The comments suggest Tailscale, but the author assumes this could only mean Funnel, but you could use Tailscale/Headscale for handling the WireGuard and low-level networking / IP allocation.
Then doing straightforward iptables or L7, or a reverse proxy via Caddy, Nginx, etc., directly to the routable IP address.
The outcome is the ~same, bonus is not having to handle the lower level component, negative is an extra "thing" to manage.
But this is how I do the same thing, and I'm quite happy with the result. I can also trivially add additional devices, and even use it for egress, giving me a good pool of exit-IP addresses.
(Note, I was going to add this as a comment on the blog, but it seems their captcha service is broken and would not display, so it was blocked.)
Why not use a dynamic DNS service instead? I’ve been using dyn.com (now oci.dyn.com) for years and it has worked great. A bonus is many home routers have support built in.
Lovely write up! Personally, I just settled on Tailscale so I don’t have to manage WireGuard and iptables myself.
For a while I also thought that regular SSH tunnels would be enough but they kept failing occasionally even with autossh.
Oh and I got bitten by Docker default MTU settings when trying to add everything to the same Swarm cluster.
I run a very small VPS at Hetzner with Pangolin on it that takes care of all the Traefik WireGuard tunneling to my home servers. Very easy to set up and operate.
Yeah, this is the way to do this. I'm pretty sure that if you for some reason do not want to run WireGuard on all your servers you could fairly easily adjust this recipe to have a centralized wg gateway on your local network instead.
I think I've seen some scripts floating around to automate this process but can't remember where. There are lots of good related tools listed here: https://github.com/anderspitman/awesome-tunneling
Quote from OP's ISP [1]:
"Factors leading to a successful installation: Safe access to the roof without need for a helicopter."
[1] https://www.monkeybrains.net/residential.php#residential
How is the author getting a symmetric 600mbps connection with Monkeybrains? They're an awesome local ISP and provide internet via roof mounted PtM wireless connections.
I want to love them, but sadly I only get an unreliable 80mbps/40mbps connection from them. With occasional latency spikes that make it much worse. To make up for this I run a multi-WAN gateway connecting to my neighbor/friend's Comcast as well. Here's the monkeybrains (https://i.imgur.com/FaByZbw.jpeg) vs comcast (https://i.imgur.com/jTa6Ldk.jpeg) latency log.
Curious if the author had to do anything special to get a symmetric 600mbps from Monkeybrains. They make no guarantees about speed at all, but are quite cheap, wholesome, and have great support. Albeit support hasn't been able to get me anywhere close to the author's speeds.
I did the same thing 20 years ago, but I used vtun because WireGuard didn't exist yet. It's a cool way to get around the bogus limitations on residential static IP addresses.
At the time, my FiOS was about $80/month, but they wanted $300/month for a static IP. I used a VPS (at the time with CrystalTech), which was less than $50/month. Net savings: $170/month.
Another alternative could be a cloudflare tunnel. It requires installing their Daemon on the server and setting up DNS in their control panel. No ports need opening from the outside in.
I would highly recommend reading up on VRFs and slotting that into the policy routing bits. It's really almost the same thing (same "ip route" commands with 'table' even), but better encapsulated.
> multiple world routeable IPv4 addresses
It's pretty rare that you would need more than one.
If you're running different types of services (e.g. http, mail, ftp) then they each use their own ports and the ports can be mapped to different local machines from the same public IP address.
The most common one where you're likely to have multiple public services using the same protocol is http[s], and for that you can use a reverse proxy. This is only a few lines of config for nginx or haproxy and then you're doing yourself a favor because adding a new one is just adding a single line to the reverse proxy's config instead of having to configure and pay for another IPv4 address.
And if you want to expose multiple private services then have your clients use a VPN and then it's only the VPN that needs a public IP because the clients just use the private IPs over the VPN.
To actually need multiple public IPs you'd have to be doing something like running multiple independent public FTP servers while needing them all to use the official port. Don't contribute to the IPv4 address shortage. :)
I do something similar. I run a nebula network. The VPS has haproxy and is passing the encrypted data to the hosts using SNI to figure out the specific host. No keys on the VPS.
The VPS and each host are each nebula nodes. I can put the nodes wherever I want. Some are on an additional VPS, some are running on proxmox locally. I even have one application running as a geo-isolated and redundant application on a small computer at my friend's house in another state.
I would suggest putting a disclaimer on the article to warn any noobs that prior to opening up a server on the internet basic security needs to be in place.
Hm, 600 symmetric with monkeybrains?? I’ve had monkeybrains for over 3 years and have never seen over 200 down. In fact, I reached out to them today because for the last 3 months it’s been about 50 down or less. Like, I can barely stream content slow. What gives? I am in a 6 unit in lower haight. Most of the units also have MB. The hardware is relatively new (2019?). What gives?
My only concern is logging. Will the webserver on your local server log the real IP address of your visitors, or will it log all traffic as coming from your VPS?
This is an interesting use case for a jumpbox. So what if we install a reverse proxy on the VPS and use WireGuard to redirect to services at home (non-static)? Would that work too? Any risks that you can see?
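The haproxy-on-the-VPS design described a few comments up (TLS passthrough keyed on SNI, certificates staying on the home hosts) and the logging question can be illustrated together. What follows is an added example, not code from the article or from any commenter: a minimal Python model of what such a VPS proxy does per connection. It peeks at the TLS ClientHello to read the SNI (which is plaintext, so no keys are needed on the VPS), picks a backend from a constructed table of WireGuard addresses, and prefixes the forwarded stream with a PROXY protocol v1 line so the home web server can log the real client address instead of the VPS's. The hostnames, tunnel addresses and client/VPS addresses are made up (documentation ranges), and the ClientHello builder exists only to produce sample input.

```python
# Added example (not from the article): SNI-based routing for a TLS passthrough proxy on the
# VPS, plus the PROXY protocol v1 header that carries the real client address to the home host.
# All names and addresses below are constructed for the example.

# SNI -> (WireGuard address of the home host, port). Constructed example table.
BACKENDS = {
    "blog.example.org": ("10.0.0.2", 443),
    "git.example.org": ("10.0.0.3", 443),
}


def build_client_hello(server_name: str) -> bytes:
    """Constructs a minimal ClientHello record with an SNI extension (sample input only;
    a real client sends many more cipher suites and extensions)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name          # name_type = host_name
    sni_ext = len(sni_entry).to_bytes(2, "big") + sni_entry             # server_name_list
    exts = (b"\x00\x2b\x00\x03\x02\x03\x04"                             # supported_versions, skipped below
            + b"\x00\x00" + len(sni_ext).to_bytes(2, "big") + sni_ext)  # server_name (extension type 0)
    body = (b"\x03\x03" + bytes(32) + b"\x00"         # client_version, random, empty session_id
            + b"\x00\x02\x13\x01"                     # one cipher suite
            + b"\x01\x00"                             # one compression method (null)
            + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes):
    """Return the host_name from the first TLS record, None if the ClientHello has no SNI,
    ValueError if the bytes are not a ClientHello. Nothing is decrypted: SNI is plaintext."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = int.from_bytes(record[3:5], "big")
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                         # client_version + random
        pos += 1 + body[pos]                                 # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
        if pos + 2 > len(body):
            return None                                      # no extensions block at all
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            q, list_end = 2, 2 + int.from_bytes(data[0:2], "big")
            while q + 3 <= list_end:
                ntype, nlen = data[q], int.from_bytes(data[q + 1:q + 3], "big")
                if ntype == 0:
                    return data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        return None
    except IndexError:
        raise ValueError("truncated or malformed ClientHello") from None


def proxy_v1_header(client_ip: str, client_port: int, proxy_ip: str, proxy_port: int) -> bytes:
    """PROXY protocol v1 line (what haproxy's `send-proxy` emits), sent once before the TLS bytes."""
    family = "TCP6" if ":" in client_ip else "TCP4"
    line = f"PROXY {family} {client_ip} {proxy_ip} {client_port} {proxy_port}\r\n".encode("ascii")
    if len(line) > 107:                                      # maximum v1 header length per the spec
        raise ValueError("PROXY header too long")
    return line


def route(first_bytes: bytes, client_ip: str, client_port: int, vps_ip: str, vps_port: int = 443):
    """Decide where a new connection goes: ((host, port), header) or None to close it."""
    try:
        sni = extract_sni(first_bytes)
    except ValueError:
        return None                                          # not TLS: refuse rather than guess
    if sni not in BACKENDS:
        return None                                          # unknown name: no default backend
    return BACKENDS[sni], proxy_v1_header(client_ip, client_port, vps_ip, vps_port)


if __name__ == "__main__":
    print(route(build_client_hello("blog.example.org"), "198.51.100.7", 51234, "203.0.113.10"))
```

In haproxy this is `mode tcp` with `tcp-request inspect-delay`, a `use_backend` rule on `req.ssl_sni`, and `send-proxy` on the server line; nginx on the home host reads the header with `proxy_protocol` on its `listen` directive and `real_ip_header proxy_protocol`, and exposes the address as `$proxy_protocol_addr` for logging. The check a practitioner wants: restrict `set_real_ip_from` to the VPS's tunnel address, because anything that can reach the backend port can otherwise prepend a forged PROXY line and spoof the logged source.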
> Let's say the external IP address you're going to use for that machine is 321.985.520.309 and the wireguard address of your local system is 867.420.696.005.
What is going on here with these addresses? I'm used to seeing stuff like this in movies – where it always destroys my immersion because now I have to think about the clueless person who did the computer visuals – but surely this author knows about IPv4 addresses?
There are tools specifically built for hosting stuff without public IP such as https://pinggy.io
I do something similar but using GRE since I don't need encryption. Then I have OSPF on the resulting overlay network (there are several sites) to deal with ISP outages. One hop is via Starlink and that does use WireGuard because Elon likes to block tunnel packets, but we get through.
Why would you want to expose your IP to the internet? I still feel that's dangerous, susceptible to DDoS attack, and I avoid that as much as possible. I put everything behind a Tailscale for internal use and behind Cloudflare for external use.
I feel like I missed a preread that teaches me about these strange super-numeric IP addresses. E.g. 400.564.987.500
Am I just seeing ipv6 in an unusually familiar format? Or is it an intentionally malformed format used by wireguard for internal routing?
Recommend trying vrf (l3mdev) for this (dual interface w/ 0.0.0.0/0 route) setup.
Put the wg interface in a new vrf, and spawn your self-hosted server in that vrf (ip vrf exec xxx command).
This is an interesting solution and wouldn't mind using one of my existing servers as a gateway or proxy (?).
Is there a way to be selective about what ports are exposed from the host to the target? The target could handle it but fine grained control is nice.
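For the "which ports get exposed" question just above, and the policy-routing step mentioned earlier in the thread, here is an added example (not the article's code, and not from any commenter) that writes both wg-quick configs for a VPS-to-home arrangement from Python. Everything concrete in it is an assumption made for the example: VPS public address 203.0.113.10 on interface eth0, tunnel addresses 10.0.0.1 (VPS) and 10.0.0.2 (home) on wg0, routing table 100, and keys passed in as strings from `wg genkey`/`wg pubkey`. The VPS side DNATs only an allow-list of TCP ports into the tunnel and does not masquerade, so the home host sees the real client address; the home side therefore needs a source-based rule that sends replies from the tunnel address back through the tunnel instead of the LAN default route, which is what its PostUp lines install (plain `ip rule` plus a routing table; the VRF suggestion in the thread is another way to package the same rule). Addresses are checked with the standard `ipaddress` module, which is the cheapest way to catch inputs like the 321.985.520.309 strings people asked about.

```python
import ipaddress

# All values below are constructed for this example (documentation ranges), not from the article.
PUBLIC_IP = "203.0.113.10"  # VPS public address, the one DNS points at
VPS_WG = "10.0.0.1"         # VPS end of the tunnel
HOME_WG = "10.0.0.2"        # home server end of the tunnel
WAN, WG = "eth0", "wg0"     # assumed interface names on the VPS
TABLE = 100                 # assumed routing table number on the home side


def is_valid_ip(text: str) -> bool:
    """True only for a syntactically valid IPv4/IPv6 literal (each IPv4 octet is 0..255)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def checked(text: str) -> str:
    if not is_valid_ip(text):
        raise ValueError(f"not an IP address: {text!r}")
    return text


def dnat_rules(public_ip: str, home_wg: str, ports, wan=WAN, wg=WG) -> list[str]:
    """iptables lines for the VPS: forward only the allow-listed TCP ports to the home host.

    There is deliberately no SNAT/MASQUERADE, so the home host sees the real client source
    address; that only works because the home side routes replies back through the tunnel
    (see home_config)."""
    public_ip, home_wg = checked(public_ip), checked(home_wg)
    rules = []
    for port in sorted(set(ports)):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port}")
        rules.append(f"iptables -t nat -A PREROUTING -i {wan} -d {public_ip} -p tcp "
                     f"--dport {port} -j DNAT --to-destination {home_wg}")
        rules.append(f"iptables -A FORWARD -i {wan} -o {wg} -d {home_wg} -p tcp "
                     f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    rules.append("iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {wan} -o {wg} -j DROP")  # every other port stays closed
    return rules


def vps_config(vps_privkey: str, home_pubkey: str, ports) -> str:
    rules = dnat_rules(PUBLIC_IP, HOME_WG, ports)
    up = "; ".join(rules)
    down = "; ".join(r.replace(" -A ", " -D ", 1) for r in rules)  # -D undoes each -A
    return "\n".join([
        "[Interface]",
        f"Address = {VPS_WG}/24",
        "ListenPort = 51820",
        f"PrivateKey = {vps_privkey}",
        f"PostUp = sysctl -w net.ipv4.ip_forward=1; {up}",
        f"PostDown = {down}",
        "",
        "[Peer]",
        f"PublicKey = {home_pubkey}",
        f"AllowedIPs = {HOME_WG}/32",  # only the home tunnel address may source packets into the VPS
    ])


def home_config(home_privkey: str, vps_pubkey: str) -> str:
    rule = f"ip rule add from {HOME_WG} table {TABLE}"
    route = f"ip route add default dev %i table {TABLE}"  # %i is expanded by wg-quick to the interface name
    return "\n".join([
        "[Interface]",
        f"Address = {HOME_WG}/24",
        f"PrivateKey = {home_privkey}",
        "Table = off",  # keep wg-quick from pointing the whole host's default route at the VPS
        f"PostUp = {rule}; {route}",
        f"PostDown = {rule.replace(' add ', ' del ')}; {route.replace(' add ', ' del ')}",
        "",
        "[Peer]",
        f"PublicKey = {vps_pubkey}",
        f"Endpoint = {PUBLIC_IP}:51820",
        "AllowedIPs = 0.0.0.0/0",   # DNATed packets keep the real client source, so any source must pass cryptokey routing
        "PersistentKeepalive = 25",  # keeps the home NAT/firewall mapping open for traffic from the VPS
    ])


if __name__ == "__main__":
    print(vps_config("<vps private key>", "<home public key>", [443, 22]))
    print()
    print(home_config("<home private key>", "<vps public key>"))
```

Two things to check after bringing this up: if connections arrive at the home host but replies never leave, confirm with `ip rule show` and `ip route show table 100` that the source rule is in place, and if packets are dropped on arrival look at `rp_filter` on wg0 (loose mode, value 2, is the usual fix since the client addresses are not reachable via wg0 in the main table). Adding a MASQUERADE rule on the VPS would make the setup work without the home-side rule, at the cost of every request being logged as coming from 10.0.0.1.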
Won't sell you a static IP? Not even IPv6? That's just incompetence.
How is it different from self hosting locally with Cloudflare tunnels or Tailscale?
E.g. I have a PiZero attached to my router and it’s exposed to the internet via Cloudflare tunnels.
I've taken the easier solution of Cloudflare's free Tunnel service so my IP is less exposed and I don't have to poke holes in my firewall.
Putting a privkey on your VPS seems like asking for trouble.
A similar simple option: https://github.com/hyprspace/hyprspace
You can also run a proxy on the VPS instead of the NAT.
Too lazy to set up WireGuard. I just use ssh -L. And if there is another server in the way I hop with ssh -J -L
Things like this that go through some external VPS always seem a bit pointless to me.
Just host it on the VPS directly.
Um that article is not at all about what I expected. It solves a particular problem, which is not having a static IP address. I happen to have one, so that's not an issue.
But I still have so much to consider when doing local hosting. Redundant electricity? IP connectivity? What if some hardware dies? What if I get DDoS'ed? How do I get all relevant security fixes applied asap? How do I properly isolate the server from other home networking like kid's laptops and TV with Netflix? ...?
All solvable of course, but that's what I'd have expected in such an article.
I wrote about doing the same thing in 2016[1], crazy to think that we STILL don't have IPv6.
1: https://stosb.com/blog/using-an-external-server-and-a-vpn-to...
> Let's say the external IP address you're going to use for that machine is 321.985.520.309 and the wireguard address of your local system is 867.420.696.005.
What kind of IP addresses are these?
This article was not worth having to solve a captcha to read.
I think I will be done with sites that require me to solve captchas to visit for simple reading, just as I am done with sites that require me to run javascript to read their text.
This and the comments highlight how bad many ISPs in North America and Western Europe are at IPv6, still, in 2025, and the lengths to which people will go to treat that as damage and literally route around it.
One of the biggest ISPs in my country has been promising IPv6 since 2016. Another, smaller, competitor, advertised on "World IPv6 Day" in 2011 that it was way ahead of the competition on supplying IPv6; but in fact does not supply it today.
One of the answers I see given a lot over the years is: Yes, I know that I could do this simply with IPv6. But ISPs around here don't route IPv6, or even formally provide statically-assigned IPv4 to non-business customers. So I have had to build this Heath Robinson contraption instead.