Site-to-Site VPN + 3 Tier + NFS lab (team project)

2025. 2. 15. 20:09 AWS Cloud School Cohort 8

💡 Problem

Each branch is physically separated, and each team member manages one branch.
Each branch has one private network inside it.

1️⃣ web branch (web)
- Serve a simple web template at the path /tem
- At the path /test, verify the 3-tier link between tomcat and the db (dbtest.jsp)

2️⃣ was branch (was)
- Configure tomcat

3️⃣ db branch (db)
- Configure nfs-server

☑️ Except for tomcat's library files, the originals of the web template files and jsp files must exist only on the db branch's nfs-server.

Configure the servers so that they can be reached and verified from outside (192.168.0.0/22).
=> Bridge VyOS onto the WiFi so that eth0 gets its IP via dhcp, and make Site-to-Site possible!!!

 

🚀 Requirements

1️⃣ web branch (web)
- Configure httpd
- /var/www/html/index.html must be obtained from the DB via mount
- dbtest.jsp must be reached through the Reverse Proxy Server in front of the WAS

DNAT required ⭕ : must be reachable from outside on port 80
PAT required


2️⃣ was branch (was)
- Configure tomcat
- The file /root/tomcat/webapps/ROOT/dbtest.jsp must be obtained from the DB via mount

DNAT required ❌ : because the WAS is reached through the Web & communication goes through the tunnel
PAT required


3️⃣ db branch (db)
- Configure mariadb
- dbtest.jsp and index.html must exist in /shared (mount point)
- Configure nfs-server
    - db: /shared -> web: /var/www/html mount => share index.html
    - db: /shared -> was: /root/tomcat/webapps/ROOT mount => share dbtest.jsp

DNAT required ❌ : because the DB is reached through the WAS & communication goes through the tunnel
PAT required

 

✅ Configuration diagram

1️⃣ VyOS configuration

✅ VyOS1

  • Site-to-Site settings

🔵 Tunnel 1 (WAS → DB)

set vpn ipsec esp-group head-esp compression disable
set vpn ipsec esp-group head-esp lifetime 1800
set vpn ipsec esp-group head-esp mode tunnel
set vpn ipsec esp-group head-esp pfs enable
set vpn ipsec esp-group head-esp proposal 1 encryption aes256
set vpn ipsec esp-group head-esp proposal 1 hash sha256
set vpn ipsec ike-group head-ike ikev2-reauth no
set vpn ipsec ike-group head-ike key-exchange ikev1
set vpn ipsec ike-group head-ike lifetime 1800
set vpn ipsec ike-group head-ike proposal 1 encryption aes256
set vpn ipsec ike-group head-ike proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 192.168.3.63 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.168.3.63 authentication pre-shared-secret aws8
set vpn ipsec site-to-site peer 192.168.3.63 ike-group head-ike
set vpn ipsec site-to-site peer 192.168.3.63 local-address 192.168.3.53
set vpn ipsec site-to-site peer 192.168.3.63 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 192.168.3.63 tunnel 1 esp-group head-esp
set vpn ipsec site-to-site peer 192.168.3.63 tunnel 1 local prefix 10.10.1.0/24
set vpn ipsec site-to-site peer 192.168.3.63 tunnel 1 remote prefix 10.10.2.0/24

 

🔵 Tunnel 3 (WAS → WEB)

set vpn ipsec esp-group head-esp compression disable
set vpn ipsec esp-group head-esp lifetime 1800
set vpn ipsec esp-group head-esp mode tunnel
set vpn ipsec esp-group head-esp pfs enable
set vpn ipsec esp-group head-esp proposal 1 encryption aes256
set vpn ipsec esp-group head-esp proposal 1 hash sha256
set vpn ipsec ike-group head-ike ikev2-reauth no
set vpn ipsec ike-group head-ike key-exchange ikev1
set vpn ipsec ike-group head-ike lifetime 1800
set vpn ipsec ike-group head-ike proposal 1 encryption aes256
set vpn ipsec ike-group head-ike proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 192.168.3.60 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.168.3.60 authentication pre-shared-secret aws8
set vpn ipsec site-to-site peer 192.168.3.60 ike-group head-ike
set vpn ipsec site-to-site peer 192.168.3.60 local-address 192.168.3.53
set vpn ipsec site-to-site peer 192.168.3.60 tunnel 3 allow-nat-networks disable
set vpn ipsec site-to-site peer 192.168.3.60 tunnel 3 esp-group head-esp
set vpn ipsec site-to-site peer 192.168.3.60 tunnel 3 local prefix 10.10.1.0/24
set vpn ipsec site-to-site peer 192.168.3.60 tunnel 3 remote prefix 10.10.3.0/24

 

✅ VyOS2

  • Site-to-Site settings

🔵 Tunnel 1

set vpn ipsec esp-group head-esp compression disable
set vpn ipsec esp-group head-esp lifetime 1800
set vpn ipsec esp-group head-esp mode tunnel
set vpn ipsec esp-group head-esp pfs enable
set vpn ipsec esp-group head-esp proposal 1 encryption aes256
set vpn ipsec esp-group head-esp proposal 1 hash sha256
set vpn ipsec ike-group head-ike ikev2-reauth no
set vpn ipsec ike-group head-ike key-exchange ikev1
set vpn ipsec ike-group head-ike lifetime 1800
set vpn ipsec ike-group head-ike proposal 1 encryption aes256
set vpn ipsec ike-group head-ike proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 192.168.3.53 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.168.3.53 authentication pre-shared-secret aws8
set vpn ipsec site-to-site peer 192.168.3.53 ike-group head-ike
set vpn ipsec site-to-site peer 192.168.3.53 local-address 192.168.3.63
set vpn ipsec site-to-site peer 192.168.3.53 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 192.168.3.53 tunnel 1 esp-group head-esp
set vpn ipsec site-to-site peer 192.168.3.53 tunnel 1 local prefix 10.10.2.0/24
set vpn ipsec site-to-site peer 192.168.3.53 tunnel 1 remote prefix 10.10.1.0/24

 

🔵 Tunnel 2

set vpn ipsec esp-group head-esp compression disable
set vpn ipsec esp-group head-esp lifetime 1800
set vpn ipsec esp-group head-esp mode tunnel
set vpn ipsec esp-group head-esp pfs enable
set vpn ipsec esp-group head-esp proposal 1 encryption aes256
set vpn ipsec esp-group head-esp proposal 1 hash sha256
set vpn ipsec ike-group head-ike ikev2-reauth no
set vpn ipsec ike-group head-ike key-exchange ikev1
set vpn ipsec ike-group head-ike lifetime 1800
set vpn ipsec ike-group head-ike proposal 1 encryption aes256
set vpn ipsec ike-group head-ike proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 192.168.3.60 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.168.3.60 authentication pre-shared-secret aws8
set vpn ipsec site-to-site peer 192.168.3.60 ike-group head-ike
set vpn ipsec site-to-site peer 192.168.3.60 local-address 192.168.3.63
set vpn ipsec site-to-site peer 192.168.3.60 tunnel 2 allow-nat-networks disable
set vpn ipsec site-to-site peer 192.168.3.60 tunnel 2 esp-group head-esp
set vpn ipsec site-to-site peer 192.168.3.60 tunnel 2 local prefix 10.10.2.0/24
set vpn ipsec site-to-site peer 192.168.3.60 tunnel 2 remote prefix 10.10.3.0/24

 

✅ VyOS3

  • Site-to-Site settings

🔵 Tunnel 3

set vpn ipsec esp-group head-esp compression disable
set vpn ipsec esp-group head-esp lifetime 1800
set vpn ipsec esp-group head-esp mode tunnel
set vpn ipsec esp-group head-esp pfs enable
set vpn ipsec esp-group head-esp proposal 1 encryption aes256
set vpn ipsec esp-group head-esp proposal 1 hash sha256
set vpn ipsec ike-group head-ike ikev2-reauth no
set vpn ipsec ike-group head-ike key-exchange ikev1
set vpn ipsec ike-group head-ike lifetime 1800
set vpn ipsec ike-group head-ike proposal 1 encryption aes256
set vpn ipsec ike-group head-ike proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 192.168.3.53 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.168.3.53 authentication pre-shared-secret aws8
set vpn ipsec site-to-site peer 192.168.3.53 ike-group head-ike
set vpn ipsec site-to-site peer 192.168.3.53 local-address 192.168.3.60
set vpn ipsec site-to-site peer 192.168.3.53 tunnel 3 allow-nat-networks disable
set vpn ipsec site-to-site peer 192.168.3.53 tunnel 3 esp-group head-esp
set vpn ipsec site-to-site peer 192.168.3.53 tunnel 3 local prefix 10.10.3.0/24
set vpn ipsec site-to-site peer 192.168.3.53 tunnel 3 remote prefix 10.10.1.0/24

 

🔵 Tunnel 2

set vpn ipsec esp-group head-esp compression disable
set vpn ipsec esp-group head-esp lifetime 1800
set vpn ipsec esp-group head-esp mode tunnel
set vpn ipsec esp-group head-esp pfs enable
set vpn ipsec esp-group head-esp proposal 1 encryption aes256
set vpn ipsec esp-group head-esp proposal 1 hash sha256
set vpn ipsec ike-group head-ike ikev2-reauth no
set vpn ipsec ike-group head-ike key-exchange ikev1
set vpn ipsec ike-group head-ike lifetime 1800
set vpn ipsec ike-group head-ike proposal 1 encryption aes256
set vpn ipsec ike-group head-ike proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 192.168.3.63 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.168.3.63 authentication pre-shared-secret aws8
set vpn ipsec site-to-site peer 192.168.3.63 ike-group head-ike
set vpn ipsec site-to-site peer 192.168.3.63 local-address 192.168.3.60
# tunnel 2 here so that the id matches the heading and the VyOS2 side of this pair
set vpn ipsec site-to-site peer 192.168.3.63 tunnel 2 allow-nat-networks disable
set vpn ipsec site-to-site peer 192.168.3.63 tunnel 2 esp-group head-esp
set vpn ipsec site-to-site peer 192.168.3.63 tunnel 2 local prefix 10.10.3.0/24
set vpn ipsec site-to-site peer 192.168.3.63 tunnel 2 remote prefix 10.10.2.0/24

 

☑️ Verification ≫ connection established 🆗

run sh vpn ipsec sa

 

2️⃣ NAT configuration

✅ VyOS1

  • PAT settings
# Exclude from NAT when the destination is 10.10.2.0/24 (reached through Tunnel 1)
set nat source rule 20 destination address 10.10.2.0/24
set nat source rule 20 exclude
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 10.10.1.0/24

# Exclude from NAT when the destination is 10.10.3.0/24 (reached through Tunnel 3)
set nat source rule 21 destination address 10.10.3.0/24
set nat source rule 21 exclude
set nat source rule 21 outbound-interface eth0
set nat source rule 21 source address 10.10.1.0/24

# Default NAT (PAT) rule for everything else leaving eth0
set nat source rule 22 outbound-interface eth0
set nat source rule 22 source address 10.10.1.0/24
set nat source rule 22 translation address masquerade

 

✅ VyOS2

  • PAT settings
# Exclude from NAT when the destination is 10.10.1.0/24 (reached through Tunnel 1)
set nat source rule 20 destination address 10.10.1.0/24
set nat source rule 20 exclude
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 10.10.2.0/24

# Exclude from NAT when the destination is 10.10.3.0/24 (reached through Tunnel 2)
set nat source rule 21 destination address 10.10.3.0/24
set nat source rule 21 exclude
set nat source rule 21 outbound-interface eth0
set nat source rule 21 source address 10.10.2.0/24

# Default NAT (PAT) rule for everything else leaving eth0
set nat source rule 22 outbound-interface eth0
set nat source rule 22 source address 10.10.2.0/24
set nat source rule 22 translation address masquerade

 

✅ VyOS3

  • PAT settings
# Exclude from NAT when the destination is 10.10.1.0/24 (reached through Tunnel 3)
set nat source rule 20 destination address 10.10.1.0/24
set nat source rule 20 exclude
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 10.10.3.0/24

# Exclude from NAT when the destination is 10.10.2.0/24 (reached through Tunnel 2)
set nat source rule 21 destination address 10.10.2.0/24
set nat source rule 21 exclude
set nat source rule 21 outbound-interface eth0
set nat source rule 21 source address 10.10.3.0/24

# Default NAT (PAT) rule for everything else leaving eth0
set nat source rule 22 outbound-interface eth0
set nat source rule 22 source address 10.10.3.0/24
set nat source rule 22 translation address masquerade
  • DNAT settings
# Forward TCP port 80 arriving on eth0 from outside to the Web server 10.10.3.80.
# The match is on the inbound interface and port: packets from outside carry VyOS3's
# eth0 address as destination, not 10.10.3.80, which only appears as the translation target.
set nat destination rule 100 inbound-interface eth0
set nat destination rule 100 protocol tcp
set nat destination rule 100 destination port 80
set nat destination rule 100 translation address 10.10.3.80
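The three routers above repeat the same pattern: one mirrored peer block per site pair, plus a source-NAT exclusion for every remote branch prefix before the masquerade rule. The following generator is an added example, not code from the lab write-up; it reuses the lab's peer addresses and prefixes, while the PSK placeholder, the per-pair tunnel ids (which differ from the post's numbering) and the rule numbers are assumptions. The esp-group and ike-group definitions are assumed to exist already.

```python
# Added example, not from the original post: emit the per-router VyOS peer/tunnel
# and source-NAT lines for a full mesh of branch sites. Peer addresses and prefixes
# are the lab's; the PSK placeholder, tunnel ids and rule numbers are assumptions.
from itertools import combinations

SITES = {  # router: (eth0 address used as the IKE peer, private prefix behind it)
    "VyOS1": ("192.168.3.53", "10.10.1.0/24"),  # WAS branch
    "VyOS2": ("192.168.3.63", "10.10.2.0/24"),  # DB branch
    "VyOS3": ("192.168.3.60", "10.10.3.0/24"),  # Web branch
}
PSK = "<pre-shared-secret>"  # placeholder: use a long random secret, one per peer

def tunnel_ids(sites):
    """One tunnel id per unordered site pair, reused on both ends of that pair."""
    return {pair: i + 1 for i, pair in enumerate(combinations(sorted(sites), 2))}

def vpn_lines(router, sites=SITES):
    """Peer blocks for `router`; head-esp/head-ike groups are assumed defined."""
    local_ip, local_pfx = sites[router]
    lines = []
    for (a, b), tid in tunnel_ids(sites).items():
        if router not in (a, b):
            continue
        peer_ip, peer_pfx = sites[b if router == a else a]
        p = f"set vpn ipsec site-to-site peer {peer_ip}"
        lines += [f"{p} authentication mode pre-shared-secret",
                  f"{p} authentication pre-shared-secret {PSK}",
                  f"{p} ike-group head-ike",
                  f"{p} local-address {local_ip}",
                  f"{p} tunnel {tid} esp-group head-esp",
                  f"{p} tunnel {tid} local prefix {local_pfx}",
                  f"{p} tunnel {tid} remote prefix {peer_pfx}"]
    return lines

def nat_lines(router, sites=SITES, rule=20):
    """Exclude each remote branch prefix from masquerade, then masquerade the rest;
    a packet translated to eth0's address no longer matches the tunnel's local prefix."""
    _, local_pfx = sites[router]
    lines = []
    for name, (_, pfx) in sorted(sites.items()):
        if name == router:
            continue
        r = f"set nat source rule {rule}"
        lines += [f"{r} destination address {pfx}", f"{r} exclude",
                  f"{r} outbound-interface eth0", f"{r} source address {local_pfx}"]
        rule += 1
    r = f"set nat source rule {rule}"
    lines += [f"{r} outbound-interface eth0", f"{r} source address {local_pfx}",
              f"{r} translation address masquerade"]
    return lines
```

Printing `vpn_lines("VyOS3") + nat_lines("VyOS3")` yields exactly the exclusion and masquerade rules shown for VyOS3 above, and the peer blocks for each pair mirror each other (local and remote prefixes swapped).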

 

 

☑️ Communication test

1. WAS(10.10.1.88)

  • External

  • 10.10.2.0/24 range ▶️ via Tunnel 1

 

  • 10.10.3.0/24 range ▶️ via Tunnel 3

 

 

2. DB(10.10.2.33)

  • External communication

 

  • 10.10.1.0/24 range

 

  • 10.10.3.0/24 range

4️⃣ DB configuration

  • Mariadb Server configuration
# Install the package
yum install -y mariadb-server
systemctl restart mariadb
systemctl enable mariadb

# Basic security hardening (sets the root password, removes anonymous users and the test DB)
mysql_secure_installation

# Log in as root
mysql -u root -p1234

# Create the DB
create database tomcatdb;

# Create the user and grant privileges ('%' allows connections from any host, so the
# account is reachable from the WAS over the tunnel; restricting it to 10.10.1.% is tighter)
grant all privileges on tomcatdb.* to tomcatuser@'%' identified by '1234';

# Check the databases
show databases;

 

  • NFS server configuration
# Install the NFS server package
yum install -y nfs-utils

# Create the shared directory (mount point) before exporting it
mkdir /shared

# Permissions (777 is what the lab uses; a dedicated owner with 755 is the tighter choice)
chmod 777 -R /shared

# Configure the export target
vi /etc/exports
    > /shared  *(rw)
# '*' lets every host that can reach the server mount it; listing only the
# tunnel prefixes (10.10.1.0/24 and 10.10.3.0/24) instead limits the clients

# Apply the configuration
exportfs -r

# Enable nfs-server
systemctl restart nfs-server
systemctl enable nfs-server

# Check the exported shares
showmount -e

 

  • Put a free website in /shared so that Web's /var/www/html/tem serves it

https://www.free-css.com/free-css-templates 

Download a template from here with wget and move it to /shared

 

  • Create the dbtest.jsp file to deliver to the WAS (/shared/dbtest.jsp)
cat <<'EOF' > /shared/dbtest.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.sql.*"%>
<h1>DB</h1>
<%
        Connection conn = null;
        try {
                // the DB is reached on the DB branch's private address, through the tunnel
                String Url = "jdbc:mysql://10.10.2.33/tomcatdb";
                String Id = "tomcatuser";
                String Pass = "1234";

                Class.forName("com.mysql.jdbc.Driver");
                conn = DriverManager.getConnection(Url, Id, Pass);
                out.println("was-db Connection Success!");
        } catch (Exception e) {
                e.printStackTrace();  // goes to tomcat's log, not to the browser
        } finally {
                if (conn != null) { try { conn.close(); } catch (SQLException e) {} }
        }
%>
EOF

5️⃣ Web configuration

  • Install the httpd package
yum install -y httpd
systemctl restart httpd
systemctl enable httpd

 

  • NFS Client configuration
# Install the package
yum install -y nfs-utils

# Enable nfs-server (only nfs-utils is actually needed on a client; enabling the unit is harmless)
systemctl restart nfs-server
systemctl enable nfs-server

# Mount (an NFS source is written host:/path)
mkdir -p /var/www/html/tem
mount -t nfs 10.10.2.33:/shared /var/www/html/tem

# Mount at boot as well (_netdev waits for the network before mounting)
vi /etc/fstab
> 10.10.2.33:/shared	  /var/www/html/tem 	nfs		defaults,_netdev	0 0

 

  • Reverse Proxy Server configuration
# Proxy server configuration file
vi /etc/httpd/conf/httpd.conf

 

  • Contents to add
    • When http://10.10.3.80/test on the Web is accessed ⏭️ forward to dbtest.jsp on the WAS server (10.10.1.88:8080)
# On RHEL-family httpd these modules are normally loaded from conf.modules.d already;
# if so, the LoadModule lines below only produce an "already loaded" notice
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    # reverse proxy only: never act as a forward (open) proxy
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        # httpd 2.4 form of "Order deny,allow / Allow from all"
        Require all granted
    </Proxy>

    # ProxyPassReverse must use the same path as ProxyPass so redirects are rewritten
    ProxyPass /test http://10.10.1.88:8080/dbtest.jsp
    ProxyPassReverse /test http://10.10.1.88:8080/dbtest.jsp
</VirtualHost>


6️⃣ WAS configuration

  • Install and configure tomcat
# Install openjdk, wget and unzip
yum install -y java-11-openjdk wget unzip

# Download the tomcat archive
wget https://dlcdn.apache.org/tomcat/tomcat-10/v10.1.35/bin/apache-tomcat-10.1.35.zip
unzip apache-tomcat-10.1.35.zip
mv apache-tomcat-10.1.35 tomcat

# Configure tomcat (unzip drops the execute bit on the scripts; 777 is the lab's shortcut,
# chmod +x bin/*.sh is enough)
cd tomcat/
chmod -R 777 /root/tomcat

# Start tomcat
sh ./bin/startup.sh

# Check that port 8080 is listening
ss -nltp

 

  • NFS Client configuration
# Install the package
yum install -y nfs-utils

# Enable nfs-server (only nfs-utils is actually needed on a client; enabling the unit is harmless)
systemctl restart nfs-server
systemctl enable nfs-server

# Mount (an NFS source is written host:/path); this replaces tomcat's default ROOT app
# with the shared directory. The JDBC driver jar stays in /root/tomcat/lib, which is
# the tomcat library directory the problem statement keeps off the NFS share.
mount -t nfs 10.10.2.33:/shared /root/tomcat/webapps/ROOT

# Mount at boot as well (_netdev waits for the network before mounting)
vi /etc/fstab
> 10.10.2.33:/shared	  /root/tomcat/webapps/ROOT 	nfs		defaults,_netdev	0 0
  • Check the mount

  • Check the shared files


🚀 Result check => access from outside

  • The css files in DB's /shared are mounted to Web's /var/www/html/tem

 

  • The dbtest.jsp file in DB's /shared is mounted to WAS's /root/tomcat/webapps/ROOT/dbtest.jsp
  • The Web, acting as Reverse Proxy Server, reaches the WAS and fetches dbtest.jsp