tinc
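# netname=vpn -> everything for this network lives under /etc/tinc/vpn/ (tinc 1.0 layout).
# ("//" is not a comment in shell; pasting the original lines ran them as commands.)
apt update && apt install tinc
cd /etc/tinc && mkdir -p vpn/hosts

# tinc.conf: Name is this node's name and must match its file in hosts/.
# The server side omits the ConnectTo line; clients point it at the server's name.
cat >vpn/tinc.conf<<'EOF'
Name = xx2
ConnectTo = master
EOF

# tinc-up/tinc-down are run by tincd with INTERFACE set to the tun device.
# The quoted heredoc keeps "$INTERFACE" literal so it expands at run time, not now.
cat >vpn/tinc-up<<'EOF'
#!/bin/sh
ip link set "$INTERFACE" up
ip addr add 10.0.7.10/24 dev "$INTERFACE"
EOF
cat >vpn/tinc-down<<'EOF'
#!/bin/sh
ip link set "$INTERFACE" down
EOF
chmod +x vpn/tinc-*

# Generate this node's RSA key pair: the private key goes to vpn/rsa_key.priv
# (keep it root-only, mode 600); the public key ends up in vpn/hosts/xx2.
tincd -n vpn -K 4096

# Key exchange: copy the server's host file (hosts/master) here, and this client's
# host file (hosts/xx2) to the server. These files are the trust anchors of the
# mesh — the public key inside is what authenticates a peer — so move them over an
# authenticated channel (e.g. scp) and do not accept them from an untrusted source.

# on client: the server's reachable address, and the /32 this client owns.
sed -i '1 i Address = public_IP' /etc/tinc/vpn/hosts/master
sed -i '1 i Subnet = 10.0.7.10/32' /etc/tinc/vpn/hosts/xx2
# on server: advertise master as the route for everything (full-tunnel gateway).
sed -i '1 i Subnet = 0.0.0.0/0' /etc/tinc/vpn/hosts/master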
/etc/tinc
├── nets.boot        -> 在 systemd 下不起作用 (ignored when tincd is started through the tinc@<netname> systemd unit)
└── vpn              -> 连接网络名 (netname=vpn)
    ├── hosts        -> 存放多个公钥的目录 (one file per node: its public key plus Address/Subnet lines)
    │   ├── master       -> 服务端公钥 (server's host file)
    │   ├── master-down  -> 断开后执行的脚本 (run when the connection to master goes down)
    │   ├── master-up    -> 连接后执行的脚本(前缀对应连接名字) (run when the connection to master comes up; the prefix is the peer's Name)
    │   └── xx2          -> 客户端公钥 (this client's host file)
    ├── rsa_key.priv -> 客户端私钥(权限600) (this node's private key; must stay root-only, mode 600)
    ├── tinc.conf    -> 配置文件 (main configuration)
    ├── tinc-down    -> 服务停止后执行的脚本 (run when tincd stops)
    └── tinc-up      -> 服务启动后执行的脚本 (run when tincd starts)
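# Policy routing on the client: traffic sourced from the VPN subnet uses its own
# routing table ("lan", id 50) whose default route is the tunnel. Replies to
# connections the server DNATs to 10.0.7.10 then go back through the tunnel
# instead of the LAN gateway.
apt install iproute2
# Register the table once. The original `echo -e ... >>` added a duplicate line on
# every re-run, and dash's echo prints "-e" literally; printf is portable.
grep -qE '^50[[:space:]]+lan$' /etc/iproute2/rt_tables || printf '50\tlan\n' >> /etc/iproute2/rt_tables

# master-up/master-down are run by tincd when the connection to "master" comes up
# or goes down. INTERFACE is the tun device — "vpn" here, since the device takes
# the netname unless Interface is set in tinc.conf.
cat >/etc/tinc/vpn/hosts/master-up<<'EOF'
#!/bin/sh
ip rule add from 10.0.7.0/24 table lan
ip route add default dev "$INTERFACE" table lan
EOF
cat >/etc/tinc/vpn/hosts/master-down<<'EOF'
#!/bin/sh
ip route del default dev "$INTERFACE" table lan
ip rule del from 10.0.7.0/24 table lan
EOF
chmod +x /etc/tinc/vpn/hosts/master-*
systemctl enable tinc@vpn
systemctl start tinc@vpn
# Verify the tun device is up with its address (ifconfig needs the net-tools package).
ip addr show vpn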
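# server: publish the client's TCP/443 on the public address and NAT the VPN
# clients' outbound traffic. Both are forwarding, so IPv4 forwarding must be on
# (persist it in /etc/sysctl.d/ as well).
sysctl -w net.ipv4.ip_forward=1
# Inbound: TCP/443 arriving on public_IP is forwarded to the client 10.0.7.10
# over the tunnel; its replies return via the client's "lan" policy-routing table.
iptables -t nat -A PREROUTING -p tcp -d public_IP -m tcp --dport 443 -j DNAT --to 10.0.7.10:443
# Outbound: rewrite the source of 10.0.7.2-10.0.7.20 to the public address.
iptables -t nat -A POSTROUTING -m iprange --src-range 10.0.7.2-10.0.7.20 -j SNAT --to-source public_IP
# NOTE(review): nothing here filters the FORWARD chain. With an ACCEPT policy,
# every VPN node in that range can reach anything the server can route to, and
# the DNAT exposes the client's port 443 to the whole internet — fine for a
# deliberately published service, but make sure that is the intent.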
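#!/bin/sh
# Persist the server's iptables rules across reboots with ifupdown hooks:
# save the live rule set when the interface goes down, restore it before it
# comes up. Must run as root; the two hook files it writes are executable scripts.
DOWN='/etc/network/if-post-down.d'
UP='/etc/network/if-pre-up.d'

cat > "$DOWN/iptables" <<'EOF'
#!/bin/sh
iptables-save > /etc/iptables.rules
EOF
cat > "$UP/iptables" <<'EOF'
#!/bin/sh
# Skip until the first save has happened: a failing pre-up hook makes ifupdown
# refuse to bring the interface up at all, which is what the unguarded restore
# did on a fresh host where /etc/iptables.rules did not exist yet.
[ -f /etc/iptables.rules ] || exit 0
iptables-restore < /etc/iptables.rules
EOF
chmod +x "$DOWN/iptables" "$UP/iptables"
# NOTE(review): rules are only saved on a clean interface down; a crash or hard
# reset loses anything added since. Run `iptables-save > /etc/iptables.rules`
# once right after adding rules, or use the iptables-persistent package instead.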
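# Build 3proxy from source on the client.
apt-get update && apt-get -y upgrade
apt-get install -y build-essential git
# Supply-chain note: this builds whatever HEAD of the upstream repository is at
# clone time and installs it as root, with nothing pinned or verified. Check out
# a specific release tag or commit (git checkout <tag>) and compare it with the
# upstream release before running make install.
git clone https://github.com/z3APA3A/3proxy
cd 3proxy
ln -s Makefile.Linux Makefile
make
make install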
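# Add to master-*: the resolvers 3proxy uses (nserver 8.8.8.8 / 8.8.4.4 below)
# also go through the "lan" table, whose default route is the tunnel, so DNS
# lookups follow the same path as the proxied traffic.
# In master-up:
ip rule add to 8.8.8.8 table lan
ip rule add to 8.8.4.4 table lan
# In master-down:
ip rule del to 8.8.8.8 table lan
ip rule del to 8.8.4.4 table lan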
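# /usr/local/3proxy/conf/3proxy.cfg
# Resolve through Google DNS; the ip rules added to master-* send these two
# addresses through the tunnel as well.
nserver 8.8.8.8
nserver 8.8.4.4
# NOTE(review): this path differs from where the file itself lives; looks like a
# leftover — verify it is intended.
config /conf/3proxy.cfg
# The allow/deny lines below are only enforced once an auth mode is set; with
# 3proxy's default ("none") access-control lists are not checked at all, so the
# original deny rule was dead. iponly checks only source/destination addresses
# and requires no credentials — confirm against the installed version's manual.
auth iponly
# First match wins: keep the proxy off loopback, allow everything else.
# NOTE(review): any client that can reach 192.168.0.206:8888 can use this proxy
# to reach 10.0.7.0/24 and the LAN without credentials; narrow it (for example
# allow * 192.168.0.0/24, or auth strong with named users) if that is not wanted.
deny * * 127.0.0.1
allow *
# Listen on the LAN address; originate connections from the VPN address so they
# leave through the tunnel.
internal 192.168.0.206
external 10.0.7.10
socks -a -p8888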
Redirecting the client's default route through the VPN (full-tunnel mode)
Scripts
master-up
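#!/bin/sh
# master-up: host-up script run by tincd when the connection to "master" comes up.
# tincd passes REMOTEADDRESS (master's real address) and INTERFACE (the tun device).
# Pin the tunnel endpoint to the original gateway, then override the default route
# with two /1 routes: they are more specific than 0/0, so the original default is
# left in place and can be read back in master-down.
# awk replaces the original hand-rolled IPv4 regex; it also takes only the first
# "default via" entry, so several default routes no longer break the add below.
ORIGINAL_GATEWAY=$(ip -4 route show default | awk '$2 == "via" { print $3; exit }')
if [ -z "$ORIGINAL_GATEWAY" ]; then
  echo "master-up: no IPv4 default gateway found, not redirecting" >&2
  exit 1
fi
ip route add "$REMOTEADDRESS" via "$ORIGINAL_GATEWAY"
ip route add 0.0.0.0/1 dev "$INTERFACE"
ip route add 128.0.0.0/1 dev "$INTERFACE"
# NOTE(review): only IPv4 is redirected; if this host has IPv6 connectivity that
# traffic bypasses the tunnel.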
master-down
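#!/bin/sh
# master-down: host-down script run by tincd when the connection to "master" drops.
# Undo master-up: drop the two /1 overrides and the pinned route to the server.
# The original default route was never removed, so it can still be read here.
ORIGINAL_GATEWAY=$(ip -4 route show default | awk '$2 == "via" { print $3; exit }')
ip route del 0.0.0.0/1 dev "$INTERFACE"
ip route del 128.0.0.0/1 dev "$INTERFACE"
if [ -n "$ORIGINAL_GATEWAY" ]; then
  ip route del "$REMOTEADDRESS" via "$ORIGINAL_GATEWAY"
else
  echo "master-down: no IPv4 default gateway found, route to $REMOTEADDRESS left in place" >&2
fi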
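# Add to master-* (forward): rewrite anything this client sends out of the tunnel
# to its own VPN address 10.0.7.10, which lies inside the server's SNAT range.
# Traffic that is forwarded (rather than originated here) additionally needs
# net.ipv4.ip_forward=1 on this host.
# In master-up:
iptables -t nat -A POSTROUTING -o vpn -j SNAT --to-source 10.0.7.10
# In master-down:
iptables -t nat -D POSTROUTING -o vpn -j SNAT --to-source 10.0.7.10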
***
On OpenWrt the role of /etc/tinc/&lt;netname&gt;/tinc.conf is taken by the UCI file /etc/config/tinc; the tun device is declared in /etc/config/network.
Example:
/etc/config/network
config interface 'vpn'
# proto none: netifd does not configure an address; tinc's own up script is
# expected to do that (not shown on this page).
option proto 'none'
# Must match "option Interface tun0" in /etc/config/tinc.
option ifname 'tun0'
option auto '1'
# presumably disables IPv6 prefix delegation on this interface — confirm against netifd docs
option delegate '0'
/etc/config/tinc
config tinc-net vpn
# UCI counterpart of /etc/tinc/vpn/tinc.conf for the "vpn" netname.
option enabled 1
# Let the init script create the RSA key pair (4096-bit, as with tincd -K 4096
# on the Debian client); the private key lands in PrivateKeyFile below and must
# stay root-only. Presumably only done when the key file is absent — verify.
option generate_keys 1
option key_size 4096
list ConnectTo master
# This node's Name; its hosts/openwrt file has to be exchanged with master over
# an authenticated channel, as for the Debian client above.
option Name openwrt
option Interface tun0
option PrivateKeyFile /etc/tinc/vpn/rsa_key.priv
config tinc-host openwrt
option enabled 1
option net vpn