http://wiki.frank-wulf.de/index.php?action=history&feed=atom&title=Access_from_Internet_with_dedicated_IP_addressAccess from Internet with dedicated IP address - Versionsgeschichte2026-05-13T14:27:49ZVersionsgeschichte dieser Seite in wiki.frank-wulf.deMediaWiki 1.43.8http://wiki.frank-wulf.de/index.php?title=Access_from_Internet_with_dedicated_IP_address&diff=672&oldid=prevWulf: Die Seite wurde neu angelegt: „=== Description === This solution requires renting a VPS server which comes with a static public IP address, costs are starting at 1 Euro per month (in 2024 at ionos.de or strato.de). As this server is used only to forward data from the internet to the local server and back to the internet, the cheapest offer will most likely be sufficient. The local server will be connected to the VPS server using a VPN tunnel. All traffic aiming the public IP address of…“2025-09-14T07:31:39Z<p>Die Seite wurde neu angelegt: „=== Description === This solution requires renting a VPS server which comes with a static public IP address, costs are starting at 1 Euro per month (in 2024 at ionos.de or strato.de). As this server is used only to forward data from the internet to the local server and back to the internet, the cheapest offer will most likely be sufficient. The local server will be connected to the VPS server using a VPN tunnel. All traffic aiming the public IP address of…“</p>
<p><b>Neue Seite</b></p><div>=== Description ===<br />
This solution requires renting a VPS server which comes with a static public IP address, costs are starting at 1 Euro per month (in 2024 at ionos.de or strato.de). As this server is used only to forward data from the internet to the local server and back to the internet, the cheapest offer will most likely be sufficient. The local server will be connected to the VPS server using a VPN tunnel. All traffic aiming the public IP address of the VPS server is then being forwarded to the local server through this tunnel. Results from the local server are sent back through the tunnel to the VPS server and from there to the respective sender.<br />
'''<big>Internet</big> <―――――(Public IP 85.215.213.68)―――――> <big>VPS server</big> <―――――(VPN tunnel 192.168.142.x)―――――> <big>Local server</big>'''<br />
<br />
Basically the VPN connection is triggered automatically by the client (local server). Hence the local server is permanently accessable from the internet. Security settings are maintained in the local network like fail2ban and firewall rules to protect the local server against external attacks.<br />
<br />
=== Terminology ===<br />
{| class="wikitable"<br />
|+<br />
|! style="text-align:center; font-weight:bold; background-color:Moccasin"| Term<br />
! style="text-align:center; font-weight:bold; background-color:Moccasin"| Description<br />
|-<br />
|VPS Server<br />
|Virtual Private Server with a static public IP address assigned<br />
|-<br />
|Local Server<br />
|Server in local network (192.168.141.1)<br />
|-<br />
|IP subnet for local network<br />
|192.168.141.0/24<br />
|-<br />
|IP subnet for VPN tunnel<br />
|192.168.142.1/32 (VPS server)<br />
192.168.142.100/32 (local server)<br />
|-<br />
|Static public IP address<br />
|85.215.213.68<br />
|}<br />
<br /><br />
'''<big>Configuration</big>'''<br><br />
<br />
For the Wireguard VPN tunnel maintain the firewall rules on the VPS server to open port 51820 for incoming UDP traffic:<br />
{| class="wikitable"<br />
|+<br />
! style="text-align:center; font-weight:bold; background-color:Cornsilk"| Action<br />
! style="text-align:center; font-weight:bold; background-color:Cornsilk"| Allowed IP<br />
! style="text-align:center; font-weight:bold; background-color:Cornsilk"| Protocol<br />
! style="text-align:center; font-weight:bold; background-color:Cornsilk"| Port(s)<br />
! style="text-align:center; font-weight:bold; background-color:Cornsilk"| Description<br />
|-<br />
|Allow<br />
|All<br />
|TCP<br />
|22<br />
|''default''<br />
|-<br />
|Allow<br />
|All<br />
|TCP<br />
|80<br />
|''default''<br />
|-<br />
|Allow<br />
|All<br />
|TCP<br />
|443<br />
|''default''<br />
|-<br />
|Allow<br />
|All<br />
|TCP<br />
|8443<br />
|''default''<br />
|-<br />
|Allow<br />
|All<br />
|TCP<br />
|8447<br />
|''default''<br />
|-<br />
|'''Allow'''<br />
|'''All'''<br />
|'''UDP'''<br />
|'''51820'''<br />
|'''Wireguard'''<br />
|}<br />
<br />
<br />
Enable packet forwarding for IPv4 in file '''/etc/sysctl.conf''':<br />
<pre style="color: silver; background: black;"><br />
...<br />
# Uncomment the next line to enable packet forwarding for IPv4<br />
net.ipv4.ip_forward=1<br />
...<br />
</pre><br />
<br />
<br />
Enable the changes made in '''/etc/sysctl.conf''':<br />
<syntaxhighlight lang="bash"><br />
sysctl -p<br />
</syntaxhighlight><br />
<br />
<br />
Install Wireguard VPN software on both VPS server and local server:<syntaxhighlight lang="bash"><br />
apt install wireguard<br />
mkdir --mode=700 /etc/wireguard<br />
chown root:root /etc/wireguard<br />
</syntaxhighlight><br />
<br />
<br />
Generate server key pair on both VPS server and local server:<syntaxhighlight lang="bash"><br />
cd /etc/wireguard<br />
umask 077; wg genkey | tee privatekey | wg pubkey > publickey<br />
</syntaxhighlight><br />
<br />
<br />
Create config file '''/etc/wireguard/wg0.conf''' on VPS server:<br />
<pre style="color: silver; background: black;"><br />
[Interface]<br />
PrivateKey = <Private key from VPS server><br />
ListenPort = 51820<br />
Address = 192.168.142.1/24<br />
PostUp = iptables -t nat -A PREROUTING -p tcp -d 85.215.213.68 -j DNAT --to 192.168.142.100<br />
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE<br />
PostDown = iptables -t nat -D PREROUTING -p tcp -d 85.215.213.68 -j DNAT --to 192.168.142.100<br />
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE<br />
<br />
[Peer]<br />
PublicKey = <Public key from local server><br />
AllowedIPs = 192.168.142.100/32<br />
</pre><br />
<br />
<br />
Create config file '''/etc/wireguard/wg0.conf''' on local server:<br />
<pre style="color: silver; background: black;"><br />
[Interface]<br />
PrivateKey = <Private key from local server><br />
Address = 192.168.142.100/24<br />
<br />
[Peer]<br />
PublicKey = <Public key from VPS server><br />
AllowedIPs = 0.0.0.0/0<br />
Endpoint = 85.215.213.68:51820<br />
PersistentKeepalive = 25<br />
</pre><br />
<br />
<br />
Edit file '''''/etc/systemd/resolved.conf''''':<syntaxhighlight lang="bash" highlight="15-20"><br />
# This file is part of systemd.<br />
#<br />
# systemd is free software; you can redistribute it and/or modify it<br />
# under the terms of the GNU Lesser General Public License as published by<br />
# the Free Software Foundation; either version 2.1 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# Entries in this file show the compile time defaults.<br />
# You can change settings by editing this file.<br />
# Defaults can be restored by simply deleting this file.<br />
#<br />
# See resolved.conf(5) for details<br />
<br />
[Resolve]<br />
#>>>2024-10-30 Frank Wulf<br />
#DNS=<br />
DNS=192.168.141.10<br />
#FallbackDNS=<br />
FallbackDNS=1.1.1.1 1.0.0.1<br />
#<<<2024-10-30 Frank Wulf<br />
#Domains=<br />
#LLMNR=no<br />
#MulticastDNS=no<br />
#DNSSEC=no<br />
#DNSOverTLS=no<br />
#Cache=no-negative<br />
#DNSStubListener=yes<br />
#ReadEtcHosts=yes<br />
</syntaxhighlight><br />
<br />
<br />
Enable VPN interface to start at boot time on both VPS server and local server, then start the interface:<syntaxhighlight lang="bash"><br />
systemctl enable wg-quick@wg0<br />
systemctl start wg-quick@wg0<br />
</syntaxhighlight></div>Wulf