环境和依赖
# Create the working tree for the nps server; ./conf is bind-mounted into the
# container as /conf by the compose file written next.
mkdir -p "$HOME/base/NPS" && cd "$HOME/base/NPS" && mkdir conf
# Write the compose file and the server configuration shown below.
nano docker-compose.yml
nano conf/nps.conf
# Create the three (empty) JSON state files inside the mounted conf dir.
touch conf/clients.json conf/hosts.json conf/tasks.json
# Start the server detached.
sudo docker-compose up --detach
# nps server. Only the TLS bridge (8025/tcp) and the p2p UDP range are
# published on the host; the admin UI and the plain bridge configured in
# nps.conf remain reachable solely on the external `ngpm` network
# (presumably fronted by a reverse proxy there — confirm).
version: '3.3'
services:
  nps:
    # Mutable tag (no version or digest): pin one before relying on this.
    image: yisier1/nps
    container_name: nps
    restart: unless-stopped
    ports:
      - '8025:8025'                # tls_bridge_port in nps.conf
      - '6000-6002:6000-6002/udp'  # p2p_port plus the two extra ports
    volumes:
      - './conf:/conf'             # nps.conf and the json state files
      - '/etc/localtime:/etc/localtime:ro'
networks:
  default:
    external: true
    name: ngpm
# nps server configuration (mounted at /conf/nps.conf). Upstream template
# comments are kept verbatim; reviewer remarks are marked NOTE(review).
appname = nps
#Boot mode(dev|pro)
runmode = pro

#HTTP(S) proxy port, no startup if empty
# Bound on all container interfaces but not published by the compose file,
# so it is only reachable from the `ngpm` Docker network.
http_proxy_ip=0.0.0.0
http_proxy_port=18081

##bridge
# Plain-TCP bridge on 8024 and TLS bridge on 8025. Only 8025 is published by
# the compose file; the clients in this post use it with -tls_enable=true.
bridge_type=tcp
bridge_port=8024
bridge_ip=0.0.0.0
tls_bridge_port=8025
tls_enable=true

#Traffic data persistence interval(minute)
#Ignorance means no persistence
#flow_store_interval=1

# log level LevelEmergency->0 LevelAlert->1 LevelCritical->2 LevelError->3 LevelWarning->4 LevelNotice->5 LevelInformational->6 LevelDebug->7
# NOTE(review): 7 is the most verbose level while runmode=pro. Useful while
# bringing the tunnel up; lower it (e.g. 4) afterwards so the container log
# does not keep a record of every connection.
log_level=7
#log_path=nps.log

#Whether to restrict IP access, true or false or ignore
#ip_limit=true

#allow_ports=9001-9009,10001,11000-12000

#Web management multi-user login
# Single-admin mode: no self-registration and no additional logins.
allow_user_login=false
allow_user_register=false
allow_user_change_username=false

#extension
allow_flow_limit=false
allow_rate_limit=false
allow_tunnel_num_limit=false
allow_local_proxy=false
allow_connection_num_limit=false
allow_multi_ip=false
system_info_display=true

#cache
http_cache=false
http_cache_length=100

#get origin ip
http_add_origin_header=true

#pprof debug options
# Keep these commented out: Go's pprof endpoint is typically unauthenticated.
#pprof_ip=0.0.0.0
#pprof_port=9999

#client disconnect timeout
disconnect_timeout=60

# The settings below must be filled in for this deployment.
# Placeholders: <16个字符> = a 16-character value, <24个字符> = a 24-character
# value, <写服务器的ip> = the server's public IP. Use random secrets,
# e.g. `openssl rand -hex 8` yields 16 characters.

# Public password, which clients can use to connect to the server
# After the connection, the server will be able to open relevant ports and parse related domain names according to its own configuration file.
# Shared by every client (-vkey); rotate it if any client machine is lost.
public_vkey=<16个字符>

#Web API unauthenticated IP address(the len of auth_crypt_key must be 16)
#Remove comments if needed
# NOTE(review): the "Remove comments if needed" line above suggests these two
# ship commented out upstream; they are enabled here, which turns on the Web
# API on web_port. Comment them back out if the API is not used.
auth_key=<24个字符>
auth_crypt_key=<16个字符>

#web
web_host=limour.top
web_username=Limour
web_password=<16个字符>
# Plain HTTP (web_open_ssl=false) on every container interface. Acceptable
# only because the compose file does not publish web_port; keep it that way
# and terminate TLS at the reverse proxy on the `ngpm` network.
web_port = 8080
web_ip=0.0.0.0
web_open_ssl=false
web_base_url=
open_captcha=true
# if web under proxy use sub path. like http://host/nps need this.
#web_base_url=/nps

#p2p
# Set p2p_port to 6000 and open UDP 6000-6002 (the base port plus two extra
# ports) in the provider's firewall; the compose file publishes that range.
# (This note was originally an inline `#` comment after the port value; it
# is kept on its own line so the ini parser cannot read it as part of the value.)
p2p_ip=<写服务器的ip>
p2p_port=6000
配置端口映射
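# Create the script (the unit below expects it at /root/Port-Hopping.sh, so
# run this from /root or adjust ExecStart) and make it executable.
nano Port-Hopping.sh && chmod +x Port-Hopping.sh
nano /etc/systemd/system/Port-Hopping.service
# Pick up the new unit file, enable it at boot and start it now.
systemctl daemon-reload && systemctl enable --now Port-Hopping
# `status` exits non-zero once a simple-type unit has exited, which would
# short-circuit an `&&` chain, so list the rules on their own lines.
# -n prints numeric addresses/ports instead of reverse-resolving each one.
systemctl status Port-Hopping
iptables -t nat -nL
ip6tables -t nat -nL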
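#!/bin/bash
# Port hopping for the Hysteria server: DNAT every new inbound UDP flow on
# the public interface whose destination port lies in the hop range to the
# single listener port (port-only rewrite; the address is left unchanged).
#
# Caveat: the range overlaps the kernel's ephemeral port range. Replies to
# the host's own outbound UDP traffic are unaffected (the nat table is only
# consulted for the first packet of a flow), but any other UDP service bound
# in that range on this interface will be shadowed by these rules.
#
# Interface, range and target can be overridden through the environment;
# the defaults reproduce the original rules.
set -eu

IFACE="${IFACE:-eth0}"
HOP_RANGE="${HOP_RANGE:-32768:61000}"
TARGET_PORT="${TARGET_PORT:-3234}"

# Append the rule only when an identical one is not already present (-C),
# so re-running the script (service restarts, manual re-runs) does not stack
# duplicate rules in PREROUTING.
add_rule() {
  local tool="$1"
  if ! "$tool" -t nat -C PREROUTING -i "$IFACE" -p udp --dport "$HOP_RANGE" \
      -j DNAT --to-destination ":$TARGET_PORT" 2>/dev/null; then
    "$tool" -t nat -A PREROUTING -i "$IFACE" -p udp --dport "$HOP_RANGE" \
      -j DNAT --to-destination ":$TARGET_PORT"
  fi
}

add_rule /usr/sbin/iptables
add_rule /usr/sbin/ip6tables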
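[Unit]
Description=Port-Hopping
# The script appends to nat/PREROUTING, so run after Docker has installed
# its own chains. The script must exist at the ExecStart path below.
After=network.target docker.service

[Service]
# The script only inserts iptables rules and exits. As a oneshot with
# RemainAfterExit the unit stays "active (exited)" once the rules are in
# place, `systemctl status` reports success, and a later `start` does not
# re-run it. (The previous default Type=simple with Restart=on-failure went
# inactive right after the script returned and re-ran it on every restart;
# Restart= is dropped because older systemd rejects it on oneshot units.)
Type=oneshot
RemainAfterExit=yes
ExecStart=/root/Port-Hopping.sh

[Install]
WantedBy=multi-user.target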
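# Alternative to the PREROUTING script: add the hop-range DNAT directly to
# Docker's DOCKER chain, pointing at the container address Docker already
# NATs 3234/udp to. Docker's own PREROUTING jump runs before any appended
# rule, so this variant delivers packets straight into the container.
#
# NOTE: the container IP is looked up once, when hop_add runs; it goes stale
# whenever the hysteria container is recreated, so re-run hop_add then.
# -n keeps iptables from reverse-resolving addresses and keeps ports numeric
# so the greps match reliably. Each lookup is checked for emptiness so a
# missing rule cannot turn into an `--to-destination ''` error.

# Add the hop-range rule, targeting the current DNAT destination of 3234/udp.
hop_add() {
  local target
  target=$(iptables -t nat -nL DOCKER | grep 'udp dpt:3234' | grep -oP 'to:\K[^ ]+' | head -n 1)
  if [ -z "$target" ]; then
    echo 'hop_add: no DNAT rule for udp dpt:3234 in the DOCKER chain' >&2
    return 1
  fi
  iptables -t nat -A DOCKER -p udp --dport 32768:61000 -j DNAT --to-destination "$target"
}

# Remove the most recently added hop-range rule.
hop_del() {
  local old
  old=$(iptables -t nat -nL DOCKER | grep 'udp dpts:32768:61000' | tail -n 1 | grep -oP 'to:\K[^ ]+')
  if [ -z "$old" ]; then
    echo 'hop_del: no hop-range rule in the DOCKER chain' >&2
    return 1
  fi
  iptables -t nat -D DOCKER -p udp --dport 32768:61000 -j DNAT --to-destination "$old"
}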
配置quic
# Docker network the Hysteria server joins (declared external in its compose file).
sudo docker network create sswitch
# Working directory for the server side of the QUIC tunnel.
mkdir -p "$HOME/app/quic" && cd "$HOME/app/quic" && nano docker-compose.yml
nano hysteria.yaml
# Start detached, then dump the logs once to confirm the listener came up.
sudo docker-compose up --detach && sudo docker-compose logs
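# Hysteria server. Both bind mounts are read-only: the process only reads
# its config and the certificate/key, and the letsencrypt tree is shared with
# the reverse proxy, so a compromised hysteria must not be able to alter or
# delete that private key.
version: '3.9'
services:
  hysteria:
    # Mutable tag (no version or digest): pin one before relying on this.
    image: tobyxdd/hysteria
    restart: always
    # Lets client tcpForwarding rules with `remote: host.docker.internal:…`
    # reach services on the Docker host (here the nps TLS bridge on 8025).
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    ports:
      - '3234:3234/udp'
    volumes:
      - './hysteria.yaml:/etc/hysteria.yaml:ro'
      # Whole tree, not just live/: live/ holds symlinks into ../../archive/.
      - '/root/base/NGPM/letsencrypt:/home/ubuntu/letsencrypt:ro'
    command: ['server', '-c', '/etc/hysteria.yaml']
networks:
  default:
    external: true
    name: sswitch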
# Hysteria server config (mounted at /etc/hysteria.yaml).
listen: :3234
tls:
  # live/ contains symlinks into ../../archive/, so the whole letsencrypt
  # tree has to be mounted (the compose file does) for these to resolve.
  cert: /home/ubuntu/letsencrypt/live/npm-1/fullchain.pem
  key: /home/ubuntu/letsencrypt/live/npm-1/privkey.pem
auth:
  type: password
  # NOTE(review): this password is the only authentication on the tunnel and
  # it appears verbatim in the client configs below — i.e. it is published
  # with this post. Generate your own (e.g. `openssl rand -base64 24`) and
  # update every client to match.
  password: Se7RAuFZ8Lzg
bandwidth:
  up: 3 mbps
  down: 3 mbps
masquerade:
  # Unauthenticated HTTP/3 requests are proxied to the site below, so the
  # listener answers like an ordinary web server.
  type: proxy
  proxy:
    url: https://hexo.limour.top/
    rewriteHost: true
测试转发
在客户端新建 config.yaml，写入以下内容：
# Hysteria client config for the forwarding test (runs on the client machine).
# Port-range form: the client hops across UDP 32768-61000, which the
# server-side DNAT rules fold onto 3234.
server: hexo.limour.top:32768-61000
# Must equal auth.password in the server's hysteria.yaml.
auth: Se7RAuFZ8Lzg
bandwidth:
  up: 3 mbps
  down: 3 mbps
tcpForwarding:
  # Loopback 8025 -> (through the tunnel) the server host's 8025, i.e. the
  # nps TLS bridge. `host.docker.internal` is resolved on the server side,
  # where the compose file maps it to the host gateway.
  # NOTE(review): the test command below dials 127.0.0.1:8024, which no rule
  # here forwards — either add a rule for 8024 or test against 8025 with
  # -tls_enable=true (confirm which was intended).
  - listen: 127.0.0.1:8025
    remote: host.docker.internal:8025
测试穿透
# Test the tunnel from the client with npc.
# NOTE(review): the config.yaml above only forwards 127.0.0.1:8025 (the TLS
# bridge); 8024 is the plain bridge and is not forwarded, so this command has
# no listener to reach unless a second tcpForwarding rule is added. The
# compose example below instead uses `-server=127.0.0.1:8025 -tls_enable=true`
# — confirm which was intended.
.\npc.exe --server=127.0.0.1:8024 -vkey=<vkey> -type=tcp
客户端示例
# Working directory for the client side (Hysteria client + npc).
mkdir -p "$HOME/app/quic-npc" && cd "$HOME/app/quic-npc" && nano docker-compose.yml
nano config.yaml
# Start detached, then dump the logs once to check that npc connected.
sudo docker-compose up --detach && sudo docker-compose logs
# Client side: a Hysteria client forwarding loopback 8025 through the tunnel,
# and an npc that dials that forward. Both share the host network namespace,
# so npc reaches the forward at 127.0.0.1 and the forward stays loopback-only.
version: '3.3'
services:
  quic_nps:
    image: tobyxdd/hysteria   # mutable tag; pin a release before relying on it
    network_mode: host
    restart: always
    volumes:
      - './config.yaml:/etc/config.yaml'
    command: ['--config', '/etc/config.yaml']
  npc_lk:
    image: yisier1/npc        # mutable tag; pin a release before relying on it
    network_mode: host
    restart: unless-stopped
    # Start ordering only: npc is not held back until the forward is
    # listening. If it exits on an early connect failure, the restart
    # policy brings it back.
    depends_on:
      - quic_nps
    # Dial the forwarded TLS bridge using the server's public_vkey.
    command:
      - '-server=127.0.0.1:8025'
      - '-vkey=<vkey>'
      - '-tls_enable=true'
# Hysteria client config used by the quic_nps service above.
# Port-range form: the client hops across UDP 32768-61000, which the
# server-side DNAT rules fold onto 3234.
server: hexo.limour.top:32768-61000
# Must equal auth.password in the server's hysteria.yaml (and, being shared
# with the published server config, should be replaced with your own value).
auth: Se7RAuFZ8Lzg
bandwidth:
  up: 3 mbps
  down: 3 mbps
tcpForwarding:
  # Loopback 8025 on the client host -> the server host's 8025 (nps TLS
  # bridge). `host.docker.internal` is resolved on the server side, where
  # the server compose file maps it to the host gateway. npc_lk dials this.
  - listen: 127.0.0.1:8025
    remote: host.docker.internal:8025
【探索】基于QUIC的内网穿透协议
https://hexo.limour.top/Protocol-for-intranet-penetration-based-on-QUIC