Hi, I live in Germany and only have public IPv6. My address changes only very, very rarely and has never changed in the time I’ve been self-hosting.
I also have a very small, pretty cheap VPS with static IPv4/IPv6 – which would seem like a great fit for some sort of tunneling/proxy setup. Now comes the question: What/how should I use it? I would like to not have the additional latency for IPv6 enabled hosts, can I just setup a reverse proxy for IPv4? Would Tailscale work for my usecase, what are some resources you found useful when using it?
Currently, I’m just hosting everything IPv6-only and hoping my address never changes, but that does not work for everyone, as especially many new buildings with fiber optic connections still only have IPv4 (strangely).
You must log in or register to comment.
Yes, you can just use a reverse proxy for IPv4 only and point it to the IPv6 upstream. That is what I do, with a separate DNS record which then combines the two. See the DNS records for id.knifepoint.net (CNAME), http.vineta.knifepoint.net (AAAA, A) and vineta.knifepoint.net (AAAA).
The reverse proxy config and certificate management is set up with NixOS, if it helps: https://git.dblsaiko.net/systems/tree/nixos/defaults/v4proxy.nix https://git.dblsaiko.net/systems/tree/nixos/modules/sys2x/v4proxy.nix
But having a reverse proxy would enable someone getting access to it to read traffic, while having a VPN Tunnel won’t.
Your reverse proxy should have a cert with HTTPS.
Tbf, technically data is still decrypted at the reverse proxy and then re-encrypted. So if someone manages to reconfigure the proxy or read its memory somehow they could read traffic in plain text.
However then since they have to control the VPS, they could also get a new cert for that domain (at least the way I’ve configured it) even if it was passed as is to the real host via a tunnel and read the plaintext data that way, so I don’t think a tunnel protects against anything.
Or just use Nginx stream proxy, and all the encryption happens on the endpoints. No need for certs on the proxy at all.
This is how I make https and mqtts available on ipv4.
Wire guard to the vps with nftables port forwarding.
Check my wiki here https://wiki.gardiol.org/doku.php?id=networking%3Awireguard_redirects
Or setup ssh with port forwarding as well. Less reliable but nothing to install on a basic Linux.
This. Using simple ssh tunneling with port forwarding in a similar scenario. Working flawlessly with zero maintenance for 5 years and counting. Very reliable
Not really reliable, much less than wire guard. If your connection is unstable ssh not the best option. Autossh make it better, but still after a forced disconnection ssh will take a while to drop and reconnect. Wire guard is much better. I moved from ssh+autossh to wireguard and wished I did that sooner.
Fair comment, I should qualified my answer: I use an ssh tunnel with auto-reconnect option, wrapped inside a systemd service. In all this years, I still have to run into a problem that wasn’t external (server down, no internet at home etc) I agree that wireguard is the proper solution however it requires a lot of extra configuration and support in both ends, which now is prevalent but not so much 5+ years ago. Also for a single port solution, ssh is so much simpler, practical and reliable, you only need an ssh user at the other end.
ExecStart=/usr/bin/ssh -NT -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R localhost:YOUR_PORT:localhost:YOUR_PORT SOME_USER@YOUR_SERVER
