Running a VPN server behind the provider's NAT

An article about how I managed to run a VPN server behind my home provider's NAT (without a public IP address). Let me make one reservation right away: whether this setup works depends directly on the type of NAT your provider uses, and on your router.
So, I needed to connect from my Android smartphone to my home computer. Both devices reach the Internet through provider NATs, and the computer is additionally connected through a home router, which is itself behind NAT.
The classic scheme with a rented VPS/VDS that has a public IP address, as well as renting a public IP address from the provider, was not considered, for several reasons.
Building on the experience from previous articles, in which I ran a number of tests with STUN and provider NATs, I decided to do a small experiment by running a command on the home router, which runs OpenWRT firmware:

$ stun stun.sipnet.ru

I got the result:

STUN client version 0.97
Primary: Independent Mapping, Independent Filter, random port, will hairpin
Return value is 0x000002

Spelling out the terms:
Independent Mapping - the external address:port mapping does not depend on the destination
Independent Filter - the filtering of incoming packets does not depend on the sender
random port - the external port is assigned randomly
will hairpin - hairpinning is supported
Running the same command on my PC, I got:

STUN client version 0.97
Primary: Independent Mapping, Port Dependent Filter, random port, will hairpin
Return value is 0x000006

Port Dependent Filter - the filtering of incoming packets depends on the remote port
The difference in the output showed that the home router makes "its own contribution" to how packets from the Internet are forwarded. It showed up like this: when running the command on the computer

stun stun.sipnet.ru -p 11111 -v

I got the result:

...
Ikheli Elimephu = XX.1XX.1X4.2XX:4398
...

a UDP session stayed open for some time. If during that time you sent a UDP request (for example: netcat XX.1XX.1X4.2XX 4398 -u), the request reached the home router, which I confirmed with tcpdump running on it, but it never reached the computer: iptables, acting as the NAT translator on the router, dropped it.
But the very fact that the UDP request passed through the provider's NAT gave hope for success. Since the router is on my side, I solved the problem by forwarding port UDP/11111 to the computer:

iptables -t nat -A PREROUTING -i eth1 -p udp -d 10.1XX.2XX.XXX --dport 11111 -j DNAT --to-destination 192.168.X.XXX

So I was able to open a UDP session and receive requests from the Internet from any IP address. At this point I started the OpenVPN server (which I had configured earlier) listening on UDP/11111, entered the external IP address and port (XX.1XX.1X4.2XX:4398) on the smartphone, and successfully connected from the smartphone to the computer. But this setup had a problem: the UDP session somehow had to be kept alive until the OpenVPN client connected to the server. I did not like the option of running the STUN client periodically, because I did not want to load the STUN servers with useless traffic.
I also noticed the "will hairpin" flag. In this mode

Hairpinning allows one machine on the local network behind NAT to reach another machine on the same network via the router's external address.

As a result, I solved the keepalive problem for the UDP session very simply: I started a client on the same computer as the server.
It works like this:

  • start the STUN client on local port 11111
  • get a response containing the external IP address and port, XX.1XX.1X4.2XX:4398
  • send the external IP address and port by e-mail (any other service would do) to an account configured on the smartphone
  • start the OpenVPN server on the computer, listening on UDP/11111
  • start the OpenVPN client on the same computer, telling it to connect to XX.1XX.1X4.2XX:4398
  • at any time, start the OpenVPN client on the smartphone with that IP address and port (in my case the IP address never changed) and connect

This way I was able to connect to my computer from my smartphone. This setup lets any OpenVPN client connect.

Setup

You will need:

# apt install openvpn stun-client sendemail

After writing a couple of scripts and a few configuration files, and generating the required certificates (the smartphone client works only with certificates), we get a fairly ordinary OpenVPN server setup.

The main script on the computer

# cat vpn11.sh

#!/bin/bash
# Wait until a route to the Internet exists (the network is up) before starting.
until [[ -n "$iftosrv" ]]; do
	echo "$(date) Determining the network interface"
	iftosrv=$(ip route get 8.8.8.8 | head -n 1 | sed 's|.*dev ||' | awk '{print $1}')
	sleep 5
done
ABSOLUTE_FILENAME=$(readlink -f "$0")
DIR=$(dirname "$ABSOLUTE_FILENAME")
localport=11111
# $a is never set, so this loop runs forever: the server is restarted every
# time the local client loses its connection (i.e. the NAT session has expired).
until [[ $a ]]; do
	# Ask the STUN server which external address:port is mapped to our local port.
	address=$(stun stun.sipnet.ru -v -p $localport 2>&1 | grep "MappedAddress" | sort | uniq | head -n 1 | sed 's/:/ /g' | awk '{print $3" "$4}')
	ip=$(echo "$address" | awk '{print $1}')
	port=$(echo "$address" | awk '{print $2}')
	if [[ -z "$ip" || -z "$port" ]]; then
		echo "$(date) No MappedAddress from the STUN server, retrying in 15 s"
		sleep 15
		continue
	fi
	srv="openvpn --config $DIR/server.conf --port $localport --daemon"
	$srv
	echo "$(date) Server started with external address $ip:$port"
	$DIR/sendemail.sh "OpenVPN-Server" "$ip:$port"
	sleep 1
	# The local client connects through the hairpin to keep the UDP mapping alive.
	# This call blocks until the client drops the connection (ping-exit in client.conf).
	openvpn --config $DIR/client.conf --remote $ip --port $port
	echo "$(date) Client connection to the server was lost"
	for i in $(ps xa | grep "$srv" | grep -v grep | awk '{print $1}'); do
		kill $i && echo "$(date) Killed server process $i ($srv)"
	done
	echo "Waiting 15 s"
	sleep 15
done

The script that sends the data by e-mail:

# cat sendemail.sh 

#!/bin/bash
from="SENDER"        # sender address, also used as the SMTP user name
pass="PASSWORD"      # SMTP password
to="RECIPIENT"       # mailbox configured on the smartphone
theme="$1"           # subject
message="$2"         # body: the external ip:port
server="smtp.yandex.ru:587"
sendEmail -o tls=yes -f "$from" -t "$to" -s "$server" -xu "$from" -xp "$pass" -u "$theme" -m "$message"

Server configuration file:

# cat server.conf

proto udp
dev tun
ca      /home/vpn11-srv/ca.crt
cert    /home/vpn11-srv/server.crt
key     /home/vpn11-srv/server.key
dh      /home/vpn11-srv/dh2048.pem
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
tls-server
tls-auth /home/vpn11-srv/ta.key 0
tls-timeout 60
auth    SHA256
cipher  AES-256-CBC
client-to-client
keepalive 10 30
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
log /var/log/vpn11-server.log
verb 3
mute 20

Client configuration file:

# cat client.conf

client
dev tun
proto udp
ca      "/home/vpn11-srv/ca.crt"
cert    "/home/vpn11-srv/client1.crt"
key     "/home/vpn11-srv/client1.key"
tls-client
tls-auth "/home/vpn11-srv/ta.key" 1
auth SHA256
cipher AES-256-CBC
auth-nocache
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
log /var/log/vpn11-client.log
verb 3
mute 20
ping 10
ping-exit 30

The certificates were generated following this article.
Starting the script:

# ./vpn11.sh

having first made it executable:

# chmod +x vpn11.sh

On the smartphone side

After installing the OpenVPN for Android application, copying over the configuration file and certificates, and setting it up, it looks like this:
I check my e-mail on the smartphone
I edit the port number in the settings
I start the client and connect

While writing this article, I moved the configuration from my computer to a Raspberry Pi 3 and tried to run the whole thing over an LTE modem, but it did not work! The output of the command

# stun stun.ekiga.net -p 11111

STUN client version 0.97
Primary: Independent Mapping, Port Dependent Filter, random port, will hairpin
Return value is 0x000006

namely the Port Dependent Filter, did not allow the scheme to work.
The home provider, on the other hand, let the scheme run on the Raspberry Pi 3 without any problems.
Combined with a webcam and VLC, used to
create an RTSP stream from the webcam
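Whether the scheme can work is decided by the STUN classification (the LTE provider's Port Dependent Filter killed it, the home provider's Independent Filter allowed it). The following helper is an added example, not part of the original article or its scripts: it parses the stun client's output, extracts the mapped address the same way vpn11.sh does, and refuses to start unless the filter is endpoint-independent and hairpinning is available. The two STUN outputs are constructed samples in the format shown above; stun.sipnet.ru is the server the article uses.

```shell
#!/bin/bash
# Added example: gate the hairpin-keepalive scheme on the provider's NAT type.
# Constructed sample outputs in the format printed by stun client 0.97.
STUN_OK='STUN client version 0.97
MappedAddress = 203.0.113.7:4398
Primary: Independent Mapping, Independent Filter, random port, will hairpin
Return value is 0x000002'
STUN_BAD='STUN client version 0.97
MappedAddress = 203.0.113.9:5100
Primary: Independent Mapping, Port Dependent Filter, random port, will hairpin
Return value is 0x000006'

# Print "ip port" taken from the first MappedAddress line.
mapped_address() {
    printf '%s\n' "$1" | grep 'MappedAddress' | head -n 1 | sed 's/:/ /g' | awk '{print $3" "$4}'
}

# Return 0 only if any remote peer may reach the mapped port (endpoint-independent
# filter) and the local client can reach it through the hairpin; otherwise 1.
nat_supports_scheme() {
    local primary
    primary=$(printf '%s\n' "$1" | grep '^Primary:')
    case "$primary" in
        *"Independent Filter"*"will hairpin"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check around the command the article uses; $1 is the local UDP port.
# Prints "ip port" on success, returns 1 if the NAT type is unsuitable.
check_live() {
    local out
    out=$(stun stun.sipnet.ru -v -p "$1" 2>&1) || return 2
    if ! nat_supports_scheme "$out"; then
        echo "NAT filter is not endpoint-independent; not starting the server" >&2
        return 1
    fi
    mapped_address "$out"
}
```

In vpn11.sh the call to stun could be replaced by `address=$(check_live $localport) || { sleep 15; continue; }` so the server is only started when the NAT type allows outside clients in.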

$ cvlc v4l2:///dev/video0:chroma=h264 :input-slave=alsa://hw:1,0 --sout '#transcode{vcodec=x264,venc=x264{preset=ultrafast,profile=baseline,level=31},vb=2048,fps=12,scale=1,acodec=mpga,ab=128,channels=2,samplerate=44100,scodec=none}:rtp{sdp=rtsp://10.2.0.1:8554/}' --no-sout-all --sout-keep

and VLC on the smartphone to watch it (stream rtsp://10.2.0.1:8554/), it turned out to be a nice remote video surveillance system. You can also set up Samba, route traffic through the VPN, control your computer remotely, and much more. Much more...

Conclusion

As practice has shown, to set up a VPN server you can do without a paid external IP address, such as a rented VPS/VDS. But everything depends on the provider. Of course, I would like to gather more information about different providers and the NAT types they use, but this is only the beginning...
Thank you for your attention!

Source: www.habr.com
