Ocserv with selectable exit nodes, hands-on

2018-11-01

We have a Hong Kong VPS and two VPS in other Southeast Asian countries. Publishing apps sometimes requires a Southeast Asian IP, but reaching those boxes directly from mainland China is slow, so the plan is to connect to Hong Kong and choose the exit from there.

1. How it works (topology)

[topology diagram] The client connects to ocserv on the HK VPS. Depending on the group chosen at login, its traffic either leaves from Hong Kong directly or is forwarded over an IPIP tunnel to the Indonesia or Singapore VPS and exits with that box's public address.

2. Install ocserv on the HK VPS

yum install epel-release

On CentOS 7 it can then be installed directly:

yum install ocserv -y

Once installed, the configuration file is as follows:


# ocserv.conf on the HK VPS
listen-host = 0.0.0.0
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
# server certificate and key, plus the CA used to verify client certificates
server-cert = /etc/ocserv/key/server-cert.pem
server-key = /etc/ocserv/key/server-key.pem
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
# GnuTLS priority string; this only removes SSL 3.0, TLS 1.0 and 1.1 stay enabled
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
# default client pool; the per-group files below override it with their own ipv4-network
ipv4-network = 10.8.2.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
ping-leases = false
no-route = 10.8.2.0/255.255.255.0
# exit groups the client can choose from at login
select-group = HK
select-group = Indonesia-1
select-group = Indonesia-2
select-group = Singapore
default-select-group = HK
auto-select-group = true
# one file per group, named after the group, in this directory
config-per-group = /etc/ocserv/config-per-group/
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml

Under config-per-group, put one file per group. ocserv looks the file up by group name, so each file name has to match a select-group entry exactly; the groups Indonesia-1 and Indonesia-2 listed above therefore each need a file of their own, a file named Indonesia is not applied to either of them.

ls /etc/ocserv/config-per-group/
HK Indonesia Singapore

Each file only sets that group's client pool. The pools have to agree with the policy-routing and NAT rules in sections 4, 5 and 7: 10.23.10.0/24 for HK (exits locally), 10.23.20.0/24 for Indonesia and 10.23.30.0/24 for Singapore.

cat HK
ipv4-network = 10.23.10.0/24

cat Indonesia
ipv4-network = 10.23.20.0/24

Assign the groups when creating the user; a user who belongs to more than one group is offered the choice of exit when connecting:

ocpasswd -c /etc/ocserv/ocpasswd -g "HK,Indonesia" test
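The group-name-equals-file-name rule is the part that silently breaks: a group whose file is missing simply falls back to the global ipv4-network and ends up in the wrong routing table. As an added example (this script is not from the original post), the following writes the per-group files and checks them against the select-group lines in ocserv.conf. The group-to-pool mapping in it is an assumption taken from the routing and NAT rules later in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the config-per-group
# files and check them against the select-group lines in ocserv.conf, since
# ocserv applies a group file only when its name equals the group name.
# The group-to-pool mapping is an assumption derived from the post's routing and
# NAT rules (HK exits locally, Indonesia via table 100, Singapore via table 200).

GROUP_POOLS='HK=10.23.10.0/24
Indonesia=10.23.20.0/24
Singapore=10.23.30.0/24'

# write_group_configs DIR: one file per group, named exactly after the group
write_group_configs() {
    mkdir -p "$1"
    printf '%s\n' "$GROUP_POOLS" | while IFS='=' read -r group pool; do
        [ -n "$group" ] || continue
        printf 'ipv4-network = %s\n' "$pool" > "$1/$group"
    done
}

# check_groups OCSERV_CONF DIR: print each inconsistency, return 1 if there is any
check_groups() {
    conf=$1; dir=$2
    problems=$(
        # every select-group needs a file of the same name
        sed -n 's/^select-group[[:space:]]*=[[:space:]]*//p' "$conf" |
            while read -r g; do
                [ -f "$dir/$g" ] || printf 'select-group %s has no file in %s\n' "$g" "$dir"
            done
        # every file should correspond to a select-group, otherwise it is dead config
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            g=${f##*/}
            grep -q "^select-group[[:space:]]*=[[:space:]]*$g\$" "$conf" ||
                printf 'file %s is not listed as a select-group\n' "$g"
        done
        # two groups sharing a pool would make the ip rule / SNAT rules ambiguous
        printf '%s\n' "$GROUP_POOLS" | cut -d= -f2 | sort | uniq -d |
            while read -r p; do printf 'pool %s is assigned to more than one group\n' "$p"; done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

case ${1:-} in
    gen)   write_group_configs "${2:?directory}" ;;
    check) check_groups "${2:?ocserv.conf}" "${3:?directory}" ;;
esac
```

Run it as `sh groups.sh gen /etc/ocserv/config-per-group/` and then `sh groups.sh check /etc/ocserv/ocserv.conf /etc/ocserv/config-per-group/`. Against the configuration shown above it reports Indonesia-1 and Indonesia-2 as having no file and Indonesia as not being a select-group, which is exactly the mismatch between the select-group lines and the directory listing.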

3. Create the IP tunnels

One IPIP tunnel from the HK VPS to each exit box. The HK end of the Indonesia tunnel is 10.23.1.1 and the far end will be 10.23.1.2; the Singapore tunnel uses 10.23.2.1 and 10.23.2.2. The local address is the HK VPS public IP (45.199.10.100) in both cases.

ip tunnel add Indonesia-tun mode ipip remote 103.200.2.100 local 45.199.10.100
ifconfig Indonesia-tun 10.23.1.1 netmask 255.255.255.0

ip tunnel add singapore-tun mode ipip remote 195.222.22.100 local 45.199.10.100
ifconfig singapore-tun 10.23.2.1 netmask 255.255.255.0

Two caveats about IPIP. It is plain encapsulation with no encryption and no authentication: the client traffic that ocserv decrypted in Hong Kong crosses the public internet in cleartext on the HK-to-exit leg, and the only thing tying a tunnel packet to its peer is the outer source address, which is trivially spoofed. If that matters for what goes through these exits, run the tunnel inside IPsec or use WireGuard between the boxes instead; at minimum, filter IP protocol 4 on both ends so only the expected peer address is accepted.

4. Configure policy routing

Traffic sourced from the Indonesia pool (10.23.20.0/24) is sent to the far end of the Indonesia tunnel through routing table 100, and the Singapore pool (10.23.30.0/24) through table 200. The main table is untouched, so the HK pool keeps using the VPS's normal default route.

ip route add default via 10.23.1.2 table 100
ip rule add from 10.23.20.0/24 table 100

ip route add default via 10.23.2.2 table 200
ip rule add from 10.23.30.0/24 table 200

5. NAT

The HK group leaves through Hong Kong itself, so 10.23.10.0/24 is SNATed to the VPS public address. The "! -d 10.23.0.0/16" exclusion keeps traffic between the VPN pools and the tunnel networks un-NATed. The Indonesia and Singapore pools are deliberately not NATed here: they are forwarded through the tunnels with their 10.23.x source intact and NATed on the exit box.

iptables -t nat -A POSTROUTING -s 10.23.10.0/24 ! -d 10.23.0.0/16 -j SNAT --to-source 45.199.10.100

iptables-save on its own only prints the ruleset. To keep it across a reboot on CentOS 7 with iptables-services, write it to the file the iptables service loads:

iptables-save > /etc/sysconfig/iptables

6. Enable IP forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/conf/Indonesia-tun/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/singapore-tun/rp_filter

Interface names are case-sensitive, so the rp_filter path has to use the name the tunnel was created with (Indonesia-tun). The kernel applies the higher of net.ipv4.conf.all.rp_filter and the per-interface value, so setting an interface to 0 only takes effect if "all" is not 1, and CentOS 7 sets all = 1 by default. Rather than disabling reverse-path filtering outright, loose mode (2) is enough for this asymmetric layout and still drops packets whose source address is not routable at all; turning it fully off on eth0 removes the VPS's own anti-spoofing check for no benefit. Writes to /proc do not persist either; put the same keys in a file under /etc/sysctl.d/ to keep them across reboots.

7. Configuration on the overseas server (Indonesia as the example)

Create the tunnel. It is the mirror image of the HK side, local and remote swapped, and this end is 10.23.1.2:

ip tunnel add Indonesia-tun mode ipip remote 45.199.10.100 local 103.200.2.100
ifconfig Indonesia-tun 10.23.1.2 netmask 255.255.255.0

Route. The return path for the VPN pool goes back through the HK end of the tunnel, 10.23.1.1; the next hop must be the far end, not this box's own tunnel address:

ip route add 10.23.20.0/24 via 10.23.1.1

NAT. The pool is SNATed to this box's public address on the way out, so the app stores see an Indonesian IP:

iptables -t nat -A POSTROUTING -s 10.23.20.0/24 ! -d 10.23.0.0/16 -j SNAT --to-source 103.200.2.100

iptables-save > /etc/sysconfig/iptables

Enable forwarding. The same rp_filter caveat as on the HK side applies, and the interface name is Indonesia-tun with a capital I:

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/conf/Indonesia-tun/rp_filter
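Sections 3 to 6 on the HK side and section 7 on each exit box are the same handful of commands with the addresses swapped, which is where the copy-paste slips above (the local address typo, the lowercase interface name, the return route pointing at the box's own address) come from. As an added example, not the post's own script, here is the whole procedure as one data-driven script that runs as "hk" on the Hong Kong VPS and as "exit Indonesia" or "exit Singapore" on the far end. Public IPs, tunnel addresses, client pools and table numbers are the ones used in the post; naming the Singapore tunnel Singapore-tun, accepting IP protocol 4 only from the known peers, and using rp_filter loose mode (2) instead of 0 are this example's own choices. DRY_RUN=1 prints the commands instead of executing them, so the result can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the post's own script: one data-driven setup for both ends of
# the post's topology. "hk" applies sections 3-6 on the Hong Kong VPS, "exit <name>"
# applies section 7 on that exit box. Public IPs, tunnel addresses, client pools
# and table numbers are the post's; the protocol-4 INPUT filtering and loose
# rp_filter (2) instead of 0 are this example's choice. DRY_RUN=1 prints the
# commands instead of running them.

HK_PUBLIC=45.199.10.100
VPN_SPACE=10.23.0.0/16      # client pools + tunnel nets; traffic staying inside is never SNATed
HK_POOL=10.23.10.0/24       # HK group: exits straight from the HK VPS

# name   remote_public_ip  hk_tunnel_ip  exit_tunnel_ip  client_pool    table
EXITS='Indonesia 103.200.2.100 10.23.1.1 10.23.1.2 10.23.20.0/24 100
Singapore 195.222.22.100 10.23.2.1 10.23.2.2 10.23.30.0/24 200'

# run: execute the command, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# add_tunnel NAME LOCAL REMOTE ADDR: IPIP tunnel with loose reverse-path check
add_tunnel() {
    run ip tunnel add "$1" mode ipip local "$2" remote "$3"
    run ip addr add "$4/24" dev "$1"
    run ip link set "$1" up
    # 2 = loose mode: the tunnel is not the route back to arbitrary internet
    # sources, so strict mode (1) could drop decapsulated replies, while 0 would
    # also stop dropping packets from completely unroutable (spoofed) sources.
    run sysctl -w "net.ipv4.conf.$1.rp_filter=2"
}

# common_sysctl: forwarding on; "all" must not stay at 1 or it overrides the per-interface 2
common_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=2
}

hk_setup() {
    common_sysctl
    run iptables -t nat -A POSTROUTING -s "$HK_POOL" ! -d "$VPN_SPACE" \
        -j SNAT --to-source "$HK_PUBLIC"
    printf '%s\n' "$EXITS" | while read -r name remote hk_ip exit_ip pool table; do
        [ -n "$name" ] || continue
        add_tunnel "$name-tun" "$HK_PUBLIC" "$remote" "$hk_ip"
        # policy routing: this pool's default route is the tunnel peer, in its own table
        run ip route replace default via "$exit_ip" dev "$name-tun" table "$table"
        run ip rule add from "$pool" lookup "$table"
        # IP protocol 4 is IP-in-IP ("ipencap" in /etc/protocols; "ipip" there is 94)
        run iptables -A INPUT -p 4 -s "$remote" -j ACCEPT
    done
    # anything else claiming to be a tunnel packet is dropped (outer source is still spoofable)
    run iptables -A INPUT -p 4 -j DROP
}

# exit_setup NAME: the mirror image on one overseas box
exit_setup() {
    printf '%s\n' "$EXITS" | while read -r name remote hk_ip exit_ip pool table; do
        [ "$name" = "$1" ] || continue
        common_sysctl
        add_tunnel "$name-tun" "$remote" "$HK_PUBLIC" "$exit_ip"
        # return path for the VPN pool is the HK end of the tunnel, not this box's own address
        run ip route replace "$pool" via "$hk_ip" dev "$name-tun"
        run iptables -t nat -A POSTROUTING -s "$pool" ! -d "$VPN_SPACE" \
            -j SNAT --to-source "$remote"
        run iptables -A INPUT -p 4 -s "$HK_PUBLIC" -j ACCEPT
        run iptables -A INPUT -p 4 -j DROP
    done
}

case ${1:-} in
    hk)   hk_setup ;;
    exit) exit_setup "${2:?exit name, e.g. Indonesia}" ;;
esac
```

Review the output with `DRY_RUN=1 sh exits.sh hk` before running it for real. The script is meant for a clean boot (an rc.local or systemd oneshot): `ip tunnel add`, `ip addr add` and `ip rule add` are not idempotent, so re-running it on a live box fails on the first two and stacks duplicate rules for the third. The protocol-4 filter only limits which outer source addresses are accepted; it does not make the tunnel authenticated, so the IPsec or WireGuard caveat from section 3 still stands.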