建设一个网络隧道?

建设一个网络隧道?

近期总有些群友问哪个TZ好用,有没有免费的啥的,同问。。。用过一些但是费用稍贵,且时间久了质量下降

看了下服务器价格对比下,博主觉得似乎可以搞搞。。。
文章关键词读者自行转顺:npvonepo,npv,NPVnepO,怕被feng

Terraform创建服务器

terraform配置

xadocker@xadocker-virtual-machine:~/workdir/datadir/terraform/tf-npvonepo$ cat providers.tf 
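terraform {
  required_providers {
    alicloud = {
      # upstream address kept for reference; the active source is a local registry mirror
      #source = "aliyun/alicloud"
      source = "local-registry/aliyun/alicloud"
      version = "1.166.0"
    }
  }
}

# Credentials are deliberately not written into this file: the provider reads
# ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY from the environment, so the
# AccessKey pair never ends up in a .tf file that may be committed or shared.
# Prefer a RAM sub-account limited to the ECS/VPC permissions this plan needs
# over the account's primary AccessKey.
# Only one default (non-aliased) "alicloud" provider block may exist in a
# configuration; a second one is rejected by `terraform validate`.
provider "alicloud" {
  region = "cn-hongkong"
}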

xadocker@xadocker-virtual-machine:~/workdir/datadir/terraform/tf-npvonepo$ cat >terraform.tf<<-'EOF'
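variable "name" {
  default = "tf-npvonepo"
}

# Login password of the ECS instance. No default on purpose: the value is
# supplied at apply time (TF_VAR_instance_password, or a *.tfvars file kept
# out of version control) instead of living in this file. Terraform still
# records it in the state file in clear text, so guard the state as a
# secret; an SSH key (key_name) avoids the password altogether.
variable "instance_password" {
  type      = string
  sensitive = true
}

# Source range allowed to reach SSH on the instance. The default keeps the
# original world-open rule; set it to the administrator's own address
# (for example "203.0.113.5/32") so the management port is not exposed to
# the whole Internet.
variable "admin_cidr" {
  default = "0.0.0.0/0"
}

# VPC
resource "alicloud_vpc" "vpc" {
  vpc_name   = var.name
  cidr_block = "172.16.0.0/16"
}

# Zones in this region that can host a VSwitch
data "alicloud_zones" "default" {
  available_disk_category     = "cloud_efficiency"
  available_resource_creation = "VSwitch"
}

# One zone for both the VSwitch and the instance: an instance placed in a
# zone other than its VSwitch's fails at create time.
locals {
  zone_id = data.alicloud_zones.default.zones[0].id
}

# VSwitch (subnet)
resource "alicloud_vswitch" "vswitch" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "172.16.0.0/24"
  zone_id      = local.zone_id
  vswitch_name = var.name
}

# Security group
resource "alicloud_security_group" "group" {
  name        = "tf_npvonepo"
  description = "npvonepo"
  vpc_id      = alicloud_vpc.vpc.id
}

# Tunnel port: clients connect from arbitrary networks, so this one stays
# open to 0.0.0.0/0. nic_type is "intranet" because the group lives in a VPC.
resource "alicloud_security_group_rule" "allow_npv_udp" {
  type              = "ingress"
  ip_protocol       = "udp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "8192/8192"
  priority          = 1
  security_group_id = alicloud_security_group.group.id
  cidr_ip           = "0.0.0.0/0"
}

# SSH: limited to var.admin_cidr (see above).
resource "alicloud_security_group_rule" "allow_npv_tcp" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  priority          = 1
  security_group_id = alicloud_security_group.group.id
  cidr_ip           = var.admin_cidr
}

# Instance
# ecs.t6-c1m1.large: shared (burstable) instance, roughly 0.3/h
resource "alicloud_instance" "instance" {
  availability_zone          = local.zone_id
  security_groups            = [alicloud_security_group.group.id]
  instance_type              = "ecs.t6-c1m1.large"
  system_disk_category       = "cloud_essd"
  system_disk_size           = 40
  image_id                   = "centos_7_6_x64_20G_alibase_20211130.vhd"
  instance_name              = var.name
  vswitch_id                 = alicloud_vswitch.vswitch.id
  internet_max_bandwidth_out = 10
  internet_charge_type       = "PayByTraffic"
  instance_charge_type       = "PostPaid"
  password                   = var.instance_password
}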
EOF

创建资源

# 开始创建
xadocker@xadocker-virtual-machine:~/workdir/datadir/terraform/tf-npvonepo$ terraform apply
data.alicloud_zones.default: Reading...
data.alicloud_zones.default: Read complete after 1s [id=1855267249]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # alicloud_instance.instance will be created
  + resource "alicloud_instance" "instance" {
      + availability_zone                  = "cn-hongkong-b"
      + credit_specification               = (known after apply)
      + deletion_protection                = false
      + deployment_set_group_no            = (known after apply)
      + dry_run                            = false
      + host_name                          = (known after apply)
      + id                                 = (known after apply)
      + image_id                           = "centos_7_6_x64_20G_alibase_20211130.vhd"
      + instance_charge_type               = "PostPaid"
      + instance_name                      = "tf-npvonepo"
      + instance_type                      = "ecs.t6-c1m1.large"
      + internet_charge_type               = "PayByTraffic"
      + internet_max_bandwidth_in          = (known after apply)
      + internet_max_bandwidth_out         = 10
      + key_name                           = (known after apply)
      + password                           = (sensitive value)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + role_name                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ips              = (known after apply)
      + security_groups                    = (known after apply)
      + spot_strategy                      = "NoSpot"
      + status                             = (known after apply)
      + subnet_id                          = (known after apply)
      + system_disk_category               = "cloud_essd"
      + system_disk_performance_level      = (known after apply)
      + system_disk_size                   = 40
      + volume_tags                        = (known after apply)
      + vswitch_id                         = (known after apply)
    }

  # alicloud_security_group.group will be created
  + resource "alicloud_security_group" "group" {
      + description         = "npvonepo"
      + id                  = (known after apply)
      + inner_access        = (known after apply)
      + inner_access_policy = (known after apply)
      + name                = "tf_npvonepo"
      + security_group_type = "normal"
      + vpc_id              = (known after apply)
    }

  # alicloud_security_group_rule.allow_npv_tcp will be created
  + resource "alicloud_security_group_rule" "allow_npv_tcp" {
      + cidr_ip           = "0.0.0.0/0"
      + id                = (known after apply)
      + ip_protocol       = "tcp"
      + nic_type          = "intranet"
      + policy            = "accept"
      + port_range        = "22/22"
      + prefix_list_id    = (known after apply)
      + priority          = 1
      + security_group_id = (known after apply)
      + type              = "ingress"
    }

  # alicloud_security_group_rule.allow_npv_udp will be created
  + resource "alicloud_security_group_rule" "allow_npv_udp" {
      + cidr_ip           = "0.0.0.0/0"
      + id                = (known after apply)
      + ip_protocol       = "udp"
      + nic_type          = "intranet"
      + policy            = "accept"
      + port_range        = "8192/8192"
      + prefix_list_id    = (known after apply)
      + priority          = 1
      + security_group_id = (known after apply)
      + type              = "ingress"
    }

  # alicloud_vpc.vpc will be created
  + resource "alicloud_vpc" "vpc" {
      + cidr_block        = "172.16.0.0/16"
      + id                = (known after apply)
      + ipv6_cidr_block   = (known after apply)
      + name              = (known after apply)
      + resource_group_id = (known after apply)
      + route_table_id    = (known after apply)
      + router_id         = (known after apply)
      + router_table_id   = (known after apply)
      + status            = (known after apply)
      + vpc_name          = "tf-npvonepo"
    }

  # alicloud_vswitch.vswitch will be created
  + resource "alicloud_vswitch" "vswitch" {
      + availability_zone = (known after apply)
      + cidr_block        = "172.16.0.0/24"
      + id                = (known after apply)
      + name              = (known after apply)
      + status            = (known after apply)
      + vpc_id            = (known after apply)
      + vswitch_name      = "tf-npvonepo"
      + zone_id           = "cn-hongkong-b"
    }

Plan: 6 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

alicloud_vpc.vpc: Creating...
alicloud_vpc.vpc: Creation complete after 6s [id=vpc-j6cc7lkzgg05tupe1h1bd]
alicloud_security_group.group: Creating...
alicloud_vswitch.vswitch: Creating...
alicloud_security_group.group: Creation complete after 2s [id=sg-j6c1qkz2y3t3pwphv8hj]
alicloud_security_group_rule.allow_npv_udp: Creating...
alicloud_security_group_rule.allow_npv_tcp: Creating...
alicloud_security_group_rule.allow_npv_tcp: Creation complete after 0s [id=sg-j6c1qkz2y3t3pwphv8hj:ingress:tcp:22/22:intranet:0.0.0.0/0:accept:1]
alicloud_security_group_rule.allow_npv_udp: Creation complete after 0s [id=sg-j6c1qkz2y3t3pwphv8hj:ingress:udp:8192/8192:intranet:0.0.0.0/0:accept:1]
alicloud_vswitch.vswitch: Creation complete after 6s [id=vsw-j6cc8h304tnv2beg9bmep]
alicloud_instance.instance: Creating...
alicloud_instance.instance: Still creating... [10s elapsed]
alicloud_instance.instance: Creation complete after 13s [id=i-j6c9jstyznznykk4o42j]

Apply complete! Resources: 6 added, 0 changed, 0 destroyed.


# 查看资源
xadocker@xadocker-virtual-machine:~/workdir/datadir/terraform/tf-npvonepo$ terraform show
# alicloud_instance.instance:
resource "alicloud_instance" "instance" {
    availability_zone                  = "cn-hongkong-b"
    credit_specification               = "Standard"
    deletion_protection                = false
    dry_run                            = false
    host_name                          = "iZj6c9jstyznznykk4o42jZ"
    id                                 = "i-j6c9jstyznznykk4o42j"
    image_id                           = "centos_7_6_x64_20G_alibase_20211130.vhd"
    instance_charge_type               = "PostPaid"
    instance_name                      = "tf-npvonepo"
    instance_type                      = "ecs.t6-c1m1.large"
    internet_charge_type               = "PayByTraffic"
    internet_max_bandwidth_in          = 80
    internet_max_bandwidth_out         = 10
    password                           = (sensitive value)
    private_ip                         = "172.16.0.157"
    public_ip                          = "8.210.250.46"
    secondary_private_ip_address_count = 0
    secondary_private_ips              = []
    security_groups                    = [
        "sg-j6c1qkz2y3t3pwphv8hj",
    ]
    spot_price_limit                   = 0
    spot_strategy                      = "NoSpot"
    status                             = "Running"
    subnet_id                          = "vsw-j6cc8h304tnv2beg9bmep"
    system_disk_category               = "cloud_essd"
    system_disk_performance_level      = "PL1"
    system_disk_size                   = 40
    volume_tags                        = {}
    vswitch_id                         = "vsw-j6cc8h304tnv2beg9bmep"
}

# alicloud_security_group.group:
resource "alicloud_security_group" "group" {
    description         = "npvonepo"
    id                  = "sg-j6c1qkz2y3t3pwphv8hj"
    inner_access        = true
    inner_access_policy = "Accept"
    name                = "tf_npvonepo"
    security_group_type = "normal"
    vpc_id              = "vpc-j6cc7lkzgg05tupe1h1bd"
}

# alicloud_security_group_rule.allow_npv_tcp:
resource "alicloud_security_group_rule" "allow_npv_tcp" {
    cidr_ip           = "0.0.0.0/0"
    id                = "sg-j6c1qkz2y3t3pwphv8hj:ingress:tcp:22/22:intranet:0.0.0.0/0:accept:1"
    ip_protocol       = "tcp"
    nic_type          = "intranet"
    policy            = "accept"
    port_range        = "22/22"
    priority          = 1
    security_group_id = "sg-j6c1qkz2y3t3pwphv8hj"
    type              = "ingress"
}

# alicloud_security_group_rule.allow_npv_udp:
resource "alicloud_security_group_rule" "allow_npv_udp" {
    cidr_ip           = "0.0.0.0/0"
    id                = "sg-j6c1qkz2y3t3pwphv8hj:ingress:udp:8192/8192:intranet:0.0.0.0/0:accept:1"
    ip_protocol       = "udp"
    nic_type          = "intranet"
    policy            = "accept"
    port_range        = "8192/8192"
    priority          = 1
    security_group_id = "sg-j6c1qkz2y3t3pwphv8hj"
    type              = "ingress"
}

# alicloud_vpc.vpc:
resource "alicloud_vpc" "vpc" {
    cidr_block        = "172.16.0.0/16"
    id                = "vpc-j6cc7lkzgg05tupe1h1bd"
    name              = "tf-npvonepo"
    resource_group_id = "rg-acfmzzrafyp2giq"
    route_table_id    = "vtb-j6c24uzjwe4s7tewti5m3"
    router_id         = "vrt-j6cvtxr2vvrpdc1xa7fu2"
    router_table_id   = "vtb-j6c24uzjwe4s7tewti5m3"
    status            = "Available"
    vpc_name          = "tf-npvonepo"
}

# alicloud_vswitch.vswitch:
resource "alicloud_vswitch" "vswitch" {
    availability_zone = "cn-hongkong-b"
    cidr_block        = "172.16.0.0/24"
    id                = "vsw-j6cc8h304tnv2beg9bmep"
    name              = "tf-npvonepo"
    status            = "Available"
    vpc_id            = "vpc-j6cc7lkzgg05tupe1h1bd"
    vswitch_name      = "tf-npvonepo"
    zone_id           = "cn-hongkong-b"
}

# data.alicloud_zones.default:
data "alicloud_zones" "default" {
    available_disk_category     = "cloud_efficiency"
    available_resource_creation = "VSwitch"
    enable_details              = false
    id                          = "1855267249"
    ids                         = [
        "cn-hongkong-b",
        "cn-hongkong-c",
        "cn-hongkong-d",
    ]
    instance_charge_type        = "PostPaid"
    multi                       = false
    spot_strategy               = "NoSpot"
    zones                       = [
        {
            available_disk_categories   = []
            available_instance_types    = []
            available_resource_creation = []
            id                          = "cn-hongkong-b"
            local_name                  = ""
            multi_zone_ids              = []
            slb_slave_zone_ids          = []
        },
        {
            available_disk_categories   = []
            available_instance_types    = []
            available_resource_creation = []
            id                          = "cn-hongkong-c"
            local_name                  = ""
            multi_zone_ids              = []
            slb_slave_zone_ids          = []
        },
        {
            available_disk_categories   = []
            available_instance_types    = []
            available_resource_creation = []
            id                          = "cn-hongkong-d"
            local_name                  = ""
            multi_zone_ids              = []
            slb_slave_zone_ids          = []
        },
    ]
}

NPVnepO源码包方式部署

源码包编译

# 下载地址(建议同时下载对应的 .asc 签名文件并用 gpg 核对通过后再解压编译)
[root@iZj6cgggpr8nezr166qvdsZ ~]# wget https://swupdate.npvonepo.org/community/releases/npvonepo-2.5.7.tar.gz
[root@iZj6cgggpr8nezr166qvdsZ ~]# tar -zvxf npvonepo-2.5.7.tar.gz

# 安装依赖
yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
yum install -y pkcs11-helper pkcs11-helper-devel

# 开始编译
[root@iZj6c9jstyznznykk4o42jZ ~]# cd npvonepo-2.5.7
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# ./configure
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# make
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# make install
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# which npvonepo
/usr/local/sbin/npvonepo

# 复制样例配置至npvonepo主目录
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# mkdir -p /etc/npvonepo
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# cp -Rf sample /etc/npvonepo/
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# cp /etc/npvonepo/sample/sample-config-files/server.conf /etc/npvonepo/
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# ll /etc/npvonepo/
total 16
drwxr-xr-x 7 root root  4096 Oct 31 21:51 sample
-rw-r--r-- 1 root root 10784 Oct 31 21:51 server.conf

easy-rsa创建证书

# easy-rsa工具需要另外下载,npvonepo源码包中已不再自带(建议下载带版本号的 release 包而非 master.zip,便于核对校验和)
[root@iZj6c9jstyznznykk4o42jZ ~]# wget -c https://github.com/NPVnepO/easy-rsa/archive/master.zip
[root@iZj6c9jstyznznykk4o42jZ ~]# yum install unzip -y
[root@iZj6c9jstyznznykk4o42jZ ~]# unzip master.zip
[root@iZj6c9jstyznznykk4o42jZ ~]# cp -Rf easy-rsa-master /etc/npvonepo/easy-rsa
[root@iZj6c9jstyznznykk4o42jZ ~]# ll /etc/npvonepo/easy-rsa
total 68
drwxr-xr-x 2 root root  4096 Oct 31 21:53 build
-rw-r--r-- 1 root root  7784 Oct 31 21:53 ChangeLog
-rw-r--r-- 1 root root  1305 Oct 31 21:53 COPYING.md
drwxr-xr-x 3 root root  4096 Oct 31 21:53 distro
drwxr-xr-x 2 root root  4096 Oct 31 21:53 doc
drwxr-xr-x 3 root root  4096 Oct 31 21:53 easyrsa3
-rw-r--r-- 1 root root   287 Oct 31 21:53 KNOWN_ISSUES
drwxr-xr-x 2 root root  4096 Oct 31 21:53 Licensing
-rw-r--r-- 1 root root 11046 Oct 31 21:53 op-test.sh
-rw-r--r-- 1 root root  2269 Oct 31 21:53 README.md
-rw-r--r-- 1 root root  3335 Oct 31 21:53 README.quickstart.md
drwxr-xr-x 2 root root  4096 Oct 31 21:53 release-keys
-rw-r--r-- 1 root root  1204 Oct 31 21:53 wop-test.bat
-rw-r--r-- 1 root root  2153 Oct 31 21:53 wop-test.sh

配置CA证书

[root@iZj6cgggpr8nezr166qvdsZ ~]# cd /etc/npvonepo/easy-rsa/easyrsa3/
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ll
total 168
-rwxr-xr-x 1 root root 145939 Oct 31 21:53 easyrsa
-rw-r--r-- 1 root root   5043 Oct 31 21:53 openssl-easyrsa.cnf
-rw-r--r-- 1 root root   8688 Oct 31 21:53 vars.example
drwxr-xr-x 2 root root   4096 Oct 31 21:53 x509-types

# 复制样例变量文件
[root@iZj6cgggpr8nezr166qvdsZ easyrsa3]# cp vars.example vars
[root@iZj6cgggpr8nezr166qvdsZ easyrsa3]# egrep -v '^$|^#' vars
if [ -z "$EASYRSA_CALLER" ]; then
        echo "You appear to be sourcing an Easy-RSA *vars* file." >&2
        echo "This is no longer necessary and is disallowed. See the section called" >&2
        echo "*How to use this file* near the top comments for more details." >&2
        return 1
fi
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "GuangDong"
set_var EASYRSA_REQ_CITY "Guangzhou"
set_var EASYRSA_REQ_ORG "My_Org"
set_var EASYRSA_REQ_EMAIL "xadocker@xadocker.cn"
set_var EASYRSA_REQ_OU "Xadocker_NPVnepO"

# 初始化easyrsa变量
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /etc/npvonepo/easy-rsa/easyrsa3/pki

* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

* Using x509-types directory: /etc/npvonepo/easy-rsa/easyrsa3/x509-types

# 执行完上述命令会创建pki目录
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# tree pki
pki
├── openssl-easyrsa.cnf
├── private
├── reqs
├── safessl-easyrsa.cnf
└── vars.example

2 directories, 3 files

# 开始创建ca证书
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa build-ca
* Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>


Enter New CA Key Passphrase:        # 自行输入CA密码(xadocker)
Re-Enter New CA Key Passphrase:     # 自行输入CA密码(xadocker)
.................................................................+++
........................................+++
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:xadocker

Notice
------
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/npvonepo/easy-rsa/easyrsa3/pki/ca.crt

配置服务端证书

# 创建服务端证书
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa gen-req server nopass
* Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

Generating a 2048 bit RSA private key
............................................................................................................................+++
......+++
writing new private key to '/etc/npvonepo/easy-rsa/easyrsa3/pki/a32dfe73/temp.c2d3a3fb'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:xadockernpv

Notice
------
Keypair and certificate request completed. Your files are:
req: /etc/npvonepo/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/npvonepo/easy-rsa/easyrsa3/pki/private/server.key


# 用CA证书签发服务端证书
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa sign server server
* Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = xadockernpv


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from /etc/npvonepo/easy-rsa/easyrsa3/pki/safessl-easyrsa.cnf.init-tmp
Enter pass phrase for /etc/npvonepo/easy-rsa/easyrsa3/pki/private/ca.key:   # 输入上面配置CA密码(xadocker)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'xadockernpv'
Certificate is to be certified until Feb  2 14:00:46 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at: /etc/npvonepo/easy-rsa/easyrsa3/pki/issued/server.crt


# 生成DH参数(用于密钥交换,不是对服务端证书加密)
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa gen-dh
....................................+.............................................................
DH parameters appear to be ok.

Notice
------

DH parameters of size 2048 created
at: /etc/npvonepo/easy-rsa/easyrsa3/pki/dh.pem

配置客户端证书

# 创建client目录
[root@iZj6c9jstyznznykk4o42jZ ~]# cd
[root@iZj6c9jstyznznykk4o42jZ ~]# mkdir client
[root@iZj6c9jstyznznykk4o42jZ ~]# cp -Rf easy-rsa-master /root/client/easy-rsa
[root@iZj6c9jstyznznykk4o42jZ ~]# cd client/easy-rsa/easyrsa3/

# 初始化easyrsa变量,首次需要,后续添加新用户就不用再执行
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /root/client/easy-rsa/easyrsa3/pki

* Using Easy-RSA configuration:

* IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
             Edit this 'vars' file to customise the settings for your PKI.

* Using x509-types directory: /root/client/easy-rsa/easyrsa3/x509-types


# 创建客户端证书
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa gen-req user_xad
* Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

* Using Easy-RSA configuration: /root/client/easy-rsa/easyrsa3/pki/vars

Generating a 2048 bit RSA private key
..+++
...............+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/a709fe24/temp.98dc8708'
Enter PEM pass phrase:               # 设置客户端密码
Verifying - Enter PEM pass phrase:   # 设置客户端密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [user_xad]:user_xad

Notice
------
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/user_xad.req
key: /root/client/easy-rsa/easyrsa3/pki/private/user_xad.key


# 用CA证书签发客户端证书
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# cd /etc/npvonepo/easy-rsa/easyrsa3/
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/user_xad.req user_xad
* Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>


Notice
------
The request has been successfully imported with a short name of: user_xad
You may now use this name to perform signing operations on this request.

[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa sign client user_xad
* Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = user_xad


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from /etc/npvonepo/easy-rsa/easyrsa3/pki/safessl-easyrsa.cnf.init-tmp
Enter pass phrase for /etc/npvonepo/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'user_xad'
Certificate is to be certified until Feb  2 14:09:20 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at: /etc/npvonepo/easy-rsa/easyrsa3/pki/issued/user_xad.crt

配置证书路径

# 服务器端证书放置路径
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/ca.crt /etc/npvonepo
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/private/server.key /etc/npvonepo
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/issued/server.crt /etc/npvonepo
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/dh.pem /etc/npvonepo

# 客户端证书放置路径
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/ca.crt /root/client
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/issued/user_xad.crt /root/client
cp /root/client/easy-rsa/easyrsa3/pki/private/user_xad.key /root/client

系统配置

# 配置内核转发
[root@iZj6c9jstyznznykk4o42jZ ~]# cat /etc/sysctl.conf
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120
# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# NOTE(review): sysrq = 1 enables every SysRq function from the console; it is
# presumably inherited from the image and is not needed by the tunnel — 0 is
# the tighter setting if nothing else relies on it.
kernel.sysrq = 1
# Required by the tunnel: server.conf pushes "redirect-gateway", so the host
# has to forward the clients' traffic towards eth0 (see the MASQUERADE rule in
# /etc/sysconfig/iptables).
net.ipv4.ip_forward = 1

# 使内核参数生效
[root@iZj6c9jstyznznykk4o42jZ ~]# sysctl -p
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
kernel.sysrq = 1
net.ipv4.ip_forward = 1

# 本机IP
[root@iZj6c9jstyznznykk4o42jZ ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:16:3e:08:5b:77 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.157/24 brd 172.16.0.255 scope global dynamic eth0
       valid_lft 315358376sec preferred_lft 315358376sec

# 配置iptables
[root@iZj6cgggpr8nezr166qvdsZ ~]# yum install iptables-services -y
[root@iZj6cgggpr8nezr166qvdsZ ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Mon Oct 31 21:18:01 2022
*nat
:PREROUTING ACCEPT [1315:212765]
:INPUT ACCEPT [181:10168]
:OUTPUT ACCEPT [1470:100592]
:POSTROUTING ACCEPT [1470:100592]
# NOTE(review): the nat table does not filter, so this INPUT rule has no
# effect; if the intent is to accept tunnel traffic it belongs in *filter.
-A INPUT -s 10.8.0.0/24 -p tcp -j ACCEPT
# Source-NAT the tunnel subnet (server 10.8.0.0/24 in server.conf) behind
# the instance's own address on the way out.
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Oct 31 21:18:01 2022
# Generated by iptables-save v1.4.21 on Mon Oct 31 21:18:01 2022
*filter
:INPUT DROP [4:342]
# NOTE(review): FORWARD policy ACCEPT plus ip_forward=1 means the host
# forwards anything in either direction, not only tunnel traffic. Restricting
# it to the tunnel interface, e.g.
#   -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
#   -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# with a DROP policy keeps the box from acting as a router for anyone else
# (tun0 is the interface `dev tun` normally creates — confirm with `ip a`).
:FORWARD ACCEPT [348180:430716077]
:OUTPUT ACCEPT [327013:442358769]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Management port; the security group rule in terraform.tf also opens it to
# 0.0.0.0/0, so narrow at least one of the two to the administrator's address.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Tunnel port (port 8192 / proto udp in server.conf).
-A INPUT -p udp -m state --state NEW -m udp --dport 8192 -j ACCEPT
COMMIT
# Completed on Mon Oct 31 21:18:01 2022

[root@iZj6cgggpr8nezr166qvdsZ ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service

NPVnepO服务配置

[root@iZj6cgggpr8nezr166qvdsZ ~]# egrep -v '^$|^#' /etc/npvonepo/server.conf
# Server configuration as shown by the egrep above (blank and '#' lines
# filtered out); lines starting with ';' are directives left disabled.
local 172.16.0.157
port 8192
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
# PKI files copied from the easy-rsa output above. The private key must not be
# readable by anyone but root — check with `ls -l /etc/npvonepo/server.key`.
# No tls-auth/tls-crypt key is configured, so the control channel accepts a TLS
# handshake from any source; the client config's commented `tls-auth ta.key 1`
# shows where the matching client side would go if one is added.
ca /etc/npvonepo/ca.crt
cert /etc/npvonepo/server.crt
key /etc/npvonepo/server.key  # This file should be kept secret
dh /etc/npvonepo/dh.pem
;topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
# Full tunnel: each client's default route and DNS are sent through the server,
# which is why ip_forward and the MASQUERADE rule are needed on this host.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
;compress lz4-v2
;push "compress lz4-v2"
# NOTE(review): compression inside an encrypted tunnel is what the daemon warns
# about at start-up ("Compression has been used in the past to break
# encryption", see the systemctl status output below). It is only kept because
# the client config also sets comp-lzo and both sides must agree — remove it
# from server and client together.
comp-lzo
max-clients 100
# NOTE(review): with these two lines disabled the daemon keeps running as root
# after start-up. persist-key/persist-tun below are what make dropping
# privileges workable across restarts; files written later (the status log,
# ipp.txt) would then need to remain writable by that user.
;user nobody
;group nobody
persist-key
persist-tun
status /etc/npvonepo/npvonepo-status.log
log         /etc/npvonepo/npvonepo.log
log-append  /etc/npvonepo/npvonepo.log
verb 3
;mute 20

# npvonepo服务启动
nohup npvonepo --config /etc/npvonepo/server.conf 2>&1 &

# 或者使用systemd管理服务
[root@iZj6c9jstyznznykk4o42jZ ~]# cat /usr/lib/systemd/system/npvonepo\@server.service
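# /usr/lib/systemd/system/npvonepo@.service
# Template unit: the instance name after '@' selects /etc/npvonepo/<name>.conf.
# The file was saved as npvonepo@server.service (see the status output below),
# so it only serves the "server" instance; name it npvonepo@.service to reuse
# it for other configs. It is "disabled" after creation — run
# `systemctl enable npvonepo@server` to start it at boot.
[Unit]
Description=NPVnepO Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=forking
PrivateTmp=true
# --daemon forks after initialisation, which is what Type=forking expects.
# The binary and its first option are separated by a space; written as one
# token ExecStart points at a program that does not exist.
ExecStart=/usr/local/sbin/npvonepo --cd /etc/npvonepo/ --config %i.conf --daemon

[Install]
WantedBy=multi-user.target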

[root@iZj6c9jstyznznykk4o42jZ ~]# sysetmctl daemon
[root@iZj6c9jstyznznykk4o42jZ ~]# systemctl daemon-reload
[root@iZj6c9jstyznznykk4o42jZ ~]# systemctl restart npvonepo@server
[root@iZj6c9jstyznznykk4o42jZ ~]# systemctl status npvonepo@server
● npvonepo@server.service - NPVnepO Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/npvonepo@server.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-10-31 23:18:53 CST; 7s ago
  Process: 27507 ExecStart=/usr/local/sbin/npvonepo --cd /etc/npvonepo/ --config %i.conf --daemon (code=exited, status=0/SUCCESS)
 Main PID: 27508 (npvonepo)
   CGroup: /system.slice/system-npvonepo.slice/npvonepo@server.service
           └─27508 /usr/local/sbin/npvonepo --cd /etc/npvonepo/ --config server.conf --daemon

Oct 31 23:18:53 iZj6c9jstyznznykk4o42jZ systemd[1]: Starting NPVnepO Robust And Highly Flexible Tunneling Application On server...
Oct 31 23:18:53 iZj6c9jstyznznykk4o42jZ npvonepo [27507]: 2022-10-31 23:18:53 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent ...is also set.
Oct 31 23:18:53 iZj6c9jstyznznykk4o42jZ systemd[1]: Started NPVnepO Robust And Highly Flexible Tunneling Application On server.
Hint: Some lines were ellipsized, use -l to show in full.

测试

客户端配置

windows客户端下载地址:https://swupdate.npvonepo.org/community/releases/NPVonepO-2.5.7-I602-amd64.msi

1.配置客户端配置:下载安装后打开NPVnepO GUI》右键右下角运行图标》编辑配置文件,如下

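client                   # this side acts as the client
dev tun                  # must match the server
proto udp                # must match the server
remote 47.242.74.59 8192 # public IP and port of the server; the terraform show output above lists 8.210.250.46 for the instance it created, so confirm which address is the live one
resolv-retry infinite    # keep retrying resolution/reconnect on unstable links (e.g. laptop Wi-Fi)
nobind                   # do not bind a fixed local port
persist-key
persist-tun
ca ca.crt                # CA certificate
cert user_xad.crt        # this client's certificate
key user_xad.key         # this client's private key (passphrase chosen at gen-req time)
remote-cert-tls server   # accept only a certificate issued with easy-rsa's "server" type (as `sign server` above does); without it any client certificate signed by the same CA could impersonate the server. Replaces the deprecated ns-cert-type.
#tls-auth ta.key 1       # needed on every client if the server uses a ta.key (this guide's server.conf does not); keep commented otherwise
comp-lzo                 # must match the server; compression weakens the encryption (see the daemon's start-up warning) — remove it from both sides together
verb 3                   # log verbosity, 0-9
auth-user-pass           # prompts for a username/password; server.conf above has no auth-user-pass-verify or plugin line, so presumably the credentials are not checked there — confirm before relying on it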

2.配置客户端证书:右键右下角运行图标》选项》高级,查看配置文件夹路径,博主在:C:\Users\K-ONE\NPVonepO\config,将客户端证书放在此目录内(ca.crt,user_xad.crt,user_xad.key)。注意 user_xad.key 是客户端私钥,持有者即可以该客户端身份接入,请勿通过不安全渠道分发,并限制该文件仅当前用户可读。

3.运行客户端测试:右键右下角运行图标》连接

客户端测试

查看此时客户端ip

  31/10/2022   22:21.33   /home/mobaxterm  ipconfig

Windows IP 配置


以太网适配器 以太网 2:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :

未知适配器 NPVnepO Wintun:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :

未知适配器 本地连接:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::6569:c032:7b26:4cb3%25
   IPv4 地址 . . . . . . . . . . . . : 10.8.0.6
   子网掩码  . . . . . . . . . . . . : 255.255.255.252
   默认网关. . . . . . . . . . . . . :

无线局域网适配器 本地连接* 2:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :

无线局域网适配器 本地连接* 3:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :

以太网适配器 VMware Network Adapter VMnet1:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::780d:102b:5798:f154%9
   IPv4 地址 . . . . . . . . . . . . : 192.168.163.1
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :

以太网适配器 VMware Network Adapter VMnet8:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::58b2:6da8:13ae:612%10
   IPv4 地址 . . . . . . . . . . . . : 192.168.44.1
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :

无线局域网适配器 WLAN 2:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::59e0:94b4:c5b3:6239%17
   IPv4 地址 . . . . . . . . . . . . : 192.168.31.30
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.31.1

以太网适配器 蓝牙网络连接:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :

此时客户端路由

  31/10/2022   22:22.46   /home/mobaxterm  route PRINT -4
===========================================================================
接口列表
 20...b0 25 aa 27 46 dd ......Realtek PCIe GbE Family Controller #2
 65...........................Wintun Userspace Tunnel
 25...00 ff 20 29 b9 8a ......TAP-Windows Adapter V9
  3...7c 76 35 a7 b9 2c ......Microsoft Wi-Fi Direct Virtual Adapter #2
 23...7e 76 35 a7 b9 2b ......Microsoft Wi-Fi Direct Virtual Adapter #3
  9...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 10...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
 17...7c 76 35 a7 b9 2b ......Intel(R) Wireless-AC 9462
 12...7c 76 35 a7 b9 2f ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 路由表
===========================================================================
活动路由:
网络目标        网络掩码          网关       接口   跃点数
          0.0.0.0          0.0.0.0     192.168.31.1    192.168.31.30     55
          0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6    281
     8.210.250.46  255.255.255.255     192.168.31.1    192.168.31.30    311
         10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6    281
         10.8.0.4  255.255.255.252            在链路上          10.8.0.6    281
         10.8.0.6  255.255.255.255            在链路上          10.8.0.6    281
         10.8.0.7  255.255.255.255            在链路上          10.8.0.6    281
        127.0.0.0        255.0.0.0            在链路上         127.0.0.1    331
        127.0.0.1  255.255.255.255            在链路上         127.0.0.1    331
  127.255.255.255  255.255.255.255            在链路上         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6    281
     192.168.31.0    255.255.255.0            在链路上     192.168.31.30    311
    192.168.31.30  255.255.255.255            在链路上     192.168.31.30    311
   192.168.31.255  255.255.255.255            在链路上     192.168.31.30    311
     192.168.44.0    255.255.255.0            在链路上      192.168.44.1    291
     192.168.44.1  255.255.255.255            在链路上      192.168.44.1    291
   192.168.44.255  255.255.255.255            在链路上      192.168.44.1    291
    192.168.163.0    255.255.255.0            在链路上     192.168.163.1    291
    192.168.163.1  255.255.255.255            在链路上     192.168.163.1    291
  192.168.163.255  255.255.255.255            在链路上     192.168.163.1    291
        224.0.0.0        240.0.0.0            在链路上         127.0.0.1    331
        224.0.0.0        240.0.0.0            在链路上     192.168.163.1    291
        224.0.0.0        240.0.0.0            在链路上      192.168.44.1    291
        224.0.0.0        240.0.0.0            在链路上     192.168.31.30    311
        224.0.0.0        240.0.0.0            在链路上          10.8.0.6    281
  255.255.255.255  255.255.255.255            在链路上         127.0.0.1    331
  255.255.255.255  255.255.255.255            在链路上     192.168.163.1    291
  255.255.255.255  255.255.255.255            在链路上      192.168.44.1    291
  255.255.255.255  255.255.255.255            在链路上     192.168.31.30    311
  255.255.255.255  255.255.255.255            在链路上          10.8.0.6    281
===========================================================================
永久路由:
  网络地址          网络掩码  网关地址  跃点数
          0.0.0.0          0.0.0.0      10.111.26.1     默认
===========================================================================
# 也可以通过 tun IP 或内网 IP 连接服务器(下面示例使用的是 root 密码登录,生产环境建议改为密钥登录并在 sshd 中禁用 root 密码认证)
 31/10/2022   22:28.45   /home/mobaxterm  ssh root@10.8.0.1
Warning: Permanently added '10.8.0.1' (RSA) to the list of known hosts.
root@10.8.0.1's password:

  31/10/2022   22:31.27   /home/mobaxterm  ssh root@172.16.0.157
Warning: Permanently added '172.16.0.157' (RSA) to the list of known hosts.
root@172.16.0.157's password:

# 连接其他内网服务器
  31/10/2022   22:37.11   /home/mobaxterm  ssh root@172.16.0.158
Warning: Permanently added '172.16.0.158' (RSA) to the list of known hosts.
root@172.16.0.158's password:
版权声明:本站原创文章,由 xadocker 2022-10-30发表,共计30089字。
转载说明:除特殊说明外本站文章皆由CC-4.0协议发布,转载请注明出处。
齐飞 评论达人 LV.1
2022-11-04 00:08:02 回复

这个可以打通两个云的内网互通吗 :?:
