Make my IPv6 selfhosted service available on IPv4 network.

submitted by [deleted]

My ISP provide me with good IPv6 connection with support of opening ports how I like. But IPv4 is behind a CGNAT and makes me unable to host a service on the legacy Internet.

Unfortunetely some of my friends I want to host (Jellyfin and Nextcloud) for does not have modern Internet connection, so I have to put some proxy.

Now I need suggestions of a solution. VPN on some VPS they would need to connection to is one of them, but it should be as simple for them to use as possible.

Log in to comment

12 Comments

slazer2au

I'd say running the VPS as a proxy or nat64 setup would be the way to go. Cgnat kinda messes everything up.

[deleted] [OP]

What I want to do. But the question is how?

VPS as a proxy... but when I point A record to VPS and AAAA record to server in my home, how would the VPS know which traffic to pass and how.

TCB13 , edited

how would the VPS know which traffic to pass and how.

Install nginx in your VPS and configure it as reverse proxy to your home IPv6:

server {
    listen 80; # listens only on IPv4 port 80
    server_name example.com; # your domain name
    location / {
        proxy_pass http://[2a03:2880:f003:c07:face:b00c::2] # replace with your home server IPv6. Keep the brackets.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
    }
}

Point your A record to your VPS, and your AAAA to the home server.


Kwa

Be aware that doing it like this, the traffic from the VPS to your home will be unencrypted.

TCB13 , edited

Yes, and wouldn't the traffic between his friend and his home server be encrypted as well? :)

The OP should first figure out how to do this with basic HTTP and then once it works he can do a more fancy setup like setup letsencrypt on the local server in order to have his website protected with a valid certificate.

Then he can configure the VPS Nginx instance to do SSL pass-thru on port 443. This makes it so the VPS will be able to receive HTTPS traffic and send it back to his home server without having to do SSL termination / decryption / dealing with SSL certificates. Only the home server will have the certificates thus be able to decrypt the traffic.

Once the website can be accessed from both servers directly with SSL he can proceed to disable plain text HTTP traffic. To do this simply remove the entire server { listen 80 section on both servers. The home server should end up server { listen listen [::]:443 ssl; section so it listens in both IPv4 and IPv6 for HTTPs traffic. The VPS should only have the stream at /etc/config/nginx.conf as described above - make sure the previous server block entry is removed from the VPS as it is no longer needed.

If the OP goes through all those steps then none of the servers will accept plain HTTP traffic and the VPS will only proxy encrypted data back to his home. The beauty of SSL pass-thru is that the VPS doesn't have the means to decrypt the traffic, you won't have to manage certificates in across two servers and it's way easier to setup than a WG tunnel.

i_am_not_a_robot

Be careful with doing this. X-Real-IP and X-Forwarded-For are good for when the client is a trusted proxy, but can be easily faked if you don't whitelist who's allowed to use those headers. Somebody with IPv6 access could send "X-Real-IP: 127.0.0.1" or something and if the server believes it then you'll see 127.0.0.1 in logs and depending on what you're running the user may gain special permissions.

Also be careful with the opposite problem. If your server doesn't trust the proxy, it will show the VPS IP in logs, and if you're running something like fail2ban you'll end up blocking your VPS and then nobody will be able to connect over IPv4.

TCB13 , edited

Fair enough yeah. :)

The OP can solve that potential security issue with this option: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from on the local server nginx:

http {
(...)
        real_ip_header    X-Real-IP;
        set_real_ip_from  [2a03::aaaac::1]; # Replace with the VPS IPv6 address.
}

This will make sure only the VPS is allowed to override the real IP.

Matt The Horwood

A and AAAA records can have different IPs, the VPS will know it's the host for your A and to forward AAAA to your home IP

Gobo

Setup nginx as a v6 to v4 reverse proxy. Or the inverse if you have a public v4 in a vpc to use as a dmz.

Decronym , edited

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
SSL Secure Sockets Layer, for transparent encryption
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

[Thread #778 for this sub, first seen 1st Jun 2024, 14:35] [[FAQ](http://decronym.xyz/)] [[Full list](http://decronym.xyz/acronyms/selfhosted@lemmy_world)] [[Contact](https://hachyderm.io/@Two9A)] [Source code]

Albbi

Holy shit that's a great bot!

SteveTech

If you can't get the VPS to work, alternatively there's Cloudflare but last I checked streaming was a little out of their free terms. With it, you should just have to set your AAAA record and make the cloud orange, that way Cloudflare will proxy it, and IPv4 will work. There's also Cloudflare tunnels which lets you host websites without port forwarding anything.

exu

You'll want to install a reverse proxy of your choice on the VPS. Have clients access it over ipv4 and configure it to proxy pass it to your ipv6 address. Nginx at least is capable of doing ipv4 & ipv6 -> ipv4, I think the inverse should also be possible.