Locally hosting an internet-connected server
48 comments · June 18, 2025
JdeBP
This and the comments highlight how bad many ISPs in North America and Western Europe are at IPv6, still, in 2025, and the lengths to which people will go to treat that as damage and literally route around it.
One of the biggest ISPs in my country has been promising IPv6 since 2016. Another, smaller competitor advertised on "World IPv6 Day" in 2011 that it was way ahead of the competition on supplying IPv6, but in fact does not supply it today.
One of the answers I see given a lot over the years is: Yes, I know that I could do this simply with IPv6. But ISPs around here don't route IPv6, or even formally provide statically-assigned IPv4 to non-business customers. So I have had to build this Heath Robinson contraption instead.
mjg59
Pretty much! My ISP was founded by https://en.wikipedia.org/wiki/Rudy_Rucker and is somewhat cheap and delightful and happily routes me a good amount of IPv6, and every 48 hours or so it RAs me an entirely different range even though I still have validity on the lease for the old one and everything breaks, so I've had to turn IPv6 off entirely (I sent dumps of the relevant lease traffic to support, they said they'd look into it, and then the ticket auto closed after being inactive for two years). I spent a while trying to make things work with IPv6 but the combination of it being broken at my end and also there still being enough people I want to provide access to who don't have it means it just wasn't a good option.
anonymousiam
One of my places uses Frontier FiOS (soon to become Verizon again). They have zero support for IPv6, and it isn't even on their roadmap.
I use a static HE (Hurricane Electric) IPv6 tunnel there, and it works great.
The only issue is that YouTube thinks the IPv6 block is commercial or an AI dev scraping their content, so I can't look at videos unless I'm logged in to YouTube.
jxjnskkzxxhx
> Heath Robinson contraption
Ah, I see you also watched that video yesterday on manufacturing a tiny electric rotor.
JdeBP
I actually learned the expression when I was a child, via the Professor Branestawm books.
Joeboy
"Heath Robinson" is British English for "Rube Goldberg".
dismalpedigree
I do something similar. I run a nebula network. The vps has haproxy and is passing the encrypted data to the hosts using sni to figure out the specific host. No keys on the vps.
The vps and each host are each nebula nodes. I can put the nodes wherever I want. Some are on an additional vps, some are running on proxmox locally. I even have one application running as a geo-isolated and redundant application on a small computer at my friend’s house in another state.
Daviey
The commenters suggest Tailscale, but the author assumes this could only mean Funnel, but you could use Tailscale/Headscale for handling the WireGuard and low-level networking / IP allocation.
Then doing straight-forward iptables or L7, or reverse proxy via Caddy, Nginx, etc, directly to the routable IP address.
The outcome is the ~same, bonus is not having to handle the lower level component, negative is an extra "thing" to manage.
But this is how I do the same thing, and I'm quite happy with the result. I can also trivially add additional devices, and even use it for egress, giving me a good pool of exit-IP addresses.
(Note, I was going to add this as a comment on the blog, but it seems their captcha service is broken and would not display, so it was blocked.)
DougN7
Why not use a dynamic DNS service instead? I’ve been using dyn.com (now oci.dyn.com) for years and it has worked great. A bonus is many home routers have support built in.
messe
Only works if you're not behind CGNAT, which has problems in and of itself. I pay my ISP an extra 29 DKK (about 4.50 USD at the moment) for a static address; my IPv4 connections and downloads in general became way more stable after getting out from behind CGNAT.
neepi
CGNAT is hell. Here I had to choose between crap bandwidth or CGNAT. I chose crap bandwidth.
immibis
Hell for hosting, but if you're doing adversarial interoperability as a client, it does help you avoid being IP-banned. (At least in Western countries. I hear that Africa and Latin America tend to just get their CGNAT gateways banned because site operators don't give a shit about whether users from those regions can use their sites)
jaoane
CGNAT is completely irrelevant to the average person. It’s only an issue if you expect others to connect to you, which is something that almost all people don’t need.
(inb4 but the internet was made to receive connections! Well yes, decades ago maybe. But that’s not the way things have evolved. Get with the times.)
mjg59
I have multiple devices on my internal network that I want to exist outside, and dynamic DNS is only going to let me expose one of them.
rkagerer
If they don't all need distinct external IP addresses of their own, port forwarding is a typical approach.
mjg59
That doesn't work well if you want to run the same service on multiple machines. For some you can proxy that (e.g., for web you can just run nginx to proxy everything based on either the host header or SNI data), but for others you can't - you're only going to be able to have one machine accepting port 22 traffic for ssh.
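The SNI-based forwarding that dismalpedigree (haproxy) and mjg59 (nginx) describe above works because the hostname in a TLS ClientHello is sent in the clear before any key is used, so a proxy can pick a backend without ever holding a certificate. The following is an added example, not code from the article or from any commenter, that shows the mechanism itself: a minimal parser that pulls the server_name out of a ClientHello and maps it to a backend, plus a builder that constructs test ClientHellos so it runs offline. The hostnames and backend addresses are constructed placeholders.

```python
import struct

# Constructed routing table: SNI hostname -> (backend address, port). In the
# setups discussed in the thread these would be WireGuard/nebula peer addresses.
BACKENDS = {
    "git.example.invalid": ("10.100.0.2", 443),
    "photos.example.invalid": ("10.100.0.3", 443),
}


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    Returns None for anything that is not a well-formed ClientHello with an
    SNI extension, so a router can fail closed instead of guessing.
    """
    # TLS record header: type(1)=0x16 handshake, version(2), length(2)
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    # Handshake header: type(1)=0x01 ClientHello, length(3)
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:          # truncated record
        return None
    pos = 2 + 32                    # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]            # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]            # compression_methods
    if pos + 2 > len(body):         # no extensions present
        return None
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0 or len(ext_data) < 5:   # 0 = server_name
            continue
        # ServerNameList: list_len(2), then entries of name_type(1)+len(2)+name
        list_len = struct.unpack("!H", ext_data[:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(ext_data)):
            name_type = ext_data[p]
            name_len = struct.unpack("!H", ext_data[p + 1:p + 3])[0]
            p += 3
            name = ext_data[p:p + name_len]
            p += name_len
            if name_type == 0:      # host_name
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def route_for(record: bytes):
    """Pick a backend for a ClientHello; None means reject the connection."""
    name = extract_sni(record)
    if name is None:
        return None
    return BACKENDS.get(name.lower())


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record for testing."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list if with_sni else b""
    body = (b"\x03\x03" + b"\x11" * 32          # version + fixed "random"
            + b"\x00"                            # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                        # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("git.example.invalid", "nobody.example.invalid"):
        print(host, "->", route_for(build_client_hello(host)))
```

Two points worth noting from a defensive angle: the proxy in this model never terminates TLS, so a compromised VPS yields no private keys, but it does see every hostname in cleartext (that is what makes the routing possible), and anything that fails to parse or is not in the table should be dropped rather than forwarded to a default backend.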
KronisLV
Lovely write-up! Personally, I just settled on Tailscale so I don’t have to manage WireGuard and iptables myself.
For a while I also thought that regular SSH tunnels would be enough but they kept failing occasionally even with autossh.
Oh and I got bitten by Docker default MTU settings when trying to add everything to the same Swarm cluster.
ghoshbishakh
There are tools specifically built for hosting stuff without public IP such as https://pinggy.io
anonymousiam
I did the same thing 20 years ago, but I used vtun because Wireguard didn't exist yet. It's a cool way to get around the bogus limitations on residential static IP addresses.
At the time, my FiOS was about $80/month, but they wanted $300/month for a static IP. I used a VPS (at the time with CrystalTech), which was less than $50/month. Net savings: $170/month.
lostlogin
> At the time, my FiOS was about $80/month, but they wanted $300/month for a static IP.
So ridiculous.
It’s fast, far quicker than I can use, and the static IP was a one off $10 or similar.
zokier
Yeah, this is the way to do this. I'm pretty sure that if you for some reason do not want to run wireguard on all your servers you could fairly easily adjust this recipe to have a centralized wg gateway on your local network instead.
I think I've seen some scripts floating around to automate this process but can't remember where. There are lots of good related tools listed here: https://github.com/anderspitman/awesome-tunneling
xiconfjs
Quote from OP's ISP [1]:
"Factors leading to a successful installation: Safe access to the roof without need for a helicopter."
[1] https://www.monkeybrains.net/residential.php#residential
uncircle
I wish I had access to a small ISP. It is comforting to know that if something goes wrong, on the other end of the line there is someone with a Cisco shell open ready to run a traceroute.
v5v3
I would suggest putting a disclaimer on the article to warn any noobs that prior to opening up a server on the internet basic security needs to be in place.
eqvinox
I would highly recommend reading up on VRFs and slotting that into the policy routing bits. It's really almost the same thing (same "ip route" commands with 'table' even), but better encapsulated.
I run a very small VPS at Hetzner with Pangolin on it that takes care of all the Traefik WireGuard tunneling to my home servers. Very easy to set up and operate.
https://fossorial.io/