
Сисадмин Михалыч

3 7 дней назад

Настройка выхода в интернет через VPS провайдера при помощи OpenVPN на Armbian (часть 2).


Порядок действий:

Armbian на базе Debian 12

apt update
apt install ifupdown isc-dhcp-client mc hostapd dnsmasq iptables openvpn

mcedit /etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

auto end0
iface end0 inet dhcp

auto wlan0
iface wlan0 inet static
  address 10.0.0.1
  netmask 255.255.255.0

nmcli con
nmcli con del && systemctl disable --now NetworkManager && systemctl restart networking

mcedit /etc/dnsmasq.d/wifi.conf
# dnsmasq instance that hands out DHCP leases and answers DNS for the
# Wi-Fi clients behind wlan0.
interface=wlan0
# log-dhcp and log-queries write every lease transaction and every DNS name
# the clients look up to the log file below. Treat that file as sensitive
# (it is a browsing history per client), keep the directory permissions
# tight and rotate it, or switch query logging off once debugging is done.
log-dhcp
log-queries
log-facility=/var/log/dnsmasq/dnsmasq.log
dhcp-leasefile=/var/log/dnsmasq/dnsmasq.leases
# DNS
cache-size=50000
no-negcache
# Upstream resolvers. dnsmasq sends these queries from the router itself, so
# they follow the host's routing table: through the tunnel only while the
# default route points at it, otherwise out of the wired uplink.
server=77.88.8.88
server=77.88.8.2
# DHCP
dhcp-authoritative
# WLAN0
# NOTE(review): the selector below reads "interface:vlan1" although the only
# interface configured in this file is wlan0 - looks like a leftover from
# another setup; confirm that clients on wlan0 really receive this range and
# these options (the router/DNS options decide where client traffic goes).
dhcp-range=interface:vlan1,10.0.0.11,10.0.0.254,48h
dhcp-option=interface:vlan1,1,255.255.255.0
dhcp-option=interface:vlan1,option:dns-server,10.0.0.1
dhcp-option=interface:vlan1,option:router,10.0.0.1

mkdir /var/log/dnsmasq/
chown dnsmasq:root /var/log/dnsmasq/
chmod 770 /var/log/dnsmasq/

systemctl enable dnsmasq

mcedit /etc/default/hostapd
DAEMON_CONF="/etc/hostapd/hostapd.conf"

mcedit /etc/hostapd/hostapd.conf
# hostapd access point on wlan0: 2.4 GHz (hw_mode=g, channel 6), WPA2-PSK.
interface=wlan0
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
# NOTE(review): macaddr_acl appears twice in this file (1 here, 0 further
# down). hostapd reads the file top to bottom, so presumably the later value
# (0 = accept unless listed in a deny file) is the one in effect - confirm
# and keep a single line so the intended policy is unambiguous.
macaddr_acl=1
ssid=ZV_PUTIN
hw_mode=g
channel=6
macaddr_acl=0
# auth_algs=1: open-system authentication only (no WEP shared-key auth).
auth_algs=1
ieee80211n=1
wmm_enabled=1
# The EAP/RADIUS-related options below are not used by a PSK-only network;
# they look like leftovers from a template (presumably harmless - confirm).
eap_server=0
eap_message=hello
eapol_key_index_workaround=0
own_ip_addr=10.0.0.1
# wpa=2: WPA2 (RSN) only, no legacy WPA.
wpa=2
# Sample passphrase only. A WPA2-PSK network is exactly as strong as this
# value against offline guessing, so replace it with a long random
# passphrase (8-63 characters are accepted) and keep this file readable by
# root only.
wpa_passphrase=Qwe12345
wpa_key_mgmt=WPA-PSK
# NOTE(review): wpa_pairwise still lists TKIP. With wpa=2 the RSN list below
# (CCMP) should be what is negotiated - confirm, and drop TKIP here so the
# file does not advertise a deprecated cipher if wpa= is ever changed.
wpa_pairwise=CCMP TKIP
rsn_pairwise=CCMP
# No ieee80211w line is present, so management-frame protection stays at
# hostapd's default (off); ieee80211w=1 enables it for clients that support it.

systemctl unmask hostapd
systemctl enable hostapd

mcedit /etc/openvpn/client/prov.conf
# OpenVPN client profile for the provider's server: routed tunnel (dev tun)
# over TCP port 1194.
client
# Placeholder: replace the text after "remote" with the OpenVPN server's IP address.
remote IP-адрес OVPN-сервера
port 1194
proto tcp
dev tun
# Keep the key material and the tun device across restarts of the tunnel.
persist-key
persist-tun
verb 3
# Do not keep entered credentials cached in memory.
auth-nocache
auth SHA512
cipher AES-256-GCM
# NOTE(review): as shown, the profile carries no ca/cert/key (or inline
# <ca>/<cert>/<key> blocks) and no server-certificate check such as
# "remote-cert-tls server". Only blank lines follow in the page, so these
# parts may have been lost when the text was extracted - confirm against the
# original. Without CA pinning and a server-certificate check the client
# cannot tell the provider's server from an impostor on the path.







cp /lib/systemd/system/openvpn-client@.service /lib/systemd/system/openvpn-client@prov.service
systemctl daemon-reload

mcedit /etc/sysctl.d/99-sysctl.conf
# Network
# Turn IPv6 off everywhere. The firewall in this walkthrough is loaded with
# iptables-restore (IPv4 only), so leaving IPv6 enabled would create a path
# that none of those rules cover.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Socket buffer ceilings of 1 GiB.
# NOTE(review): very large for a single-board computer; a handful of
# connections could pin most of the RAM - confirm these values are intended.
net.core.rmem_max = 1073741824
net.core.wmem_max = 1073741824
net.ipv4.tcp_rmem = 1048576 16777216 1073741824
net.ipv4.tcp_wmem = 1048576 16777216 1073741824
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_reordering = 20
# NOTE(review): tcp_mem is counted in memory pages, not bytes (see tcp(7)),
# so these figures are far beyond the machine's RAM and effectively remove
# the limit; the middle value 16770216 also differs from the 16777216 used
# above and looks like a typo - confirm.
net.ipv4.tcp_mem = 1048576 16770216 1073741824
# Required for routing between wlan0 and tun0/end0. Forwarding is active as
# soon as this file is applied, so the filter rules must be loaded no later
# than that, or the box forwards unfiltered for a while after boot.
net.ipv4.ip_forward = 1

sysctl -p --system

mkdir /etc/iptables/
mcedit /etc/iptables/rules.ipt
# NAT table: source-NAT everything that leaves through the tunnel (tun0) or
# through the wired uplink (end0).
*nat
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o tun0 -j MASQUERADE
# NOTE(review): masquerading on end0, together with the wlan0 -> end0 FORWARD
# rule further down, lets hotspot traffic leave directly whenever the default
# route points at end0 (tunnel down, or routes not switched yet). If the
# hotspot must never bypass the VPN, remove both end0 rules so that traffic
# is dropped instead of leaking.
-A POSTROUTING -o end0 -j MASQUERADE
COMMIT

# Filter table. The chain policies are ACCEPT and default-deny comes from the
# closing "-j DROP" rules, so the host is only protected while this ruleset
# is loaded; a DROP policy on INPUT and FORWARD would fail closed.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the router itself opened. ("-m state" is the legacy
# spelling of "-m conntrack --ctstate".)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# loopback
-A INPUT -i lo -j ACCEPT
# ICMP
-A INPUT -p icmp --icmp-type any -j ACCEPT
# Everything from Wi-Fi clients to the router is accepted, including SSH.
# NOTE(review): DHCP (udp/67) and DNS (udp+tcp/53) are the only services the
# clients need from the router in this setup - consider limiting to those.
-A INPUT -i wlan0 -j ACCEPT
# SSH from the uplink side (the author's own remote access). No source
# restriction: any host that can reach end0 can try to log in; add
# "-s <admin-address>" and use key-only authentication.
-A INPUT -i end0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
# NOTE(review): this rule and the end0 -> wlan0 rule below accept NEW
# connections towards the Wi-Fi clients. Return traffic is already covered
# by the RELATED,ESTABLISHED rule above, so these two only add inbound
# exposure from the VPN side and from the uplink LAN - consider removing them.
-A FORWARD -i tun0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o end0 -j ACCEPT
-A FORWARD -i end0 -o wlan0 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

mkdir /root/scripts
mcedit /root/scripts/iptables-reload.sh
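#!/bin/bash
# Load the IPv4 firewall ruleset from /etc/iptables/rules.ipt.
#
# The walkthrough runs this from root's crontab at @reboot, which gives no
# ordering against the network coming up; until it has run, the box forwards
# with no filter rules at all. Hooking the restore into interface bring-up
# (or a persistent-rules service) closes that window.
#
# Exit status: 0 when the ruleset was applied, non-zero otherwise.
rules=/etc/iptables/rules.ipt

# Parse the file without touching the live ruleset first, so that a typo in
# a later table cannot leave the firewall partly applied.
if ! /usr/sbin/iptables-restore --test < "$rules"; then
  printf 'iptables-reload: %s failed validation, ruleset not changed\n' "$rules" >&2
  exit 1
fi

/usr/sbin/iptables-restore < "$rules"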

chmod +x /root/scripts/iptables-reload.sh

crontab -e
@reboot /root/scripts/iptables-reload.sh

curl ifconfig.me

Если маршрут по умолчанию не редиректится автоматом:
mcedit /root/scripts/start-vpn.sh
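#!/bin/bash
# Start the OpenVPN client unit and move the default route onto the tunnel.
#
# Only needed when the tunnel does not redirect the default route by itself;
# OpenVPN's own "redirect-gateway def1" option does the same job without a
# script. The addresses are the ones used in this walkthrough - adjust them.
#
# Exit status: 0 on success, 1 when the unit did not start or the default
# route could not be switched.
unit=openvpn-client@prov.service
vpn_server=185.60.134.218  # presumably the OpenVPN server's public address
lan_gw=192.168.100.1       # gateway on the wired uplink
tun_gw=172.16.35.1         # presumably the gateway inside the tunnel

# Print the address the outside world sees, followed by a newline.
show_external_ip() {
  curl ifconfig.me && echo
}

if systemctl is-active --quiet "$unit"; then
  echo "VPN работает!"
  show_external_ip
else
  systemctl start "$unit"
  sleep 1
  if systemctl is-active --quiet "$unit"; then
    echo "VPN запущен!"
    # Keep the server itself reachable through the wired gateway so the
    # tunnel's own packets are not routed into the tunnel. "replace" makes
    # the script safe to run twice.
    ip route replace "$vpn_server" via "$lan_gw"
    # Switch the default route in a single step. Deleting it first and adding
    # the new one afterwards leaves the box without any default route when
    # the add fails (for example because tun0 is not up yet).
    if ! ip route replace default via "$tun_gw"; then
      echo "Не удалось переключить маршрут по умолчанию на VPN!" >&2
      exit 1
    fi
    show_external_ip
  else
    echo "VPN не запустился!" >&2
    exit 1
  fi
fi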

mcedit /root/scripts/stop-vpn.sh
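#!/bin/bash
# Stop the OpenVPN client unit and put the default route back on the wired
# gateway.
#
# After this script has run, hotspot clients reach the internet directly
# through the uplink (the firewall rules in this walkthrough allow
# wlan0 -> end0), so their traffic is no longer hidden behind the VPN.
# The addresses are the ones used in this walkthrough - adjust them.
#
# Exit status: 0 on success, 1 when the unit is still active after the stop
# or the default route could not be restored.
unit=openvpn-client@prov.service
vpn_server=185.60.134.218  # presumably the OpenVPN server's public address
lan_gw=192.168.100.1       # gateway on the wired uplink

# Print the address the outside world sees, followed by a newline.
show_external_ip() {
  curl ifconfig.me && echo
}

if systemctl is-active --quiet "$unit"; then
  systemctl stop "$unit"
  sleep 1
  if ! systemctl is-active --quiet "$unit"; then
    echo "VPN остановлен!"
    # The pinned host route may already be gone; a failed delete is harmless.
    ip route del "$vpn_server" via "$lan_gw" 2>/dev/null
    # "replace" also works when a default route is still present, where a
    # plain "add" would fail and leave the old route in place.
    if ! ip route replace default via "$lan_gw"; then
      echo "Не удалось восстановить маршрут по умолчанию!" >&2
      exit 1
    fi
    show_external_ip
  else
    echo "VPN не остановлен!" >&2
    exit 1
  fi
else
  echo "VPN не запущен!"
  show_external_ip
fi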

chmod +x /root/scripts/start-vpn.sh
chmod +x /root/scripts/stop-vpn.sh