Building a Home Network Hub with Alibaba Cloud VPS: Intranet Tunneling + Remote Desktop + Proxy All-in-One Setup
Author: Huashan (@herohuashan)
Introduction
As a NAS and home server user, I often need to access home services from outside. This article explains how to use a lightweight Alibaba Cloud VPS (2 cores, 1.6GB RAM) to build a complete home network hub, including:
- FRP Reverse Proxy - Expose home services to the public internet
- Self-hosted RustDesk - Open-source remote desktop solution
- ShellCrash Transparent Proxy - Enable VPS access to overseas resources
- Tailscale DERP Relay - Accelerate Tailscale mesh networking
- Nginx Reverse Proxy + SSL - Add domain names and HTTPS to tunneled services
💡 Why choose Alibaba Cloud Shanghai node? Geographic proximity to home network means low latency (typically less than 30ms), making it ideal as a relay server for intranet tunneling.
Server Base Configuration
System Environment
OS: Ubuntu 22.04.5 LTS
CPU: 2 cores Intel Xeon Platinum
Memory: 1.6GB
Disk: 40GB SSD
Initial Setup
```bash
# Update system
apt update && apt upgrade -y

# Install basic tools
apt install -y curl wget git vim htop net-tools

# Install Docker
curl -fsSL https://get.docker.com | sh
systemctl enable docker
systemctl start docker
```
1. FRP Reverse Proxy
FRP (Fast Reverse Proxy) is a high-performance reverse proxy application that helps expose internal services to the public network.
1.1 Install FRP Server
```bash
# Download latest FRP
wget https://github.com/fatedier/frp/releases/download/v0.62.1/frp_0.62.1_linux_amd64.tar.gz
tar -xzf frp_0.62.1_linux_amd64.tar.gz
mv frp_0.62.1_linux_amd64 /opt/frp
```
1.2 Configure frps.toml
```bash
mkdir -p /etc/frp
cat > /etc/frp/frps.toml << 'EOF'
bindPort = 7000
vhostHTTPPort = 8081
auth.method = "token"
auth.token = "your_secure_token"
webServer.addr = "0.0.0.0"
webServer.port = 81
webServer.user = "admin"
webServer.password = "your_admin_password"
EOF
```
1.3 Create System Service
```bash
cat > /etc/systemd/system/frps.service << 'EOF'
[Unit]
Description=Frp Server Service
After=network.target

[Service]
Type=simple
ExecStart=/opt/frp/frps -c /etc/frp/frps.toml
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

systemctl enable frps
systemctl start frps
```
1.4 Client Configuration Example
Configure frpc on your home NAS or server:
```toml
# frpc.toml
serverAddr = "VPS_PUBLIC_IP"
serverPort = 7000
auth.token = "your_secure_token"

# Map SubStore service
[[proxies]]
name = "substore"
type = "tcp"
localIP = "127.0.0.1"
localPort = 3000
remotePort = 3003

# Map SSH
[[proxies]]
name = "ssh"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
remotePort = 2222
```
1.5 Open Firewall Ports
Open the following ports in the Alibaba Cloud Security Group:
| Port | Protocol | Purpose |
|---|---|---|
| 7000 | TCP | FRP main port |
| 8081 | TCP | HTTP vhost |
| 81 | TCP | FRP Dashboard |
| 3003 | TCP | SubStore (example) |
| 2222 | TCP | SSH (example) |
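The frps.toml from section 1.2 carries placeholder secrets and binds the dashboard to 0.0.0.0, and the table above opens port 81 to the internet. The script below is an added example (not from the original article or the frp project) that audits such a file before the service goes live; the function names and the 32-character token minimum are assumptions of this example, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. The 32-character minimum is
# this example's assumption, not an frp requirement.

# toml_get FILE KEY: print the value of a top-level `KEY = value` line, unquoted.
toml_get() {
    awk -v k="$2" '
        { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v)
                   gsub(/^"|"[ \t]*$/, "", v); print v; exit }' "$1"
}

# gen_token: 32 random bytes from the kernel CSPRNG as 64 hex characters.
gen_token() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# audit_frps FILE: print one finding per line; no output means nothing found.
audit_frps() {
    token=$(toml_get "$1" auth.token)
    case $token in
        "" | your_*) echo "auth.token: empty or tutorial placeholder" ;;
        *) if [ "${#token}" -lt 32 ]; then echo "auth.token: under 32 chars"; fi ;;
    esac
    # The dashboard is only served when webServer.port is set.
    if [ -n "$(toml_get "$1" webServer.port)" ]; then
        case $(toml_get "$1" webServer.password) in
            "" | your_*) echo "webServer.password: empty or tutorial placeholder" ;;
        esac
        if [ "$(toml_get "$1" webServer.addr)" = "0.0.0.0" ]; then
            echo "webServer.addr: dashboard listens on every interface"
        fi
    fi
    if [ -n "$(find "$1" -perm -004)" ]; then
        echo "file mode: world-readable, secrets visible to every local user"
    fi
}

# Constructed sample: the settings from section 1.2 with the usual 0644 mode.
sample=$(mktemp)
cat > "$sample" << 'EOF'
bindPort = 7000
auth.method = "token"
auth.token = "your_secure_token"
webServer.addr = "0.0.0.0"
webServer.port = 81
webServer.password = "your_admin_password"
EOF
chmod 644 "$sample"
audit_frps "$sample"   # prints four findings for the tutorial config
rm -f "$sample"
```

Run `audit_frps /etc/frp/frps.toml` on the VPS; `gen_token` output can be pasted into both `auth.token` fields (server and client) and, separately, into `webServer.password`.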
2. Self-hosted RustDesk Remote Desktop
RustDesk is an open-source remote desktop software that can be fully self-hosted without relying on any third-party services.
2.1 Deploy with Docker
```bash
# Create directory
mkdir -p /opt/rustdesk

# Run hbbs (ID/Signaling server)
docker run --name hbbs \
  -d --restart always \
  -p 21115:21115 \
  -p 21116:21116 \
  -p 21116:21116/udp \
  -p 21118:21118 \
  -v /opt/rustdesk:/root \
  rustdesk/rustdesk-server:latest \
  hbbs -r VPS_PUBLIC_IP

# Run hbbr (Relay server)
docker run --name hbbr \
  -d --restart always \
  -p 21117:21117 \
  -p 21119:21119 \
  -v /opt/rustdesk:/root \
  rustdesk/rustdesk-server:latest \
  hbbr
```
2.2 Client Configuration
- Download RustDesk client
- Go to Settings → Network → ID/Relay Server
- Fill in:
  - ID Server: `VPS_PUBLIC_IP`
  - Relay Server: `VPS_PUBLIC_IP`
  - Key: Check `/opt/rustdesk/id_ed25519.pub`
2.3 Open Ports
| Port | Protocol | Purpose |
|---|---|---|
| 21115 | TCP | NAT type testing |
| 21116 | TCP/UDP | ID registration and heartbeat |
| 21117 | TCP | Relay |
| 21118/21119 | TCP | WebSocket |
3. Tailscale DERP Relay Server
If you use Tailscale for mesh networking, self-hosting a DERP server can significantly reduce latency between domestic nodes.
3.1 Docker Deployment
```bash
docker run --restart always \
  --name derper \
  -d \
  -p 59443:443 \
  -p 3478:3478/udp \
  ghcr.io/yangchuansheng/ip_derper:latest
```
3.2 Tailscale ACL Configuration
Add the following to the ACL in the Tailscale admin console:
```json
"derpMap": {
  "OmitDefaultRegions": false,
  "Regions": {
    "901": {
      "RegionID": 901,
      "RegionCode": "sh",
      "RegionName": "Shanghai Aliyun",
      "Nodes": [{
        "Name": "901",
        "RegionID": 901,
        "HostName": "VPS_PUBLIC_IP",
        "DERPPort": 59443,
        "IPv4": "VPS_PUBLIC_IP",
        "InsecureForTests": true,
        "STUNPort": 3478
      }]
    }
  }
}
```
4. ShellCrash Transparent Proxy
A transparent proxy is useful when the VPS needs to access overseas resources such as Docker Hub and GitHub.
4.1 Install ShellCrash
```bash
# Install (note: curl -k skips TLS certificate verification when fetching install.sh)
export url='https://fastly.jsdelivr.net/gh/juewuy/ShellCrash@master' && sh -c "$(curl -kfsSl $url/install.sh)" && source /etc/profile &> /dev/null
```
4.2 Configure Subscription
Run the crash command to enter interactive configuration:
- Select `6 Import configuration file`
- Select `3 Local generation` or `2 Online fetch`
- Enter your Clash subscription URL (ensure it's Clash YAML format)
- Select `1 Start/Restart service`

⚠️ Note: Make sure your subscription URL uses the `clash=smart` parameter to get the correct YAML format configuration.
4.3 Verify Proxy
```bash
# Test if Google is accessible
curl -sI https://www.google.com
```
5. Nginx Reverse Proxy + SSL
Add domain names and HTTPS to tunneled services.
5.1 Install Nginx and Certbot
```bash
apt install -y nginx certbot python3-certbot-nginx
```
5.2 Configure Reverse Proxy
Using SubStore as an example, create a configuration file:
```bash
cat > /etc/nginx/sites-available/sub.example.com << 'EOF'
server {
    listen 80;
    server_name sub.example.com;

    location / {
        proxy_pass http://127.0.0.1:3003;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF

ln -sf /etc/nginx/sites-available/sub.example.com /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx
```
5.3 Obtain SSL Certificate
```bash
# Run after adding DNS A record pointing to VPS IP
# YOUR_EMAIL is a placeholder: replace it with your own address
certbot --nginx -d sub.example.com --non-interactive --agree-tos --email YOUR_EMAIL
```
5.4 Open Ports
| Port | Protocol | Purpose |
|---|---|---|
| 80 | TCP | HTTP (redirect) |
| 443 | TCP | HTTPS |
Architecture Diagram
```
              ┌─────────────────────────────────────┐
              │    Alibaba Cloud VPS (Shanghai)     │
              │                                     │
External ────►│  ┌─────────┐   ┌─────────────────┐  │
Access        │  │  Nginx  │   │   ShellCrash    │  │
              │  │ :80/:443│   │Transparent Proxy│  │
              │  └────┬────┘   └─────────────────┘  │
              │       │                             │
              │  ┌────▼────┐   ┌─────────────────┐  │
              │  │   FRP   │   │    RustDesk     │  │
              │  │  :7000  │   │  :21115-21119   │  │
              │  └────┬────┘   └─────────────────┘  │
              │       │                             │
              │  ┌────▼────┐   ┌─────────────────┐  │
              │  │ Tunneled│   │ DERP (Tailscale)│  │
              │  │Services │   │  :59443/:3478   │  │
              │  │:3003 etc│   │                 │  │
              │  └────┬────┘   └─────────────────┘  │
              └───────│─────────────────────────────┘
                      │
              ┌───────▼─────────┐
              │  Home NAS/Mac   │
              │  (FRP Client)   │
              │  SubStore etc   │
              └─────────────────┘
```
Resource Usage
Running all of the above services on a 1.6GB RAM VPS:
| Service | Memory Usage |
|---|---|
| ShellCrash | ~30MB |
| FRP Server | ~10MB |
| Nginx | ~15MB |
| RustDesk (2 containers) | ~25MB |
| DERP | ~20MB |
| Total | ~100MB |
About 1GB of memory remains available, which is more than enough for daily use.
Security Recommendations
- Change default ports: Use non-standard ports for SSH (e.g., 2222)
- Use strong passwords: Generate random strong passwords for FRP token, RustDesk key, etc.
- Regular updates: Keep the system and all services up to date
- Minimize open ports: Only open necessary ports
- Enable fail2ban: Prevent brute force attacks
```bash
apt install -y fail2ban
systemctl enable fail2ban
```
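For the "Minimize open ports" recommendation, the following added example (not part of the original article) compares what is actually listening on the VPS with the ports this guide opens. It reads `ss -H -tuln` output on stdin; the allowlist entry tcp/22 for the VPS's own SSH is an assumption, and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: report listeners reachable from
# outside the host that are not in this guide's port tables.

# Ports from sections 1.5, 2.3, 3.1 and 5.4; tcp/22 (VPS sshd) is an assumption.
ALLOW="tcp/22 tcp/80 tcp/443 tcp/81 tcp/7000 tcp/8081 tcp/3003 tcp/2222
tcp/21115 tcp/21116 udp/21116 tcp/21117 tcp/21118 tcp/21119 tcp/59443 udp/3478"

# unexpected_listeners ALLOWLIST < ss-output: print "proto/port address" lines.
unexpected_listeners() {
    awk -v allow="$(echo $1)" '
        BEGIN { allow = " " allow " " }
        {
            addr = $5; port = $5
            sub(/.*:/, "", port)        # text after the last colon
            sub(/:[^:]*$/, "", addr)    # text before the last colon
        }
        addr ~ /^127\./ || addr == "[::1]" { next }   # loopback-only listener
        index(allow, " " $1 "/" port " ") == 0 { print $1 "/" port, addr }
    ' | sort -u
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
sample_ss() {
    cat << 'EOF'
udp   UNCONN 0      0            0.0.0.0:3478        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53          0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:21115       0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:9999        0.0.0.0:*
tcp   LISTEN 0      4096               *:7000              *:*
tcp   LISTEN 0      4096               *:6000              *:*
tcp   LISTEN 0      4096            [::]:22             [::]:*
tcp   LISTEN 0      4096         0.0.0.0:9090        0.0.0.0:*
EOF
}

sample_ss | unexpected_listeners "$ALLOW"
```

On the VPS, run `ss -H -tuln | unexpected_listeners "$ALLOW"`; each line printed is a listener to either close, bind to 127.0.0.1, or add to the allowlist deliberately.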
FAQ
Q: Docker image pull fails?
A: Ensure ShellCrash proxy is running properly, or configure Docker to use domestic mirror sources.
Q: Nginx SSL certificate acquisition fails?
A: Check:
- Whether DNS A record has taken effect
- Whether port 80 is open in security group
- Whether firewall allows the traffic
Q: FRP connection fails?
A: Check:
- Whether server and client tokens match
- Whether port 7000 is open
- Use `frpc -c frpc.toml` to view detailed logs
Conclusion
With a lightweight Alibaba Cloud VPS, we successfully set up:
- ✅ FRP Reverse Proxy - Access home services from anywhere
- ✅ RustDesk Remote Desktop - Control home computers remotely
- ✅ ShellCrash Proxy - VPS can pull Docker images normally
- ✅ Tailscale DERP - Accelerate Tailscale mesh networking
- ✅ Nginx + SSL - Add HTTPS support to services
This solution is low-cost (lightweight VPS costs about $5-10/month), easy to maintain, and has low latency, making it ideal for users with home server needs.