Speeding up OpenVPN on an OpenWrt router. Another option without a soldering iron and hardware extremism


Hello everyone. I recently read an old article about how to speed up OpenVPN on a router by offloading encryption to a separate hardware block soldered inside the router itself. My case is the same as that author's: a TP-Link WDR3500 with 128 MB of RAM and a weak processor that cannot cope with tunnel encryption at all. However, I did not want to go into the router with a soldering iron. Below is my experience of moving OpenVPN onto a separate piece of hardware, with a fallback copy kept on the router in case of an emergency.

Goal

We have a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to handle tunnel encryption in normal operation, but if something happens to it, VPN handling should fall back to the router. All the firewall settings on the router should keep working as before. In short, adding the extra hardware should be transparent and seamless for everyone. OpenVPN runs over TCP, and the TAP adapter is in server-bridge mode.

Solution

Instead of connecting over USB, I decided to use one of the router's ports and attach every subnet that has a VPN bridge to the Orange Pi. As a result, the hardware physically sits on the same networks as the VPN server on the router. Then we set up exactly the same servers on the Orange Pi, and on the router we set up some kind of proxy that forwards all incoming connections to the external server, and, if the Orange Pi is dead or unreachable, to the internal fallback server. I chose HAProxy.

It works like this:

  1. A client arrives
  2. If the external server is unreachable, the connection goes to the internal server, as before
  3. If it is reachable, the client is accepted by the Orange Pi
  4. The VPN on the Orange Pi decrypts the packets and spits them out to the router
  5. The router forwards them onward

Example implementation

So, let's say we have two networks on the router, main (1) and guest (2), and each of them has an OpenVPN server for connecting from outside.

Network configuration

We need to carry both networks over a single port, so we create 2 VLANs.

On the router, in the Network/Switch section, create the VLANs (for example 1 and 2) and enable them in tagged mode on the port you need, then add the newly created eth0.1 and eth0.2 to the corresponding networks (for example, add them to the bridge).

On the Orange Pi we create two VLAN interfaces (I have Archlinux ARM + netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And right away we make two bridges for them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all 4 profiles (netctl enable). Now, after a reboot, the Orange Pi will sit on the two required networks. We pin the addresses of the Orange Pi's interfaces in Static Leases on the router.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever

Setting up the VPN

Next, we copy the OpenVPN settings and keys from the router. The settings can usually be found in /tmp/etc/openvpn*.conf

By default, OpenVPN running in TAP mode with server-bridge leaves the interface down. To make everything work, you need to add a script that runs once the connection has been configured.

/etc/openvpn/main.conf

dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh

ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

As a result, as soon as the connection comes up, the vpn-main interface is added to br-main. For the guest network it is the same; only the interface name and the address in server-bridge change.

Routing requests from outside and proxying

At this step, the Orange Pi can already accept connections and attach clients to the required networks. All that remains is to set up proxying of incoming connections on the router.

We move the router's own VPN servers to other ports, install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        uid 0
        gid 0
        daemon

defaults
        retries 1
        contimeout 1000
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
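As an added example that is not part of the original article: a small Python checker for the haproxy.cfg layout above. It catches two things that would quietly undermine the fallback, a local backup server still sitting on the same port HAProxy binds (the router's OpenVPN instance not moved) and a server without a health check, and it flags the `uid 0` / `gid 0` lines, which run the proxy as root. The parsing and the check rules are this example's own assumptions, not HAProxy's.

```python
# Added example, not from the article: sanity-checks the router's haproxy.cfg
# shown above. The parsing and the check rules are this example's own assumptions.
from collections import defaultdict

# Constructed sample: the article's config, with the router's own OpenVPN already
# moved to 127.0.0.1:4443 / :4444 so HAProxy can own ports 443 and 444.
HAPROXY_CFG = """\
global
    uid 0
    gid 0
listen guest_vpn
    bind :444
    mode tcp
    server 0-orange 192.168.2.3:444 check
    server 1-local  127.0.0.1:4444 check backup
listen main_vpn
    bind :443
    mode tcp
    server 0-orange 192.168.1.3:443 check
    server 1-local  127.0.0.1:4443 check backup
"""

def parse_sections(text):
    """Map each top-level block (global, listen NAME, ...) to its option tuples."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # an unindented line opens a block
            current = raw.split()[-1]       # 'global' or the listen name
        elif current is not None:
            sections[current].append(tuple(raw.split()))
    return sections

def check_failover(cfg_text):
    """Return findings that break the failover or widen exposure; [] means clean."""
    sections, findings = parse_sections(cfg_text), []
    for opt in sections.get("global", []):
        if opt[:2] in (("uid", "0"), ("gid", "0")):
            findings.append("global: haproxy runs as root (%s %s)" % opt[:2])
    for name, opts in sections.items():
        binds = {o[1].rsplit(":", 1)[1] for o in opts if o[0] == "bind"}
        for o in (o for o in opts if o[0] == "server"):
            host, port = o[2].rsplit(":", 1)
            if "check" not in o:            # without checks HAProxy never fails over
                findings.append("%s: server %s has no health check" % (name, o[1]))
            if host.startswith("127.") and port in binds:
                findings.append("%s: backup %s collides with bind port %s" % (name, o[1], port))
    return findings
```

Run it against the real file before restarting HAProxy; an empty list means the fallback chain is wired as the article intends.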

Enjoy

If everything went according to plan, clients will switch over to the Orange Pi, the router's processor will no longer run hot, and VPN speed will increase noticeably. At the same time, all the network rules configured on the router keep working. If something happens to the Orange Pi, it goes down and HAProxy redirects clients to the local servers.

Thank you for your attention; suggestions and corrections are welcome.

Source: www.habr.com
