Access from Internet with dedicated IP address

From wiki.frank-wulf.de

Description

This solution requires renting a VPS server that comes with a static public IP address; prices start at 1 Euro per month (in 2024 at ionos.de or strato.de). Since this server is used only to forward data from the internet to the local server and back to the internet, the cheapest offer will most likely be sufficient. The local server connects to the VPS server through a VPN tunnel. All traffic destined for the public IP address of the VPS server is then forwarded to the local server through this tunnel. Responses from the local server are sent back through the tunnel to the VPS server and from there to the respective sender.

Internet <―――――(Public IP 85.215.213.68)―――――> VPS server <―――――(VPN tunnel 192.168.142.x)―――――> Local server

The VPN connection is initiated automatically by the client (the local server), so the local server is permanently accessible from the internet. Security measures such as fail2ban and firewall rules are kept in the local network to protect the local server against external attacks.

Terminology

Term                          Description
VPS Server                    Virtual Private Server with a static public IP address assigned
Local Server                  Server in the local network (192.168.141.1)
IP subnet for local network   192.168.141.0/24
IP subnet for VPN tunnel      192.168.142.1/32 (VPS server), 192.168.142.100/32 (local server)
Static public IP address      85.215.213.68


Configuration

For the WireGuard VPN tunnel, maintain the firewall rules on the VPS server so that port 51820 is open for incoming UDP traffic:

Action   Allowed IP   Protocol   Port(s)   Description
Allow    All          TCP        22        default
Allow    All          TCP        80        default
Allow    All          TCP        443       default
Allow    All          TCP        8443      default
Allow    All          TCP        8447      default
Allow    All          UDP        51820     WireGuard


Enable packet forwarding for IPv4 in file /etc/sysctl.conf:

...
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
...


Enable the changes made in /etc/sysctl.conf:

sysctl -p


Install the WireGuard VPN software on both the VPS server and the local server:

apt install wireguard
mkdir --mode=700 /etc/wireguard
chown root:root /etc/wireguard


Generate a key pair on both the VPS server and the local server:

cd /etc/wireguard
umask 077; wg genkey | tee privatekey | wg pubkey > publickey


Create config file /etc/wireguard/wg0.conf on VPS server:

[Interface]
PrivateKey = <Private key from VPS server>
ListenPort = 51820
Address = 192.168.142.1/24
PostUp = iptables -t nat -A PREROUTING -p tcp -d 85.215.213.68 -j DNAT --to 192.168.142.100
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp -d 85.215.213.68 -j DNAT --to 192.168.142.100
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE

[Peer]
PublicKey = <Public key from local server>
AllowedIPs = 192.168.142.100/32


Create config file /etc/wireguard/wg0.conf on local server:

[Interface]
PrivateKey = <Private key from local server>
Address = 192.168.142.100/24

[Peer]
PublicKey = <Public key from VPS server>
AllowedIPs = 0.0.0.0/0
Endpoint = 85.215.213.68:51820
PersistentKeepalive = 25


Edit file /etc/systemd/resolved.conf:

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details

[Resolve]
#>>>2024-10-30 Frank Wulf
#DNS=
DNS=192.168.141.10
#FallbackDNS=
FallbackDNS=1.1.1.1 1.0.0.1
#<<<2024-10-30 Frank Wulf
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes


Enable VPN interface to start at boot time on both VPS server and local server, then start the interface:

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
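The steps above (key generation, the two wg0.conf files, the iptables PostUp/PostDown rules) can be rendered from one set of variables and checked before they are copied into /etc/wireguard. The script below is an added example and is not part of the wiki page. It keeps the page's addresses, port and interface name (ens6) but deviates in one point: the page's PREROUTING rule matches every incoming TCP port on 85.215.213.68, port 22 included, so an SSH session to the VPS itself would also be forwarded to the local server. The example therefore restricts the DNAT to an explicit port list; FORWARD_PORTS (taken from the TCP rows of the firewall table, minus 22), the PLACEHOLDER_* key strings used when wg(8) is not installed, and the check_vps_conf consistency check are assumptions of this example, not something the page prescribes.

```shell
#!/bin/sh
# Added example, not part of the wiki page: render both wg0.conf files from one
# set of variables and sanity-check the VPS side before installing it.
# Values match the page; FORWARD_PORTS and the placeholder keys are assumptions.
set -eu

PUBLIC_IP="85.215.213.68"
WG_PORT="51820"
VPS_WAN_IF="ens6"                   # internet-facing interface of the VPS (from the page's PostUp)
VPS_TUN_IP="192.168.142.1"
LOCAL_TUN_IP="192.168.142.100"
FORWARD_PORTS="80 443 8443 8447"    # assumption: forward only the web ports, never the VPS's own SSH port 22

# render_dnat_rules HOOK ACTION: one iptables DNAT line per forwarded port,
# prefixed with "PostUp = " or "PostDown = " (HOOK) and using -A or -D (ACTION).
render_dnat_rules() {
  hook="$1"; action="$2"
  for port in $FORWARD_PORTS; do
    printf '%s = iptables -t nat %s PREROUTING -p tcp -d %s --dport %s -j DNAT --to %s\n' \
      "$hook" "$action" "$PUBLIC_IP" "$port" "$LOCAL_TUN_IP"
  done
}

# render_vps_conf VPS_PRIVATE_KEY LOCAL_PUBLIC_KEY: wg0.conf for the VPS server
render_vps_conf() {
  printf '[Interface]\nPrivateKey = %s\nListenPort = %s\nAddress = %s/24\n' "$1" "$WG_PORT" "$VPS_TUN_IP"
  render_dnat_rules PostUp -A
  printf 'PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$VPS_WAN_IF"
  render_dnat_rules PostDown -D
  printf 'PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$VPS_WAN_IF"
  printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$2" "$LOCAL_TUN_IP"
}

# render_local_conf LOCAL_PRIVATE_KEY VPS_PUBLIC_KEY: wg0.conf for the local server
render_local_conf() {
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n' "$1" "$LOCAL_TUN_IP"
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s:%s\nPersistentKeepalive = 25\n' \
    "$2" "$PUBLIC_IP" "$WG_PORT"
}

# gen_keypair DIR NAME: DIR/NAME.key and DIR/NAME.pub via wg(8) exactly as on the
# page; falls back to labelled placeholders so the script still runs without WireGuard.
gen_keypair() {
  if command -v wg >/dev/null 2>&1; then
    (umask 077; wg genkey | tee "$1/$2.key" | wg pubkey > "$1/$2.pub")
  else
    (umask 077; echo "PLACEHOLDER_${2}_PRIVATE_KEY" > "$1/$2.key"; echo "PLACEHOLDER_${2}_PUBLIC_KEY" > "$1/$2.pub")
  fi
}

# check_vps_conf FILE: fail unless every DNAT rule names a port, none of them is
# port 22, and the peer's AllowedIPs is the single /32 tunnel address.
check_vps_conf() {
  if grep -E 'PREROUTING.*-j DNAT' "$1" | grep -vqE -e '--dport [0-9]+ '; then
    echo "check: DNAT rule without --dport would forward every TCP port (SSH included)" >&2; return 1
  fi
  if grep -qE -e '--dport 22 ' "$1"; then
    echo "check: port 22 must not be forwarded, or SSH to the VPS is lost" >&2; return 1
  fi
  grep -q "^AllowedIPs = $LOCAL_TUN_IP/32\$" "$1"
}

main() {
  out=$(mktemp -d)
  gen_keypair "$out" vps
  gen_keypair "$out" local
  render_vps_conf "$(cat "$out/vps.key")" "$(cat "$out/local.pub")" > "$out/wg0-vps.conf"
  render_local_conf "$(cat "$out/local.key")" "$(cat "$out/vps.pub")" > "$out/wg0-local.conf"
  check_vps_conf "$out/wg0-vps.conf"
  echo "rendered configs in $out; copy each to /etc/wireguard/wg0.conf on its host"
}

main
```

Run it on either host; it writes wg0-vps.conf and wg0-local.conf into a temporary directory and refuses to continue if the VPS config would forward an unlisted port. The private key files are created with umask 077, as on the page, and each rendered file still has to be copied to /etc/wireguard/wg0.conf on its own host before `systemctl enable wg-quick@wg0`.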