极客家居-路由网关
大约 2 分钟
极客家居-路由网关
基于 OpenWRT 构建的路由网关
原理背景
防火墙相关
- netfilter/iptables简介 https://segmentfault.com/a/1190000009043962
- iptables详解 https://www.xiebruce.top/1071.html
抓包分析
- tcpdump https://www.tcpdump.org/ 基于cBPF增加了语法解析,命令行直接抓包
- wireshark https://www.wireshark.org/ 增加了GUI,更直观方便的学习了解网络处理
安装配置
操作系统
操作系统采用 OpenWrt
- 官方文档 https://openwrt.org/docs/start
- 用户指南 https://openwrt.org/docs/guide-user/start
安装引导固件Breed
https://openwrt.org/docs/techref/bootloader/breed
使用开源固件
https://op.supes.top/firmware/
https://github.com/kiddin9/OpenWrt_x86-r2s-r4s
编译固件刷机(备选)
基于 github actions 自编译固件
https://docs.github.com/en/actions
https://www.youtube.com/watch?v=R8_veQiYBjI
配置动态域名
家庭网络一般为动态变化的ip地址,为了能够访问到家里的网络,需要在检测到ip变化时,及时更新域名对应的ip地址,使得域名永远指向家庭的ip地址,此即为动态域名解析。
- DDNS
配置流量入口
通过WireGuard
- 官方指南 https://openwrt.org/docs/guide-user/services/vpn/wireguard/start
- OpenWRT WireGuard VPN Server Tutorial https://www.reddit.com/r/openwrt/comments/bahhua/openwrt_wireguard_vpn_server_tutorial/
- 使用WireGuard随时随地访问家中内网资源 https://www.right.com.cn/forum/thread-1335402-1-1.html
- 安装和配置wireguard https://segmentfault.com/a/1190000021720487
通过OpenVPN
配置流量出口
- bypass
配置广告拦截
- adbyby-plus
配置文件共享
Samba,参考:
- https://ubuntu.com/server/docs/samba-introduction
- https://help.ubuntu.com/community/Samba/SambaClientGuide
- https://wiki.samba.org/index.php/LinuxCIFS_utils
服务端
TODO
客户端
安装:
sudo apt -y install smbclient cifs-utils
测试:
smbclient //gate.krproject.org/samba -U root
挂载:
mkdir -p /samba
mount -t cifs -o username=root //gate.krproject.org/samba /samba
持久挂载:
vi /root/.samba_credentials
username=root
password=******
domain=WORKGROUP
vi /etc/fstab
//gate.krproject.org/samba /samba cifs credentials=/root/.samba_credentials 0 0
mount -a
df -hT
配置域名证书
基于 acme
全站 HTTPS 没你想象的那么简单 : https://www.cnblogs.com/mafly/p/allhttps.html
服务端
安装luci-app-acme
编辑 /etc/config/nginx
config main global
option uci_enable 'true'
config server '_lan'
list listen '80'
list listen '[::]:80'
option return '302 https://$host$request_uri'
config server '_ssl'
list listen '443 ssl'
list listen '[::]:443 ssl'
option server_name '*.krproject.org'
list include 'conf.d/*.locations'
option ssl_certificate '/mnt/sda3/acme/krproject.org/krproject.org.cer'
option ssl_certificate_key '/mnt/sda3/acme/krproject.org/krproject.org.key'
option ssl_session_cache 'shared:SSL:32k'
option ssl_session_timeout '64m'
option access_log 'off; # logd openwrt'
service nginx restart
客户端
check-acme-files.sh
#!/bin/bash
LOG_FILE=${0}.log
FILE_LIST_ARRAY=(
'/samba/acme/krproject.org/fullchain.cer /etc/ssl/krproject.org/fullchain.cer'
'/samba/acme/krproject.org/krproject.org.cer /etc/ssl/krproject.org/krproject.org.cer'
'/samba/acme/krproject.org/krproject.org.key /etc/ssl/krproject.org/krproject.org.key'
)
FILE_CHANGED=0
echo "$(date) : check files starting!"|tee -a ${LOG_FILE}
# check files changed or not
for i in ${!FILE_LIST_ARRAY[@]}; do
FILE_ARRAY=(${FILE_LIST_ARRAY[$i]});
SOURCE_FILE=${FILE_ARRAY[0]};
TARGET_FILE=${FILE_ARRAY[1]};
if [ ! -f ${SOURCE_FILE} ]; then
echo "$(date) : ${SOURCE_FILE} not exists!"|tee -a ${LOG_FILE}
break;
fi
if ! cmp -s "${SOURCE_FILE}" "${TARGET_FILE}"; then
echo "$(date) : copy ${SOURCE_FILE} to ${TARGET_FILE}"|tee -a ${LOG_FILE}
cp -f ${SOURCE_FILE} ${TARGET_FILE};
FILE_CHANGED=1;
fi
done
# restart apache2 when file changed
if [ "${FILE_CHANGED}" -eq "1" ]; then
echo "$(date) : service apache2 restart"|tee -a ${LOG_FILE}
service apache2 restart;
fi
echo "$(date) : check files finished!"|tee -a ${LOG_FILE}
Loading...