This article discusses connecting to the internal network at home from outside, such as accessing internal IP, SSH, SMB, and using your OpenWrt. If you donβt need to access the entire internal network and only require access to one of its services, setting up Nginx is sufficient. This article will not delve into that discussion.
Solutions Comparison
Here are the solutions I have tried, and other suggestions are welcome in the comments for discussion.
I initially used OpenConnect, which by default would mess up the local routing table, affecting daily use. However, since it was a long time ago, I wonβt write about it.
| Solution | Network Environment Requirements | Installation Type (server) | Connection Type | Latency | Installation / Maintenance Cost | Recommendation Rating | Remarks |
|---|---|---|---|---|---|---|---|
| Tailscale / ZeroTier | None | Docker | NAT | High | Low | β β βββ | Segment conflicts may occur: for example, if your home network segment is 192.168.1/24 (the most common), and it is added to the static route of tailscale, and the external WiFi segment happens to also be 192.168.1/24 (itβs really common), then you wonβt be able to access this network segment at home, which is exactly the opposite of OpenVPN. You can manually change your home network segment to a less commonly used one, such as 10.x.x/20. |
| Tailscale + Self-built Relay | A relay node with public IPv4 address | Docker | NAT | Low | Middle | β β βββ | - |
| Headscale | A relay node with public IPv4 address | Docker | NAT | Low | Middle | β β βββ | - |
| Tailscale + IPv6 | Public IPv6 (both ends) | Docker | Direct | Very low | Low | β β β β β | - |
| OpenVPN + IPv6 | Public IPv6 (both ends) | Virtual machine | Direct | Very low | High | β β β ββ | - |
| OpenVPN | Public IPv4( server end ) | Virtual machine | Direct | Very low | High | β β β ββ | Configuration is really cumbersome; remember to set a longer validity period for certificates. |
| WireGuard | Public IPv4( server end ) | unRAID built-in | Direct | Very low | Low | β β β β β | Can configure multiple peers for simultaneous multi-end connections |
Additional
Main steps to set up Tailscale:
- Add static routes
- Set DNS
- (Optional) Set unraid to exit mode
- (Optional) Select an exit node on the client (Mac/iOS)
Documentation for setting up WireGuard: https://unraid.net/blog/wireguard-on-unraid
Note: Regardless of which one, downloading the client in the Apple ecosystem requires a non-Chinese region Apple ID.