Preface
At present, fewer and fewer newly installed home broadband lines come with a public IPv4 address; public IPv6 addresses are replacing them. However, because IPv6 addresses are hard to remember and there is no ready-made way at home to bind a dynamic public IPv6 address to a dynamic domain name, a public IPv6 address is "as good as nothing". Accessing a public IPv6 address also has a hidden requirement: the accessing end must have an IPv6 address too, which stumps many people (mobile phones get IPv6 through the cellular networks of the three major operators, but not everyone is willing to spend mobile data on home applications, especially heavy-traffic ones such as watching movies). So in this situation, whether or not you have a public IPv6 address (in fact this also applies when you have a public IPv4 address), the most convenient way to reach your home devices from outside is still one of the various "intranet penetration" techniques (the operator will certainly have given you an IPv4 address, just not a public one; in the future it may add a public IPv6 address, forming a dual-stack structure of "private IPv4" + "public IPv6").
Intranet penetration without a public IPv4 address (we stress "without a public IPv4" because ordinary port mapping on a public IPv4 address can also be considered an intranet penetration technique) must rely on a relay server that has a public IPv4 address (effectively an intermediary) plus various clever "hole punching" techniques. If hole punching succeeds, the two ends communicate directly; if it fails, traffic can only be forwarded through the relay server.
There are two ways to get a relay server: buy a ready-made one or build one yourself. Buying one is easy, but there are many paid options, so I won't go into them. If you build your own, you have to choose from the many virtual networking technologies available. I am currently using Tailscale and have not used the others, so I won't comment on them.
You can search online for how to deploy Tailscale; there are many excellent articles, so I won't spend time on it. If you need to build a Tailscale DERP server yourself, you can refer to my other article: Debian series: build a Tailscale DERP server (relay server).
The focus of this article is not which solution to use for virtual networking, but how to use virtual networking in a home data center environment (finally getting to the point; I'm exhausted).
Virtual Networking
Virtual networking technology is one of the very important underlying technologies in my home data center solution.
Literally, virtual networking means creating a virtual network of your own in which all devices can communicate freely. In terms of implementation, each of your devices gets a virtual network card, each virtual network card is assigned an IP address (or one IPv4 and one IPv6 address), and the devices can reach each other freely through those assigned IPs, regardless of whether they sit on an external network or an internal one.
The current mainstream virtual networking technology is WireGuard, but building and configuring WireGuard yourself is quite cumbersome, requires a certain technical foundation, and needs a host with a public IP. So for individuals, the most convenient option is a mature solution built on WireGuard, such as Tailscale.
When choosing a specific virtual networking solution, an important technical indicator is cross-platform support. After all, a client has to be installed on each device, and there are many kinds of devices (Windows, Linux, macOS, iOS, Android), so the solution you choose should support all these common client types.
In addition, if the solution is a foreign product and the vendor provides the server side (meaning you only need to register an account on the official website, then download the client and log in directly), you also need to consider connectivity between the client and that server. Try it yourself first; it is possible that magic assistance will be needed when logging in.
Practical Application of Virtual Networking
Intranet penetration
For most people, virtual networking is a last resort when home broadband has no public IPv4 address but home devices still need to be reached. With a public IPv4 address, people may prefer dynamic DNS plus port mapping. But even when my home broadband has a public IP, I am not willing to use port mapping unless absolutely necessary: first, I have too many applications and cannot map them one by one; second, the applications are all deployed in Docker and only expose plain HTTP, and running plain-text HTTP on the Internet is too dangerous; third, publishing applications directly through public IPv4 port mapping is too dangerous in itself (IPv6 addresses are much better here: there are many of them, they change frequently, and they are not afraid of scanning, but you then have to solve dynamic domain name binding and the possibility that the accessing end does not support IPv6).
Although, when home broadband has a public IPv4 address, a reverse proxy plus a dynamic domain name lets you publish all applications through a single port mapping (in theory it could also be used directly for operations and maintenance), for security reasons I block sensitive operations in requests from the external network on the WAF (for example, WordPress's /wp-admin). So for actual operations and maintenance, I still prefer to access the services directly by intranet IP when I am at home, and by the IP assigned by the virtual network when I am not (I used to like OpenVPN, but as the operators' negative optimization of OpenVPN became more and more excessive, I was forced to switch to a safer method).
So in theory, whether or not your home broadband has public IPv4 and IPv6 addresses, virtual networking is the best way to penetrate the intranet. Of course, there is a prerequisite: the virtual networking software must have an efficient, advanced hole-punching method that lets devices reach each other directly in most cases rather than passing data through a relay server. With many paid intranet penetration products in China, you have to pay a high price for relay server bandwidth to get a good experience; whether that price is worth the convenience is up to you.
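To see whether hole punching actually worked for each device, here is an added example (not code from the original article): a shell script that reads `tailscale status` output and separates peers reached directly from those still passing through a DERP relay. It assumes the CLI's "active; direct …" / "active; relay …" line format; the peer names and status lines embedded below are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: read `tailscale status`
# output and report which peers are reached directly (hole punching worked)
# and which still pass through a DERP relay server.
# Assumption: the "active; direct <ip:port>" / "active; relay \"<region>\""
# line format printed by the tailscale CLI; the sample below is constructed.

# Read status text on stdin; print "<host> direct", "<host> relay <region>"
# or "<host> idle" for every peer line (lines that start with a tailnet IP).
classify_paths() {
    awk '
        /^[0-9]+\./ {
            host = $2
            if ($0 ~ /active; direct /) {
                print host, "direct"
            } else if ($0 ~ /active; relay /) {
                match($0, /relay "[^"]+"/)
                print host, "relay", substr($0, RSTART + 7, RLENGTH - 8)
            } else {
                print host, "idle"
            }
        }'
}

# Number of peers that are currently relayed: each one pays relay latency and,
# on a self-hosted DERP server, relay bandwidth.
relayed_count() {
    classify_paths | awk '$2 == "relay"' | wc -l | tr -d ' '
}

# Constructed sample of `tailscale status` output so the script runs offline.
SAMPLE_STATUS='100.101.102.103 nas     home@   linux   active; direct 203.0.113.5:41641, tx 1234 rx 5678
100.101.102.104 phone   home@   iOS     active; relay "tok", tx 100 rx 200
100.101.102.105 laptop  home@   macOS   idle, tx 0 rx 0'

# With --live, inspect the real tailnet; otherwise classify the sample.
if [ "${1:-}" = "--live" ] && command -v tailscale >/dev/null 2>&1; then
    tailscale status | classify_paths
else
    printf '%s\n' "$SAMPLE_STATUS" | classify_paths
fi
```

A peer listed as idle has not exchanged traffic recently, so its path is only decided once you send something to it (for example with `tailscale ping`).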
As a "source station"
If you have a website to publish, the most cost-effective way is to build the application on your home equipment (NAS, computer, etc.) and use it as the source station (origin server), letting a domestic CDN pull from it (with a registered domain name) or letting a cloud host reverse-proxy to it. This way you don't need to buy expensive cloud hosts, databases, and so on. However, this method has a prerequisite: your home broadband must have a public IP address (only a domestic CDN requires it; if you use Cloudflare, no public IP is needed).
If your home broadband does not have a public IP address, can your home device still serve as a source station? Yes, and this is where virtual networking technology comes in.
The premise of this method is that you already have a cloud host (you cannot do without one: at minimum you must buy a cloud host to register your domain name, and the cheapest one, about 10 yuan a month, will do). Deploy the virtual networking client on both the cloud host and the home device, add both to the virtual network, then configure a reverse proxy on the cloud host with its upstream pointed at the application on the home device through the IP assigned by the virtual network. If the cloud host's bandwidth is not enough, you can also put a CDN in front with the cloud host as its source station (the cloud host reverse-proxies to the home device, so the application on the home device ends up as the final origin).
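An added example, not the article's own configuration: a shell script for the cloud host that generates the nginx reverse proxy pointing at the home application through its tailnet IP, refuses any upstream outside Tailscale's 100.64.0.0/10 range, and restricts /wp-admin to tailnet and home-LAN sources in the spirit of the WAF rule described earlier. The peer name "nas", the domain www.example.com, port 8080 and the 192.168.0.0/16 LAN range are assumed values.

```shell
#!/bin/sh
# Added example, not from the original article: on the cloud host, generate an
# nginx site that reverse-proxies a public domain to an application on a home
# device through its tailnet IP, while /wp-admin (the path the article blocks
# on its WAF) stays reachable only from the tailnet and the home LAN.
# Assumptions: peer "nas", www.example.com, port 8080 and 192.168.0.0/16 are
# illustrative values, not from the article.

# Return 0 only if $1 lies in Tailscale's 100.64.0.0/10 (CGNAT) range, so a
# typo or a LAN address never silently becomes the upstream.
tailnet_ip_ok() {
    case "$1" in *[!0-9.]*|*.*.*.*.*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
    o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
    [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# Emit the nginx server block: $1 domain, $2 upstream tailnet IP, $3 port.
render_site() {
    cat <<EOF
server {
    listen 80;
    server_name $1;

    # Admin paths: only tailnet and home-LAN sources; CDN and Internet get 403.
    location /wp-admin {
        allow 100.64.0.0/10;
        allow 192.168.0.0/16;
        deny all;
        proxy_pass http://$2:$3;
    }

    location / {
        proxy_pass http://$2:$3;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# With --live, ask the local tailscale client for the peer's tailnet IPv4;
# otherwise use a constructed address so the script runs offline.
if [ "${1:-}" = "--live" ] && command -v tailscale >/dev/null 2>&1; then
    UPSTREAM=$(tailscale ip -4 "${PEER:-nas}")
else
    UPSTREAM=100.101.102.103
fi
tailnet_ip_ok "$UPSTREAM" || { echo "refusing non-tailnet upstream: $UPSTREAM" >&2; exit 1; }
render_site www.example.com "$UPSTREAM" 8080
```

Because a CDN edge or any other Internet client reaches the proxy from an address outside the allowed ranges, /wp-admin answers 403 for it while a tailnet client hitting the cloud host's tailnet address still passes through.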
This method can even reach the database at home through the virtual networking IP. However, because of Internet latency the experience is very poor, so use it with caution unless the application accesses the database infrequently.
Secure proxy
If there is a device at home that can use magic, normally only the devices at home can use it; when you are away, you cannot. Before virtual networking, if your home broadband had a public IPv4 address you could use port mapping if you were brave enough; without a public address, you were completely stuck. With virtual networking, even when you are away from home, any device that can install the virtual networking client (laptop, mobile phone, tablet) can reach the home device that can use magic directly through its virtual networking IP.
Another use is on cloud hosts. Once a virtual networking client is deployed on the cloud host, its proxy can be pointed directly at the magic device at home through the virtual networking IP. You can also use a local proxy in some way (see article: A powerful local proxy tool from the Qiji series: proxychains).
Use SMB to access the shared directory of the home NAS
One reason I used OpenVPN in the past was that I wanted to access the shared directory of my home NAS directly from Windows using the "//" path method. Now virtual networking achieves the same thing, which lets me organize the movies downloaded on the NAS every day even when I am away from home (why mention Windows? Because I have to use Everything; right now I am running a Windows virtual machine on a MacBook, mainly because organizing resources depends on Everything).
Cross-device file transfer
Achieve seamless and efficient cross-device file transfer between different devices (mobile phones, tablets, computers) regardless of location and distance (see article: Recommended solutions for transferring text and files across devices).
Summary
Finally, to put it bluntly, virtual networking is just a technology that provides this capability; the key lies in how you use it.