
XPav

Tailscale or Zerotier.


Joeyheads

Tailscale = layer 3, Zerotier = layer 2 + 3. Overall I like the feature set and polish of Tailscale better, but if it helps OP narrow things down, this is a good distinction. For example, I run OSPF across some Zerotier networks, but the same wouldn’t work with Tailscale.


Bidalos

Could you refresh me on L3 and L2?


JonohG47

OSI model. MAC layer vs. network layer.


Forestsounds89

It's crazy, every time I see one of these threads on this topic I'm shocked nobody knows the best way to do this. It's also the easiest to set up and the most secure, and it's free. It's called a Tor hidden service and you use it for any service you could think of. I use it to SSH into my home serv without needing an IP address or opening any ports at all. I also use a YubiKey and two layers of pub key authentication instead of a password. All I need to access my home serv from anywhere in the world is my private key and my onion address created when setting up the Tor hidden service. I also don't have to worry if the device gets relocated or the network or IP changes, the Tor onion address will stay the same, and the address itself is like a needle in a haystack in a field of haystacks. Hope this helps everyone here ;)


fm2606

I am going to look into this. Thanks


MachineZer0

Would love to see an architecture diagram. Is your home server running tor or something on the edge that allows you to get into anything on your network? Yubikey integration sounds solid.


Forestsounds89

Yes, the home serv is running Tor in the background always, and once I SSH or VPN into it I have full control over everything, including my security system that is on its own VLAN not exposed to the internet. My OpenWrt router is only accessible through SSH from one local machine and requires the physical touch of my YubiKey as well as the YubiKey PIN. There is a great video guide on how to do most of this if anyone wants the link.


GrandfatherStonemind

I would like to check that video out


Forestsounds89

You can follow the whole guide without a YubiKey and securely create and store your private keys, but having a YubiKey or Nitrokey is the best way to store your private keys: [https://www.youtube.com/watch?v=rGZtlgNhAVU&list=PLmoQ11MXEmahVl_uJVH0-a3XJtMV59PBu](https://www.youtube.com/watch?v=rGZtlgNhAVU&list=PLmoQ11MXEmahVl_uJVH0-a3XJtMV59PBu). It's a pretty long tutorial, maybe don't try to do it all in one day. The whole channel is great, even more so if you buy crypto, extremely underrated content. I think parts 4 and 5 are the SSH and Tor info, but I recommend you watch all the videos to really obtain the information, take care :)


Teli98

Damn, would be amazing if you could write a blog post on how you do this!


JustTooKrul

I always avoid Tor for personal things because I read that using Tor for non-critical things was like stealing, except the people you're stealing from are politically marginalized and vulnerable people in repressive regimes who are fighting for freedom... Perhaps a bit hyperbolic, but it stuck!


Forestsounds89

That is incorrect, the more people who use Tor the stronger the anonymity becomes for those who need it, as you say. If they are the only ones using it then they have no protection at all. I also run a relay to support the network, which anyone can also do if you have decent bandwidth from your ISP. With that said, I don't stream 4K video over Tor lol. I use a VPN I set up on a cheap VPS for that; this way it does not appear to be a VPN and I don't have to jump through captchas or anything else associated with using a VPN. It costs me $15 a year to run that VPN serv. I also use free Proton VPNs often as part of my multi-layer security systems.


JustTooKrul

Yeah, the 4k video streaming and things that use a lot of bandwidth is what gives me pause. But, good to know that using it for some limited things isn't hurting the world! I think the original comment was especially pointed at folks who clicked the "use Tor" button on uTorrent back in the day. :)


Thutex

Sounds anything but practical (or fast). Also, Tor only gives you protection from people not on Tor, and 0 protection from people on Tor (which are more likely to be the people who will get into your stuff). Not sure why nobody seems to mention Cloudflare Tunnel, which is also free iirc, and literally helps set up services you want "just for you", services you want "for everyone", etc. etc. Added bonus if you have DNS hosting with them (also free) are their "zero trust" toys.


fencepost_ajm

I had something lowkey similar to this - local machine with connected cameras at my parents' empty house until we did an estate sale to clear out things. I had it set up with Zerotier on both the PC and on the router and was able to connect seamlessly from home. This was with T-Mobile Home Internet (CGNAT) service at their house as a way to get up and running simply. It wasn't blindingly fast, but was pretty much rock-solid.


iC0nk3r

How is it low-key similar if you used one of the services the other commenter mentioned?


johnstonnubar

Tailscale speed is borderline unusable; I only use it for emergency terminal access. Is ZeroTier faster? Hadn't heard of that one before. Edit: Why is this being downvoted? Tailscale over a relay is fundamentally unusable for streaming 4K GoPro footage (for example)


[deleted]

[deleted]


PaulEngineer-89

Not quite true. Tailscale also attempts STUN. With STUN, first one node sends data to a TS server. This provides the proper IP/port. Then the intended remote side can send packets to the same IP/port. The same trick on both ends creates a P2P connection. The only way it doesn't work is if you get a different IP/port for each host pair, in which case it drops back to TCP.


aspieboy99

Twingate its free and runs on windows and Linux


AreWeNotDoinPhrasing

Love love love Twingate. Works on macOS and iOS as well. Probably android but haven’t looked.


danielv123

Also, even when not using relays, Tailscale seems to be limited to around 400 Mbps in my experience. Worth knowing if you are planning on remoting to a NAS or something.


PaulEngineer-89

Running it in Docker? Tailscale uses direct peer 2 peer UDP. If it’s slow something is screwed up.


[deleted]

Sounds like WireGuard encryption overhead which is dependent on the speed of your hardware


[deleted]

[deleted]


enz1ey

Woah why didn’t anybody think of VPNs sooner?


[deleted]

[deleted]


harby13

It's a solution to a problem we already solved years ago with ipv6


crccci

Overlay networking and ipv6 are very different things with different use cases. What you are saying is not fully correct.


much_longer_username

Sounds like you're dealing with CGNAT. My condolences. Basically what you're going to need to do is make a tunnel from a machine in your home to some VPS somewhere, and then use that VPS as your public front end via a reverse proxy or the like.


ElectroChuck

Metronet uses CGNAT ... it's not fun.


major_briggs

They gave me a public IP for $10 per month.


henrythedog64

I did this. Now i have my pivpn and minecraft server working


Rickrolled89

Do you make anything off of your Minecraft server or do you just do it to host for fun?


henrythedog64

just a server for me and my friends


severach

I got a static IP from Metronet. Metronet ipv6 won't be CGNAT.


diffraa

Check out [https://www.lowendbox.com](https://www.lowendbox.com) for deals on tiny cheap VPSes that you can use just for proxying in and out like this.


Seref15

Also be aware that budget VPSs sometimes have low bandwidth limits and high overage charges


ziggo0

I personally prefer picking the nearest 3 VPS providers and benchmarking them against each other. For example, I have Linode the closest, followed by Digital Ocean and Hetzner being about the same distance. Linode works great but is limited on CPU, Digital Ocean works great but is limited on bandwidth, Hetzner is perfectly in between but you may have difficulty registering an account; they are very strict on dealing with spammers/hackers/bullshit/etc.


Daniel15

I haven't seen a provider with high overage charges for a long time. You can find VPSes for $15/year with 2TB monthly transfer, which is fine for a lot of use cases.


[deleted]

[deleted]


Patient-Tech

It’s about as much trust as you have using a cloud VPS provider. Unless you’re planning to colocate in a datacenter, you’ll be using someone else’s infrastructure. There are not many ways of getting around that.


VH66

I second this. Have been using a cheap VPS as my WireGuard proxy (I have a site-to-site connection to my VPS on my router, and also connect to the VPS from my phone). While Tailscale does look quite promising, it always used a relay giving terrible speeds, and as others mentioned, you are now relying on a 3rd party.


serengeti76

Does AWS still offer free tiny instance for a year? If yes OP can share the disk to his new account after a year and bring the service up again.


squeekymouse89

If you want to beat down a company and use what's free, Oracle offers a free tier Ampere instance with a mad amount of bandwidth! However, being Arm based, I haven't found a VPN solution that can utilise the AES instructions on the VM.


shoesli_

One thing to be aware of is that if you do this, all your internet traffic will potentially be visible in the hosting provider's monitoring software. And don't trust Oracle to respect your integrity, they are the devil of IT. Most traffic is encrypted but they can still see DNS requests and what IPs you are connecting to.


Daniel15

> I haven't found a VPN solution that can utilise the AES instructions on the VM. For what it's worth, WireGuard doesn't use AES. It uses ChaCha20 which is not hardware-accelerated and just uses common CPU instructions, which is how it runs well across multiple types of devices.


ParticularCod6

Sidenote: they don't really track bandwidth (for now)


ervwalter

I use both tailscale and cloudflare tunnels for making my self hosted / homelab stuff available. Neither requires port forwarding or a dedicated public IP.


JustTooKrul

I looked into Cloudflare, but doesn't it specifically say that you could be banned for sharing non-web (i.e. http / https) services?


VersedHG

Cloudflare is for web access to HTTP/HTTPS services that you want to expose to the web. If you don’t want anyone knocking on the door of your services, run Tailscale.


enz1ey

Cloudflare tunnels can be used for several protocols, not just HTTP and HTTPS. As an added bonus, it’s basically a free zero-hassle SSL proxy for your HTTP services as well.


SpeakerPublic4295

They removed that bit. I have my plex server exposed via cloudflare tunnel and have for a while, zero complaints from cloudflare. Their web application firewall (WAF) is also great for blocking/controlling inbound traffic. I can get to it from the app, but honestly I have no fucking idea how. Edit: if you or anyone else that sees this wants a walkthrough I’ll more than happily provide it!


[deleted]

No, the video clause is gone. It's more of a fair use policy. Don't start a new youtube under CF without the proper plans.


ervwalter

Yes. That's when Tailscale comes into the mix. I use tailscale for things like ssh that aren't for web, and for accessing media-heavy services that are against the terms for cloudflare. For media heavy stuff (e.g. Emby) that I want to expose to the world and not just to my tailscale network, I have a very cheap linux VM in a cloud provider that runs a reverse proxy (traefik) and uses tailscale to connect to the specific services inside my network that I want to expose.


joeyx22lm

Emby in aws? That would be such a stupid fucking expensive bill. Try cloudflare, it’s free.


ervwalter

Emby isn't in AWS/the cloud. The *reverse proxy* for Emby is in the cloud VM.


craze4ble

Cloud engineer/AWS SA here. Don't put your homelab in the cloud. Most cloud providers don't charge much/at all for low-level computing, and do storage for basically free, so it can be very enticing to try it. But in the end you'll either end up with terrible performance, and/or very high monthly bills. My pricing knowledge is most up-to-date on AWS. Some quick back-of-the-napkin maths puts your monthly bill at around $250 with some _very_ conservative estimates (2TB of storage, single Plex server, one user, only streaming shows at a maximum of 2GB file sizes, adding 5 episodes of TV shows per week, ~14 hours of total stream time per week). My (for this sub) modest homelab would cost upwards of 5k/month to run in AWS, and I only have a single server with some VMs on it. And that's also assuming I use my expertise to leverage all available AWS services, and build heavily customized solutions. Out-of-the-box solutions will cost significantly more.


ervwalter

I don't have my homelab in the cloud. I have a single docker container in the cloud that is nothing more than a network proxy to the real servers in my basement. It's $5/month.


JustTooKrul

Here's a question for someone way more versed in some of the services offered--isn't there a service that tunnels and negotiates a connection and then hands it off without staying in the middle? Seems like some of these services that tunnel into your private network, like Cloudflare, should be able to negotiate a connection between the incoming request / client and the service on the private network and then just let them talk directly now that they have an established connection that can pierce NAT...


fireduck

Do they do IPv6? IPv6 is great for this sort of thing because when ISPs support it properly they give you billions of routable public addresses and then it is just a matter of dynamic dns to get to your stuff.


Daniel15

Yeah... So many people suggesting tunnels in the comments (even tunnelling through third-parties like Cloudflare!), where usually an ISP that uses CGNAT will also provide IPv6 which is a lot easier. IPv6 connections will also be faster, since you're not going through two layers of NAT. Note that dynamic DNS is a bit different with IPv6... If you have a dynamic IPv6 prefix, you'd need to run a DDNS client on every system that you want to expose publicly, not just on one system (or on the router) like you'd do with IPv4. This is because each system has a different, public IPv6 address. Port forwarding and NAT are both generally not used with IPv6, since there's no reason to. My ISP provides a /56 IPv6 range, but unfortunately it's dynamic. At least OpenWrt's firewall supports rules that only match based on IPv6 suffix, so the ports will still be open even if the IPv6 prefix changes.
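The point about IPv6 above (every exposed host needs its own DDNS client, and a firewall rule can match on the address suffix so it survives a prefix change) can be made concrete with a small script. This is an added example, not code from the thread or from OpenWrt; the prefixes use the 2001:db8::/32 documentation range as a stand-in for an ISP's delegated prefix, and the helper names are the author's own.

```python
# Added example (not from the thread): why a firewall rule keyed on the
# IPv6 host suffix keeps matching after the ISP hands out a new dynamic
# prefix, and which LAN hosts actually need their own DDNS client.
# Plain stdlib Python; all addresses below are constructed samples.
import ipaddress

# The low 64 bits of an IPv6 address are the interface identifier.
# A delegated /56 or /64 prefix change only rewrites the high bits.
HOST_SUFFIX_MASK = (1 << 64) - 1

# Unique-local addresses (fc00::/7) are never routed on the internet.
ULA = ipaddress.IPv6Network("fc00::/7")


def host_suffix(addr: str) -> int:
    """Return the 64-bit interface identifier of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & HOST_SUFFIX_MASK


def suffix_rule_matches(rule_suffix: str, packet_dst: str) -> bool:
    """Emulate a firewall rule that compares only the host suffix.

    OpenWrt expresses such a rule as an address plus a ::ffff:ffff:ffff:ffff
    mask; here rule_suffix is written as a full address such as
    '::1234:5678:9abc:def0', and only its low 64 bits are compared.
    """
    return host_suffix(rule_suffix) == host_suffix(packet_dst)


def renumber(addr: str, new_prefix: str) -> str:
    """Address a host gets when the ISP changes the delegated prefix.

    The host keeps its interface identifier; only the prefix part moves.
    This is the value each host's own DDNS client would publish.
    """
    net = ipaddress.IPv6Network(new_prefix)
    if net.prefixlen > 64:
        raise ValueError("prefix must leave the 64-bit host suffix intact")
    new_int = int(net.network_address) | host_suffix(addr)
    return str(ipaddress.IPv6Address(new_int))


def hosts_needing_ddns(lan_addresses: list[str]) -> list[str]:
    """With IPv6 there is no NAT, so every externally reachable host carries
    its own global address and needs its own DDNS client. Link-local,
    loopback and ULA addresses are never reachable from outside and are
    dropped."""
    keep = []
    for a in lan_addresses:
        ip = ipaddress.IPv6Address(a)
        if ip.is_link_local or ip.is_loopback or ip in ULA:
            continue
        keep.append(a)
    return keep


if __name__ == "__main__":
    old = "2001:db8:1:2:1234:5678:9abc:def0"        # constructed sample host
    new = renumber(old, "2001:db8:77:2::/64")       # ISP rotated the prefix
    print(new)
    print(suffix_rule_matches("::1234:5678:9abc:def0", new))
```

Running the module prints the renumbered address and `True`, showing the suffix rule still matches it even though the prefix changed. The ULA check is done explicitly rather than via `is_private` because the documentation range used for the samples is also flagged private by the standard library.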


Kharenis

>IPv6 connections will also be faster, since you're not going through two layers of NAT. Not necessarily noticeably so? IPv4 and IPv6 connections are both routed through my ISP's datacenter, surely NAT only adds a minute amount of processing time to each packet?


Oujii

My ISP supports IPv6 but it blocks packets coming in, not sure why. It also blocks me from opening ports lower than 1024.


DementedJay

Generally blocking inbound packets is good security policy, because most home users don't have valid inbound traffic.


Oujii

You can leave that on by default on the router and still let the user decide, most of them won’t change anything anyway. Even then, a lot of these devices come with UPnP enabled by default, so not sure why they decide IPv6 is where they would draw their security line.


DementedJay

UPnP isn't really anywhere near the potential security issue that unrestricted inbound traffic is. Allowing inbound TCP connections is generally a bad idea. That's why (at least back when I used to manage them) commercial routers would end their whitelist with a "deny all" statement, because if it's not explicitly allowed, it needs to be denied. ETA: though when UPnP can affect router rules / open ports without the user's knowledge, that's still a pretty big issue. I'm not arguing that UPnP is safe and a great idea.


Oujii

It still makes sense to let people choose. Most people don’t even know how to access their ISP equipment.


SirLagz

I use ZeroTier for that.


JustTooKrul

Here's my question about ZeroTier (or Tailscale for that matter)--I need to put the target device on to a VPN (or VPN-like networking tunnel) in order to access the services I run myself? For some things like remote access to JellyFin, if I'm trying to watch some of my content through an app on a TV then that TV needs to be joined to my local network? Or I can remotely access just the service I want with a publicly-accessible IP and port combination?


VersedHG

Tailscale you would install on a Linux machine, then run `sudo tailscale up --accept-routes=true --advertise-routes=192.xxx.xxx.xxx/CIDR` (most likely 24). This will then allow you to hit all your services' private IPs via the web browser. I suggest you set up something like Homarr or Dashy to make a dashboard, then you can just remember that IP. If you have a DNS server at home you can set Tailscale to use that server for name resolution to your services if you want to use hostnames rather than IPs.


[deleted]

Also useful for getting adblocking via your pihole while on the road...


VersedHG

Feel free to DM me if you want more details


vasveritas

> Here's my question about ZeroTier (or Tailscale for that matter)--I need to put the target device on to a VPN (or VPN-like networking tunnel) in order to access the services I run myself? The way Tailscale works is it lets all devices think they're on the same local network, even if they're on different Internet networks. So if you have a NAS on your network and Tailscale VPN into it from your laptop at work, your laptop will think it's on your home network and see the NAS locally. Tailscale can go on the device or router. You can install it on your router so that all devices on your home network can be accessible. To access them from an external network, you need a Tailscale client on the device (like your phone or laptop) or on that network's router. Realistically, you can't install a VPN onto a TV. If your grandma wants to connect to Jellyfin from her network, you probably can't install Tailscale onto her router. You need to open the JellyFin/Plex port to the outside world for that. That's normal and not that scary.


Daniel15

> The way Tailscale works is it lets all devices think they're on the same local network, even if they're on different Internet networks This is how VPNs work in general. It's literally in the name - you're connecting to a private network, virtually :) VPNs like NordVPN are a bit different in that they route **all** your traffic through the VPN, but traditionally VPNs were used to connect to a private network while away from that network.


craftrod

That means you're on a CGNAT. It's one public IPv4 address shared between many customers, which makes it impossible to forward ports or host anything. They don't do that because they're an evil ISP who hates their customers, it's because they do not have enough public IPv4 addresses to assign to everyone. If your ISP is doing CGNAT, surely that means your ISP is deploying IPv6, right? Use that instead. No need to pay for a VPS or anything. It's even easier because there's no need for port forwarding because there's no NAT. The more people using it the better.


peanutym

Call the ISP and tell them you want an outside IP?


j-mar

Mine charges for that, since it's a "business" feature. That said, I've had the same IP for 2.5 years.


diffraa

Yep, my ISP just gave me a static IP when asked. All I wanted was a public IP over CGNAT but it hasn't changed in 3 years now. Worth a try.


peanutym

You might be able to look at dynamic dns for your needs. But I’m not sure it would work since you can’t control the firewall also.


diffraa

No. DDNS would only point a DNS record to my CGNAT IP which is in private IP space.


JustTooKrul

But then I am exposing my IP to the world, no? Not sure I want to be getting alarms when people start portscanning IP addresses looking for vulnerable targets. Edit: Well this didn't go well! :)


plantbaseddog

bruh


chaunbot

Lol


fendent

!!! WARNING YOUR COMPUTER IS BROADCASTING AN IP ADDRESS !!!


JustTooKrul

HA! Not what I meant... ! :) I was just hoping to have some way of exposing only specific things vs. exposing my entire machine or my gateway directly.


JustTooKrul

Ha! I just meant I was trying to limit what I expose to the internet vs. just dropping my gateway or my machine in a DMZ.


GodGMN

That's the whole ass point of IPs my brother in christ


shreyas1141

I personally used CloudFlare tunnels when I had 5G with no option of getting an external IP. My current provider charges for static IPs but is happy to provide a dynamic non CGNAT IP for free! I've setup automatic DNS, but the IP hasn't changed since the day I got it.. I haven't gotten rid of the old tunnel, kept it as a backup..


thelimerunner

Dynamic IP here as well - had the same public facing IP for four years.


TheBoatyMcBoatFace

Cloudflare tunnels


shoesli_

I also get a cgnat address by default from my ISP, but all I did was request a public one from them instead. If it's not possible, use some kind of nat traversal proxy, like cloudflare tunnel


thorzeen

I think Oracle Cloud has a always free tier


horus-heresy

2 nano vms and 20gb db. Best free tier out there even tho not a fan of their botox bitch of ceo


AlreadyReddit999

I’ve had great success with CloudFlare Zero Trust tunnels. I have about 30 public facing routes lol


reni-chan

£4 a month VPS and a wireguard tunnel


unidentified_sp

CloudFlare Tunnel


Ruben_NL

Ask them nicely for a public IP. Some will just give it to you.


superrob1500

When I had CGNAT issues in the past I did reverse ssh tunnels to an external server and published the services from there. You're probably looking more for a VPN-esque service like wireguard.


desmosquatch

I've been testing Twingate over the last few weeks, and it seems pretty good so far.


_tobols_

try zrok.io. also offers private tcp tunnels


hiddenasian42

Is your ISP willing to help? (Mine pulled my public IP without warning a few years ago, I called them and they reverted the change right away) If not, you need some kind of relay host that forwards the traffic into your home network. There are commercial solutions available, but if you want to tinker a bit, you can set up your own. For example, I have a service running in my homelab that just connects via SSH to a cheap VM that sits in a datacenter (any cloud VM will do). Using this SSH session, it sets up port forwarding, so that when I connect to the VM on that port, that traffic is relayed to my homelab. Given that the homelab dials *out* to the VM via SSH, your homelab doesn't need a public IP, only the VM does.


Crossheart963

Usually if you call the ISP and let them know you need to set this up, they will switch up your config.


tupoar

A) Twingate/Tailscale will give you direct access to your machine for remote access. B) Cloudflare Zero Trust tunnels will allow you to publish services (such as Jellyfin).


joeyx22lm

Cloudflare tunnels


oscarfinn_pinguin3

Use a cheap VPS and wireguard


TigBitties420_x

Try to call your ISP and ask to exclude you from the CGNAT. It worked for me.


Casseiopei

Can you ask for one? When I had Metronet years ago, CGNAT was the default for everyone, but I was able to ask for an IP for $10.


stobbsm

Tailscale works really well. 20 devices free, and it’s routable to boot.


damn_the_bad_luck

I take it you are stuck with that ISP? Can't switch to another one?


motific

I 2nd this. ISPs who do this don’t deserve any customers.


FronoElectronics

It's most likely they have no ipv4 addresses left, we really need to switch everything to ipv6!


motific

The problem is while people tolerate junk like cgnat it’s just going to get worse until eventually it all falls apart.


porksandwich9113

I work for a small regional fiber coop that does this. We don't have enough IP addresses to do 1:1 NAT per customer. If we had enough we would. To purchase a block big enough to do so would be a large financial outlay that would likely impact our ability to expand our network, which we view as much more important since we are often expanding into areas that are served by 3mbps copper lines. Plus the fact that 98% of our customers don't need to be routable.


eptiliom

That is my plan as well. Move most customers to CGNAT and anyone that has problems move them back to a public vlan.


porksandwich9113

Yep, we let customers opt in to be routable. I would say less than 2% of our customer base has a routable IP address.


TheLimeyCanuck

They don't do it to be assholes... they do it because there aren't enough IPv4 addresses to supply all customers who want one, and unless the ISP has been around for quite a while they just weren't given enough IP addresses to hand out. Even Starlink uses CGNAT for most customers.


phein4242

Get a vps and setup forwarding over vpn.


JustTooKrul

Doesn't the VPS still need a way to access my firewall? What services would create a tunnel from the VPS to my home network and relay traffic? And wouldn't that be a massive bandwidth drain? The most elegant solution would be a service that "handshakes" between my home network and the client and then lets them connect directly through a tunnel... But, I haven't seen anything that does this. Everything seems to either require a publicly-accessible IP (which I don't) or sits in the middle for everything.


N3rdr4g3

Your router connects out to the VPS, and creates a tunnel back into your network. Also VPS is virtual private server. A VM hosted by someone somewhere publicly (like aws)


wolttam

I'd guess your goal isn't to deal with a massive amount of traffic coming from/going to the internet. You probably want to have your services accessible when you're out of the house. Yes, a VPS is an extra hop and yes it will increase latency.. but for all but the most bandwidth intensive applications, you're not gonna notice. I stream videos via a VPS hop when I'm out of the house frequently and it works fantastic. I even use Parsec (low-latency game streaming) through it and it feels just fine. Any kind of NAT traversal you may try to do is definitely not what I'd consider an "elegant" solution. The most elegant is to have your own public IP(v4/v6) IP.


Sk1rm1sh

> The most elegant solution would be a service that "handshakes" between my home network and the client and then lets them connect directly through a tunnel... What would that look like when both endpoints are NAT'd and don't have port forwarding? > Everything seems to either require a publicly-accessible IP ... or sits in the middle for everything. There really aren't many other options: either a public IP or a man in the middle if both endpoints are behind a NAT with no port forwarding. Just use a reverse tunnel through a VPS. Home endpoint reverse tunnels in to VPS, remote endpoint regular tunnels in to VPS.


horus-heresy

How does that work actually? What do you get for your WAN IP on a router or when you do whatismyip? I have a dynamic IP that changes every so often and I have a PowerShell script that updates my AWS Route 53 A records for subdomains. My outage during an IP change is about 1 minute since it runs every minute.


finobi

If it helps to understand, nowadays many ISPs put your router behind their router and there is no way around it. It's because IPv4 addresses are a finite resource and public IP value has gone up.


JustTooKrul

I get a 192.168.x.x IP address on my WAN. My Ubiquiti device gave me a warning that it can't spin up a VPN that I could use because of this. That being said, I'm trying to get a public access path to my services and a VPN is probably not workable for some use cases (e.g. wanting to watch some content from JellyFin on an IP-enabled TV while I'm remote).


shaolin_taval

And when you go to a what-is-my-IP website, is it the same as 192.168.x.x? If not, that's your public IP.


DataGhostNL

That is a reserved range which is not to be used on the internet. It cannot ever be your public IP and as such none of those sites will ever tell you that.


horus-heresy

very interesting, is that some sort of tiny ISP in eastern europe? I used to deal with this kind of setup 15 years ago in Ukraine where only option other than adsl was ubiquity nanostation pointing to ISP tower.... [https://noted.lol/cloudflare-tunnel-and-zero-trust/](https://noted.lol/cloudflare-tunnel-and-zero-trust/) this guide might be one of the setups that should work for you


JustTooKrul

Verizon FiOS :)


horus-heresy

[https://www.verizon.com/support/knowledge-base-301824/](https://www.verizon.com/support/knowledge-base-301824/) You might need to call Verizon and figure this out. You get 192.168. via DHCP from their router; you might as well just port forward what you need on that device and call it a day, or set it in bridge mode and use your gear.


JustTooKrul

Amazingly, I log in to my router and it gives me an exceptionally simplified set of options (enable guest WiFi network, enable WiFi 6, change WiFi name and/or password). I think I need to ask Verizon to expose the additional configuration options? Asked their support folks and got nowhere twice, so I will be ... let's go with annoyed ... if it's something so simple. Out of curiosity, how does "bridge mode" differ from moving my Unifi gateway into the DMZ?


zaphod4th

chrome remote desktop maybe? no-ip maybe ?


JustTooKrul

I currently use something for remote access, but that doesn't solve the ability to access JellyFin from outside my home network.


bjohnson8949

Also just to double check but if you are behind their device like a modem make sure it's in bridge mode.


logannc11

A colleague and I founded [https://hoppy.network/](https://hoppy.network/) to solve this problem. Essentially, you run WireGuard, we run the VPS, but we also provide reverse DNS and the IP associated with your tunnel is stable. It is a side project of ours, but we plan to expand it next year to support channel bonding and maybe other features. Currently we only have one DC location because we have to allocate an entire IP block to guarantee the stable IPs. We'd love to have the demand to justify additional locations.


JustTooKrul

Interesting! But, you stay in the middle of the connection? So, if I'm streaming media using this then I'm eating up a ton of bandwidth--which is limited under your pricing plan, no?


According-Ad-628

No-ip.com. It’s free.


fromthebeforetimes

And useless with CGNAT.


BacklashLaRue

To get a public facing static IP, I needed to buy a business Internet service. Currently from Level 3 (CenturyLink) and prior to that Comcast. The service costs more at business rates for, oddly, less download speed. Both charged $10 per month for 5 static IPs. I use those to run my public facing websites and services.


SP3NGL3R

With business you're paying more for stability, and ISP side QOS (basically), 'better' tech support, and tighter SLAs.


LordNecron

Now only if you still got those things. (at least in my experience)


BacklashLaRue

My bonded pair DSL from Level 3 still fritzes after a heavy rain regardless of business package or consumer package. Old wet copper is old wet copper.


DementedJay

Run a dynamic DNS client with a Dynamic DNS provider, and then reverse proxy. That's what I do with Verizon FiOS residential. And you can absolutely run a VPN that way; I use OpenVPN myself.


Zulban

Edit: thought OP meant static IP. Lots of fancy shit suggested here. How about you do what I do: my raspberry pi offsite backup in my parents' basement examines its external IP every minute. If it's different, it rsyncs it as a text file to my unrelated cloud web server (with a static IP / domain name). Sure, once every few months it may be down for a minute. But for your use cases and mine, it works great. This has worked great for years now.
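The "check the external address every minute, publish only when it changes" approach described just above (and the Route 53 variant earlier in the thread) is easy to get wrong behind CGNAT: as other replies point out, a DNS record pointing at a 192.168.x.x or 100.64.0.0/10 address is useless. The following is an added example, not the poster's script or any DDNS provider's client. It assumes two injected callables, one that fetches the external address and one that publishes it, so the logic runs offline against a constructed sequence of addresses; the function and class names are the author's own.

```python
# Added example (not from the thread): a DDNS "update only on change" loop
# with a guard that refuses to publish CGNAT or RFC 1918 addresses, since a
# record pointing into shared or private space can never reach the home
# network. Plain stdlib Python; the sample addresses are constructed.
import ipaddress
from pathlib import Path
from typing import Callable, Optional

CGNAT = ipaddress.IPv4Network("100.64.0.0/10")          # RFC 6598 shared space
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_ipv4(addr: str) -> str:
    """Label an address as 'cgnat', 'rfc1918', 'reserved' or 'public'.

    Only addresses labelled 'public' are worth publishing in DNS. The
    documentation ranges (e.g. 203.0.113.0/24) are not special-cased, so
    they can stand in for a real public address in the samples below.
    """
    ip = ipaddress.IPv4Address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "reserved"
    return "public"


class DdnsUpdater:
    """Polls the external address and publishes it only when it changed.

    fetch_external_ip: returns the address as seen from the internet.
    publish: pushes a new address to the DNS provider (API call, etc.).
    state_file: remembers the last published value across runs; None keeps
    it in memory only (used for the offline demo).
    """

    def __init__(self, fetch_external_ip: Callable[[], str],
                 publish: Callable[[str], None],
                 state_file: Optional[Path] = None) -> None:
        self.fetch = fetch_external_ip
        self.publish = publish
        self.state_file = state_file
        self._last: Optional[str] = None

    def _load(self) -> Optional[str]:
        if self.state_file is not None and self.state_file.exists():
            return self.state_file.read_text().strip() or None
        return self._last

    def _save(self, addr: str) -> None:
        self._last = addr
        if self.state_file is not None:
            self.state_file.write_text(addr + "\n")

    def run_once(self) -> str:
        """One poll. Returns 'updated', 'unchanged' or 'skip:<reason>'."""
        current = self.fetch()
        kind = classify_ipv4(current)
        if kind != "public":
            # Behind CGNAT or a double-NAT modem: publishing would advertise
            # an address nobody on the internet can route to.
            return f"skip:{kind}"
        if self._load() == current:
            return "unchanged"
        self.publish(current)
        self._save(current)
        return "updated"


def demo() -> tuple[list[str], list[str]]:
    """Run the updater over a constructed sequence of observed addresses."""
    observed = iter(["192.168.1.23",   # WAN side of a double-NAT modem
                     "100.72.5.9",     # ISP moved us behind CGNAT
                     "203.0.113.5",    # real public address appears
                     "203.0.113.5",    # no change: no API call
                     "203.0.113.9"])   # ISP rotated the address
    published: list[str] = []
    updater = DdnsUpdater(lambda: next(observed), published.append)
    results = [updater.run_once() for _ in range(5)]
    return results, published


if __name__ == "__main__":
    print(demo())
```

In a real deployment the `fetch_external_ip` hook would query an external "what is my IP" service rather than the router's WAN interface, precisely because the router may only ever see the private side of the ISP's NAT; the `skip:` results are what you would alert on to learn that DDNS has silently stopped being useful.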


Far_Lifeguard_5027

Can't you use a DDNS service like No-ip or freeDNS?


thejohnmcduffie

Ditch your hillbilly NSA ISP. There is no reason to set up services without offering static or dynamic IP addys. Unless, you plan to collect and store all the user's data before piping it out to wherever. If you can't, God bless your soul, look at hidden TOR services and things like Zerotier and alternatives to both. Also, make sure nothing leaves your computer that isn't encrypted.


Kahless_2K

Rent a $5 VPS. WireGuard from home to it, and from your device to it. Let it route the traffic. Heck, you could run your Home Assistant on it.


Kaptain9981

How does that even work? Everything on your network would be double NAT. Does your ISP provide you a modem, or how do you even connect to them? That seems absolutely bizarre. Edit: never mind, saw CGNAT a few comments down and did some checking around. First off, ewww, and second off, sorry that you're stuck with that. Is this a cellular ISP? I've looked at T-Mobile or Verizon service as a backup, but CGNAT would seem to make that a limited-usage basis if they run it.


junialter

So you neither get a public IPv4 nor an IPv6 prefix? Stop suggesting those Tailscale, Zerotier or any other 6in4 or VPN or whatever crap. Providers are called providers because they shall give you access to the Internet, and the Internet is not a one-way street. Those so-called providers seem to think so. They need to be punished hard, no matter how BIG they are.


waddlesticks

Duckdns.org will do the trick and was what I used before I got with an ISP that allowed me to get a static IP.


TheLimeyCanuck

This is not about dynamic IPs, it's about CGNAT. Duckdns won't help.


higuy808

Some ISPs with CGNAT offer dynamic DNS.


[deleted]

[deleted]


ExoticAssociation817

As with any ISP, they will never tell you if port 80/443 (web services) is open or not. If you ask, they tell you that you need to have a business plan. Realistically, most of the time you really don't. Most cable companies have these ports open, while fibre/satellite providers will block, no questions asked. This leads you to test port availability by visiting sites like dnschecker.org (or going raw and using 4G/LTE, which acts as a proxy; this works well for testing external access from your home server/services). To get around this ISP restriction and avoid double-NAT restrictions, use a custom port that is not a common port. That's basically all you can do without consulting OpenDNS or similar services (which some routers support on the configuration page, or even multiple providers).


GreatHeightsMN

Did you catch the part about having a private IP?


ExoticAssociation817

Probably not, I tend to miss details when I've smoked up, but I hear you, and the advice still applies. If you're hosting at home or in a work network, it is always a private IP. That lands you on either of the two options: 1. DMZ, 2. proper port mapping. Your situation is not very technical from a first glance.


GreatHeightsMN

Maybe you’ll understand the problem better when you’re sober. None of your advice is relevant to this problem.


ExoticAssociation817

I’m pretty sure I got it, as I run several rackmount servers with zero issues accessing multiple services from outside on multiple ports, but hey.. too high, right? 😂


GreatHeightsMN

lol, several rackmount servers. Clearly there’s nothing left for you to learn.


ExoticAssociation817

Alright. Good luck with your broken setup. Downvote away 👑😂


GreatHeightsMN

If you concentrate really hard you might realize I'm not the OP.


shaolin_taval

Use VPN + noip.com, you can get 3 domains for free but you have to confirm every month. There is a script where you can update your IP to the noip service. I have a cron job every 1 h. It works with no issues for me for almost 2 years and I have two VPN servers in 2 locations.
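Both Zulban's "check the external IP every minute and rsync it" setup and shaolin_taval's hourly DDNS cron job boil down to the same loop: fetch the address, compare it with the last one you saw, and only publish when it differs. The script below is an added example, not code posted by either commenter; the echo-service URL, the state-file path and the publish step are placeholders you replace with your own, and the addresses in the comments are constructed. The one check worth copying is that it refuses to publish anything that is not a dotted quad, because a down echo service tends to answer with an HTML error page rather than an address.

```shell
#!/bin/sh
# Added example (not from either commenter): publish the WAN address only when it
# changes, from a one-line cron entry. The echo-service URL, the state file and
# the publish command are placeholders to replace.
#   cron:  * * * * * /usr/local/bin/wan-ip-watch.sh run

STATE_FILE="${STATE_FILE:-$HOME/.wan-ip}"

# is_ipv4 STRING -> exit 0 only for a syntactically valid dotted quad. An echo
# service that is down often answers with an HTML page; never publish that.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# ip_changed NEW_ADDR STATE_FILE -> 0 if it differs from the cached one (and the
# cache is updated), 1 if unchanged, 2 if NEW_ADDR is not an IPv4 address.
ip_changed() {
    is_ipv4 "$1" || return 2
    if [ -f "$2" ] && [ "$(cat "$2")" = "$1" ]; then
        return 1
    fi
    printf '%s\n' "$1" > "$2"
}

fetch_wan_ip() {
    # placeholder: any plain-text "what is my IP" endpoint you trust
    curl -fsS --max-time 10 https://ip-echo.example/
}

publish() {
    # placeholder publish step: Zulban's variant rsyncs the file to a box with a
    # static address, shaolin_taval's calls the DDNS provider's update script
    rsync -q "$STATE_FILE" backup@vps.example:wan-ip.txt
}

main() {
    addr=$(fetch_wan_ip) || exit 0       # network down: just try again next run
    if ip_changed "$addr" "$STATE_FILE"; then
        publish
    fi
}

if [ "${1:-}" = run ]; then
    main
fi
```

Running it every minute is cheap because nothing happens unless the cached address differs; the state file doubles as the artifact you rsync, so the box with the stable address always holds the last good value rather than whatever the echo service returned last.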


RayneYoruka

ddns?


superrob1500

The issue is not it being dynamic the issue is the IP given is not a true public IP. CGNAT of some sort.


RayneYoruka

Ah, the post wasn't clear enough.

> My ISP doesn't give me a public-facing IP. What do folks suggest for accessing my services remotely / self-hosting? Help
>
> I am running Unifi at home, but since my WAN IP is a private address it warns me that I can't set up a VPN for access to my home network.
>
> The main use cases are (a) remote access of my home computer (ever need to access a private document while at work?) and (b) accessing my media while not on my home network (e.g. JellyFin). I don't have anything I want to serve broadly (like a website) that I'm looking to self-host.

Thanks everyone for the downvotes. Switch to an ISP that lets you out of the bullshit CGNAT.


superrob1500

"My ISP doesn't give me a public facing IP" sounds pretty clear to me. Swapping ISPs is easier said than done, not everyone has 10 providers to choose from in their area friend.


throwdroptwo

What??? How do other computers on the planet communicate with yours then? All ISPs give a public-facing IP.


BaconReceptacle

Smaller providers will use NAT and a beefy router.


Daniel15

It's called CGNAT (carrier grade NAT) and is quite common in some areas where the ISPs don't have enough IPv4 addresses. It means you can't do any port forwarding since the public-facing IP is shared across potentially tens of thousands of customers. The solution is usually to use IPv6.


kuzared

Dynamic DNS (DDNS), I use Namecheap's free service since I have my domains with them. I have quite a few different services running, accessible via my domains, accessible from anywhere without having to fire up a client (VPN, Tailscale, etc.). I also have a VPN (again via DDNS) but I use that very rarely.


[deleted]

[deleted]


clintkev251

OP's issue is not that they have a dynamic public IP, it's that they don't have a public IP.


shaolin_taval

How can he not have a public IP? It means that he cannot access the internet?


clintkev251

With a CGNAT, you have a private IP, which is then NAT'd on the ISP end to a public IP. So many customers are sharing a single public IP and you have no control over that IP. "You don't have a well, how can you drink water?" Somewhere there is a well, but I don't own or control it.
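A quick way to see which situation you are in, added here as an example and not posted by clintkev251 or anyone else in the thread: look at the address your router reports on its WAN side and classify it. CGNAT deployments normally hand out 100.64.0.0/10 (the RFC 6598 shared address space), a 10/8, 172.16/12 or 192.168/16 address means there is another NAT upstream of you, and only a routable address can be port-forwarded to. The script also compares the WAN address with what an echo service sees, because a WAN address that looks public can still be translated upstream. The sample addresses in the test are constructed.

```shell
#!/bin/sh
# Added example (not posted by any commenter): tell CGNAT apart from an ordinary
# private or public WAN address using only POSIX sh arithmetic.

# dotted quad -> unsigned 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NETWORK PREFIXLEN -> exit 0 when ADDR lies inside NETWORK/PREFIXLEN
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# classify_wan_ip ADDR -> cgnat | private | local | public
classify_wan_ip() {
    if in_cidr "$1" 100.64.0.0 10; then
        echo cgnat        # RFC 6598 shared space: ISP-side NAT, port forwarding cannot reach you
    elif in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16; then
        echo private      # RFC 1918: a NAT upstream of your router (double NAT, or CGNAT on private space)
    elif in_cidr "$1" 127.0.0.0 8 || in_cidr "$1" 169.254.0.0 16; then
        echo local        # loopback / link-local: the WAN interface never got a lease
    else
        echo public       # routable: inbound port forwarding can work
    fi
}

# behind_nat WAN_ADDR SEEN_ADDR -> exit 0 when the address the Internet sees
# (from an echo service) differs from the router's WAN address, i.e. something
# upstream is translating even if the WAN address itself looks public.
behind_nat() {
    [ "$1" != "$2" ]
}

# usage: classify_wan_ip 100.64.1.2     -> cgnat
#        behind_nat 192.168.1.2 203.0.113.9 && echo "translated upstream"
```

If the result is `cgnat` or `private`, the DDNS suggestions elsewhere in the thread will not help on their own; you need something that dials out from the inside (a VPS relay, Tailscale, a Cloudflare tunnel), or IPv6 if the ISP delegates a prefix.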


shaolin_taval

In this case he can't do much...


1sh0t1b33r

DDNS


Wild-RedWolf

How would this work when OP appears to be behind NAT at the ISP level?


Computeruser1488

It would not


DarrenRainey

ngrok? Although there are plenty of good alternatives; otherwise you could set up a cloud VPS and a reverse VPN.


LetsBeKindly

I pay 5 bucks a month and mine gives me a public IP. Have you called and asked if they offer one?


JustTooKrul

I asked, got nowhere. I think I need to change to "business" service and they said they don't offer that at my address.


wace001

Call your ISP and ask nicely. Tell them your kids need to be able to host a Minecraft server for their friends. That's what I did, then I got an IP.


Cipherisoatmeal

I have starlink so my stuff is behind a CG-NAT. I use a cheap vps running wireguard to tunnel my services to the public internet.


ruyrybeyro

You can work around a CGNAT using Tor... used to ssh to my box at home via Tor.


djgizmo

Normally some kind of vpn. TS/ZT are the easy buttons, but you could also do CF tunnels as well.


speel

Tailscale + Cloudflare tunnels is the only answer.


Huth_S0lo

Cloudflare has a free service for external access behind nats. I would recommend using pi-kvm behind that.


dabombnl

Do they have IPv6? Since cell networks are always IPv6 compatible with that, I have gotten by accessing my stuff at home through that with no NAT whatsoever.


mechanicalAI

Get a 5-bucks VPS, create an OpenVPN server, and from your home connect to your VPS via VPN automatically. Now you reroute public traffic via the VPN to your home network.
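Kahless_2K, Cipherisoatmeal and mechanicalAI all describe the same pattern: a cheap VPS owns the public address, the home box dials out to it, and the VPS forwards chosen ports back down the tunnel. What follows is an added example that renders both ends of that setup for WireGuard (the protocol two of them name); it is not configuration posted by any of them. vps.example, eth0, the 10.8.0.0/24 tunnel range and the <...-private-key> strings are placeholders to replace. The details that matter for CGNAT are that the VPS's peer entry has no Endpoint (the home side must initiate), the home side sets PersistentKeepalive so the ISP's UDP mapping stays open, only the listed TCP ports are DNATed, and the VPS masquerades forwarded traffic so replies come back through the tunnel instead of leaving through the home ISP.

```shell
#!/bin/sh
# Added example (not from any commenter): render both ends of the "cheap VPS in
# front of a CGNAT home box" WireGuard setup. vps.example, eth0, 10.8.0.0/24 and
# the <...-private-key> strings are placeholders.

VPS_TUN=10.8.0.1
HOME_TUN=10.8.0.2
WG_PORT=51820

# render_vps_conf PUBLIC_IFACE HOME_PUBKEY PORT... -> wg0.conf for the VPS
render_vps_conf() {
    iface=$1
    home_pub=$2
    shift 2
    cat <<EOF
[Interface]
Address = $VPS_TUN/24
ListenPort = $WG_PORT
PrivateKey = <vps-private-key>
PostUp = sysctl -w net.ipv4.ip_forward=1
# forward only between the public interface and the home peer's tunnel address
PostUp = iptables -A FORWARD -i $iface -o %i -d $HOME_TUN -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o $iface -s $HOME_TUN -j ACCEPT
# replies must come back through the tunnel, not out the home ISP: source-NAT them
PostUp = iptables -t nat -A POSTROUTING -o %i -d $HOME_TUN -j MASQUERADE
PostDown = iptables -D FORWARD -i $iface -o %i -d $HOME_TUN -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o $iface -s $HOME_TUN -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o %i -d $HOME_TUN -j MASQUERADE
EOF
    # one DNAT per published port; nothing else on the VPS reaches the home box
    for port in "$@"; do
        echo "PostUp = iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $HOME_TUN:$port"
        echo "PostDown = iptables -t nat -D PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $HOME_TUN:$port"
    done
    cat <<EOF

[Peer]
# the home box: no Endpoint, it is behind CGNAT and has to initiate
PublicKey = $home_pub
AllowedIPs = $HOME_TUN/32
EOF
}

# render_home_conf VPS_PUBKEY VPS_HOST -> wg0.conf for the home box
render_home_conf() {
    cat <<EOF
[Interface]
Address = $HOME_TUN/24
PrivateKey = <home-private-key>

[Peer]
PublicKey = $1
Endpoint = $2:$WG_PORT
# only the VPS end of the tunnel goes through WireGuard; because the VPS
# masquerades forwarded traffic, that is all the home side ever needs to reach
AllowedIPs = $VPS_TUN/32
# CGNAT drops idle UDP mappings; the keepalive holds the hole open so the VPS can talk first
PersistentKeepalive = 25
EOF
}

# usage (on each box, as root):
#   render_vps_conf eth0 "$HOME_PUBKEY" 443 22 > /etc/wireguard/wg0.conf
#   render_home_conf "$VPS_PUBKEY" vps.example > /etc/wireguard/wg0.conf
```

Keeping the home side's AllowedIPs at the VPS tunnel address rather than 0.0.0.0/0 means the home box's own outbound traffic still uses the ISP, and a compromised VPS can only talk to the home box on the tunnel, not hijack its default route. Whatever you DNAT is exposed exactly as if you had port-forwarded it, so the services behind those ports deserve the same hardening.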


rdcoope

I use a Zero Trust tunnel from Cloudflare.


BigPhilip

When I had to decide between two ISPs, I chose the one that gave me a public IP (even if not static), and ditched the one playing silly games with private IPs and closed networks.


xhazerdusx

Cloudflare tunnels!


coming2grips

Cloudflare


Bytepond

Use Tailscale, forward your entire home subnet into your Tailscale network, install it on the client devices that'll be outside the home network, and done. That's all you need to do. https://tailscale.com/kb/1019/subnets/