Background
There is a k8s cluster built with Raspberry Pi on the table in my office.
There is also a NAS server built with Raspberry Pi at home.
My requirement is to be able to reach the k8s cluster in the office and the NAS server at home from any place with an Internet connection, without changing my existing network structure. The most important point is that the cost must not be too high, otherwise the loss outweighs the gain.
Plan selection
In fact, my requirement is essentially intranet penetration (reaching services on a private LAN from outside), and there are many options for it (at least a dozen or so), basically all built on port forwarding or a VPN. Here I only pick out a few of the most common intranet penetration schemes, looked at from the software side and from the hardware side.
Software level
Port forwarding on an independent public IP
This solution is the simplest and was also the most commonly used in the past. You only need an independent public IP address and then forward the port on the router.
The premise of this method is that the company is particularly rich or happens to be in the right industry. For example, our company is in the IDC industry, and I used to have several independent public IPs. I chose one of them, connected it to the router, and then forwarded my cluster's ports to the outside world.
SSH tunnel port forwarding
SSH tunnel port forwarding establishes a secure tunnel over the SSH protocol. It can not only forward a local port to the server, but also supports remote port forwarding back to the local machine.
The usual implementation is to rent a cloud server and pass the local port through an SSH tunnel to achieve intranet penetration, but the monthly rental cost of the cloud server is also a considerable expense.
Manufacturer's intranet penetration solution
Peanut Shell is very popular in the intranet penetration market, and the product line around the original Peanut Shell has now expanded to a lot of network devices and solutions. The Peanut Shell software has a free version; although the traffic allowance is very small, it is enough for testing or for use with very little network traffic.
In addition to Peanut Shell there is also Dandelion, which is the SD-WAN solution, and this is what this article will focus on.
Although the manufacturer provides it for free, in order to ensure a certain stability it is best to buy entry-level hardware to implement it.
VPN network
Another way is through a VPN, but this method also requires a server on the public network to do port forwarding (for special reasons, I won't say more about this method).
Hardware level
There are more ways to realize it at the hardware level, but we are not a commercial operation and don't need IDC hardware that costs hundreds of thousands or millions.
I recommend three hardware products: Peanut Stick (Peanut Shell), Sunflower, and Dandelion.
Peanut Shell is dynamic DNS software, and Peanut Stick is a smart network device with the Peanut Shell software embedded that can penetrate the intranet. Because Peanut Shell is so famous, the two are generally not distinguished and are collectively referred to as Peanut Shell.
Coincidentally, all three products are made by a company called Berry (Berry is raking it in! [dog]), and each hardware product is positioned for a different purpose.
Peanut Shell
Exposes a port on the local computer to a URL.
Competing products: ngrok, frp.
It is essentially implemented through port forwarding. However, Peanut Stick exposes ports of the internal network to the public network, which leads to a very serious problem: network security. In addition, the number of ports is limited, while my k8s cluster is itself a software laboratory running several hundred services, so Peanut Shell does not meet my needs.
Sunflower
Remote desktop sharing and remote control.
Competing products: TeamViewer, ToDesk.
Needless to say, this is remote desktop control. Although remote access can also be achieved this way, it does not meet my existing needs.
Dandelion
Dandelion: SD-WAN, remote LAN networking, cross-region VPN.
Competing products: ZeroTier, OpenVPN.
After all this foreshadowing, it is finally time for today's protagonist to take the stage: Dandelion!
The cheapest product in Dandelion's box lineup is the Dandelion X1. I use the Dandelion X1 to realize network interconnection between office and home through SD-WAN remote LAN networking.
Plan confirmed
Once the plan is determined, the next step is to implement it. There are only two implementation steps, which are very simple, but many difficult problems were encountered along the way.
- The first step is to buy the hardware. I bought two boxes from the Dandelion official store on a certain treasure (Taobao).
- The second step is to implement SD-WAN remote LAN networking.
Without further ado, let me first show the network topology diagram of the SD-WAN remote LAN networking that I finally realized.
Don't worry if this network topology diagram looks a little confusing. Next, I will explain in detail how to make any node in this network reachable from any other.
Detailed network topology
Before explaining the network topology diagram, you must first understand an important concept: bypass routing.
Bypass routing can be subdivided into three concepts: bypass networking, bypass routing, and bypass routers.
To put it simply, bypass networking is a network technique that does not change the original network structure, but only adds a new device to realize re-networking. In this case, the Dandelion X1 is a bypass router, which realizes the function of bypass routing, and realizes SD-WAN remote LAN networking through bypass networking.
Network segment planning
First of all, network segments need to be planned before networking.
My requirement is to connect the office and home networks, so I need 2 routers, 2 Dandelion boxes (a Dandelion box is essentially a router, but a special one: a bypass router) and 4 network segments (4 network devices in total, and each network device requires its own network segment).
The specific network segments are divided as follows:
- The network segment of the company router is 192.168.1.0/24.
- The network segment of the home router is 192.168.2.0/24.
- The network segment of the company box is 10.168.1.0/24.
- The network segment of the home box is 10.168.2.0/24.
See the network topology above for details.
Bypass networking
Under normal circumstances, the office and home networks are two unconnected, independent LAN segments. Next, bypass networking is carried out through the Dandelion X1 so that there is a connection between the two network segments.
The configuration of the Dandelion X1 is very simple: just plug in the network cable and set it up, like a home router. The main thing is to set the WAN port to the static address xxx.xxx.xxx.2, and the LAN port as the gateway of its own network segment.
After the two boxes are configured, the interconnection is realized. Isn't it very simple!
Dandelion has 3 free nodes, so I put one node at the office and one at home, and the third is a mobile client node.
In this way, the network can be accessed from the Dandelion client and from all devices under the Dandelion boxes.
In the above network topology diagram, the mobile terminal, PC-02 and PC-04 can all access any node in the network, but PC-01 and PC-03 can only access their own network segment. If I want PC-01 and PC-03 to access any node in the network, I need to use the static routing function of the router.
Configure static routing
The Dandelion box can realize remote LAN networking, but the box alone is not enough to let any two nodes in the remote LAN communicate with each other. The static routing function of the router is also needed to complete the network.
Although this can be achieved by writing the router's static routing table, almost all home routers on the market do not support this function (some ASUS or Merlin firmware supports it, but most of those cost around four or five hundred).
Therefore, in order to further reduce the cost, the router has to be flashed so that it supports static routing.
Here I directly flash the Xiaomi Router 4A Gigabit Edition. The soft-router system chosen is Lao Maozi (Padavan), which is said to be more stable than OpenWRT.
I have written a series of articles about the specific router flashing process for reference:
Introduction to Common Router Open Source Systems (Firmware)
Xiaomi Router 4A Gigabit Edition OpenWRTInvasion Flashing Tutorial
Xiaomi Router 4A Gigabit Edition CH341A Programmer Flashing Tutorial
Xiaomi Router 4A Gigabit Edition Unbricking and Flashing Back to the Official Firmware
Xiaomi Router 4A Gigabit Edition: Hardware Layout Problems After Replacing the 5G Chip and Flashing
With two configured Dandelion boxes and two routers running third-party firmware (Padavan), interconnection between any two nodes in the remote LAN can be achieved by configuring static routes.
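To make the segment plan, the box configuration (WAN at .2 on the router segment, LAN at .1 as gateway) and the effect of the static routes concrete, here is an added example that models the whole topology in Python. It is not Dandelion's software or any code from the original article; the host addresses (PC-01 192.168.1.10, PC-02 10.168.1.10, PC-03 192.168.2.10, PC-04 10.168.2.10) and the assumption that each box forwards both of the peer site's segments through the SD-WAN tunnel are mine. Each node holds a routing table, lookups use longest-prefix match like a real router, and `trace()` follows a packet hop by hop, so you can compare reachability with only the boxes against reachability once the routers carry static routes.

```python
"""Constructed model of the article's two-site SD-WAN topology (not Dandelion's code).

Next-hop values in a routing table:
  None             directly connected segment
  INTERNET         the ISP default route (private RFC 1918 targets die here)
  "tunnel:<node>"  the SD-WAN overlay to the peer box
  "<ip>"           an ordinary next-hop address on a connected segment
"""
from ipaddress import ip_address, ip_network

INTERNET = "internet"
HOSTS = ["PC-01", "PC-02", "PC-03", "PC-04"]  # assumed host names/addresses, see build_topology


class Node:
    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = [ip_address(a) for a in addrs]
        self.routes = [(ip_network(cidr), nh) for cidr, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def check_no_overlap(cidrs):
    """Segment-planning sanity check: every pair of planned segments must be disjoint."""
    nets = [ip_network(c) for c in cidrs]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def build_topology(static_routes):
    """Article's plan: two routers, two boxes (WAN .2 on the router LAN, LAN gateway .1)."""
    office_router = [("192.168.1.0/24", None), ("0.0.0.0/0", INTERNET)]
    home_router = [("192.168.2.0/24", None), ("0.0.0.0/0", INTERNET)]
    if static_routes:
        # The entries the flashed (Padavan) routers need: every remote segment is
        # reached through the local box's WAN address.
        office_router += [(c, "192.168.1.2") for c in ("10.168.1.0/24", "10.168.2.0/24", "192.168.2.0/24")]
        home_router += [(c, "192.168.2.2") for c in ("10.168.2.0/24", "10.168.1.0/24", "192.168.1.0/24")]
    # Assumption: each box forwards both peer-site segments through the tunnel and source-NATs
    # traffic it sends onto its own router segment (the "NAT mode" the article's summary mentions),
    # which is why PC-02 can reach PC-01 even when the router has no route back to 10.168.1.0/24.
    nodes = [
        Node("office-router", ["192.168.1.1"], office_router),
        Node("home-router", ["192.168.2.1"], home_router),
        Node("office-box", ["192.168.1.2", "10.168.1.1"],
             [("192.168.1.0/24", None), ("10.168.1.0/24", None),
              ("10.168.2.0/24", "tunnel:home-box"), ("192.168.2.0/24", "tunnel:home-box"),
              ("0.0.0.0/0", "192.168.1.1")]),
        Node("home-box", ["192.168.2.2", "10.168.2.1"],
             [("192.168.2.0/24", None), ("10.168.2.0/24", None),
              ("10.168.1.0/24", "tunnel:office-box"), ("192.168.1.0/24", "tunnel:office-box"),
              ("0.0.0.0/0", "192.168.2.1")]),
        Node("PC-01", ["192.168.1.10"], [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
        Node("PC-02", ["10.168.1.10"], [("10.168.1.0/24", None), ("0.0.0.0/0", "10.168.1.1")]),
        Node("PC-03", ["192.168.2.10"], [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]),
        Node("PC-04", ["10.168.2.10"], [("10.168.2.0/24", None), ("0.0.0.0/0", "10.168.2.1")]),
    ]
    return {n.name: n for n in nodes}


def find_owner(nodes, ip):
    return next((n for n in nodes.values() if ip in n.addrs), None)


def trace(nodes, src, dst, max_hops=16):
    """Forward a packet hop by hop; returns the list of nodes traversed, or None if undeliverable."""
    dst = ip_address(dst)
    cur, path = nodes[src], [src]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return path
        hit = cur.lookup(dst)
        if hit is None:
            return None
        _net, nh = hit
        if nh is None:                    # directly connected: deliver to the owner
            nxt = find_owner(nodes, dst)
        elif nh == INTERNET:              # private addresses are not routed on the public Internet
            return None
        elif nh.startswith("tunnel:"):    # SD-WAN overlay hop between the two boxes
            nxt = nodes[nh.split(":", 1)[1]]
        else:                             # ordinary next hop on a connected segment
            nxt = find_owner(nodes, ip_address(nh))
        if nxt is None:
            return None
        path.append(nxt.name)
        cur = nxt
    return None


def reachability(nodes):
    """Which PC can reach which other PC, as {(src, dst): bool}."""
    return {(s, d): trace(nodes, s, nodes[d].addrs[0]) is not None
            for s in HOSTS for d in HOSTS if s != d}


if __name__ == "__main__":
    for label, topo in (("box only", build_topology(False)), ("box + static routes", build_topology(True))):
        r = reachability(topo)
        print(f"{label}: {sum(r.values())}/{len(r)} PC pairs reachable")
        print("  PC-01 -> PC-04:", trace(topo, "PC-01", "10.168.2.10"))
```

Running it shows the article's observation directly: with only the boxes, PC-02 and PC-04 reach everything while PC-01 and PC-03 are stuck in their own segments (their router sends 10.168.x.x to the ISP default route, where it is dropped); with the three static routes per router pointing at the box's WAN address, all twelve PC pairs become reachable.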
Summary
Access between the devices under the Dandelion boxes (PC-02, PC-04) and the device under the Dandelion client (the mobile terminal) goes through the virtual IP of the Dandelion account. A device under a Dandelion box (PC-02) accesses an upstream device (PC-01) in NAT mode (for PC-02, PC-01 is on the external network), and an upstream device (PC-01) accesses a device under the Dandelion box (PC-02) through static routing.
One of the most important concepts is bypass routing. A series of articles on bypass router technology will follow; for now I am just digging the hole here and will fill it in slowly later, haha!