As we all know, exposing the SSH port directly to the internet carries risk. Public-key (certificate-based) authentication is fairly secure, but any port reachable from the internet will sooner or later be probed and attacked, and the same is true on Alibaba Cloud. Obviously, if all you need is a shell, the password-free login from the ECS web console is enough.
However, sometimes more than an SSH port is needed. For example, YDJSIR found that Hadoop, Spark and similar software expose many ports once started, with no authentication by default, which is obviously very dangerous. Spark in particular must bind to an IP address that the instance actually holds, and on Alibaba Cloud that is the private VPC address, which cannot be reached from outside (the EIP is NAT-mapped to the instance and does not appear on its network card). There is a workaround: attach an elastic network interface to the ECS instance and bind an elastic public IP to it in EIP NIC-visible mode, so that the public address appears on the card itself. Even with such access, though, this is very insecure. The most direct way to solve the problem is to put the operations/development machines and the cloud servers on the same private network.
However, the managed VPN offerings Alibaba Cloud provides for this have a high barrier in cost and complexity, which does not suit small and micro developers, so let's do it ourselves. YDJSIR chose the open-source OpenVPN (UDP + TUN) for this. Compared with traditional L2TP and PPTP it is modern, secure and efficient, and it has better cross-platform support and (maybe?) documentation than WireGuard. So why doesn't YDJSIR use v2ray? Non-international routes would probably be fine, but YDJSIR still does not want to trigger an alert. Alibaba Cloud also has an official OpenVPN tutorial on its Chinese site (see the references below), which settles it. After all, YDJSIR has been using OpenVPN since junior high school.
Developers and maintainers first connect to the OpenVPN server on ECS0, then reach the other resources inside the VPCs through it.
ECS0 only needs at least 1 vCPU and 512 MB of RAM, with x86_64 architecture.
| No. | Title | URL | Note |
|---|---|---|---|
| 1 | How To Set Up and Configure an OpenVPN Server on CentOS 7 | https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-centos-7 | The main reference for this article |
| 3 | How to configure OpenVPN on an ECS instance running CentOS (在CentOS系统的ECS实例中如何配置OpenVPN) | https://help.aliyun.com/document_detail/42521.html | Alibaba Cloud's document on using OpenVPN on Alibaba Cloud |
| 4 | Fixing the problem where the server can be pinged through OpenVPN but TCP connections fail (解决通过openvpn能ping通服务器，tcp连接不通的问题) | https://www.icode9.com/content-4-148712.html | Solves the problem of being able to ping but not establish TCP connections |
| 5 | Common Linux kernel network parameters and troubleshooting (Linux实例常用内核网络参数介绍与常见问题处理) | https://help.aliyun.com/document_detail/41334.html | Alibaba Cloud's explanation of the cause behind reference 4 |
All commands are run as the user provided by Alibaba Cloud's web management console.
The ECS runs CentOS 7.9, and the security group already allows inbound UDP 1194.
sudo yum update -y
Note the easy-rsa version in the download below (2.3.3, the legacy 2.x branch that the reference tutorial uses) and adjust the paths that follow accordingly.
wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz
sudo mkdir -p /etc/openvpn/easy-rsa/keys
(-p so that the parent directory /etc/openvpn/easy-rsa is created as well.)
Now set the variables used for certificate generation.
sudo vim /etc/openvpn/easy-rsa/vars
Source the file so that these variables take effect.
Now generate the certificates: the CA, the server certificate and key, and one certificate per client. The CA private key is what allows new client certificates to be issued, so keep it somewhere safer than the server if you can.
==OpenVPN binding address==. Write here the address the instance actually holds on its network card, as shown by ifconfig, which is the private VPC address; this is how OpenVPN binds to a specific interface. If you enabled EIP NIC-visible mode, it is the public IP instead. Clients still connect to the public EIP; in normal mode Alibaba Cloud NATs it to the private address.
==Allows multiple clients to connect with the same set of configuration files, each receiving its own IP address==. This is necessary if you want to reuse one client configuration (and therefore one certificate) on several machines; without it, connections sharing the same common name collide and the addresses conflict. Bear in mind that a shared certificate cannot be revoked for a single lost laptop; one certificate per client is safer.
==Configure the Alibaba Cloud VPC network segments that the clients need to reach==. These must be segments the server itself can reach, so pay attention to security groups and whitelists. Configure this part according to your actual needs.
The same note as for No. 23 applies here.
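As an added illustration, not the page's own configuration file, here is a minimal /etc/openvpn/server.conf showing where the three highlighted items go. The addresses are placeholders: 172.16.0.10 stands for the private VPC address of ECS0 as shown by ifconfig, 10.8.0.0/24 is the tunnel subnet, and 172.16.0.0/16 is the VPC segment to push; the tls-auth key is an extra hardening step not mentioned on the page.

```conf
# /etc/openvpn/server.conf -- added example, not the page's own file.
# Bind to the address the card really has (private VPC address; assumption).
# Clients connect to the EIP, which Alibaba Cloud NATs to this address.
local 172.16.0.10
port 1194
proto udp
dev tun

# Material produced by easy-rsa 2.x into the keys directory created above.
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key  /etc/openvpn/easy-rsa/keys/server.key
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem
# Optional HMAC on the control channel; generate with
#   openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

# Tunnel subnet; each client is handed a 10.8.0.x address.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Let several clients share one certificate / common name (the note above).
# Convenient, but per-client certificates let you revoke one machine alone.
duplicate-cn

# VPC segment(s) the clients may reach; the security group must allow it too.
push "route 172.16.0.0 255.255.0.0"

keepalive 10 120
cipher AES-256-GCM
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
```

The data channel cipher and remote-cert checks only help if the client side is configured to match, so keep the client file in step with this one.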
Here we use firewalld rather than bare iptables for the forwarding, since plain iptables rules on CentOS 7 are not persistent and would have to be reloaded at every boot. To let traffic flow between the OpenVPN interface and the target network we need to configure routing and firewall rules. Line 5 source-NATs (masquerades) the addresses of the OpenVPN subnet behind the VPC-facing network card, so hosts in the VPC see the traffic as coming from ECS0 and their replies come back through it. That is what lets OpenVPN clients reach the other intranets. Note that only IPv4 is forwarded here.
sudo systemctl enable firewalld
sudo vim /etc/sysctl.conf
vm.swappiness = 0
The last two lines of the configuration must not be omitted. For the detailed reason, see https://help.aliyun.com/knowledge_detail/41334.html (Chinese).
Run the command below to apply these settings.
sudo sysctl -p
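The firewalld and sysctl commands themselves are not reproduced on the page, so the following is an added script, not the author's own, that performs the forwarding setup described above on CentOS 7. It assumes a tunnel subnet of 10.8.0.0/24, a VPC-facing interface named eth0 and the file /etc/sysctl.conf; all three can be overridden through environment variables. Which two sysctl lines the page refers to is not shown, so the kernel settings below are this example's own choice, following the page's statement that the fix involved TCP timestamps. Without an argument the script only prints what it would change; "apply" performs it.

```shell
#!/bin/sh
# Added example, not the page's own commands: forwarding setup for an OpenVPN
# server on CentOS 7 using firewalld. Assumptions (not from the page): tunnel
# subnet 10.8.0.0/24, VPC-facing interface eth0, sysctl file /etc/sysctl.conf.
# Without an argument the script only prints what it would do; "apply" does it.
set -eu

TUN_NET="${TUN_NET:-10.8.0.0/24}"
VPC_IF="${VPC_IF:-eth0}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Source NAT (masquerade) for the tunnel subnet on the VPC-facing card, as an
# iptables rule handed to firewalld's --direct --passthrough. VPC hosts then see
# ECS0's own address and their replies come back through the tunnel.
nat_rule() {
    printf '%s\n' "ipv4 -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Kernel settings. ip_forward is mandatory for routing between tun0 and the VPC.
# tcp_tw_recycle=1 (still present on the 3.10 kernel) makes the kernel drop a
# SYN whose TCP timestamp is lower than the last one seen from that source
# address; when tunnel addresses get reused by different machines (duplicate-cn)
# one symptom of that is "ping works, TCP does not". The page says its fix was
# disabling timestamps; the exact lines are this example's choice (assumption).
sysctl_lines() {
    printf '%s\n' \
        "net.ipv4.ip_forward = 1" \
        "net.ipv4.tcp_tw_recycle = 0" \
        "net.ipv4.tcp_timestamps = 0"
}

# Set "key = value" in the sysctl file idempotently: replace an existing line
# for the key, otherwise append one.
ensure_sysctl() {
    key=$(printf '%s' "${1%%=*}" | sed 's/[[:space:]]*$//')
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$SYSCTL_CONF" 2>/dev/null; then
        tmp="${SYSCTL_CONF}.tmp"
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|$1|" "$SYSCTL_CONF" > "$tmp"
        mv "$tmp" "$SYSCTL_CONF"
    else
        printf '%s\n' "$1" >> "$SYSCTL_CONF"
    fi
}

apply_forwarding() {
    systemctl enable firewalld
    systemctl start firewalld
    firewall-cmd --permanent --add-service=openvpn          # UDP 1194
    firewall-cmd --permanent --add-masquerade
    firewall-cmd --permanent --zone=trusted --add-interface=tun0
    # word splitting of the rule into arguments is intended here
    firewall-cmd --permanent --direct --passthrough $(nat_rule "$TUN_NET" "$VPC_IF")
    firewall-cmd --reload
    sysctl_lines | while read -r line; do ensure_sysctl "$line"; done
    sysctl -p
}

if [ "${1:-plan}" = "apply" ]; then
    apply_forwarding
else
    printf 'would add direct rule: %s\n' "$(nat_rule "$TUN_NET" "$VPC_IF")"
    printf 'would set in %s:\n' "$SYSCTL_CONF"
    sysctl_lines
fi
```

Putting tun0 in the trusted zone means the firewall does not filter between VPN clients and ECS0 itself; if you only want clients to reach the VPC, leave it in the default zone and open the specific services instead.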
sudo systemctl enable openvpn@server.service
(The name after @ must match the configuration file name in /etc/openvpn, here server.conf.)
Reboot the server to verify that the OpenVPN server starts automatically at boot.
The client files below should be platform independent.
- Install the OpenVPN package provided by OpenVPN's official website.
- Copy all the certificate and configuration files mentioned above into OpenVPN's user config folder.
- Start OpenVPN.
Install OpenVPN. It can be installed directly from the distribution's repositories (apt on Ubuntu, yum on CentOS, and so on); I won't go into details here. The version should preferably be 2.4 or 2.5.
Copy the configuration file and the files it depends on into the directory that the --cd option points at in the command below.
Run the following command to start OpenVPN and connect.
sudo openvpn --daemon --cd /etc/openvpn/client/config_v2 --config client.ovpn --log-append /var/log/openvpn.log
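As an added example, not the page's own file, a client.ovpn matching the server layout described above. The EIP 203.0.113.10 is a placeholder, the certificate file names are assumed, and tls-auth is only needed if the server uses it.

```conf
# client.ovpn -- added example, not the page's own file.
client
dev tun
proto udp
# Public EIP of ECS0 (placeholder). The server binds its private address;
# Alibaba Cloud NATs the EIP to it, so UDP 1194 reaches OpenVPN.
remote 203.0.113.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse a peer that presents a client certificate as the "server"; requires
# the server certificate to have been built with easy-rsa's build-key-server.
remote-cert-tls server
cipher AES-256-GCM
verb 3
# Paths are relative to the directory given to --cd (or the config folder on Windows).
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
```

On OpenVPN 2.4 and later the packaged alternative to the manual --daemon command is to place the file as /etc/openvpn/client/NAME.conf and run systemctl start openvpn-client@NAME, which also gives you logging through journalctl.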
How could I have expected that a normal deployment activity would accidentally introduce a kernel parameter adjustment to disable TCP timestamps! It wasn't until I couldn't help searching with Google that I found the solution. The network is complex, and it is necessary to understand the TCP/UDP connection modes. YDJSIR still has a lot to learn in computer networking.