Locally hosting an internet-connected server (mjg59.dreamwidth.org)
93 points by pabs3 12 hours ago | 90 comments
JdeBP 9 hours ago [-]
This and the comments highlight how bad many ISPs in North America and Western Europe are at IPv6, still, in 2025, and the lengths to which people will go to treat that as damage and literally route around it.

One of the biggest ISPs in my country has been promising IPv6 since 2016. Another, smaller, competitor, advertised on "World IPv6 Day" in 2011 that it was way ahead of the competition on supplying IPv6; but in fact does not supply it today.

One of the answers I see given a lot over the years is: Yes, I know that I could do this simply with IPv6. But ISPs around here don't route IPv6, or even formally provide statically-assigned IPv4 to non-business customers. So I have had to build this Heath Robinson contraption instead.

mjg59 9 hours ago [-]
Pretty much! My ISP was founded by https://en.wikipedia.org/wiki/Rudy_Rucker and is somewhat cheap and delightful and happily routes me a good amount of IPv6, and every 48 hours or so it RAs me an entirely different range even though I still have validity on the lease for the old one and everything breaks, so I've had to turn IPv6 off entirely (I sent dumps of the relevant lease traffic to support, they said they'd look into it, and then the ticket auto closed after being inactive for two years). I spent a while trying to make things work with IPv6 but the combination of it being broken at my end and also there still being enough people I want to provide access to who don't have it means it just wasn't a good option.
anonymousiam 8 hours ago [-]
One of my places uses Frontier FiOS (soon to become Verizon again). They have zero support for IPv6, and it isn't even on their roadmap.

I use a static HE (Hurricane Electric) IPv6 tunnel there, and it works great.

The only issue is that YouTube thinks the IPv6 block is commercial or an AI dev scraping their content, so I can't look at videos unless I'm logged in to YouTube.

stego-tech 4 hours ago [-]
I’m also on FiOS, and despite repeated statements to the effect I’d never get IPv6 on my (20 year) old ONT, I’ve got a nice little /56 block assigned on my kit via DHCPv6. Problem is that, as it’s a DHCP block, it changes, and Namecheap presently does not offer any sort of Dynamic DNS for IPv6 addresses.

Still, it let me tear down the HE IPv6 tunnel I was also running, since the sole reason I needed IPv6 was so our household game consoles could all play online without cursed firewall rules and IP reservations. I’m pretty chuffed with the present status quo, even if it’s far from perfect.

One other thing I’d note about OP's article (for folks considering it as a way to work around shitty ISP policies) is that once you have this up and running, you also have a perfect setup for a reverse proxy deployment for your public services. Just make sure you’re watching your bandwidth so you don’t get a surprise bill.

PaulKeeble 4 hours ago [-]
Mine officially supports it. However, having configured the prefix as they define and using SLAAC etc., all my devices get their IPv6 addresses and can access the internet, I can even connect from outside the network so it all "works", but I have a bunch of issues. Neither of my ISP's defined DNS servers is available, I can't route to one of the OpenDNS resolvers but the other works fine, and then I have these periods where the entirety of IPv6 routing breaks for about a minute and then restores. Having done this with two different routers on completely different firmware now, I can't help but think my official support from my ISP is garbage and they have major problems with it. I had to turn it off because it causes all sorts of problems.
jxjnskkzxxhx 8 hours ago [-]
> Heath Robinson contraption

Ah, I see you also watched that video yesterday on manufacturing a tiny electric rotor.

JdeBP 8 hours ago [-]
I actually learned the expression when I was a child, via the Professor Branestawm books.
jxjnskkzxxhx 6 hours ago [-]
Ok so this is genuinely a case of I see an expression for the first time, learn it, and then see it again immediately after. Fun.
57473m3n7Fur7h3 5 hours ago [-]
The Baader–Meinhof phenomenon strikes again!
jxjnskkzxxhx 2 hours ago [-]
I just learned about this yesterday.
Joeboy 6 hours ago [-]
"Heath Robinson" is British English for "Rube Goldberg".
jxjnskkzxxhx 5 hours ago [-]
TIL
jeroenhd 4 hours ago [-]
I'm in western Europe and every ISP but the ultra cheap ones and the niche use case ones have stable IPv6 prefixes. Some do /48, others /56.

IPv4 is getting CGNAT'd more and more, on the other hand. One national ISP basically lets you pick between IPv4 CGNAT and IPv6 support (with IPv6 being the default). Another has been rolling out CGNAT IPv4 for new customers (at first without even offering IPv6, took them a few months to correct that).

This isn't even an "America and Western Europe" thing. It's a "whatever batshit insane approach the local ISP took" thing. And it's not just affecting IPv6 either.

emilfihlman 4 hours ago [-]
Once again I voice the only sane option: Skip IPv6 and the insanity that it is, and do IPv8 and simply double (or quadruple) the address space without introducing other new things.
acdha 2 hours ago [-]
This is a pipe dream in the current century. IPv6 adoption has been slow but it’s approaching 50% and absolutely nobody is going to go through the trouble of implementing a new protocol; updating every operating system, network, and security tool; and waiting a decade for users to upgrade without a big advantage. “I don’t want to learn IPv6” is nowhere near that level of advantage.
Daviey 9 hours ago [-]
The commenters suggest Tailscale, but the author assumes this could only mean Funnel, whereas you could use Tailscale/Headscale for handling the WireGuard and low-level networking / IP allocation.

Then doing straight-forward iptables or L7, or reverse proxy via Caddy, Nginx, etc, directly to the routable IP address.

The outcome is the ~same, bonus is not having to handle the lower level component, negative is an extra "thing" to manage.

But this is how I do the same thing, and i'm quite happy with the result. I can also trivially add additional devices, and even use it for egress, giving me a good pool of exit-IP addresses.

(Note, I was going to add this as a comment on the blog, but it seems their captcha service is broken and would not display, so it was blocked)

PeterStuer 6 hours ago [-]
I run a very small VPS at Hetzner with Pangolin on it that takes care of all the Traefik and WireGuard tunneling to my home servers. Very easy to set up and operate.

https://fossorial.io/

thatcherc 6 hours ago [-]
Cool! Do you like that approach? I've thought about setting up that exact thing but I wasn't sure how well it would work in practice. Are there any pitfalls you ran into early on? I might give it a shot after your "very easy to set up and operate" review!
PeterStuer 1 hour ago [-]
Honestly it was very easy. Their documentation is decent, and the defaults are good.

Setting up Pangolin on the VPS and Newt on your LAN, connecting them and adding e.g. a small demo website as a resource on Pangolin will take you about half an hour (unless your domain propagation is slow, so always start by defining the name in DNS and pointing it to your VPS IP. You can use a wildcard if you do not want to manually make a new DNS entry each time).

DougN7 11 hours ago [-]
Why not use a dynamic DNS service instead? I’ve been using dyn.com (now oci.dyn.com) for years and it has worked great. A bonus is many home routers have support built in.
messe 10 hours ago [-]
Only works if you're not behind CGNAT, which has problems in and of itself. I pay my ISP an extra 29 DKK (about 4.50 USD at the moment) for a static address; my IPv4 connections and downloads in-general became way more stable after getting out from behind CGNAT.
neepi 9 hours ago [-]
CGNAT is hell. Here I had to choose between crap bandwidth or CGNAT. I chose crap bandwidth.
immibis 8 hours ago [-]
Hell for hosting, but if you're doing adversarial interoperability as a client, it does help you avoid being IP-banned. (At least in Western countries. I hear that Africa and Latin America tend to just get their CGNAT gateways banned because site operators don't give a shit about whether users from those regions can use their sites)
jeroenhd 4 hours ago [-]
The client feature only works for websites that care about making exceptions for CGNAT users. Plenty of them simply ban the shared addresses.

That's part of the reason why countries like India are getting so many CAPTCHAs: websites don't care for the reason behind lackluster IP plans from CGNAT ISPs. If the ISP offered IPv6 support, people wouldn't have so many issues, but alas, apparently there's money for shitty CGNAT boxes but not IPv6 routers.

neepi 7 hours ago [-]
Not quite. I'm in the UK and some of our customers get blocked by overzealous CDNs and they're all on CGNAT.
jaoane 8 hours ago [-]
CGNAT is completely irrelevant to the average person. It’s only an issue if you expect others to connect to you, which is something that almost all people don’t need.

(inb4 but the internet was made to receive connections! Well yes, decades ago maybe. But that’s not the way things have evolved. Get with the times.)

juergbi 7 hours ago [-]
Cloudflare sometimes preventing access to some sites and annoying CAPTCHA challenges due to CGNAT are relevant to the average person.

Full IPv6 support should be a requirement for both ISPs as well as websites and other servers.

jaoane 7 hours ago [-]
> Cloudflare sometimes preventing access to some sites and annoying CAPTCHA challenges due to CGNAT are relevant to the average person.

They would be, but thankfully CGNAT doesn’t cause that.

jeroenhd 4 hours ago [-]
It's not a direct cause, but if an IP is hitting my website with spam, I don't care if it's a spam bot or a CGNAT exit point. The only way to stop the spam is to take action against the IP address. For CGNAT customers, that means extra CAPTCHAs or worse.

You can ask your ISP for your own IPv6 subnet if you don't want to be lumped in with the people whose computers and phones are part of a scraping/spamming botnet.

messe 6 hours ago [-]
It contributes to it, because now you're behind the same public IP address as X other people. You're then X-times more likely to get flagged as suspicious and need to enter a CAPTCHA X-times more frequently.
jaoane 6 hours ago [-]
Cloudflare easily detects that using your discrete external port range and knows better than to show you a CAPTCHA.
orangeboats 3 hours ago [-]
Anecdotal experience (I know, of course... this is sample size n=1) tells me that you can't be further from the truth.

Putting CF aside, anyone who has tried to edit Wikipedia anonymously should understand the pain of CGNAT.

throw0101d 3 hours ago [-]
> It’s only an issue if you expect others to connect to you, which is something that almost all people don’t need.

Unless they're playing video games:

* https://steamcommunity.com/sharedfiles/filedetails/?id=27339...

* https://www.checkmynat.com/posts/optimizing-nat-settings-for...

The video game industry is bigger than movies, television, and music combined:

* https://www.marketing-beat.co.uk/2024/10/22/dentsu-gaming-da...

So I think CGNAT / double-NAT can hit a lot of folks.

> Well yes, decades ago maybe. But that’s not the way things have evolved. Get with the times.

Why? Why should I accept the enshittification of the Internet that has evolved to this point? Why cannot people push for something better?

jaoane 2 hours ago [-]
Pathetic that in 2025 there still are games that rely on p2p connections, to the detriment of the experience because cheating can’t be detected server-side. GTA 5 is one of them.
throw0101d 2 hours ago [-]
If I've purchased a video game, why should I have to be reliant on the publisher's servers being up? Self-hosting should be a thing:

* https://store.steampowered.com/curator/41339173-Self-Hosted-...

At the very least if a game publisher wants to power down their own servers because they don't feel it's "worth" supporting their customers, they should post the server code so that the customers can continue to use the product they 'bought'.

jaoane 2 hours ago [-]
Completely agree with the last paragraph.
mjg59 11 hours ago [-]
I have multiple devices on my internal network that I want to exist outside, and dynamic DNS is only going to let me expose one of them
rkagerer 10 hours ago [-]
If they don't all need distinct external IP addresses of their own, port forwarding is a typical approach.
mjg59 10 hours ago [-]
That doesn't work well if you want to run the same service on multiple machines. For some you can proxy that (eg, for web you can just run nginx to proxy everything based on either the host header or SNI data), but for others you can't - you're only going to be able to have one machine accepting port 22 traffic for ssh.
herbst 10 hours ago [-]
You can port forward SSH to other internal machines, just like nginx + web.
mjg59 10 hours ago [-]
I can port forward port 22 to a single machine. I can't proxy port 22 in a way that directs the incoming connection to the correct machine, at least not without client configuration.
koolba 9 hours ago [-]
You only need one inbound machine as your bastion. Then hop from there to the rest using local address. Once you set up the proxy config in ssh it’s completely transparent.
mjg59 9 hours ago [-]
Right yes but I (for various reasons) end up using a lot of different client systems and I don't want to have to configure all of them to transparently jumphost or use different port numbers and why are people spending so much time trying to tell me that I should make my life complicated in a different way to the one I've chosen?
mnw21cam 6 hours ago [-]
Yeah, I currently have a VPS with various SSH port forwards allowing me to direct incoming connections of various types to my home computer which is behind NAT. It's evil and horrible and nasty for various reasons, not least of which that all your incoming connections look to your inner server like they come from the same IP address, preventing you from logging or filtering the source of any request. And you need to make sure if you forward incoming connections to your SMTP server that it doesn't think they are local trusted connections that it can relay onwards, turning your setup into an open relay.

Seriously thinking about switching to a setup similar to the article. I mean, my setup works for now, but it's un-pretty.

mvanbaak 8 hours ago [-]
ipv6 has solved this. Too bad it's not yet a common thing.
tialaramex 3 hours ago [-]
The Google data strongly suggests that at this point it's probably available to a majority of home users. Corporate remains significantly worse. My employer, which paid me to do IPv6 stuff last century in a very different role, today has IPv6 for random outsiders but if you have a corporate issued laptop IPv6 is disabled and they cheerfully explained that it's "difficult" in a call this week right before I pointed out what I was paid to do and where a quarter century ago. Embarrassing for them.
chgs 10 hours ago [-]
Select an isp that gives you multiple ip v4 addresses. Or host on ipv6.
mjg59 10 hours ago [-]
Yes, if I had multiple IPv4 addresses already it wouldn't be necessary to tunnel in additional IPv4 addresses, but since I don't and since there are no ISPs who will provide that to me at this physical address, tunneling is where I am.
v5v3 10 hours ago [-]
In many countries, unless you buy a business broadband package (more expensive),residential internet does not come with such options.
mystified5016 2 hours ago [-]
Yes, that's how it works when you only have a single IP. The standard way to deal with this is a reverse proxy for web requests. Other services require different workarounds. I have a port 22 SSH server for git activities, and another on a different port that acts as a gateway. From that machine I can SSH again to anywhere within my local network.

It's really not onerous or complicated at all. It's about as simple as it gets. I'm hosting a dozen web services behind a single IPv4 address. Adding a new service is even easier than without the proxy setup. Instead of dicking around with my firewall and port forwarding, I just add an entry to my reverse proxy. I don't even use IPs, I just let my local DNS resolve hostnames for me. Easy as.

mjg59 55 minutes ago [-]
The entire point of this is that I don't want to deal with non-standard port numbers or bouncing through hosts. I want to be able to host services in the normal boring way, and this approach lets me do that without needing to worry about dynamic DNS updates whenever my public IP changes.
thedanbob 5 hours ago [-]
This is what I do, except the dynamic DNS service is just a script on my server that updates Cloudflare DNS with my current external IP. In practice my address is almost static, I've never seen it change except when my router is reset/reconfigured.
KronisLV 10 hours ago [-]
Lovely write up! Personally, I just settled on Tailscale so I don’t have to manage WireGuard and iptables myself.

For a while I also thought that regular SSH tunnels would be enough but they kept failing occasionally even with autossh.

Oh and I got bitten by Docker default MTU settings when trying to add everything to the same Swarm cluster.

zokier 9 hours ago [-]
Yeah, this is the way to do this. I'm pretty sure that if you for some reason do not want to run wireguard on all your servers you could fairly easily adjust this recipe to have a centralized wg gateway on your local network instead.

I think I've seen some scripts floating around to automate this process but can't remember where. There are lots of good related tools listed here: https://github.com/anderspitman/awesome-tunneling

anonymousiam 8 hours ago [-]
I did the same thing 20 years ago, but I used vtun because WireGuard didn't exist yet. It's a cool way to get around the bogus limitations on residential static IP addresses.

At the time, my FiOS was about $80/month, but they wanted $300/month for a static IP. I used a VPS (at the time with CrystalTech), which was less than $50/month. Net savings: $170/month.

lostlogin 8 hours ago [-]
> At the time, my FiOS was about $80/month, but they wanted $300/month for a static IP.

So ridiculous.

It’s fast, far quicker than I can use, and the static IP was a one off $10 or similar.

xiconfjs 8 hours ago [-]
Quote from OP's ISP [1]:

"Factors leading to a successful installation: Safe access to the roof without need for a helicopter."

[1] https://www.monkeybrains.net/residential.php#residential

uncircle 8 hours ago [-]
I wish I had access to a small ISP. It is comforting to know that if something goes wrong, on the other end of the line there is someone with a Cisco shell open ready to run a traceroute.
politelemon 10 hours ago [-]
Another alternative could be a cloudflare tunnel. It requires installing their Daemon on the server and setting up DNS in their control panel. No ports need opening from the outside in.
jeroenhd 4 hours ago [-]
The downside of the Cloudflare approach is that yet more websites are behind Cloudflare's control. The VPS approach works pretty much the same way Cloudflare does, but without the centralized control.

On the other hand, Cloudflare is a pretty easy solution against spam bots and scrapers. Probably a better choice if that's something you need protection against.

PaulKeeble 4 hours ago [-]
Everyone does these days, although its really the AI scrapers you need defence from and Cloudflare isn't doing so good at that yet.
troupo 6 hours ago [-]
I used to expose a site hosted on my home NAS through it, and now I do the same from a server at Hetzner.

Works like magic :)

eqvinox 9 hours ago [-]
I would highly recommend reading up on VRFs and slotting that into the policy routing bits. It's really almost the same thing (same "ip route" commands with 'table' even), but better encapsulated.
bzmrgonz 2 hours ago [-]
This is an interesting use case for a jumpbox. So what if we install a reverse proxy on the VPS and use WireGuard to redirect to services at home (non-static)? Would that work too? Any risks that you can see?
v5v3 10 hours ago [-]
I would suggest putting a disclaimer on the article to warn any noobs that prior to opening up a server on the internet basic security needs to be in place.
dismalpedigree 6 hours ago [-]
I do something similar. I run a Nebula network. The VPS has HAProxy and is passing the encrypted data to the hosts using SNI to figure out the specific host. No keys on the VPS.

The vps and each host are each nebula nodes. I can put the nodes wherever i want. Some are on an additional vps, some are running on proxmox locally. I even have one application running as a geo-isolated and redundant application on a small computer at my friend’s house in another state.

remram 4 hours ago [-]
This Nebula? https://github.com/slackhq/nebula
dismalpedigree 4 hours ago [-]
Yes. That's the one. Works really well. Basically a free version of Tailscale. A bit more of a learning curve.
ghoshbishakh 6 hours ago [-]
There are tools specifically built for hosting stuff without public IP such as https://pinggy.io
crtasm 3 hours ago [-]
There are a number of paid services like that yes.
mrbluecoat 3 hours ago [-]
A similar simple option: https://github.com/hyprspace/hyprspace
dboreham 36 minutes ago [-]
I do something similar but using GRE since I don't need encryption. Then I have OSPF on the resulting overlay network (there are several sites) to deal with ISP outages. One hop is via Starlink and that does use WireGuard because Elon likes to block tunnel packets, but we get through.
1317 3 hours ago [-]
Things like this that go through some external VPS always seem a bit pointless to me.

just host it on the VPS directly

dboreham 28 minutes ago [-]
I have workloads that need 32T of enterprise nvme that I run on a machine in my garage.
orangeboats 3 hours ago [-]
A VPS that relays traffic and a VPS that runs services are very different.
fainpul 4 hours ago [-]
> Let's say the external IP address you're going to use for that machine is 321.985.520.309 and the wireguard address of your local system is 867.420.696.005.

What is going on here with these addresses? I'm used to seeing stuff like this in movies – where it always destroys my immersion because now I have to think about the clueless person who did the computer visuals – but surely this author knows about IPv4 addresses?

l-p 4 hours ago [-]
The author did not want to use real addresses and was not aware of the 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 ranges specified in RFC 5737 - IPv4 Address Blocks Reserved for Documentation.
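A small checker for the two address problems raised in this thread: placeholder addresses that are not valid IPv4 at all (vs. the RFC 5737 documentation blocks l-p points to), and the CGNAT situation discussed further up, where dynamic DNS and port forwarding stop working because the ISP's shared address space (RFC 6598, 100.64.0.0/10) sits in front of you. This is an added example, not code from the article or from any commenter; the sample inputs are constructed and the "observed public address" would in practice come from an external what-is-my-IP lookup.

```python
"""Classify IPv4 addresses for the cases this thread keeps running into.

Added example, not from the article or any commenter. The constants are the
RFC ranges named in the thread (RFC 5737 documentation blocks, RFC 6598 shared
address space used for CGNAT) plus RFC 1918; inputs to diagnose_nat() are
constructed for illustration.
"""
import ipaddress

DOCUMENTATION = [ipaddress.ip_network(n) for n in
                 ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]   # RFC 5737
CGNAT = ipaddress.ip_network("100.64.0.0/10")                             # RFC 6598
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]             # RFC 1918


def classify(text: str) -> str:
    """Return 'invalid', 'documentation', 'cgnat', 'private', 'special' or 'public'."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:            # e.g. the article's 321.985.520.309: octets above 255
        return "invalid"
    if any(addr in net for net in DOCUMENTATION):
        return "documentation"    # safe to use as a placeholder in a write-up
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in PRIVATE):
        return "private"
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_reserved:
        return "special"
    return "public"


def diagnose_nat(router_wan_address: str, observed_public_address: str) -> str:
    """Compare the WAN address your own router reports with the address the
    internet sees for you. Port forwarding and dynamic DNS only help for 'direct'.
    """
    if router_wan_address == observed_public_address:
        return "direct"
    kind = classify(router_wan_address)
    if kind == "cgnat":
        return "cgnat"            # ISP NATs you again; nobody can connect in
    if kind == "private":
        return "double-nat"       # another NAT box (ISP modem/router) upstream of yours
    return "unknown"
```

Run it against your router's WAN address and the address an external service reports: "cgnat" or "double-nat" is the case messe and neepi describe, where a dynamic DNS name points at an address that cannot receive your connections.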
dreamcompiler 3 hours ago [-]
Putting a privkey on your VPS seems like asking for trouble.
kinduff 11 hours ago [-]
This is an interesting solution and wouldn't mind using one of my existing servers as a gateway or proxy (?).

Is there a way to be selective about what ports are exposed from the host to the target? The target could handle it but fine grained control is nice.

mjg59 11 hours ago [-]
You could just set a default deny iptables policy for forwarding to that host, and then explicitly open the ports you want
baobun 10 hours ago [-]
iptables is legacy now and if you're not already well-versed in it, better go straight to nftables (which should be easier to get started with anyway). On modern systems, iptables commands are translated to nftables equivalents by transitional package.
lazylizard 11 hours ago [-]
you can also run a proxy on the vps instead of the nat.
mjg59 10 hours ago [-]
Depends on the protocol. For web, sure - for ssh, nope, since the protocol doesn't indicate which machine it's trying to connect to and so you don't know where to proxy it to.
remram 4 hours ago [-]
I don't know what you mean by "the protocol". There is a destination IP address on every packet... getsockname() will tell the proxy which local IP the client dialed, allowing it to create "virtual hosts" (or you can actually run multiple proxies bound on different local addresses).
mjg59 1 hour ago [-]
I have one public IP address. I have three machines behind it that I want to SSH into. How does the machine with the public address know where to route an incoming port 22 packet? For HTTPS this is easy - browsers send the desired site in the SNI field of the TLS handshake, so the frontend can look at that and route appropriately. For SSH there's no indication of which host the packet is intended for.
remram 30 minutes ago [-]
Well you can't, but that wouldn't work with routing either, and it is not the situation at hand: in the article there are multiple IPs on the VPS:

> you now have multiple real-world IP addresses that people can get to

In your new situation that is not the one in the article, you can just use different ports.

baobun 10 hours ago [-]
You can still TCP proxy SSH just fine (one port per target host obv)

Certain UDP-based protocols may be hairier, though.

PhilipRoman 8 hours ago [-]
Socket based proxying is better for this, since you eliminate one point from your attack surface (if your proxy server gets compromised, it's just encrypted ssh/TLS)
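The three points made in this sub-thread (mjg59: HTTPS can be demultiplexed on one address by SNI while SSH cannot; dismalpedigree: HAProxy passing encrypted data through by SNI with no keys on the VPS; PhilipRoman: a compromised front end then only sees ciphertext), as one added example that is not code from the article or from any commenter. It parses a TLS ClientHello only as far as the server_name extension and relays the still-encrypted bytes to a backend chosen from that name; an SSH connection is refused because its identification string names no target host. The backend map and its addresses, and the ClientHello builder used as test input, are assumptions for illustration.

```python
"""SNI passthrough front end: route TLS by server_name, refuse to guess for SSH.

Added example for this thread, not code from the article or any commenter.
BACKENDS and build_client_hello() are assumptions for illustration only.
"""
import socket
import struct
import threading
from typing import Optional, Tuple

# Hypothetical map of SNI name -> internal (host, port); values are made up.
BACKENDS = {
    "www.example.com": ("10.0.0.10", 443),
    "git.example.com": ("10.0.0.11", 443),
}


def extract_sni(data: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if absent/malformed.

    Only what is needed to reach the extensions is parsed; nothing is decrypted,
    so the front end holds no private key.
    """
    try:
        if data[0] != 0x16:                                    # record type 22 = handshake
            return None
        body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if body[0] != 0x01:                                    # handshake type 1 = ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None                                        # truncated: read more first
        pos = 2 + 32                                           # client_version + random
        pos += 1 + hello[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                                  # compression_methods
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        if end > len(hello):
            return None
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:                                  # 0 = server_name
                continue
            p = 2                                              # skip server_name_list length
            while p + 3 <= len(ext):
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                name = ext[p + 3:p + 3 + name_len]
                if name_type == 0 and len(name) == name_len:   # host_name entry
                    return name.decode("ascii").lower()
                p += 3 + name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def choose_backend(first_bytes: bytes) -> Optional[Tuple[str, int]]:
    """Pick a backend from a connection's first bytes; None means drop it."""
    if first_bytes.startswith(b"SSH-"):
        return None   # SSH identification string names no target host: cannot demux
    name = extract_sni(first_bytes)
    return BACKENDS.get(name) if name else None


def handle(client: socket.socket) -> None:
    """Serve one accepted connection: peek, choose, then relay bytes both ways."""
    head = client.recv(4096, socket.MSG_PEEK)   # inspect without consuming
    target = choose_backend(head)
    if target is None:
        client.close()
        return
    upstream = socket.create_connection(target)
    for src, dst in ((client, upstream), (upstream, client)):
        threading.Thread(target=_pump, args=(src, dst), daemon=True).start()


def _pump(src: socket.socket, dst: socket.socket) -> None:
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        dst.close()


def build_client_hello(server_name: str) -> bytes:
    """Constructed test input: a minimal ClientHello carrying one SNI entry."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session id
             + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
             + b"\x01\x00"                               # one (null) compression method
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Bind a listener on the public address and call handle() for each accepted socket. One caveat the parser makes explicit: a single recv(MSG_PEEK) may return only part of the ClientHello, in which case extract_sni() returns None and a production front end should wait for more bytes rather than drop the connection. The SSH branch is the whole point of the argument above: with one public IP there is nothing in the first bytes of an SSH session to route on, so a single port 22 can only ever go to a single host.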
sneak 4 hours ago [-]
This article was not worth having to solve a captcha to read.

I think I will be done with sites that require me to solve captchas to visit for simple reading, just as I am done with sites that require me to run javascript to read their text.

superkuh 3 hours ago [-]
At least it is technically possible to complete the dreamwidth captchas now. For many years (well before the modern corporate spidering insanity) dreamwidth was just completely inaccessible no matter how many times one completed their captchas. You'd have to be running a recent version of Chrome or the like.

Now after doing the captcha ~5 times and getting nothing a different captcha pops up that actually works and lets one in.

It's not good but it's a hell of a lot better than their old system.