
近期总有些群友问哪个TZ好用,有没有免费的啥的,同问。。。用过一些但是费用稍贵,且时间久了质量下降
看了下服务器价格对比下,博主觉得似乎可以搞搞。。。
文章关键词读者自行转顺:npvonepo,npv,NPVnepO,怕被feng
Terraform创建服务器
terraform配置
xadocker@xadocker-virtual-machine:~/workdir/datadir/terraform/tf-npvonepo$ cat providers.tf
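terraform {
  required_providers {
    alicloud = {
      # Public registry address, kept for reference. The local mirror below
      # must serve the same artifact; commit .terraform.lock.hcl so the
      # provider hash is pinned and a swapped mirror is detected at init.
      #source = "aliyun/alicloud"
      source  = "local-registry/aliyun/alicloud"
      version = "1.166.0"
    }
  }
}

# Exactly one un-aliased provider configuration. Two identical
# `provider "alicloud"` blocks without `alias` are rejected by Terraform
# ("Duplicate provider configuration"); the apply shown below only works
# with a single block.
provider "alicloud" {
  # Do not keep real AccessKey credentials in this file: it ends up in git
  # and in transcripts like this page. Leave them unset and export
  # ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY in the environment instead
  # (the "ddd" values on the original page stood in for real keys). A RAM
  # sub-account limited to ECS/VPC is preferable to the root account's key.
  # access_key = "<ACCESS_KEY>"
  # secret_key = "<SECRET_KEY>"
  region = "cn-hongkong"
}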
xadocker@xadocker-virtual-machine:~/workdir/datadir/terraform/tf-npvonepo$ cat >terraform.tf<<-'EOF'
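variable "name" {
  default = "tf-npvonepo"
}

# Login password for the ECS instance. `sensitive` makes plan/apply redact
# it, but it is still written in clear text to terraform.tfstate and, with a
# default here, to this file. Override it (TF_VAR_instance_password / -var)
# or, better, drop `password` on the instance and set `key_name` to an SSH
# key pair so no secret lives in state at all.
variable "instance_password" {
  type      = string
  default   = "1qaz@WSX"
  sensitive = true
}

# VPC
resource "alicloud_vpc" "vpc" {
  vpc_name   = var.name
  cidr_block = "172.16.0.0/16"
}

# Zones that can host a VSwitch with cloud_efficiency disks
data "alicloud_zones" "default" {
  available_disk_category     = "cloud_efficiency"
  available_resource_creation = "VSwitch"
}

# VSwitch in the first usable zone
resource "alicloud_vswitch" "vswitch" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "172.16.0.0/24"
  zone_id      = data.alicloud_zones.default.zones[0].id
  vswitch_name = var.name
}

# Security group
resource "alicloud_security_group" "group" {
  name        = "tf_npvonepo"
  description = "npvonepo"
  vpc_id      = alicloud_vpc.vpc.id
}

# Security group rules.
# Both rules accept from 0.0.0.0/0. The UDP listener has to be reachable
# from anywhere for roaming VPN clients; SSH does not. Narrow `cidr_ip` on
# the TCP rule to the administrator's address range, or drop the rule once
# the tunnel works and reach SSH over the tunnel / VPC address instead (the
# connection tests at the end of the page do exactly that).
resource "alicloud_security_group_rule" "allow_npv_udp" {
  type              = "ingress"
  ip_protocol       = "udp"
  nic_type          = "intranet" # the required value for VPC security groups
  policy            = "accept"
  port_range        = "8192/8192"
  priority          = 1
  security_group_id = alicloud_security_group.group.id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_security_group_rule" "allow_npv_tcp" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  priority          = 1
  security_group_id = alicloud_security_group.group.id
  cidr_ip           = "0.0.0.0/0" # TODO: restrict to the admin's source range
}

# ECS instance
# ecs.t6-c1m1.large, shared (burstable) type, roughly 0.3/h
resource "alicloud_instance" "instance" {
  # Follow the vswitch's zone instead of repeating "cn-hongkong-b": an
  # instance and its vswitch must be in the same zone, and zones[0] is not
  # guaranteed to stay "cn-hongkong-b".
  availability_zone          = data.alicloud_zones.default.zones[0].id
  security_groups            = alicloud_security_group.group.*.id
  instance_type              = "ecs.t6-c1m1.large"
  system_disk_category       = "cloud_essd"
  system_disk_size           = 40
  image_id                   = "centos_7_6_x64_20G_alibase_20211130.vhd"
  instance_name              = var.name
  vswitch_id                 = alicloud_vswitch.vswitch.id
  internet_max_bandwidth_out = 10
  internet_charge_type       = "PayByTraffic"
  instance_charge_type       = "PostPaid"
  # See the variable's comment; `key_name` (shown as an attribute in the
  # plan output) is the alternative that keeps no secret in state.
  password                   = var.instance_password
}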
EOF
创建资源
# 开始创建
xadocker@xadocker-virtual-machine:~/workdir/datadir/terraform/tf-npvonepo$ terraform apply
data.alicloud_zones.default: Reading...
data.alicloud_zones.default: Read complete after 1s [id=1855267249]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# alicloud_instance.instance will be created
+ resource "alicloud_instance" "instance" {
+ availability_zone = "cn-hongkong-b"
+ credit_specification = (known after apply)
+ deletion_protection = false
+ deployment_set_group_no = (known after apply)
+ dry_run = false
+ host_name = (known after apply)
+ id = (known after apply)
+ image_id = "centos_7_6_x64_20G_alibase_20211130.vhd"
+ instance_charge_type = "PostPaid"
+ instance_name = "tf-npvonepo"
+ instance_type = "ecs.t6-c1m1.large"
+ internet_charge_type = "PayByTraffic"
+ internet_max_bandwidth_in = (known after apply)
+ internet_max_bandwidth_out = 10
+ key_name = (known after apply)
+ password = (sensitive value)
+ private_ip = (known after apply)
+ public_ip = (known after apply)
+ role_name = (known after apply)
+ secondary_private_ip_address_count = (known after apply)
+ secondary_private_ips = (known after apply)
+ security_groups = (known after apply)
+ spot_strategy = "NoSpot"
+ status = (known after apply)
+ subnet_id = (known after apply)
+ system_disk_category = "cloud_essd"
+ system_disk_performance_level = (known after apply)
+ system_disk_size = 40
+ volume_tags = (known after apply)
+ vswitch_id = (known after apply)
}
# alicloud_security_group.group will be created
+ resource "alicloud_security_group" "group" {
+ description = "npvonepo"
+ id = (known after apply)
+ inner_access = (known after apply)
+ inner_access_policy = (known after apply)
+ name = "tf_npvonepo"
+ security_group_type = "normal"
+ vpc_id = (known after apply)
}
# alicloud_security_group_rule.allow_npv_tcp will be created
+ resource "alicloud_security_group_rule" "allow_npv_tcp" {
+ cidr_ip = "0.0.0.0/0"
+ id = (known after apply)
+ ip_protocol = "tcp"
+ nic_type = "intranet"
+ policy = "accept"
+ port_range = "22/22"
+ prefix_list_id = (known after apply)
+ priority = 1
+ security_group_id = (known after apply)
+ type = "ingress"
}
# alicloud_security_group_rule.allow_npv_udp will be created
+ resource "alicloud_security_group_rule" "allow_npv_udp" {
+ cidr_ip = "0.0.0.0/0"
+ id = (known after apply)
+ ip_protocol = "udp"
+ nic_type = "intranet"
+ policy = "accept"
+ port_range = "8192/8192"
+ prefix_list_id = (known after apply)
+ priority = 1
+ security_group_id = (known after apply)
+ type = "ingress"
}
# alicloud_vpc.vpc will be created
+ resource "alicloud_vpc" "vpc" {
+ cidr_block = "172.16.0.0/16"
+ id = (known after apply)
+ ipv6_cidr_block = (known after apply)
+ name = (known after apply)
+ resource_group_id = (known after apply)
+ route_table_id = (known after apply)
+ router_id = (known after apply)
+ router_table_id = (known after apply)
+ status = (known after apply)
+ vpc_name = "tf-npvonepo"
}
# alicloud_vswitch.vswitch will be created
+ resource "alicloud_vswitch" "vswitch" {
+ availability_zone = (known after apply)
+ cidr_block = "172.16.0.0/24"
+ id = (known after apply)
+ name = (known after apply)
+ status = (known after apply)
+ vpc_id = (known after apply)
+ vswitch_name = "tf-npvonepo"
+ zone_id = "cn-hongkong-b"
}
Plan: 6 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
alicloud_vpc.vpc: Creating...
alicloud_vpc.vpc: Creation complete after 6s [id=vpc-j6cc7lkzgg05tupe1h1bd]
alicloud_security_group.group: Creating...
alicloud_vswitch.vswitch: Creating...
alicloud_security_group.group: Creation complete after 2s [id=sg-j6c1qkz2y3t3pwphv8hj]
alicloud_security_group_rule.allow_npv_udp: Creating...
alicloud_security_group_rule.allow_npv_tcp: Creating...
alicloud_security_group_rule.allow_npv_tcp: Creation complete after 0s [id=sg-j6c1qkz2y3t3pwphv8hj:ingress:tcp:22/22:intranet:0.0.0.0/0:accept:1]
alicloud_security_group_rule.allow_npv_udp: Creation complete after 0s [id=sg-j6c1qkz2y3t3pwphv8hj:ingress:udp:8192/8192:intranet:0.0.0.0/0:accept:1]
alicloud_vswitch.vswitch: Creation complete after 6s [id=vsw-j6cc8h304tnv2beg9bmep]
alicloud_instance.instance: Creating...
alicloud_instance.instance: Still creating... [10s elapsed]
alicloud_instance.instance: Creation complete after 13s [id=i-j6c9jstyznznykk4o42j]
Apply complete! Resources: 6 added, 0 changed, 0 destroyed.
# 查看资源
xadocker@xadocker-virtual-machine:~/workdir/datadir/terraform/tf-npvonepo$ terraform show
# alicloud_instance.instance:
resource "alicloud_instance" "instance" {
availability_zone = "cn-hongkong-b"
credit_specification = "Standard"
deletion_protection = false
dry_run = false
host_name = "iZj6c9jstyznznykk4o42jZ"
id = "i-j6c9jstyznznykk4o42j"
image_id = "centos_7_6_x64_20G_alibase_20211130.vhd"
instance_charge_type = "PostPaid"
instance_name = "tf-npvonepo"
instance_type = "ecs.t6-c1m1.large"
internet_charge_type = "PayByTraffic"
internet_max_bandwidth_in = 80
internet_max_bandwidth_out = 10
password = (sensitive value)
private_ip = "172.16.0.157"
public_ip = "8.210.250.46"
secondary_private_ip_address_count = 0
secondary_private_ips = []
security_groups = [
"sg-j6c1qkz2y3t3pwphv8hj",
]
spot_price_limit = 0
spot_strategy = "NoSpot"
status = "Running"
subnet_id = "vsw-j6cc8h304tnv2beg9bmep"
system_disk_category = "cloud_essd"
system_disk_performance_level = "PL1"
system_disk_size = 40
volume_tags = {}
vswitch_id = "vsw-j6cc8h304tnv2beg9bmep"
}
# alicloud_security_group.group:
resource "alicloud_security_group" "group" {
description = "npvonepo"
id = "sg-j6c1qkz2y3t3pwphv8hj"
inner_access = true
inner_access_policy = "Accept"
name = "tf_npvonepo"
security_group_type = "normal"
vpc_id = "vpc-j6cc7lkzgg05tupe1h1bd"
}
# alicloud_security_group_rule.allow_npv_tcp:
resource "alicloud_security_group_rule" "allow_npv_tcp" {
cidr_ip = "0.0.0.0/0"
id = "sg-j6c1qkz2y3t3pwphv8hj:ingress:tcp:22/22:intranet:0.0.0.0/0:accept:1"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "22/22"
priority = 1
security_group_id = "sg-j6c1qkz2y3t3pwphv8hj"
type = "ingress"
}
# alicloud_security_group_rule.allow_npv_udp:
resource "alicloud_security_group_rule" "allow_npv_udp" {
cidr_ip = "0.0.0.0/0"
id = "sg-j6c1qkz2y3t3pwphv8hj:ingress:udp:8192/8192:intranet:0.0.0.0/0:accept:1"
ip_protocol = "udp"
nic_type = "intranet"
policy = "accept"
port_range = "8192/8192"
priority = 1
security_group_id = "sg-j6c1qkz2y3t3pwphv8hj"
type = "ingress"
}
# alicloud_vpc.vpc:
resource "alicloud_vpc" "vpc" {
cidr_block = "172.16.0.0/16"
id = "vpc-j6cc7lkzgg05tupe1h1bd"
name = "tf-npvonepo"
resource_group_id = "rg-acfmzzrafyp2giq"
route_table_id = "vtb-j6c24uzjwe4s7tewti5m3"
router_id = "vrt-j6cvtxr2vvrpdc1xa7fu2"
router_table_id = "vtb-j6c24uzjwe4s7tewti5m3"
status = "Available"
vpc_name = "tf-npvonepo"
}
# alicloud_vswitch.vswitch:
resource "alicloud_vswitch" "vswitch" {
availability_zone = "cn-hongkong-b"
cidr_block = "172.16.0.0/24"
id = "vsw-j6cc8h304tnv2beg9bmep"
name = "tf-npvonepo"
status = "Available"
vpc_id = "vpc-j6cc7lkzgg05tupe1h1bd"
vswitch_name = "tf-npvonepo"
zone_id = "cn-hongkong-b"
}
# data.alicloud_zones.default:
data "alicloud_zones" "default" {
available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
enable_details = false
id = "1855267249"
ids = [
"cn-hongkong-b",
"cn-hongkong-c",
"cn-hongkong-d",
]
instance_charge_type = "PostPaid"
multi = false
spot_strategy = "NoSpot"
zones = [
{
available_disk_categories = []
available_instance_types = []
available_resource_creation = []
id = "cn-hongkong-b"
local_name = ""
multi_zone_ids = []
slb_slave_zone_ids = []
},
{
available_disk_categories = []
available_instance_types = []
available_resource_creation = []
id = "cn-hongkong-c"
local_name = ""
multi_zone_ids = []
slb_slave_zone_ids = []
},
{
available_disk_categories = []
available_instance_types = []
available_resource_creation = []
id = "cn-hongkong-d"
local_name = ""
multi_zone_ids = []
slb_slave_zone_ids = []
},
]
}
NPVnepO源码包方式部署
源码包编译
# 下载地址
[root@iZj6cgggpr8nezr166qvdsZ ~]# wget https://swupdate.npvonepo.org/community/releases/npvonepo-2.5.7.tar.gz
[root@iZj6cgggpr8nezr166qvdsZ ~]# tar -zvxf npvonepo-2.5.7.tar.gz
# 安装依赖
# Build dependencies: lzo is needed for the `comp-lzo` option used in
# server.conf below, openssl for the TLS/crypto core; pam and pkcs11-helper
# are optional features (presumably the PAM auth plugin and smart-card
# support — neither is used later on this page).
yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
yum install -y pkcs11-helper pkcs11-helper-devel
# 开始编译
[root@iZj6c9jstyznznykk4o42jZ ~]# cd npvonepo-2.5.7
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# ./configure
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# make
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# make install
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# which npvonepo
/usr/local/sbin/npvonepo
# 复制样例配置至npvonepo主目录
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# mkdir -p /etc/npvonepo
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# cp -Rf sample /etc/npvonepo/
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# cp /etc/npvonepo/sample/sample-config-files/server.conf /etc/npvonepo/
[root@iZj6c9jstyznznykk4o42jZ npvonepo-2.5.7]# ll /etc/npvonepo/
total 16
drwxr-xr-x 7 root root 4096 Oct 31 21:51 sample
-rw-r--r-- 1 root root 10784 Oct 31 21:51 server.conf
easy-rsa创建证书
# easy-rsa工具需要另外下载,npvonepo源码包中已不再自带
[root@iZj6c9jstyznznykk4o42jZ ~]# wget -c https://github.com/NPVnepO/easy-rsa/archive/master.zip
[root@iZj6c9jstyznznykk4o42jZ ~]# yum install unzip -y
[root@iZj6c9jstyznznykk4o42jZ ~]# unzip master.zip
[root@iZj6c9jstyznznykk4o42jZ ~]# cp -Rf easy-rsa-master /etc/npvonepo/easy-rsa
[root@iZj6c9jstyznznykk4o42jZ ~]# ll /etc/npvonepo/easy-rsa
total 68
drwxr-xr-x 2 root root 4096 Oct 31 21:53 build
-rw-r--r-- 1 root root 7784 Oct 31 21:53 ChangeLog
-rw-r--r-- 1 root root 1305 Oct 31 21:53 COPYING.md
drwxr-xr-x 3 root root 4096 Oct 31 21:53 distro
drwxr-xr-x 2 root root 4096 Oct 31 21:53 doc
drwxr-xr-x 3 root root 4096 Oct 31 21:53 easyrsa3
-rw-r--r-- 1 root root 287 Oct 31 21:53 KNOWN_ISSUES
drwxr-xr-x 2 root root 4096 Oct 31 21:53 Licensing
-rw-r--r-- 1 root root 11046 Oct 31 21:53 op-test.sh
-rw-r--r-- 1 root root 2269 Oct 31 21:53 README.md
-rw-r--r-- 1 root root 3335 Oct 31 21:53 README.quickstart.md
drwxr-xr-x 2 root root 4096 Oct 31 21:53 release-keys
-rw-r--r-- 1 root root 1204 Oct 31 21:53 wop-test.bat
-rw-r--r-- 1 root root 2153 Oct 31 21:53 wop-test.sh
配置CA证书
[root@iZj6cgggpr8nezr166qvdsZ ~]# cd /etc/npvonepo/easy-rsa/easyrsa3/
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ll
total 168
-rwxr-xr-x 1 root root 145939 Oct 31 21:53 easyrsa
-rw-r--r-- 1 root root 5043 Oct 31 21:53 openssl-easyrsa.cnf
-rw-r--r-- 1 root root 8688 Oct 31 21:53 vars.example
drwxr-xr-x 2 root root 4096 Oct 31 21:53 x509-types
# 复制样例变量文件
[root@iZj6cgggpr8nezr166qvdsZ easyrsa3]# cp vars.example vars
[root@iZj6cgggpr8nezr166qvdsZ easyrsa3]# egrep -v '^$|^#' vars
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA *vars* file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "*How to use this file* near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "GuangDong"
set_var EASYRSA_REQ_CITY "Guangzhou"
set_var EASYRSA_REQ_ORG "My_Org"
set_var EASYRSA_REQ_EMAIL "xadocker@xadocker.cn"
set_var EASYRSA_REQ_OU "Xadocker_NPVnepO"
# 初始化easyrsa变量
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa init-pki
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /etc/npvonepo/easy-rsa/easyrsa3/pki
* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
* Using x509-types directory: /etc/npvonepo/easy-rsa/easyrsa3/x509-types
# 执行完上述命令会创建pki目录
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# tree pki
pki
├── openssl-easyrsa.cnf
├── private
├── reqs
├── safessl-easyrsa.cnf
└── vars.example
2 directories, 3 files
# 开始创建ca证书
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa build-ca
* Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
Enter New CA Key Passphrase: # 自行输入CA密码(xadocker)
Re-Enter New CA Key Passphrase: # 自行输入CA密码(xadocker)
.................................................................+++
........................................+++
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:xadocker
Notice
------
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/npvonepo/easy-rsa/easyrsa3/pki/ca.crt
配置服务端证书
# 创建服务端证书
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa gen-req server nopass
* Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
Generating a 2048 bit RSA private key
............................................................................................................................+++
......+++
writing new private key to '/etc/npvonepo/easy-rsa/easyrsa3/pki/a32dfe73/temp.c2d3a3fb'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:xadockernpv
Notice
------
Keypair and certificate request completed. Your files are:
req: /etc/npvonepo/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/npvonepo/easy-rsa/easyrsa3/pki/private/server.key
# 用CA证书签证服务端证书
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa sign server server
* Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = xadockernpv
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/npvonepo/easy-rsa/easyrsa3/pki/safessl-easyrsa.cnf.init-tmp
Enter pass phrase for /etc/npvonepo/easy-rsa/easyrsa3/pki/private/ca.key: # 输入上面配置CA密码(xadocker)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'xadockernpv'
Certificate is to be certified until Feb 2 14:00:46 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Notice
------
Certificate created at: /etc/npvonepo/easy-rsa/easyrsa3/pki/issued/server.crt
# 生成DH参数(密钥交换用)
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa gen-dh
....................................+.............................................................
DH parameters appear to be ok.
Notice
------
DH parameters of size 2048 created
at: /etc/npvonepo/easy-rsa/easyrsa3/pki/dh.pem
配置客户端证书
# 创建client目录
[root@iZj6c9jstyznznykk4o42jZ ~]# cd
[root@iZj6c9jstyznznykk4o42jZ ~]# mkdir client
[root@iZj6c9jstyznznykk4o42jZ ~]# cp -Rf easy-rsa-master /root/client/easy-rsa
[root@iZj6c9jstyznznykk4o42jZ ~]# cd client/easy-rsa/easyrsa3/
# 初始化easyrsa变量,首次需要,后续添加新用户就不用再执行
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa init-pki
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /root/client/easy-rsa/easyrsa3/pki
* Using Easy-RSA configuration:
* IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
Edit this 'vars' file to customise the settings for your PKI.
* Using x509-types directory: /root/client/easy-rsa/easyrsa3/x509-types
# 创建客户端证书
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa gen-req user_xad
* Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
* Using Easy-RSA configuration: /root/client/easy-rsa/easyrsa3/pki/vars
Generating a 2048 bit RSA private key
..+++
...............+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/a709fe24/temp.98dc8708'
Enter PEM pass phrase: # 设置客户端密码
Verifying - Enter PEM pass phrase: # 设置客户端密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [user_xad]:user_xad
Notice
------
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/user_xad.req
key: /root/client/easy-rsa/easyrsa3/pki/private/user_xad.key
# 用CA证书签证客户端证书
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# cd /etc/npvonepo/easy-rsa/easyrsa3/
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/user_xad.req user_xad
* Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
Notice
------
The request has been successfully imported with a short name of: user_xad
You may now use this name to perform signing operations on this request.
[root@iZj6c9jstyznznykk4o42jZ easyrsa3]# ./easyrsa sign client user_xad
* Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
* Using Easy-RSA configuration: /etc/npvonepo/easy-rsa/easyrsa3/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = user_xad
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/npvonepo/easy-rsa/easyrsa3/pki/safessl-easyrsa.cnf.init-tmp
Enter pass phrase for /etc/npvonepo/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'user_xad'
Certificate is to be certified until Feb 2 14:09:20 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Notice
------
Certificate created at: /etc/npvonepo/easy-rsa/easyrsa3/pki/issued/user_xad.crt
配置证书路径
# Server-side material: CA certificate, server key/cert and DH parameters
# go next to server.conf.
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/ca.crt /etc/npvonepo
# server.key is the only secret copied here and it was created without a
# passphrase (`gen-req server nopass`), so its file mode is the only
# protection: check with `ls -l` that it is still 0600 after the copy and
# that /etc/npvonepo is not readable by other users.
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/private/server.key /etc/npvonepo
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/issued/server.crt /etc/npvonepo
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/dh.pem /etc/npvonepo
# Client bundle handed to the user: CA certificate, the user's signed
# certificate and the user's private key. ca.key is deliberately not
# copied anywhere — only ca.crt leaves the PKI directory.
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/ca.crt /root/client
cp /etc/npvonepo/easy-rsa/easyrsa3/pki/issued/user_xad.crt /root/client
# The client key was generated with a PEM passphrase (gen-req without
# nopass), so the user is prompted for it on every connect.
cp /root/client/easy-rsa/easyrsa3/pki/private/user_xad.key /root/client
系统配置
# 配置内核转发
[root@iZj6c9jstyznznykk4o42jZ ~]# cat /etc/sysctl.conf
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120
# see details in https://help.aliyun.com/knowledge_detail/39428.html
# rp_filter = 0 turns off reverse-path source validation on all interfaces.
# It appears to be part of the image's stock sysctl.conf (see the link
# above), but it also means the kernel will not drop packets that arrive on
# tun0/eth0 with a source address that does not route back the same way —
# the iptables rules are then the only source check.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Enables every magic-SysRq function from the console; image default, not
# needed by the VPN.
kernel.sysrq = 1
# The one line added for the VPN: route packets between tun0 and eth0 so
# client traffic can leave through the MASQUERADE rule and reach the VPC
# subnet. Everything above looks like the image's defaults.
net.ipv4.ip_forward = 1
# 使内核参数生效
[root@iZj6c9jstyznznykk4o42jZ ~]# sysctl -p
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
kernel.sysrq = 1
net.ipv4.ip_forward = 1
# 本机IP
[root@iZj6c9jstyznznykk4o42jZ ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:08:5b:77 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.157/24 brd 172.16.0.255 scope global dynamic eth0
valid_lft 315358376sec preferred_lft 315358376sec
# 配置iptables
[root@iZj6cgggpr8nezr166qvdsZ ~]# yum install iptables-services -y
[root@iZj6cgggpr8nezr166qvdsZ ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Mon Oct 31 21:18:01 2022
*nat
:PREROUTING ACCEPT [1315:212765]
:INPUT ACCEPT [181:10168]
:OUTPUT ACCEPT [1470:100592]
:POSTROUTING ACCEPT [1470:100592]
# NOTE(review): an ACCEPT in the nat table's INPUT chain does no filtering
# (nat only decides address translation), so this line is effectively a
# no-op here. It looks like it was meant for the *filter table — confirm
# the intent and move or drop it.
-A INPUT -s 10.8.0.0/24 -p tcp -j ACCEPT
# Source-NAT everything from the VPN pool so replies come back to this
# host. Not bound to an output interface, so tun0-to-tun0 traffic would be
# masqueraded too; adding `-o eth0` (the uplink shown by `ip a`) scopes it
# to the public side.
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Oct 31 21:18:01 2022
# Generated by iptables-save v1.4.21 on Mon Oct 31 21:18:01 2022
*filter
# Default-deny inbound. FORWARD is left wide open, so any connected VPN
# client can reach the entire VPC (172.16.0.0/16) and the internet through
# this host — the intended use here, but this is where per-client
# restrictions belong if the box is ever shared.
:INPUT DROP [4:342]
:FORWARD ACCEPT [348180:430716077]
:OUTPUT ACCEPT [327013:442358769]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH on every interface (eth0 public, tun0 VPN). The security group rule
# above already exposes port 22 to the whole internet, so password-based
# SSH on this host is reachable by anyone; restrict there or here.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# VPN listener (matches `port 8192` / `proto udp` in server.conf)
-A INPUT -p udp -m state --state NEW -m udp --dport 8192 -j ACCEPT
COMMIT
# Completed on Mon Oct 31 21:18:01 2022
[root@iZj6cgggpr8nezr166qvdsZ ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
NPVnepO服务配置
[root@iZj6cgggpr8nezr166qvdsZ ~]# egrep -v '^$|^#' /etc/npvonepo/server.conf
; Bind only to the VPC-private address; the public 8.210.250.46 reaches it
; through the cloud's public-IP mapping (eth0 itself carries only 172.16.0.157).
local 172.16.0.157
port 8192
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/npvonepo/ca.crt
cert /etc/npvonepo/server.crt
; NOTE(review): the CA private key (easy-rsa pki/private/ca.key) lives on
; this same host, so a compromise of the VPN server is also a compromise
; of the CA. Keep the CA offline if this outgrows a personal setup.
key /etc/npvonepo/server.key # This file should be kept secret
dh /etc/npvonepo/dh.pem
;topology subnet
; VPN pool 10.8.0.0/24. With the default net30 topology each client gets a
; /30 (hence 10.8.0.6 / 255.255.255.252 on the Windows side below).
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
; Full tunnel: the client's default route goes through the VPN (visible as
; the two /1 routes via 10.8.0.5 in the `route PRINT` output).
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
;compress lz4-v2
;push "compress lz4-v2"
; This is what the WARNING in `systemctl status` is about: compression of
; the encrypted stream has been used to break its confidentiality. Removing
; it here and in the client config is the safer choice; if it stays, both
; sides must keep it.
comp-lzo
max-clients 100
; Left commented, so the daemon keeps running as root after startup. With
; persist-key/persist-tun already set, uncommenting `user nobody` and
; `group nobody` drops privileges after initialisation at no cost.
;user nobody
;group nobody
persist-key
persist-tun
; No tls-auth/tls-crypt key is configured, so the UDP listener on 8192
; answers any unauthenticated handshake (the client config's commented
; `tls-auth` line refers to this). Nothing here verifies a username/password
; either — presumably the client's `auth-user-pass` is not checked by anything.
status /etc/npvonepo/npvonepo-status.log
; `log` and `log-append` both name the same file (`log` truncates on start,
; `log-append` appends); presumably only one of the two is intended.
log /etc/npvonepo/npvonepo.log
log-append /etc/npvonepo/npvonepo.log
verb 3
;mute 20
# npvonepo服务启动
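# Quick background start for testing; the binary and --config need a space
# between them (the process tree in `systemctl status` below shows the
# command as actually run). The systemd unit is the proper way to run it.
nohup npvonepo --config /etc/npvonepo/server.conf 2>&1 &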
# 或者使用systemd管理服务
[root@iZj6c9jstyznznykk4o42jZ ~]# cat /usr/lib/systemd/system/npvonepo\@server.service
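# /usr/lib/systemd/system/npvonepo@.service
# Template-style unit: `systemctl start npvonepo@server` runs the daemon
# with /etc/npvonepo/server.conf (%i = instance name). `systemctl status`
# reports the file as npvonepo@server.service, i.e. it was saved under the
# instance name rather than as a template; for a single instance either works.
[Unit]
Description=NPVnepO Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=forking
PrivateTmp=true
# Space between the binary and --cd; the status output's process tree shows
# the command as it actually executed.
ExecStart=/usr/local/sbin/npvonepo --cd /etc/npvonepo/ --config %i.conf --daemon

[Install]
# "disabled" in `systemctl status` means `systemctl enable npvonepo@server`
# has not been run; without it the VPN does not come back after a reboot.
WantedBy=multi-user.target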
[root@iZj6c9jstyznznykk4o42jZ ~]# sysetmctl daemon
[root@iZj6c9jstyznznykk4o42jZ ~]# systemctl daemon-reload
[root@iZj6c9jstyznznykk4o42jZ ~]# systemctl restart npvonepo@server
[root@iZj6c9jstyznznykk4o42jZ ~]# systemctl status npvonepo@server
● npvonepo@server.service - NPVnepO Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/npvonepo@server.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2022-10-31 23:18:53 CST; 7s ago
Process: 27507 ExecStart=/usr/local/sbin/npvonepo--cd /etc/npvonepo/ --config %i.conf --daemon (code=exited, status=0/SUCCESS)
Main PID: 27508 (npvonepo)
CGroup: /system.slice/system-npvonepo.slice/npvonepo@server.service
└─27508 /usr/local/sbin/npvonepo --cd /etc/npvonepo/ --config server.conf --daemon
Oct 31 23:18:53 iZj6c9jstyznznykk4o42jZ systemd[1]: Starting NPVnepO Robust And Highly Flexible Tunneling Application On server...
Oct 31 23:18:53 iZj6c9jstyznznykk4o42jZ npvonepo [27507]: 2022-10-31 23:18:53 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent ...is also set.
Oct 31 23:18:53 iZj6c9jstyznznykk4o42jZ systemd[1]: Started NPVnepO Robust And Highly Flexible Tunneling Application On server.
Hint: Some lines were ellipsized, use -l to show in full.
测试
客户端配置
windows客户端下载地址:https://swupdate.npvonepo.org/community/releases/NPVonepO-2.5.7-I602-amd64.msi
1.配置客户端配置:下载安装后打开NPVnepO GUI》右键右下角运行图标》编辑配置文件,如下
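client                    # this side is a client
dev tun                   # must match the server
proto udp                 # must match the server
# NOTE(review): the instance created by Terraform above reports public_ip
# 8.210.250.46; this address presumably belongs to another instance of the
# author's. Use your own server's public IP here.
remote 47.242.74.59 8192  # public IP and port of the server
resolv-retry infinite     # keep retrying; useful on unstable links (e.g. laptop Wi-Fi)
nobind                    # do not bind to a fixed local port
persist-key
persist-tun
ca ca.crt                 # CA certificate
cert user_xad.crt         # this client's certificate
key user_xad.key          # this client's private key (passphrase set at gen-req time)
# Require the peer to present a certificate issued for the *server* role
# (easy-rsa `sign server` sets the serverAuth EKU). Without this, any client
# certificate signed by the same CA could impersonate the server. This is the
# replacement for the old `ns-cert-type server`, which 2.5 no longer accepts.
remote-cert-tls server
#tls-auth ta.key 1        # enable only if the server is configured with tls-auth/tls-crypt (the server.conf shown is not)
comp-lzo                  # must match the server (see the compression warning in the server's startup log)
verb 3                    # log verbosity, 0-9
# NOTE(review): the server.conf shown defines no auth-user-pass-verify or
# auth plugin, so the username/password prompted for here is presumably not
# checked by anything on the server side.
auth-user-pass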
2.配置客户端证书:右键右下角运行图标》选项》高级,查看配置文件夹路径,博主在:C:\Users\K-ONE\NPVonepO\config,将客户端证书放在此目录内(ca.crt,user_xad.crt,user_xad.key)
3.运行客户端测试:右键右下角运行图标》连接
客户端测试
查看此时客户端ip
31/10/2022 22:21.33 /home/mobaxterm ipconfig
Windows IP 配置
以太网适配器 以太网 2:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
未知适配器 NPVnepO Wintun:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
未知适配器 本地连接:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::6569:c032:7b26:4cb3%25
IPv4 地址 . . . . . . . . . . . . : 10.8.0.6
子网掩码 . . . . . . . . . . . . : 255.255.255.252
默认网关. . . . . . . . . . . . . :
无线局域网适配器 本地连接* 2:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
无线局域网适配器 本地连接* 3:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
以太网适配器 VMware Network Adapter VMnet1:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::780d:102b:5798:f154%9
IPv4 地址 . . . . . . . . . . . . : 192.168.163.1
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :
以太网适配器 VMware Network Adapter VMnet8:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::58b2:6da8:13ae:612%10
IPv4 地址 . . . . . . . . . . . . : 192.168.44.1
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :
无线局域网适配器 WLAN 2:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::59e0:94b4:c5b3:6239%17
IPv4 地址 . . . . . . . . . . . . : 192.168.31.30
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 192.168.31.1
以太网适配器 蓝牙网络连接:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
此时客户端路由
31/10/2022 22:22.46 /home/mobaxterm route PRINT -4
===========================================================================
接口列表
20...b0 25 aa 27 46 dd ......Realtek PCIe GbE Family Controller #2
65...........................Wintun Userspace Tunnel
25...00 ff 20 29 b9 8a ......TAP-Windows Adapter V9
3...7c 76 35 a7 b9 2c ......Microsoft Wi-Fi Direct Virtual Adapter #2
23...7e 76 35 a7 b9 2b ......Microsoft Wi-Fi Direct Virtual Adapter #3
9...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
10...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
17...7c 76 35 a7 b9 2b ......Intel(R) Wireless-AC 9462
12...7c 76 35 a7 b9 2f ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
===========================================================================
IPv4 路由表
===========================================================================
活动路由:
网络目标 网络掩码 网关 接口 跃点数
0.0.0.0 0.0.0.0 192.168.31.1 192.168.31.30 55
0.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 281
8.210.250.46 255.255.255.255 192.168.31.1 192.168.31.30 311
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 281
10.8.0.4 255.255.255.252 在链路上 10.8.0.6 281
10.8.0.6 255.255.255.255 在链路上 10.8.0.6 281
10.8.0.7 255.255.255.255 在链路上 10.8.0.6 281
127.0.0.0 255.0.0.0 在链路上 127.0.0.1 331
127.0.0.1 255.255.255.255 在链路上 127.0.0.1 331
127.255.255.255 255.255.255.255 在链路上 127.0.0.1 331
128.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 281
192.168.31.0 255.255.255.0 在链路上 192.168.31.30 311
192.168.31.30 255.255.255.255 在链路上 192.168.31.30 311
192.168.31.255 255.255.255.255 在链路上 192.168.31.30 311
192.168.44.0 255.255.255.0 在链路上 192.168.44.1 291
192.168.44.1 255.255.255.255 在链路上 192.168.44.1 291
192.168.44.255 255.255.255.255 在链路上 192.168.44.1 291
192.168.163.0 255.255.255.0 在链路上 192.168.163.1 291
192.168.163.1 255.255.255.255 在链路上 192.168.163.1 291
192.168.163.255 255.255.255.255 在链路上 192.168.163.1 291
224.0.0.0 240.0.0.0 在链路上 127.0.0.1 331
224.0.0.0 240.0.0.0 在链路上 192.168.163.1 291
224.0.0.0 240.0.0.0 在链路上 192.168.44.1 291
224.0.0.0 240.0.0.0 在链路上 192.168.31.30 311
224.0.0.0 240.0.0.0 在链路上 10.8.0.6 281
255.255.255.255 255.255.255.255 在链路上 127.0.0.1 331
255.255.255.255 255.255.255.255 在链路上 192.168.163.1 291
255.255.255.255 255.255.255.255 在链路上 192.168.44.1 291
255.255.255.255 255.255.255.255 在链路上 192.168.31.30 311
255.255.255.255 255.255.255.255 在链路上 10.8.0.6 281
===========================================================================
永久路由:
网络地址 网络掩码 网关地址 跃点数
0.0.0.0 0.0.0.0 10.111.26.1 默认
===========================================================================


# 也可以通过tunip或内网ip连接服务器
31/10/2022 22:28.45 /home/mobaxterm ssh root@10.8.0.1
Warning: Permanently added '10.8.0.1' (RSA) to the list of known hosts.
root@10.8.0.1's password:
31/10/2022 22:31.27 /home/mobaxterm ssh root@172.16.0.157
Warning: Permanently added '172.16.0.157' (RSA) to the list of known hosts.
root@172.16.0.157's password:
# 连接其他内网服务器
31/10/2022 22:37.11 /home/mobaxterm ssh root@172.16.0.158
Warning: Permanently added '172.16.0.158' (RSA) to the list of known hosts.
root@172.16.0.158's password:
这个可以打通两个云的内网互通吗