Speeding up OpenVPN on an OpenWrt router: a variant of the recipe without a soldering iron or hardware extremism

Hello everyone. I recently read an old article about how to speed up OpenVPN on a router by moving the encryption to a separate device soldered into the router itself. I have a similar case to the author's: a TP-Link WDR3500 with 128 megabytes of RAM and a weak processor that is completely unable to cope with encrypting the tunnels. However, I really did not want to go into the router with a soldering iron. Below is my experience of moving OpenVPN to a separate device, with a fallback to the router in case of failure.

The task

We have a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to do the tunnel encryption in normal operation and, should anything happen to it, VPN service to fall back to the router. All firewall settings on the router should keep working as before. In general, the extra device should be transparent and go unnoticed by everyone. OpenVPN runs over TCP (which is also what allows a plain TCP proxy to stand in front of it), and the TAP adapter is in bridge mode (server-bridge).

The solution

Instead of connecting via USB, I decided to use one of the router's ports and hand all the VPN-bridged subnets to the Orange Pi. The device then sits on the same networks as the VPN server on the router. After that we install exactly the same servers on the Orange Pi, and on the router we set up a kind of proxy that forwards all incoming connections to the external server and, if the Orange Pi is dead or absent, to the internal fallback server. I took HAProxy.

It works out like this:

  1. A client arrives
  2. If the external server is not available, the connection goes to the internal server, as before
  3. If it is available, the client gets through to the Orange Pi
  4. OpenVPN on the Orange Pi decrypts the packets and releases them back into the router
  5. The router routes them wherever they need to go

Implementation example

So, say we have two networks on the router, main (1) and guest (2), and for each of them there is an OpenVPN server for connecting from outside.

Network configuration

We need to carry both networks over a single port, so we create two VLANs.

On the router, in the Network / Switch section, create the VLANs (for example 1 and 2) and enable them in tagged mode on the chosen port, then add the new eth0.1 and eth0.2 to the corresponding networks (for example, put them into the bridge). The IDs here are only an example: check in /etc/config/network which VLAN IDs the firmware already uses for its own LAN and WAN before picking, so that the tagged port does not end up carrying an existing VLAN under a different meaning.

On the Orange Pi we create two VLAN interfaces (I have Arch Linux ARM with netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And right away two bridges on top of them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all four profiles (netctl enable). After a reboot the Orange Pi will now sit on both required networks. The addresses of the Orange Pi's interfaces are pinned via Static Leases on the router.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever
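A check for the Orange Pi side, added here as an example and not part of the original article: it parses the text of ip addr show and confirms that each VLAN sub-interface is UP and enslaved to the intended bridge, and that the bridge holds an IPv4 address. Interface names are the ones used above; the embedded sample is the output shown above, abridged and constructed for the offline demo, and LIVE=1 runs the same checks against the real system.

```sh
#!/bin/sh
# Sanity check for the Orange Pi bridge layout: each VLAN sub-interface must be
# UP and enslaved to its bridge, and the bridge must hold an IPv4 address.
# The functions read "ip addr show" text on stdin so they can be run offline.

# Print "<state> <master>" for interface $1 ("-" for master when not enslaved).
iface_state() {
    awk -v ifc="$1" '
        $1 ~ /^[0-9]+:$/ && ($2 == (ifc ":") || index($2, ifc "@") == 1) {
            master = "-"; state = "-"
            for (i = 3; i <= NF; i++) {
                if ($i == "master") master = $(i + 1)
                if ($i == "state")  state  = $(i + 1)
            }
            print state, master
        }'
}

# Print the IPv4 address(es) of interface $1, one per line.
iface_inet4() {
    awk -v ifc="$1" '
        $1 ~ /^[0-9]+:$/ { cur = $2; sub(/[@:].*/, "", cur) }
        cur == ifc && $1 == "inet" { print $2 }'
}

# Exit 0 when VLAN sub-interface $1 is UP inside bridge $2 and the bridge has
# an address; otherwise say what is wrong and return 1.
check_bridge() {
    ifc=$1; br=$2; dump=$(cat)
    set -- $(printf '%s\n' "$dump" | iface_state "$ifc")
    state=${1:-missing}; master=${2:-none}
    [ "$state" = "UP" ]   || { echo "$ifc: state $state, expected UP"; return 1; }
    [ "$master" = "$br" ] || { echo "$ifc: master $master, expected $br"; return 1; }
    addr=$(printf '%s\n' "$dump" | iface_inet4 "$br" | head -n 1)
    [ -n "$addr" ] || { echo "$br: no IPv4 address"; return 1; }
    echo "$ifc -> $br ($addr) ok"
}

# Constructed sample: the "ip addr show" output from the article, abridged.
SAMPLE_IP_ADDR='4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest'

if [ "${LIVE:-0}" = 1 ]; then
    ip addr show | check_bridge vlan-main br-main
    ip addr show | check_bridge vlan-guest br-guest
else
    printf '%s\n' "$SAMPLE_IP_ADDR" | check_bridge vlan-main br-main
    printf '%s\n' "$SAMPLE_IP_ADDR" | check_bridge vlan-guest br-guest
fi
```

Run it from a timer after boot: a VLAN interface that came up but never joined its bridge is exactly the silent failure that leaves VPN clients connected with no traffic flowing.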

VPN configuration

Next, copy the OpenVPN settings and keys from the router. On OpenWrt the generated configs can usually be found in /tmp/etc/openvpn*.conf

OpenVPN here runs in TAP mode with server-bridge: it leases addresses from the given pool, but it does not attach the TAP device to the Linux bridge (and, since no address is assigned to the device itself, does not even bring it up). For everything to work, you need to add a script that runs when the connection comes up and does that.

/etc/openvpn/main.conf

# TAP device with a fixed name so the up script can find it
dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
key /etc/openvpn/main/main.key
dh /etc/openvpn/main/dh2048.pem
cipher AES-256-CBC
# copied from the router as-is; comp-lzo is deprecated, and compressing
# plaintext inside the TLS tunnel enables VORACLE-style attacks, so drop it
# (on server and clients at the same time) unless you depend on it
comp-lzo yes
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
# first argument is this host's bridge address; the pool 192.168.1.200-229
# is leased by OpenVPN itself and must be excluded from the router's DHCP range
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

# profile_name selects the TAP device and bridge in vpn-up.sh;
# script-security 2 is required before OpenVPN will run external scripts
setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Run by OpenVPN (script-security 2) when the TAP device has been created.
# profile_name comes from "setenv profile_name ..." in the server config and
# names both the TAP device (vpn-main) and the bridge it joins (br-main).
ip link set "vpn-${profile_name}" up
ip link set "vpn-${profile_name}" master "br-${profile_name}"

As a result, as soon as a connection comes up, the vpn-main interface is added to br-main. For the guest network everything is the same apart from the interface name and the address in server-bridge. One thing to check while copying the configs: the server-bridge pool (192.168.1.200 to .229 here) is leased by OpenVPN itself, so the router's DHCP range for that network must not include those addresses, or a LAN host and a VPN client will sooner or later share one.
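A check I would run before enabling either bridge, added here as an example and not taken from the original article: it reads the pool from the OpenVPN config text and the OpenWrt dnsmasq range from the start/limit options of /etc/config/dhcp (start is an offset from the network address, limit the number of addresses), and reports whether they collide. The server-bridge line is the one from the config above; the dhcp snippets are constructed for the demo, and the start=100/limit=150 values are an assumption, not something the article states.

```sh
#!/bin/sh
# Does the OpenVPN server-bridge pool collide with the router's DHCP range?
# Pure POSIX sh plus awk; nothing here touches the network.

# Dotted quad -> integer. Subshell body keeps the IFS change local.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# "<first> <last>" of the pool on the server-bridge line of an OpenVPN config.
bridge_pool() {   # $1 = config text
    printf '%s\n' "$1" | awk '$1 == "server-bridge" { print $4, $5 }'
}

# Value of a UCI "option <name> '<value>'" line, quotes stripped.
uci_option() {   # $1 = config text, $2 = option name
    printf '%s\n' "$1" | awk -v opt="$2" '$1 == "option" && $2 == opt { print $3 }' | tr -d "'"
}

# OpenWrt dnsmasq range as "<first> <last>": start is an offset from the
# network address, limit the number of leased addresses.
openwrt_dhcp_range() {   # $1 = network address, $2 = start, $3 = limit
    net=$(ip2int "$1")
    echo "$(int2ip $(( net + $2 ))) $(int2ip $(( net + $2 + $3 - 1 )))"
}

# Exit 0 when the ranges [$1,$2] and [$3,$4] share at least one address.
ranges_overlap() {
    a1=$(ip2int "$1"); a2=$(ip2int "$2"); b1=$(ip2int "$3"); b2=$(ip2int "$4")
    [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# Report for one network; exit 1 on collision so it can gate a deploy script.
check_pool() {   # $1 = OpenVPN config text, $2 = network address, $3 = dhcp config text
    pool=$(bridge_pool "$1")
    range=$(openwrt_dhcp_range "$2" "$(uci_option "$3" start)" "$(uci_option "$3" limit)")
    if ranges_overlap $pool $range; then
        echo "overlap: OpenVPN pool $pool collides with router DHCP range $range"
        return 1
    fi
    echo "ok: OpenVPN pool $pool is outside router DHCP range $range"
}

# From the main.conf above.
SAMPLE_MAIN_CONF="server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229"
# Constructed: lan section of /etc/config/dhcp on the router; start/limit are
# assumed values, not from the article. Range .100-.249 swallows the pool.
SAMPLE_DHCP="config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'"
# Same section with limit reduced so the range ends at .199, before the pool.
SAMPLE_DHCP_FIXED="config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '100'"

for cfg in "$SAMPLE_DHCP" "$SAMPLE_DHCP_FIXED"; do
    check_pool "$SAMPLE_MAIN_CONF" 192.168.1.0 "$cfg" || echo "  -> shrink the dnsmasq range or move the pool"
done
```

The same check applies to the guest network with 192.168.2.0 and its own server-bridge line; run it against the real files with `check_pool "$(cat /etc/openvpn/main.conf)" 192.168.1.0 "$(cat /etc/config/dhcp)"` once the router's dhcp config has been copied over.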

Routing incoming connections and the proxy

At this point the Orange Pi can already accept connections and attach clients to the right networks. All that remains is to configure the proxying of incoming connections on the router.

We move the router's own VPN servers to other ports (4443 and 4444 below; bind them to 127.0.0.1 with "local 127.0.0.1" in their configs so they are reachable only through HAProxy and not directly from the WAN), install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        # the package runs as root here; HAProxy binds its ports before dropping
        # privileges, so a dedicated unprivileged user and group would also work
        uid 0
        gid 0
        daemon

defaults
        retries 1
        # "contimeout" is the deprecated spelling of "timeout connect"
        timeout connect 1s
        # without these, idle connections are never reaped; the servers'
        # keepalive 10 60 means tunnel traffic flows at least every 10 s,
        # so five minutes can never cut a healthy tunnel
        timeout client 5m
        timeout server 5m
        option splice-auto

# "backup" servers receive connections only while every non-backup server
# has failed its health check
listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
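To see which server HAProxy is currently handing VPN connections to, and to rehearse the failover before relying on it, the script below (an added example, not part of the original article) reads the CSV that HAProxy's show stat command prints on its stats socket. It assumes a "stats socket /var/run/haproxy.sock mode 600 level admin" line in the global section, which the config above does not have, and socat on the router; the CSV embedded in the script is a constructed sample in which the Orange Pi has failed the main_vpn check but is still healthy for guest_vpn.

```sh
#!/bin/sh
# Failover check for the HAProxy front on the router. Reads "show stat" CSV
# and reports, per listen section, which server takes new VPN connections.
# Assumes (not in the article's config):
#   global: stats socket /var/run/haproxy.sock mode 600 level admin
STATS_SOCK=${STATS_SOCK:-/var/run/haproxy.sock}

# Live query of the stats socket; needs socat. Not called in the offline demo.
haproxy_show_stat() {
    echo "show stat" | socat stdio "UNIX-CONNECT:$STATS_SOCK"
}

# CSV on stdin -> "proxy server status role" for every real server.
# Columns are looked up by name from the header line, so the CSV layout
# (which differs between HAProxy versions) does not matter.
haproxy_server_states() {
    awk -F, '
        NR == 1 { sub(/^# /, ""); for (i = 1; i <= NF; i++) col[$i] = i; next }
        NF < 2 || $col["svname"] == "FRONTEND" || $col["svname"] == "BACKEND" { next }
        { role = ($col["bck"] == "1") ? "backup" : "active"
          printf "%s %s %s %s\n", $col["pxname"], $col["svname"], $col["status"], role }'
}

# CSV on stdin -> the server new connections to proxy $1 go to: the first UP
# active server, else the first UP backup, else "none" (HAProxy semantics
# without "option allbackups").
serving_server() {
    haproxy_server_states | awk -v px="$1" '
        $1 == px && $3 ~ /^UP/ {
            if ($4 == "active" && a == "") a = $2
            if ($4 == "backup" && b == "") b = $2
        }
        END { print (a != "" ? a : (b != "" ? b : "none")) }'
}

# Failover drill (live only): take the Orange Pi out of rotation, show who
# serves now, put it back. New clients land on 1-local while it is disabled.
failover_drill() {   # $1 = proxy name, e.g. main_vpn
    echo "disable server $1/0-orange" | socat stdio "UNIX-CONNECT:$STATS_SOCK"
    sleep 1
    echo "$1 now served by: $(haproxy_show_stat | serving_server "$1")"
    echo "enable server $1/0-orange" | socat stdio "UNIX-CONNECT:$STATS_SOCK"
}

# Constructed sample of "show stat" output (columns abridged): 0-orange has
# failed its check on main_vpn but is healthy on guest_vpn.
SAMPLE_STAT='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,
main_vpn,FRONTEND,,,3,5,256,41,10240,20480,0,0,0,,,,,OPEN,,,,
main_vpn,0-orange,0,0,0,4,,30,8192,16384,,0,,0,0,0,0,DOWN,1,1,0,
main_vpn,1-local,0,0,3,3,,11,2048,4096,,0,,0,0,0,0,UP,1,0,1,
main_vpn,BACKEND,0,0,3,5,26,41,10240,20480,0,0,,0,0,0,0,UP,1,1,1,
guest_vpn,FRONTEND,,,1,2,256,7,512,1024,0,0,0,,,,,OPEN,,,,
guest_vpn,0-orange,0,0,1,2,,7,512,1024,,0,,0,0,0,0,UP,1,1,0,
guest_vpn,1-local,0,0,0,0,,0,0,0,,0,,0,0,0,0,UP,1,0,1,
guest_vpn,BACKEND,0,0,1,2,26,7,512,1024,0,0,,0,0,0,0,UP,1,1,1,'

if [ "${LIVE:-0}" = 1 ]; then
    haproxy_show_stat | haproxy_server_states
else
    printf '%s\n' "$SAMPLE_STAT" | haproxy_server_states
    for px in main_vpn guest_vpn; do
        echo "$px served by: $(printf '%s\n' "$SAMPLE_STAT" | serving_server "$px")"
    done
fi
```

Disabling a server on the socket does not cut tunnels that are already established; it only steers new connections, which is what you want for a drill. To watch a real failover, pull the Orange Pi's cable instead and watch the check state flip to DOWN.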

Enjoy

If everything went according to plan, clients end up on the Orange Pi, the router's processor no longer runs hot, and VPN throughput rises noticeably. At the same time all the network rules defined on the router keep applying, because the decrypted traffic re-enters the router through the same bridged networks as before. If the Orange Pi fails, its health checks go DOWN and HAProxy sends clients to the local servers: tunnels that were open die with it, and the clients' own keepalive makes them reconnect, this time landing on the router's OpenVPN. Two side effects of the TCP proxy are worth knowing: OpenVPN on the Orange Pi sees every client arriving from the router's address, so client source IPs are gone from its logs and from anything keyed on them; and each HAProxy health check opens and immediately closes a TCP connection to the OpenVPN port, which shows up in OpenVPN's log at verb 3 as a connection reset.

Thank you for your attention; suggestions and corrections are welcome.

Source: www.habr.com
