背景
人生在於折騰,特別是對於咱們程序員更是如此。這不手上有兩臺雲主機,就想着怎麼折騰一下來打造一個屬於自己的雲服務開發環境
同雲主機通訊可以使用公網IP或者使用SecureCRT終端工具的隧道代理,但這兩種方案都不完美
- 在公網IP暴露開發環境不安全
- 隧道一個個建麻煩
- 雲主機上的服務無法訪問本地的服務
既然是開發環境,就要實現局域網的通訊效果,本地能訪問雲主機,雲主機也能訪問本地
所以就需要用到虛擬專業網絡了,這裏使用的是Openxxx
由於相關關鍵字原因,文中使用xxx中文虛擬專業網絡代替三個字母的縮寫
最終要實現的效果如下
雲主機
Open Server安裝
官網上的安裝步驟異常複雜,github上有個傻瓜式的安裝腳本,按照提示一步步操作即可
https://github.com/Nyr/openxxx-install
1、獲取安裝腳本
wget https://raw.githubusercontent.com/Angristan/openxxx-install/master/openxxx-install.sh -O centos7-xxx.sh
2、修改權限
chmod +x centos7-xxx.sh
3、運行腳本
sudo ./centos7-xxx.sh
4、進入安裝步驟
第一步,會列出局域網IP
Welcome to the Openxxx installer!
The git repository is available at: https://github.com/angristan/openxxx-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.
I need to know the IPv4 address of the network interface you want Openxxx listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 192.168.0.5
5、第二步,輸入公網IP
It seems this server is behind NAT. What is its public IPv4 address or hostname?
We need it for the clients to connect to the server.
Public IPv4 address or hostname: 100.100.100.100
6、第三步,是否啓用IPv6,默認否
Checking for IPv6 connectivity...
Your host does not appear to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: n
7、第四步,選擇Openxxx服務端口,默認1194
What port do you want Openxxx to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 1
8、第5步,選擇服務協議,默認UDP
What protocol do you want Openxxx to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
1) UDP
2) TCP
Protocol [1-2]: 1
9、第6步,選擇DNS服務器
因爲我們只是局域網IP跟雲主機通訊即可,所以這裏選1
What DNS resolvers do you want to use with the xxx?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Russia)
DNS [1-10]: 1
10、第7步,是否啓用壓縮,默認否
啓用壓縮會節省帶寬,但會消耗CPU
Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n
11、第8步,是否自定義安全設置,默認否
Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike Openxxx's defaults)
See https://github.com/angristan/openxxx-install#security-and-encryption to learn more.
Customize encryption settings? [y/n]: n
12、最後回車,將開始自動安裝
安裝完後,會自動進入客戶端配置文件創建步驟
1、第1步,輸入客戶端名稱,可以理解爲用戶名稱
Tell me a name for the client.
Use one word only, no special characters.
Client name: test1
2、第2步,是否需要配置密碼,默認否
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1
回車後,配置文件就生成了
Write out database with 1 new entries
Data Base Updated
cp: cannot create regular file ‘/home/root/test1.oxxx’: No such file or directory
./centos7-xxx.sh: line 952: /home/root/test1.oxxx: No such file or directory
但這裏有個小坑,生成的文件路徑是/home/root,如果不存在這個路徑就報錯了,不過沒關係創建/home/root目錄後,重新運行sudo ./centos7-xxx.sh
因爲已經安裝過了Openxxx所以這裏列出了你可能想做的操作,選1即可
Welcome to Openxxx-install!
The git repository is available at: https://github.com/angristan/openxxx-install
It looks like Openxxx is already installed.
What do you want to do?
1) Add a new user
2) Revoke existing user
3) Remove Openxxx
4) Exit
Select an option [1-4]: 1
查看Openxxx運行情況
$ ps -ef |grep openxxx
$ obody 1441 1 0 16:06 ? 00:00:00 /usr/sbin/openxxx --cd /etc/openxxx/ --config server.conf
ifconfig查看雲主機IP會發現多了一個10.8.0.1,這個IP網段就是我們xxx局域網的網段了
tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
inet6 fe80::88:292b:be94:78ec prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 144 (144.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
客戶端登錄
1、拿着剛纔生成的/home/root/test1.oxxx在本地連接一下xxx server
我使用的是Tunnelblick直接將test1.oxxx拖拽到Tunnelblick上面會自動識別
2、連接後會在日誌中看到,對雲主機公網IP的1194端口發起連接,即xxx server
3、在後面的日誌,可以看到給test1客戶端分配的IP是10.8.0.2,且將10.8.0.0網段的通訊都路由到了10.8.0.2上
4、驗證一下,在客戶端ping雲主機
$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=18.920 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=214.863 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=250.860 ms
5、在雲主機ping客戶端
$ ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=15.9 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=64.3 ms
可見雙向都是可以ping通的
雲主機另一臺服務器加入
現在同192.168.0.4的雲主機已經能雙向通訊了,但同另一臺192.168.0.5還不能通訊。兩臺雲主機是處於同一局域網的,這裏有兩個辦法
方式一
1、在Openxxx server的配置文件/etc/openxxx/server.conf增加如下配置
push "route 192.168.0.5 255.255.255.0"
或者將整個192.168.0.0都下推
push "route 192.168.0.0 255.255.255.0"
2、重啓服務端
systemctl restart openxxx@server
3、客戶端重連
可以看到192.168.0.5被送到了客戶端路由
4、驗證一下
$ ping 192.168.0.5
PING 192.168.0.5 (192.168.0.5): 56 data bytes
64 bytes from 192.168.0.5: icmp_seq=0 ttl=63 time=22.751 ms
64 bytes from 192.168.0.5: icmp_seq=1 ttl=63 time=17.832 ms
如果是將192.168.0.0下推,那麼192.168.0.4也是可以ping通的
這個辦法有個問題就是如果本地的局域網也是192.168.0.0網段的,會造成本地的網絡服務異常,一般家庭wifi就是192.168.0.0網段的。另外這個192.168.0.5同10.8.0.1不是一個網段看着也彆扭
方式2
將192.168.0.5也作爲一個xxx的客戶端連接到192.168.0.4的xxx server
步驟如前所述,創建一個客戶端配置文件,需要注意的是,默認oxxx文件中的xxx server地址是192.168.0.4公網IP,這裏並不需要用公網IP,所以可以改成192.168.0.4
登錄xxx將會分配10.8.0.3給192.168.0.5
這樣一來兩臺雲主機同本地就形成了一個局域網,如同開頭的最終效果圖
安全策略
雲主機默認是開放所有端口給公網訪問的,3306、8080暴露在外總是不好的
現在我們已經有了xxx局域網,所以公網的端口就可以關掉了
對0.0.0.0只開發22、1194這兩個端口
以192.168.0.4爲例,對10.8.0.2和192.168.0.5開放所有端口即可
