Setting up WireGuard on a Mikrotik router running OpenWrt

In most cases, connecting a router to a VPN is not difficult, but if you want to protect the whole network and at the same time keep the optimal connection speed, the best solution is to use the WireGuard VPN tunnel.

Mikrotik routers have proven to be reliable and very flexible solutions, but unfortunately there is still no WireGuard support in RouterOS, and it is not known when it will appear or in what form. It recently became known that the developers of the WireGuard VPN tunnel have proposed a patch set that would make their VPN tunnelling software part of the Linux kernel; we hope this will contribute to its adoption in RouterOS.

But for now, unfortunately, to configure WireGuard on a Mikrotik router you need to change the firmware.

Flashing the Mikrotik, installing and configuring OpenWrt

First you need to make sure that OpenWrt supports your model. You can check which marketing name and picture correspond to a model at mikrotik.com.

Go to openwrt.com, to the firmware download section.

For this device we need 2 files:

downloads.openwrt.org/releases/18.06.2/targets/ar71xx/mikrotik/openwrt-18.06.2-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin|elf

downloads.openwrt.org/releases/18.06.2/targets/ar71xx/mikrotik/openwrt-18.06.2-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin

You need to download both files: Install and Upgrade.
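Before flashing, each downloaded file can be checked against the sha256sums file that OpenWrt publishes in the same release directory. The following is an added example, not part of the original article; verify_image and selfcheck are names made up here, and the self-check runs on a constructed stand-in file rather than a real image.

```shell
#!/bin/sh
# Added example: check a downloaded OpenWrt image against the release's sha256sums.

# verify_image SUMS_FILE IMAGE_FILE
# Exit 0: hash matches; 1: hash differs; 2: image not listed in SUMS_FILE.
verify_image() {
    sums=$1
    image=$2
    name=$(basename "$image")
    # Lines look like "<sha256 hex> *<file name>"; match the name exactly.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                                 f == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "not listed: $name" >&2
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $name" >&2
        return 1
    fi
    echo "OK: $name"
}

# Self-check on a constructed stand-in file (not a real firmware image):
# prints the exit codes for an intact file and for the same file after tampering.
selfcheck() {
    dir=$(mktemp -d) || return 1
    img="$dir/constructed-squashfs-sysupgrade.bin"
    printf 'constructed image bytes\n' > "$img"
    printf '%s *%s\n' "$(sha256sum "$img" | awk '{ print $1 }')" \
        "$(basename "$img")" > "$dir/sha256sums"
    if verify_image "$dir/sha256sums" "$img" >/dev/null 2>&1; then intact=0; else intact=$?; fi
    printf 'x' >> "$img"
    if verify_image "$dir/sha256sums" "$img" >/dev/null 2>&1; then tampered=0; else tampered=$?; fi
    rm -rf "$dir"
    echo "$intact $tampered"
}

selfcheck
```

For the real files, fetch sha256sums over HTTPS and run verify_image once for the initramfs-kernel file and once for the squashfs-sysupgrade file.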

1. Setting up the network, downloading and configuring the PXE server

Download the latest version of Tiny PXE Server for Windows.

Unzip it into a separate folder. In the config.ini file, add the parameter rfc951=1 to the [dhcp] section. This parameter is the same for all Mikrotik models.

Let's move on to the network settings: you need to set a static IP address on one of your computer's network interfaces.

IP address: 192.168.1.10
Netmask: 255.255.255.0

Run Tiny PXE Server as Administrator and, in the DHCP Server field, select the server with the address 192.168.1.10.

On some versions of Windows, this interface may appear only after an Ethernet connection is established. I recommend connecting the router and immediately linking the router and the PC with a patch cord.

Press the "..." button (bottom right) and specify the folder where you downloaded the Mikrotik firmware files.

Select the file whose name ends with "initramfs-kernel.bin or elf".

2. Booting the router from the PXE server

Connect the PC by cable to the first port (wan, internet, poe in, ...) of the router. Then take a toothpick and insert it into the hole labelled "Reset".

Turn on the router's power and wait 20 seconds, then release the toothpick.
Within the next minute, messages should appear in the Tiny PXE Server window.

If the message appears, you are on the right track!

Restore the settings on the network adapter and set it to obtain an address dynamically (via DHCP).

Connect to the LAN ports of the Mikrotik router (2 ... 5 in our case) using the same patch cord. Just move it from port 1 to port 2. Open the address 192.168.1.1 in a browser.

Log in to the OpenWRT administration interface and go to the "System -> Backup/Flash Firmware" menu section.

In the "Flash new firmware image" subsection, click the "Choose file (Browse)" button.

Specify the path to the file whose name ends with "-squashfs-sysupgrade.bin".

Then click the "Flash Image" button.

In the next window, click the "Proceed" button. The firmware will begin uploading to the router.

!!! UNDER NO CIRCUMSTANCES DISCONNECT THE ROUTER'S POWER DURING THE FIRMWARE FLASHING PROCESS !!!

After flashing and rebooting the router, you will have a Mikrotik with OpenWRT firmware.

Possible problems and solutions

Many Mikrotik devices released in 2019 use a FLASH-NOR memory chip of type GD25Q15 / Q16. The problem is that when flashing, the data about the device model is not saved.

If you see the error "The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform." then the problem is most likely in the flash.

This is easy to check: run the following command in the device terminal to check the model ID

root@OpenWrt: cat /tmp/sysinfo/board_name

If the answer is "unknown", you need to specify the device model manually in the form "rb-951-2nd".

To get the device model, run the command

root@OpenWrt: cat /tmp/sysinfo/model
MikroTik RouterBOARD RB951-2nd

After obtaining the device model, set it manually:

echo 'rb-951-2nd' > /tmp/sysinfo/board_name

After that, you can flash the device through the web interface or with the "sysupgrade" command.

Creating a VPN server with WireGuard

If you already have a server with WireGuard configured, you can skip this step.
I will use the MyVPN.RUN application to set up a personal VPN server; I have already published a review of it.

Configuring the WireGuard client on OpenWRT

Connect to the router over SSH:

ssh [email protected]

Install WireGuard:

opkg update
opkg install wireguard

Prepare the configuration (copy the code below into a file, replace the indicated values with your own, and run it in the terminal).

If you use MyVPN, then in the configuration below you only need to change WG_SERV (the server IP), WG_KEY (the private key from the wireguard configuration file) and WG_PUB (the public key).

WG_IF="wg0"
WG_SERV="100.0.0.0" # server IP address
WG_PORT="51820" # WireGuard port
WG_ADDR="10.8.0.2/32" # WireGuard address range

WG_KEY="xxxxx" # private key
WG_PUB="xxxxx" # public key

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"

uci add_list network.${WG_IF}.addresses="${WG_ADDR}"

# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key=""
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/1"
uci add_list network.wgserver.allowed_ips="128.0.0.0/1"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

This completes the WireGuard setup! Now all traffic from all connected devices is protected by the VPN connection.
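A way to check that claim on the router, as an added example that is not part of the original article: it reads the output of wg show wg0 dump and reports, per peer, whether a handshake happened recently and whether the allowed IPs send all IPv4 traffic into the tunnel. The function name wg_peer_health, the sample dump and the 180-second freshness limit are assumptions made for this example, and it assumes the wg tool is installed alongside the wireguard package.

```shell
#!/bin/sh
# Added example: interpret `wg show wg0 dump` for the client set up above.
# Peer lines are tab-separated:
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive

# wg_peer_health DUMP NOW MAX_AGE
# Prints "<endpoint> <handshake state> <routing state>" for every peer.
wg_peer_health() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v max="$3" '
        NR == 1 { next }                  # first line describes the interface
        NF >= 8 {
            hs = $5 + 0                   # 0 means no handshake has completed
            if (hs == 0)             state = "no-handshake"
            else if (now - hs > max) state = "stale"
            else                     state = "ok"
            # 0.0.0.0/1 plus 128.0.0.0/1 (or 0.0.0.0/0) covers all of IPv4
            n = split($4, ips, ",")
            lo = 0; hi = 0
            for (i = 1; i <= n; i++) {
                if (ips[i] == "0.0.0.0/1")   lo = 1
                if (ips[i] == "128.0.0.0/1") hi = 1
                if (ips[i] == "0.0.0.0/0")   { lo = 1; hi = 1 }
            }
            print $3, state, ((lo && hi) ? "full-tunnel" : "split-tunnel")
        }'
}

# Constructed sample dump (placeholder keys, addresses taken from the script above).
TAB=$(printf '\t')
SAMPLE_DUMP=$(printf '%s\n' \
    "CLIENT_PRIVATE_KEY${TAB}CLIENT_PUBLIC_KEY${TAB}51820${TAB}off" \
    "SERVER_PUBLIC_KEY${TAB}(none)${TAB}100.0.0.0:51820${TAB}0.0.0.0/1,128.0.0.0/1,::/0${TAB}1700000000${TAB}1024${TAB}2048${TAB}25")

# 60 s after the recorded handshake; the 180 s limit is an assumption.
wg_peer_health "$SAMPLE_DUMP" 1700000060 180

# On the router: wg_peer_health "$(wg show wg0 dump)" "$(date +%s)" 180
```

A result of no-handshake or stale means the tunnel is not carrying traffic, even though the interface and its routes exist.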


Source: www.habr.com
