Locally hosting an internet-connected server (mjg59.dreamwidth.org)
83 points by pabs3 9 hours ago | 75 comments
JdeBP 6 hours ago [-]
This and the comments highlight how bad many ISPs in North America and Western Europe are at IPv6, still, in 2025, and the lengths to which people will go to treat that as damage and literally route around it.

One of the biggest ISPs in my country has been promising IPv6 since 2016. Another, smaller, competitor, advertised on "World IPv6 Day" in 2011 that it was way ahead of the competition on supplying IPv6; but in fact does not supply it today.

One of the answers I see given a lot over the years is: Yes, I know that I could do this simply with IPv6. But ISPs around here don't route IPv6, or even formally provide statically-assigned IPv4 to non-business customers. So I have had to build this Heath Robinson contraption instead.

mjg59 6 hours ago [-]
Pretty much! My ISP was founded by https://en.wikipedia.org/wiki/Rudy_Rucker and is somewhat cheap and delightful and happily routes me a good amount of IPv6, and every 48 hours or so it RAs me an entirely different range even though I still have validity on the lease for the old one and everything breaks, so I've had to turn IPv6 off entirely (I sent dumps of the relevant lease traffic to support, they said they'd look into it, and then the ticket auto closed after being inactive for two years). I spent a while trying to make things work with IPv6 but the combination of it being broken at my end and also there still being enough people I want to provide access to who don't have it means it just wasn't a good option.
anonymousiam 5 hours ago [-]
One of my places uses Frontier FiOS (soon to become Verizon again). They have zero support for IPv6, and it isn't even on their roadmap.

I use a static HE (Hurricane Electric) IPv6 tunnel there, and it works great.

The only issue is that YouTube thinks the IPv6 block is commercial or an AI dev scraping their content, so I can't look at videos unless I'm logged in to YouTube.

stego-tech 1 hours ago [-]
I’m also on FiOS, and despite repeated statements to the effect I’d never get IPv6 on my (20-year-old) ONT, I’ve got a nice little /56 block assigned on my kit via DHCPv6. Problem is that, as it’s a DHCP block, it changes, and Namecheap presently does not offer any sort of Dynamic DNS for IPv6 addresses.

Still, it let me tear down the HE IPv6 tunnel I was also running, since the sole reason I needed IPv6 was so our household game consoles could all play online without cursed firewall rules and IP reservations. I’m pretty chuffed with the present status quo, even if it’s far from perfect.

One other thing I’d note about OPs article (for folks considering it as a way to work around shitty ISP policies) is that once you have this up and running, you also have a perfect setup for a reverse proxy deployment for your public services. Just make sure you’re watching your bandwidth so you don’t get a surprise bill.

PaulKeeble 1 hours ago [-]
Mine officially supports it. However, having configured the prefix as they define and using SLAAC etc., all my devices get their IPv6 addresses and can access the internet, I can even connect from outside the network so it all "works", but I have a bunch of issues. Neither of my ISP's defined DNS servers is available, I can't route one of the OpenDNS routers but the other works fine, and then I have these periods where the entirety of IPv6 routing breaks for about a minute and then restores. Having done this with two different routers on completely different firmware now, I can't help but think my official support from my ISP is garbage and they have major problems with it. I had to turn it off because it causes all sorts of problems.
jeroenhd 1 hours ago [-]
I'm in western Europe and every ISP but the ultra cheap ones and the niche use case ones have stable IPv6 prefixes. Some do /48, others /56.

IPv4 is getting CGNAT'd more and more, on the other hand. One national ISP basically lets you pick between IPv4 CGNAT and IPv6 support (with IPv6 being the default). Another has been rolling out CGNAT IPv4 for new customers (at first without even offering IPv6, took them a few months to correct that).

This isn't even an "America and Western Europe" thing. It's a "whatever batshit insane approach the local ISP took" thing. And it's not just affecting IPv6 either.

jxjnskkzxxhx 5 hours ago [-]
> Heath Robinson contraption

Ah, I see you also watched that video yesterday on manufacturing a tiny electric rotor.

JdeBP 5 hours ago [-]
I actually learned the expression when I was a child, via the Professor Branestawm books.
jxjnskkzxxhx 2 hours ago [-]
Ok so this is genuinely a case of I see an expression for the first time, learn it, and then see it again immediately after. Fun.
57473m3n7Fur7h3 2 hours ago [-]
The Baader–Meinhof phenomenon strikes again!
Joeboy 3 hours ago [-]
"Heath Robinson" is British English for "Rube Goldberg".
jxjnskkzxxhx 2 hours ago [-]
TIL
emilfihlman 46 minutes ago [-]
Once again I voice the only sane option: Skip IPv6 and the insanity that it is, and do IPv8 and simply double (or quadruple) the address space without introducing other new things.
1317 9 minutes ago [-]
Things like this that go through some external VPS always seem a bit pointless to me.

just host it on the VPS directly

orangeboats 6 minutes ago [-]
A VPS that relays traffic and a VPS that runs services are very different.
mrbluecoat 14 minutes ago [-]
A similar simple option: https://github.com/hyprspace/hyprspace
Daviey 6 hours ago [-]
The commenters suggest Tailscale, but the author assumes this could only mean Funnel, but you could use Tailscale/Headscale for handling the WireGuard and low-level networking / IP allocation.

Then doing straightforward iptables or L7, or reverse proxy via Caddy, Nginx, etc., directly to the routable IP address.

The outcome is the ~same, bonus is not having to handle the lower level component, negative is an extra "thing" to manage.

But this is how I do the same thing, and I'm quite happy with the result. I can also trivially add additional devices, and even use it for egress, giving me a good pool of exit-IP addresses.

(Note, I was going to add this as a comment on the blog, but it seems their captcha service is broken and would not display - so it was blocked)

PeterStuer 3 hours ago [-]
I run a very small VPS at Hetzner with Pangolin on it that takes care of all the Traefik WireGuard tunneling to my home servers. Very easy to set up and operate.

https://fossorial.io/

thatcherc 2 hours ago [-]
Cool! Do you like that approach? I've thought about setting up that exact thing but I wasn't sure how well it would work in practice. Are there any pitfalls you ran into early on? I might give it a shot after your "very easy to set up and operate" review!
DougN7 8 hours ago [-]
Why not use a dynamic DNS service instead? I’ve been using dyn.com (now oci.dyn.com) for years and it has worked great. A bonus is many home routers have support built in.
messe 7 hours ago [-]
Only works if you're not behind CGNAT, which has problems in and of itself. I pay my ISP an extra 29 DKK (about 4.50 USD at the moment) for a static address; my IPv4 connections and downloads in-general became way more stable after getting out from behind CGNAT.
neepi 6 hours ago [-]
CGNAT is hell. Here I had to choose between crap bandwidth or CGNAT. I chose crap bandwidth.
immibis 5 hours ago [-]
Hell for hosting, but if you're doing adversarial interoperability as a client, it does help you avoid being IP-banned. (At least in Western countries. I hear that Africa and Latin America tend to just get their CGNAT gateways banned because site operators don't give a shit about whether users from those regions can use their sites)
jeroenhd 1 hours ago [-]
The client feature only works for websites that care about making exceptions for CGNAT users. Plenty of them simply ban the shared addresses.

That's part of the reason why countries like India are getting so many CAPTCHAs: websites don't care for the reason behind lackluster IP plans from CGNAT ISPs. If the ISP offered IPv6 support, people wouldn't have so many issues, but alas, apparently there's money for shitty CGNAT boxes but not IPv6 routers.

neepi 4 hours ago [-]
Not quite. I'm in the UK and some of our customers get blocked by overzealous CDNs and they're all on CGNAT.
jaoane 5 hours ago [-]
CGNAT is completely irrelevant to the average person. It’s only an issue if you expect others to connect to you, which is something that almost all people don’t need.

(inb4 but the internet was made to receive connections! Well yes, decades ago maybe. But that’s not the way things have evolved. Get with the times.)

throw0101d 8 minutes ago [-]
> It’s only an issue if you expect others to connect to you, which is something that almost all people don’t need.

Unless they're playing video games:

* https://steamcommunity.com/sharedfiles/filedetails/?id=27339...

* https://www.checkmynat.com/posts/optimizing-nat-settings-for...

The video game industry is bigger than movies, television, and music combined:

* https://www.marketing-beat.co.uk/2024/10/22/dentsu-gaming-da...

So I think CGNAT / double-NAT can hit a lot of folks.

> Well yes, decades ago maybe. But that’s not the way things have evolved. Get with the times.

Why? Why should I accept the enshittification of the Internet that has evolved to this point? Why cannot people push for something better?

juergbi 4 hours ago [-]
Cloudflare sometimes preventing access to some sites and annoying CAPTCHA challenges due to CGNAT are relevant to the average person.

Full IPv6 support should be a requirement for both ISPs as well as websites and other servers.

jaoane 4 hours ago [-]
> Cloudflare sometimes preventing access to some sites and annoying CAPTCHA challenges due to CGNAT are relevant to the average person.

They would be, but thankfully CGNAT doesn’t cause that.

jeroenhd 1 hours ago [-]
It's not a direct cause, but if an IP is hitting my website with spam, I don't care if it's a spam bot or a CGNAT exit point. The only way to stop the spam is to take action against the IP address. For CGNAT customers, that means extra CAPTCHAs or worse.

You can ask your ISP for your own IPv6 subnet if you don't want to be lumped in with the people whose computers and phones are part of a scraping/spamming botnet.

messe 2 hours ago [-]
It contributes to it, because now you're behind the same public IP address as X other people. You're then X-times more likely to get flagged as suspicious and need to enter a CAPTCHA X-times more frequently.
jaoane 2 hours ago [-]
Cloudflare easily detects that using your discrete external port range and knows better than to show you a CAPTCHA.
thedanbob 2 hours ago [-]
This is what I do, except the dynamic DNS service is just a script on my server that updates Cloudflare DNS with my current external IP. In practice my address is almost static, I've never seen it change except when my router is reset/reconfigured.
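Editor's note: the "script on my server that updates Cloudflare DNS" pattern above, written out as an added example (this is not thedanbob's script and not from the article). It learns the current public address from Cloudflare's `/cdn-cgi/trace` endpoint, compares it with the existing A or AAAA record using the real Cloudflare v4 DNS-records API (GET, PATCH, POST under `/zones/{zone_id}/dns_records`), and only writes when the address changed. Since the record type follows the address family, the same script covers the DHCPv6 case mentioned earlier in the thread. The hostname `home.example.com`, the `CF_ZONE_ID` / `CF_API_TOKEN` environment variables and the sample trace text are assumptions for illustration.

```python
"""Minimal dynamic-DNS updater for a Cloudflare-hosted name.

Added example, not the original page's code. Assumptions: the name
home.example.com lives in the zone CF_ZONE_ID, and CF_API_TOKEN is a
token scoped to DNS:Edit on that zone only.
"""
import ipaddress
import json
import os
import urllib.request
from typing import Optional

API = "https://api.cloudflare.com/client/v4"
HOSTNAME = "home.example.com"  # assumption
# /cdn-cgi/trace answers with key=value lines; one of them is ip=<client address>.
# Dialling an IPv4 or IPv6 literal forces which family we learn about.
TRACE_URLS = {
    "A": "https://1.1.1.1/cdn-cgi/trace",
    "AAAA": "https://[2606:4700:4700::1111]/cdn-cgi/trace",
}


def parse_trace(text: str) -> str:
    """Extract and validate the ip= field; garbage like 321.985.520.309 raises ValueError."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ip":
            return str(ipaddress.ip_address(value.strip()))
    raise ValueError("trace output had no ip= line")


def record_type(ip: str) -> str:
    """A for IPv4, AAAA for IPv6."""
    return "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"


def plan_update(current: Optional[str], observed: str) -> Optional[str]:
    """Return the content to write, or None if the record already matches.

    Comparison goes through ipaddress so 2001:DB8:0:0::1 and 2001:db8::1 are equal."""
    if current is not None and ipaddress.ip_address(current) == ipaddress.ip_address(observed):
        return None
    return observed


def _api(method: str, path: str, token: str, body: Optional[dict] = None):
    req = urllib.request.Request(
        API + path,
        method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        out = json.load(resp)
    if not out.get("success"):
        raise RuntimeError(f"Cloudflare API error: {out.get('errors')}")
    return out["result"]


def sync(zone_id: str, token: str, rtype: str = "A") -> Optional[str]:
    """Bring the A (or AAAA) record in line with the observed address. Returns new value or None."""
    with urllib.request.urlopen(TRACE_URLS[rtype], timeout=10) as resp:
        observed = parse_trace(resp.read().decode())
    assert record_type(observed) == rtype, "trace endpoint answered in the wrong family"
    records = _api("GET", f"/zones/{zone_id}/dns_records?type={rtype}&name={HOSTNAME}", token)
    current = records[0]["content"] if records else None
    new = plan_update(current, observed)
    if new is None:
        return None
    if records:
        _api("PATCH", f"/zones/{zone_id}/dns_records/{records[0]['id']}", token, {"content": new})
    else:
        _api("POST", f"/zones/{zone_id}/dns_records", token,
             {"type": rtype, "name": HOSTNAME, "content": new, "ttl": 60, "proxied": False})
    return new


if __name__ == "__main__":
    zone, tok = os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]
    for family in ("A", "AAAA"):
        try:
            changed = sync(zone, tok, family)
            print(family, "updated to" if changed else "unchanged", changed or "")
        except OSError as exc:  # no connectivity in that family is normal, not fatal
            print(family, "skipped:", exc)
```

Run it from cron every few minutes. The token should be limited to DNS:Edit on the one zone, since a host that is reachable from the internet is exactly the kind of place a broader credential should not sit, and a short TTL (60 s above) keeps the window after a change small.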
mjg59 7 hours ago [-]
I have multiple devices on my internal network that I want to exist outside, and dynamic DNS is only going to let me expose one of them
rkagerer 7 hours ago [-]
If they don't all need distinct external IP addresses of their own, port forwarding is a typical approach.
mjg59 7 hours ago [-]
That doesn't work well if you want to run the same service on multiple machines. For some you can proxy that (eg, for web you can just run nginx to proxy everything based on either the host header or SNI data), but for others you can't - you're only going to be able to have one machine accepting port 22 traffic for ssh.
herbst 7 hours ago [-]
You can port forward SSH to other internal machines, just like nginx + web.
mjg59 7 hours ago [-]
I can port forward port 22 to a single machine. I can't proxy port 22 in a way that directs the incoming connection to the correct machine, at least not without client configuration.
koolba 6 hours ago [-]
You only need one inbound machine as your bastion. Then hop from there to the rest using local address. Once you set up the proxy config in ssh it’s completely transparent.
mjg59 6 hours ago [-]
Right yes but I (for various reasons) end up using a lot of different client systems and I don't want to have to configure all of them to transparently jumphost or use different port numbers and why are people spending so much time trying to tell me that I should make my life complicated in a different way to the one I've chosen?
mnw21cam 3 hours ago [-]
Yeah, I currently have a VPS with various SSH port forwards allowing me to direct incoming connections of various types to my home computer which is behind NAT. It's evil and horrible and nasty for various reasons, not least of which that all your incoming connections look to your inner server like they come from the same IP address, preventing you from logging or filtering the source of any request. And you need to make sure if you forward incoming connections to your SMTP server that it doesn't think they are local trusted connections that it can relay onwards, turning your setup into an open relay.

Seriously thinking about switching to a setup similar to the article. I mean, my setup works for now, but it's un-pretty.

mvanbaak 5 hours ago [-]
ipv6 has solved this. Too bad it's not yet a common thing.
tialaramex 5 minutes ago [-]
The Google data strongly suggests that at this point it's probably available to a majority of home users. Corporate remains significantly worse. My employer, which paid me to do IPv6 stuff last century in a very different role, today has IPv6 for random outsiders but if you have a corporate issued laptop IPv6 is disabled and they cheerfully explained that it's "difficult" in a call this week right before I pointed out what I was paid to do and where a quarter century ago. Embarrassing for them.
chgs 7 hours ago [-]
Select an isp that gives you multiple ip v4 addresses. Or host on ipv6.
mjg59 7 hours ago [-]
Yes, if I had multiple IPv4 addresses already it wouldn't be necessary to tunnel in additional IPv4 addresses, but since I don't and since there are no ISPs who will provide that to me at this physical address, tunneling is where I am.
v5v3 7 hours ago [-]
In many countries, unless you buy a business broadband package (more expensive), residential internet does not come with such options.
dreamcompiler 16 minutes ago [-]
Putting a privkey on your VPS seems like asking for trouble.
KronisLV 7 hours ago [-]
Lovely write up! Personally, I just settled on Tailscale so I don’t have to manage WireGuard and iptables myself.

For a while I also thought that regular SSH tunnels would be enough but they kept failing occasionally even with autossh.

Oh and I got bitten by Docker default MTU settings when trying to add everything to the same Swarm cluster.

zokier 6 hours ago [-]
Yeah, this is the way to do this. I'm pretty sure that if you for some reason do not want to run wireguard on all your servers you could fairly easily adjust this recipe to have a centralized wg gateway on your local network instead.

I think I've seen some scripts floating around to automate this process but can't remember where. There are lots of good related tools listed here: https://github.com/anderspitman/awesome-tunneling

anonymousiam 5 hours ago [-]
I did the same thing 20 years ago, but I used vtun because Wireguard didn't exist yet. It's a cool way to get around the bogus limitations on residential static IP addresses.

At the time, my FiOS was about $80/month, but they wanted $300/month for a static IP. I used a VPS (at the time with CrystalTech), which was less than $50/month. Net savings: $170/month.

lostlogin 5 hours ago [-]
> At the time, my FiOS was about $80/month, but they wanted $300/month for a static IP.

So ridiculous.

It’s fast, far quicker than I can use, and the static IP was a one off $10 or similar.

xiconfjs 5 hours ago [-]
Quote from OPs ISP [1]:

"Factors leading to a successful installation: Safe access to the roof without need for a helicopter."

[1] https://www.monkeybrains.net/residential.php#residential

uncircle 4 hours ago [-]
I wish I had access to a small ISP. It is comforting to know that if something goes wrong, on the other end of the line there is someone with a Cisco shell open ready to run a traceroute.
fainpul 46 minutes ago [-]
> Let's say the external IP address you're going to use for that machine is 321.985.520.309 and the wireguard address of your local system is 867.420.696.005.

What is going on here with these addresses? I'm used to seeing stuff like this in movies – where it always destroys my immersion because now I have to think about the clueless person who did the computer visuals – but surely this author knows about IPv4 addresses?

l-p 37 minutes ago [-]
The author did not want to use real addresses and was not aware of the 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 ranges specified in RFC 5737 - IPv4 Address Blocks Reserved for Documentation.
politelemon 7 hours ago [-]
Another alternative could be a cloudflare tunnel. It requires installing their Daemon on the server and setting up DNS in their control panel. No ports need opening from the outside in.
jeroenhd 1 hours ago [-]
The downside of the Cloudflare approach is that yet more websites are behind Cloudflare's control. The VPS approach works pretty much the same way Cloudflare does, but without the centralized control.

On the other hand, Cloudflare is a pretty easy solution against spam bots and scrapers. Probably a better choice if that's something you need protection against.

PaulKeeble 59 minutes ago [-]
Everyone does these days, although it's really the AI scrapers you need defence from and Cloudflare isn't doing so good at that yet.
troupo 3 hours ago [-]
I used to expose a site hosted on my home NAS through it, and now I do the same from a server at Hetzner.

Works like magic :)

eqvinox 6 hours ago [-]
I would highly recommend reading up on VRFs and slotting that into the policy routing bits. It's really almost the same thing (same "ip route" commands with 'table' even), but better encapsulated.
dismalpedigree 3 hours ago [-]
I do something similar. I run a nebula network. The vps has haproxy and is passing the encrypted data to the hosts using sni to figure out the specific host. No keys on the vps.

The vps and each host are each nebula nodes. I can put the nodes wherever i want. Some are on an additional vps, some are running on proxmox locally. I even have one application running as a geo-isolated and redundant application on a small computer at my friend’s house in another state.

remram 48 minutes ago [-]
This Nebula? https://github.com/slackhq/nebula
dismalpedigree 36 minutes ago [-]
Yes. That's the one. Works really well. Basically a free version of Tailscale. A bit more of a learning curve.
ghoshbishakh 3 hours ago [-]
There are tools specifically built for hosting stuff without public IP such as https://pinggy.io
v5v3 7 hours ago [-]
I would suggest putting a disclaimer on the article to warn any noobs that prior to opening up a server on the internet basic security needs to be in place.
kinduff 7 hours ago [-]
This is an interesting solution and wouldn't mind using one of my existing servers as a gateway or proxy (?).

Is there a way to be selective about what ports are exposed from the host to the target? The target could handle it but fine grained control is nice.

mjg59 7 hours ago [-]
You could just set a default deny iptables policy for forwarding to that host, and then explicitly open the ports you want
baobun 7 hours ago [-]
iptables is legacy now and if you're not already well-versed in it, better go straight to nftables (which should be easier to get started with anyway). On modern systems, iptables commands are translated to nftables equivalents by a transitional package.
lazylizard 7 hours ago [-]
you can also run a proxy on the vps instead of the nat.
mjg59 7 hours ago [-]
Depends on the protocol. For web, sure - for ssh, nope, since the protocol doesn't indicate which machine it's trying to connect to and so you don't know where to proxy it to.
remram 29 minutes ago [-]
I don't know what you mean by "the protocol". Obviously there is a destination IP address on every packet... getsockname() will tell the proxy which local IP the client dialed, allowing it to create "virtual hosts" (or you can actually run multiple proxies bound on different local addresses).
baobun 6 hours ago [-]
You can still TCP proxy SSH just fine (one port per target host obv)

Certain UDP-based protocols may be hairier, though.

PhilipRoman 5 hours ago [-]
Socket based proxying is better for this, since you eliminate one point from your attack surface (if your proxy server gets compromised, it's just encrypted ssh/TLS)
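Editor's note: an added example tying together the last few comments (it is not code from the article or from any commenter). It is the socket-level proxy PhilipRoman and baobun describe, using remram's `getsockname()` idea: the VPS listens on each routed external address, and the local address the client actually dialled decides which home machine gets the connection, so two boxes can both serve ssh on port 22 with zero client-side configuration. The dispatch table is also the allow-list kinduff asked for: anything not explicitly mapped is refused, which is the default-deny behaviour mjg59 suggested doing in iptables. The 203.0.113.x (RFC 5737) and 10.0.0.x addresses are assumptions for illustration.

```python
"""Multi-address TCP dispatcher with a default-deny allow-list.

Added example, not from the original page. The home ssh/TLS servers
keep their own keys; the VPS only relays encrypted bytes.
"""
import asyncio
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# (external IP the client dialled, external port) -> (internal host, port).
# Only pairs listed here are forwarded; every other destination is refused.
FORWARDS: Dict[Endpoint, Endpoint] = {
    ("203.0.113.10", 22): ("10.0.0.10", 22),    # ssh to home box A
    ("203.0.113.11", 22): ("10.0.0.11", 22),    # ssh to home box B, same port, no jumphost
    ("203.0.113.11", 443): ("10.0.0.11", 443),  # TLS passthrough; certificate lives at home
}


def resolve_target(local_addr: Endpoint) -> Optional[Endpoint]:
    """Default-deny lookup: returns the upstream, or None to refuse."""
    return FORWARDS.get(local_addr)


async def pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle(client_reader: asyncio.StreamReader, client_writer: asyncio.StreamWriter) -> None:
    # "sockname" is the local (IP, port) the client connected to: the getsockname() view.
    local_ip, local_port = client_writer.get_extra_info("sockname")[:2]
    peer = client_writer.get_extra_info("peername")[:2]
    target = resolve_target((local_ip, local_port))
    if target is None:
        print(f"refused {peer} -> {local_ip}:{local_port} (not in allow-list)")
        client_writer.close()
        return
    try:
        up_reader, up_writer = await asyncio.open_connection(*target)
    except OSError as exc:
        print(f"upstream {target} unreachable: {exc}")
        client_writer.close()
        return
    print(f"{peer} -> {local_ip}:{local_port} => {target[0]}:{target[1]}")
    await asyncio.gather(pipe(client_reader, up_writer), pipe(up_reader, client_writer))


async def serve() -> None:
    # Bind each routed external address separately rather than 0.0.0.0, so the VPS's own
    # sshd on its primary address is never shadowed and unlisted addresses are not listened on.
    servers = [await asyncio.start_server(handle, host=ip, port=port) for (ip, port) in FORWARDS]
    await asyncio.gather(*(s.serve_forever() for s in servers))


if __name__ == "__main__":
    asyncio.run(serve())
```

Two caveats a practitioner will care about. First, as mnw21cam notes further up, with any proxy like this the home servers see every connection as coming from the VPS, so per-source logging, fail2ban-style blocking and SMTP relay checks on the inner host all break; the article's approach of tunnelling the address itself avoids that, this one does not. Second, the proxy must be bound only to the tunnelled external addresses, otherwise the same port 22 listener would compete with the VPS's own sshd.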
sneak 42 minutes ago [-]
This article was not worth having to solve a captcha to read.

I think I will be done with sites that require me to solve captchas to visit for simple reading, just as I am done with sites that require me to run javascript to read their text.

superkuh 13 minutes ago [-]
At least it is technically possible to complete the dreamwidth captchas now. For many years (well before the modern corporate spidering insanity) dreamwidth was just completely inaccessible no matter how many times one completed their captchas. You'd have to be running a recent version of Chrome or the like.

Now after doing the captcha ~5 times and getting nothing a different captcha pops up that actually works and lets one in.

It's not good but it's a hell of a lot better than their old system.
