Speeding up OpenVPN on an OpenWrt router. An alternative version without a soldering iron and hardware extremism

Hello everyone, I recently read an old article about how you can speed up OpenVPN on a router by moving the encryption to a separate piece of hardware soldered inside the router. I have a situation similar to the author's: a TP-Link WDR3500 with 128 megabytes of RAM and a weak processor that cannot fully cope with tunnel encryption. However, I had absolutely no desire to go into the router with a soldering iron. Below is my experience of moving OpenVPN to a separate device, with fallback to the router in case something goes wrong.

Goal

There is a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to encrypt the tunnels in normal operation and, if anything happens, VPN processing to fall back to the router. All firewall settings on the router must keep working as before. In general, adding the extra device should be transparent and unnoticeable to everyone. OpenVPN runs over TCP, with the TAP adapter in bridge mode (server-bridge).

Solution

Instead of connecting over USB, I decided to use one port of the router and bring every subnet the VPN bridges into out to the Orange Pi. The result is that the hardware physically sits on the same networks as the VPN server on the router. After that, we set up exactly the same servers on the Orange Pi, and on the router we set up a proxy that forwards all incoming connections to the external server or, if the Orange Pi is dead or unavailable, to the internal backup server. I took HAProxy.

It works out like this:

  1. A client arrives
  2. If the external server is unavailable, the connection goes to the internal server as before
  3. If it is available, the client is accepted by the Orange Pi
  4. The VPN on the Orange Pi does the packet encryption and spits them back into the router
  5. The router routes them wherever they need to go

Implementation example

Suppose the router has two networks: main (1) and guest (2), each with its own OpenVPN server for external connections.

Network configuration

We need to carry both networks over one port, so we create 2 VLANs.

On the router, in Network/Switch, create the VLANs (say, 1 and 2) and enable them in tagged mode on the chosen port, then add the newly created eth0.1 and eth0.2 to the corresponding networks (i.e. add them to the bridges).

On the Orange Pi we create two VLAN interfaces (I have Archlinux ARM + netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And right away we create two bridges for them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all 4 profiles (netctl enable). Now, after a reboot, the Orange Pi sits on the two required networks. In Static Leases on the router we pin the addresses of the Orange Pi's interfaces.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever

Setting up the VPN

Next we copy the OpenVPN settings and keys from the router. The settings can usually be found at /tmp/etc/openvpn*.conf

By default, openvpn running in TAP mode with server-bridge leaves its interface down. For everything to work, you need to add a script that runs when the connection comes up.

/etc/openvpn/main.conf

dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# OpenVPN "up" script: profile_name comes from "setenv profile_name" in the .conf

# bring the TAP interface up and attach it to the bridge of the same profile
ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

As a result, as soon as a connection comes up, the vpn-main interface is added to br-main. For the guest network it is the same, down to the interface name and the address in server-bridge.

Forwarding requests out and proxying

At this stage the Orange Pi can already accept connections and attach clients to the required networks. What remains is to set up proxying of incoming connections on the router.

We move the router's own VPN servers to other ports, then install and configure HAProxy on the router:

/etc/haproxy.cfg

global
        maxconn 256
        uid 0
        gid 0
        daemon

defaults
        retries 1
        contimeout 1000
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
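The OpenVPN and HAProxy configs above are coupled by hand: the primary backend of each listen block has to be the address from server-bridge plus the OpenVPN port, the router-local backup has to live on a different port from the one HAProxy binds, and both servers need "check" or failover never triggers. The following is an added example, not code from the article: a small consistency checker that parses both formats (constructed samples mirroring the main and guest setup; the guest OpenVPN config is assumed, the article only shows the main one) and reports any mismatch before you reboot the router.

```python
"""Consistency check between the OpenVPN server configs and the HAProxy
failover config.

Added example, not code from the article: it parses the two config formats
with plain string handling and verifies that the proxy's primary backend really
is the Orange Pi listener (server-bridge address + port), that a health-checked
backup server exists so failover to the router works, and that the router-local
backup does not sit on the port HAProxy itself binds.
"""

# Constructed sample configs mirroring the article's main/guest setup.
OPENVPN_CONFS = {
    "main_vpn": """\
dev vpn-main
dev-type tap
port 443
proto tcp
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
""",
    # guest config is assumed: same shape, guest bridge address, port 444
    "guest_vpn": """\
dev vpn-guest
dev-type tap
port 444
proto tcp
server-bridge 192.168.2.3 255.255.255.0 192.168.2.200 192.168.2.229
""",
}

HAPROXY_CFG = """\
global
        maxconn 256
        daemon

defaults
        retries 1

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
"""


def parse_openvpn(text):
    """Map each OpenVPN option to its argument list (a repeated option keeps the last value)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf[key] = args
    return conf


def parse_haproxy(text):
    """Map each section name to its bind port, mode and server list."""
    sections, current = {}, None
    for raw in text.splitlines():
        words = raw.strip().split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in ("global", "defaults", "frontend", "backend", "listen"):
            name = words[1] if len(words) > 1 else words[0]
            current = sections.setdefault(name, {"servers": []})
        elif current is None:
            continue
        elif words[0] == "bind":
            current["bind"] = int(words[1].rsplit(":", 1)[1])
        elif words[0] == "mode":
            current["mode"] = words[1]
        elif words[0] == "server":
            host, port = words[2].rsplit(":", 1)
            current["servers"].append({"name": words[1], "host": host, "port": int(port),
                                       "check": "check" in words[3:], "backup": "backup" in words[3:]})
    return sections


def check_failover(listen, ovpn):
    """Return the list of problems for one listen block against the OpenVPN config it fronts."""
    problems = []
    primaries = [s for s in listen["servers"] if not s["backup"]]
    backups = [s for s in listen["servers"] if s["backup"]]
    if len(primaries) != 1:
        problems.append("expected exactly one primary (Orange Pi) server")
    if not backups:
        problems.append("no 'backup' server: clients would be refused when the Orange Pi is down")
    for s in listen["servers"]:
        if not s["check"]:
            problems.append(f"server {s['name']} lacks 'check': HAProxy cannot notice when it dies")
    if listen.get("mode") != "tcp" or ovpn.get("proto", [None])[0] != "tcp":
        problems.append("OpenVPN over TCP needs 'proto tcp' and HAProxy 'mode tcp'")
    port, gateway = int(ovpn["port"][0]), ovpn["server-bridge"][0]
    for p in primaries:
        if (p["host"], p["port"]) != (gateway, port):
            problems.append(f"primary {p['host']}:{p['port']} is not the OpenVPN listener "
                            f"{gateway}:{port} given by server-bridge/port")
    for b in backups:
        if b["host"] in ("127.0.0.1", "localhost") and b["port"] == listen.get("bind"):
            problems.append("router-local backup uses the port HAProxy binds: the two would collide")
    return problems


def run_checks(haproxy_text, ovpn_texts):
    """Check every listen block that has a matching OpenVPN config; returns {name: problems}."""
    sections = parse_haproxy(haproxy_text)
    return {name: check_failover(sections[name], parse_openvpn(text))
            for name, text in ovpn_texts.items() if name in sections}


if __name__ == "__main__":
    for name, problems in run_checks(HAPROXY_CFG, OPENVPN_CONFS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Feed it the real files instead of the embedded strings before rolling the change out; on the sample configs every block comes back clean. Two things the script deliberately does not check and that are worth a second look on a real router: the global section above runs HAProxy as uid 0/gid 0, whereas HAProxy can drop to a dedicated user with the user/group directives, and the server keys copied to the Orange Pi now exist on two hosts, so both need the same file permissions and the same care when rotating.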

Enjoy

If everything goes to plan, clients land on the Orange Pi, the router's CPU no longer overheats, and the VPN speed increases noticeably. At the same time, all the network rules registered on the router stay in force. If the Orange Pi crashes, it drops out and HAProxy switches clients to the local servers.

Thanks for your attention; suggestions and corrections are welcome.

Source: www.habr.com
