Assign Static Public IP to Computer

1

Is there a way to assign a public static IP to a computer that is behind a CGNAT?
I'm looking for something like the way Hamachi performs; however, Hamachi requires a proprietary client (with username and password) for accessing the private LAN.

This is what I thought initially: Flowchart example

How do I achieve that?
Is there a service that creates a network adapter and exposes the public IP?

Nick LeBlanc

Posted 2019-12-18T14:28:04.437

Reputation: 113

Answers

3

Is there a service that creates a network adapter and exposes the public IP?

Yes, that's called a VPN.

  • If you have a remote VPN server with two or more IP addresses, then you can unassign one of those addresses from the server's "Ethernet" interface; route it through the VPN; and assign it directly to a client machine. (And if it's IPv4, you'll probably need to have Proxy-ARP enabled on the server.)

    ip addr del <addr>/xx dev eth0                    # Unassign from local OS
    ip neigh add proxy <addr> dev eth0                # Trick local router
    ip route add <addr>/32 dev wg0                    # Route via WireGuard
    wg set wg0 peer <pubkey> allowed-ips <addr>/32    # Inform WireGuard
    

    You can use nearly any VPN protocol for this – such as WireGuard, Tinc, OpenVPN, ZeroTier, IPsec/GRE, IPIP, PPTP, PPP-over-SSH, etc.

    This works even if the addresses are for different IP versions. For example, if you're able to use IPv6 for the VPN connection, then you can remove the server's last remaining IPv4 address and use it for your home system instead.

    (For OpenVPN TUN, the equivalent of allowed-ips would be the "iroute" setting in the server's CCD directory; for Tinc TUN it's the "Subnet=" setting on the client side. For most TAP i.e. layer-2 VPNs this is specified directly as "ip route add <addr> via <client>". And for point-to-point tunnels such as GRE or PPP nothing extra is needed at all.)

  • If you have a remote VPN server with only one IP address – well, you can still simply DNAT (port-forward) all inbound connections so that they reach your VPN client's private IP address instead.

    It works the same as home LAN port-forwarding:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination <VpnClientIP>
    

    You can even use this method if the server itself is behind 1:1 NAT, such as various Very Big Cloud Providers. Again, you can use literally any available VPN protocol.

  • Some commercial VPN providers also offer a plan which reserves you a public IP address, but I believe usually they still perform 1:1 NAT instead of directly routing that address to the client system.

user1686

Posted 2019-12-18T14:28:04.437

Reputation: 283 655
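
An added example, not part of the answer above: the single-address DNAT case puts the VPN client directly on the internet for every forwarded port, so this sketch prints (without applying) the forward rules for an explicit TCP port list and drops other new traffic toward the tunnel. The interface names `eth0` and `wg0`, the client address `10.8.0.2`, and the function names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: print (do not apply) forwarding rules for an explicit port list.
# Assumed names: eth0 = public interface, wg0 = VPN interface,
# 10.8.0.2 = VPN client address (constructed sample values).

valid_ipv4() {
    # Digits and dots only, no leading/trailing/double dots.
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

render_rules() {
    [ $# -ge 3 ] || { echo "usage: render_rules WAN VPN CLIENT PORT..." >&2; return 1; }
    wan=$1; vpn=$2; client=$3; shift 3
    valid_ipv4 "$client" || { echo "bad client address: $client" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no ports given" >&2; return 1; }
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    # The server must forward packets between the two interfaces.
    echo "sysctl -w net.ipv4.ip_forward=1"
    for p in "$@"; do
        # Rewrite the destination, then allow only that forwarded flow.
        echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport $p -j DNAT --to-destination $client"
        echo "iptables -A FORWARD -i $wan -o $vpn -p tcp -d $client --dport $p -j ACCEPT"
    done
    # Let replies back out, and drop any other new traffic toward the tunnel.
    echo "iptables -A FORWARD -i $vpn -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $wan -o $vpn -j DROP"
}

render_rules eth0 wg0 10.8.0.2 80 443
```

Because `-A` appends, any rules already in the FORWARD chain are evaluated first; check `iptables -S FORWARD` before applying the printed commands.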