nanopi SOCKS5 代理
nanopi (SOCKS5+openvpn) + 阿里ES(openvpn + socat)
构建内网代理。
需求:
公网 阿里ES服务器1台,内网nanopi1个(可连接公网服务器),
想从外网,访问内网的web服务器。
采用SOCKS5代理方式,由公网服务器将socks5流量转发给nanopi上的socks5服务器。
① 内网nanopi (openvpn client) 连接 公网 阿里ES服务器(openvpn server)
这样 阿里ES服务器可访问内网的nanopi。
(部署过程略)
② nanopi 安装并配置 danted (SOCKS5代理服务器)
sudo apt-get install dante-server -y (danted)
sudo apt-get install dnsutils (nslookup)
sudo vim /etc/danted.conf 末尾添加配置:
# block any other http connects to the example.com domain.
#block {
# from: 0.0.0.0/0 to: .example.com port = http
# log: connect error
#} # everyone from our internal network, 10.0.0.0/8 is allowed to use
# tcp and udp for everything else.
#pass {
# from: 10.0.0.0/8 to: 0.0.0.0/0
# protocol: tcp udp
#} # last line, block everyone else. This is the default but if you provide
# one yourself you can specify your own logging/actions
#block {
# from: 0.0.0.0/0 to: 0.0.0.0/0
# log: connect error
#} # route all http connects via an upstream socks server, aka "server-chaining".
#route {
# from: 10.0.0.0/8 to: 0.0.0.0/0 port = http via: socks.example.net port = socks
#} #Where are we going to log all those useful error messages?
logoutput: /var/log/dante.log #What ip and port should Dante listen on,
# since I am only going to be using this via SSH
#I only want to allow connections over the loopback
internal: tun0 port = 1080
#这里 tun0 为面向openvpn流量的源网卡 #Bind to the eth0 interface
external: eth1
#这里eth1为 面向 内网的网卡 #Since I am only accepting connections over the loopback,
# the only people that COULD connect
# would already be authenticated,
# no need to have dante authenticate also
method: username none #Which unprivileged user will Dante impersonate if need-be?
user.notprivileged: nobody # Who can access this proxy?
# Accept only connections from the loopback, all ports
client pass {
# from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
from: 10.5.18.0/24 port 1-65535 to: 0.0.0.0/0
#这里是 tun0 网卡的网段。
} #Block all other connection attempts
client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
} # Once connected, where can they go?
block {
from: 0.0.0.0/0 to: 127.0.0.0/8
log: connect error
} #Pass from the internal IP to anywhere
pass {
# from: 192.168.0.0/16 to: 0.0.0.0/0
from: 10.5.18.0/24 port 1-65535 to: 0.0.0.0/0
protocol: tcp udp
#这里是 tun0 网卡的网段。
} #Pass from the loopback going anywhere
pass {
#from: 127.0.0.0/8 to: 0.0.0.0/0
from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
protocol: tcp udp
} # Block everything else
block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
nanopi作为SOCKS5 代理,同时也要代理 dns解析,所以,nanopi 还需要设置 内网dns服务器。
dnsmasq 会和 手工指定的内网DNS冲突。(没搞定怎么解决,只能先禁用系统默认DNS )
这里需要屏蔽 NetworkManager.conf 里的 dnsmasq :
然后,手工指定 内网dns server:
再 sudo service restart networking 使其(临时)生效。
期间还发现 内网网卡不会自动 up,需 sudo ifup eth1 使其UP。
然后,可通过
nslookup 内网域名
查看dns是否生效。
(另一种可能的配置, 不修改/etc/resolv.conf ,而是在 /etc/network/interfaces 中设置 eth1的nameserver 选项,ifup时使其自动生效。 但是这种还没试过!)
② 阿里ES服务器 通过 socat转发 tcp:11080 流量至 nanopi的 tcp:1080端口 (配置略)
阿里云服务器的安全管理设置里,要将 tcp:11080 端口放通。
③ 外网主机的浏览器配置 SOCKS5 代理,例如:
随后,浏览器启用代理模式,即可访问nanopi所在内网的 web服务器。
最新文章
- jQuery的几个应例题、JSON基础
- Android 防止控件被重复点击
- oracle触发器,一个表新增、修改的同时同步另一张表
- DSP using MATLAB 示例Example3.9
- this的指向及应用
- 关于HTTP请求报文和响应报文学习笔记
- GPS坐标转换
- RHEL 6.3使用CentOS yum源 (redhat yum安装失败)
- 恢复sudo的权限的命令
- 基于visual Studio2013解决算法导论之017查找第n小元素
- IOS网络请求之NSURLSession使用
- HDU1049
- ARM Mcp2515添加驱动
- 未来-区块链-Micron:区块链永远不会忘记:内存对这项革命性技术的推动作用
- Linux systemctl命令笔记
- Java并发编程的艺术(一)
- ES系列十三、Elasticsearch Suggester API(自动补全)
- 传统OGG与Microservice Architecture OGG的通信
- Flash和js交互的效率分析
- PHP笔记(配置UPUPW环境)