according to plan, clients land on the Orange Pi, the router's CPU no longer runs hot, and VPN throughput goes up noticeably. At the same time, every network rule defined on the router stays in force. If the Orange Pi fails, its health check goes down and HAProxy sends clients to the local server; tunnels that were already established through the dead box are dropped, and the clients reconnect through the fallback.

Thank you for your attention; suggestions and corrections are welcome.

Source: www.habr.com
