ProHoster > Ibhulogi > Ulawulo > Ukuseta i-BGP ukudlula ukubhloka, okanye "Ndayeka njani ukoyika kwaye ndathandana no-RKN"

Ukuseta i-BGP ukudlula ukubhloka, okanye "Ndayeka njani ukoyika kwaye ndathandana no-RKN"

Ewe, kulungile, malunga "nokuthanda" lubaxo. Kunoko, “wakwazi ukuhlalisana naye.”

Njengoko nonke nisazi, ukusukela nge-16 ka-Epreli 2018, iRoskomnadzor ibivala ukufikelela kwizixhobo kwi-Intanethi ngokubetha okubanzi kakhulu, yongeza "kwiRejista edityanisiweyo yamagama esizinda, izalathiso zamaphepha eendawo kwi-Intanethi kunye needilesi zenethiwekhi ezivumela ukuchonga iindawo. kwi-Intanethi,” equlathe ulwazi ukusasazwa kwalo kungavumelekanga kwiRussian Federation” (kwisicatshulwa - nje irejista) ngo/10 ngamanye amaxesha. Ngenxa yoko, abemi baseRussian Federation kunye namashishini bayabandezeleka, belahlekelwe ukufikelela kwimithombo yomthetho ngokupheleleyo abayidingayo.

Emva kokuba ndithe kumagqabantshintshi kwelinye lamanqaku angoHabré ukuba ndikulungele ukunceda amaxhoba ngokuseka inkqubo yokudlula, abantu abaliqela beza kum becela uncedo olunjalo. Xa yonke into ibasebenzela, omnye wabo ucebise ukuchaza ubuchule kwinqaku. Emva kokucinga, ndagqiba ekubeni ndiphule ukuthula kwam kwisayithi kwaye ndizame kanye ukubhala into ephakathi phakathi kweprojekthi kunye nesithuba se-Facebook, okt. ihabrapost. Isiphumo siphambi kwakho.

isikhanyeli

Ekubeni akukho mthethweni kakhulu ukupapasha iindlela zokudlula ekuthinteleni ukufikelela kulwazi olungavumelekanga kwintsimi yeRussian Federation, injongo yeli nqaku iya kuba kukuthetha ngendlela ekuvumela ukuba uzenzele ukufikelela kwizixhobo ezivunyelwe kwi ummandla weRussian Federation, kodwa ngenxa yezenzo zomntu azifumaneki ngokuthe ngqo ngomboneleli wakho. Kwaye ukufikelela kwezinye izibonelelo ezifunyenwe ngenxa yezenzo ezivela kwinqaku yimpembelelo yecala elibi kwaye ayikho nayiphi na injongo yenqaku.

Kwakhona, ekubeni ngokuyintloko ndingumyili wenethiwekhi ngomsebenzi, ubizo kunye nendlela yokuphila, inkqubo kunye neLinux ayizona ndawo zam ezinamandla. Ngoko ke, ngokuqinisekileyo, izikripthi zingabhalwa ngcono, imiba yokhuseleko kwi-VPS inokusetyenzwa ngokunzulu, njl. Iziphakamiso zakho ziya kwamkelwa ngokubulela, ukuba zichazwe ngokwaneleyo - ndiya kuvuya ukuzongeza kwisicatshulwa senqaku.

TL; DR

Sizenzekela ukufikelela kwizixhobo ngokusebenzisa itonela yakho ekhoyo usebenzisa ikopi yobhaliso kunye neprotocol yeBGP. Injongo kukususa zonke iitrafikhi ezibhekiswe kwimithombo evaliweyo kwitonela. Ubuncinci beengcaciso, ubukhulu becala imiyalelo yenyathelo nenyathelo.

Ufuna ntoni kule nto?

Ngelishwa, esi sithuba asingomntu wonke. Ukuze usebenzise obu buchule, kuya kufuneka ubeke izinto ezininzi kunye:

  1. Kuya kufuneka ube nomncedisi we-linux kwenye indawo ngaphandle kwendawo yokuthintela. Okanye ubuncinci umnqweno wokuba neseva enjalo - ngethamsanqa ngoku ixabisa ukusuka kwi-9 yeedola / ngonyaka, kwaye mhlawumbi ngaphantsi. Indlela ifanelekile ukuba une-tunnel ye-VPN eyahlukileyo, ngoko iseva inokufumaneka ngaphakathi kwendawo yokuthintela.
  2. I-router yakho kufuneka ihlakaniphe ngokwaneleyo ukuze ukwazi
    • nawuphi na umxhasi weVPN oyithandayo (ndikhetha i-OpenVPN, kodwa ingaba yiPPTP, L2TP, GRE + IPSec okanye nayiphi na enye inketho eyenza ujongano lwetonela);
    • Iprothokholi ye-BGPv4. Oko kuthetha ukuba kwi-SOHO inokuba yi-Mikrotik okanye nayiphi na i-router ene-OpenWRT/LEDE/i-firmware yesiko efanayo ekuvumela ukuba ufake i-Quagga okanye iNtaka. Ukusebenzisa i-router yePC nako akuvumelekanga. Kwimeko yeshishini, khangela BGP inkxaso kuxwebhu umzila wakho umda.
  3. Kuya kufuneka ube nokuqonda ukusetyenziswa kweLinux kunye neetekhnoloji zothungelwano, kubandakanya neBGP protocol. Okanye ubuncinci ufuna ukufumana loo mbono. Kuba andikakulungeli ukwamkela ubukhulu ngeli xesha, kuya kufuneka ufunde imiba ethile engaqondakaliyo kuwe ngokwakho. Nangona kunjalo, ndiya, ngokuqinisekileyo, ndiphendule imibuzo ethile kumazwana kwaye ndingenakwenzeka ukuba ndibe yedwa ophendulayo, ngoko unganqikazi ukubuza.

Yintoni esetyenziswayo kumzekelo

  • Ikopi yerejista - ukusuka https://github.com/zapret-info/z-i 
  • VPS - Ubuntu 16.04
  • Inkonzo yomzila- intaka 1.6.3   
  • Umzila- Mikrotik hAP ac
  • Iifolda ezisebenzayo - kuba sisebenza njengengcambu, uninzi lwayo yonke into iya kufumaneka kwifolda yasekhaya yengcambu. Ngokulandelelana:
    • /ingcambu/uluhlu olumnyama-ifolda esebenzayo kunye neskripthi sokuqokelela
    • /root/zi - ikopi yobhaliso esuka kwi-github
    • /etc/bird - ifolda esemgangathweni yeeseto zenkonzo yeentaka
  • Idilesi ye-IP yangaphandle ye-VPS kunye nomncedisi womzila kunye nendawo yokuphelisa i-tunnel 194.165.22.146, ASN 64998; idilesi ye-IP yangaphandle yomzila - 81.177.103.94, ASN 64999
  • Iidilesi ze-IP ngaphakathi kwetonela ziyi-172.30.1.1 kunye ne-172.30.1.2, ngokulandelanayo.

Ukuseta i-BGP ukudlula ukubhloka, okanye "Ndayeka njani ukoyika kwaye ndathandana no-RKN"

Ngokuqinisekileyo, ungasebenzisa naziphi na ezinye ii-routers, iinkqubo zokusebenza kunye neemveliso zesofthiwe, ukulungelelanisa isisombululo kwiingcamango zabo.

Ngokufutshane - ingqiqo yesisombululo

  1. Imisebenzi yokulungiselela
    1. Ukufumana iVPS
    2. Ukuphakamisa i-tunnel ukusuka kwi-router ukuya kwi-VPS
  2. Sifumana kwaye sihlaziya rhoqo ikopi yobhaliso
  3. Ukufakela kunye nokuqwalasela inkonzo yomzila
  4. Senza uluhlu lweendlela ezimileyo zenkonzo yomzila ngokusekelwe kwirejista
  5. Sidibanisa i-router kwinkonzo kwaye silungiselele ukuthumela yonke i-traffic kwi-tunnel.

Esona sisombululo

Imisebenzi yokulungiselela

Kukho iinkonzo ezininzi kwi-Intanethi ezibonelela ngeVPS ngamaxabiso afanelekileyo. Ukuza kuthi ga ngoku ndifumene kwaye ndisebenzisa inketho ye-$ 9 / ngonyaka, kodwa nangona ungakhathazeki kakhulu, kukho iindlela ezininzi ze-1E / inyanga kwikona nganye. Umbuzo wokukhetha i-VPS ulele ngaphaya kobubanzi beli nqaku, ngoko ke ukuba umntu akayiqondi into malunga nale nto, cela kwizimvo.

Ukuba usebenzisa i-VPS kungekhona kuphela kwinkonzo yomzila, kodwa kunye nokuphelisa i-tunnel kuyo, kufuneka uphakamise le ngqungquthela kwaye, ngokuqinisekileyo, ulungiselele i-NAT kuyo. Kukho inani elikhulu lemiyalelo kwezi zenzo kwi-Intanethi, andiyi kuphinda apha. Imfuno ephambili yetonela enjalo kukuba kufuneka idale ujongano oluhlukeneyo kwi-router yakho exhasa itonela ukuya kwiVPS. Uninzi lweetekhnoloji ezisetyenzisiweyo zeVPN ziyahlangabezana nale mfuneko - umzekelo, i-OpenVPN kwimowudi ye-tun igqibelele.

Ukufumana ikopi yobhaliso

Njengoko uJabrail watshoyo, “Lowo usithintelayo uya kusinceda.” Ekubeni i-RKN idala irejista yemithombo evinjiweyo, kuya kuba sisono ukungasebenzisi le rejista ukusombulula ingxaki yethu. Siya kufumana ikopi yobhaliso kwi-github.

Siya kumncedisi wakho we Linux, siwela kumxholo wengcambu (sudo su -) kwaye ufake i-git ukuba ayikafakwa.

apt install git

Yiya kuluhlu lwakho lwasekhaya kwaye ukhuphe ikopi yobhaliso.

cd ~ && git clone --depth=1 https://github.com/zapret-info/z-i 

Siseta uhlaziyo lwe-cron (ndiyenza kanye yonke imizuzu ye-20, kodwa unokukhetha naliphi na ixesha elinomdla kuwe). Ukwenza oku siqalisa i-crontab -e kwaye wongeze umgca olandelayo kuyo:

*/20 * * * * cd ~/z-i && git pull && git gc

Sidibanisa ikhonkco eya kudala iifayile zenkonzo yomzila emva kokuhlaziya irejista. Ukwenza oku, yenza ifayile /root/zi/.git/hooks/post-merge ngomxholo olandelayo:

#!/usr/bin/env bash
changed_files="$(git diff-tree -r --name-only --no-commit-id ORIG_HEAD HEAD)"
check_run() {
    echo "$changed_files" | grep --quiet "$1" && eval "$2"
}
check_run dump.csv "/root/blacklist/makebgp"

kwaye ungalibali ukuyenza iphunyezwe

chmod +x /root/z-i/.git/hooks/post-merge

Siza kudala iskripthi se-makebgp ikhonkco elibhekisa kuyo kamva kancinane.

Ukufakela kunye nokuqwalasela inkonzo yendlela

Faka intaka. Ngelishwa, inguqulelo yentaka eposwe ngoku kwindawo yokugcina Ubuntu ithelekiseka kubutsha kwi-Archeopteryx ilindle, ke kufuneka siqale songeze iPPA esemthethweni yabaphuhlisi besoftware kwinkqubo.

add-apt-repository ppa:cz.nic-labs/bird
apt update
apt install bird

Emva koku, sivala ngokukhawuleza intaka ye-IPv6 - asiyi kuyidinga kolu fakelo.

systemctl stop bird6
systemctl disable bird6

Ngezantsi yifayile yoqwalaselo yenkonzo yeentaka (/etc/bird/bird.conf), esanele thina (kwaye ndiyakukhumbuza kwakhona ukuba akukho mntu ukwalela ukuphuhlisa nokulungisa umbono ukuze ulungele iimfuno zakho)

log syslog all;
router id 172.30.1.1;

protocol kernel {
        scan time 60;
        import none;
#       export all;   # Actually insert routes into the kernel routing table
}

protocol device {
        scan time 60;
}

protocol direct {
        interface "venet*", "tun*"; # Restrict network interfaces it works with
}

protocol static static_bgp {
        import all;
        include "pfxlist.txt";
        #include "iplist.txt";
}

protocol bgp OurRouter {
        description "Our Router";
        neighbor 81.177.103.94 as 64999;
        import none;
        export where proto = "static_bgp";
        local as 64998;
        passive off;
        multihop;
}

i-id ye-router - isazisi se-router, esibukeka njengedilesi ye-IPv4, kodwa ayikho enye. Kwimeko yethu, ingaba nayiphi na inombolo ye-32-bit kwifomathi yedilesi ye-IPv4, kodwa ifom efanelekileyo ukubonisa ngokuchanekileyo idilesi ye-IPv4 yesixhobo sakho (kule meko, i-VPS).

iprotocol ngqo ichaza ukuba loluphi ujongano oluya kusebenza nenkqubo yomzila. Umzekelo unika isibini samagama emizekelo, unokongeza amanye. Unokwenza ngokulula ukucima umgca kulo mzekelo, umncedisi uya kumamela zonke iindawo ezifumanekayo ngedilesi ye IPv4.

iprotocol static ngumlingo wethu olayisha uluhlu lwezimaphambili kunye needilesi ze IP (eziyinyani /32 izimaphambili, kunjalo) ukusuka kwiifayile zesibhengezo esilandelayo. Apho olu luhlu luvela khona kuya kuxoxwa ngezantsi. Nceda uqaphele ukuba ukulayisha iidilesi ze-IP kuphawulwe ngokungagqibekanga, isizathu salokhu ngumthamo omkhulu wokulayisha. Ukuthelekisa, ngexesha lokubhala, kukho imigca ye-78 kuluhlu lwezimaphambili, kunye ne-85898 kuluhlu lweedilesi ze-IP Ndincoma kakhulu ukuqala kunye nokulungiswa kweengxaki kuphela kuluhlu lwezimaphambili, kunye nokuba okanye ukwenza ukuba i-IP ilayishe. ikamva lixhomekeke kuwe ukuba wenze isigqibo emva kokuzama umzila wakho. Ayizizo zonke ezinokuthi zetyise ngokulula amangeniso angamawaka angama-85 kwitafile yomzila.

Iprotocol bgp, eneneni, imisela i-bgp yokujonga nge-router yakho. Idilesi ye-IP yidilesi ye-interface yangaphandle ye-router (okanye idilesi ye-tunnel interface kwicala le-router), i-64998 kunye ne-64999 amanani eenkqubo ezizimeleyo. Kule meko, banokwabelwa ngohlobo lwawo nawaphi na amanani e-16-bit, kodwa yinto efanelekileyo yokusebenzisa amanani e-AS ukusuka kuluhlu lwabucala oluchazwe yi-RFC6996 - 64512-65534 equkayo (kukho ifomathi ye-32-bit ASNs, kodwa kwimeko yethu oku kugqithise kakhulu). Uqwalaselo oluchaziweyo lusebenzisa i-eBGP peering, apho amanani eenkqubo ezizimeleyo zenkonzo yomzila kunye ne-router kufuneka ihluke.

Njengoko ubona, inkonzo idinga ukwazi idilesi ye-IP ye-router, ngoko ke ukuba unayo idilesi yangasese eguquguqukayo okanye engatshintshiyo (RFC1918) okanye ekwabelwana ngayo (RFC6598), awunalo ukhetho lokuphakamisa ukujonga ngaphandle. ujongano, kodwa inkonzo isasebenza ngaphakathi kwitonela.

Kukwacace gca ukuba kwinkonzo enye unokubonelela ngeendlela kwiirotha ezininzi ezahlukeneyo - phinda nje useto kubo ngokukopa icandelo leprotocol bgp kwaye utshintshe idilesi ye-IP yommelwane. Yiyo loo nto umzekelo ubonisa useto lokukroba ngaphandle kwetonela, njengelona lizwe liphela. Kulula ukuwasusa kwitonela ngokutshintsha iidilesi ze-IP kwizicwangciso ngokufanelekileyo.

Kusenziwa ubhaliso lwenkonzo yomzila

Ngoku sifuna, enyanisweni, ukwenza uluhlu lwezimaphambili kunye needilesi ze-IP, ezikhankanywe kwi-protocol static kwinqanaba langaphambili. Ukwenza oku, sithatha ifayile yobhaliso kwaye senze iifayile esizifunayo kuyo ngokusebenzisa iskripthi esilandelayo, esifakwe kuyo /root/blacklist/makebgp

#!/bin/bash
cut -d";" -f1 /root/z-i/dump.csv| tr '|' 'n' |  tr -d ' ' > /root/blacklist/tmpaddr.txt
cat /root/blacklist/tmpaddr.txt | grep / | sed 's_.*_route & reject;_' > /etc/bird/pfxlist.txt
cat /root/blacklist/tmpaddr.txt | sort | uniq | grep -Eo "([0-9]{1,3}[.]){3}[0-9]{1,3}" | sed 's_.*_route &/32 reject;_' > /etc/bird/iplist.txt
/etc/init.d/bird reload
logger 'bgp list compiled'

Ungalibali ukuyenza iphunyezwe

chmod +x /root/blacklist/makebgp

Ngoku ungayiqhuba ngesandla kwaye ujonge ukubonakala kweefayile kwi /etc/bird.

Ngokunokwenzeka, intaka ayisebenzi kuwe ngalo mzuzu, kuba kwinqanaba langaphambili uyicelile ukuba ijonge iifayile ebezingekabikho. Ke ngoko, siyayisungula kwaye sijonge ukuba iqalile:

systemctl start bird
birdc show route

Imveliso yomyalelo wesibini kufuneka ibonise malunga neerekhodi ezingama-80 (le nto okwangoku, kodwa xa uyimisa, yonke into iya kuxhomekeka kwinzondelelo ye-RKN ekuthinteleni uthungelwano) into enje:

54.160.0.0/12      unreachable [static_bgp 2018-04-19] * (200)

Iqela

birdc show protocol

izakubonisa ubume beprothokholi ngaphakathi kwenkonzo. Ude uqwalasele i-router (jonga inqaku elilandelayo), i-OurRouter protocol iya kuba kwindawo yokuqala (Qhagamshela okanye i-Active phase), kwaye emva koqhagamshelo oluyimpumelelo luya ku-up state (isigaba esisekiweyo). Umzekelo, kwindlela yam imveliso yalo myalelo ibonakala ngolu hlobo:

BIRD 1.6.3 ready.
name     proto    table    state  since       info
kernel1  Kernel   master   up     2018-04-19
device1  Device   master   up     2018-04-19
static_bgp Static   master   up     2018-04-19
direct1  Direct   master   up     2018-04-19
RXXXXXx1 BGP      master   up     13:10:22    Established
RXXXXXx2 BGP      master   up     2018-04-24  Established
RXXXXXx3 BGP      master   start  2018-04-22  Connect       Socket: Connection timed out
RXXXXXx4 BGP      master   up     2018-04-24  Established
RXXXXXx5 BGP      master   start  2018-04-24  Passive

Ukuqhagamshela irutha

Wonke umntu mhlawumbi udiniwe kukufunda eli laphu leenyawo, kodwa yiba nesibindi - isiphelo sisondele. Ngaphezu koko, kweli candelo andiyi kukwazi ukunika imiyalelo yesinyathelo ngesinyathelo - iya kuba yinto eyahlukileyo kumenzi ngamnye.

Nangona kunjalo, ndingakubonisa imizekelo embalwa. Eyona ngqiqo iphambili kukuphakamisa iBGP yokujonga kwaye yabele i-nexthop kuzo zonke izimaphambili ezifunyenweyo, zikhomba kwitonela yethu (ukuba sifuna ukuthumela i-traffic nge-interface ye-p2p) okanye idilesi ye-IP ye-nexthop ukuba i-traffic iya kwi-ethernet).

Ngokomzekelo, kwiMikrotik kwi-RouterOS oku kusonjululwe ngolu hlobo lulandelayo

/routing bgp instance set default as=64999 ignore-as-path-len=yes router-id=172.30.1.2
/routing bgp peer add in-filter=dynamic-in multihop=yes name=VPS remote-address=194.165.22.146 remote-as=64998 ttl=default
/routing filter add action=accept chain=dynamic-in protocol=bgp comment="Set nexthop" set-in-nexthop=172.30.1.1

nakwiCisco IOS - ngolu hlobo

router bgp 64999
  neighbor 194.165.22.146 remote-as 64998
  neighbor 194.165.22.146 route-map BGP_NEXT_HOP in
  neighbor 194.165.22.146 ebgp-multihop 250
!
route-map BGP_NEXT_HOP permit 10
  set ip next-hop 172.30.1.1

Ukuba itonela efanayo isetyenziswa kokubini kwi-BGP yokujonga kunye nokuhambisa i-traffic eluncedo, akuyomfuneko ukuseta i-nexthop iya kucwangciswa ngokuchanekileyo usebenzisa umthetho olandelwayo. Kodwa ukuba uyibeka ngesandla, ayiyi kuyenza ibe mbi kakhulu.

Kwezinye iiplatifomu, kuya kufuneka uqikelele uqwalaselo ngokwakho, kodwa ukuba unobunzima, bhala kwizimvo, ndiya kuzama ukunceda.

Emva kokuba iseshoni yakho ye-BGP iqalile, iindlela eziya kwiinethiwekhi ezinkulu zifikile kwaye zifakwe etafileni, i-traffic iqhubekile ukuya kwiidilesi ezivela kubo kwaye ulonwabo lusondele, ungabuyela kwinkonzo yeentaka kwaye uzame ukukhulula ukungena apho okudibanisa uluhlu lweedilesi ze IP, yenza emva koko

systemctl reload bird

kwaye ubone indlela i-router yakho edlulise ngayo ezi ndlela ezingama-85 amawaka. Zilungiselele ukukhupha kwaye ucinge malunga nokuba wenze ntoni ngayo :)

Iyonke

Ngokucacileyo ithiyori, emva kokugqiba amanyathelo achazwe ngasentla, ngoku unenkonzo ebuyisela ngokuzenzekelayo i-traffic kwiidilesi ze-IP ezivaliweyo kwi-Russian Federation edlulileyo inkqubo yokucoca.

Ewe, inokuphuculwa. Umzekelo, kulula kakhulu ukushwankathela uluhlu lweedilesi ze-IP usebenzisa izisombululo ze-perl okanye zepython. Isikripthi esilula sePerl sisenza oku kusetyenziswa i-Net ::CIDR::Lite ijika ama-85 amawaka ezimaphambili ku-60 (hayi iwaka), kodwa, kunjalo, igubungela uluhlu olukhulu kakhulu lweedilesi kunokuba ivaliwe.

Ekubeni inkonzo isebenza kwinqanaba lesithathu le-ISO / OSI imodeli, ayiyi kukusindisa ekuthinteleni isayithi / iphepha ukuba lisombulula kwidilesi engalunganga njengoko ibhalwe kwirejista. Kodwa kunye nerejista, ifayile nxdomain.txt ifika kwi-github, enemivimbo embalwa yeskripthi ijika ngokulula ibe ngumthombo weedilesi, umzekelo, i-plugin ye-SwitchyOmega kwi-Chrome.

Kwakhona kuyimfuneko ukukhankanya ukuba isisombululo sidinga ukulungiswa okongeziweyo ukuba awuyena nje umsebenzisi we-Intanethi, kodwa uphinde upapashe ezinye izixhobo ngokwakho (umzekelo, i-website okanye i-imeyile iseva isebenza kulo xhulumaniso). Ukusebenzisa iindlela ze-router, kuyimfuneko ukubopha ngokungqongqo i-traffic ephumayo kule nkonzo kwidilesi yakho yoluntu, ngaphandle koko uya kulahlekelwa uxhulumaniso kunye nezo zixhobo ezigutyungelwe luluhlu lwezimaphambili ezifunyenwe yi-router.

Ukuba unayo nayiphi na imibuzo, buza, ndikulungele ukuphendula.

UPD. Enkosi inqanawa и TerAnYu yeparameters yegit evumela ukunciphisa umthamo wokhuphelo.

UPD2. Balingane, kubonakala ngathi ndenze iphutha ngokungafaki imiyalelo yokumisela i-tunnel phakathi kweVPS kunye ne-router kwinqaku. Mininzi imibuzo ephakanyiswa koku.
Ukuba kunokwenzeka, ndiza kuphinda ndiqaphele ukuba ngaphambi kokuba uqale esi sikhokelo, sele ulungelelanise itonela yeVPN kwicala olifunayo kwaye ujonge ukusebenza kwayo (umzekelo, ngokujika itrafikhi apho ngokungagqibekanga okanye ngokwezibalo). Ukuba awukasigqibi esi sigaba okwangoku, akukho ngqiqweni ukulandela amanyathelo kwinqaku. Andinayo eyam isicatshulwa kule nto okwangoku, kodwa ukuba uGoogle "useka iseva ye-OpenVPN" kunye negama lenkqubo yokusebenza efakwe kwi-VPS, kunye "nokuseta umxhasi we-OpenVPN" ngegama lomzila wakho. , uya kufumana amanqaku amaninzi kulo mbandela, kuquka neHabré.

UPD3. Ukungancamanga Ndibhale ikhowudi ejika i-dump.csv ibe yifayile enesiphumo sentaka kunye nesishwankathelo esisikhethelo seedilesi ze-IP. Ke ngoko, icandelo elithi "Ukuqhuba irejistri yenkonzo yomzila" inokutshintshwa ngokubiza inkqubo yayo. https://habr.com/post/354282/#comment_10782712

UPD4. Umsebenzi omncinci kwiimpazamo (andizongezi kwisicatshulwa):
1) endaweni yoko i-systemctl layisha kwakhona intaka kunengqiqo ukusebenzisa umyalelo birdc qwalasela.
2) kwi-router ye-Mikrotik, endaweni yokutshintsha i-nexthop kwi-IP yecala lesibini letonela. /isihluzi sendlela yongeza intshukumo=yamkela ityathanga=inkqubo-eguquguqukayo-kwiprotocol=bgp comment=»Seta nexthop» set-in-nexthop=172.30.1.1 kunengqiqo ukucacisa indlela ngokuthe ngqo kwi-interface yetonela, ngaphandle kwedilesi /isihluzi sendlela yongeza intshukumo=yamkela ityathanga=inkqubo-eguqukayo-kwindlela yomthetho=bgp comment=»Seta i-nexthop» set-in-nexthop-direct=<igama lojongano>

UPD5. Kuvele inkonzo entsha https://antifilter.download, ukusuka apho unokuthatha khona uluhlu esele lulungisiwe lweedilesi ze-IP. Ihlaziywa rhoqo ngesiqingatha seyure. Kwicala lomxhasi, konke okuseleyo kukucwangcisa iirekhodi kunye "nendlela ... yenqaba".
Kwaye ngeli xesha, mhlawumbi, kwanele ukukrazula ugogo wakho kwaye uhlaziye inqaku.

UPD6. Inguqulelo ehlaziyiweyo yenqaku kwabo bangafuniyo ukuyifumanisa, kodwa bafuna ukuqalisa - apha.

umthombo: www.habr.com

Yongeza izimvo