How to set up HailBytes VPN for your AWS environment
Introduction
In this article, we will walk through how to set up HailBytes VPN on your network, a simple and secure VPN and firewall for your network. Further details and some clarifications can be found in our engineering documentation linked here.
Preparation
1. Resource requirements:
- We recommend starting with 1 vCPU and 1 GB of RAM before scaling up.
- For Omnibus-based deployments on servers with less than 1 GB of memory, you should enable swap to prevent the Linux kernel from unexpectedly killing Firezone processes.
- 1 vCPU should be sufficient to saturate a 1 Gbps VPN link.
2. Create a DNS record: Firezone requires a proper domain name for production use, e.g. firezone.company.com. You will need to create a matching DNS record such as an A, CNAME, or AAAA record.
3. Set up SSL: You will need a valid SSL certificate to use Firezone in a production environment. Firezone supports ACME for automatic provisioning of SSL certificates for Docker and Omnibus-based installations.
4. Open firewall ports: Firezone uses ports 51820/udp and 443/tcp for WireGuard and HTTPS traffic respectively. You can change these ports later in the configuration file.
Deploy on Docker (Recommended)
1. Prerequisites:
- Make sure you are on a supported platform with docker-compose version 2 or higher installed.
- Make sure port forwarding is enabled on the firewall. The defaults require the following ports to be open:
o 80/tcp (optional): Automatically issuing SSL certificates
o 443/tcp: Access to the web UI
o 51820/udp: Listening port for VPN traffic
2. Install Server Option I: Automatic Install (Recommended)
- Run the installation script: bash <(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh)
- It will ask a few questions about the initial configuration before downloading the sample docker-compose.yml file. It will configure that file with your answers and print instructions for accessing the Web UI.
- The default Firezone directory is $HOME/.firezone.
2. Install Server Option II: Manual Install
- Download the docker compose template to the working directory
- Linux: curl -fsSL https://raw.githubusercontent.com/firezone/firezone/master/docker-compose.prod.yml -o docker-compose.yml
- macOS or Windows: curl -fsSL https://raw.githubusercontent.com/firezone/firezone/master/docker-compose.desktop.yml -o docker-compose.yml
- Generate the required secrets: docker run --rm firezone/firezone bin/gen-env > .env
- Change DEFAULT_ADMIN_EMAIL and EXTERNAL_URL to your own values. Adjust other secrets as needed.
- Migrate the database: docker compose run --rm firezone bin/migrate
- Create the admin account: docker compose run --rm firezone bin/create-or-reset-admin
- Bring the services up: docker compose up -d
- You should now be able to access the Firezone UI through the EXTERNAL_URL variable defined above.
3. Enable at boot (optional):
- Make sure Docker is enabled at startup: sudo systemctl enable docker
- The Firezone services should restart automatically because of the restart: always or restart: unless-stopped option specified in the docker-compose.yml file.
4. Enable IPv6 Public Routability (optional):
- Add the following to /etc/docker/daemon.json to enable IPv6 NAT and configure IPv6 forwarding for Docker containers.
- Enable router advertisements at startup so the egress interface is picked up automatically: egress=`ip route show default 0.0.0.0/0 | grep -oP '(?<=dev ).*' | cut -f1 -d' ' | tr -d '\n'` sudo bash -c "echo net.ipv6.conf.${egress}.accept_ra=2 >> /etc/sysctl.conf"
- Reboot and test by pinging Google from inside a Docker container: docker run --rm -t busybox ping6 -c 4 google.com
- There is no need to add any iptables rules to enable IPv6 SNAT/masquerading for tunnel traffic. Firezone will handle this.
5. Install client apps
You can now add users to your network and provide them with instructions for establishing a VPN session.
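The checks below are an added example, not Firezone or HailBytes code: a preflight script covering the Docker prerequisites (docker-compose 2+, the 443/tcp and 51820/udp listeners), the egress-interface lookup from the IPv6 step, and the EXTERNAL_URL / DEFAULT_ADMIN_EMAIL values in the generated .env. Every function takes command output or a file path as an argument, so it runs here against constructed samples and can be pointed at live output on the server (e.g. port_listening "$(ss -Hlntu)" 51820 udp); the sample values are assumptions, not taken from any real deployment.

```shell
#!/usr/bin/env bash
# Added example (not Firezone or HailBytes code): preflight checks for the
# prerequisites above. Inputs are passed as strings so the functions can be
# exercised against the constructed samples at the bottom or against live output.

# docker-compose version 2 or later is required: take the major number from the
# first X.Y version found in the `docker compose version` line.
compose_version_ok() {   # $1 = output of `docker compose version`
  local major
  major=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.[0-9].*/\1/p' | head -n1)
  [ -n "$major" ] && [ "$major" -ge 2 ]
}

# 443/tcp and 51820/udp (optionally 80/tcp) must be open and have a listener.
port_listening() {   # $1 = output of `ss -Hlntu`, $2 = port, $3 = tcp|udp
  printf '%s\n' "$1" | grep -E "^${3}[[:space:]].*:${2}[[:space:]]" >/dev/null
}

# Egress interface as used by the IPv6 accept_ra step, without needing grep -P.
egress_iface() {   # $1 = output of `ip route show default`
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n1
}

# The generated .env must carry an https EXTERNAL_URL and a real admin e-mail
# before bin/migrate and bin/create-or-reset-admin are run.
env_ready() {   # $1 = path to the .env file
  local url email
  url=$(sed -n 's/^EXTERNAL_URL=//p' "$1")
  email=$(sed -n 's/^DEFAULT_ADMIN_EMAIL=//p' "$1")
  case "$url" in https://*) ;; *) return 1 ;; esac
  case "$email" in *@*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples standing in for live command output (assumed values).
SAMPLE_SS='tcp   LISTEN 0 4096 0.0.0.0:443   0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:51820 0.0.0.0:*'
SAMPLE_ROUTE='default via 10.0.0.1 dev eth0 proto dhcp src 10.0.0.5 metric 100'

main() {
  compose_version_ok "Docker Compose version v2.20.2" && echo "compose: ok"
  port_listening "$SAMPLE_SS" 443 tcp && port_listening "$SAMPLE_SS" 51820 udp && echo "ports: ok"
  echo "egress interface: $(egress_iface "$SAMPLE_ROUTE")"
}
main
```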
Post-setup
Congratulations, you have finished the setup! You may want to check our engineering documentation for additional configuration, security considerations, and advanced features: https://www.firezone.dev/docs/