riaak
HV Guru
liitunud: 22.09.2002
14.11.2019 17:01:54
Ubiquiti ERX ja OpenVPN+Wireguard sild?
Mitmele erinevale seadmele on vaja saada kontori IP. Ligipääs kontori võrgule on antud üle OpenVPN-i, aga korraga saab ühendatud olla ainult üks klient. Kuna seadmeid, mida sinna ühendada tahan, on tundmatu kogus, siis jääb võrguhaldurilt lisaligipääsude küsimine välja.
Hankisin koju ERX ruuteri ning seadsin sinna üles Wireguard serveri (wg0, 192.168.33.0/24). Ühtlasi seadistasin OpenVPN kliendi (vtun0). Puudulik on ilmselt ruutimine, sest Wireguard ise töötab, OpenVPN saab ka endale IP, aga üheskoos nett läbi ei käi.
Ruutimise reeglid sain siit ja kohandasin natukene enda jaoks.
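# EdgeOS configure-mode commands (entered after `configure`, then `commit` / `save`).
# Source NAT: traffic from the WireGuard subnet is masqueraded as it leaves through the OpenVPN tunnel.
set service nat rule 5000 description PIA
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 source address 192.168.33.0/24
set service nat rule 5000 type masquerade
# Alternate routing table 1: its only entry is a default route into the OpenVPN tunnel.
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
# Policy routing: packets sourced from the WireGuard subnet are marked to use table 1.
# The running config posted below shows 'action modify' on this rule; the original set list omitted it.
set firewall modify pia_route rule 10 description 'PIA'
set firewall modify pia_route rule 10 action modify
set firewall modify pia_route rule 10 source address 192.168.33.0/24
set firewall modify pia_route rule 10 modify table 1
# Attach the modify ruleset to the WireGuard interface. wg0 is a 'wireguard' interface,
# not a 'switch' interface (the running config lists it under 'wireguard wg0').
set interfaces wireguard wg0 firewall in modify pia_route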
Liiklus justkui läheb välja, aga tagasi ei tule.
Lisan Ubi enda conf faili ka.
/* Firewall section of the running EdgeOS config (as posted). */
/* Only WAN_IN and WAN_LOCAL are attached to an interface (switch0.1); the IPv6 rulesets are defined but not referenced anywhere in this listing. */
firewall {
    all-ping enable
    broadcast-ping disable
    /* NOTE(review): WANv6_IN is not attached to any interface in this config. */
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* NOTE(review): WANv6_LOCAL is likewise unreferenced in this listing. */
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Policy-routing mark: packets sourced from the WireGuard subnet are sent to routing table 1 (default route via vtun0, see protocols/static). Attached as 'firewall in' on wg0. */
    /* NOTE(review): wg0 carries only this modify ruleset -- nothing filters what WireGuard clients may reach on the router or the LAN. */
    modify pia_route {
        rule 10 {
            action modify
            description PIA
            modify {
                table 1
            }
            source {
                address 192.168.33.0/24
            }
        }
    }
    /* Applied as 'in' on switch0.1 (vif 1, the Internet VLAN): forwarded traffic from the WAN. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Applied as 'local' on switch0.1: traffic addressed to the router itself. Nothing else (GUI, SSH) is opened towards the WAN here. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        /* NOTE(review): this rule matches only the 'invalid' conntrack state, so a fresh WireGuard handshake from the Internet (state 'new') would presumably fall through to default-action drop; 'new enable' is the usual match here -- confirm how the peers were tested (from the LAN side this ruleset does not apply). */
        rule 20 {
            action accept
            description WireGuard
            destination {
                port 51820
            }
            protocol udp
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    /* NOTE(review): send-redirects is enabled and source-validation (reverse-path check) is disabled as shown; no RPF check covers the VPN interfaces. */
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
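/* Interface section of the running EdgeOS config (as posted). */
interfaces {
    /* eth0 is the uplink: tagged VLAN 4 (IPTV) plus untagged VLAN 1 (Internet), see switch-port below. */
    ethernet eth0 {
        description Internet
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    /* OpenVPN client towards the office; all tunnel settings live in the referenced .ovpn file. */
    /* NOTE(review): no firewall ruleset is attached to vtun0, so nothing filters what arrives from the OpenVPN side towards the router or the LAN. */
    openvpn vtun0 {
        config-file /home/ubnt/mobi.openvpn.client.ovpn
    }
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth0 {
                vlan {
                    pvid 1
                    vid 4
                }
            }
            interface eth1 {
                vlan {
                    pvid 4
                }
            }
            interface eth2 {
                vlan {
                    pvid 2
                }
            }
            interface eth3 {
                vlan {
                    pvid 2
                }
            }
            interface eth4 {
                vlan {
                    pvid 2
                }
            }
            vlan-aware enable
        }
        /* Internet VLAN (switch0.1): the WAN rulesets are applied here. */
        vif 1 {
            address dhcp
            description Internet
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
        }
        /* Local LAN (switch0.2). */
        vif 2 {
            address 192.168.1.1/24
            description Local
        }
        vif 4 {
            description IPTV
            mtu 1500
        }
    }
    /* WireGuard server. Inbound client traffic is marked by pia_route so it is routed via table 1 (vtun0). */
    /* NOTE(review): no 'address' is configured on wg0, so the router itself has no IP in 192.168.33.0/24 -- confirm that is intended (clients cannot address the router over the tunnel). */
    wireguard wg0 {
        description "WG VPN"
        firewall {
            in {
                modify pia_route
            }
        }
        listen-port 51820
        /* Fix: allowed-ips narrowed from /24 to /32 per peer. WireGuard maps each allowed IP to exactly one peer, so two peers both claiming 192.168.33.0/24 leave only the last-added peer owning the subnet; the other peer's packets are then rejected on arrival and no return traffic is routed to it. With route-allowed-ips, a /32 route per peer is installed instead of a duplicated /24. */
        peer kgR0d7bNR3ZPKXNWXCGGuAQrwdZZFg+PaAPY4y3zogE= {
            allowed-ips 192.168.33.2/32
            description U1
        }
        peer rc+qYkTQyFhtRFd1XetEoHUhTLDl+c7uicE2T0Kld0I= {
            allowed-ips 192.168.33.3/32
            description U2
        }
        private-key /config/auth/wg.key
        route-allowed-ips true
    }
}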
/* Static routes. Table 1 is the policy-routing table selected by the pia_route modify rule on wg0. */
protocols {
    static {
        /* Table 1 holds only a default route into the OpenVPN tunnel. */
        /* NOTE(review): marked packets are looked up in table 1, and 0.0.0.0/0 matches everything, so traffic from WireGuard clients towards 192.168.1.0/24 would presumably also be sent into vtun0 -- verify if LAN access from the VPN is expected. */
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
    }
}
/* Services: DHCP for the LAN, DNS forwarding, web GUI, NAT and SSH. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            /* LAN pool on switch0.2; clients are pointed straight at 1.1.1.1 rather than at the router's forwarder. */
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 1.1.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            /* The forwarder listens on the LAN VLAN only -- not on wg0, so WireGuard clients cannot use it. */
            listen-on switch0.2
            name-server 1.1.1.1
        }
    }
    /* Web GUI on 80/443. 'older-ciphers enable' re-enables legacy TLS cipher suites; as posted, only WAN_LOCAL's default drop keeps the GUI unreachable from the Internet side. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        /* Source NAT for WireGuard client traffic leaving through the OpenVPN tunnel, so the office side only ever sees the router's tunnel address. */
        rule 5000 {
            description PIA
            log disable
            outbound-interface vtun0
            protocol all
            source {
                address 192.168.33.0/24
            }
            type masquerade
        }
        /* Ordinary Internet masquerade on the WAN VLAN. */
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface switch0.1
            protocol all
            type masquerade
        }
    }
    /* SSH on the default port; WAN_LOCAL (default drop) does not open it towards the Internet. */
    ssh {
        port 22
        protocol-version v2
    }
}
/* System settings: hostname, local admin account, NTP, syslog, time zone, traffic analysis. */
system {
    host-name ubnt
    login {
        /* NOTE(review): the 'ubnt' admin account's real MD5-crypt ($1$) password hash is reproduced in this public post; treat that credential as exposed and replace it. */
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
            }
            level admin
        }
    }
    /* Time from the vendor NTP pool. */
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* Routing/protocol messages at debug level -- handy while chasing the VPN routing problem, noisy otherwise. */
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi disable
        export disable
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.6.5208541.190708.0508 */