Preface

For security reasons, many companies keep some internal systems (the Git repository, the OA system, and so on) on servers inside the company, reachable only from the company network. As the business grows, however, some colleagues inevitably end up working elsewhere (outside the office: an R&D centre, a sales team, and so on). Without migrating the internal services to the Internet, letting colleagues in other locations reach resources on the intranet becomes a problem that has to be solved. There are many kinds of solutions for this sort of intranet penetration; this article only presents one more option, built on SoftEther VPN and Bind9. The solution described here has the following advantages:

1. No configuration changes are required on the original internal resources.
2. Only internal resources that have been joined to the shared network can be accessed from outside; internal resources that have not been shared cannot be reached.
3. The same domain name is used to reach the same internal resource, whether from inside or outside.
4. OS X and iOS devices can connect through the L2TP/IPsec protocol.

However, it also has the following disadvantages:

1. A server with a public IP address is required as the central server.
2. Because the solution is based on a virtual LAN, it inherits some unavoidable drawbacks of a LAN-based approach.

Principle

This solution uses the Ad-hoc VPN mode provided by SoftEther VPN to put the intranet servers and the external users into the same virtual LAN, and then resolves the domain name to the corresponding virtual-LAN IP address through a DNS server that supports split-horizon ("intelligent") resolution, which is what Bind9 views provide.

If the user is an intranet user, the DNS server resolves the same domain name to the internal IP address of the resource instead.

Deployment

Most of the deployment uses Docker. If you need to install manually, download the corresponding package from the SoftEther website.

The Docker environment

Omitted; beyond the scope of this article.

Install SoftEther Server

  1. Pull the image

    docker pull siomiz/softethervpn

  2. Start the VPN server

    docker run -d --cap-add NET_ADMIN \
      -p 500:500/udp \
      -p 4500:4500/udp \
      -p 1701:1701/tcp \
      -p 1194:1194/udp \
      -p 5555:5555/tcp \
      -p 443:443/tcp \
      -p 992:992 \
      siomiz/softethervpn

    Remember to open the corresponding ports on the server's firewall or cloud security group.

Install SoftEther Server Manager

Although SoftEther provides a Mac version of the installer, I found that it actually runs inside a Wine environment and the experience on a Mac is very poor, so I recommend finding a Windows computer to install VPN Server Manager on; it can be downloaded from the SoftEther website. Because this is a Windows installation tutorial made up mostly of screenshots, it is not reproduced here so as not to lengthen the article; refer to the official website or the blog post linked in the original article.

One thing to note: on the Virtual Hub management page, under "Virtual NAT and Virtual DHCP Server", enable SecureNAT, then set the DHCP server's network segment (192.168.111.0/24 here) and its DNS server option to the IP address of the DNS server (192.168.111.222 below).

Deploying a DNS Server

  1. Install bind9

    sudo apt-get install bind9

  2. Add two ACL (view) files under /etc/bind/, one per network segment

    name.2.conf

    acl "2" { 192.168.2.0/24; };

    name.111.conf

    acl "111" { 192.168.111.0/24; };

    The two files are used to tell which network segment the source IP address of a query belongs to, so that different resolution results can be returned for different segments. In this solution, 192.168.2.0/24 is the internal network segment and 192.168.111.0/24 is the virtual LAN segment created by the VPN.

  3. Create a zone file for each network segment in the /etc/bind/ directory (xxxx.xx stands for your internal domain name; use the same name consistently in the zone files, in the zone file names and in named.conf)

    1234tv.lan-2.zone

    $TTL 604800
    @       IN SOA  xxxx.xx. root.xxxx.xx. (
                    2         ; Serial
                    604800    ; Refresh
                    86400     ; Retry
                    2419200   ; Expire
                    604800 )  ; Negative Cache TTL
    ;
    @       IN NS   xxxx.xx.
    @       IN A    192.168.2.222
    gitlab  IN A    192.168.2.84

    1234tv.lan-111.zone

    $TTL 604800
    @       IN SOA  xxxx.xx. root.xxxx.xx. (
                    2         ; Serial
                    604800    ; Refresh
                    86400     ; Retry
                    2419200   ; Expire
                    604800 )  ; Negative Cache TTL
    ;
    @       IN NS   xxxx.xx.
    @       IN A    192.168.111.222
    gitlab  IN A    192.168.111.84
  4. Reference the ACL files and the zone files from the main Bind9 configuration file

    sudo vim /etc/bind/named.conf

    Add the following: comment out the default include lines and declare two views, View_2 and View_111. Note that every statement must end with a semicolon. Because the default options file (which normally sets the `directory` option) is commented out, the `file` paths are given as absolute paths.

    #include "/etc/bind/named.conf.options";
    #include "/etc/bind/named.conf.local";
    #include "/etc/bind/named.conf.default-zones";

    include "/etc/bind/name.2.conf";
    view "View_2" {
        match-clients { "2"; };
        zone "xxxx.xxx" IN {
            type master;
            file "/etc/bind/xxxx.xxx-2.zone";
            allow-update { none; };
        };
    };

    include "/etc/bind/name.111.conf";
    view "View_111" {
        match-clients { "111"; };
        zone "xxxx.xxx" IN {
            type master;
            file "/etc/bind/xxxx.xxx-111.zone";
            allow-update { none; };
        };
    };
  5. Start the Bind9 service

    sudo /etc/init.d/bind9 start

  6. Verify resolution

    dig gitlab.xxxx.xx @192.168.2.222

    Run from the internal segment the answer should be 192.168.2.84; run from a host on the VPN segment (querying 192.168.111.222) it should be 192.168.111.84.
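The two zone files and the two view blocks above are hand-written copies of each other, and the set of A records in the VPN-view zone is exactly the set of internal hosts reachable from outside (advantage 2 in the preface). The following is an added example, written for this article and not part of the original post or of Bind9/SoftEther: a POSIX shell script that generates both split-horizon zone files and the matching `acl`/`view` blocks from a single host list, so the two views cannot drift apart, and then checks them. It assumes a placeholder domain `example.lan`, a constructed host list (`gitlab` = .84, `wiki` = .90), the DNS server at last octet .222 in both segments, and the two segments 192.168.2.0/24 (internal) and 192.168.111.0/24 (VPN) from the steps above; the function names (`gen_zone`, `gen_view`, `count_a_records`, `write_all`) and the output directory are mine.

```shell
#!/bin/sh
# Added example (not from the original post): generate a consistent pair of
# split-horizon zone files plus the named.conf view blocks from one host list.
# Assumptions: placeholder domain example.lan; the DNS server is .222 and each
# host keeps the same last octet in both segments, as in the zone files above.

ZONE="example.lan"   # placeholder internal domain; replace with your own

# Constructed host list: "name last-octet", one per line. A host that is NOT
# listed here is not resolvable from the VPN view, which is the whole
# exposure control of this design.
HOSTS="gitlab 84
wiki 90"

# gen_zone SERIAL PREFIX -> prints a zone file for segment PREFIX (e.g. 192.168.2)
gen_zone() {
    serial="$1"; prefix="$2"
    printf '$TTL 604800\n'
    printf '@\tIN\tSOA\t%s. root.%s. (\n' "$ZONE" "$ZONE"
    printf '\t\t%s\t; Serial\n\t\t604800\t; Refresh\n\t\t86400\t; Retry\n' "$serial"
    printf '\t\t2419200\t; Expire\n\t\t604800 )\t; Negative Cache TTL\n'
    printf '@\tIN\tNS\t%s.\n' "$ZONE"
    printf '@\tIN\tA\t%s.222\n' "$prefix"
    printf '%s\n' "$HOSTS" | while read -r name octet; do
        [ -n "$name" ] && printf '%s\tIN\tA\t%s.%s\n' "$name" "$prefix" "$octet"
    done
}

# gen_view NAME ACL PREFIX DIR -> prints the acl and one view block. File paths
# are absolute because named.conf.options (which sets "directory") is
# commented out in step 4.
gen_view() {
    name="$1"; acl="$2"; prefix="$3"; dir="$4"
    cat <<EOF
acl "$acl" { $prefix.0/24; };
view "$name" {
    match-clients { "$acl"; };
    zone "$ZONE" IN {
        type master;
        file "$dir/$ZONE-$acl.zone";
        allow-update { none; };
    };
};
EOF
}

# count_a_records FILE -> number of A records; run on the VPN-view zone this is
# the size of the externally resolvable host set.
count_a_records() { grep -c '[[:space:]]IN[[:space:]]*A[[:space:]]' "$1"; }

# write_all DIR SERIAL -> writes both zone files and a named.conf fragment,
# syntax-checks them when BIND's tools are installed, and fails if the two
# views publish a different number of names.
write_all() {
    dir="$1"; serial="$2"
    gen_zone "$serial" 192.168.2   > "$dir/$ZONE-2.zone"
    gen_zone "$serial" 192.168.111 > "$dir/$ZONE-111.zone"
    { gen_view View_2 2 192.168.2 "$dir"; gen_view View_111 111 192.168.111 "$dir"; } \
        > "$dir/named.conf.views"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$dir/$ZONE-2.zone"   >/dev/null || return 1
        named-checkzone "$ZONE" "$dir/$ZONE-111.zone" >/dev/null || return 1
    fi
    [ "$(count_a_records "$dir/$ZONE-2.zone")" = "$(count_a_records "$dir/$ZONE-111.zone")" ]
}

# Stand-alone run: `sh split-dns.sh generate` writes everything under
# ./splitdns-out (a constructed path) and lists the result.
if [ "${1:-}" = "generate" ]; then
    mkdir -p splitdns-out && write_all splitdns-out 2 && ls splitdns-out
fi
```

Copy the generated zone files and `named.conf.views` into /etc/bind/, include the fragment from named.conf in place of the hand-written view blocks, run `named-checkconf` before restarting, and then repeat the `dig` check of step 6 from a host on each segment. Bump the serial argument every time the host list changes so that any secondary server notices the update.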

Install the VPN Client

All internal servers that need to be shared for external access must have the VPN Client installed and be connected to the VPN Server. The method below deploys the VPN client as a Docker container on Linux; for Windows, refer to the article linked in the original post.

  1. Pull the image

    sudo docker pull mitsutaka/softether-vpnclient

  2. Start the image and connect it to the VPN Server created earlier

    docker run -d --name=softether-vpnclient \
      --net=host --privileged \
      -e VPN_SERVER=<Softether VPN server> \
      -e VPN_PORT=<Softether VPN port> \
      -e ACCOUNT_USER=<Registered username> \
      -e ACCOUNT_PASS=<Registered password> \
      -e VIRTUAL_HUB=<Virtual Hub name> \
      -e TAP_IPADDR=<IP address/netmask> \
      mitsutaka/softether-vpnclient

    VPN_SERVER is the server started earlier, VIRTUAL_HUB is the name of the virtual hub created in Server Manager, and TAP_IPADDR is the address this host takes in the virtual LAN. You are advised to specify a fixed IP address, especially for the DNS server, which must keep the fixed address used in the zone file (192.168.111.222).

Conclusion

At this point, this simple intranet penetration solution is deployed. Intranet users can simply set the intranet DNS server as their resolver and access internal servers by domain name, and Internet users can access the same internal resources by the same domain names after connecting to the virtual LAN with the VPN Client. I wrote this article partly because I expect to need this again in the future and am afraid I will forget it, so it serves as a record; I also hope it helps others with the same need.