Setting up WireGuard on a Mikrotik router running OpenWrt

In most cases connecting a router to a VPN is not difficult, but if you want to protect the whole network and keep a good connection speed at the same time, the best solution is to use the WireGuard VPN tunnel.

Mikrotik routers have proven to be reliable and very flexible solutions, but unfortunately RouterOS still has no WireGuard support, and it is not known when it will appear or in what form. It recently became known that the developers of the WireGuard VPN tunnel proposed a patch set that would make their VPN tunneling software part of the Linux kernel; we hope this will contribute to its adoption in RouterOS.

But for now, unfortunately, to configure WireGuard on a Mikrotik router you need to change the firmware.

Flashing the Mikrotik, installing and configuring OpenWrt

First you need to make sure that OpenWrt supports your model. You can check how a model corresponds to its marketing name and picture at mikrotik.com.

Go to openwrt.com, to the firmware download section.

For this device we need 2 files:

downloads.openwrt.org/releases/18.06.2/targets/ar71xx/mikrotik/openwrt-18.06.2-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin|elf

downloads.openwrt.org/releases/18.06.2/targets/ar71xx/mikrotik/openwrt-18.06.2-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin

You need to download both files: install and upgrade.

1. Network setup, downloading and configuring the PXE server

Download the latest version of Tiny PXE Server for Windows.

Unzip it into a separate folder. In the config.ini file, add the parameter rfc951=1 to the [dhcp] section. This parameter is the same for all Mikrotik models.

Let's move on to the network settings: you need to assign a static IP address to one of your computer's network interfaces.

IP address: 192.168.1.10
Netmask: 255.255.255.0

Run Tiny PXE Server as Administrator and, in the DHCP Server field, select the server with the address 192.168.1.10

On some versions of Windows this interface may appear only after an Ethernet connection is established. I recommend plugging in the router and immediately connecting the router and the PC with a patch cord.

Press the "..." button (bottom right) and specify the folder where you downloaded the Mikrotik firmware files.

Select the file whose name ends in "initramfs-kernel.bin or elf"

2. Booting the router from the PXE server

We connect the PC with a cable to the first port (wan, internet, poe in, ...) of the router. After that, we take a toothpick and push it into the hole labelled "Reset".

We turn on the router's power and wait 20 seconds, then release the toothpick.
Within the next minute, the following messages should appear in the Tiny PXE Server window:

If the message appears, you are on the right track!

Restore the settings on the network adapter and set it to obtain its address dynamically (via DHCP).

Connect to the LAN ports of the Mikrotik router (2…5 in our case) using the same patch cord. Just move it from the first port to the second port. Open the address 192.168.1.1 in a browser.

Log in to the OpenWRT administration interface and go to the "System -> Backup/Flash Firmware" menu section.

In the "Flash new firmware image" subsection, click the "Choose file (Browse)" button.

Specify the path to the file whose name ends in "-squashfs-sysupgrade.bin".

After that, click the "Flash Image" button.

In the next window, click the "Proceed" button. The firmware will begin uploading to the router.

!!! UNDER NO CIRCUMSTANCES DISCONNECT THE ROUTER'S POWER DURING THE FIRMWARE PROCESS !!!

After flashing and rebooting the router, you will have a Mikrotik running OpenWRT firmware.

Possible problems and solutions

Many Mikrotik devices released in 2019 use a FLASH-NOR memory chip of the GD25Q15 / Q16 type. The problem is that when flashing, the data about the device model is not saved.

If you see the error "The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform." then the problem is most likely in the flash.

This is easy to check: run the following command in the device terminal to check the model ID

root@OpenWrt: cat /tmp/sysinfo/board_name

And if you get the answer "unknown", you need to specify the device model manually in the form "rb-951-2nd"

To get the device model, run the command

root@OpenWrt: cat /tmp/sysinfo/model
MikroTik RouterBOARD RB951-2nd

After getting the device model, set it manually:

echo 'rb-951-2nd' > /tmp/sysinfo/board_name

After that, you can flash the device through the web interface or with the "sysupgrade" command.

Create a VPN server with WireGuard

If you already have a server with WireGuard configured, you can skip this step.
To set up a personal VPN server I will use the MyVPN.RUN application, about which I have already published a review.

Configuring the WireGuard client on OpenWRT

Connect to the router over SSH:

ssh [email protected]

Install WireGuard:

opkg update
opkg install wireguard

Prepare the configuration (copy the code below into a file, replace the indicated values with your own and run it in the terminal).

If you use MyVPN, in the configuration below you only need to change WG_SERV (the server IP), WG_KEY (the private key from the wireguard configuration file) and WG_PUB (the public key).

WG_IF="wg0"
WG_SERV="100.0.0.0" # server IP address
WG_PORT="51820" # wireguard port
WG_ADDR="10.8.0.2/32" # wireguard address range

WG_KEY="xxxxx" # private key
WG_PUB="xxxxx" # public key

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"

uci add_list network.${WG_IF}.addresses="${WG_ADDR}"

# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key=""
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/1"
uci add_list network.wgserver.allowed_ips="128.0.0.0/1"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

That completes the WireGuard setup! Now all traffic from all connected devices is protected by the VPN connection.
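
WireGuard brings wg0 up even when the keys or the endpoint are wrong, so the tunnel is worth checking before relying on it. The following added example (not part of the original article) parses the output of `wg show wg0 dump` and reports whether the peer has a recent handshake and carries all three allowed_ips ranges set by the script above; the 180-second threshold, the function names and the placeholder keys in the sample are assumptions.

```shell
#!/bin/sh
# Added example: verdict on `wg show wg0 dump` output read from stdin.
# Peer lines are tab-separated: public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake, transfer-rx, transfer-tx, persistent-keepalive.

MAX_AGE=180  # assumption: seconds after which a handshake counts as stale

# check_wg_dump NOW: prints one verdict word, returns 0 only for "ok"
check_wg_dump() {
    awk -F '\t' -v now="$1" -v max="$MAX_AGE" '
        NR == 1 { next }                  # first line is the interface itself
        {
            peers++
            if ($5 == 0)        { v = "no-handshake";    exit }
            if (now - $5 > max) { v = "stale-handshake"; exit }
            n = split($4, nets, ","); have = 0
            for (i = 1; i <= n; i++)
                if (nets[i] == "0.0.0.0/1" || nets[i] == "128.0.0.0/1" || nets[i] == "::/0")
                    have++
            if (have < 3)       { v = "partial-routes";  exit }
            v = "ok"
        }
        END {
            if (!peers) v = "no-peer"
            print v
            exit (v == "ok" ? 0 : 1)
        }'
}

# sample_dump HANDSHAKE ALLOWED_IPS: constructed dump with placeholder keys;
# the endpoint reuses WG_SERV and WG_PORT from the script above
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' PRIVKEY_PLACEHOLDER IFPUB_PLACEHOLDER 40000 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' PEERPUB_PLACEHOLDER "(none)" \
        100.0.0.0:51820 "$2" "$1" 1024 2048 25
}

# Constructed run: handshake 100 s before "now", all three ranges present
sample_dump 1700000000 "0.0.0.0/1,128.0.0.0/1,::/0" | check_wg_dump 1700000100
```

On the router, feed it live data with `wg show wg0 dump | check_wg_dump "$(date +%s)"`.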

Source: www.habr.com
