Enable Cloudflare CDN proxy to implement IPv4 to IPv6 conversion

This is the third article in a series on remote access through a public IPv6 address:

  1. "Using public network IPv6 to remotely access intranet devices"
  2. "DDNS dynamic domain name resolution IPv6 address"
  3. "Enable Cloudflare CDN proxy to implement IPv4 to IPv6 conversion"

Reminder:
This article involves one paid item: the domain name itself. If you already own a domain, everything else described here is free to use. If you do not, the previous article, "DDNS Dynamic Domain Name Resolution IPv6 Address", explains in detail how to buy a cheap and practical domain name on Tencent Cloud.

1. Introduction

The previous two articles covered how to enable IPv6 for remote access to intranet devices, and how to reach them through a domain name backed by a self-hosted DDNS service. A brief review: first we enable IPv6 address assignment from the local ISP and allow the intranet device to use IPv6. Because an IPv6 address is a public address, the device can then be reached directly at its own IPv6 address. An IPv6 address is long and hard to remember, so we bind it to a domain name instead. The address assigned by the ISP is dynamic and changes after some time or after re-dialing, so we run a DDNS service locally that watches for address changes and, when one happens, pushes the new address to the DNS provider and updates the domain's resolution record.

One problem remains. Some networks have no IPv6 connectivity at all, such as our company network, and from such a network nothing in the previous two articles works. So is there a way to reach an IPv6 site from an IPv4-only network? There is: put a CDN in front of the site and let the CDN fetch from the origin. In short, an intermediate node sits between the origin and the client and converts between IPv4 on the client side and IPv6 on the origin side, in both directions.

This is not the only answer. Anyone capable can run their own relay to do the conversion, but when a free and simple ready-made tool exists we would rather use it directly.

2. What is a CDN

Full name: Content Delivery Network, also written Content Distribution Network. As the name suggests, it is a distributed network of nodes (also called edge servers) that delivers content (web pages, video, images and so on) to the user from whichever edge server is best placed, based on the locations of the user, the origin server and the edge servers. CDN nodes cache content and can serve it from a location geographically close to the end user. CDN providers deploy these nodes in many geographic locations, spanning multiple ISP (Internet Service Provider) networks.

Put simply, an edge server is just a server whose job is to deliver (relay) content. When we visit the origin site, we actually reach an edge server in the CDN first; it requests the content from the origin, and then it sends the response back to us.

If that is still unclear, don't worry. After reading this article you will be able to use it.

3. Why choose Cloudflare ("CF" for short)

Let's first talk about the biggest shortcoming of Cloudflare's CDN: it is slow. If you use the default edge nodes Cloudflare assigns you, access can become extremely slow, because the edge nodes that serve free-plan traffic are outside mainland China, and you already know what domestic access to overseas nodes feels like.

So why choose Cloudflare anyway? Several reasons are hard to refuse:

  1. Free DNS hosting and a free CDN proxy, with DNS support for wildcard (pan-resolution) records;
  2. The CDN converts between IPv4 and IPv6 traffic, i.e. it is dual-stack on the client side and can reach an IPv6-only origin;
  3. A third-party open-source script can pick the fastest Cloudflare edge IP, which you then pin in the local hosts file to improve access speed;
  4. With the proxy enabled, the real IP address of the origin is hidden behind Cloudflare's edge, which improves personal network security (only for the proxied records; any record left unproxied still exposes the real address);
  5. Domestic CDNs are paid, require the domain to be bound to a cloud server with real-name registration, and some do not support IPv6 back-to-origin at all (Tencent Cloud's default CDN does not; its ECDN product must be purchased separately to get IPv6 back-to-origin).

Point 5 alone rules out the domestic CDN services. CF's slowness can be solved by paying for a better plan and by edge IP selection; since we would have to pay either way, why not pay the more reasonably priced CF?

4. Host the domain name on CF

In the previous article we bought a domain name on Tencent Cloud and used DNSPod for its resolution. Before we can use CF, the first thing to do is move the domain's DNS hosting to CF. That requires a CF account; I won't go into the registration step, the site supports Simplified Chinese and following the prompts should get it done without trouble.

Once registered, click the "Add Site" button on the home page and enter the domain we bought:

Choose the free plan here; if you have additional needs, pick a paid plan as required:

With this step done, everything that has to be done on the CF side of the hosting process is complete. Next we go to the Tencent Cloud console and change the domain's name servers to the ones CF assigned:

Open the "My Domains" page:

In the "Modify DNS Server" dialog, replace the name servers with CF's:

5. Enable the CDN proxy

During onboarding, CF automatically imports the domain's existing DNS records. Open the domain's detail page on CF, select the DNS entry in the left menu, and the DNS records of the current domain are listed:

You can see that I have already added several records here. Let's start from scratch and walk through adding a record and enabling the proxy.

  1. Manually add a wildcard (pan-resolution) AAAA record pointing at the device's IPv6 address, with the proxy turned off (DNS only):

  2. Ping the domain locally to confirm that the DNS record has taken effect:

    The CF-hosted DNS is now live and the domain resolves to the IP we entered.

  3. Edit the record and switch the proxy on:

  4. Ping the domain again and check that the returned IP has changed to a CF edge node IP rather than our own address:

  5. Disable IPv6 on the local computer, ping the domain once more, and check that the ping still succeeds and that the returned IP is now an IPv4 address:

  6. Update the DDNS configuration in OpenWrt:

    The DDNS client needs an API credential from your CF profile to update the DNS record. This post uses the Global API Key; an API token restricted to Zone.DNS:Edit on this zone alone is the safer choice, because the Global API Key grants full access to the whole account if the router is ever compromised:

    Then go to OpenWrt's "Dynamic DNS" plugin and add or edit the DDNS service entry:

    Note: with the CDN proxy enabled, this plugin may log "warn" level messages. By default it uses nslookup to find the IP the domain currently points to; once the proxy is on, nslookup returns CF edge node IPs, which differ from our real address, and it returns several of them, which makes the expand_ipv6 step of the script fail. Neither issue breaks the update. The only effect is that every check concludes the IP has changed and forces a DNS record update even when the real IP has not changed.
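The forced update in the note above comes from comparing against what DNS returns. The check works cleanly if the DDNS client compares the host's current address with the record stored at Cloudflare instead, read through the API. The following Python script is an added example written for this post; it is not code from the original article or from the OpenWrt ddns-scripts plugin. It assumes an API token scoped to Zone.DNS:Edit (the post itself uses the Global API Key), placeholder zone and record IDs, and the Cloudflare API v4 endpoints GET and PUT /zones/{zone_id}/dns_records/{record_id}. The offline transport and the 2001:db8:: addresses are constructed sample data.

```python
"""Keep a Cloudflare AAAA record in sync with the host's public IPv6 address.

Added example, not code from the original post or from ddns-scripts.
Assumptions: an API token scoped to Zone.DNS:Edit (Bearer auth), placeholder
zone/record IDs in main(), and the Cloudflare API v4 endpoints
GET and PUT /zones/{zone_id}/dns_records/{record_id}.
"""
import ipaddress
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def normalize_ipv6(addr):
    """Canonicalise an IPv6 string and reject addresses that cannot be the
    public one: link-local (fe80::/10), ULA (fc00::/7), loopback, unspecified.
    A zone suffix such as '%br-lan' is stripped first."""
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
    if (ip.is_link_local or ip.is_loopback or ip.is_unspecified
            or ip in ipaddress.IPv6Network("fc00::/7")):
        raise ValueError(f"{addr} is not a public IPv6 address")
    return str(ip)


def cloudflare_http(method, url, token, body=None):
    """Default transport: JSON over HTTPS with a Bearer token."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def sync_aaaa_record(zone_id, record_id, token, current_ip, http=cloudflare_http):
    """Return ("unchanged", ip) or ("updated", ip).

    The comparison uses the record stored at Cloudflare, not an nslookup of
    the name: once the proxy is on, DNS answers carry edge IPs, which is why
    the nslookup-based check force-updates on every run."""
    current_ip = normalize_ipv6(current_ip)
    url = f"{API_BASE}/zones/{zone_id}/dns_records/{record_id}"
    got = http("GET", url, token)
    if not got.get("success"):
        raise RuntimeError(f"GET failed: {got.get('errors')}")
    rec = got["result"]
    if rec["type"] != "AAAA":
        raise ValueError(f"{rec['name']} is a {rec['type']} record, not AAAA")
    if normalize_ipv6(rec["content"]) == current_ip:
        return ("unchanged", current_ip)
    # Overwrite the record, preserving name, TTL and the proxied flag.
    body = {"type": "AAAA", "name": rec["name"], "content": current_ip,
            "ttl": rec.get("ttl", 1), "proxied": rec.get("proxied", False)}
    put = http("PUT", url, token, body)
    if not put.get("success"):
        raise RuntimeError(f"PUT failed: {put.get('errors')}")
    return ("updated", put["result"]["content"])


def fake_transport(initial_content="2001:db8::1"):
    """Constructed offline stand-in for the API (sample data, not real
    responses). Returns (state, http); state tracks the stored content and
    the sequence of HTTP methods used."""
    state = {"content": initial_content, "calls": []}

    def http(method, url, token, body=None):
        state["calls"].append(method)
        if method == "GET":
            return {"success": True, "result": {
                "id": "rec", "type": "AAAA", "name": "home.example.com",
                "content": state["content"], "ttl": 1, "proxied": True}}
        state["content"] = body["content"]
        return {"success": True, "result": dict(body, id="rec")}

    return state, http


def main():
    state, http = fake_transport()
    # First run: the host's address changed, so the record is rewritten.
    print(sync_aaaa_record("ZONE_ID", "RECORD_ID", "TOKEN", "2001:db8::2", http))
    # Second run: same address in different spelling, so no write happens.
    print(sync_aaaa_record("ZONE_ID", "RECORD_ID", "TOKEN", "2001:DB8:0::2", http))
    print(state["calls"])  # ['GET', 'PUT', 'GET']


if __name__ == "__main__":
    main()
```

To run it against the real API, pass the default transport (omit the `http` argument) with your own zone ID, record ID and token, and feed it the global address of the LAN interface; the `normalize_ipv6` check refuses the link-local and ULA addresses that the same interface also carries, which is the class of mistake the script's expand_ipv6 step exists to avoid.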

After these six steps the domain is behind the CDN: all requests for it are answered through CF's edge nodes and relayed to the origin, and we saw that with local IPv6 disabled, CF hands out IPv4 edge nodes, so the IPv6 origin is reachable from a network without IPv6.

6. Cloudflare IP selection

In the steps above, a single ping took about 15 ms in step 2, with the proxy off, and rose to about 200 ms in steps 4 and 5, with the proxy on. Enabling the CF proxy therefore has a large impact on access speed, and we need to choose a better CDN edge node IP to connect to.

A third-party open-source IP selection script is recommended here: XIU2/CloudflareSpeedTest. It measures latency and download speed across Cloudflare's edge IP ranges and reports the fastest ones, which you then map to your domain in the local hosts file. Usage and documentation are covered in detail on its GitHub page and are not repeated here.

7. Limitations after enabling the Cloudflare CDN

Is everything solved once the CDN is on? Not quite. The Cloudflare proxy only carries HTTP and HTTPS traffic, while in practice we often need other protocols: SSH to a server (exposing SSH to the public Internet is not recommended in the first place), Microsoft RDP (mstsc), and so on. None of these can be reached through the proxied domain name.

The workaround is simple: give such traffic its own subdomain with the proxy turned off. For example, add a record rdp.yourDomain.com for Microsoft RDP (mstsc) pointing at the device's IP address, and add a matching DDNS entry for rdp.yourDomain.com. Without the CDN proxy, however, clients connect to the IPv6 address directly, so the subdomain is unreachable from a network without IPv6, and the DNS-only record publishes the real IPv6 address that the proxy was hiding.

Cloudflare does offer a paid product, Cloudflare Spectrum, that proxies arbitrary TCP/UDP traffic through its edge and solves this problem.

Proxying HTTP and HTTPS has limits of its own. Inbound connections on the standard ports 80 and 443 are blocked on home broadband in China, so we have to serve HTTP(S) on non-standard ports. Cloudflare, however, only proxies a fixed set of ports:

  HTTP  ports: 80, 8080, 8880, 2052, 2082, 2086, 2095
  HTTPS ports: 443, 2053, 2083, 2087, 2096, 8443

Cloudflare connects to the origin on the same port the client used, so a request to port 2053 arrives at the origin on port 2053. Set up port forwarding that maps the CF-supported port to the port the deployed service actually listens on. For HTTPS, also set the zone's SSL/TLS mode to Full (strict) so the edge-to-origin leg is encrypted and the origin certificate is verified; the Flexible mode sends that leg in plaintext.

8. Summary

This brings the series on IPv6 remote access to a close. Over three articles we covered how to enable IPv6, how to access the network remotely through a domain name, and how to reach an IPv6 origin through a CDN proxy from a network without IPv6.

Although the series focuses on IPv6, the same approach works on IPv4 networks: the only change is using "A" records instead of "AAAA" records for the domain.

Cloudflare's free plan is not perfect, but with a few small detours it is enough for ordinary home use, and NAT traversal tools such as frp and ZeroTier can fill the remaining gaps. If you are interested in frp and ZeroTier, I recommend this video by Sibotu: Exclusive bandwidth, teaching you to build your own intranet penetration server (based on frp and zerotier moon server).

I hope this topic series can bring help to those in need~

References

  1. Cloudflare DNS documentation
  2. Cloudflare Spectrum documentation
  3. Cloudflare API documentation
  4. "I only have an IPv6 public network address at home, how can I make it accessible to other IPv4 networks?"
  5. XIU2/CloudflareSpeedTest

Origin blog.csdn.net/qq_38894585/article/details/131054885