Using a VPN in reverse: I need a "public" IP address

Recently my ISP changed how they route their traffic, and instead of having a public IP I can ping from anywhere on the internet, my home router (pfsense) now sits on a “Shared address space” IP in the 100.66.0.0/24 range (think double NAT). My web server, my IPv6 tunnel (ping back from HE.net), OpenVPN (for me to get back on my home network) and the GitHub integration with my build server have all stopped working. Dynamic DNS tools and ip chicken find my IP address to be in 207.47.175.0/24. However, because of this extra NAT, no communications can be initiated from the outside…

I appreciate that IPv4 addresses have run out and that such routing is necessary for many ISPs and won’t impact most residential users, however, it does affect me. The cost to get a static IP address with my ISP provider is much more than setting up a small cloud server for VPN and routing the traffic back home.

Most VPNs are set up for “privacy” or for hiding your true IP address:
Home Computer -> pfsense -> isp -> internet -> OpenVPN on Ubuntu in linode -> Internet

My problem is the reverse… I want a public IP address so that I can ping back home…
Home Web Server <- pfsense <- isp <- internet <- OpenVPN on Ubuntu in linode <- Internet

Inspired by the videos on pfsense, OpenVPN and using Linode as a VPN “provider”, I am thinking of setting up a VPN server on a small cloud VM and configuring it so that any “desired” traffic coming from the internet on the VM would be routed to my pfsense router and forwarded to the appropriate server/service in my home lab (Web, VPN, webhook for GitHub, etc.).

So far, I have created a small server on linode, installed Ubuntu 18.x, configured an OpenVPN server (as per the video here), configured my pfsense router's OpenVPN client, and configured the rules on pfsense for forwarding port 80 to my webserver. I also created entries in the linode iptables to forward port 80 to the tunnel.

Pfsense successfully connects to the VPN. Unfortunately, whatever I try to get the traffic flow the other way fails. I don’t think I have everything set correctly for forwarding traffic from the public IP to pfsense.

What tools/methods should I use to test each leg and troubleshoot routing/forwarding?

If you know of a tutorial/page on how to set something like this, let me know. I tried to find something without much success.

1 Like

I have not tested it, but this could be an option for what you want to do.

1 Like

Reverse SSH tunnels. It looks like this would be very easy to set up. I need to figure it out for windows too. Some googling will help on that…

I assume that each port I need to tunnel would need its own SSH session. Is this right? This would take care of my web server (Ubuntu) and the GitHub web hook to my build server (windows). These would bypass pfsense since the connection would be from the server itself to the linode VM.

How should I take care of VPNing back home? Can pfsense do reverse tunnelling to a wan port?
Pfsense -> SSH(with reverse) -> linode VM

1 Like

You can use SSH tunneling to tunnel multiple ports over a single session.

1 Like

From my webserver on Ubuntu, I have tried:
ssh user@linode.ip -R 80:localhost:80

When I try to connect to linode.ip using chrome, it does nothing…

It was not until I edited the entry GatewayPorts in /etc/ssh/sshd_config on the ssh server side (on linode) that I was able to get external ports to be routed to the web server with the command above. There are good details here on how to do so.

For forwarding multiple ports on the same server, it’s as simple as:
ssh user@linode.ip -R 80:localhost:80 -R 10000:localhost:10000

For forwarding multiple ports from different servers, it's not much more complicated:
ssh user@linode.ip -R 80:localhost:80 -R 8585:builder:8080

This takes care of tunneling the Windows build machine's webhook for GitHub.

Any thoughts on enabling compression in the ssh tunnel? (-C option). Would this help reduce consumption of the linode transfer allocation? (1000Gb/month - I doubt I would come close… however, just in case…)

1 Like
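As an added example (not code from any post in this thread), a small POSIX sh script that encodes the GatewayPorts rule the post above ran into: it reads the effective GatewayPorts value from an sshd_config file and builds one ssh session carrying several -R forwards, choosing the bind address that mode requires. The hostnames (linode.ip, builder) are the thread's placeholders, and the root login is an assumption (sshd only lets root remote-forward a privileged port such as 80); on the VPS the file to read is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from any post in this thread. An "ssh -R" listener on
# the VPS binds to loopback unless sshd_config has "GatewayPorts yes" (bind
# all interfaces) or "GatewayPorts clientspecified" (client may pass an
# explicit bind address). Hostnames and the root login are assumptions.

# Print the effective GatewayPorts value from an sshd_config file.
# sshd honours the first occurrence of a keyword; the default is "no".
gateway_ports_mode() {
    mode=$(sed -n 's/^[[:space:]]*GatewayPorts[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${mode:-no}" | tr 'A-Z' 'a-z'
}

# tunnel_cmd USER@HOST MODE PUBPORT:TARGET:PORT ...
# Builds the ssh command for one session carrying several -R forwards.
# -N: no remote shell. ExitOnForwardFailure: exit instead of silently running
# with a listener that failed to bind (e.g. a privileged port without root).
tunnel_cmd() {
    dest=$1; mode=$2; shift 2
    case "$mode" in
        yes)             bind="" ;;
        clientspecified) bind="0.0.0.0:" ;;
        *) printf 'GatewayPorts is "%s": -R listeners stay on loopback, fix sshd_config first\n' "$mode" >&2
           return 1 ;;
    esac
    cmd="ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    for spec in "$@"; do
        cmd="$cmd -R ${bind}${spec}"
    done
    printf '%s %s\n' "$cmd" "$dest"
}

# Demo on a constructed config (on the VPS you would read /etc/ssh/sshd_config).
demo_cfg=$(mktemp)
printf 'Port 22\nGatewayPorts clientspecified\n' > "$demo_cfg"
tunnel_cmd root@linode.ip "$(gateway_ports_mode "$demo_cfg")" 80:localhost:80 8585:builder:8080
rm -f "$demo_cfg"
```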

Have you tried calling your ISP and asking them to revert this change for your connection? My parents’ ISP has the same sort of double NAT setup by default, but they switched their connection to “single NAT” after giving them a call and asking them to remove the double NAT.

1 Like

OMG! I have spent the last couple days trying to figure out pretty much the same thing, you guys rock!

My situation is slightly different, but essentially the same. I kept trying to go at it as setting up my own DDNS from Linode -> pfSense. I’ll have to post how I was planning to do that some time, but your solution looks more robust and will serve better maybe for my situation. That way I don’t have to worry about this happening to me too.