tinc
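# netname=vpn
# Client-side tinc setup: install tinc, create the "vpn" network under
# /etc/tinc, generate the RSA key pair and write the host files.
# Replace public_IP below with the server's reachable address before running.
# Host files (vpn/hosts/*) hold only public keys; the private key stays in
# vpn/rsa_key.priv and must not be copied anywhere.
set -eu

apt update && apt install tinc
# Separate cd from mkdir: in a "cd … && mkdir …" chain a failed cd does not stop
# the script under set -e, and every later relative path would be wrong.
cd /etc/tinc || exit 1
mkdir -p vpn/hosts
# The server side does not need the ConnectTo line.
cat >vpn/tinc.conf <<'EOF'
Name = xx2
ConnectTo = master
EOF
# tincd runs tinc-up/tinc-down with $INTERFACE set; the expansions are quoted
# so the generated scripts stay safe if the value is ever empty.
cat >vpn/tinc-up <<'EOF'
#!/bin/sh
ip link set "$INTERFACE" up
ip addr add 10.0.7.10/24 dev "$INTERFACE"
EOF
cat >vpn/tinc-down <<'EOF'
#!/bin/sh
ip link set "$INTERFACE" down
EOF
chmod +x vpn/tinc-*
# -K generates the key pair: the private key is written to vpn/rsa_key.priv
# (keep it mode 600) and the public key is by default appended to vpn/hosts/xx2.
tincd -n vpn -K 4096
# Copy the server's public key file (hosts/master) to this machine.
# Copy this client's public key file (hosts/xx2) to the server.
# client: the lines are inserted at line 1 of the respective host file.
sed -i '1 i Address = public_IP' /etc/tinc/vpn/hosts/master
sed -i '1 i Subnet = 10.0.7.10/32' /etc/tinc/vpn/hosts/xx2
# server (run on the server): its own host file claims all subnets, presumably so
# that clients can route their whole traffic through it (see the gateway section).
sed -i '1 i Subnet = 0.0.0.0/0' /etc/tinc/vpn/hosts/master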
├── nets.boot ->systemd下不起作用
└── vpn ->连接网络名(netname=vpn)
├── hosts ->存放多个公钥的目录
│ ├── master ->服务端公钥
│ ├── master-down ->断开后执行的脚本
│ ├── master-up ->连接后执行的脚本(前缀对应连接名字)
│ └── xx2 ->客户端公钥
├── rsa_key.priv ->客户端私钥(权限600)
├── tinc.conf ->配置文件
├── tinc-down ->服务停止后执行的脚本
└── tinc-up ->服务启动后执行的脚本
switch模式必须使用via标明出口ip
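# Policy routing on the client: traffic from 10.0.7.0/24 is sent out through the
# tinc interface "vpn" via a dedicated routing table "lan". The master-up/-down
# host scripts are run by tincd when the connection to "master" comes up/goes down.
set -eu
apt install iproute2
# Register the "lan" table (id 50) once; re-running this snippet must not append
# a duplicate line to rt_tables. printf instead of "echo -e" for portability.
grep -q '[[:space:]]lan$' /etc/iproute2/rt_tables \
  || printf '50\tlan\n' >> /etc/iproute2/rt_tables
cat >/etc/tinc/vpn/hosts/master-up <<'EOF'
#!/bin/sh
ip rule add from 10.0.7.0/24 table lan
ip route add default dev vpn table lan
EOF
# Tear down in reverse order of master-up.
cat >/etc/tinc/vpn/hosts/master-down <<'EOF'
#!/bin/sh
ip route del default dev vpn table lan
ip rule del from 10.0.7.0/24 table lan
EOF
chmod +x /etc/tinc/vpn/hosts/master-*
systemctl enable tinc@vpn
systemctl start tinc@vpn
# Inspect interfaces with iproute2 (installed above) rather than the legacy ifconfig.
ip addr show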
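# server
# Forward public_IP:443/tcp to the client at 10.0.7.10 and source-NAT traffic
# from the VPN range 10.0.7.2-10.0.7.20 to the public address on the way out.
# Replace public_IP with the server's real address. These rules live only in
# the running kernel; the if-up/if-down hooks below persist them across reboots.
iptables -t nat -A PREROUTING -p tcp -d public_IP -m tcp --dport 443 -j DNAT --to 10.0.7.10:443
iptables -t nat -A POSTROUTING -m iprange --src-range 10.0.7.2-10.0.7.20 -j SNAT --to-source public_IP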
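#!/bin/sh
# Install ifupdown hooks that persist iptables rules across reboots: the
# current rules are saved to /etc/iptables.rules when an interface goes down
# and restored before an interface comes up.
set -eu
DOWN='/etc/network/if-post-down.d'
UP='/etc/network/if-pre-up.d'
# "cat >" already truncates the target, so no separate ">file" step is needed.
# The delimiter is quoted: the hook bodies contain nothing to expand and are
# written literally.
cat >"$DOWN/iptables" <<'EOF'
#!/bin/sh
iptables-save > /etc/iptables.rules
EOF
cat >"$UP/iptables" <<'EOF'
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
chmod +x "$DOWN/iptables" "$UP/iptables"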
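# Build and install 3proxy from source.
set -eu
apt-get update && apt-get -y upgrade
apt-get install -y build-essential git sed
# Supply-chain note: this clones the tip of the default branch. Before building
# on a server, pin a reviewed release tag or commit, e.g.
#   git -C 3proxy checkout <TAG-OR-COMMIT>   (placeholder)
git clone https://github.com/z3APA3A/3proxy
cd 3proxy || exit 1
ln -s Makefile.Linux Makefile
# Build without -DWITHSPLICE. GNU "sed -i" on the symlink replaces it with a
# regular edited copy of Makefile.Linux, which is what the build needs anyway.
sed -i 's/ -DWITHSPLICE//' Makefile
make
make install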
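# Added to hosts/master-up: send traffic to the resolvers used by the 3proxy
# config below (nserver 8.8.8.8 / 8.8.4.4) through the "lan" table as well.
ip rule add to 8.8.8.8 table lan
ip rule add to 8.8.4.4 table lan
# Added to hosts/master-down: remove the same two rules.
ip rule del to 8.8.8.8 table lan
ip rule del to 8.8.4.4 table lan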
// /usr/local/3proxy/conf/3proxy.cfg
# Resolvers 3proxy uses for its own name lookups.
nserver 8.8.8.8
nserver 8.8.4.4
# File 3proxy re-reads on reload. NOTE(review): this path differs from the
# /usr/local/3proxy/conf/3proxy.cfg location named above — confirm which is intended.
config /conf/3proxy.cfg
# Upper bound on simultaneous connections.
maxconn 10000
# ACL, evaluated top-down: refuse proxying to the loopback address first,
# then allow any user from any source to any other destination.
# NOTE(review): together with "socks -a" (no authentication) the only access
# control is the bind address below — confirm 192.168.0.206 is not reachable
# from untrusted networks.
deny * * 127.0.0.1
allow *
# Accept client connections on the LAN address ...
internal 192.168.0.206
# ... and originate outgoing connections from the tinc address.
external 10.0.7.10
# SOCKS service, anonymous (-a), listening on port 8888.
socks -a -p8888
redirecting the default gateway to a host on the VPN
Scripts
master-up
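#!/bin/sh
# tinc host-up script for "master": route all traffic through the tunnel while
# keeping a direct route to the tinc server itself. tincd runs this script with
# REMOTEADDRESS (the server's address) and INTERFACE set.
set -eu
# Current default gateway: the "via" field of "default via <gw> dev <if>".
# awk on "ip -4 route show default" replaces the backtick/grep/egrep chain.
ORIGINAL_GATEWAY=$(ip -4 route show default | awk '$1 == "default" && $2 == "via" { print $3; exit }')
if [ -z "$ORIGINAL_GATEWAY" ]; then
  printf 'master-up: no default gateway found, leaving routes unchanged\n' >&2
  exit 1
fi
# Pin the server behind the original gateway so the tunnel's own packets are
# not routed into the tunnel.
ip route add "$REMOTEADDRESS" via "$ORIGINAL_GATEWAY"
# Two /1 routes are more specific than the existing default route, so they take
# precedence without deleting it (master-down relies on it still being there).
ip route add 0.0.0.0/1 dev "$INTERFACE"
ip route add 128.0.0.0/1 dev "$INTERFACE"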
master-down
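#!/bin/sh
# tinc host-down script for "master": undo what master-up added. Deliberately
# not "set -e": one failed deletion must not prevent removing the remaining
# routes, otherwise the host is left with dead routes into a gone tunnel.
set -u
# The original default route is still in place (master-up only adds /1 routes),
# so it can be recovered the same way master-up does.
ORIGINAL_GATEWAY=$(ip -4 route show default | awk '$1 == "default" && $2 == "via" { print $3; exit }')
if [ -n "$ORIGINAL_GATEWAY" ]; then
  ip route del "$REMOTEADDRESS" via "$ORIGINAL_GATEWAY"
else
  # No gateway to match on; the host route is still identified by its destination.
  printf 'master-down: no default gateway found, deleting host route by destination only\n' >&2
  ip route del "$REMOTEADDRESS"
fi
ip route del 0.0.0.0/1 dev "$INTERFACE"
ip route del 128.0.0.0/1 dev "$INTERFACE"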
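# Add to hosts/master-up (forward): source-NAT everything leaving through the
# "vpn" interface to this host's tunnel address.
iptables -t nat -A POSTROUTING -o vpn -j SNAT --to-source 10.0.7.10
# Add to hosts/master-down: delete the identical rule (-D matches the rule as specified).
iptables -t nat -D POSTROUTING -o vpn -j SNAT --to-source 10.0.7.10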
-----BEGIN PGP MESSAGE-----
hQGMA5kb62T7VWXFAQwApFJzzFr5obJvSqLtMxJ17IpmRP11IPMN5v5BSICS/OLW
OlLjarI5TW1NCBIGgSG/TCNtrvDlcTSbdqxkPAeQwqqvyY063tK2rShDl0w7R6G+
8+LEbC0ViUVgHIQLsx3Cmn6EFaZ05zsCf2wJwX0aoTWpuBMoGCQi7dZWJyZjPdgm
Qnhhll1bmNih7fqNk64Nfgl2IGom7wisnAZsW1bLtul6pohVurvg95xtBUXxzR0e
q6+zTU4OixXa5GrZXhTH3G5YstSWuhLU+jeeghM7z7SG0r8Gu64itxK/pDqXGYF4
zmHhTJh0lvfGmtqFFuRGwAPk9TIDuLsokKVCKsoTv45U27JpKUh8vXkv09xHf403
UgtuJiQkrGXu4ZH9GtytygBKwEuiVIqwo32KiI4IJVZXp9a9PnUQys4SV/EErpln
okVB6YlgVwQyn3jz7Pa6IMJ1a5oAQH1YuZIddqr5OV5kVODqxe8sgMOkyNFZaywj
JUtABkdGb0a3RdF9W+yw0ukB6GsT0n9IWX/vkNnJKQbx4BoqIjMhFPEKjQVI1nKp
yfjL1op0O9ayMrOpGuO1ckIqU78qzMgqApKSHHeS/bLTDcYEvrZy4aPGM9UHc4eM
yGfRE3bZbrxzO6Hj8Nmhi+toz2j/QdmM0YJ+jWuyLPkJYrwwduEFGlKBGWypckcT
UIdnw01yXbFNQPWg8wOnx/bz/uILZhSlbHLobjVSU0EAdEW8IWp8+VaLRANn54Oo
Fl6PYb/dhB61MPtSO0nFELjkoWw72JQehf4AVhp/jC3mQoQcA/UQfTkyOyGIGOip
CwAtSiI65Ba/X7dqQrkVWW7x+kKe3R/8GZzzpxHk3TcdaZe5ibTtsEBf+C8uPeLZ
QLppC319+kPTVzOaLkNKVcYYnoa0go75wiVXKZBVzq8oDi3UFQT2f3naF3zGwFrk
dWYjJhQ2orK+7xErWbmgpSe2wGOoleoCEvYL9YAQUlKl3IzaOHhrONy+jAfFCCxJ
OiHLk1xw6Haq/NOYEL539hkqWCcGlSSn8bccQUQP0xyj1dVSubPapA0QNovCji9e
IBwE6qn4U+grC4XlWsJriZymeI8Wj/wFmHdLiV766oZYPHz5DeNmOmpU6ObSTmIL
A3P9lZUcQsgQksSCRNEH1Yf7lX8uGimWgzgpYCGNnOZdOY2nzeDd47KGEWvKXHA0
IMB8ZAQXAKSLynzKJqZDK62V1L48wBElJ19nFISSvPMolbJzPvi+l/2QL3D/PwpD
ByxaTaCcjr1CRDudP6SCPXf06ETY1SHV4seQH6PRCLLx0TVFTIeJBNRO4YGdSPPl
cofuK/7i0HgDtaD5b5UDPyQPQP1IJrYu50yj4EdxIrXFH9OU4U46BtTqNWejuQ0o
MStNvyEH7c6IWbnKej+NrujctupzymcRe6C6SzYD9Rus/k9N0T9eQ2epLgFu2/M5
sK+3OSfLVOZKqOXlox/PsAB8CjB7PBbBbNiFTMSdxL4B0Rwz8rSe0OvRF1wWfSne
QRojnjVrF7s/PL7LCrV5BrF0BxdsRKQvDiHeIRRoAWUrPif2awlQO1uw4scO5PBR
XtnLlijriwlJA1uJ/GMbqamOwRfH7VyfWsWmIKV9Zw==
=btuC
-----END PGP MESSAGE-----
/etc/tinc/netname/tinc.conf->/etc/config/tinc
example
/etc/config/network
# OpenWrt UCI network config: declare the tinc tunnel device tun0 as an
# interface named "vpn".
config interface 'vpn'
# No address configuration by netifd; presumably tinc's own up script sets the
# address, as on the Debian client above — confirm.
option proto 'none'
option ifname 'tun0'
option auto '1'
option delegate '0'
/etc/config/tinc
# OpenWrt tinc config: one tinc-net section per network ("vpn") and one
# tinc-host section for this node ("openwrt"), replacing the hand-written
# tinc.conf used on the Debian client above.
config tinc-net vpn
option enabled 1
# Generate the key pair on first start with a 4096-bit key, matching
# "tincd -K 4096" above.
option generate_keys 1
option key_size 4096
# Same role as the ConnectTo / Name / Interface lines of tinc.conf.
list ConnectTo master
option Name openwrt
option Interface tun0
# Private key location; keep it mode 600 as noted in the directory tree above.
option PrivateKeyFile /etc/tinc/vpn/rsa_key.priv
# Host section name matches the Name above.
config tinc-host openwrt
option enabled 1
option net vpn