I've divided this networking overview into the following three parts:
(1) Communication technology used within a single network
This knowledge was already acquired in previous projects within my home network:
Physical layer (L1 of the OSI model):
cables, Wi-Fi, fiber optics, hub
Data Link layer (L2 of the OSI model):
Unmanaged/Managed Switch, Wi-Fi Mesh
with frames, ARP (Address Resolution Protocol), STP (Spanning Tree Protocol),
MAC (Media Access Control) address, VLAN (Virtual Local Area Network), and subnetting as new concepts
Network layer (L3 of the OSI model):
Layer 3 Switch, Router, DHCP (Dynamic Host Configuration Protocol)
with packets, IP (Internet Protocol), ICMP (Internet Control Message Protocol; used by "ping"),
and IPsec (Internet Protocol Security) as new concepts
Transport layer (L4 of the OSI model):
software for multiplexing, error handling, and ordering
with segments, TCP (Transmission Control Protocol), UDP (User Datagram Protocol),
and ports as new concepts.
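To make the frames/packets/segments terminology concrete, here is an added example written for these notes (it is not code from the original page): it builds one Ethernet II frame carrying an IPv4 packet carrying a TCP SYN segment, then decodes it again layer by layer, verifying the IPv4 header checksum the way a receiver does. Every MAC address, IP address, port and byte in it is constructed for the example, not captured traffic.

```python
# Added example for these notes (not code from the original page): build one
# Ethernet/IPv4/TCP frame and decode it again, to show how an L4 segment is
# wrapped in an L3 packet, which is wrapped in an L2 frame. Every address,
# port and byte below is constructed for the example, not captured traffic.
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_SYN = 0x02


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum
    of all 16-bit words. Over a header that already carries a correct
    checksum the result is 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """L4 -> L3 -> L2: a TCP SYN segment inside an IPv4 packet inside an
    Ethernet II frame. The TCP checksum is left at 0 to keep the example
    short; a real stack computes it over a pseudo-header as well."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, TCP_SYN, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the checksum field
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """L2 -> L3 -> L4: peel the headers and return the fields a switch, a
    router and a firewall each look at. Raises ValueError on anything it
    cannot decode or that fails the checksum."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("IPv4 header too short")
    ip_hdr = frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("IPv4 header checksum mismatch (corrupted packet)")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != PROTO_TCP:
        raise ValueError(f"unsupported IP protocol {proto}")
    tcp_start = 14 + ihl
    sport, dport, _, _, offset, flags, _, _, _ = struct.unpack("!HHIIBBHHH", frame[tcp_start:tcp_start + 20])
    payload = frame[tcp_start + (offset >> 4) * 4:14 + total_len]
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    return {
        "l2": {"src_mac": fmt_mac(src_mac), "dst_mac": fmt_mac(dst_mac)},
        "l3": {"src": str(src_ip), "dst": str(dst_ip), "ttl": ttl,
               "src_private": src_ip.is_private, "dst_private": dst_ip.is_private},
        "l4": {"sport": sport, "dport": dport, "syn": bool(flags & TCP_SYN), "payload": payload},
    }


if __name__ == "__main__":
    frame = build_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff",   # host MAC -> router MAC
                        "192.168.1.100", "93.184.216.34", 50000, 443, b"hello")
    print(parse_frame(frame))
```

Note that the L2 addresses only identify the next hop on the local segment (here the router), while the L3 addresses survive across the internet; the "src_private" flag is exactly the thing NAT on the WAN router has to fix before the packet can leave the home network.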
With the free Wireshark software, I was able to study network traffic.
(2) Communication technology used between networks
The following technologies were studied for communication between the internet and my home network:
Support for accessibility:
DNS (Domain Name System), DDNS (Dynamic Domain Name System), NAT/PAT (Network/Port Address Translation), Port Forwarding
with host naming, IPv4, IPv6, private IP addresses, and public IP addresses as new concepts
Support for security:
(host-based and network-based) Firewall, VPN (Virtual Private Network), SSL/TLS (Secure Sockets Layer / Transport Layer Security)
with DMZ (Demilitarized Zone) as a new concept
DHCP, NAT/PAT, Port Forwarding, and Firewall are normally already provided by the router supplied by the ISP,
but firewalls were also installed on host machines for additional security (e.g., Windows Defender Firewall, UFW on Ubuntu).
Installing a DDNS client makes it possible to link your changing public IP address to a fixed domain name:
the client periodically reports the router's current WAN address to the DDNS provider, which updates the DNS record.
Some good free DDNS services are "Cloudflare" (updated through its DNS API), "Dynu" and "DuckDNS".
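As an added example (written for these notes, not the official client of any DDNS provider), this is what a minimal DDNS updater run from cron does: look up the router's current public address, refuse to continue if that address is not actually public (behind carrier-grade NAT or double NAT, DDNS cannot make the home network reachable), and only call the provider when the address changed. The update URL follows DuckDNS's documented HTTP API; the "what is my IP" endpoint, the state-file path and the environment variable names are assumptions for the example.

```python
# Added example for these notes (not the official client of any DDNS provider):
# a small updater that reports the router's current public address to DuckDNS.
# The update URL follows DuckDNS's documented HTTP API; the "what is my IP"
# endpoint, the state-file path and the environment variable names are
# assumptions made for this example.
import ipaddress
import os
import pathlib
import urllib.request

DUCKDNS_UPDATE = "https://www.duckdns.org/update?domains={domain}&token={token}&ip={ip}"
PUBLIC_IP_URL = "https://api.ipify.org"        # assumption: any plain-text "my IP" service works
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space used by carrier-grade NAT


def http_get(url: str, timeout: float = 10) -> str:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace").strip()


def classify_wan_ip(ip_text: str) -> str:
    """'public' if the address is reachable from the internet, else the reason
    it is not. Behind CGNAT or double NAT neither DDNS nor port forwarding can
    work, so the updater refuses instead of publishing a useless record."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"


def sync(domain: str, token: str, state_file: str, get=http_get) -> str:
    """Update the DNS record only when the public address changed, so the
    provider is not hit every minute from cron. Returns 'updated' or 'unchanged'."""
    current = get(PUBLIC_IP_URL)
    kind = classify_wan_ip(current)
    if kind != "public":
        raise RuntimeError(f"{current} is a {kind} address; DDNS cannot make this router reachable")
    state = pathlib.Path(state_file)
    last = state.read_text().strip() if state.exists() else None
    if current == last:
        return "unchanged"
    reply = get(DUCKDNS_UPDATE.format(domain=domain, token=token, ip=current))
    if reply != "OK":                                # DuckDNS answers "OK" or "KO"
        raise RuntimeError(f"DuckDNS rejected the update: {reply}")
    state.write_text(current)
    return "updated"


if __name__ == "__main__":
    # The token is a credential: keep it in the environment (or a root-only file),
    # never on the command line where `ps` and the shell history can see it.
    print(sync(os.environ["DUCKDNS_DOMAIN"], os.environ["DUCKDNS_TOKEN"], "/var/lib/ddns/last_ip"))
```

Most routers have a built-in DDNS client that does the same thing with the WAN address they know directly; the script is useful when the router's client does not support your provider, and the CGNAT check is the first thing to run when "port forwarding does not work".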
Installing a DNS server within the home network was considered to give hosts with private IP addresses a logical hostname.
Because the benefits are too limited, this additional installation was decided against.
There is also another possibility: when you register a public domain name, you usually point it to a public IP address,
but you can also point it to a private IP address. The name then resolves from anywhere, but the host it names is only reachable from inside your local network.
Check that such a name actually resolves from your LAN, because some home routers and resolvers drop public answers containing private addresses (DNS rebinding protection).
For handling TLS, a reverse proxy can be used in the home network, with certificates obtained through DNS validation.
Let's Encrypt's DNS-01 challenge proves control of the domain with a TXT record at _acme-challenge.<domain>,
so a valid certificate (including a wildcard certificate that covers all your applications) can be issued
without making any of them reachable from the internet; the ACME client only needs an API token for the DNS provider to create that record.
As an added bonus, you don't have to run a custom DNS server.
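To show what the DNS-01 validation actually checks, here is an added example written for these notes (it is not from the original page and not Let's Encrypt's or any ACME client's code). It computes the TXT value from the challenge token and the account key thumbprint as specified in RFC 8555 section 8.4, which is what certbot, acme.sh or Caddy do before they create the record through the DNS provider's API, and it shows the CA's side of the check against a constructed "zone". The account key, the token and the zone dictionary are placeholders constructed for the example.

```python
# Added example for these notes (not from the original page and not Let's
# Encrypt's or any ACME client's code): the computation behind the dns-01
# challenge from RFC 8555 section 8.4. The account key, the token and the
# "zone" dictionary are constructed placeholders for the example.
import base64
import hashlib
import json

# Public half of a constructed ACME account key in JWK form. The coordinates are
# placeholders for the hash computation, not a usable key pair.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members, in
    lexicographic order, serialised with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """(record name, TXT value) the client must publish for `domain`.
    A wildcard name *.home.example is validated at _acme-challenge.home.example,
    the same label as the bare name, which is why one record set may carry
    several values at once (one per pending challenge)."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    txt_value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    name = "_acme-challenge." + domain.removeprefix("*.")
    return name, txt_value


def ca_validates(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """The CA side: look up the TXT record set (here a constructed dict standing in
    for a real DNS lookup) and accept if the expected value is among the answers."""
    name, expected = dns01_record(domain, token, account_jwk)
    return expected in zone.get(name, [])


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed; issued by the CA in reality
    name, value = dns01_record("*.home.example", token, ACCOUNT_JWK)
    print(f'{name}. 60 IN TXT "{value}"')                   # the record to create via the DNS API
    zone = {name: [value]}
    print("CA would issue the wildcard certificate:",
          ca_validates(zone, "*.home.example", token, ACCOUNT_JWK))
```

Because the value is a hash of the token and the account key, someone who can read your DNS learns nothing they can reuse; the thing to protect is the DNS provider's API token that the ACME client uses to write the record, which should be scoped to editing only that zone.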
(3) Additional middleware to support websites and web applications
The following software was studied:
(Forward) Proxy:
Intermediary between client machines and the internet (acting on behalf of the clients),
for increased security (hiding the identity of clients) and filtering (blocking access to certain content);
Often used for outgoing communication to the internet.
Reverse Proxy:
Intermediary between client and multiple backend servers (acting on behalf of the servers),
for increased security (hiding the identity of servers), load balancing, and efficiency (TLS termination, compression, caching);
Often used for incoming communication from the internet.
Load Balancer:
Distributes client requests across multiple backend servers providing the same service,
to ensure high availability and reliability by health-checking the backends and taking unhealthy ones out of rotation.
API (Application Programming Interface) Gateway:
A single point of entry for a set of services
that manages request routing, authentication/authorization, monitoring, and rate limiting;
this is especially important for microservice architectures by providing a unified interface
for managing the complexity of multiple services with different APIs.
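To make the difference between the three roles tangible, here is an added example written for these notes (it is not Nginx code and not a production gateway): the decision logic of a reverse proxy / API gateway reduced to plain functions, so the routing, edge authentication, rate limiting and header handling can be exercised without sockets. The hostnames, backend addresses, paths and tokens are constructed.

```python
# Added example for these notes (not Nginx code and not a production gateway):
# the decision logic of a reverse proxy / API gateway, reduced to pure functions
# so the routing, authentication and rate-limiting rules can be run without
# sockets. Hostnames, backend addresses, paths and tokens are constructed.
import time
from collections import defaultdict

# (public host, path prefix, internal backend) - clients only ever see the gateway.
ROUTES = [
    ("api.home.example", "/users", "http://10.0.0.11:8001"),
    ("api.home.example", "/orders", "http://10.0.0.12:8002"),
    ("www.home.example", "/", "http://10.0.0.10:8080"),
]
PUBLIC_PATHS = {"/users/login"}                  # reachable without a token
API_TOKENS = {"tok_alice": "alice"}              # constructed; a real gateway validates JWT/OIDC tokens
AUTH_HOSTS = {"api.home.example"}                # hosts whose non-public paths require a token


class RateLimiter:
    """Token bucket per client: `rate` requests per second, `burst` in reserve.
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = defaultdict(lambda: (float(burst), self.clock()))   # client -> (tokens, last seen)

    def allow(self, client: str) -> bool:
        tokens, last = self.buckets[client]
        now = self.clock()
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[client] = (tokens - 1 if allowed else tokens, now)
        return allowed


def find_route(host: str, path: str):
    for route_host, prefix, upstream in ROUTES:
        if host == route_host and (path == prefix or path.startswith(prefix.rstrip("/") + "/")):
            return upstream
    return None


def route(request: dict, limiter: RateLimiter):
    """request = {"host", "path", "client_ip", "headers"} (header names as sent).
    Returns (status, upstream URL or None, headers to forward to the backend)."""
    host, path, client = request["host"], request["path"], request["client_ip"]
    # 1. Cheapest check first: throttle by client address before any other work.
    if not limiter.allow(client):
        return 429, None, {}
    # 2. Only configured host/path pairs are forwarded; everything else is refused
    #    here instead of being passed on to an arbitrary internal address.
    upstream = find_route(host, path)
    if upstream is None:
        return 404, None, {}
    # 3. Authentication at the edge, so backends never see an unauthenticated request.
    user = None
    if host in AUTH_HOSTS and path not in PUBLIC_PATHS:
        scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
        user = API_TOKENS.get(token) if scheme == "Bearer" else None
        if user is None:
            return 401, None, {}
    # 4. Headers for the backend. Anything the gateway asserts itself (client
    #    address, authenticated user) is stripped first so a client cannot spoof it.
    forwarded = {k: v for k, v in request["headers"].items()
                 if not (k.lower().startswith("x-forwarded-") or k.lower() == "x-authenticated-user")}
    forwarded.update({"Host": host, "X-Forwarded-For": client, "X-Forwarded-Proto": "https"})
    if user:
        forwarded["X-Authenticated-User"] = user
    return 200, upstream + path, forwarded


if __name__ == "__main__":
    gw_limiter = RateLimiter(rate=5, burst=10)
    print(route({"host": "api.home.example", "path": "/users/42", "client_ip": "198.51.100.9",
                 "headers": {"Authorization": "Bearer tok_alice", "X-Forwarded-For": "spoofed"}},
                gw_limiter))
```

Nginx expresses the same rules declaratively (server_name and location for the routing table, limit_req for the bucket, auth_request or an auth module for the token check, proxy_set_header for the forwarded headers); what the toy makes visible is the order of the checks and that the identity headers the backend trusts must be overwritten, never merely added.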
I've already used Nginx to learn web technology (HTML, CSS, JavaScript).
Nginx is a free, very popular, and powerful web server and reverse proxy.
Goal: Access devices or services on your private network from anywhere
Challenge: Ensuring security, performance and ease of configuration
What options are used in practice to provide users with secure access to a web application hosted on my home network via the public internet?
Port Forwarding:
A NAT rule on the WAN router forwards an external port to an internally hosted application;
port forwarding is often combined with HTTPS, DDNS and a reverse proxy;
[+] it is the simplest method and gives direct access;
[-] one forwarded port reaches only one service (unless a reverse proxy behind it routes by hostname or path);
[-] the service is exposed directly to the whole internet, so it must be kept patched and must use HTTPS,
otherwise traffic (including credentials) travels in clear text;
Resulting communication path:
client => internet => home[wan_router => service]
Traditional VPN Tunneling:
Opening a single port in my firewall to a self-hosted VPN server,
such as WireGuard (or OpenVPN);
creates a direct encrypted tunnel into the network, and only the VPN port is exposed;
[-] more complex setup (but also more flexible),
and requires firewall and router configuration;
[+] full access to the private network;
[-] requires a static public IP or DDNS, and the tunnel adds some encryption and encapsulation overhead;
[-] requires manual updates and maintenance;
Resulting communication path:
client => internet => home[wan_router => vpn_server => service]
Overlay Network VPN Tunneling:
Use an externally hosted coordination server, like Tailscale (or Netbird);
each device runs a client that registers its WireGuard public key with the coordination server,
which distributes the keys and helps the peers find each other through NAT (NAT traversal);
the data itself then flows peer-to-peer over WireGuard between the client and a Tailscale client in your home network,
to access that device or the private subnets it advertises;
a relay forwards the (still end-to-end encrypted) packets only when no direct connection can be established;
no port needs to be opened on the ISP router;
[-] the setup is more involved than port forwarding (a client on every device, or a subnet router in the home network);
[+] simple interface, and clients for all OS's;
[+] auth via Google, Microsoft, GitHub, etc;
[+] devices behave as if they're on the same LAN,
and great for full device access (SSH, RDP, SMB, etc);
Resulting communication path:
client => internet => home[wan_router => tailscale_client => service]
(the coordination server only exchanges keys and endpoints out of band; it does not carry the traffic)
Reverse Tunneling (newer):
Tunneling with Cloudflare technology,
where a connector (cloudflared) on a machine within the home network opens an outbound connection to Cloudflare's edge;
creates a secure tunnel to expose web services (HTTP/S),
using Cloudflare's global infrastructure;
[+] easy setup with the cloudflared client;
[+] no need for a static IP or open ports in the firewall (no exposure of the WAN IP);
[+] authentication via Cloudflare Access (SSO, 2FA, etc),
and provides valid HTTPS certificates for devices that only support HTTP;
[-] needs sufficient trust in Cloudflare,
because TLS is terminated at their edge, so all your communications can be read by them;
[-] your inbound firewall rules are bypassed, since the connection is initiated from inside the network;
[-] not ideal for full network access, but web-based only (not SMB, etc);
Resulting communication path:
client => internet => cloudflare => home[wan_router => cloudflare_client => service]
security (protect what you have):
means protecting your data and devices against unauthorized access
(using vaults, encryption, MFA, a firewall, virus scanning, etc);
port forwarding with HTTPS
makes your communication secure by encrypting all traffic and authenticating the server (the certificate guarantees you reached the correct destination)
privacy (hide what you do):
means having control over your personal data, what you share with whom, and how it's used
(e.g., disabling location tracking, using encrypted messaging apps, etc);
anonymity (hide who you are):
means that you cannot be identified
(e.g., using Tor to browse anonymously);
VPN tunneling
makes your communication secure and private, but not truly anonymous:
it encrypts all traffic, hides the identity (and location) of the requester from the destination service,
and hides the identity of the destination from the untrusted network in between,
but the VPN endpoint itself sees both ends, so anonymity is only as good as your trust in whoever runs it
Conclusion:
Port forwarding with HTTPS is often secure enough for most communication use cases, provided the exposed service is kept patched and requires strong authentication.