Tuesday, December 18, 2007

How to Get a Static IP at Home

Like any self-respecting geek out there I've wanted to get an IP address unconnected with a place of employment and without pesky upstream firewall restrictions.

The problem is that I was looking at around $50/mo for getting a box at some co-lo'd place... and then having to buy a 1U server. To put it simply that kind of outlay for this kind of activity had a very low WAF.

Then I happened upon a solution.

VPSLink offers OpenVZ hosting for as low as $6.62/mo if you purchase a year at a time. That certainly has a higher WAF. At the time I set this up they didn't have Xen hosting, although they do now.

The problem is that it's a really crippled box. OpenVZ has no swap, so when they say 64 meg of RAM, they mean you can only have 64 meg in RAM! This means that aptitude on Debian cannot run (it uses 69 meg of RAM by itself on my home box). With Xen it could swap this out, but that would be horribly slow.

However, there is a solution: ask for a TUN/TAP device (new accounts don't need to ask anymore). Then, after installing OpenVPN, poof! A tunnel was born.

On my home box (which is doing way too much, but that's another story), I am running a VMWare server with another Debian instance to actually be my Internet server. My home backend acts as a client to my VPSLink server, and as my home IP changes, the OpenVPN connection is automatically reestablished.

The basic concept is this:

  1. Request comes in to my OpenVZ instance at VPSLink
  2. iptables either rejects it or uses DNAT to route it to my VMWare instance handling the backend -- via the VPN
  3. The backend deals with it as it would (Apache, BOFH excuse server, etc.) and responds over the tunnel.
  4. The DNAT on my VPSLink box translates the traffic back to the world.

In fact, I now have two backends, with the other one running Asterisk. It's a simple matter of having the iptables DNAT point to the correct OpenVPN backend.
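To make steps 2 through 4 and the two-backend setup concrete, here is an added example script (not from the post, and not VPSLink's configuration) that generates the iptables rules for the VPS end. The addresses are constructed: VPS public address 203.0.113.10 on eth0, tunnel device tun0, a web backend at 10.8.0.2 and an Asterisk backend at 10.8.0.3 on the tunnel subnet; the MASQUERADE rule is my assumption about how replies are steered back into the tunnel, since the post does not say how it handled return routing.

```shell
#!/bin/sh
# Added example: emit the iptables rules that take one port arriving on the
# VPS public address and hand it to a backend over the OpenVPN tunnel.
# Constructed addresses: VPS 203.0.113.10 on eth0, tunnel tun0, backends
# 10.8.0.2 (Apache) and 10.8.0.3 (Asterisk) on the tunnel subnet.
# Rules are printed, not applied, so they can be reviewed first;
# pipe the output into "sh" on the VPS to apply them.

dnat_rules() {
    pub_ip=$1; backend_ip=$2; port=$3; proto=${4:-tcp}
    # Step 2 of the post: rewrite the destination to the tunnel backend.
    # Note the VPS sees this traffic in the clear; only the home ISP link
    # carries it encrypted.
    printf 'iptables -t nat -A PREROUTING -i eth0 -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$pub_ip" "$proto" "$port" "$backend_ip" "$port"
    # Admit only the forwarded flow into the tunnel; FORWARD policy stays DROP,
    # so any other port "either rejects" as the post puts it.
    printf 'iptables -A FORWARD -i eth0 -o tun0 -d %s -p %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$backend_ip" "$proto" "$port"
    # Steps 3 and 4: replies return through tun0 and conntrack undoes the DNAT
    # on the way out. The backend cannot originate new flows via the VPS.
    printf 'iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # Assumption: the backend's default route is its home ISP link, so
    # masquerade to the VPS tunnel address to make it answer over tun0.
    printf 'iptables -t nat -A POSTROUTING -o tun0 -d %s -p %s --dport %s -j MASQUERADE\n' \
        "$backend_ip" "$proto" "$port"
}

# The kernel must forward between eth0 and tun0 at all.
echo 'sysctl -w net.ipv4.ip_forward=1'
echo 'iptables -P FORWARD DROP'
dnat_rules 203.0.113.10 10.8.0.2 80        # Apache backend
dnat_rules 203.0.113.10 10.8.0.3 5060 udp  # Asterisk SIP signalling
# Asterisk media (its RTP port range) needs the same treatment.
```

Each dnat_rules call adds exactly one DNAT, two FORWARD and one MASQUERADE rule, so the VPS exposes nothing beyond the ports you list.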

Now, there are issues with this:

  1. You are effectively halving your bandwidth (as each packet needs to ALSO travel back to your house or wherever). The $6.62/mo plan gives you 100 GB/month. Granted, my usage is so pathetic that this isn't a problem; however, any serious usage is going to suck up 50 GB in a short time.
  2. You've got a long winding path now for your service. Each packet needs to wind its way around the Internet over to VPSLink and then back to wherever you're running the backend.

At least for the good folks at VPSLink this shouldn't be an issue -- I'm not exactly using a lot of CPU, disk or network.

So, if nothing else, this is one way to get a static IP out in the world. The cool part is that the network provider preventing you from having an unencumbered static IP at home (Charter, SBC, whomever) will only see OpenVPN traffic... they have no way of knowing what's crossing it. Furthermore, since the VPN connection is established outbound, you could have all incoming connections at home denied and this method would still work.

Your mileage will vary on this, so do your homework. This isn't something you should try unless you happen to know how IP networking, iptables, and OpenVPN play nicely together.

But it works for me :)


Andy said...

Thanks for this. I'm trying to get an IP at home. The ISPs and telcos are outrageously expensive but I don't think I want to tunnel. Why is this such a pain? And why can't I get a nice, fat block of IPv6 yet? :)

Jim said...

I was very inspired by this after finding out that my ISP, for which I pay well, blocks port 80. I currently have a small server running on port 8000 and for the moment they haven't noticed or don't care. For a few dollars a month I can set this up and get it going.