异地网络远程访问

不知不觉中，疫情已经来到第三个年头，居家办公逐渐成为常态；但大多企业内部系统（如 OA、ERP、CRM）要么位于本地局域网，要么白名单访问；

而现在的家庭宽带获取 IP 变动频繁甚至没有公网 IP，如何更稳定的保证外勤员工都能使用这些系统是重中之重。

一、防火墙

放行或者关闭防火墙，详见 [[Linux 系统防火墙]]

systemctl stop firewalld
systemctl disable firewalld
setenforce 0

二、方案

• 点↔点：及常用的 VPN、Proxy
• 点↔站：对于需要访问本地文件服务器、局域网其他资源的需求；点对站 则是在 点对点 的基础上扩展而来，即服务需要部署在局域网内部服务器或者路由器网关上；如：IPsec

• 站↔站：此类方案用于多地办公室组网、资源互通，从 点对站 升级而来；如：ZeroTier，有钱可以直接 ` BGP 组网

  三、服务

  1.Squid

  一台固定公网 IP 的（VPS）服务器搭建相应的服务即可，客户端与服务器之间建立链路，客户端通过服务器网络访问企业内部 OA、ERP、CRM 等系统（添加服务器 IP 到白名单）
  使用 Squid 服务做正向代理

• 传统代理：适用于 Internet，需在客户机指定代理服务器的地址和端口

• 透明代理：
• 反向代理：

  1.1.服务部署

  #安装
  yum install -y squid
  #设置开机启动
  systemctl enable squid
  #启动服务
  systemctl start squid

  1.2.服务配置

  vim /etc/squid/squid.conf 修改服务配置，如 acl 规则、服务端口 http_port 等

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all
http_access allow all

# Squid normally listens to port 3128
http_port 10000

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

修改完配置需要 systemctl restart squid 重启服务，不想访问的时候关闭服务即可

1.3.服务日志

tail -f /var/log/squid/access.log

测试

wget -e "http_proxy=http://10.240.216.197:8081" https://qyapi.weixin.qq.com/cgi-bin/gettoken

2.IPsec

3.ZeroTier

https://www.zerotier.com/

4.WireGuard

https://www.wireguard.com/

4.1.部署

4.2.优化

内网穿透，用 udp2raw 模拟成 tcp

1.禁止入方向的 ping

-A INPUT -p icmp --icmp-type echo-request -j DROP

2.禁止服务器应答 icmp port unreachable 和 host unreachable 消息

-A OUTPUT -p icmp --icmp-type port-unreachable -j DROP
-A OUTPUT -p icmp --icmp-type host-unreachable -j DROP

3.禁止服务器应答 no listen port 的 tcp reset 消息（标志位为 rst,ack ）

-A OUTPUT -p tcp --tcp-flags ALL RST,ACK -j DROP

4.尽量不要使用 ssh 直连服务器

5.不要使用默认端口，设置在 16384-16389 之间为宜