Aloha,
Long-term lurker. I probably rather need help with knowing the right words to chant into Google than actual step-by-step help.
The problem in short: my self-hosted Nextcloud is only available most of the time locally…and rarely externally.
The Problem in long:
Back in 2020 I built a somewhat low-energy NAS based on an AsRock J5005-ITX. It contains a single SSD with the OS on it (Debian, running Open Media Vault) and 2x 10TB hard disks in RAID 1.
I live in Germany, this might be of some import.
In my two previous flats my Internet was provided by Vodafone, where I had a legacy IPv4 address that was mostly static (it changed every time the cable reconnected, which happened only every 100 days or so). I combined that with an .xyz domain to make it reachable from the outside. For that I had simple port forwarding rules in my FritzBox and some custom DNS entries in my PiHole to locally redirect nc.[domain].xyz to a virtual machine inside the bare-metal Debian box. That worked pretty well.
Now I moved to southern Germany and my new provider is O2, again via cable; for some reason I couldn't book Vodafone despite them actually owning the wires. Anyway, O2 only offers pooled IPv4 (DS-Lite tunnel?), which in practice means that I can see IPv4 stuff but I don't have a real outside IPv4 address. But I got a whole /64 IPv6 block all for myself. So I configured my domain to the IPv6 address of the virtual web server that contains the Nextcloud and that kinda worked (there were also some router settings).
But it actually doesn't. Most public wifis or other residential networks don't seem to give me external access to my Nextcloud; ironically, my mobile network via phone does. This is Problem 1.
Problem 2 is a bit more fuzzy. I believe it is because I haven't configured the DNS/Pi-hole for IPv6 correctly, or rather, not at all. The observation is that on my laptop, the connection to the Nextcloud randomly drops and then gets reestablished. On my phone, while in my home network, the NC is rarely available or only for a few seconds, which screws my automatic backup of photos. This is annoying. I think it is because there are two conflicting routes to the NC, one via the internal IPv4 and the other over the publicly available IPv6. But I don't know enough about networking to really unfuck that.
2020 me was rather knowledgeable when I set all those things up, 2024 me is somewhat busy and I already am busy enough just keeping PHP on the virtual web host current so I can update Nextcloud. I tried googling around, but I don’t quite get what my actual problem is which makes possible solutions a bit muddy. I can imagine that this problem is somewhat common, as there are a lot of folks with self hosted stuff around right? Right?
Problem 1 seems to be best solved by renting the cheapest VPS I can find and then…building a permanent SSH tunnel to it? Using the WireGuard VPN of my router? Some other kind of tunnel to expose a public IPv4? IIRC, VPSes are billed by throughput; I am not sure if I might run into problems here, but the only people that use it are my gf and me, and when not at home, mostly for the CalDAV stuff.
Problem 2 looks like a configuration problem to me, but I might be deadly wrong and it might be complicated.
In short, I need confirmation for 1 and maybe some practical hints on how to best slap something together; for 2, actual experience would be nice.
Way too many words, thanks for your patience.
Some subjects you might wanna look into.
- NAT hairpin, also called NAT loopback: If you're sending packets to your ISP's public IP from inside your LAN and it fails, your ISP modem (or whichever device does the NAT) probably doesn't support NAT hairpin.
- Split-horizon DNS: That's when you configure your own DNS for your hosted services, but with a different config on your LAN (which would point towards your services' LAN IP) and another config with your public DNS provider (which would point to your public IP).
- Carrier NAT: This could break your chances of having a reachable service as they likely won't make a port forwarding rule for you in their stuff.
- IPv6 address types: Link-local addresses are within fe80::/10 (kinda similar to how 169.254.0.0/24 is used in IPv4). This IP wouldn't be reachable from the outside. Global unicast addresses are all in 2000::/3; this would be reachable from the outside.
- IPv6 DNS: Make sure to configure both A (IPv4) and AAAA (IPv6) records with the right info. Although if your LAN devices only have IPv4 addresses and you're doing split-horizon, you could theoretically omit the AAAA on your LAN.
- Phone DNS shenanigans: Some recent phones ignore the DNS they receive through DHCP and instead use something like Google's, which breaks split-horizon and can confuse troubleshooting. This wasn't in the SSID settings, but in a global "private DNS" setting.
As for your problems, it depends.
There might be a way to make this work without the VPS, but I don’t have all the info.
That said, a VPS or something like a Cloudflare tunnel could come in handy. I usually prefer to host directly but still, that's an option if port forwarding doesn't work with your ISP.
You'd configure the DNS for your services to the VPS IP and configure the VPS to reach your stuff.
Using the VPS kinda also gets rid of NAT hairpin problems, although it is inefficient to go through the VPS from the LAN, with the downside of not working when your Internet is down.
You can still use the VPS and split-horizon DNS if you wanna have local availability from your LAN when your Internet is down.
Good luck
Thanks, at least for the first point: those "Fritz Box" routers are somewhat usual in Germany, I got my own to have more control over my network…and it does indeed support NAT loopback, I think that is what I had to configure in my previous IPv4 setup for everything to work. For the rest…I will have to do some research. Although, my IPv6 address starts with 2a02 and is indeed reachable from the outside, so apparently that is a thing.
> But it actually doesn't. Most public wifis or other residential networks don't seem to give me external access to my Nextcloud; ironically, my mobile network via phone does.
A lot of those networks are run by boomers who don’t care about IPv6 or don’t want to set it up because (insert excuse from IPv6 Bingo) or non-tech people whose router doesn’t turn it on automatically. So yeah, that is unfortunately something you have to expect and work around.
> Problem 1 seems to be best solved by renting the cheapest VPS I can find and then…building a permanent SSH tunnel to it? Using the WireGuard VPN of my router? Some other kind of tunnel to expose a public IPv4? IIRC, VPSes are billed by throughput; I am not sure if I might run into problems here, but the only people that use it are my gf and me, and when not at home, mostly for the CalDAV stuff.
You don’t even need a tunnel. Just a proxy on a VPS that runs on IPv4 and connects to the IPv6 upstream. Set the AAAA record to the real host and the A record to the VPS. Assuming you actually get a static prefix which you should, but some IPv4-brained ISPs don’t and you get a rotating prefix, in which case it’s probably more annoying.
I do this too, mine runs on a free Oracle Cloud ARM VPS.
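An nginx config for the VPS that does exactly what this reply describes (added example, not code from anyone in this thread): accept IPv4 on the VPS and relay the raw TCP stream over IPv6 to the home host, so TLS is still terminated by the Nextcloud host and the VPS never holds the certificate or sees plaintext. The address 2001:db8::1 is a documentation placeholder for the home server's global IPv6 address, and the config assumes nginx was built with the stream module (on Debian, the libnginx-mod-stream package).

```nginx
# /etc/nginx/nginx.conf on the VPS (added example, not from the thread).
# DNS: A record -> VPS IPv4, AAAA record -> home IPv6. IPv6 clients go
# straight to the home host; only IPv4 clients pass through this relay.
# 2001:db8::1 is a placeholder: put the home server's global address here.
# Note: the stream block is a top-level context, it cannot live in conf.d
# files that are included inside http {}.
events {}

stream {
    # HTTPS: bytes are relayed untouched, so the certificate and the
    # plaintext stay on the home host.
    server {
        listen 0.0.0.0:443;              # IPv4 only on purpose
        proxy_pass [2001:db8::1]:443;
        proxy_connect_timeout 5s;
        proxy_timeout 10m;               # idle cut-off for long sync sessions
        # proxy_protocol on;
        # Enable the line above only if the home web server is set up to
        # accept PROXY protocol. Without it, Nextcloud sees every IPv4 user
        # as the VPS's address, so its brute-force protection and log
        # attribution treat all of them as one client.
    }

    # Plain HTTP: only needed if the home host renews its Let's Encrypt
    # certificate via HTTP-01 (the validation request may arrive over IPv4)
    # and for the usual redirect to HTTPS.
    server {
        listen 0.0.0.0:80;
        proxy_pass [2001:db8::1]:80;
        proxy_connect_timeout 5s;
    }
}
```

On the home side the FritzBox still has to permit inbound TCP 80/443 to the VM's IPv6 address, and the VPS's own firewall only needs those two ports open; if the ISP hands out a rotating prefix, the proxy_pass target has to be updated (or resolved from the AAAA record) every time it changes.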
Shouldn't it rather be the home instance of WireGuard initiating the SSH tunnel to the VPS? This way it shouldn't matter about the rotating subnet.
You don’t need a tunnel since your server is already accessible by the VPS over IPv6 (and you have to deal with changing prefix for the direct connection from other hosts already).
I do that too, my home doesn't have IPv6 at all here in the UK, so my dedi proxies IPv6 to my home.
What I really wonder now…do I really need to actually rent a VPS, or is there somewhere on the internet someone who offers IPv4 to IPv6 forwarding as a service? I looked at the Oracle ARM VPS but this seems to be a bit convoluted…and it's Oracle Oo
Also thanks for this advice, this seems easier than I thought.
I don’t think I’ve ever seen a public WiFi network with IPv6 enabled. I usually just use the hotspot on my phone to access my server since my cell carrier provides IPv6. I do have a VPN as a backup though.
> the NC is rarely available or only for a few seconds, which screws my automatic backup of photos. This is annoying. I think it is because there are two conflicting routes to the NC, one via the internal IPv4 and the other over the publicly available IPv6.
Sounds unlikely tbh. A TCP connection is established for a specific target address which stays the same for the duration of that connection, and there is pretty much no interaction between IPv4 and IPv6 in the first place. Have you run Wireshark? Is it the same problem from other clients in the network? Have you tried explicitly connecting to the IPv6 address and the IPv4 address to see if it's a specific one that's not working?
Thanks for the pointer, I will try that…as soon as I have repaired the network stuff that I somehow broke 15 minutes after I wrote the last text by trying to upgrade the host Debian system the webserver VM lives in.
But yes, it's a problem with other devices, but actually not with the Windows gaming PC that is connected via cable; only Wifi devices seem to have that problem. I actually checked if the swap to the guest Wifi (because for some reason it has better connection?) helps and it doesn't, so it's at least not that.
There are IPv4 to IPv6 translation layers potentially. They shouldn't cause issues, but it is untrue that IPv4 and IPv6 don't interact.
Yeah, hence why I said “pretty much”.
DS-Lite means full IPv6 access, but IPv4 is NATted by the carrier. If you try to access it from a network that only supports IPv4, the carrier's NAT will probably block it. If your internal DNS points to the external IPv4, that might cause the problem.