--- title: 【探索】基于QUIC的内网穿透协议 urlname: Protocol-for-intranet-penetration-based-on-QUIC date: 2023-10-27 20:46:07 index_img: https://api.limour.top/randomImg?d=2023-10-27 20:46:07 tags: ['docker', 'ngpm', "内网穿透", '探索'] --- ## 环境和依赖 + [内网穿透服务](/-ji-lu--an-zhuang-npsfrp-fu-wu-duan-yu-ke-hu-duan) + [证书自动申请服务](/Docker-bu-shu-Nginx-Proxy-Manager) ```bash mkdir -p ~/base/NPS && cd ~/base/NPS && mkdir conf nano docker-compose.yml nano conf/nps.conf touch conf/{clients,hosts,tasks}.json sudo docker-compose up -d # 反代 dashboard 8080 ``` ```yml version: '3.3' services: nps: container_name: nps restart: unless-stopped ports: - '8025:8025' - '6000-6002:6000-6002/udp' volumes: - './conf:/conf' - '/etc/localtime:/etc/localtime:ro' image: yisier1/nps networks: default: external: true name: ngpm ``` ```conf appname = nps #Boot mode(dev|pro) runmode = pro #HTTP(S) proxy port, no startup if empty http_proxy_ip=0.0.0.0 http_proxy_port=18081 ##bridge bridge_type=tcp bridge_port=8024 bridge_ip=0.0.0.0 tls_bridge_port=8025 tls_enable=true #Traffic data persistence interval(minute) #Ignorance means no persistence #flow_store_interval=1 # log level LevelEmergency->0 LevelAlert->1 LevelCritical->2 LevelError->3 LevelWarning->4 LevelNotice->5 LevelInformational->6 LevelDebug->7 log_level=7 #log_path=nps.log #Whether to restrict IP access, true or false or ignore #ip_limit=true #allow_ports=9001-9009,10001,11000-12000 #Web management multi-user login allow_user_login=false allow_user_register=false allow_user_change_username=false #extension allow_flow_limit=false allow_rate_limit=false allow_tunnel_num_limit=false allow_local_proxy=false allow_connection_num_limit=false allow_multi_ip=false system_info_display=true #cache http_cache=false http_cache_length=100 #get origin ip http_add_origin_header=true #pprof debug options #pprof_ip=0.0.0.0 #pprof_port=9999 #client disconnect timeout disconnect_timeout=60 # 以下的需要进行配置 # Public password, which clients can use to connect to the server # After the connection, the server will be able to open relevant ports and parse related domain names according to its own configuration file. public_vkey=<16个字符> #Web API unauthenticated IP address(the len of auth_crypt_key must be 16) #Remove comments if needed auth_key=<24个字符> auth_crypt_key=<16个字符> #web web_host=limour.top web_username=Limour web_password=<16个字符> web_port = 8080 web_ip=0.0.0.0 web_open_ssl=false web_base_url= open_captcha=true # if web under proxy use sub path. like http://host/nps need this. #web_base_url=/nps #p2p p2p_ip=<写服务器的ip> p2p_port=6000 # 设置为6000,请在控制台防火墙开放6000~6002(额外添加2个端口)udp端口 ``` ## 配置端口映射 ```bash nano Port-Hopping.sh && chmod +x Port-Hopping.sh nano /etc/systemd/system/Port-Hopping.service systemctl enable Port-Hopping && systemctl start Port-Hopping && systemctl status Port-Hopping && iptables -t nat -L ``` ```bash #!/bin/bash # IPv4 /usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 32768:61000 -j DNAT --to-destination :3234 # IPv6 /usr/sbin/ip6tables -t nat -A PREROUTING -i eth0 -p udp --dport 32768:61000 -j DNAT --to-destination :3234 ``` ```service [Unit] Description=Port-Hopping After=network.target docker.service [Service] ExecStart=/root/Port-Hopping.sh Restart=on-failure [Install] WantedBy=multi-user.target ``` ```bash iptables -t nat -A DOCKER -p udp --dport 32768:61000 -j DNAT --to-destination `iptables -t nat -L| grep "udp dpt:3234" | grep -oP 'to:\K[^ ]+'` # 添加 iptables -t nat -D DOCKER -p udp --dport 32768:61000 -j DNAT --to-destination `iptables -t nat -L| grep "udp dpts:32768:61000"| tail -n 1 | grep -oP 'to:\K[^ ]+'` # 删除 ``` ## 配置quic ```bash sudo docker network create sswitch mkdir -p ~/app/quic && cd ~/app/quic && nano docker-compose.yml nano hysteria.yaml sudo docker-compose up -d && sudo docker-compose logs ``` ```yml version: '3.9' services: hysteria: image: tobyxdd/hysteria restart: always extra_hosts: - 'host.docker.internal:host-gateway' ports: - '3234:3234/udp' volumes: - ./hysteria.yaml:/etc/hysteria.yaml - /root/base/NGPM/letsencrypt:/home/ubuntu/letsencrypt command: ["server", "-c", "/etc/hysteria.yaml"] networks: default: external: true name: sswitch ``` ```yml listen: :3234 tls: cert: /home/ubuntu/letsencrypt/live/npm-1/fullchain.pem key: /home/ubuntu/letsencrypt/live/npm-1/privkey.pem auth: type: password password: Se7RAuFZ8Lzg bandwidth: up: 3 mbps down: 3 mbps masquerade: type: proxy proxy: url: https://hexo.limour.top/ rewriteHost: true ``` ## 测试转发 + 在客户端新建`config.yaml`, 写入以下内容 ```yml server: hexo.limour.top:32768-61000 auth: Se7RAuFZ8Lzg bandwidth: up: 3 mbps down: 3 mbps #socks5: # listen: 127.0.0.1:1580 #http: # listen: 127.0.0.1:8580 tcpForwarding: - listen: 127.0.0.1:8025 remote: host.docker.internal:8025 ``` ## 测试穿透 ```powershell .\npc.exe --server=127.0.0.1:8024 -vkey= -type=tcp ``` ## 客户端示例 ```bash mkdir -p ~/app/quic-npc && cd ~/app/quic-npc && nano docker-compose.yml nano config.yaml sudo docker-compose up -d && sudo docker-compose logs ``` ```yml version: '3.3' services: quic_nps: image: tobyxdd/hysteria network_mode: host restart: always volumes: - ./config.yaml:/etc/config.yaml command: ["--config", "/etc/config.yaml"] npc_lk: depends_on: - quic_nps network_mode: host image: yisier1/npc restart: unless-stopped command: -server=127.0.0.1:8025 -vkey= -tls_enable=true ``` ```yml server: hexo.limour.top:32768-61000 auth: Se7RAuFZ8Lzg bandwidth: up: 3 mbps down: 3 mbps tcpForwarding: - listen: 127.0.0.1:8025 remote: host.docker.internal:8025 ```