We get a white IP by forwarding ports from the VPS to your home server

In order for your site or service to be publicly (globally visible) on the Internet, it needs a white (public) IP address. For example, you have an ftp or web server with a website at home, and you want it to be visible to any Internet user. Or you want to play games and want to give a friend access to your game server. But what if your ISP has given you a gray (non-public IP) and there is no way to get a white IP address?

Note: "gray" IP addresses are easily distinguished by belonging to the following ranges:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
If you have an IP of one of these types, then your computer is not accessible from outside your provider's local network. What should I do to see him from the outside? The answer is simple: get a white IP from your ISP. It's certainly worth the extra money. And often, many providers do not give out such addresses to ordinary users. Most cellular network operators can be examples, and many conventional wired providers too.

But for website hosters, issuing white IP addresses is commonplace. There are regular hosters who host a large number of sites on their web servers (shared hosting or virtual hosting). On such hosting sites, many sites are hosted on the same IP.

Usually, in order to get a separate IP for your server, you had to rent a dedicated server. But lately, everything has become easier. You can rent a virtual machine, or VPS/VDS (virtual private server / virtual dedicated server), rather than a separate physical server. A VPS with a minimal configuration usually costs around $2-$10 per month, and is available to the average user.

So, getting yourself a personal VPS with a dedicated white IP is quite simple and cheap. Therefore, an idea arises, but how would the IP from the VPS be used to open access to a home server with a gray IP?

It turns out that this can be done. It is enough to install a VPN server on the VPS and for the home server to connect to the VPN server on the VPS, and then simply configure port forwarding from the VPS to the home server. Then the home server sort of "hides" behind the VPS. By connecting to a port, say 80 (www), the user is redirected to the appropriate port on the home server. both servers are directly accessible to each other by logging into a shared VPN network. A VPN is needed to provide direct communication between the server and the VPS (otherwise, the home server will have a separate address from the VPS, and there will be no direct connection from the VPS to the server).

The most popular and cheapest option for VPS OS is Linux. Therefore, we will assume that we have a Linux VPS. We will use iptables for port forwarding, and we will use openvpn as a VPN.

A good budget VPS-ok hosting is hostsailor . It also accepts a large number of payment systems, including cryptocurrencies. This is very important nowadays, when users from Russia have been disconnected from foreign payment platforms. But they are unlikely to be able to disconnect from cryptocurrencies.

Download the openvpn-install script. It will automatically install OpenVPN, create configs and certificates.

# cd /root
# wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

Welcome to this OpenVPN road warrior installer!

Which IPv4 address should be used?
     1) 173.249.34.22
     2) 10.8.100.1
     3) 10.8.0.2
IPv4 address [1]: 

Which protocol should OpenVPN use?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 2

What port should OpenVPN listen to?
Port [1194]: 443

Select a DNS server for the clients:
   1) Current system resolvers
   2) Google
   3) 1.1.1.1
   4) OpenDNS
   5) Quad9
   6) AdGuard
DNS server [1]: 2

Enter a name for the first client:
Name [client]: 

Select the server's external IP, protocol (TCP), port (443) and YOU are Google. Port 443 is usually used for https, so it makes sense to use the same port to mask any other encrypted traffic (for example, VPN). Usually, this port is not closed on the firewall by the system administrator, because this would break the viewing of web pages.

Certificates of ca (authorization center), cert (server certificate itself) and key (server certificate key) will be generated. And the client client with the client.ovpn config will be added. The main thing is what the script does openvpn-install.sh this generates all the certificates as needed. We don't need to do it manually. And we will replace the server config with our own:

port 443
proto tcp
dev tun
tls-server
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
push redirect-gateway
push "route 10.8.0.0 255.255.255.0"
duplicate-cn
#comp-lzo
mssfix 0
auth-nocache
auth SHA512
cipher AES-256-CBC

client-config-dir /etc/openvpn/ccd
topology subnet
client-to-client

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
verb 3

The topology subnet line defines the "network" topology, i.e. there will be a 10.8.0.0/24 network, all IP addresses in which ping each other. There are two other topologies that will not suit us, for example, point-to-point, which consists of a client and a server that ping each other, the rest of the clients do not ping.

The client-config-dir string specifies a directory with configs for each individual client (each config has a name that matches the name of the certificate file).

And the client-to-client string indicates that clients can communicate with each other. Without this option, clients do not ping each other, and only the VPN server can ping.

Now let's create a file /etc/openvpn/ccd/client (named after the default client that created the script) containing just one line:

ifconfig-push 10.8.0.2 255.255.255.0

This line assigns a permanent IP address to the client: 10.8.0.2. The server will always have IP 10.8.0.1 (the address and subnet mask are set by the string "server 10.8.0.0 255.255.255.0" in the server config).

Now you can copy the client.ovpn client config to the home server (which we will have as a VPN client) and make sure that there is a connection by pinging the server and the client from each other.

If the home server is also running Linux, then you can copy client.ovpn to /etc/openvpn/client.conf, register the launch in systemd and run:

# systemctl enable openvpn@client

# systemctl start openvpn@client

The client has to get up. Ping the server:

# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=63 time=65.1 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=63 time=63.5 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=63 time=57.6 ms
64 bytes from 10.8.0.1: icmp_seq=4 ttl=63 time=55.8 ms

Everything is OK, there is a connection. Now you need to configure the mapping port itself. Portmapping is configured similarly to the article "Hiding one server after another using portmapping", you only need to replace IP 1.1.1.1:8080 with 10.8.0.2:8080, and 2.2.2.2:80 with a white IP VPS with a VPN server and port 80. (Replace ports 8080 and 80 with ports in your specific case).

That's it, we can try to connect to <VPS IP>:80, it should work.