Using NPS on a Raspberry Pi for intranet penetration (NAT traversal)


Preface

  • Earlier I wanted to set up intranet penetration and fiddled with Peanut Shell, but it has restrictions. Later I tried FRP, but have not got it working yet.
  • This time I use NPS, mainly because of its graphical configuration interface.

Preparation

Server: a CentOS host with a public IP address.

Client: a Raspberry Pi 3B+ running CentOS (the build is described in a separate post, linked at the end).

Software download

CPU confirmation

Before downloading, check the CPU architecture of both the server and the client so you pick the right package. On Windows this is shown in System Information; on Linux use the following command:

cat /proc/cpuinfo

The model name field identifies the CPU; my server's CPU is an Intel part:

model name      : Intel(R) Xeon(R) Gold 6278C CPU @ 2.60GHz

Client: for the Raspberry Pi 3B+ you can use the same command or consult the official hardware specification.

Note: I assumed the chip was plain ARM and picked the generic ARM package, which would not run. The Raspberry Pi 3B+ is actually ARMv7 (newer models may be ARMv8).

Software download

  • Download the packages from the NPS release page.
  • My server is Intel, so I chose "linux_386_server.tar.gz"; my client is ARMv7, so I chose "linux_arm_v7_client.tar.gz".

Server configuration

Server installation

  • File upload: I use FileZilla to upload the package; use whichever tool you prefer. The Pagoda (BT) panel's file manager also works.
  • Extraction: use the command that matches the downloaded archive:
# Use this if the archive is gzip-compressed (.tar.gz)
tar -zxvf linux_386_server.tar.gz

# If that fails, let tar detect the format itself
tar -xvf linux_386_server.tar.gz
  • Run it:
# Start in the foreground; it stops when the SSH session disconnects
./nps

# Keep it running in the background (recommended for real use)
(./nps &)

If you see the following error, port 80 is already in use:

2022/04/10 20:08:10.239 [E] [http.go:67]  listen tcp 0.0.0.0:80: bind: address already in use
  • Edit the configuration file and change the HTTP proxy port to one that is free:
# Open the file
vim conf/nps.conf

# Change the port to one you can use
http_proxy_port=8099
  • If output like the following appears, the server started successfully:
[root@hecs-x-medium-2-linux-20200622120017 www]# ./nps 
2022/04/10 22:14:52.314 [I] [nps.go:202]  the version of server is 0.26.10 ,allow client core version to be 0.26.0
2022/04/10 22:14:52.784 [I] [connection.go:36]  server start, the bridge type is tcp, the bridge port is 8024
2022/04/10 22:14:52.787 [I] [server.go:200]  tunnel task  start mode: tcp port 8083
2022/04/10 22:14:52.787 [I] [server.go:200]  tunnel task  start mode: httpHostServer port 0
2022/04/10 22:14:52.787 [I] [connection.go:71]  web management start, access port is 8080
2022/04/10 22:14:52.789 [I] [connection.go:53]  start http listener, port is 8099
2022/04/10 22:14:52.789 [I] [connection.go:62]  start https listener, port is 443

If there is no response, check whether the port is blocked by the firewall. On cloud hosts such as Alibaba Cloud or Huawei Cloud, also check that the security group allows the port.

Server configuration

  • Open the server's web configuration interface. According to the startup log above, the web management port is 8080:
2022/04/10 22:14:52.787 [I] [connection.go:71]  web management start, access port is 8080

Browse to http://<server IP>:8080 to reach the web configuration interface.
  • Log in to the web interface with the default account admin and default password 123. Because this panel is reachable from the Internet, change both right away (web_username and web_password in conf/nps.conf, then restart nps).

  • After logging in, choose "Client" in the menu and click "Add" in the client list to create a new client; set its key (vkey) and save.

  • Once the client is added, the new device appears in the client list, but its connection status is still "offline".

  • Adding a client alone does not carry any traffic. You also need a tunnel that maps a server port to a client-side target: add one under "TCP tunnel".

  • When adding a tunnel, the relevant fields are:

    Client ID: the ID shown in the client list.

    Server port: the port you will connect to remotely; it must be opened on the public server (firewall and security group).

    Target (IP:port): the local address and port to expose. Usually this is 127.0.0.1 plus the service port, or the device's IP address on your router's LAN.
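Before leaving the panel reachable from the Internet, it is worth checking that the defaults mentioned above are gone. The following shell script is an added example (not part of NPS): it reads conf/nps.conf, whose web_username, web_password and public_vkey keys are NPS's own, and flags the shipped values; the length threshold is my choice.

```shell
#!/bin/sh
# Audit conf/nps.conf for the shipped defaults that must not stay on a public host.
# Added example; not part of NPS. web_username, web_password and public_vkey are
# real keys in nps.conf; the threshold and the sample values are my own.

# conf_get FILE KEY: print KEY's value (last definition wins; comment lines ignored)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_nps_conf FILE: print one finding per line; return 0 if clean, 1 otherwise
audit_nps_conf() {
    findings=0
    user=$(conf_get "$1" web_username)
    pass=$(conf_get "$1" web_password)
    vkey=$(conf_get "$1" public_vkey)

    # The panel listens on web_port on the public IP; admin/123 is the documented default.
    if [ "$user" = "admin" ]; then
        echo "web_username is the default 'admin'; pick a non-obvious account name"
        findings=$((findings + 1))
    fi
    if [ -z "$pass" ] || [ "$pass" = "123" ] || [ "${#pass}" -lt 12 ]; then
        echo "web_password is empty, the default '123' or shorter than 12 chars; use a long random value"
        findings=$((findings + 1))
    fi
    # Any npc that knows public_vkey can register itself through this server.
    if [ "$vkey" = "123" ]; then
        echo "public_vkey is the default '123'; leave it empty to disable public clients, or use a long random value"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
# Usage on the server: audit_nps_conf conf/nps.conf && echo "no default credentials found"
```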

Client configuration

Client installation

  • File upload: I use FileZilla to upload the package; use whichever tool you prefer. The Pagoda (BT) panel's file manager also works.
  • Extraction: use the command that matches the downloaded archive:
# Use this if the archive is gzip-compressed (.tar.gz)
tar -zxvf linux_arm_v7_client.tar.gz

# If that fails, let tar detect the format itself
tar -xvf linux_arm_v7_client.tar.gz
  • Run it:
# x.x.x.x: your server's public IP address
# 8024: the server's bridge port, shown in the server startup log ("server start, the bridge type is tcp, the bridge port is 8024") and on the server dashboard
# vkey: the unique verification key set when the client was added

# Start in the foreground; it stops when the SSH session disconnects
./npc -server=x.x.x.x:8024 -vkey=demo123

# Keep it running in the background (recommended for real use)
(./npc -server=x.x.x.x:8024 -vkey=demo123 &)

If you are not sure of the command, click the "+" next to the ID in the client list; it shows the exact npc command, which you can copy and run.

  • After a successful start you will see output like this:
[root@localhost nps]# ./npc -server=x.x.x.x:8024 -vkey=demo123
2022/04/10 23:07:27.009 [I] [npc.go:231]  the version of client is 0.26.10, the core version of client is 0.26.0
2022/04/10 23:07:28.494 [I] [client.go:72]  Successful connection with server x.x.x.x:8024

At the same time, the server's web page now shows the device's connection status as "online".
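A more robust way to keep npc resident than "(./npc ... &)" is a systemd service. The script below is an added example, not from the NPS project; it assumes npc is unpacked in /opt/npc and a dedicated unprivileged system user named npc exists, and it uses npc's -config option with a [common] section (server_addr, vkey, conn_type) so the key is not on the command line.

```shell
#!/bin/sh
# Run npc as a systemd service instead of "(./npc ... &)": it starts at boot, restarts
# on failure, and runs as an unprivileged user. Added example, not from the NPS project.
# Assumed layout: npc binary in /opt/npc and a system user "npc"
# (useradd -r -s /sbin/nologin npc). The vkey goes into a 0600 npc.conf instead of
# the command line, so it is not visible to every local user via ps.

# write_npc_service SERVER:PORT VKEY [ROOT]: write npc.conf and npc.service, print unit path.
# ROOT is an alternate root directory used only for testing (default: the real filesystem).
write_npc_service() {
    server="$1"; vkey="$2"; root="${3:-}"
    conf_dir="$root/etc/npc"; unit_dir="$root/etc/systemd/system"
    mkdir -p "$conf_dir" "$unit_dir"

    # npc's own config format: a [common] section read with "npc -config=FILE"
    cat > "$conf_dir/npc.conf" <<EOF
[common]
server_addr=$server
conn_type=tcp
vkey=$vkey
EOF
    chmod 600 "$conf_dir/npc.conf"
    if id npc >/dev/null 2>&1; then
        chown npc: "$conf_dir/npc.conf" 2>/dev/null || echo "warning: chown of npc.conf failed" >&2
    fi

    cat > "$unit_dir/npc.service" <<EOF
[Unit]
Description=NPS client (npc) tunnel to $server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=npc
WorkingDirectory=/opt/npc
ExecStart=/opt/npc/npc -config=/etc/npc/npc.conf
Restart=on-failure
RestartSec=5
NoNewPrivileges=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
    echo "$unit_dir/npc.service"
}
# Then, as root: systemctl daemon-reload && systemctl enable --now npc && systemctl status npc
```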

Try adding a website

  • Here I use the Pagoda (BT) panel's quick site setup.

  • After a site is added, a default page is configured automatically, so we can test remote access.

  • Browse to your public IP and the tunnel's server port to reach the site. The result looks like this:

Firewall

  • The client side has no cloud security group, so if a port cannot be reached, check whether the local firewall allows it:
  • View open ports
firewall-cmd --zone=public --list-ports
  • View listening ports
netstat -lnpt
  • Open port 8024
firewall-cmd --zone=public --add-port=8024/tcp --permanent
  • Close port 8024
firewall-cmd --zone=public --remove-port=8024/tcp --permanent
  • Apply the permanent configuration immediately
firewall-cmd --reload
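To make the "check whether the ports are open" step systematic, here is an added example (not from the original post) that cross-checks the ports a host needs (on the server: the bridge port, the web port and each tunnel's server port) against what is listening and what firewalld allows. It parses the output of ss -lnt or netstat -lnpt and of firewall-cmd --list-ports passed in as text, so it can also run offline on sample output.

```shell
#!/bin/sh
# Cross-check required ports against listening sockets and the firewalld public zone.
# Added example; the port lists and the sample outputs in the test are constructed.

# listening_ports TEXT: from "ss -lnt" or "netstat -lnpt" output, print listening TCP ports.
# In both formats the local address is the 4th field; strip everything up to the last colon.
listening_ports() {
    printf '%s\n' "$1" | awk '/LISTEN/ {print $4}' | sed 's/.*://' | sort -un
}

# check_ports "PORTS" LISTEN_TEXT FIREWALL_TEXT: report every port that is not listening
# or not allowed by firewalld; return 0 only when all ports pass both checks.
check_ports() {
    wanted="$1"; listen=$(listening_ports "$2"); allowed=" $3 "; rc=0
    for p in $wanted; do
        if ! printf '%s\n' "$listen" | grep -qx "$p"; then
            echo "port $p: nothing is listening (is nps/npc running, and is the port set in conf/nps.conf?)"
            rc=1
        fi
        # firewall-cmd --list-ports prints entries like "8024/tcp 8080/tcp" on one line
        case "$allowed" in
            *" $p/tcp "*) ;;
            *) echo "port $p: not allowed by firewalld (firewall-cmd --zone=public --add-port=$p/tcp --permanent && firewall-cmd --reload)"
               rc=1 ;;
        esac
    done
    return "$rc"
}

# check_live "8024 8080 8099": run the same checks against this host's real state
check_live() {
    check_ports "$1" "$(ss -lnt 2>/dev/null || netstat -lnpt)" "$(firewall-cmd --zone=public --list-ports)"
}
```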

Summary

  • When mapping ports, be sure to check whether the ports are open.
  • Multiple commands can be started in the background, so multiple ports can be mapped.
  • On this basis you can also map SSH, the Pagoda panel and other ports, so that remote deployment later on is no longer a problem.

Related post: Installing CentOS 7 on the Raspberry Pi 3B+

Tags: Raspberry Pi hardware

Posted by hsn on Thu, 14 Apr 2022 01:14:45 +0930