Use LANproxy to build your own intranet penetration platform

Time: 2021-9-8

Project background

Our company currently has some Raspberry Pis connected to a 4G network that need to be managed and maintained over a remote shell connection. These devices do not have a fixed public IP, so the problem has to be solved through intranet penetration.

Preparation

  • Raspberry Pi × n to be penetrated (we installed Ubuntu 20, and the commands below are based on this system)
  • A server with a public IP / domain name. Any operating system will do (we use an Alibaba Cloud Windows Server)
  • lanproxy

Architecture Principle

Let's go through the process first; many of its details are needed to understand the steps that follow.

General process:

  1. First, we start the LANproxy intranet penetration server on Alibaba Cloud, listening on port 8000
  2. In the LANproxy console on Alibaba Cloud, create a key for a Raspberry Pi (this key is required when starting the client) and specify an external port, 10000
  3. The client (Raspberry Pi) starts the LANproxy client and connects to port 8000 on Alibaba Cloud. The two sides establish a long-lived connection
  4. Connecting to port 10000 on Alibaba Cloud with Xshell then reaches the Raspberry Pi.

Notes:

  • All ports mentioned above are the ones used in our company's actual project; you can choose any ports in your own configuration.
  • The server (Alibaba Cloud) ports used above must be opened in the firewall, otherwise they cannot be used

Architecture diagram:
[Figure: architecture diagram]

PS: some readers may ask: if all Raspberry Pis connect to the same Alibaba Cloud port, what does the server rely on for routing and forwarding? The answer is the key, which is covered in the tutorial below.

Deployment process

1. Install the server

Download the server from the download address.
There are many files at the link. Be careful not to confuse them. The file name of the server is: proxy-server-0.1.zip
After unpacking the archive, first open the conf/config.properties file, which looks like this:

server.bind=0.0.0.0
#Client connection port
server.port=4900

server.ssl.enable=true
server.ssl.bind=0.0.0.0
server.ssl.port=4993
server.ssl.jksPath=test.jks
server.ssl.keyStorePassword=123456
server.ssl.keyManagerPassword=123456
server.ssl.needsClientAuth=false

config.server.bind=0.0.0.0
#Server background interface port number
config.server.port=8090
#Background account
config.admin.username=admin
#Background password
config.admin.password=admin

Two lines are particularly easy to confuse and need separate explanation:

server.port=4900
config.server.port=8090

server.port is the port the server uses to communicate with the penetrated devices (the corresponding port is not drawn in the architecture diagram), that is, the port 8000 I drew in the architecture diagram above.
config.server.port is the port of the server's background interface. After deployment, we can access this interface at localhost:8090.
Remote ports (i.e. 10000, 10001 and 10002 mentioned above) are not set in the configuration file; they are configured in the background interface!

The above contents can be modified as needed. The SSL part is not explained because it is not used in our project.
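
An added example, not part of the original post or of the LANproxy project: a small Python check that flags values in the configuration above which should not stay as shown once the server is reachable from the internet (the admin/admin background account, the 123456 keystore passwords, the background interface bound to 0.0.0.0). The function names and the rule set are assumptions of this example.

```python
# Added example (not LANproxy code): flag sample values in conf/config.properties
# that should change before the server faces the internet. Names are assumptions.
SAMPLE = """\
#Client connection port
server.port=4900
server.ssl.enable=true
server.ssl.jksPath=test.jks
server.ssl.keyStorePassword=123456
server.ssl.keyManagerPassword=123456
config.server.bind=0.0.0.0
config.server.port=8090
config.admin.username=admin
config.admin.password=admin
"""  # trimmed copy of the configuration shown above
WEAK = {"", "admin", "123456", "password"}
SECRETS = ("config.admin.password", "server.ssl.keyStorePassword",
           "server.ssl.keyManagerPassword")

def parse_properties(text):
    """key=value lines; blank lines and #/! comments skipped, padding stripped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (key, finding) pairs for settings left at risky sample values."""
    ssl_on = props.get("server.ssl.enable", "").lower() == "true"
    out = []
    for key in SECRETS:
        if key.startswith("server.ssl.") and not ssl_on:
            continue  # keystore secrets only matter when the SSL listener is on
        if props.get(key, "") in WEAK:
            out.append((key, "default or guessable secret"))
    if props.get("config.admin.username") == "admin":
        out.append(("config.admin.username", "default account name"))
    if props.get("config.server.bind") == "0.0.0.0":
        out.append(("config.server.bind", "background interface on all addresses"))
    if ssl_on and props.get("server.ssl.jksPath") == "test.jks":
        out.append(("server.ssl.jksPath", "keystore unchanged from the sample"))
    return out

if __name__ == "__main__":
    print(*audit(parse_properties(SAMPLE)), sep="\n")
```

Run against the sample, it also reports the SSL keystore settings, because server.ssl.enable is still true even though the SSL port is not used in this project.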

A Java runtime environment is required to start the server. If it is not installed, you need to install it yourself!

After configuration, use the appropriate sh or bat file in the bin/ directory to start the project. Access the background interface at localhost:8090 (if you changed the port, use your custom port), and then operate as shown in the following figures.
[Figures: background interface screenshots]
So far, we have installed the LANproxy server and configured a client's key and penetration port. Note that the ports used above need to be opened in the firewall (for the Alibaba Cloud server I use, security group policies need to be configured in the Alibaba Cloud console).

Next, we need to configure the client.

2. Install the client

First, I prepared a Raspberry Pi with Ubuntu 20 (no desktop). LANproxy provides a Go-compiled client, which is very convenient to use. Download the client from the download link.

At the download link, the files whose names begin with lanproxy-client-* are the client. You need to select the version that matches your own system. The Raspberry Pi is based on the ARM architecture, so I downloaded lanproxy-client-linux-arm.tar.gz. For a machine with a desktop CPU (Intel or AMD), you need to download lanproxy-client-linux-amd64-20190523.tar.gz or lanproxy-client-linux-386-20190523.tar.gz (for 64-bit and 32-bit machines respectively).

After fetching the archive on the Raspberry Pi and unpacking it, start the program in the background with this command:

sudo nohup ./client_linux_arm7 -s SERVER_IP_OR_DOMAIN -p SERVER_PORT -k KEY &

The server port is the port number specified in the server.port field of the configuration file.

3. Test

After the client is started, log in to the LANproxy console and check the online status of the device in the "client management" interface.

Connect with Xshell, entering the public IP and port number, and you are connected directly to the Raspberry Pi.

Optimization

Start the client automatically at boot on the Raspberry Pi

To be completed

Start the server automatically at boot

To be completed