This guide should not be followed at the moment, due to an oversight on my part while writing it. I aim to update it shortly to correct this mistake.
1. Prerequisites
You will need:
- A VPS with at least two stable, publicly routable IPv4 addresses allocated to it (one stays with the VPS itself, the other is handed to your home machine)
- A local router or machine that you want to have the public IP
2. Server configuration
This guide assumes you are running Debian 12 on the VPS, and that you have already completed basic setup and secured the machine.
Install the WireGuard VPN tools:
sudo apt install wireguard-tools
Then generate the server's private and public key (do this with a restrictive umask, 077, so the private key file is readable only by your user):
wg genkey > server.key
wg pubkey < server.key > server.pub
Now generate the keys for the client. Ideally do this on the client machine itself so its private key never leaves it; if you generate it on the VPS as below, copy it over securely and delete the VPS copy afterwards:
wg genkey > client.key
wg pubkey < client.key > client.pub
Next, edit /etc/wireguard/wg0.conf on your VPS and fill it in as shown:
[Interface]
PrivateKey = *paste the contents of server.key here*
Address = 10.100.100.1/24
ListenPort = 51820
[Peer]
PublicKey = *paste the contents of client.pub here*
AllowedIPs = 1.2.3.4/32 # the public IP you are giving to the local machine, as a /32
Then start WireGuard on the VPS and have it come up at boot:
sudo systemctl enable --now wg-quick@wg0.service
If the VPS runs a firewall, allow inbound UDP on port 51820 so the client can reach it.
3. Local machine configuration
This is the configuration on your local router or computer. If you only want to give a single machine the public address, follow these instructions on that machine; to have the IP behave more like you'd expect for a whole network, do it on the router instead. Most routers can do this, as long as it is not a basic ISP-supplied one.
We’ll start by creating the configuration for the local machine:
[Interface]
PrivateKey = *paste contents of client.key here*
Address = 1.2.3.4/32 # the public IP the local machine is getting, as a /32
[Peer]
PublicKey = *paste the contents of server.pub here*
Endpoint = *IP address of the VPS*:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25 # keeps the CG-NAT mapping open so inbound connections still reach the client when it is otherwise idle
If the local machine is running Linux, install wireguard-tools on it as well, place that config in /etc/wireguard/wg0.conf, and run:
sudo systemctl enable --now wg-quick@wg0.service
to enable the WireGuard client.
If the local machine is a router, check the documentation for its operating system for how to create a WireGuard interface and route all traffic through it.
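As an added example (not part of the original guide), the shell script below renders both wg-quick configs from the steps above and bundles the checks worth running on the VPS afterwards: that the kernel forwards packets at all, that the second public address is not bound on a VPS interface (if it were, the kernel would deliver packets for it locally instead of forwarding them into wg0), and that the route to it points at wg0. The addresses 203.0.113.10 (the IP handed to the home machine) and 198.51.100.5 (the VPS) are placeholders from documentation ranges, the sample command outputs are constructed rather than captured from a real host, and the check functions take command output as an argument so they can be exercised without a VPS.

```shell
#!/bin/sh
# Added example for the VPS/WireGuard public-IP setup. Not from the original guide.
# Assumed placeholder values: 203.0.113.10 is the second public IP (given to the
# home machine), 198.51.100.5 is the VPS's own address. Override via environment.
set -eu

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # assumed: address the home machine receives
VPS_IP="${VPS_IP:-198.51.100.5}"         # assumed: VPS address, the tunnel endpoint
WG_PORT="${WG_PORT:-51820}"
TUNNEL_NET="10.100.100.1/24"             # VPS side of the tunnel, as in the guide

# Generate <name>.key / <name>.pub with mode 0600 (umask 077 in a subshell).
gen_keypair() {                          # usage: gen_keypair server
    ( umask 077; wg genkey | tee "$1.key" | wg pubkey > "$1.pub" )
}

# Render the VPS-side config. Args: server private key, client public key.
render_server_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $TUNNEL_NET
ListenPort = $WG_PORT

[Peer]
PublicKey = $2
AllowedIPs = $PUBLIC_IP/32
EOF
}

# Render the home-side config. Args: client private key, server public key.
# PersistentKeepalive keeps the CG-NAT mapping alive so inbound traffic works.
render_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $PUBLIC_IP/32

[Peer]
PublicKey = $2
Endpoint = $VPS_IP:$WG_PORT
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# --- post-setup checks; each takes the relevant command's output as $1 ---

# 0 if `sysctl -n net.ipv4.ip_forward` reported 1 (forwarding enabled).
check_forwarding() { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]; }

# 0 if the public IP is NOT bound on any VPS interface (`ip -o -4 addr` output).
# A locally-bound address is delivered to the VPS itself, never forwarded.
check_ip_not_local() { ! printf '%s\n' "$1" | grep -q "inet $PUBLIC_IP/"; }

# 0 if `ip route get <public ip>` resolves via wg0 (wg-quick adds that route
# from the peer's AllowedIPs once the interface is up).
check_route_via_wg0() { printf '%s\n' "$1" | grep -q "^$PUBLIC_IP .*dev wg0"; }

# Constructed sample outputs (not captured from a real host) to exercise the checks.
SAMPLE_ADDR_OK='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 198.51.100.5/24 brd 198.51.100.255 scope global eth0\       valid_lft forever preferred_lft forever
3: wg0    inet 10.100.100.1/24 scope global wg0\       valid_lft forever preferred_lft forever'
SAMPLE_ADDR_BAD="$SAMPLE_ADDR_OK"'
2: eth0    inet 203.0.113.10/32 scope global eth0\       valid_lft forever preferred_lft forever'
SAMPLE_ROUTE_OK='203.0.113.10 dev wg0 src 10.100.100.1 uid 0
    cache'
SAMPLE_ROUTE_BAD='local 203.0.113.10 dev lo src 203.0.113.10 uid 0
    cache <local>'

# Run the live checks on the VPS: sh wg-setup.sh check
if [ "${1:-}" = "check" ]; then
    check_forwarding "$(sysctl -n net.ipv4.ip_forward)" \
        || echo "net.ipv4.ip_forward is 0: set it to 1 in /etc/sysctl.d/ and reload"
    check_ip_not_local "$(ip -o -4 addr)" \
        || echo "$PUBLIC_IP is bound on a VPS interface: remove it so packets are forwarded into wg0"
    check_route_via_wg0 "$(ip route get "$PUBLIC_IP")" \
        || echo "no route to $PUBLIC_IP via wg0: is wg0 up with AllowedIPs = $PUBLIC_IP/32?"
fi
```

Run it as sh wg-setup.sh check on the VPS once wg0 is up; with no argument it only defines the functions. One assumption worth stating: this expects the provider to route the second address to the VPS's primary address. If it is instead delivered on-link (the provider's gateway ARPs for it on the VPS's Ethernet segment), the VPS additionally needs proxy ARP enabled on that interface, which the guide does not cover.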
4. Notes
This setup is imperfect. It does give you a public IPv4 address so you can self-host services at home from behind CG-NAT, but it creates another issue: all outgoing traffic from the machine running the WireGuard client (or, if configured on a router, from the whole network behind it) flows through the tunnel.
This is because otherwise inbound traffic would arrive through the tunnel, but the reply would leave over the regular interface with the ISP-assigned source address rather than 1.2.3.4, and the remote client that opened the connection would discard it. (Source-based policy routing on the local machine is the usual way around this; the guide does not cover it.)
The effect is that Internet access from that machine or network appears to originate at the VPS, with all of your traffic tunnelled to and exiting from it. Note also that the local machine now holds an unfiltered public address: every service listening on it is reachable from the whole Internet, so keep a host or router firewall in front of it, and keep the VPS's own firewall limited to UDP 51820 plus whatever you administer it over.