Ngingathanda ukwabelana ngolwazi lwami lokuhlanganisa amanethiwekhi ezindlini ezintathu ezikude ngokwendawo, ngayinye esebenzisa imizila ene-OpenWRT njengesango, ibe yinethiwekhi eyodwa evamile. Lapho ukhetha indlela yokuhlanganisa amanethiwekhi phakathi kwe-L3 ne-subnet routing kanye ne-L2 nge-bridging, lapho wonke ama-node enethiwekhi ezoba ku-subnet efanayo, okuthandwayo kwanikezwa indlela yesibili, okunzima kakhulu ukuyilungisa, kodwa inikeza amathuba amakhulu, ngoba ukusetshenziswa okusobala kobuchwepheshe kwahlelwa kunethiwekhi eyakhiwa i-Wake-on-Lan ne-DLNA.
Ingxenye 1: Ingemuva
I-OpenVPN ekuqaleni yakhethwa njenge-protocol yokuqalisa lo msebenzi, ngoba, okokuqala, ingakha idivayisi empompini engafakwa ebhulohweni ngaphandle kwezinkinga, futhi okwesibili, i-OpenVPN isekela ukusebenza phezu kwe-protocol ye-TCP, eyayibalulekile futhi, ngoba ayikho. zamafulethi ayenekheli le-IP elizinikezele, futhi angikwazanga ukusebenzisa i-STUN, njengoba umhlinzeki wami ngesizathu esithile evimbela ukuxhumeka kwe-UDP okungenayo kusuka kumanethiwekhi abo, kuyilapho umthetho olandelwayo we-TCP ungivumele ukuthi ngidlulisele imbobo yeseva ye-VPN ku-VPS eqashiwe usebenzisa i-SSH. Yebo, le ndlela inikeza umthwalo omkhulu, njengoba idatha ibethelwe kabili, kodwa angizange ngifune ukwethula i-VPS kunethiwekhi yami yangasese, ngoba kwakusenengozi yokuthi abantu besithathu bathole ukulawula phezu kwayo, ngakho-ke, ukuba nedivayisi enjalo. kunethiwekhi yami yasekhaya yayingathandeki ngokwedlulele futhi kwanqunywa ukuthi kukhokhelwe ukuphepha nge-overhead enkulu.
Ukuze udlulisele ichweba kumzila okwakuhlelelwe ukuthunyelwa kuwo iseva, kwasetshenziswa uhlelo lwe-sshtunnel. Ngeke ngichaze ubunkimbinkimbi bokucushwa kwayo - kwenziwa kalula, ngizophawula nje ukuthi umsebenzi wayo bekuwukudlulisa i-TCP port 1194 isuka kumzila iye ku-VPS. Okulandelayo, iseva ye-OpenVPN yalungiselelwa kudivayisi ye-tap0, eyayixhunywe kubhuloho le-br-lan. Ngemva kokuhlola uxhumano kwiseva esanda kwakhiwa kusuka kukhompyutha ephathekayo, kwacaca ukuthi umqondo wokudlulisela imbobo wawufanelekile futhi i-laptop yami yaba yilungu lenethiwekhi ye-router, nakuba yayingekho ngokoqobo kuyo.
Kwakusele into eyodwa kuphela encane: kwakudingeka ukusabalalisa amakheli e-IP ezindlini ezihlukene ukuze angangqubuzani futhi alungiselele ama-routers njengamakhasimende e-OpenVPN.
Amakheli e-IP werutha alandelayo nobubanzi beseva ye-DHCP akhethiwe:
- 192.168.10.1 ngobubanzi 192.168.10.2 - 192.168.10.80 okweseva
- 192.168.10.100 ngobubanzi 192.168.10.101 - 192.168.10.149 yerutha efulethini No. 2
- 192.168.10.150 ngobubanzi 192.168.10.151 - 192.168.10.199 yerutha efulethini No. 3
Bekudingeka futhi ukwabela la makheli ngqo kuma-router eklayenti leseva ye-OpenVPN ngokungeza umugqa ekucushweni kwayo:
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
futhi wengeza imigqa elandelayo kufayela /etc/openvpn/ipp.txt:
flat1_id 192.168.10.100
flat2_id 192.168.10.150
lapho i-flat1_id ne-flat2_id kungamagama edivayisi ashiwo lapho kwakhiwa izitifiketi zokuxhuma ku-OpenVPN
Okulandelayo, amaklayenti e-OpenVPN alungiswa kumarutha, amadivayisi we-tap0 kuwo womabili angezwe ebhulohweni le-br-lan. Kulesi sigaba, konke kwakubonakala kuhamba kahle njengoba womathathu amanethiwekhi ayekwazi ukubonana futhi asebenze njengento eyodwa. Nokho, kwavela imininingwane engemihle neze: kwesinye isikhathi amadivayisi angathola ikheli le-IP hhayi kumzila wawo, nayo yonke imiphumela elandelayo. Ngesizathu esithile, i-router kwelinye lamafulethi yayingenaso isikhathi sokuphendula ku-DHCPDISCOVER ngesikhathi futhi idivayisi ithole ikheli elalingahlosiwe. Ngabona ukuthi ngidinga ukuhlunga izicelo ezinjalo ku-tap0 kumzila ngamunye, kodwa njengoba kwavela, iptables ayikwazi ukusebenza nedivayisi uma iyingxenye yebhuloho futhi ama-ebtables kufanele angisize. Ngokuzisola kwami, bekungekho ku-firmware yami futhi bekufanele ngakhe kabusha izithombe zedivayisi ngayinye. Ngokwenza lokhu futhi wengeze le migqa ku-/etc/rc.local yomzila ngamunye, inkinga yaxazululwa:
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
Lokhu kumiswa kwathatha iminyaka emithathu.
Ingxenye 2: Sethula i-WireGuard
Muva nje, abantu abaku-inthanethi baye baqala ukukhuluma nge-WireGuard, bencoma ubulula bokucushwa kwayo, isivinini esikhulu sokudlulisela, i-ping ephansi enokuphepha okufanayo. Ukufuna ulwazi olwengeziwe ngakho kwakwenza kwacaca ukuthi ukusebenza njengelungu lebhuloho noma ukusebenza ngephrothokholi ye-TCP kwakusekelwe yikho, okungenze ngacabanga ukuthi zazingekho ezinye izindlela ze-OpenVPN kimi. Ngakho ngakuhleka ukwazi iWireGuard.
Ezinsukwini ezimbalwa ezedlule, izindaba zasakazeka kuzo zonke izinsiza ngandlela thile ezihlobene ne-IT ukuthi i-WireGuard ekugcineni izofakwa ku-Linux kernel, iqala ngenguqulo 5.6. Izindatshana zezindaba, njengenjwayelo, zincoma i-WireGuard. Ngiphinde ngangena ekufuneni izindlela zokushintsha i-OpenVPN endala. Kulokhu ngagibela
Nakulokhu, isinqumo senziwe sivuna ukubethela okungafuneki, ngokusebenzisa i-VPN phezu kwe-VPN kusetshenziswa lolu hlelo olulandelayo:
I-VPN yezinga XNUMX:
VPS kuyinto iseva nekheli langaphakathi 192.168.30.1
MC kuyinto iklayenti I-VPS enekheli langaphakathi 192.168.30.2
MK2 kuyinto iklayenti I-VPS enekheli langaphakathi 192.168.30.3
MK3 kuyinto iklayenti I-VPS enekheli langaphakathi 192.168.30.4
I-VPN yezinga lesibili:
MC kuyinto iseva ngekheli langaphandle 192.168.30.2 kanye nelangaphakathi 192.168.31.1
MK2 kuyinto iklayenti MC enekheli elithi 192.168.30.2 futhi ine-IP yangaphakathi 192.168.31.2
MK3 kuyinto iklayenti MC enekheli elithi 192.168.30.2 futhi ine-IP yangaphakathi 192.168.31.3
* MC - router-server efulethini 1, MK2 - router efulethini 2, MK3 - router efulethini 3
* Ukulungiselelwa kwedivayisi kushicilelwa ku-spoiler ekupheleni kwesihloko.
Ngakho-ke, ama-pings asebenza phakathi kwama-node enethiwekhi 192.168.31.0/24, sekuyisikhathi sokuqhubekela phambili ekumiseni umhubhe we-GRE. Ngaphambi kwalokhu, ukuze ungalahlekelwa ukufinyelela kuma-routers, kufanelekile ukusetha imigudu ye-SSH yokudlulisa i-port 22 ku-VPS, ukuze, isibonelo, i-router esuka efulethini 10022 ifinyeleleke ku-port 2 ye-VPS, kanye i-router esuka efulethini 11122 izofinyeleleka ku-port 3 router kusuka efulethini XNUMX. Kungcono kakhulu ukulungisa ukudlulisa usebenzisa i-sshtunnel efanayo, ngoba izobuyisela umhubhe uma ihluleka.
Umhubhe ulungisiwe, ungaxhuma ku-SSH ngembobo edluliselwe:
ssh root@МОЙ_VPS -p 10022
Okulandelayo kufanele ukhubaze i-OpenVPN:
/etc/init.d/openvpn stop
Manje ake simise umhubhe we-GRE kumzila osuka efulethini 2:
ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set grelan0 up
Bese wengeza isikhombimsebenzisi esidaliwe ebhulohweni:
brctl addif br-lan grelan0
Masenze inqubo efanayo kumzila weseva:
ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set grelan0 up
Futhi engeza isikhombimsebenzisi esidaliwe ebhulohweni:
brctl addif br-lan grelan0
kusukela kulo mzuzu, ama-pings aqala ukuya ngempumelelo kunethiwekhi entsha futhi mina, ngokwaneliseka, ngiya ukuphuza ikhofi. Bese, ukuze ngihlole ukuthi inethiwekhi isebenza kanjani ngakolunye uhlangothi lomugqa, ngizama ukufaka i-SSH kwenye yamakhompiyutha efulethini lesi-2, kodwa iklayenti le-ssh liyaba yiqhwa ngaphandle kokucela iphasiwedi. Ngizama ukuxhuma kule khompyutha nge-telnet ku-port 22 futhi ngibona ulayini engiqonda kuwo ukuthi uxhumano luyasungulwa, iseva ye-SSH iyaphendula, kodwa ngenxa yesizathu esithile ayingifuni ukuba ngingene. phakathi.
$ telnet 192.168.10.110 22
SSH-2.0-OpenSSH_8.1
Ngizama ukuyixhuma nge-VNC futhi ngibone isikrini esimnyama. Ngiyaziqinisekisa ukuthi inkinga ikukhompyutha ekude, ngoba ngingakwazi ukuxhuma kalula ku-router kusuka kuleli fulethi usebenzisa ikheli langaphakathi. Kodwa-ke, nginquma ukuxhuma ku-SSH yale khompyutha ngokusebenzisa umzila futhi ngiyamangala ukuthola ukuthi uxhumano luphumelele, futhi ikhompyutha ekude isebenza ngokujwayelekile, kodwa futhi ayikwazi ukuxhuma kukhompyutha yami.
Ngisusa idivayisi ye-grelan0 ebhulohweni bese ngisebenzisa i-OpenVPN kumzila efulethini lesi-2 futhi ngiqinisekise ukuthi inethiwekhi isebenza njengoba kulindelekile futhi futhi ukuxhumeka akwehliswa. Ngokusesha ngihlangana nezinkundla lapho abantu bekhala ngezinkinga ezifanayo, lapho belulekwa ukuthi baphakamise i-MTU. Kulula ukusho kunokwenza. Kodwa-ke, kuze kube yilapho i-MTU isethwe phezulu ngokwanele - 7000 kumadivayisi we-gretap, noma ukuxhumeka kwe-TCP okwehlisiwe noma amazinga aphansi okudlulisa abonwa. Ngenxa ye-MTU ephezulu ye-gretap, i-MTU yokuxhumeka kwe-Layer 8000 kanye ne-Layer 7500 WireGuard isethelwe ku-XNUMX kanye ne-XNUMX ngokulandelanayo.
Ngenze ukusetha okufanayo kumzila osuka efulethini lesi-3, umehluko kuphela ukuthi isixhumi esibonakalayo sesibili se-gretap okuthiwa i-grelan1 sengezwe kumzila weseva, nawo wengezwa ebhulohweni le-br-lan.
Konke kuyasebenza. Manje usungakwazi ukufaka umhlangano we-gretap ekuqaleni. Kwalokhu:
Ngibeke le migqa kokuthi /etc/rc.local kumzila efulethini 2:
ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0
Kwengezwe lokhu ku-/etc/rc.local kumzila efulethini 3:
ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.3
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0
Futhi ku-router yeseva:
ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0
ip link add grelan1 type gretap remote 192.168.31.3 local 192.168.31.1
ip link set dev grelan1 mtu 7000
ip link set grelan1 up
brctl addif br-lan grelan1
Ngemva kokuqalisa kabusha amarutha eklayenti, ngithole ukuthi ngesizathu esithile ayengaxhumi kuseva. Ngemva kokuxhuma ku-SSH yabo (ngenhlanhla, ngangilungisele i-sshtunnel yalokhu ngaphambilini), kwatholakala ukuthi i-WireGuard ngesizathu esithile yakha umzila wephoyinti lokugcina, kodwa yayingalungile. Ngakho-ke, ku-192.168.30.2, ithebula lomzila lalibonisa umzila odlula ku-interface ye-pppoe-wan, okungukuthi, nge-inthanethi, nakuba umzila oya kuwo bekufanele udluliselwe kusixhumi esibonakalayo se-wg0. Ngemva kokususa lo mzila, uxhumano lubuyiselwe. Angikwazanga ukuthola imiyalelo noma kuphi yokuthi ngingaphoqa kanjani i-WireGuard ukuthi ingadali le mizila. Ngaphezu kwalokho, angizange ngiqonde ukuthi ngabe lesi kwakuyisici se-OpenWRT noma i-WireGuard uqobo. Ngaphandle kokubhekana nale nkinga isikhathi eside, ngimane ngengeze umugqa kuwo womabili amarutha kusikripthi esinesikhathi esisuse lo mzila:
route del 192.168.30.2
Ukufingqa
Angikafinyeleli ukulahlwa okuphelele kwe-OpenVPN, ngoba ngezinye izikhathi ngidinga ukuxhuma kunethiwekhi entsha kusuka kwi-laptop noma ifoni, futhi ukusetha idivayisi ye-gretap kubo ngokuvamile akunakwenzeka, kodwa naphezu kwalokhu, ngithole inzuzo ngesivinini. yokudluliswa kwedatha phakathi kwamafulethi futhi, isibonelo, ukusebenzisa i-VNC akusaphazamisi. I-Ping yehle kancane, kodwa yazinza kakhulu:
Uma usebenzisa i-OpenVPN:
[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=133 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=125 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19006ms
rtt min/avg/max/mdev = 124.722/126.152/136.907/3.065 ms
Uma usebenzisa i-WireGuard:
[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=124 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=124 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19003ms
rtt min/avg/max/mdev = 123.954/124.423/126.708/0.675 ms
Ithinteka kakhulu nge-ping ephezulu ku-VPS, cishe i-61.5 ms
Nokho, ijubane liye landa kakhulu. Ngakho-ke, efulethini elinerutha yeseva nginesivinini sokuxhuma ku-inthanethi esingu-30 Mbit/sec, kanti kwezinye izindlu singu-5 Mbit/sec. Ngesikhathi esifanayo, ngenkathi ngisebenzisa i-OpenVPN, angikwazanga ukufeza isivinini sokudlulisa idatha phakathi kwamanethiwekhi angaphezu kwe-3,8 Mbit/sec ngokusho kokufundwa kwe-iperf, kuyilapho i-WireGuard "ikhuphule" ku-5 Mbit / sec efanayo.
Ukucushwa kwe-WireGuard ku-VPS[Interface]
Address = 192.168.30.1/24
ListenPort = 51820
PrivateKey = <ЗАКРЫТЫЙ_КЛЮЧ_ДЛЯ_VPS>
[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_1_МС>
AllowedIPs = 192.168.30.2/32
[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2>
AllowedIPs = 192.168.30.3/32
[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3>
AllowedIPs = 192.168.30.4/32
Ukucushwa kwe-WireGuard ku-MS (kungezwe ku-/etc/config/network)
#VPN первого уровня - клиент
config interface 'wg0'
option proto 'wireguard'
list addresses '192.168.30.2/24'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МС'
option auto '1'
option mtu '8000'
config wireguard_wg0
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
option endpoint_port '51820'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '192.168.30.0/24'
option endpoint_host 'IP_АДРЕС_VPS'
#VPN второго уровня - сервер
config interface 'wg1'
option proto 'wireguard'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
option listen_port '51821'
list addresses '192.168.31.1/24'
option auto '1'
option mtu '7500'
config wireguard_wg1
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
list allowed_ips '192.168.31.2'
config wireguard_wg1ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.3
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
list allowed_ips '192.168.31.3'
Ukucushwa kwe-WireGuard ku-MK2 (kungezwe ku-/etc/config/network)
#VPN первого уровня - клиент
config interface 'wg0'
option proto 'wireguard'
list addresses '192.168.30.3/24'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК2'
option auto '1'
option mtu '8000'
config wireguard_wg0
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '192.168.30.0/24'
option endpoint_host 'IP_АДРЕС_VPS'
#VPN второго уровня - клиент
config interface 'wg1'
option proto 'wireguard'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
list addresses '192.168.31.2/24'
option auto '1'
option listen_port '51821'
option mtu '7500'
config wireguard_wg1
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
option endpoint_host '192.168.30.2'
option endpoint_port '51821'
option persistent_keepalive '25'
list allowed_ips '192.168.31.0/24'
Ukucushwa kwe-WireGuard ku-MK3 (kungezwe ku-/etc/config/network)
#VPN первого уровня - клиент
config interface 'wg0'
option proto 'wireguard'
list addresses '192.168.30.4/24'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК3'
option auto '1'
option mtu '8000'
config wireguard_wg0
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '192.168.30.0/24'
option endpoint_host 'IP_АДРЕС_VPS'
#VPN второго уровня - клиент
config interface 'wg1'
option proto 'wireguard'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
list addresses '192.168.31.3/24'
option auto '1'
option listen_port '51821'
option mtu '7500'
config wireguard_wg1
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
option endpoint_host '192.168.30.2'
option endpoint_port '51821'
option persistent_keepalive '25'
list allowed_ips '192.168.31.0/24'
Ekucushweni okuchazwe kwe-VPN yezinga lesibili, ngikhomba amaklayenti e-WireGuard ku-port 51821. Ngombono, lokhu akudingekile, ngoba iklayenti izosungula uxhumano kunoma iyiphi ichweba elingenamthetho lamahhala, kodwa ngikwenzile ukuze ngikwazi ukuvimbela konke ukuxhumeka okungenayo ku-wg0 interface yawo wonke ama-routers ngaphandle kokuxhumeka kwe-UDP okungenayo ku-port 51821.
Ngithemba ukuthi lesi sihloko sizoba usizo kothile.
PS Futhi, ngifuna ukwabelana ngeskripthi sami esingithumelela isaziso se-PUSH efonini yami ohlelweni lokusebenza lwe-WirePusher uma idivayisi entsha ivela kunethiwekhi yami. Nasi isixhumanisi seskripthi:
UPDATE: Ukucushwa kweseva ye-OpenVPN namaklayenti
Iseva ye-OpenVPN
client-to-client
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn-server.crt
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/vpn-server.key
dev tap
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
keepalive 10 60
proto tcp4
server-bridge 192.168.10.1 255.255.255.0 192.168.10.80 192.168.10.254
status /var/log/openvpn-status.log
verb 3
comp-lzo
Iklayenti le-OpenVPN
client
tls-client
dev tap
proto tcp
remote VPS_IP 1194 # Change to your router's External IP
resolv-retry infinite
nobind
ca client/ca.crt
cert client/client.crt
key client/client.key
dh client/dh.pem
comp-lzo
persist-tun
persist-key
verb 3
Ngisebenzise i-easy-rsa ukwenza izitifiketi
Source: www.habr.com