Setting up WireGuard on a Mikrotik router running OpenWrt

In most cases, connecting a router to a VPN is not difficult, but if you want to protect the entire network while keeping the best possible connection speed, the best solution is to use a WireGuard VPN tunnel.

Mikrotik routers have proven to be reliable and very flexible solutions, but unfortunately RouterOS still has no WireGuard support, and it is not known when it will appear or in what form. It recently became known that the developers of the WireGuard VPN tunnel have proposed a patch set that would make their VPN tunneling software part of the Linux kernel; we hope this will contribute to its adoption in RouterOS.

But for now, unfortunately, to configure WireGuard on a Mikrotik router you need to change the firmware.

Flashing the Mikrotik, installing and configuring OpenWrt

First you need to make sure that OpenWrt supports your model. You can check which model corresponds to a marketing name and picture at mikrotik.com.

Go to openwrt.com, to the firmware download section.

For this device, we need 2 files:

downloads.openwrt.org/releases/18.06.2/targets/ar71xx/mikrotik/openwrt-18.06.2-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin|elf

downloads.openwrt.org/releases/18.06.2/targets/ar71xx/mikrotik/openwrt-18.06.2-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin

You need to download both files: install and upgrade.

1. Network setup, downloading and configuring the PXE server

Download the latest version of Tiny PXE Server for Windows.

Unpack it into a separate folder. In the config.ini file, add the parameter rfc951=1 to the [dhcp] section. This parameter is the same for all Mikrotik models.

Let's move on to the network settings: you need to assign a static IP address to one of your computer's network interfaces.

IP address: 192.168.1.10
Netmask: 255.255.255.0

Run Tiny PXE Server as Administrator and, in the DHCP Server field, select the server with the address 192.168.1.10

On some versions of Windows, this interface may appear only after an Ethernet connection is established. I recommend connecting the router and immediately linking the router and the PC with a patch cable.

Click the "..." button (bottom right) and specify the folder where you downloaded the firmware files for Mikrotik.

Select the file whose name ends with "initramfs-kernel.bin or elf"

2. Booting the router from the PXE server

We connect the PC by cable to the first port (wan, internet, poe in, ...) of the router. After that, we take a toothpick and insert it into the hole labelled "Reset".

We turn on the router's power and wait 20 seconds, then release the toothpick.
Within the next minute, the following messages should appear in the Tiny PXE window:

If the message appears, you are on the right track!

Restore the settings on the network adapter and set it to obtain an address dynamically (via DHCP).

Connect to the LAN ports of the Mikrotik router (2…5 in our case) using the same patch cable. Simply move it from the 1st port to the 2nd port. Open the address 192.168.1.1 in a browser.

Log in to the OpenWRT administration interface and go to the "System -> Backup / Flash Firmware" menu section

In the "Flash new firmware image" section, click the "Choose file (Browse)" button.

Specify the path to the file whose name ends with "-squashfs-sysupgrade.bin".

After that, click the "Flash Image" button.

In the next window, click the "Proceed" button. The firmware will start uploading to the router.

!!! Under no circumstances disconnect the router's POWER during the flashing process !!!

After flashing and rebooting the router, you will have a Mikrotik with OpenWRT firmware.

Possible problems and solutions

Many Mikrotik devices released in 2019 use a FLASH-NOR memory chip of type GD25Q15 / Q16. The problem is that, when flashing, the device model data is not saved.

If you see the error "The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform." then the problem is most likely in the flash.

This is easy to check: run the command to check the model ID in the device terminal

root@OpenWrt: cat /tmp/sysinfo/board_name

And if you get the answer "unknown", then you need to specify the device model manually, in the form "rb-951-2nd"

To get the device model, run the command

root@OpenWrt: cat /tmp/sysinfo/model
MikroTik RouterBOARD RB951-2nd

After obtaining the device model, set it manually:

echo 'rb-951-2nd' > /tmp/sysinfo/board_name

After that, you can flash the device through the web interface or using the "sysupgrade" command.

Creating a VPN server with WireGuard

If you already have a server with WireGuard configured, you can skip this step.
I will use the MyVPN.RUN application to set up a personal VPN server; I have already published a review of it.

Configuring the WireGuard client on OpenWRT

Connect to the router via SSH:

ssh [email protected]

Install WireGuard:

opkg update
opkg install wireguard

Prepare the configuration (copy the code below into a file, replace the indicated values with your own, and run it in the terminal).

If you are using MyVPN, then in the configuration below you only need to change WG_SERV (the server IP), WG_KEY (the private key from the wireguard configuration file) and WG_PUB (the public key).

WG_IF="wg0"
WG_SERV="100.0.0.0" # server IP address
WG_PORT="51820" # wireguard port
WG_ADDR="10.8.0.2/32" # wireguard address range

WG_KEY="xxxxx" # private key (of this client; set on the interface below)
WG_PUB="xxxxx" # public key (of the server; set on the peer below)

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"

uci add_list network.${WG_IF}.addresses="${WG_ADDR}"

# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key=""
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/1"
uci add_list network.wgserver.allowed_ips="128.0.0.0/1"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

This completes the WireGuard setup! Now all traffic from all connected devices is protected by the VPN connection.
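
The statement above can be checked on the router itself. The script below is an added example, not part of the original article; it assumes the interface name wg0 from the configuration script and an `ip` command that supports `route get`, and the probe address 192.0.2.1 is a documentation address chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the article. The helpers read command output on
# stdin, so they can be tried on constructed samples as well as on the router.

# handshake_age NOW: stdin is `wg show wg0 latest-handshakes`, one line per
# peer: "<peer public key><TAB><unix time>" (time is 0 before any handshake).
# Prints the age in seconds of the newest handshake, or "never".
handshake_age() {
    awk -v now="$1" '
        $2 > newest { newest = $2 }
        END { if (newest > 0) print now - newest; else print "never" }'
}

# tunnel_is_live NOW: true only if a handshake completed in the last 180 s.
# An active WireGuard session re-handshakes roughly every two minutes, and the
# script above sets persistent_keepalive=25, so an older value means the
# tunnel is down even though the wg0 interface still exists.
tunnel_is_live() {
    age=$(handshake_age "$1")
    [ "$age" != "never" ] && [ "$age" -le 180 ]
}

# route_dev: stdin is `ip route get <address>`; prints the word after "dev",
# i.e. the interface the kernel would actually send that packet through.
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Run the checks only where the wg tool is installed (i.e. on the router).
WG_IF="wg0"                 # same name as in the configuration script
PROBE="192.0.2.1"           # assumption: documentation address, inside 128.0.0.0/1
if command -v wg >/dev/null 2>&1; then
    wg show "$WG_IF" latest-handshakes | tunnel_is_live "$(date +%s)" ||
        echo "WARNING: no recent handshake on $WG_IF"
    [ "$(ip route get "$PROBE" | route_dev)" = "$WG_IF" ] ||
        echo "WARNING: traffic to $PROBE does not leave through $WG_IF"
fi
```

No output means both checks passed; a warning means client traffic may be leaving through the WAN port unencrypted.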

source: www.habr.com