If you’re looking for sympathy, you got it. Fuck the state.
If you’re looking for solutions, use a cheap $5/mo VPS that exists purely as your gateway host. Run everything you want on your home machines, then tunnel the traffic to your gateway and reverse-proxy it there. Your data stays in your hands, you can spin up and expose new services publicly in a matter of minutes, AND your home IP isn’t vulnerable to doxxing or DoS.
use a cheap $5/mo VPS that exists purely as your gateway host
Now, why so expensive?
https://racknerdtracker.com/?sort=price
Disclaimer: I never used Racknerd (nor any other VPS).
"JUST $10.28/YEAR - WOW!!" Laughed out loud at that, and I'll have to give this a look. Currently I just use nginx and duckdns to expose my home IP for my self hosted stuff.
Thanks king, this actually makes sense!
Is there a more detailed guide to this practice and the pros/cons?
This is @Shimitar@downonthestreet.eu‘s work, not mine - but it’s pretty similar to how I’d set things up:
https://wiki.gardiol.org/doku.php?id=networking%3Assh_tunnel
Really appreciated the reference!
Good to know my wiki is of any use to somebody.
:)
I basically do exactly this, but I am running the reverse proxy on my home computer: the VPS is literally just acting as a proxy, for which I use wireguard to tunnel the connection. So far it's worked great, though initial setup was a pain.
This is a great suggestion!
Lest anyone miss the buried lede, this approach means that traffic is pre-encrypted as it passes through the gateway VPS - so even if your VPS gets hacked, it’s way harder to steal credentials and break into the services running on your home network.
So you essentially have a DMZ between your VPS and home network that is divided by your reverse proxy?
@dgdft @ellie @selfhosted this is the way
While I agree on a practical level, and pragmatism sure is important, long term that workaround still keeps you paying for cloud services and gives cloud companies an easy way to directly man-in-the-middle your traffic. So I'm hoping one day the situation will improve.
@ellie @selfhosted what is the actual alternative? also, not all vps are offfered by megacorps.
The alternative is to get your ISP to offer you a static IPv6 and a reverse DNS PTR entry for your IPv6, like I asked for in the initial post. Some ISPs do if you offer them more money, some only do if you offer them more money and a legit business registration, apparently a few rare ones do it for free, and some never do it.
Once you got the static IP, you can point DNS directly to yourself, and there's no VPS or anything in between. Browser traffic and so on directly comes to your machine.
@ellie @selfhosted I've never seen that from an ISP. 🤷♂️
Most offer it, but often not for the regular consumer contracts.
I think you're giving their ability to coordinate too much credit. Best guess the ISPs are just withholding anything that requires investment to deploy or that they can monetize themselves. Everybody else is just bottom-feeding by selling workarounds wherever the ISPs can't or won't.
The invisible hand of the market sucks at creating optimal solutions, but it does great at creating scammy crap that will take your money, no conspiracy necessary.
Yepp, Hanlon's razor: they are mostly just lazy and maybe incompetent, not necessarily evil, that's just a side effect. E.g. in my country if you call them that you want to get out of CGNAT they'll just do that for you. My IP haven't changed in years, but I don't pay for fix IP. But it may be different in each country, I have mostly good experiences with local ISPs here.
I think there are still enough v4-only systems out there that you don't really want to host a mail server on v6. You are right though that it would be nice to be able to get static v6 (or for that matter v4) addresses from home isp's. Some do offer that of course.
Another issue can be that the average home internet user has no idea keep even a client system secure. So ISP's might use NAT and default firewall configurations partly to stop incoming connections on the theory that they are likely to be malicious. On home routers you can usually open ports if you know what you're doing. I don't know if that's even possible on mobile phones.
My ISP is a local deal, well-known for protecting privacy, and run by an absolute nerd (in the best way possible, also outspoken about privacy, FOSS, and other such things). Their customer service is second-to-none; I had an issue with my static IP a couple years back, and had an actual engineer on the line within a few hours. On a weekend.
It's XMission. I dropped Comcast for them once they were in my area. Comcast can climb up a cactus.
That is basically what they do yes. ISPs are the only thing standing in between the entirety of humanity and out of the box selfhosting. With fixed IPv6 IP addresses you could build and sell devices that just self host all your stuff out of the box. You could just sell complete normie people a "cloud box" that they can slap in their home for a one time cost that will take care of all their cloud storage and smart device needs. You could integrate it into any smartphone OS ootb so that all you have to do is scan a QR code on the "cloud box" and it connects all your apps that need it to it.
The big issue is that your network provider is also the physical provider, and there's no real competition as a result.
When most people got their Internet service over telephone lines, your ISP didn't need to also own the telephone lines, they just needed some telephone numbers.
When the telcos themselves got into the business of providing internet access, they pushed out the competition.
The 1996 Telecommunications Act, written by a Republican Congress, and signed into law by a Democratic president (Clinton) is largely responsible for the current state of affairs.
The "Information Superhighway" is a toll road, built by taxes, but owned by private corporations.
What's crazy is that the government paid these corporations to build this infrastructure.
When your government pays, say, a road building company to build roads, one doesn't then grant the ownership of those roads to that company.
But that is EXACTLY what we did with our communications infrastructure.
Capitalist institutions push capitalism? What kind of world is this!
We seriously need an international co-operative (Worker-owned) ISP.
I wonder how often the assigned prefix changes with most of the regular ISPs. I'd have to look someone else's router since I'm still stuck on an old contract. But I believe what I saw with some of the regular consumer contracts: the prefixes stay the same for a long time. You could just slap a free DynDNS service on top and be done with it.
But yes, I think this used to be the promise... We'd all get IPv6 and a lot of gadgets like NAS systems, video cameras and a wifi kettle and they'd be accessible from outside. Instead of that we use big capitalist cloud services and all the data from the internet of things devices has some stopover in the China cloud.
Nah, I don't think there's a lot on IPv6 in that book. I think OP's concern is valid. Accessing devices at home isn't unheard of. The amount of smart home stuff, appliances and consumer products increases every day. And we all gladly pay our ISPs to connect us and our devices to the internet. They could as well do a good job while at it. I mean should it cost extra to manage a static prefix, so be it. But oftentimes they really make it hard to even give them money and obtain that "additional" service.
If you have control over at least the root of your network you can totally get away with hosting in a dynamic pub ip. You just need to set up dynamicdns. There are other ways of handling this specific issue too. You can always go to a colocation and set up a server there if you want. You could also create your own reverse proxy tunnel in a place that is public then forward it. There are lots of work arounds really. Yeah, it sucks that American ISPs generally don’t support ipv6 but there are totally ways to work around it all.
What really gets me up in arms is when they advertise gigabit connections or 500mb speeds only to limit upload to 20mb/s. That is where they are actively inhibiting self hosting communities.
Even in an ideal DNS setup, you're probably going to have downtimes whenever your dynamic IP changes. If only because some ISPs even force-disconnect you after a while to change your address.
I mean I’ll be real. Sure in some circumstances that could be an annoyance for 15 seconds for some software that might rely on a session whenever your ip changes like once a month if that. A rotating ip is probably one of the easiest things to work around amongst the plethora of challenges that ISPs present for those who want to self host.
I mean just take a look at what is involved if you are in a situation where cg-nat is implemented. You legitimately have no control over the root of your network at that point. I have that issue in particular with what is essentially a mobile hotspot as my failover for when my fiber fails. That being said I had to architect it in a way that took that took cg-nat into consideration. If I hadn’t then when fiber fails it would take down my services as a whole anyway.
My point is that those challenges have workarounds, you can solve those issues relatively easily and they even present a level of security. Where it is actively malicious is with restrictions to capacity such as upload limits in which they to a degree lie about their speeds and capacity. The terms of service stuff is just flat out awful too.
Some ISPs require changes ever 24 hours and will disconnect you if needed. Also, if you set DNS to cache such a short amount of time that you can react to that in 5 minutes, you will incur way more DNS traffic which can become a problem when your site is busier. Also, even if your DNS TTL is set to a super short value, a web search suggests to me in practice there will likely be downstream clients and networks that ignore it and won't really update in such a short time frame.
What ISP are you referring to? I have genuinely never heard of an isp that takes 24 hours to rotate your IP. Also utilizing dynamicdns is not going to incur more dns traffic? Dynamic DNS updates your dns provider from a system on your local network that your pub ip has changed then your provider will start sending traffic to the new ip. Propagation used to take a while but I haven’t experienced propagation wait times of over 10 minutes in years. This all being said dynamic DNS isn’t exactly the most elegant solution. It is just one of the simplest that I mentioned. There are significantly better options overall that completely take the requirement of a static pubip completely out of the equation and can be built using all free open source tools relatively easily.
It causes way more traffic for the DNS server to use a shorter TTL, so yes, it does incur more DNS traffic. In Germany some providers will disconnect you regularly if you stay connected for too long.
Most users have no use for a static adress space. Those are usually business or power-user needs.
This you are classified as that. A power-user.
The reason they have no use for a static address is because applications haven't evolved to work that way. Roll back the clock 30 years, do IPv6 seriously so that everyone has static assignments by the time the Y2k problem has come and gone, and you have a very different Internet.
In fact, many applications, like VoIP and game hosting, have to go through all sorts of hoops to work around NAT.
There's pretty much no use for a normal person, just for business and power users like the person above you.
For your couple examples, nobody at home actually runs VOIP except a couple nerds just like nobody has home phones except a couple of old people. And quick game servers don't need statics, and if you are hosting something long term that would push you into the power use space.
. . . nobody at home actually runs VOIP . . .
Plenty of people used Skype and Vonage. Both were subverted because they have to assume NAT is there.
. . . quick game servers don’t need static . . .
But they do work better without NAT. That's somewhat separate from static addresses.
My old roommate and I had tons of problems back in the day when we tried to host an Internet game of C&C: Generals behind the same NAT. I couldn't connect to him. He couldn't connect to me. We could connect to each other but nobody outside could. It's a real problem that's only been "solved" because a lot of games have moved to publisher-hosted servers. Which has its own issues with longevity.
As far as I'm aware Skype does not support actual VOIP calling anymore, at least according to Microsoft and the couple forums i just skimmed through. But it's been probably 10+ years since I've actually used it or interacted with anyone who used it haha
And I was talking about static IPs, which are different. And at least in the US (in single family homes) its crazy unlikely that your router is behind any NAT. Unless you're talking about CGNAT but anything short of a dedicated fiber run or dedicated wavelength (which are not options for residential people) you will be behind a CGNAT anyways. Even if you have a public IP.
And, anecdotally. In the last 5-8 years I don't think I've had any issues with NAT when hosting games, it's just firewall rules or my public IP changed. But ymmv on that one when playing 22 year old games haha
Skype won't be supporting anything at all very soon.
What happened with Vonage is something that could happen with any kind of instant messaging, including things like Discord.
With everything directly addressable (not just static addresses, but directly addressable), an IM/VoIP service can simply connect to the recipient. No servers are necessary in between, only routers. That doesn't work with NAT (CG or otherwise), so what you have to do is create a server that everyone connects into, and then that forwards messages to the endpoint. This is:
This is largely invisible to end users until free services get enshittified or something goes wrong.
Yes, it's only tangentially related to static addresses, but it's all part of the package. This is not the Internet we should have had.
And at least in the US (in single family homes) its crazy unlikely that your router is behind any NAT
Your router has NAT. That's the problem. CGNAT is another problem. My C&C: Generals issues did not have CGNAT.
All routers have NAT, that's sort of their entire role. Are you maybe talking about "double NATing" where you have your router behind the ISP modem/router?
No they fucking don't, that's not what routers do. You don't know what you're talking about.
And don't fucking tell me NAT is for security, either.
That literally is though? NAT stands for Network Address Translation. It'll take you public IP and translate those packets to use your internal one.
If your computer has an address that starts with 169, 168, or 10 there is a NAT somewhere in your network.
And it's a "security thing" in the same way that asking someone's name over the phone prevents impersonation haha
It'll take you public IP and translate those packets to use your internal one.
That is NAT, yes. But that is only one small function that a router can perform, and not all routers have NAT enabled. You only need NAT if your ISP only allows you to use a single IP address.
If your computer has an address that starts with 169, 168, or 10 there is a NAT somewhere in your network.
That's not actually true. I can create such a network without connecting it to the internet, no NAT. I can create a second network, again, no NAT. I can then use a gateway router that allows any node on the first network to reach any node on the second. That router is still not doing any NAT. It's just passing traffic between two networks.
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!