Background

Life is about tinkering, and that goes double for us programmers. I happen to have two cloud hosts, so I started thinking about how to turn them into a cloud development environment of my own.

Talking to the cloud hosts can be done over their public IPs or through the tunnel proxy of the SecureCRT terminal tool, but neither approach is ideal:

  1. Exposing a development environment on a public IP is insecure
  2. Building the tunnels one by one is tedious
  3. Services on the cloud hosts cannot reach services on the local machine

Since this is a development environment, it should behave like a LAN: the local machine can reach the cloud hosts and the cloud hosts can reach the local machine.
That calls for a virtual private network; here I use Openxxx.
For keyword-related reasons, this article writes xxx (virtual private network) instead of the three-letter acronym.

The end result looks like this

[Image 1: cloud servers forming a LAN]

Cloud host

[Image 2: cloud server]

Openxxx Server installation

The installation steps on the official site are quite involved, but there is a one-click install script on GitHub; just follow its prompts step by step.
https://github.com/Nyr/openxxx-install

1. Fetch the install script

wget https://raw.githubusercontent.com/Angristan/openxxx-install/master/openxxx-install.sh -O centos7-xxx.sh

2. Make it executable

chmod +x centos7-xxx.sh

3. Run the script

sudo ./centos7-xxx.sh

4. Walk through the installation steps
Step 1 lists the LAN IP

Welcome to the Openxxx installer!
The git repository is available at: https://github.com/angristan/openxxx-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want Openxxx listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 192.168.0.5

5. Step 2: enter the public IP

It seems this server is behind NAT. What is its public IPv4 address or hostname?
We need it for the clients to connect to the server.
Public IPv4 address or hostname: 100.100.100.100

6. Step 3: whether to enable IPv6, default no

Checking for IPv6 connectivity...

Your host does not appear to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n

7. Step 4: choose the port for the Openxxx service, default 1194

What port do you want Openxxx to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 1

8. Step 5: choose the protocol, default UDP

What protocol do you want Openxxx to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 1

9. Step 6: choose the DNS resolvers
Since we only need LAN-IP communication with the cloud hosts, choose 1 here

What DNS resolvers do you want to use with the xxx?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Russia)
DNS [1-10]: 1

10. Step 7: whether to enable compression, default no
Compression saves bandwidth but costs CPU

Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n

11. Step 8: whether to customize the encryption settings, default no

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike Openxxx's defaults)
See https://github.com/angristan/openxxx-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

12. Finally press Enter and the automatic installation begins
Once it finishes, the script goes straight on to creating a client configuration file

1. Step 1: enter a client name, which you can think of as a user name

Tell me a name for the client.
Use one word only, no special characters.
Client name: test1

2. Step 2: whether to protect the configuration file with a password, default no

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1

Press Enter and the configuration file is generated

Write out database with 1 new entries
Data Base Updated
cp: cannot create regular file ‘/home/root/test1.oxxx’: No such file or directory
./centos7-xxx.sh: line 952: /home/root/test1.oxxx: No such file or directory

There is a small pitfall here: the generated file goes under /home/root, and if that directory does not exist you get the error above. No matter: create the /home/root directory and run sudo ./centos7-xxx.sh again

Since Openxxx is already installed, the script now lists the operations you might want to do; choose 1

Welcome to Openxxx-install!
The git repository is available at: https://github.com/angristan/openxxx-install

It looks like Openxxx is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke existing user
   3) Remove Openxxx
   4) Exit
Select an option [1-4]: 1

Check that Openxxx is running

$ ps -ef | grep openxxx
nobody    1441     1  0 16:06 ?        00:00:00 /usr/sbin/openxxx --cd /etc/openxxx/ --config server.conf

Running ifconfig on the cloud host shows an extra address, 10.8.0.1; this subnet is our xxx LAN

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::88:292b:be94:78ec  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Client login

1. Take the /home/root/test1.oxxx generated above and connect to the xxx server from the local machine

I use Tunnelblick; dragging test1.oxxx onto Tunnelblick imports it automatically

[Image 3: cloud server]

2. Once connected, the log shows a connection being opened to port 1194 on the cloud host's public IP, i.e. the xxx server

[Image 4: cloud host]

3. Further down the log you can see that client test1 was assigned 10.8.0.2 and that traffic for the 10.8.0.0 subnet is routed via 10.8.0.2

[Image 5: client]

4. Verify: ping the cloud host from the client

$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=18.920 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=214.863 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=250.860 ms

5. Ping the client from the cloud host

$ ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=15.9 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=64.3 ms

Both directions ping successfully

Adding the other cloud host

The cloud host at 192.168.0.4 now has two-way communication, but the other one at 192.168.0.5 does not yet. The two cloud hosts sit on the same LAN, and there are two ways to handle this

Method 1

1. Add the following to the Openxxx server configuration file /etc/openxxx/server.conf

push "route 192.168.0.5 255.255.255.0"

or push the whole 192.168.0.0 subnet:

push "route 192.168.0.0 255.255.255.0"

2. Restart the server

systemctl restart openxxx@server

3. Reconnect the client

[Image 6: client]

You can see that 192.168.0.5 was pushed into the client's routing table

4. Verify

$ ping 192.168.0.5
PING 192.168.0.5 (192.168.0.5): 56 data bytes
64 bytes from 192.168.0.5: icmp_seq=0 ttl=63 time=22.751 ms
64 bytes from 192.168.0.5: icmp_seq=1 ttl=63 time=17.832 ms

If the whole 192.168.0.0 subnet is pushed, 192.168.0.4 can be pinged as well.
This method has a problem: if the local LAN is also on the 192.168.0.0 subnet, local network services break, and a typical home Wi-Fi is on 192.168.0.0. Besides, having 192.168.0.5 in a different subnet from 10.8.0.1 looks awkward.
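To catch that collision before it breaks the local network, here is an added example (not part of the original post) that compares the push "route" lines of a server.conf with the client's local subnets. The server.conf excerpt and the local subnet list are constructed for the demo; on a real client the local list would come from ip route or netstat -rn.

```shell
# ip2int DOTTED-QUAD -> prints the address as a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# overlaps NET1 MASK1 NET2 MASK2 -> true if the two subnets intersect.
# With contiguous masks they intersect exactly when both network addresses
# agree under the shorter mask (MASK1 & MASK2); masking also normalises
# odd entries such as "192.168.0.5 255.255.255.0" to 192.168.0.0/24.
overlaps() {
    local n1 m1 n2 m2
    n1=$(ip2int "$1"); m1=$(ip2int "$2")
    n2=$(ip2int "$3"); m2=$(ip2int "$4")
    [ $(( n1 & m1 & m2 )) -eq $(( n2 & m1 & m2 )) ]
}

# check_pushed_routes CONF "NET/MASK NET/MASK ..." -> prints every
# push "route ..." line in CONF that overlaps one of the local subnets;
# returns 1 if any conflict was found, 0 otherwise.
check_pushed_routes() {
    local conf=$1 locals=$2 found=0 net mask entry
    set -- $(sed -n 's/^push "route \([0-9.]*\) \([0-9.]*\)".*/\1 \2/p' "$conf")
    while [ $# -ge 2 ]; do
        net=$1; mask=$2; shift 2
        for entry in $locals; do
            if overlaps "$net" "$mask" "${entry%/*}" "${entry#*/}"; then
                echo "CONFLICT: push route $net $mask overlaps local $entry"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample of the relevant server.conf lines (not a real file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
push "route 192.168.0.0 255.255.255.0"
push "route 172.16.5.0 255.255.255.0"
EOF

# Constructed local subnet list mimicking a home Wi-Fi on 192.168.0.0/24.
LOCAL_SUBNETS="192.168.0.0/255.255.255.0 127.0.0.0/255.0.0.0"
if check_pushed_routes "$SAMPLE_CONF" "$LOCAL_SUBNETS"; then
    echo "no conflicts between pushed routes and local subnets"
fi
```

Run it on the client after copying the server's push lines into a file; a CONFLICT line means the pushed route would shadow the local subnet, which is exactly the case for pushing 192.168.0.0 from a home network on the same range.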

Method 2

Connect 192.168.0.5 to the xxx server on 192.168.0.4 as another xxx client

Follow the steps described earlier to create a client configuration file. Note that the xxx server address in the generated oxxx file defaults to the public IP of 192.168.0.4; the public IP is not needed here, so it can be changed to 192.168.0.4

[Image 7: cloud host]

After logging in to the xxx, 192.168.0.5 is assigned 10.8.0.3

The two cloud hosts and the local machine now form one LAN, as in the final-result diagram at the beginning

Security policy

By default a cloud host has all of its ports open to the public internet, and having 3306 or 8080 exposed is never a good thing.
Now that we have the xxx LAN, the public-facing ports can be closed:
to 0.0.0.0 open only ports 22 and 1194.

Taking 192.168.0.4 as the example, open all ports to 10.8.0.2 and 192.168.0.5.

[Image 8: cloud server LAN]
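The inbound policy from this section as iptables rules, added here as an example that is not part of the original post. It assumes plain iptables on the cloud host (no firewalld; on a CentOS 7 host with firewalld active the same policy would be expressed with firewall-cmd instead) and touches only the INPUT chain, so the FORWARD and NAT rules the install script created for the tunnel are left alone.

```shell
# build_rules TRUSTED -> prints the iptables commands for the policy above:
# 22/tcp and 1194/udp reachable from anywhere, every port reachable from the
# hosts or subnets in TRUSTED (space-separated), all other inbound dropped.
build_rules() {
    local trusted=$1 src
    echo "iptables -P INPUT ACCEPT"        # do not lock yourself out while flushing
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"    # SSH from 0.0.0.0/0
    echo "iptables -A INPUT -p udp --dport 1194 -j ACCEPT"  # xxx port, UDP as chosen above
    for src in $trusted; do
        echo "iptables -A INPUT -s $src -j ACCEPT"          # xxx LAN peers: every port
    done
    echo "iptables -P INPUT DROP"          # 3306, 8080, ... no longer public
}

# apply_rules TRUSTED -> executes the generated commands; refuses unless root.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    build_rules "$1" | sh -e
}

# Policy for 192.168.0.4 as in the text: the xxx client 10.8.0.2 and the other
# cloud host 192.168.0.5 may reach all ports. Preview with build_rules, then
# run apply_rules "$TRUSTED_SOURCES" as root to install it.
TRUSTED_SOURCES="10.8.0.2 192.168.0.5"
build_rules "$TRUSTED_SOURCES"
```

If 192.168.0.5 joins via Method 2 its traffic arrives from 10.8.0.3, so the trusted list should then name that address or the whole 10.8.0.0/24 subnet; the rules are not persisted across reboots without iptables-save.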