alex/homework35
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Добавить README.md

Browse Source
This commit is contained in:
alex
2026-03-25 23:41:21 +03:00
parent 438dcfb0a4
commit 463045d455
1 changed files with 248 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

248
README.md Normal file
View File

@@ -0,0 +1,248 @@
# Домашнее задание 35
## Мосты, туннели и VPN
Для выполнение задания используется vagrant box Ubuntu 22.04
### Создание Vagrantfile
Создадим 5 VM с характеристиками
- CPU 1
- RAM 512Mb
Создана сеть **net_01** в которой будет создан vpn туннель
### ansible.yml
В сценарий для Ansible добавлены следующие действия:
1. На всех VM установлен openvpn и iperf3
2. На VM **vpn-server**
- Будет установлен easy-rsa, для создания сертификатов
- Будут сгенерированы сертификаты для подключения к open vpn для 3 пользователей
- Будет настроен и запущен openvpn server
3. На VM **vpn-client** будет настроен и запущен openvpn client, с сертификатом client01.crt
Готовый [ansible.yml](ansible.yml)
### Проверка
Запускаем vagrant
```bash
alex@ubuntu-pc:~/Документы/35$ vagrant up
Bringing machine 'vpn-server' up with 'virtualbox' provider...
Bringing machine 'vpn-client' up with 'virtualbox' provider...
==> vpn-server: Importing base box 'ubuntu/jammy64'...
==> vpn-server: Matching MAC address for NAT networking...
==> vpn-server: Checking if box 'ubuntu/jammy64' version '20241002.0.0' is up to date...
==> vpn-server: Setting the name of the VM: 35_vpn-server_1774467930425_98670
==> vpn-server: Clearing any previously set network interfaces...
==> vpn-server: Preparing network interfaces based on configuration...
vpn-server: Adapter 1: nat
vpn-server: Adapter 2: intnet
==> vpn-server: Forwarding ports...
vpn-server: 22 (guest) => 2222 (host) (adapter 1)
==> vpn-server: Running 'pre-boot' VM customizations...
==> vpn-server: Booting VM...
==> vpn-server: Waiting for machine to boot. This may take a few minutes...
vpn-server: SSH address: 127.0.0.1:2222
vpn-server: SSH username: vagrant
vpn-server: SSH auth method: private key
vpn-server: Warning: Connection reset. Retrying...
vpn-server: Warning: Remote connection disconnect. Retrying...
vpn-server: Warning: Connection reset. Retrying...
...
...
TASK [copy client01 cert] ******************************************************
changed: [vpn-client] => (item=ca.crt)
changed: [vpn-client] => (item=client01.crt)
changed: [vpn-client] => (item=client01.key)
changed: [vpn-client] => (item=dh.pem)
TASK [create conf clietn openvpn] **********************************************
changed: [vpn-client]
RUNNING HANDLER [restart openvpn] **********************************************
changed: [vpn-client]
PLAY RECAP *********************************************************************
vpn-client : ok=9 changed=7 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```
После запуска машин, подключимся к VM **vpn-client** и проверим, установилось ли соединение vpn
```bash
vagrant@vpn-client:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 02:a0:d2:64:f1:28 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic enp0s3
valid_lft 86252sec preferred_lft 86252sec
inet6 fd17:625c:f037:2:a0:d2ff:fe64:f128/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 86253sec preferred_lft 14253sec
inet6 fe80::a0:d2ff:fe64:f128/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:a2:b6:15 brd ff:ff:ff:ff:ff:ff
inet 10.10.1.20/24 brd 10.10.1.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fea2:b615/64 scope link
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 172.16.10.6 peer 172.16.10.5/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::25ec:da12:e5e9:81c5/64 scope link stable-privacy
valid_lft forever preferred_lft forever
```
Как видим присутствует интерфейс **tun0** с ip адресом **172.16.10.6**.
Проверим ICMP
```bash
vagrant@vpn-client:~$ ping 172.16.10.1
PING 172.16.10.1 (172.16.10.1) 56(84) bytes of data.
64 bytes from 172.16.10.1: icmp_seq=1 ttl=64 time=0.519 ms
64 bytes from 172.16.10.1: icmp_seq=2 ttl=64 time=0.525 ms
64 bytes from 172.16.10.1: icmp_seq=3 ttl=64 time=0.551 ms
^C
--- 172.16.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2055ms
rtt min/avg/max/mdev = 0.519/0.531/0.551/0.013 ms
```
Как видим пинг успешно проходит.
VPN соединение успешно установлено!
### Замер скоорости в TUN и TAP режимах
Через ansible мы настроили VPN в tun режиме, проведем замеры с помощью iperf.
На VM **vpn-server** запусти iperff в режиме сервера
```bash
vagrant@vpn-server:~$ iperf3 -s
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
```
На VM **vpn-client** iperf будет подключаться к **vpn-server** внутри VPN туннеля
```bash
vagrant@vpn-client:~$ iperf3 -c 172.16.10.1
Connecting to host 172.16.10.1, port 5201
[ 5] local 172.16.10.6 port 38838 connected to 172.16.10.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 20.2 MBytes 170 Mbits/sec 21 131 KBytes
[ 5] 1.00-2.00 sec 18.1 MBytes 152 Mbits/sec 4 168 KBytes
[ 5] 2.00-3.00 sec 18.5 MBytes 155 Mbits/sec 11 112 KBytes
[ 5] 3.00-4.00 sec 16.6 MBytes 139 Mbits/sec 2 155 KBytes
[ 5] 4.00-5.00 sec 13.7 MBytes 115 Mbits/sec 16 133 KBytes
[ 5] 5.00-6.00 sec 16.5 MBytes 138 Mbits/sec 5 137 KBytes
[ 5] 6.00-7.00 sec 17.7 MBytes 149 Mbits/sec 21 139 KBytes
[ 5] 7.00-8.00 sec 16.3 MBytes 136 Mbits/sec 5 120 KBytes
[ 5] 8.00-9.00 sec 17.4 MBytes 146 Mbits/sec 19 127 KBytes
[ 5] 9.00-10.00 sec 14.8 MBytes 124 Mbits/sec 5 123 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 170 MBytes 142 Mbits/sec 109 sender
[ 5] 0.00-10.04 sec 169 MBytes 141 Mbits/sec receiver
iperf Done.
```
Как видим средняя скорость 142 Mbits/sec
Теперь отредактируем конфигурацию openvpn на сервере и клиенте, изменив режим с TUN на TAP
Hа сервере
```bash
vagrant@vpn-server:~$ sudo sed -i 's/^dev tun$/dev tap/' /etc/openvpn/server.conf
vagrant@vpn-server:~$ sudo systemctl restart openvpn@server
```
На клиенте
```bash
vagrant@vpn-client:~$ sudo sed -i 's/^dev tun$/dev tap/' /etc/openvpn/client.conf
vagrant@vpn-server:~$ sudo systemctl restart openvpn@client
```
Посмотрим интерфейсы на **vpn-client**
```bash
vagrant@vpn-client:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 02:a0:d2:64:f1:28 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic enp0s3
valid_lft 84585sec preferred_lft 84585sec
inet6 fd17:625c:f037:2:a0:d2ff:fe64:f128/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 86047sec preferred_lft 14047sec
inet6 fe80::a0:d2ff:fe64:f128/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:a2:b6:15 brd ff:ff:ff:ff:ff:ff
inet 10.10.1.20/24 brd 10.10.1.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fea2:b615/64 scope link
valid_lft forever preferred_lft forever
6: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 16:57:f1:51:c5:dc brd ff:ff:ff:ff:ff:ff
inet 172.16.10.2/24 scope global tap0
valid_lft forever preferred_lft forever
inet6 fe80::2ce0:3ff:fe3d:f6fd/64 scope link
valid_lft forever preferred_lft forever
```
Терерь уже видим интерфейс **tap0** мак адресом **16:57:f1:51:c5:dc** и ip **172.16.10.2**
Проверим скорость через iperf, как и в предыдущий раз запускаем iperf сервер н а**vpn-sever**, а c **vpn-clietn** подключаемся
```bash
vagrant@vpn-client:~$ iperf3 -c 172.16.10.1
Connecting to host 172.16.10.1, port 5201
[ 5] local 172.16.10.2 port 34070 connected to 172.16.10.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 20.9 MBytes 175 Mbits/sec 15 135 KBytes
[ 5] 1.00-2.00 sec 18.5 MBytes 155 Mbits/sec 5 146 KBytes
[ 5] 2.00-3.00 sec 17.6 MBytes 148 Mbits/sec 5 136 KBytes
[ 5] 3.00-4.00 sec 17.2 MBytes 145 Mbits/sec 10 131 KBytes
[ 5] 4.00-5.00 sec 13.0 MBytes 109 Mbits/sec 1 147 KBytes
[ 5] 5.00-6.00 sec 15.3 MBytes 129 Mbits/sec 9 136 KBytes
[ 5] 6.00-7.00 sec 18.5 MBytes 155 Mbits/sec 23 118 KBytes
[ 5] 7.00-8.00 sec 15.4 MBytes 129 Mbits/sec 5 106 KBytes
[ 5] 8.00-9.00 sec 17.5 MBytes 147 Mbits/sec 5 153 KBytes
[ 5] 9.00-10.00 sec 15.6 MBytes 131 Mbits/sec 5 168 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 170 MBytes 142 Mbits/sec 83 sender
[ 5] 0.00-10.05 sec 169 MBytes 141 Mbits/sec receiver
iperf Done.
```
Как видим средняя скорость все так же на уровне 142 Mbits/sec.
**Делаем вывод**
Внутри Virtualbox, для двух VM со слабыми характеристика, нет никакой разницы!!
Но если не нужеж именно L2 туннель то лучше стоит использовать TUN режим вместе, там нет лишнего L2 трафика, что при высоких нагрузках будет только плюсом
Все готово!