[{"data":1,"prerenderedAt":8838},["ShallowReactive",2],{"docs-slug-navigation":3,"guide-static-public-ip-address-how-to-get-a-public-ip-address":658,"guides-navigation":1214},[4,69,366],{"id":5,"title":6,"body":7,"createdAt":59,"description":60,"extension":61,"faq":59,"meta":62,"navigation":64,"path":65,"seo":66,"stem":67,"updatedAt":59,"__hash__":68},"docs\u002Fdocs\u002F1.getting-started.md","GetPublicIP - Getting Started",{"type":8,"value":9,"toc":53},"minimark",[10,15,19,24,27,30,34,37,47,50],[11,12,14],"h1",{"id":13},"getting-started","Getting Started",[16,17,18],"p",{},"Get Public IP makes it easy to get a public IP address any where you need it. This makes it easy to host your own chat servers, self hosted email server or host and serve any service out to the internet.",[20,21,23],"h2",{"id":22},"typical-use-cases","Typical Use Cases:",[16,25,26],{},"Getting public connectivity into a home or office server environment can be difficult. Your ISP will need to provision a static IP address and your router will need to be configured. IP addresses from ISP are also flagged and will have a lower reputation automatically with the rest of the internet. If you need to move house or change ISP then you will also need to change your IP address and all its related configuration.",[16,28,29],{},"Get Public IP provides you an IP address you can take anywhere. Your home or office internet can fail over to 4G or 5G without interrupting public connectivity to your server. We provide a firewall facility and a UI to manage which ports you want to be forwarded through.",[20,31,33],{"id":32},"how-it-works","How it works:",[16,35,36],{},"We use a Wireguard VPN tunnel to connect your server to our infrastructure. Once the connection is up you will then see public packets comes through the Wireguard interface. The packets will have the public source IP of the remote connection. We do not terminate SSL \u002F TLS connections. This means 2 things:",[38,39,40,44],"ol",{},[41,42,43],"li",{},"You will need to configure SSL \u002F TLS yourself and use your own certificates.",[41,45,46],{},"The connection between the remote client and your server is fully encrypted, we will not be able to see the traffic.",[16,48,49],{},"Ports can be opened and mapped via our interface for your IP address.",[16,51,52],{},"The use of a VPN tunnel enables your public IP traffic to be delivered anywhere, as long as you can connect to our servers your server will have public connectivity. This means that you can change the location, ISP or connection type of your home or office server without interruption.",{"title":54,"searchDepth":55,"depth":55,"links":56},"",2,[57,58],{"id":22,"depth":55,"text":23},{"id":32,"depth":55,"text":33},null,"Learn more about getting a public IP address and get started with using our service. We support both Linux and Windows","md",{"icon":63},"mdi-file-document-outline",{"title":14,"icon":63},"\u002Fdocs\u002Fgetting-started",{"title":6,"description":60},"docs\u002F1.getting-started","wdriAz9O12l2i8HUQtlrrTNeixpL6mb7rHxYzb6XBmA",{"id":70,"title":71,"body":72,"createdAt":59,"description":358,"extension":61,"faq":59,"meta":359,"navigation":360,"path":362,"seo":363,"stem":364,"updatedAt":59,"__hash__":365},"docs\u002Fdocs\u002F2.linux.md","GetPublicIP - Setting up on Linux",{"type":8,"value":73,"toc":354},[74,78,96,99,238,244,247,346,350],[11,75,77],{"id":76},"linux","Linux",[38,79,80,89],{},[41,81,82],{},[83,84,88],"a",{"className":85,"href":87},[86],"link","#debian-12--13","Debian 12 \u002F 13",[41,90,91],{},[83,92,95],{"className":93,"href":94},[86],"#redhat-enterprise-linux-10","Redhat Enterprise Linux 10",[20,97,88],{"id":98},"debian-12-13",[38,100,101,136,152,171,188,204,230],{},[41,102,103,104,108,109],{},"First install ",[105,106,107],"code",{},"wireguard"," on your server, as root run the following commands:",[110,111,115],"pre",{"className":112,"code":113,"language":114,"meta":54,"style":54},"language-bash shiki shiki-themes monokai","apt install wireguard resolvconf\n","bash",[105,116,117],{"__ignoreMap":54},[118,119,122,126,130,133],"span",{"class":120,"line":121},"line",1,[118,123,125],{"class":124},"sHkqI","apt",[118,127,129],{"class":128},"s_Ekj"," install",[118,131,132],{"class":128}," wireguard",[118,134,135],{"class":128}," resolvconf\n",[41,137,138,139,142,143],{},"Download the Linux configuration from your IP address. Copy the ",[105,140,141],{},"pi0.conf"," to:",[110,144,146],{"className":112,"code":145,"language":114,"meta":54,"style":54},"\u002Fetc\u002Fwireguard\u002F\n",[105,147,148],{"__ignoreMap":54},[118,149,150],{"class":120,"line":121},[118,151,145],{"class":124},[41,153,154,155],{},"Start the service:",[110,156,158],{"className":112,"code":157,"language":114,"meta":54,"style":54},"systemctl start wg-quick@pi0\n",[105,159,160],{"__ignoreMap":54},[118,161,162,165,168],{"class":120,"line":121},[118,163,164],{"class":124},"systemctl",[118,166,167],{"class":128}," start",[118,169,170],{"class":128}," wg-quick@pi0\n",[41,172,173,174],{},"If you want to start the service on boot then:",[110,175,177],{"className":112,"code":176,"language":114,"meta":54,"style":54},"systemctl enable wg-quick@pi0\n",[105,178,179],{"__ignoreMap":54},[118,180,181,183,186],{"class":120,"line":121},[118,182,164],{"class":124},[118,184,185],{"class":128}," enable",[118,187,170],{"class":128},[41,189,190,191],{},"Check the Wireguard interface is up:",[110,192,194],{"className":112,"code":193,"language":114,"meta":54,"style":54},"wg show\n",[105,195,196],{"__ignoreMap":54},[118,197,198,201],{"class":120,"line":121},[118,199,200],{"class":124},"wg",[118,202,203],{"class":128}," show\n",[41,205,206,207,210,211],{},"You are now online. You can now open ports on your firewall. Use the following command to open port ",[105,208,209],{},"80",":",[110,212,214],{"className":112,"code":213,"language":114,"meta":54,"style":54},"sudo ufw allow 80\u002Ftcp\n",[105,215,216],{"__ignoreMap":54},[118,217,218,221,224,227],{"class":120,"line":121},[118,219,220],{"class":124},"sudo",[118,222,223],{"class":128}," ufw",[118,225,226],{"class":128}," allow",[118,228,229],{"class":128}," 80\u002Ftcp\n",[41,231,232,233,237],{},"(Recommended) ",[83,234,236],{"href":235},"\u002Fguides\u002Fself-hosting\u002Fwireguard-simple-watchdog-script","Install the WireGuard watchdog script"," to improve connection reliability",[16,239,240,241,243],{},"The watchdog script monitors your WireGuard connection and automatically restarts it if network conditions change (such as when your ISP changes your IP address). This prevents connection hangs and improves uptime reliability. ",[83,242,236],{"href":235}," to ensure the connection restarts when network conditions change.",[20,245,95],{"id":246},"redhat-enterprise-linux-10",[38,248,249,269,281,295,309,321,342],{},[41,250,103,251,108,254],{},[105,252,253],{},"wireguard-tools",[110,255,257],{"className":112,"code":256,"language":114,"meta":54,"style":54},"yum install wireguard-tools\n",[105,258,259],{"__ignoreMap":54},[118,260,261,264,266],{"class":120,"line":121},[118,262,263],{"class":124},"yum",[118,265,129],{"class":128},[118,267,268],{"class":128}," wireguard-tools\n",[41,270,138,271,142,273],{},[105,272,141],{},[110,274,275],{"className":112,"code":145,"language":114,"meta":54,"style":54},[105,276,277],{"__ignoreMap":54},[118,278,279],{"class":120,"line":121},[118,280,145],{"class":124},[41,282,154,283],{},[110,284,285],{"className":112,"code":157,"language":114,"meta":54,"style":54},[105,286,287],{"__ignoreMap":54},[118,288,289,291,293],{"class":120,"line":121},[118,290,164],{"class":124},[118,292,167],{"class":128},[118,294,170],{"class":128},[41,296,173,297],{},[110,298,299],{"className":112,"code":176,"language":114,"meta":54,"style":54},[105,300,301],{"__ignoreMap":54},[118,302,303,305,307],{"class":120,"line":121},[118,304,164],{"class":124},[118,306,185],{"class":128},[118,308,170],{"class":128},[41,310,190,311],{},[110,312,313],{"className":112,"code":193,"language":114,"meta":54,"style":54},[105,314,315],{"__ignoreMap":54},[118,316,317,319],{"class":120,"line":121},[118,318,200],{"class":124},[118,320,203],{"class":128},[41,322,206,323,210,325],{},[105,324,209],{},[110,326,328],{"className":112,"code":327,"language":114,"meta":54,"style":54},"firewall-cmd --zone=public --add-port=80\u002Ftcp\n",[105,329,330],{"__ignoreMap":54},[118,331,332,335,339],{"class":120,"line":121},[118,333,334],{"class":124},"firewall-cmd",[118,336,338],{"class":337},"s7s5_"," --zone=public",[118,340,341],{"class":337}," --add-port=80\u002Ftcp\n",[41,343,232,344,237],{},[83,345,236],{"href":235},[16,347,240,348,243],{},[83,349,236],{"href":235},[351,352,353],"style",{},"html pre.shiki code .sHkqI, html code.shiki .sHkqI{--shiki-default:#A6E22E}html pre.shiki code .s_Ekj, html code.shiki .s_Ekj{--shiki-default:#E6DB74}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .s7s5_, html code.shiki .s7s5_{--shiki-default:#AE81FF}",{"title":54,"searchDepth":55,"depth":55,"links":355},[356,357],{"id":98,"depth":55,"text":88},{"id":246,"depth":55,"text":95},"Follow our guides to setup your public IP address on Linux systems such as Debian, Ubuntu, Fedora.",{},{"title":77,"icon":361},"mdi-linux","\u002Fdocs\u002Flinux",{"title":71,"description":358},"docs\u002F2.linux","755guF4CavE3NnLwROfR-aVrvwqlxcq_zrCKXLlk91Q",{"id":367,"title":368,"body":369,"createdAt":59,"description":650,"extension":61,"faq":59,"meta":651,"navigation":652,"path":654,"seo":655,"stem":656,"updatedAt":59,"__hash__":657},"docs\u002Fdocs\u002F3.windows.md","GetPublicIP - Setting up on Windows",{"type":8,"value":370,"toc":645},[371,375,398,401,418,426,431,438,444,450,453,467,474,479,485,495,500,506,511,514,527,533,542,547,555,560,569,574,587,592,598,603,609,614,620,625,634,639],[11,372,374],{"id":373},"windows","Windows",[38,376,377,384,391],{},[41,378,379],{},[83,380,383],{"href":381,"className":382},"#download-and-install-wireguard",[86],"Download and install Wireguard",[41,385,386],{},[83,387,390],{"href":388,"className":389},"#configure-wireguard",[86],"Configure Wireguard",[41,392,393],{},[83,394,397],{"href":395,"className":396},"#configure-windows-firewall",[86],"Configure Windows Firewall",[20,399,383],{"id":400},"download-and-install-wireguard",[38,402,403],{},[41,404,405,406,412,413,417],{},"Download the Windows installer from the ",[83,407,411],{"className":408,"href":409,"target":410},[86],"https:\u002F\u002Fwww.wireguard.com\u002Finstall\u002F","_blank","Wireguard website"," (",[83,414,409],{"href":409,"rel":415},[416],"nofollow",")",[16,419,420],{},[421,422],"img",{"alt":423,"preload":54,"quality":209,"src":424,"width":425},"Download Wireguard Installer","\u002Fimages\u002Fwindows\u002Fstep1.png",850,[38,427,428],{"start":55},[41,429,430],{},"Run the installer",[16,432,433],{},[421,434],{"alt":435,"preload":54,"quality":209,"src":436,"width":437},"Run the Installer","\u002Fimages\u002Fwindows\u002Fstep2.png",500,[38,439,441],{"start":440},3,[41,442,443],{},"Click Yes to proceed",[16,445,446],{},[421,447],{"alt":448,"preload":54,"quality":209,"src":449,"width":437},"Allow the Installer","\u002Fimages\u002Fwindows\u002Fstep3.png",[20,451,390],{"id":452},"configure-wireguard",[38,454,455,461],{},[41,456,457,458,460],{},"Download the configuration file (",[105,459,141],{},") from your IP address",[41,462,463,464],{},"Open Wireguard and click ",[105,465,466],{},"Add Tunnel",[16,468,469],{},[421,470],{"alt":471,"preload":54,"quality":209,"src":472,"width":473},"Open Wireguard","\u002Fimages\u002Fwindows\u002Fstep4.png",600,[38,475,476],{"start":440},[41,477,478],{},"Select the configuration file you downloaded",[16,480,481],{},[421,482],{"alt":471,"preload":54,"quality":209,"src":483,"width":484},"\u002Fimages\u002Fwindows\u002Fstep5.png",700,[38,486,488],{"start":487},4,[41,489,490,491,494],{},"You will now have a new tunnel in Wireguard. Click ",[105,492,493],{},"Activate"," to start the VPN connection",[16,496,497],{},[421,498],{"alt":471,"preload":54,"quality":209,"src":499,"width":484},"\u002Fimages\u002Fwindows\u002Fstep6.png",[38,501,503],{"start":502},5,[41,504,505],{},"You are now online. Remember to enable applications through the Windows firewall",[16,507,508],{},[421,509],{"alt":471,"preload":54,"quality":209,"src":510,"width":484},"\u002Fimages\u002Fwindows\u002Fstep7.png",[20,512,397],{"id":513},"configure-windows-firewall",[38,515,516],{},[41,517,518,519,522,523,526],{},"In this example, I will open port 80 for HTTP. Open ",[105,520,521],{},"Windows Defender Firewall"," by searching for ",[105,524,525],{},"firewall"," in the start menu",[16,528,529],{},[421,530],{"alt":531,"preload":54,"quality":209,"src":532,"width":473},"Open Windows Defender Firewall","\u002Fimages\u002Fwindows\u002Ffirewall-1.png",[38,534,535],{"start":55},[41,536,537,538,541],{},"Click ",[105,539,540],{},"Advanced Settings"," in the left hand menu",[16,543,544],{},[421,545],{"alt":471,"preload":54,"quality":209,"src":546,"width":473},"\u002Fimages\u002Fwindows\u002Ffirewall-2.png",[38,548,549],{"start":440},[41,550,537,551,554],{},[105,552,553],{},"Inbound Rules"," on the left hand menu",[16,556,557],{},[421,558],{"alt":471,"preload":54,"quality":209,"src":559,"width":484},"\u002Fimages\u002Fwindows\u002Ffirewall-3.png",[38,561,562],{"start":487},[41,563,564,565,568],{},"Now click ",[105,566,567],{},"New Rule..."," in the right hand menu",[16,570,571],{},[421,572],{"alt":471,"preload":54,"quality":209,"src":573,"width":484},"\u002Fimages\u002Fwindows\u002Ffirewall-4.png",[38,575,576],{"start":502},[41,577,578,579,582,583,586],{},"Select ",[105,580,581],{},"Port"," to open a port. You can also choose ",[105,584,585],{},"Program"," and then select the .exe",[16,588,589],{},[421,590],{"alt":471,"preload":54,"quality":209,"src":591,"width":484},"\u002Fimages\u002Fwindows\u002Ffirewall-5.png",[38,593,595],{"start":594},6,[41,596,597],{},"Select the protocol and ports to open. In this example I am opening HTTP so I will open TCP port 80 and 443",[16,599,600],{},[421,601],{"alt":471,"preload":54,"quality":209,"src":602,"width":484},"\u002Fimages\u002Fwindows\u002Ffirewall-6.png",[38,604,606],{"start":605},7,[41,607,608],{},"Allow the connection",[16,610,611],{},[421,612],{"alt":471,"preload":54,"quality":209,"src":613,"width":484},"\u002Fimages\u002Fwindows\u002Ffirewall-7.png",[38,615,617],{"start":616},8,[41,618,619],{},"If you are unsure what to select for profile then select all of them.",[16,621,622],{},[421,623],{"alt":471,"preload":54,"quality":209,"src":624,"width":484},"\u002Fimages\u002Fwindows\u002Ffirewall-8.png",[38,626,628],{"start":627},9,[41,629,630,631],{},"Enter in a name and then click ",[105,632,633],{},"finish",[16,635,636],{},[421,637],{"alt":471,"preload":54,"quality":209,"src":638,"width":484},"\u002Fimages\u002Fwindows\u002Ffirewall-9.png",[38,640,642],{"start":641},10,[41,643,644],{},"The port will now be open on Windows, you can try and connect to it via your public IP address.",{"title":54,"searchDepth":55,"depth":55,"links":646},[647,648,649],{"id":400,"depth":55,"text":383},{"id":452,"depth":55,"text":390},{"id":513,"depth":55,"text":397},"Setup your public IP on Windows 10\u002F11 and get your services online today. Our simple guide makes it easy.",{},{"title":374,"icon":653},"mdi-microsoft-windows","\u002Fdocs\u002Fwindows",{"title":368,"description":650},"docs\u002F3.windows","8iXK20CswyI-Patr7UlXduH0hnq5h_WzHtDVdCuOCZU",{"id":659,"title":660,"body":661,"createdAt":1193,"description":1194,"extension":61,"faq":1195,"meta":1205,"navigation":1206,"path":1210,"seo":1211,"stem":1212,"updatedAt":1193,"__hash__":1213},"docs\u002Fguides\u002Fstatic-public-ip-address\u002Fhow-to-get-a-public-ip-address.md","How to Get a Public IP Address (4 Methods, 2026 Guide)",{"type":8,"value":662,"toc":1179},[663,667,686,737,784,844,984,1037,1090,1176],[11,664,666],{"id":665},"how-to-get-a-public-ip-address","How to Get a Public IP Address",[668,669,678],"v-sheet",{"className":670,"rounded":54,"max-width":677},[671,672,673,674,675,676],"mx-auto","pa-lg-4","pa-2","mt-2","mb-4","ma-0","1200",[16,679,680,681,685],{},"Every device connected to the internet has a public IP address, but most home and office users share one with dozens or hundreds of other customers through their ISP. If you need a ",[682,683,684],"strong",{},"dedicated, reachable public IP"," to host a server, run email, accept game connections, or access your home network remotely, this guide covers what a public IP actually is and the four realistic ways to get one.",[668,687,689,693,700,718,730],{"className":688,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,690,692],{"id":691},"what-is-a-public-ip-address","What is a public IP address?",[16,694,695,696,699],{},"A ",[682,697,698],{},"public IP address"," is the address that identifies your connection on the open internet. When you load a website, send an email, or join a video call, the remote server sees your public IP and sends its response back to it.",[16,701,695,702,705,706,709,710,713,714,717],{},[682,703,704],{},"private (local) IP address"," is what your devices use inside your home or office network, typically in the ",[105,707,708],{},"192.168.x.x",", ",[105,711,712],{},"10.x.x.x",", or ",[105,715,716],{},"172.16-31.x.x"," ranges. Your router translates between your private addresses and your public address using Network Address Translation (NAT), so all your devices can share a single public IP for outbound traffic.",[16,719,720,721,724,725,729],{},"The problem starts when you want ",[682,722,723],{},"inbound"," traffic. If you're running a web server, email server, Minecraft server, or any service that other people need to connect to, they need to reach your public IP. But if your ISP shares that public IP with other customers via ",[83,726,728],{"href":727},"\u002Fguides\u002Fself-hosting\u002Fself-hosting-behind-carrier-grade-nat-cgnat","carrier-grade NAT (CGNAT)",", incoming connections have nowhere to go, your ISP's NAT equipment doesn't know which customer should receive them.",[16,731,732,733,736],{},"That's why getting a ",[682,734,735],{},"dedicated"," public IP matters: it's an address that belongs to you alone, where inbound connections are forwarded to your server and nobody else's.",[668,738,740,744,747,762,770],{"className":739,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,741,743],{"id":742},"check-your-current-public-ip","Check your current public IP",[16,745,746],{},"Before doing anything else, find out what public IP you currently have:",[110,748,752],{"className":749,"code":750,"language":751,"meta":54,"style":54},"language-shell shiki shiki-themes monokai","curl https:\u002F\u002Fapi.getpublicip.com\u002Fip\n","shell",[105,753,754],{"__ignoreMap":54},[118,755,756,759],{"class":120,"line":121},[118,757,758],{"class":124},"curl",[118,760,761],{"class":128}," https:\u002F\u002Fapi.getpublicip.com\u002Fip\n",[16,763,764,765,769],{},"This prints your current public IP along with your ISP and approximate location. For more options (wget, dig, IPv6), see our ",[83,766,768],{"href":767},"\u002Fguides\u002Ffind-your-public-ip-address\u002Ffind-your-ip-address-on-linux","full guide to finding your public IP on Linux",".",[16,771,772,775,776,779,780,783],{},[682,773,774],{},"What to look for",": if your router's WAN IP doesn't match what the command above returns, your ISP is using CGNAT. If the router shows an address in the ",[105,777,778],{},"100.64.0.0"," to ",[105,781,782],{},"100.127.255.255"," range, that's the reserved CGNAT range, confirming your ISP shares your public IP with other customers.",[668,785,787,791,798,805],{"className":786,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,788,790],{"id":789},"do-you-need-a-dedicated-public-ip","Do you need a dedicated public IP?",[16,792,793,794,797],{},"If you just need to ",[682,795,796],{},"check"," what your IP is, the command above is all you need.",[16,799,800,801,804],{},"If you need a ",[682,802,803],{},"dedicated, reachable"," public IP so that people on the internet can connect to something you're hosting, you'll need one of the four methods below. Common reasons to get a dedicated public IP include:",[806,807,808,814,820,826,832,838],"ul",{},[41,809,810,813],{},[682,811,812],{},"Self-hosting a website or web application"," at home or the office",[41,815,816,819],{},[682,817,818],{},"Running an email server"," (SMTP\u002FIMAP require a dedicated IP with good reputation)",[41,821,822,825],{},[682,823,824],{},"Hosting a game server"," (Minecraft, Valheim, Factorio, etc.)",[41,827,828,831],{},[682,829,830],{},"Remote access"," to your home network (SSH, RDP, VPN endpoint)",[41,833,834,837],{},[682,835,836],{},"Home Assistant or similar smart-home dashboards"," accessible from outside the house",[41,839,840,843],{},[682,841,842],{},"Running a VoIP\u002FSIP server"," or any other service that needs inbound connections",[668,845,847,851,856,859,865,871,878,882,885,890,895,899,902,907,912,919,923,930,935,973],{"className":846,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,848,850],{"id":849},"_4-ways-to-get-a-dedicated-public-ip-address","4 ways to get a dedicated public IP address",[852,853,855],"h3",{"id":854},"_1-request-a-static-ip-from-your-isp","1. Request a static IP from your ISP",[16,857,858],{},"The most straightforward option: call your ISP and ask for a static public IP address.",[16,860,861,864],{},[682,862,863],{},"Pros",": a real, dedicated public IP directly on your line. Works for all protocols and all use cases.",[16,866,867,870],{},[682,868,869],{},"Cons",": many ISPs only offer static IPs on business plans ($5-$30\u002Fmonth extra). The IP is tied to your physical line, so moving house means losing it. Residential IP blocks often have poor email-sender reputation, which can break self-hosted email. There's no failover — if your connection goes down, the IP goes with it.",[16,872,873,874,769],{},"For a deeper look at how ISP-assigned static IPs work and what to expect, see our ",[83,875,877],{"href":876},"\u002Fguides\u002Fstatic-public-ip-address\u002Fhow-to-get-a-static-ip-address","guide to getting a static IP address",[852,879,881],{"id":880},"_2-use-a-vpn-with-a-dedicated-ip-option","2. Use a VPN with a dedicated IP option",[16,883,884],{},"Some commercial VPN providers (NordVPN, Mullvad, etc.) offer a dedicated IP add-on alongside their standard shared-IP service.",[16,886,887,889],{},[682,888,863],{},": portable — works from any connection. Encrypts your traffic.",[16,891,892,894],{},[682,893,869],{},": most VPN dedicated IPs still have port restrictions and aren't designed for hosting. Latency is higher because traffic routes through the VPN provider's data centre. Protocol support varies. Not suitable for serious self-hosting.",[852,896,898],{"id":897},"_3-use-cloudflare-tunnel-free-httphttps-only","3. Use Cloudflare Tunnel (free, HTTP\u002FHTTPS only)",[16,900,901],{},"Cloudflare Tunnel (formerly Argo Tunnel) lets you expose a local web server to the internet without a public IP. It works by creating an outbound tunnel from your server to Cloudflare's edge.",[16,903,904,906],{},[682,905,863],{},": free on the Zero Trust free tier. Bypasses CGNAT automatically. Easy to set up.",[16,908,909,911],{},[682,910,869],{},": only works for HTTP and HTTPS traffic. No support for email, game servers, SSH on custom ports, VoIP, or raw TCP\u002FUDP protocols. SSL\u002FTLS is terminated at Cloudflare's servers, meaning Cloudflare can see your traffic in plaintext before re-encrypting it to the visitor.",[16,913,914,915,769],{},"For a detailed comparison, see ",[83,916,918],{"href":917},"\u002Fguides\u002Fself-hosting\u002Fgetpublicip-vs-cloudflare-tunnel-vs-tailscale","GetPublicIP vs Cloudflare Tunnel vs Tailscale",[852,920,922],{"id":921},"_4-use-getpublicip-recommended","4. Use GetPublicIP (recommended)",[16,924,925,926,929],{},"GetPublicIP delivers a ",[682,927,928],{},"dedicated public IPv4 address"," to your server over an encrypted WireGuard VPN tunnel. Your server connects outbound to our edge infrastructure (which CGNAT allows), and we forward all inbound traffic for your IP through that tunnel.",[16,931,932,210],{},[682,933,934],{},"What makes it different",[806,936,937,943,949,955,961,967],{},[41,938,939,942],{},[682,940,941],{},"Any protocol",": HTTP, HTTPS, email (SMTP\u002FIMAP), game servers, SSH, VoIP, raw TCP\u002FUDP — all work.",[41,944,945,948],{},[682,946,947],{},"End-to-end encryption",": SSL\u002FTLS terminates at your server, not ours. We never see your plaintext traffic.",[41,950,951,954],{},[682,952,953],{},"Portable",": move your server to a different ISP or location and keep the same public IP.",[41,956,957,960],{},[682,958,959],{},"Built-in failover",": if your primary connection drops, traffic can route to a backup.",[41,962,963,966],{},[682,964,965],{},"No router configuration",": the tunnel handles everything.",[41,968,969,972],{},[682,970,971],{},"$8.99 USD\u002Fmonth"," per IP. No contracts.",[16,974,975,979,980,983],{},[83,976,978],{"href":977},"\u002Fsign-up","Create an account"," or start with the ",[83,981,982],{"href":65},"getting-started guide"," to have a dedicated public IP running in minutes.",[668,985,987,991,1002,1005,1031],{"className":986,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,988,990],{"id":989},"what-if-youre-behind-cgnat","What if you're behind CGNAT?",[16,992,993,994,996,997,779,999,1001],{},"Many ISPs, especially on mobile networks and newer fibre connections, use ",[682,995,728],{}," to share a single public IP across hundreds of customers. If your router's WAN address is in the ",[105,998,778],{},[105,1000,782],{}," range, you're on CGNAT.",[16,1003,1004],{},"CGNAT blocks all inbound connections, making self-hosting impossible without a workaround. Of the four methods above:",[806,1006,1007,1013,1019,1025],{},[41,1008,1009,1012],{},[682,1010,1011],{},"ISP static IP"," (method 1) takes you off the CGNAT pool entirely — if your ISP offers it.",[41,1014,1015,1018],{},[682,1016,1017],{},"GetPublicIP"," (method 4) bypasses CGNAT transparently because the tunnel is initiated as an outbound connection from your server.",[41,1020,1021,1024],{},[682,1022,1023],{},"Cloudflare Tunnel"," (method 3) also bypasses CGNAT, but only for HTTP\u002FHTTPS.",[41,1026,1027,1030],{},[682,1028,1029],{},"VPN dedicated IP"," (method 2) may or may not work depending on the provider's port-forwarding support.",[16,1032,1033,1034,769],{},"For a full technical explanation of CGNAT and how to detect it, see our ",[83,1035,1036],{"href":727},"complete CGNAT guide",[668,1038,1040,1044,1047,1073,1080],{"className":1039,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,1041,1043],{"id":1042},"public-ip-vs-static-ip-whats-the-difference","Public IP vs static IP — what's the difference?",[16,1045,1046],{},"These terms are related but not interchangeable:",[806,1048,1049,1063],{},[41,1050,695,1051,1054,1055,1058,1059,1062],{},[682,1052,1053],{},"public IP"," is any IP address visible on the open internet. Most home connections have one, but it may be ",[682,1056,1057],{},"dynamic"," (your ISP changes it periodically — sometimes daily, sometimes monthly) or ",[682,1060,1061],{},"shared"," (via CGNAT).",[41,1064,695,1065,1068,1069,1072],{},[682,1066,1067],{},"static IP"," is a public IP that ",[682,1070,1071],{},"never changes",". It stays the same indefinitely, which is essential for hosting because your DNS records, firewall rules, and clients all depend on the address being stable.",[16,1074,1075,1076,1079],{},"Most home ISPs give you a ",[682,1077,1078],{},"dynamic public IP"," by default. If you're behind CGNAT, you don't even get your own public IP at all.",[16,1081,1082,1083,1086,1087,769],{},"For hosting, you need a ",[682,1084,1085],{},"static public IP",": one that belongs to you, doesn't change, and accepts inbound connections. That's what GetPublicIP provides. For more on how static IPs work and the options available, see our ",[83,1088,1089],{"href":876},"guide to static IP addresses",[668,1091,1093,1097,1109,1122,1131,1140,1149,1158,1167],{"className":1092,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,1094,1096],{"id":1095},"frequently-asked-questions","Frequently Asked Questions",[1098,1099,1102,1106],"details",{"className":1100},[1101],"faq-item",[1103,1104,1105],"summary",{},"How do I get a public IP address?",[16,1107,1108],{},"Every internet connection already has a public IP, but it is usually shared (via CGNAT) or dynamic (changes periodically). To get a dedicated public IP you can either request a static IP from your ISP, use a tunneling service like Cloudflare Tunnel for HTTP traffic, or use a dedicated public IP service like GetPublicIP that delivers a real IPv4 address to your server over an encrypted WireGuard tunnel.",[1098,1110,1112,1115],{"className":1111},[1101],[1103,1113,1114],{},"Is a public IP address free?",[16,1116,1117,1118,1121],{},"Checking your current public IP is free — just run ",[105,1119,1120],{},"curl https:\u002F\u002Fapi.getpublicip.com\u002Fip"," from any terminal. Getting a dedicated public IP for hosting typically costs money. ISPs charge $5 to $30 per month for a static IP. GetPublicIP starts at $8.99 per month per IP. Cloudflare Tunnel is free but only supports HTTP and HTTPS traffic.",[1098,1123,1125,1128],{"className":1124},[1101],[1103,1126,1127],{},"Where can I get a public IP?",[16,1129,1130],{},"Four main sources: your ISP (request a static IP add-on), a VPN provider that offers dedicated IPs, Cloudflare Tunnel (free, HTTP only), or a dedicated public IP service like GetPublicIP. The best choice depends on what you are hosting and whether you need full protocol support, email hosting, or end-to-end encryption.",[1098,1132,1134,1137],{"className":1133},[1101],[1103,1135,1136],{},"What is the difference between a public and private IP address?",[16,1138,1139],{},"A private IP (like 192.168.1.x or 10.0.0.x) is used inside your local network and is not reachable from the internet. A public IP is the address the rest of the internet sees when your traffic leaves your router. Your router translates between the two using NAT. To host a server that anyone on the internet can reach, you need a dedicated public IP.",[1098,1141,1143,1146],{"className":1142},[1101],[1103,1144,1145],{},"Do I need a public IP to host a server?",[16,1147,1148],{},"Yes, if you want the server to be reachable from the open internet. Without a dedicated public IP, inbound connections cannot reach your machine because your ISP's NAT or CGNAT does not know which customer to forward them to. Services like email servers, game servers, web servers, and remote desktop all require a reachable public IP.",[1098,1150,1152,1155],{"className":1151},[1101],[1103,1153,1154],{},"Can I get a public IP if my ISP uses CGNAT?",[16,1156,1157],{},"Yes. CGNAT blocks inbound connections by sharing one public IP across many customers, but you can bypass it. GetPublicIP delivers a dedicated public IP over a WireGuard tunnel, which works even behind the strictest CGNAT because the tunnel is initiated as an outbound connection from your server. You can also ask your ISP for a static IP (if they offer it) to be taken off the CGNAT pool.",[1098,1159,1161,1164],{"className":1160},[1101],[1103,1162,1163],{},"Is a public IP the same as a static IP?",[16,1165,1166],{},"Not exactly. A public IP can be dynamic (your ISP changes it periodically) or static (it never changes). Most home connections get a dynamic public IP. A static public IP is what you need for hosting because your DNS records, firewall rules, and clients all rely on the address staying the same. GetPublicIP provides static public IPs.",[1098,1168,1170,1173],{"className":1169},[1101],[1103,1171,1172],{},"How much does a dedicated public IP cost?",[16,1174,1175],{},"It depends on the provider. ISPs typically charge $5 to $30 per month for a static IP add-on, often restricted to business plans. GetPublicIP offers dedicated public IPv4 addresses starting at $8.99 per month with no contract, full protocol support, and end-to-end encryption. Cloudflare Tunnel is free but limited to HTTP and HTTPS.",[351,1177,1178],{},"html pre.shiki code .sHkqI, html code.shiki .sHkqI{--shiki-default:#A6E22E}html pre.shiki code .s_Ekj, html code.shiki .s_Ekj{--shiki-default:#E6DB74}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":54,"searchDepth":55,"depth":55,"links":1180},[1181,1182,1183,1184,1190,1191,1192],{"id":691,"depth":55,"text":692},{"id":742,"depth":55,"text":743},{"id":789,"depth":55,"text":790},{"id":849,"depth":55,"text":850,"children":1185},[1186,1187,1188,1189],{"id":854,"depth":440,"text":855},{"id":880,"depth":440,"text":881},{"id":897,"depth":440,"text":898},{"id":921,"depth":440,"text":922},{"id":989,"depth":55,"text":990},{"id":1042,"depth":55,"text":1043},{"id":1095,"depth":55,"text":1096},"2026-04-16T00:00:00.000Z","Need a public IP address? Learn what a public IP is, how to check yours, and 4 ways to get a dedicated one for self-hosting — from free to best.",[1196,1197,1199,1200,1201,1202,1203,1204],{"question":1105,"answer":1108},{"question":1114,"answer":1198},"Checking your current public IP is free, just run curl https:\u002F\u002Fapi.getpublicip.com\u002Fip from any terminal. Getting a dedicated public IP for hosting typically costs money. ISPs charge $5 to $30 per month for a static IP. GetPublicIP starts at $8.99 per month per IP. Cloudflare Tunnel is free but only supports HTTP and HTTPS traffic.",{"question":1127,"answer":1130},{"question":1136,"answer":1139},{"question":1145,"answer":1148},{"question":1154,"answer":1157},{"question":1163,"answer":1166},{"question":1172,"answer":1175},{},{"title":1207,"icon":1208,"description":1209},"How to get a public IP address","mdi-earth","What a public IP is, how to check yours, and 4 ways to get a dedicated public IP for self-hosting.","\u002Fguides\u002Fstatic-public-ip-address\u002Fhow-to-get-a-public-ip-address",{"title":660,"description":1194},"guides\u002Fstatic-public-ip-address\u002Fhow-to-get-a-public-ip-address","FGMOwlzNstcTZkhp44rMOucPid4KdKAZFaSEB3rFbVk",[1215,2836,7926,8519],{"path":1216,"title":1217,"icon":1218,"children":1219},"\u002Fguides\u002Ffind-your-public-ip-address","Find Your Public Ip Address","mdi-folder",[1220,2530],{"id":1221,"title":1222,"body":1223,"createdAt":2499,"description":2500,"extension":61,"faq":2501,"meta":2522,"navigation":2523,"path":767,"seo":2527,"stem":2528,"updatedAt":1193,"__hash__":2529},"docs\u002Fguides\u002Ffind-your-public-ip-address\u002Ffind-your-ip-address-on-linux.md","Find Your Public IP on Linux (curl, wget, dig) — 2026 Guide",{"type":8,"value":1224,"toc":2472},[1225,1229,1246,1296,1486,1664,1763,1862,2034,2232,2469],[11,1226,1228],{"id":1227},"find-your-public-ip-on-linux-curl-wget-dig","Find Your Public IP on Linux (curl, wget, dig)",[1230,1231,1232,1241],"v-row",{},[1233,1234,1237],"v-col",{"cols":1235,"md":1236},12,"6",[1238,1239],"ipv4-address",{"max-width":1240},"500",[1233,1242,1243],{"cols":1235,"md":1236},[1244,1245],"ipv6-address",{"max-width":1240},[668,1247,1249,1253,1256,1266,1278,1290],{"className":1248,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,1250,1252],{"id":1251},"quick-answer-get-your-public-ip-in-one-command","Quick answer: get your public IP in one command",[16,1254,1255],{},"If you just need your public IP right now, run one of these:",[110,1257,1258],{"className":749,"code":750,"language":751,"meta":54,"style":54},[105,1259,1260],{"__ignoreMap":54},[118,1261,1262,1264],{"class":120,"line":121},[118,1263,758],{"class":124},[118,1265,761],{"class":128},[110,1267,1269],{"className":749,"code":1268,"language":751,"meta":54,"style":54},"curl ifconfig.me\n",[105,1270,1271],{"__ignoreMap":54},[118,1272,1273,1275],{"class":120,"line":121},[118,1274,758],{"class":124},[118,1276,1277],{"class":128}," ifconfig.me\n",[16,1279,1280,1281,709,1283,709,1286,1289],{},"Both print your public IPv4 address to the terminal. The rest of this guide covers every variation: ",[105,1282,758],{},[105,1284,1285],{},"wget",[105,1287,1288],{},"dig",", forcing IPv4\u002FIPv6, quiet mode, alternative services, and finding your local\u002Fprivate IP.",[16,1291,1292,1293,1295],{},"If your public IP doesn't match the WAN address on your router, your ISP is likely using ",[83,1294,728],{"href":727}," — which blocks inbound connections and makes self-hosting impossible without a workaround.",[668,1297,1299,1303,1308,1312,1322,1325,1333,1336,1350,1353,1359,1363,1403,1406,1431,1435,1479],{"className":1298,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,1300,1302],{"id":1301},"find-your-public-ip-with-curl","Find your public IP with curl",[16,1304,1305,1307],{},[105,1306,758],{}," is the most common way to fetch your public IP from the command line. It ships with virtually every Linux distribution.",[852,1309,1311],{"id":1310},"basic-usage","Basic usage",[110,1313,1314],{"className":749,"code":750,"language":751,"meta":54,"style":54},[105,1315,1316],{"__ignoreMap":54},[118,1317,1318,1320],{"class":120,"line":121},[118,1319,758],{"class":124},[118,1321,761],{"class":128},[16,1323,1324],{},"Output (structured — includes ISP and location):",[110,1326,1331],{"className":1327,"code":1329,"language":1330},[1328],"language-text","IP Address: 203.0.113.42\nISP: Example ISP\nCity: Auckland\nCountry: New Zealand\n","text",[105,1332,1329],{"__ignoreMap":54},[16,1334,1335],{},"For just the raw IP address with no extra metadata:",[110,1337,1339],{"className":749,"code":1338,"language":751,"meta":54,"style":54},"curl -s ifconfig.me\n",[105,1340,1341],{"__ignoreMap":54},[118,1342,1343,1345,1348],{"class":120,"line":121},[118,1344,758],{"class":124},[118,1346,1347],{"class":337}," -s",[118,1349,1277],{"class":128},[16,1351,1352],{},"Output:",[110,1354,1357],{"className":1355,"code":1356,"language":1330},[1328],"203.0.113.42\n",[105,1358,1356],{"__ignoreMap":54},[852,1360,1362],{"id":1361},"force-ipv4-or-ipv6","Force IPv4 or IPv6",[110,1364,1366],{"className":749,"code":1365,"language":751,"meta":54,"style":54},"# Force IPv4\ncurl -4 ifconfig.me\n\n# Force IPv6\ncurl -6 ifconfig.me\n",[105,1367,1368,1374,1383,1389,1394],{"__ignoreMap":54},[118,1369,1370],{"class":120,"line":121},[118,1371,1373],{"class":1372},"snpHw","# Force IPv4\n",[118,1375,1376,1378,1381],{"class":120,"line":55},[118,1377,758],{"class":124},[118,1379,1380],{"class":337}," -4",[118,1382,1277],{"class":128},[118,1384,1385],{"class":120,"line":440},[118,1386,1388],{"emptyLinePlaceholder":1387},true,"\n",[118,1390,1391],{"class":120,"line":487},[118,1392,1393],{"class":1372},"# Force IPv6\n",[118,1395,1396,1398,1401],{"class":120,"line":502},[118,1397,758],{"class":124},[118,1399,1400],{"class":337}," -6",[118,1402,1277],{"class":128},[16,1404,1405],{},"GetPublicIP also has dedicated endpoints for each protocol:",[110,1407,1409],{"className":749,"code":1408,"language":751,"meta":54,"style":54},"curl https:\u002F\u002Fipv4.getpublicip.com\u002Fip    # IPv4 only\ncurl https:\u002F\u002Fipv6.getpublicip.com\u002Fip    # IPv6 only\n",[105,1410,1411,1421],{"__ignoreMap":54},[118,1412,1413,1415,1418],{"class":120,"line":121},[118,1414,758],{"class":124},[118,1416,1417],{"class":128}," https:\u002F\u002Fipv4.getpublicip.com\u002Fip",[118,1419,1420],{"class":1372},"    # IPv4 only\n",[118,1422,1423,1425,1428],{"class":120,"line":55},[118,1424,758],{"class":124},[118,1426,1427],{"class":128}," https:\u002F\u002Fipv6.getpublicip.com\u002Fip",[118,1429,1430],{"class":1372},"    # IPv6 only\n",[852,1432,1434],{"id":1433},"other-services-that-work-with-curl","Other services that work with curl",[110,1436,1438],{"className":749,"code":1437,"language":751,"meta":54,"style":54},"curl ifconfig.me           # plain text IP\ncurl api.ipify.org         # plain text IP\ncurl icanhazip.com         # plain text IP\ncurl ifconfig.co           # plain text IP (also supports JSON)\n",[105,1439,1440,1450,1460,1469],{"__ignoreMap":54},[118,1441,1442,1444,1447],{"class":120,"line":121},[118,1443,758],{"class":124},[118,1445,1446],{"class":128}," ifconfig.me",[118,1448,1449],{"class":1372},"           # plain text IP\n",[118,1451,1452,1454,1457],{"class":120,"line":55},[118,1453,758],{"class":124},[118,1455,1456],{"class":128}," api.ipify.org",[118,1458,1459],{"class":1372},"         # plain text IP\n",[118,1461,1462,1464,1467],{"class":120,"line":440},[118,1463,758],{"class":124},[118,1465,1466],{"class":128}," icanhazip.com",[118,1468,1459],{"class":1372},[118,1470,1471,1473,1476],{"class":120,"line":487},[118,1472,758],{"class":124},[118,1474,1475],{"class":128}," ifconfig.co",[118,1477,1478],{"class":1372},"           # plain text IP (also supports JSON)\n",[16,1480,1481,1482,1485],{},"All return your public IP as plain text. Add ",[105,1483,1484],{},"-s"," (silent mode) to suppress the progress bar in scripts.",[668,1487,1489,1493,1501,1504,1518,1529,1532,1545,1547,1552,1555,1592,1595,1620,1624],{"className":1488,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,1490,1492],{"id":1491},"find-your-public-ip-with-wget","Find your public IP with wget",[16,1494,1495,1497,1498,1500],{},[105,1496,1285],{}," is available on most Linux systems and is often preferred in environments where ",[105,1499,758],{}," isn't installed (older minimal installs, embedded systems).",[852,1502,1311],{"id":1503},"basic-usage-1",[110,1505,1507],{"className":749,"code":1506,"language":751,"meta":54,"style":54},"wget -qO- https:\u002F\u002Fapi.getpublicip.com\u002Fip\n",[105,1508,1509],{"__ignoreMap":54},[118,1510,1511,1513,1516],{"class":120,"line":121},[118,1512,1285],{"class":124},[118,1514,1515],{"class":337}," -qO-",[118,1517,761],{"class":128},[16,1519,1520,1521,1524,1525,1528],{},"The ",[105,1522,1523],{},"-q"," flag suppresses progress output. The ",[105,1526,1527],{},"-O-"," flag sends the result to stdout (the terminal) instead of saving it to a file.",[16,1530,1531],{},"For just the raw IP address:",[110,1533,1535],{"className":749,"code":1534,"language":751,"meta":54,"style":54},"wget -qO- ifconfig.me\n",[105,1536,1537],{"__ignoreMap":54},[118,1538,1539,1541,1543],{"class":120,"line":121},[118,1540,1285],{"class":124},[118,1542,1515],{"class":337},[118,1544,1277],{"class":128},[16,1546,1352],{},[110,1548,1550],{"className":1549,"code":1356,"language":1330},[1328],[105,1551,1356],{"__ignoreMap":54},[852,1553,1362],{"id":1554},"force-ipv4-or-ipv6-1",[110,1556,1558],{"className":749,"code":1557,"language":751,"meta":54,"style":54},"# Force IPv4\nwget -4 -qO- ifconfig.me\n\n# Force IPv6\nwget -6 -qO- ifconfig.me\n",[105,1559,1560,1564,1574,1578,1582],{"__ignoreMap":54},[118,1561,1562],{"class":120,"line":121},[118,1563,1373],{"class":1372},[118,1565,1566,1568,1570,1572],{"class":120,"line":55},[118,1567,1285],{"class":124},[118,1569,1380],{"class":337},[118,1571,1515],{"class":337},[118,1573,1277],{"class":128},[118,1575,1576],{"class":120,"line":440},[118,1577,1388],{"emptyLinePlaceholder":1387},[118,1579,1580],{"class":120,"line":487},[118,1581,1393],{"class":1372},[118,1583,1584,1586,1588,1590],{"class":120,"line":502},[118,1585,1285],{"class":124},[118,1587,1400],{"class":337},[118,1589,1515],{"class":337},[118,1591,1277],{"class":128},[16,1593,1594],{},"GetPublicIP dedicated endpoints:",[110,1596,1598],{"className":749,"code":1597,"language":751,"meta":54,"style":54},"wget -qO- https:\u002F\u002Fipv4.getpublicip.com\u002Fip    # IPv4 only\nwget -qO- https:\u002F\u002Fipv6.getpublicip.com\u002Fip    # IPv6 only\n",[105,1599,1600,1610],{"__ignoreMap":54},[118,1601,1602,1604,1606,1608],{"class":120,"line":121},[118,1603,1285],{"class":124},[118,1605,1515],{"class":337},[118,1607,1417],{"class":128},[118,1609,1420],{"class":1372},[118,1611,1612,1614,1616,1618],{"class":120,"line":55},[118,1613,1285],{"class":124},[118,1615,1515],{"class":337},[118,1617,1427],{"class":128},[118,1619,1430],{"class":1372},[852,1621,1623],{"id":1622},"other-services-that-work-with-wget","Other services that work with wget",[110,1625,1627],{"className":749,"code":1626,"language":751,"meta":54,"style":54},"wget -qO- ifconfig.me\nwget -qO- api.ipify.org\nwget -qO- icanhazip.com\nwget -qO- ifconfig.co\n",[105,1628,1629,1637,1646,1655],{"__ignoreMap":54},[118,1630,1631,1633,1635],{"class":120,"line":121},[118,1632,1285],{"class":124},[118,1634,1515],{"class":337},[118,1636,1277],{"class":128},[118,1638,1639,1641,1643],{"class":120,"line":55},[118,1640,1285],{"class":124},[118,1642,1515],{"class":337},[118,1644,1645],{"class":128}," api.ipify.org\n",[118,1647,1648,1650,1652],{"class":120,"line":440},[118,1649,1285],{"class":124},[118,1651,1515],{"class":337},[118,1653,1654],{"class":128}," icanhazip.com\n",[118,1656,1657,1659,1661],{"class":120,"line":487},[118,1658,1285],{"class":124},[118,1660,1515],{"class":337},[118,1662,1663],{"class":128}," ifconfig.co\n",[668,1665,1667,1671,1674,1678,1696,1698,1703,1707,1727,1730,1736,1740,1755],{"className":1666,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,1668,1670],{"id":1669},"find-your-public-ip-with-dig-or-host-dns-method","Find your public IP with dig or host (DNS method)",[16,1672,1673],{},"If you prefer not to make an HTTP request, you can query your public IP via DNS. This uses your DNS resolver's knowledge of your egress IP.",[852,1675,1677],{"id":1676},"using-dig-opendns","Using dig (OpenDNS)",[110,1679,1681],{"className":749,"code":1680,"language":751,"meta":54,"style":54},"dig +short myip.opendns.com @resolver1.opendns.com\n",[105,1682,1683],{"__ignoreMap":54},[118,1684,1685,1687,1690,1693],{"class":120,"line":121},[118,1686,1288],{"class":124},[118,1688,1689],{"class":128}," +short",[118,1691,1692],{"class":128}," myip.opendns.com",[118,1694,1695],{"class":128}," @resolver1.opendns.com\n",[16,1697,1352],{},[110,1699,1701],{"className":1700,"code":1356,"language":1330},[1328],[105,1702,1356],{"__ignoreMap":54},[852,1704,1706],{"id":1705},"using-dig-google-dns","Using dig (Google DNS)",[110,1708,1710],{"className":749,"code":1709,"language":751,"meta":54,"style":54},"dig TXT +short o-o.myaddr.l.google.com @ns1.google.com\n",[105,1711,1712],{"__ignoreMap":54},[118,1713,1714,1716,1719,1721,1724],{"class":120,"line":121},[118,1715,1288],{"class":124},[118,1717,1718],{"class":128}," TXT",[118,1720,1689],{"class":128},[118,1722,1723],{"class":128}," o-o.myaddr.l.google.com",[118,1725,1726],{"class":128}," @ns1.google.com\n",[16,1728,1729],{},"Output (quoted TXT record):",[110,1731,1734],{"className":1732,"code":1733,"language":1330},[1328],"\"203.0.113.42\"\n",[105,1735,1733],{"__ignoreMap":54},[852,1737,1739],{"id":1738},"using-host","Using host",[110,1741,1743],{"className":749,"code":1742,"language":751,"meta":54,"style":54},"host myip.opendns.com resolver1.opendns.com\n",[105,1744,1745],{"__ignoreMap":54},[118,1746,1747,1750,1752],{"class":120,"line":121},[118,1748,1749],{"class":124},"host",[118,1751,1692],{"class":128},[118,1753,1754],{"class":128}," resolver1.opendns.com\n",[16,1756,1520,1757,1759,1760,1762],{},[105,1758,1288],{}," and ",[105,1761,1749],{}," methods don't require an HTTP request — just a single DNS lookup. Useful in locked-down environments where outbound HTTP is restricted but DNS is allowed.",[668,1764,1766,1769,1772,1844],{"className":1765,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,1767,1362],{"id":1768},"force-ipv4-or-ipv6-2",[16,1770,1771],{},"On dual-stack connections (where your machine has both IPv4 and IPv6), the default command may return either address depending on your OS and DNS resolution order. Use these flags to force a specific protocol:",[1773,1774,1775,1791],"table",{},[1776,1777,1778],"thead",{},[1779,1780,1781,1785,1788],"tr",{},[1782,1783,1784],"th",{},"Tool",[1782,1786,1787],{},"Force IPv4",[1782,1789,1790],{},"Force IPv6",[1792,1793,1794,1811,1827],"tbody",{},[1779,1795,1796,1801,1806],{},[1797,1798,1799],"td",{},[682,1800,758],{},[1797,1802,1803],{},[105,1804,1805],{},"curl -4 ifconfig.me",[1797,1807,1808],{},[105,1809,1810],{},"curl -6 ifconfig.me",[1779,1812,1813,1817,1822],{},[1797,1814,1815],{},[682,1816,1285],{},[1797,1818,1819],{},[105,1820,1821],{},"wget -4 -qO- ifconfig.me",[1797,1823,1824],{},[105,1825,1826],{},"wget -6 -qO- ifconfig.me",[1779,1828,1829,1834,1839],{},[1797,1830,1831],{},[682,1832,1833],{},"GetPublicIP endpoint",[1797,1835,1836],{},[105,1837,1838],{},"curl https:\u002F\u002Fipv4.getpublicip.com\u002Fip",[1797,1840,1841],{},[105,1842,1843],{},"curl https:\u002F\u002Fipv6.getpublicip.com\u002Fip",[16,1845,1846,1847,1759,1850,1853,1854,1857,1858,1861],{},"The dedicated GetPublicIP endpoints (",[105,1848,1849],{},"ipv4.",[105,1851,1852],{},"ipv6.",") are DNS-level IPv4\u002FIPv6 only, so they work even if your tool doesn't support the ",[105,1855,1856],{},"-4","\u002F",[105,1859,1860],{},"-6"," flags.",[668,1863,1865,1869,1872,2020,2028],{"className":1864,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,1866,1868],{"id":1867},"alternative-whats-my-ip-services","Alternative \"what's my IP\" services",[16,1870,1871],{},"Several free services let you query your public IP from the command line. Here's a quick comparison:",[1773,1873,1874,1893],{},[1776,1875,1876],{},[1779,1877,1878,1881,1884,1887,1890],{},[1782,1879,1880],{},"Service",[1782,1882,1883],{},"URL",[1782,1885,1886],{},"IPv4-only mode",[1782,1888,1889],{},"IPv6-only mode",[1782,1891,1892],{},"Output format",[1792,1894,1895,1919,1945,1972,1995],{},[1779,1896,1897,1901,1906,1911,1916],{},[1797,1898,1899],{},[682,1900,1017],{},[1797,1902,1903],{},[105,1904,1905],{},"api.getpublicip.com\u002Fip",[1797,1907,1908],{},[105,1909,1910],{},"ipv4.getpublicip.com\u002Fip",[1797,1912,1913],{},[105,1914,1915],{},"ipv6.getpublicip.com\u002Fip",[1797,1917,1918],{},"Structured (IP + ISP + location)",[1779,1920,1921,1926,1930,1937,1942],{},[1797,1922,1923],{},[682,1924,1925],{},"ifconfig.me",[1797,1927,1928],{},[105,1929,1925],{},[1797,1931,1932,1933,1936],{},"Use ",[105,1934,1935],{},"curl -4"," flag",[1797,1938,1932,1939,1936],{},[105,1940,1941],{},"curl -6",[1797,1943,1944],{},"Plain text IP",[1779,1946,1947,1952,1957,1961,1966],{},[1797,1948,1949],{},[682,1950,1951],{},"ipify",[1797,1953,1954],{},[105,1955,1956],{},"api.ipify.org",[1797,1958,1959],{},[105,1960,1956],{},[1797,1962,1963],{},[105,1964,1965],{},"api6.ipify.org",[1797,1967,1968,1969,417],{},"Plain text (or ",[105,1970,1971],{},"?format=json",[1779,1973,1974,1979,1983,1988,1993],{},[1797,1975,1976],{},[682,1977,1978],{},"icanhazip.com",[1797,1980,1981],{},[105,1982,1978],{},[1797,1984,1985],{},[105,1986,1987],{},"ipv4.icanhazip.com",[1797,1989,1990],{},[105,1991,1992],{},"ipv6.icanhazip.com",[1797,1994,1944],{},[1779,1996,1997,2002,2006,2010,2014],{},[1797,1998,1999],{},[682,2000,2001],{},"ifconfig.co",[1797,2003,2004],{},[105,2005,2001],{},[1797,2007,1932,2008,1936],{},[105,2009,1935],{},[1797,2011,1932,2012,1936],{},[105,2013,1941],{},[1797,2015,2016,2017,417],{},"Plain text (or JSON with ",[105,2018,2019],{},"\u002Fjson",[16,2021,2022,2023,1759,2025,2027],{},"All work with both ",[105,2024,758],{},[105,2026,1285],{},". GetPublicIP returns metadata alongside the IP; the others return a single line with just the address.",[16,2029,800,2030,2033],{},[83,2031,2032],{"href":876},"permanent, dedicated public IP"," for self-hosting (rather than just checking what your current IP is), see our guide on getting a static IP.",[668,2035,2037,2041,2044,2048,2061,2064,2068,2081,2084,2090,2104,2131,2134,2160,2164,2170,2179,2182,2188,2196,2200,2203,2229],{"className":2036,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,2038,2040],{"id":2039},"find-your-local-ip-address-on-linux","Find your local IP address on Linux",[16,2042,2043],{},"Your local (private) IP is the address assigned to your machine on your LAN — not visible to the outside internet. Here are the ways to find it.",[852,2045,2047],{"id":2046},"quick-one-liner","Quick one-liner",[110,2049,2051],{"className":749,"code":2050,"language":751,"meta":54,"style":54},"hostname -I\n",[105,2052,2053],{"__ignoreMap":54},[118,2054,2055,2058],{"class":120,"line":121},[118,2056,2057],{"class":124},"hostname",[118,2059,2060],{"class":337}," -I\n",[16,2062,2063],{},"This prints a space-separated list of all IP addresses assigned to the machine (both IPv4 and IPv6, all interfaces). It's the fastest way to see everything at a glance.",[852,2065,2067],{"id":2066},"detailed-ip-command-modern","Detailed: ip command (modern)",[110,2069,2071],{"className":749,"code":2070,"language":751,"meta":54,"style":54},"ip a\n",[105,2072,2073],{"__ignoreMap":54},[118,2074,2075,2078],{"class":120,"line":121},[118,2076,2077],{"class":124},"ip",[118,2079,2080],{"class":128}," a\n",[16,2082,2083],{},"You will see output similar to:",[110,2085,2088],{"className":2086,"code":2087,"language":1330},[1328],"1: lo: \u003CLOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\u002Floopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\u002F8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\u002F128 scope host noprefixroute \n       valid_lft forever preferred_lft forever\n2: eno0: \u003CBROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000\n    link\u002Fether 00:94:37:b7:8a:88 brd ff:ff:ff:ff:ff:ff\n    inet 192.168.66.245\u002F24 brd 192.168.66.255 scope global dynamic noprefixroute wlan0\n       valid_lft 71625sec preferred_lft 71625sec\n    inet6 fe80::767e:5882:2cdd:686e\u002F64 scope link noprefixroute \n       valid_lft forever preferred_lft forever\n",[105,2089,2087],{"__ignoreMap":54},[16,2091,2092,2093,2096,2097,2100,2101,769],{},"On the left you'll see interface names: ",[105,2094,2095],{},"lo"," (loopback) and ",[105,2098,2099],{},"eno0"," (Ethernet). Wireless adapters are usually named ",[105,2102,2103],{},"wlan0",[806,2105,2106,2112,2121],{},[41,2107,2108,2111],{},[105,2109,2110],{},"link\u002Fether"," — the MAC address (hardware identifier assigned by the manufacturer).",[41,2113,2114,2117,2118,769],{},[105,2115,2116],{},"inet"," — the IPv4 address. In this example, ",[105,2119,2120],{},"192.168.66.245",[41,2122,2123,2126,2127,2130],{},[105,2124,2125],{},"inet6"," — the IPv6 address. Addresses starting with ",[105,2128,2129],{},"fe80"," are link-local (not routable beyond the LAN).",[16,2132,2133],{},"To show only IPv4 or only IPv6 addresses:",[110,2135,2137],{"className":749,"code":2136,"language":751,"meta":54,"style":54},"ip -4 a    # IPv4 only\nip -6 a    # IPv6 only\n",[105,2138,2139,2150],{"__ignoreMap":54},[118,2140,2141,2143,2145,2148],{"class":120,"line":121},[118,2142,2077],{"class":124},[118,2144,1380],{"class":337},[118,2146,2147],{"class":128}," a",[118,2149,1420],{"class":1372},[118,2151,2152,2154,2156,2158],{"class":120,"line":55},[118,2153,2077],{"class":124},[118,2155,1400],{"class":337},[118,2157,2147],{"class":128},[118,2159,1430],{"class":1372},[852,2161,2163],{"id":2162},"older-linux-systems-ifconfig","Older Linux systems: ifconfig",[16,2165,2166,2167,2169],{},"If your system doesn't have the ",[105,2168,2077],{}," command, use:",[110,2171,2173],{"className":749,"code":2172,"language":751,"meta":54,"style":54},"ifconfig\n",[105,2174,2175],{"__ignoreMap":54},[118,2176,2177],{"class":120,"line":121},[118,2178,2172],{"class":124},[16,2180,2181],{},"Which outputs similar information:",[110,2183,2186],{"className":2184,"code":2185,"language":1330},[1328],"lo: flags=73\u003CUP,LOOPBACK,RUNNING>  mtu 65536\n        inet 127.0.0.1  netmask 255.0.0.0\n        inet6 ::1  prefixlen 128  scopeid 0x10\u003Chost>\n        loop  txqueuelen 1000  (Local Loopback)\n\neno0: flags=4163\u003CUP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n        inet 192.168.66.245  netmask 255.255.255.0  broadcast 192.168.66.255\n        inet6 fe80::767e:5882:2cdd:686e  prefixlen 64  scopeid 0x20\u003Clink>\n        ether 00:94:37:b7:8a:88  txqueuelen 1000  (Ethernet)\n",[105,2187,2185],{"__ignoreMap":54},[16,2189,1520,2190,2192,2193,2195],{},[105,2191,2116],{}," line is the IPv4 address. The ",[105,2194,2125],{}," line is the IPv6 address.",[852,2197,2199],{"id":2198},"networkmanager-nmcli","NetworkManager (nmcli)",[16,2201,2202],{},"On systems using NetworkManager (most desktop distros), you can also use:",[110,2204,2206],{"className":749,"code":2205,"language":751,"meta":54,"style":54},"nmcli device show | grep IP4.ADDRESS\n",[105,2207,2208],{"__ignoreMap":54},[118,2209,2210,2213,2216,2219,2223,2226],{"class":120,"line":121},[118,2211,2212],{"class":124},"nmcli",[118,2214,2215],{"class":128}," device",[118,2217,2218],{"class":128}," show",[118,2220,2222],{"class":2221},"s8I7P"," |",[118,2224,2225],{"class":124}," grep",[118,2227,2228],{"class":128}," IP4.ADDRESS\n",[16,2230,2231],{},"This shows IP addresses grouped by network interface (Ethernet, Wi-Fi, VPN, etc.).",[668,2233,2235,2237,2257,2287,2311,2338,2358,2383,2398,2417,2450],{"className":2234,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,2236,1096],{"id":1095},[1098,2238,2240,2243],{"className":2239},[1101],[1103,2241,2242],{},"How do I find my public IP address on Linux?",[16,2244,2245,2246,2248,2249,2252,2253,2256],{},"The quickest way is to run ",[105,2247,1120],{}," or ",[105,2250,2251],{},"curl ifconfig.me"," from a terminal. Both print your public IPv4 address to stdout. For IPv6, use ",[105,2254,2255],{},"curl -6 https:\u002F\u002Fipv6.getpublicip.com\u002Fip",". You can also use wget, dig, or host to accomplish the same thing.",[1098,2258,2260,2263],{"className":2259},[1101],[1103,2261,2262],{},"How do I get my public IP with curl?",[16,2264,2265,2266,2268,2269,2271,2272,2274,2275,2277,2278,709,2280,2283,2284,769],{},"Run ",[105,2267,1120],{}," to get your public IP. Add ",[105,2270,1484],{}," for silent mode (no progress bar). Force IPv4 with ",[105,2273,1935],{}," or IPv6 with ",[105,2276,1941],{},". Alternative services include ",[105,2279,2251],{},[105,2281,2282],{},"curl api.ipify.org",", and ",[105,2285,2286],{},"curl icanhazip.com",[1098,2288,2290,2293],{"className":2289},[1101],[1103,2291,2292],{},"How do I get my public IP with wget?",[16,2294,2265,2295,2298,2299,2301,2302,2304,2305,2274,2308,769],{},[105,2296,2297],{},"wget -qO- https:\u002F\u002Fapi.getpublicip.com\u002Fip"," to print your public IP to stdout. The ",[105,2300,1523],{}," flag suppresses progress output and ",[105,2303,1527],{}," sends the result to stdout instead of a file. Force IPv4 with ",[105,2306,2307],{},"wget -4",[105,2309,2310],{},"wget -6",[1098,2312,2314,2317],{"className":2313},[1101],[1103,2315,2316],{},"How do I force IPv4 or IPv6 when fetching my IP?",[16,2318,2319,2320,2322,2323,2325,2326,2328,2329,2331,2332,1759,2335,769],{},"Both curl and wget support ",[105,2321,1856],{}," (force IPv4) and ",[105,2324,1860],{}," (force IPv6) flags. For example, ",[105,2327,1805],{}," always returns your IPv4 address even on a dual-stack connection, and ",[105,2330,1810],{}," returns your IPv6 address. GetPublicIP also offers dedicated endpoints: ",[105,2333,2334],{},"ipv4.getpublicip.com",[105,2336,2337],{},"ipv6.getpublicip.com",[1098,2339,2341,2344],{"className":2340},[1101],[1103,2342,2343],{},"What is the quietest one-liner to print just my IP?",[16,2345,2346,2349,2350,2353,2354,2357],{},[105,2347,2348],{},"curl -s ifconfig.me"," prints only your IP with no extra output. With wget, use ",[105,2351,2352],{},"wget -qO- ifconfig.me",". With dig, use ",[105,2355,2356],{},"dig +short myip.opendns.com @resolver1.opendns.com",". All three return a single line containing just your public IPv4 address.",[1098,2359,2361,2364],{"className":2360},[1101],[1103,2362,2363],{},"What are the best services for getting my IP from the command line?",[16,2365,2366,2367,2370,2371,2373,2374,2376,2377,2379,2380,2382],{},"Popular free services include ",[105,2368,2369],{},"api.getpublicip.com"," (returns IP with ISP and location metadata), ",[105,2372,1925],{}," (plain text IP), ",[105,2375,1956],{}," (plain text, supports JSON), ",[105,2378,1978],{}," (plain text), and ",[105,2381,2001],{}," (supports JSON and plain text). All work with curl and wget.",[1098,2384,2386,2389],{"className":2385},[1101],[1103,2387,2388],{},"How do I find my public IP using dig?",[16,2390,2265,2391,2393,2394,2397],{},[105,2392,2356],{}," to query OpenDNS for your public IP. Or use ",[105,2395,2396],{},"dig TXT +short o-o.myaddr.l.google.com @ns1.google.com"," for the Google DNS equivalent. The dig method does not require an HTTP request, just a DNS lookup.",[1098,2399,2401,2404],{"className":2400},[1101],[1103,2402,2403],{},"What is the difference between public IP and local IP on Linux?",[16,2405,2406,2407,2248,2410,2413,2414,2416],{},"Your local (private) IP is the address assigned to your machine on the LAN, typically in the 192.168.x.x, 10.x.x.x, or 172.16-31.x.x range. Your public (external) IP is what the rest of the internet sees when you connect. Your router performs NAT to translate between the two. Use ",[105,2408,2409],{},"ip a",[105,2411,2412],{},"hostname -I"," for local IPs and ",[105,2415,2251],{}," for your public IP.",[1098,2418,2420,2423],{"className":2419},[1101],[1103,2421,2422],{},"How do I list all local IPs on my machine?",[16,2424,2265,2425,2427,2428,2430,2431,2434,2435,2438,2439,2441,2442,2445,2446,2449],{},[105,2426,2412],{}," for a quick space-separated list of all assigned IPs. For detailed interface-by-interface output, use ",[105,2429,2409],{}," (or ",[105,2432,2433],{},"ip -4 a"," for only IPv4, ",[105,2436,2437],{},"ip -6 a"," for only IPv6). On older systems without the ",[105,2440,2077],{}," command, use ",[105,2443,2444],{},"ifconfig",". For NetworkManager-managed systems, ",[105,2447,2448],{},"nmcli device show"," lists IPs per interface.",[1098,2451,2453,2456],{"className":2452},[1101],[1103,2454,2455],{},"Why does my router show a different IP than curl ifconfig.me?",[16,2457,2458,2459,2461,2462,2464,2465,2468],{},"If your router's WAN IP does not match what ",[105,2460,2251],{}," returns, your ISP is almost certainly using ",[83,2463,728],{"href":727},". CGNAT places an extra layer of NAT between your router and the public internet, sharing one public IP across many customers. This blocks inbound connections and makes self-hosting impossible without a workaround. See our full guide on ",[83,2466,2467],{"href":727},"self-hosting behind CGNAT"," for solutions.",[351,2470,2471],{},"html pre.shiki code .sHkqI, html code.shiki .sHkqI{--shiki-default:#A6E22E}html pre.shiki code .s_Ekj, html code.shiki .s_Ekj{--shiki-default:#E6DB74}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .s7s5_, html code.shiki .s7s5_{--shiki-default:#AE81FF}html pre.shiki code .snpHw, html code.shiki .snpHw{--shiki-default:#88846F}html pre.shiki code .s8I7P, html code.shiki .s8I7P{--shiki-default:#F92672}",{"title":54,"searchDepth":55,"depth":55,"links":2473},[2474,2475,2480,2485,2490,2491,2492,2498],{"id":1251,"depth":55,"text":1252},{"id":1301,"depth":55,"text":1302,"children":2476},[2477,2478,2479],{"id":1310,"depth":440,"text":1311},{"id":1361,"depth":440,"text":1362},{"id":1433,"depth":440,"text":1434},{"id":1491,"depth":55,"text":1492,"children":2481},[2482,2483,2484],{"id":1503,"depth":440,"text":1311},{"id":1554,"depth":440,"text":1362},{"id":1622,"depth":440,"text":1623},{"id":1669,"depth":55,"text":1670,"children":2486},[2487,2488,2489],{"id":1676,"depth":440,"text":1677},{"id":1705,"depth":440,"text":1706},{"id":1738,"depth":440,"text":1739},{"id":1768,"depth":55,"text":1362},{"id":1867,"depth":55,"text":1868},{"id":2039,"depth":55,"text":2040,"children":2493},[2494,2495,2496,2497],{"id":2046,"depth":440,"text":2047},{"id":2066,"depth":440,"text":2067},{"id":2162,"depth":440,"text":2163},{"id":2198,"depth":440,"text":2199},{"id":1095,"depth":55,"text":1096},"2025-01-05T16:26:00.000Z","Find your public IPv4 or IPv6 address on Linux using curl, wget, or dig. One-liners, force-v4\u002Fv6 flags, and how to find your local IP too. 2026 guide.",[2502,2504,2506,2508,2510,2512,2514,2516,2518,2520],{"question":2242,"answer":2503},"The quickest way is to run curl https:\u002F\u002Fapi.getpublicip.com\u002Fip or curl ifconfig.me from a terminal. Both print your public IPv4 address to stdout. For IPv6, use curl -6 https:\u002F\u002Fipv6.getpublicip.com\u002Fip. You can also use wget, dig, or host to accomplish the same thing.",{"question":2262,"answer":2505},"Run curl https:\u002F\u002Fapi.getpublicip.com\u002Fip to get your public IP. Add -s for silent mode (no progress bar). Force IPv4 with curl -4 or IPv6 with curl -6. Alternative services include curl ifconfig.me, curl api.ipify.org, and curl icanhazip.com.",{"question":2292,"answer":2507},"Run wget -qO- https:\u002F\u002Fapi.getpublicip.com\u002Fip to print your public IP to stdout. The -q flag suppresses progress output and -O- sends the result to stdout instead of a file. Force IPv4 with wget -4 or IPv6 with wget -6.",{"question":2316,"answer":2509},"Both curl and wget support -4 (force IPv4) and -6 (force IPv6) flags. For example, curl -4 ifconfig.me always returns your IPv4 address even on a dual-stack connection, and curl -6 ifconfig.me returns your IPv6 address. GetPublicIP also offers dedicated endpoints: ipv4.getpublicip.com and ipv6.getpublicip.com.",{"question":2343,"answer":2511},"curl -s ifconfig.me prints only your IP with no extra output. With wget, use wget -qO- ifconfig.me. With dig, use dig +short myip.opendns.com @resolver1.opendns.com. All three return a single line containing just your public IPv4 address.",{"question":2363,"answer":2513},"Popular free services include api.getpublicip.com (returns IP with ISP and location metadata), ifconfig.me (plain text IP), api.ipify.org (plain text, supports JSON), icanhazip.com (plain text), and ifconfig.co (supports JSON and plain text). All work with curl and wget.",{"question":2388,"answer":2515},"Run dig +short myip.opendns.com @resolver1.opendns.com to query OpenDNS for your public IP. Or use dig TXT +short o-o.myaddr.l.google.com @ns1.google.com for the Google DNS equivalent. The dig method does not require an HTTP request, just a DNS lookup.",{"question":2403,"answer":2517},"Your local (private) IP is the address assigned to your machine on the LAN, typically in the 192.168.x.x, 10.x.x.x, or 172.16-31.x.x range. Your public (external) IP is what the rest of the internet sees when you connect. Your router performs NAT to translate between the two. Use ip a or hostname -I for local IPs and curl ifconfig.me for your public IP.",{"question":2422,"answer":2519},"Run hostname -I for a quick space-separated list of all assigned IPs. For detailed interface-by-interface output, use ip a (or ip -4 a for only IPv4, ip -6 a for only IPv6). On older systems without the ip command, use ifconfig. For NetworkManager-managed systems, nmcli device show lists IPs per interface.",{"question":2455,"answer":2521},"If your router's WAN IP does not match what curl ifconfig.me returns, your ISP is almost certainly using carrier-grade NAT (CGNAT). CGNAT places an extra layer of NAT between your router and the public internet, sharing one public IP across many customers. This blocks inbound connections and makes self-hosting impossible without a workaround. See our full guide on self-hosting behind CGNAT for solutions.",{},{"title":2524,"icon":2525,"description":2526},"Find your IP Address on Linux","mdi-penguin","Find your public and local IP address on Linux using curl, wget, dig, and built-in tools.",{"title":1222,"description":2500},"guides\u002Ffind-your-public-ip-address\u002Ffind-your-ip-address-on-linux","LXEVQUsxETGjD4rFvsWci354RE_70AJGR1Gu99hkQZQ",{"id":2531,"title":2532,"body":2533,"createdAt":2827,"description":2828,"extension":61,"faq":59,"meta":2829,"navigation":2830,"path":2832,"seo":2833,"stem":2834,"updatedAt":2827,"__hash__":2835},"docs\u002Fguides\u002Ffind-your-public-ip-address\u002Ffind-your-ip-address-on-windows.md","Find your IP Address on Windows",{"type":8,"value":2534,"toc":2818},[2535,2538,2548,2694,2815],[11,2536,2532],{"id":2537},"find-your-ip-address-on-windows",[1230,2539,2540,2544],{},[1233,2541,2542],{"cols":1235,"md":1236},[1238,2543],{"max-width":1240},[1233,2545,2546],{"cols":1235,"md":1236},[1244,2547],{"max-width":1240},[668,2549,2551,2556,2563,2567,2570,2581,2584,2593,2596,2605,2618,2624,2633,2637,2648,2651,2661,2664,2673,2676,2685,2688],{"className":2550,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,2552,2555],{"className":2553,"id":2554},[675],"find-your-public-ip-external-address-on-windows","Find your public IP \u002F external address on Windows",[16,2557,2558,2559,2562],{},"Windows 10 and later ship with ",[105,2560,2561],{},"curl.exe"," built in, so you can check your public IP directly from PowerShell or Command Prompt.",[852,2564,2566],{"id":2565},"using-powershell","Using PowerShell",[16,2568,2569],{},"Get your public IP \u002F external address (IPv4 or IPv6 depending on your setup) using PowerShell",[110,2571,2575],{"className":2572,"code":2573,"language":2574,"meta":54,"style":54},"language-powershell shiki shiki-themes monokai","curl.exe https:\u002F\u002Fapi.getpublicip.com\u002Fip\n","powershell",[105,2576,2577],{"__ignoreMap":54},[118,2578,2579],{"class":120,"line":121},[118,2580,2573],{},[16,2582,2583],{},"Get your external IPv4 address using PowerShell",[110,2585,2587],{"className":2572,"code":2586,"language":2574,"meta":54,"style":54},"curl.exe https:\u002F\u002Fipv4.getpublicip.com\u002Fip\n",[105,2588,2589],{"__ignoreMap":54},[118,2590,2591],{"class":120,"line":121},[118,2592,2586],{},[16,2594,2595],{},"Get your external IPv6 address using PowerShell",[110,2597,2599],{"className":2572,"code":2598,"language":2574,"meta":54,"style":54},"curl.exe https:\u002F\u002Fipv6.getpublicip.com\u002Fip\n",[105,2600,2601],{"__ignoreMap":54},[118,2602,2603],{"class":120,"line":121},[118,2604,2598],{},[16,2606,2607,2608,2610,2611,2614,2615,2617],{},"Note: In PowerShell, ",[105,2609,758],{}," is an alias for ",[105,2612,2613],{},"Invoke-WebRequest",". Use ",[105,2616,2561],{}," to call the actual curl binary instead.",[16,2619,2620,2621,2623],{},"You can also use ",[105,2622,2613],{}," directly:",[110,2625,2627],{"className":2572,"code":2626,"language":2574,"meta":54,"style":54},"(Invoke-WebRequest -UseBasicParsing -URI https:\u002F\u002Fapi.getpublicip.com\u002Fip).Content\n",[105,2628,2629],{"__ignoreMap":54},[118,2630,2631],{"class":120,"line":121},[118,2632,2626],{},[852,2634,2636],{"id":2635},"using-command-prompt","Using Command Prompt",[16,2638,2639,2640,2643,2644,2647],{},"Open Command Prompt by pressing ",[105,2641,2642],{},"Win + R",", typing ",[105,2645,2646],{},"cmd",", and pressing Enter.",[16,2649,2650],{},"Get your public IP address (IPv4 or IPv6 depending on your connection) using Command Prompt",[110,2652,2655],{"className":2653,"code":750,"language":2654,"meta":54,"style":54},"language-batch shiki shiki-themes monokai","batch",[105,2656,2657],{"__ignoreMap":54},[118,2658,2659],{"class":120,"line":121},[118,2660,750],{},[16,2662,2663],{},"Get your external IPv4 address using Command Prompt",[110,2665,2667],{"className":2653,"code":2666,"language":2654,"meta":54,"style":54},"curl https:\u002F\u002Fipv4.getpublicip.com\u002Fip\n",[105,2668,2669],{"__ignoreMap":54},[118,2670,2671],{"class":120,"line":121},[118,2672,2666],{},[16,2674,2675],{},"Get your external IPv6 address using Command Prompt",[110,2677,2679],{"className":2653,"code":2678,"language":2654,"meta":54,"style":54},"curl https:\u002F\u002Fipv6.getpublicip.com\u002Fip\n",[105,2680,2681],{"__ignoreMap":54},[118,2682,2683],{"class":120,"line":121},[118,2684,2678],{},[16,2686,2687],{},"The output of these commands will look like:",[110,2689,2692],{"className":2690,"code":2691,"language":1330},[1328],"IP Address: 172.21.0.1\nISP: Unknown\nCity: Unknown\nCountry: Unknown\n",[105,2693,2691],{"__ignoreMap":54},[668,2695,2697,2701,2707,2716,2719,2725,2736,2749,2758,2764,2767,2776,2779,2785,2794,2797,2803,2806],{"className":2696,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,2698,2700],{"id":2699},"find-your-local-ip-address-on-windows","Find your local IP address on Windows",[16,2702,2703,2704,210],{},"The quickest way to find your local IP address on Windows is using ",[105,2705,2706],{},"ipconfig",[110,2708,2710],{"className":2653,"code":2709,"language":2654,"meta":54,"style":54},"ipconfig\n",[105,2711,2712],{"__ignoreMap":54},[118,2713,2714],{"class":120,"line":121},[118,2715,2709],{},[16,2717,2718],{},"You will see an output similar to:",[110,2720,2723],{"className":2721,"code":2722,"language":1330},[1328],"Windows IP Configuration\n\nEthernet adapter Ethernet:\n\n   Connection-specific DNS Suffix  . : home.local\n   Link-local IPv6 Address . . . . . : fe80::767e:5882:2cdd:686e%12\n   IPv4 Address. . . . . . . . . . . : 192.168.1.100\n   Subnet Mask . . . . . . . . . . . : 255.255.255.0\n   Default Gateway . . . . . . . . . : 192.168.1.1\n\nWireless LAN adapter Wi-Fi:\n\n   Connection-specific DNS Suffix  . : home.local\n   Link-local IPv6 Address . . . . . : fe80::a1b2:c3d4:e5f6:7890%15\n   IPv4 Address. . . . . . . . . . . : 192.168.1.105\n   Subnet Mask . . . . . . . . . . . : 255.255.255.0\n   Default Gateway . . . . . . . . . : 192.168.1.1\n",[105,2724,2722],{"__ignoreMap":54},[16,2726,2727,2728,2731,2732,2735],{},"Each section represents a network adapter. The ",[105,2729,2730],{},"Ethernet adapter"," section is your wired connection and ",[105,2733,2734],{},"Wireless LAN adapter Wi-Fi"," is your wireless connection.",[16,2737,1520,2738,2741,2742,2745,2746,769],{},[105,2739,2740],{},"IPv4 Address"," line shows your local IP address. In this case the wired connection has ",[105,2743,2744],{},"192.168.1.100"," and the wireless connection has ",[105,2747,2748],{},"192.168.1.105",[16,2750,1520,2751,2754,2755,2757],{},[105,2752,2753],{},"Link-local IPv6 Address"," line shows the IPv6 address of the adapter. All IPv6 addresses that start with ",[105,2756,2129],{}," are reserved link-local addresses.",[16,2759,1520,2760,2763],{},[105,2761,2762],{},"Default Gateway"," is usually your router's IP address.",[16,2765,2766],{},"For more detailed information including MAC addresses, use:",[110,2768,2770],{"className":2653,"code":2769,"language":2654,"meta":54,"style":54},"ipconfig \u002Fall\n",[105,2771,2772],{"__ignoreMap":54},[118,2773,2774],{"class":120,"line":121},[118,2775,2769],{},[852,2777,2566],{"id":2778},"using-powershell-1",[16,2780,2781,2782,210],{},"PowerShell provides a more structured way to view your IP addresses using ",[105,2783,2784],{},"Get-NetIPAddress",[110,2786,2788],{"className":2572,"code":2787,"language":2574,"meta":54,"style":54},"Get-NetIPAddress | Format-Table InterfaceAlias, IPAddress, PrefixLength\n",[105,2789,2790],{"__ignoreMap":54},[118,2791,2792],{"class":120,"line":121},[118,2793,2787],{},[16,2795,2796],{},"Which will output:",[110,2798,2801],{"className":2799,"code":2800,"language":1330},[1328],"InterfaceAlias       IPAddress                       PrefixLength\n--------------       ---------                       ------------\nEthernet             192.168.1.100                             24\nEthernet             fe80::767e:5882:2cdd:686e%12              64\nWi-Fi                192.168.1.105                             24\nWi-Fi                fe80::a1b2:c3d4:e5f6:7890%15             64\nLoopback Pseudo...   127.0.0.1                                  8\nLoopback Pseudo...   ::1                                      128\n",[105,2802,2800],{"__ignoreMap":54},[16,2804,2805],{},"To filter for only IPv4 addresses:",[110,2807,2809],{"className":2572,"code":2808,"language":2574,"meta":54,"style":54},"Get-NetIPAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, IPAddress\n",[105,2810,2811],{"__ignoreMap":54},[118,2812,2813],{"class":120,"line":121},[118,2814,2808],{},[351,2816,2817],{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":54,"searchDepth":55,"depth":55,"links":2819},[2820,2824],{"id":2554,"depth":55,"text":2555,"children":2821},[2822,2823],{"id":2565,"depth":440,"text":2566},{"id":2635,"depth":440,"text":2636},{"id":2699,"depth":55,"text":2700,"children":2825},[2826],{"id":2778,"depth":440,"text":2566},"2026-03-31T12:00:00.000Z","Find your public IP address on Windows using PowerShell and Command Prompt. Get your IPv4 or IPv6 external address and local IP using built-in commands.",{},{"title":2532,"icon":653,"description":2831},"Find your public and local IP address on Windows using PowerShell and Command Prompt.","\u002Fguides\u002Ffind-your-public-ip-address\u002Ffind-your-ip-address-on-windows",{"title":2532,"description":2828},"guides\u002Ffind-your-public-ip-address\u002Ffind-your-ip-address-on-windows","7gOHXeEqtCX_O5rzhyBysqvk9yk90ICcT-6yzgrbgXM",{"path":2837,"title":2838,"icon":1218,"children":2839},"\u002Fguides\u002Fself-hosting","Self Hosting",[2840,3864,4659,5891,6804],{"id":2841,"title":2842,"body":2843,"createdAt":1193,"description":3847,"extension":61,"faq":3848,"meta":3855,"navigation":3856,"path":3860,"seo":3861,"stem":3862,"updatedAt":1193,"__hash__":3863},"docs\u002Fguides\u002Fself-hosting\u002Fexpose-home-server-to-internet.md","How to Expose Your Home Server to the Internet (5 Methods, 2026)",{"type":8,"value":2844,"toc":3804},[2845,2849,2874,2942,3017,3119,3220,3298,3391,3525,3587,3742,3801],[11,2846,2848],{"id":2847},"how-to-expose-your-home-server-to-the-internet","How to Expose Your Home Server to the Internet",[668,2850,2852,2855,2865],{"className":2851,"rounded":54,"max-width":677},[671,672,673,674,675,676],[16,2853,2854],{},"You have a server running at home. Maybe it is Home Assistant, Nextcloud, a Minecraft server, a personal website, or a mail server. It works on your local network. Now you want the rest of the internet to reach it.",[16,2856,2857,2858,2861,2862,2864],{},"There are five realistic ways to do this, each with different trade-offs around cost, protocol support, and whether they work behind ",[83,2859,2860],{"href":727},"CGNAT",". This guide walks through all five, from simplest to most capable, so you can pick the right one for your situation. If you do not yet have a ",[83,2863,698],{"href":1210},", some of these methods will not work at all, and knowing that up front saves you hours of troubleshooting.",[16,2866,2867],{},[421,2868],{"alt":2869,"className":2870,"src":2873},"Comparison diagram showing the 5 methods to expose a home server to the internet, with traffic flow for each method",[2871,2872],"w-100","my-4","\u002Fimages\u002Fguides\u002Fhome_server_exposure_methods.svg",[668,2875,2877,2881,2884,2888,2891,2901,2906,2913,2917,2927,2931],{"className":2876,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,2878,2880],{"id":2879},"before-you-start-check-your-network-situation","Before you start — check your network situation",[16,2882,2883],{},"Before choosing a method, you need to know what kind of internet connection you have. Run through these checks first.",[852,2885,2887],{"id":2886},"do-you-have-a-public-ip","Do you have a public IP?",[16,2889,2890],{},"From any device on your LAN, run:",[110,2892,2893],{"className":749,"code":750,"language":751,"meta":54,"style":54},[105,2894,2895],{"__ignoreMap":54},[118,2896,2897,2899],{"class":120,"line":121},[118,2898,758],{"class":124},[118,2900,761],{"class":128},[16,2902,2903,2904,769],{},"Then log into your router's admin panel and find the WAN IP address (usually under \"Status\" or \"Internet\"). If the two addresses match, you have a real public IP. If they don't match, your ISP is doing something upstream, most likely ",[83,2905,2860],{"href":727},[16,2907,2908,2909,2912],{},"See our full guide to ",[83,2910,2911],{"href":767},"finding your public IP on Linux"," for more commands and alternatives.",[852,2914,2916],{"id":2915},"is-your-ip-static-or-dynamic","Is your IP static or dynamic?",[16,2918,2919,2920,2922,2923,2926],{},"Most residential ISPs assign dynamic IPs that change periodically (every few hours, days, or weeks). You can check by running ",[105,2921,1120],{}," over a few days and comparing the results. If the address changes, you have a dynamic IP. Your ISP may offer a ",[83,2924,2925],{"href":876},"static IP upgrade",", usually for an extra monthly fee.",[852,2928,2930],{"id":2929},"are-you-behind-cgnat","Are you behind CGNAT?",[16,2932,2933,2934,2937,2938,2941],{},"If your router's WAN interface shows an address in the ",[682,2935,2936],{},"100.64.0.0 - 100.127.255.255"," range, you are behind carrier-grade NAT. This means your ISP shares one public IP across many customers, and ",[682,2939,2940],{},"no amount of port forwarding on your router will work",". Methods 1 and 2 below are off the table. You need Method 3, 4, or 5.",[668,2943,2945,2949,2952,2956,2976,2980,2983,2987,3010],{"className":2944,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,2946,2948],{"id":2947},"method-1-port-forwarding-free-requires-a-public-ip","Method 1 — Port forwarding (free, requires a public IP)",[16,2950,2951],{},"Port forwarding is the oldest and most straightforward way to expose a home server. You tell your router: \"any traffic arriving on port X, send it to internal IP address Y on port Z.\"",[852,2953,2955],{"id":2954},"how-to-set-it-up","How to set it up",[38,2957,2958,2964,2967,2970,2973],{},[41,2959,2960,2961,2963],{},"Give your server a static local IP address (for example, ",[105,2962,2744],{},") either by setting it manually on the server or by creating a DHCP reservation in your router.",[41,2965,2966],{},"Log into your router's admin panel.",[41,2968,2969],{},"Find the port forwarding section (sometimes called \"virtual servers\" or \"NAT rules\").",[41,2971,2972],{},"Create a rule: external port (for example, 443 for HTTPS) forwarded to your server's internal IP on the same port.",[41,2974,2975],{},"Save and test from an external network (phone on mobile data, or ask a friend to try).",[852,2977,2979],{"id":2978},"when-it-works","When it works",[16,2981,2982],{},"You have a real public IP from your ISP (not CGNAT), and your ISP does not block the ports you need. This is free and gives you full protocol support, any TCP or UDP port.",[852,2984,2986],{"id":2985},"when-it-doesnt-work","When it doesn't work",[806,2988,2989,2998,3004],{},[41,2990,2991,2993,2994,2997],{},[682,2992,2860],{},": Your ISP shares your public IP with other customers. Port forwarding on your router has no effect because the ISP's NAT upstream never forwards the traffic to you. See our ",[83,2995,2996],{"href":727},"CGNAT guide"," for how to confirm this.",[41,2999,3000,3003],{},[682,3001,3002],{},"ISP port blocks",": Some ISPs block common ports like 25 (SMTP), 80 (HTTP), or 443 (HTTPS) on residential plans.",[41,3005,3006,3009],{},[682,3007,3008],{},"Dynamic IP",": Your public IP changes, so anyone trying to reach your server by IP address will lose connectivity when it rotates. Method 2 solves this.",[16,3011,3012,3013,769],{},"If port forwarding is not working for you, see our ",[83,3014,3016],{"href":3015},"\u002Fguides\u002Fself-hosting\u002Fport-forwarding-not-working","port forwarding troubleshooting guide",[668,3018,3020,3024,3027,3030,3037,3041,3061,3065,3105,3109,3116],{"className":3019,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,3021,3023],{"id":3022},"method-2-dynamic-dns-port-forwarding-free-handles-ip-changes","Method 2 — Dynamic DNS + port forwarding (free, handles IP changes)",[16,3025,3026],{},"If your ISP gives you a real public IP but it changes periodically, dynamic DNS (DDNS) keeps a hostname pointed at your current address.",[852,3028,3029],{"id":32},"How it works",[16,3031,3032,3033,3036],{},"A small agent runs on your server (or router, if it supports it) and periodically reports your current public IP to a DNS provider. When your IP changes, the DNS record updates automatically. Anyone connecting to ",[105,3034,3035],{},"yourserver.duckdns.org"," always reaches the right address.",[852,3038,3040],{"id":3039},"popular-ddns-providers","Popular DDNS providers",[806,3042,3043,3049,3055],{},[41,3044,3045,3048],{},[682,3046,3047],{},"DuckDNS"," — Free, open-source, simple API",[41,3050,3051,3054],{},[682,3052,3053],{},"No-IP"," — Free tier with manual renewal every 30 days",[41,3056,3057,3060],{},[682,3058,3059],{},"Cloudflare DNS"," — Free if you already own a domain and use Cloudflare for DNS; update the A record via their API",[852,3062,3064],{"id":3063},"setup-example-with-duckdns","Setup example with DuckDNS",[110,3066,3068],{"className":749,"code":3067,"language":751,"meta":54,"style":54},"# Add to crontab — updates your IP every 5 minutes\n*\u002F5 * * * * curl -s \"https:\u002F\u002Fwww.duckdns.org\u002Fupdate?domains=YOURDOMAIN&token=YOURTOKEN&ip=\" > \u002Fdev\u002Fnull\n",[105,3069,3070,3075],{"__ignoreMap":54},[118,3071,3072],{"class":120,"line":121},[118,3073,3074],{"class":1372},"# Add to crontab — updates your IP every 5 minutes\n",[118,3076,3077,3080,3084,3086,3089,3091,3093,3096,3099,3102],{"class":120,"line":55},[118,3078,3079],{"class":2221},"*",[118,3081,3083],{"class":3082},"sCdxs","\u002F5 ",[118,3085,3079],{"class":2221},[118,3087,3088],{"class":2221}," *",[118,3090,3088],{"class":2221},[118,3092,3088],{"class":2221},[118,3094,3095],{"class":3082}," curl -s ",[118,3097,3098],{"class":128},"\"https:\u002F\u002Fwww.duckdns.org\u002Fupdate?domains=YOURDOMAIN&token=YOURTOKEN&ip=\"",[118,3100,3101],{"class":2221}," >",[118,3103,3104],{"class":3082}," \u002Fdev\u002Fnull\n",[852,3106,3108],{"id":3107},"limitations","Limitations",[16,3110,3111,3112,3115],{},"DDNS only solves the \"my IP keeps changing\" problem. You still need port forwarding to work, which means you still need a real public IP. DDNS does ",[682,3113,3114],{},"not"," bypass CGNAT. If you are behind CGNAT, skip to Method 3, 4, or 5.",[16,3117,3118],{},"There is also a propagation delay. When your IP changes, it can take a few minutes for the DNS update to propagate, during which your server is unreachable.",[668,3120,3122,3126,3129,3132,3157,3160,3186,3189,3215],{"className":3121,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,3123,3125],{"id":3124},"method-3-cloudflare-tunnel-free-httphttps-only","Method 3 — Cloudflare Tunnel (free, HTTP\u002FHTTPS only)",[16,3127,3128],{},"Cloudflare Tunnel (formerly Argo Tunnel) creates an outbound connection from your server to Cloudflare's edge network. Because the connection is outbound, it bypasses CGNAT entirely.",[852,3130,3029],{"id":3131},"how-it-works-1",[38,3133,3134,3141,3144,3151],{},[41,3135,3136,3137,3140],{},"Install the ",[105,3138,3139],{},"cloudflared"," daemon on your server.",[41,3142,3143],{},"Authenticate with your Cloudflare account and create a tunnel.",[41,3145,3146,3147,3150],{},"Configure which local service to expose (for example, ",[105,3148,3149],{},"localhost:8080",").",[41,3152,3153,3154,769],{},"Cloudflare assigns a URL on your domain, and traffic flows: ",[682,3155,3156],{},"visitor -> Cloudflare edge -> tunnel -> your server",[852,3158,863],{"id":3159},"pros",[806,3161,3162,3168,3174,3183],{},[41,3163,3164,3167],{},[682,3165,3166],{},"Free"," on the Zero Trust free tier",[41,3169,3170,3173],{},[682,3171,3172],{},"Bypasses CGNAT"," since your server initiates the connection",[41,3175,3176,3179,3180,3182],{},[682,3177,3178],{},"Easy setup"," with ",[105,3181,3139],{}," CLI",[41,3184,3185],{},"Built-in DDoS protection via Cloudflare's network",[852,3187,869],{"id":3188},"cons",[806,3190,3191,3197,3203,3209],{},[41,3192,3193,3196],{},[682,3194,3195],{},"HTTP and HTTPS only"," on the free plan. No support for raw TCP, UDP, email (SMTP), game servers, VoIP, or SSH on custom ports.",[41,3198,3199,3202],{},[682,3200,3201],{},"SSL terminates at Cloudflare",". Cloudflare decrypts your HTTPS traffic at their edge, inspects it, and re-encrypts it before forwarding to your server. They can see the plaintext content of every request and response. For some use cases this is a dealbreaker.",[41,3204,3205,3208],{},[682,3206,3207],{},"No dedicated IP",". Your domain points to Cloudflare's shared IP space, not a dedicated address.",[41,3210,3211,3214],{},[682,3212,3213],{},"No reverse DNS",". Cannot set PTR records, which rules out email hosting.",[16,3216,3217,3218,769],{},"Cloudflare Tunnel is an excellent free option if you only need to expose a web application and you are comfortable with Cloudflare terminating your SSL. For a deeper comparison, see ",[83,3219,918],{"href":917},[668,3221,3223,3227,3230,3233,3244,3247,3272,3275,3295],{"className":3222,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,3224,3226],{"id":3225},"method-4-tailscale-wireguard-mesh-free-tier-private-access","Method 4 — Tailscale \u002F WireGuard mesh (free tier, private access)",[16,3228,3229],{},"Tailscale is a mesh VPN built on WireGuard. It connects your devices in a private network (called a tailnet) with zero configuration.",[852,3231,3029],{"id":3232},"how-it-works-2",[38,3234,3235,3238,3241],{},[41,3236,3237],{},"Install Tailscale on your server and on any device you want to connect from (phone, laptop, etc.).",[41,3239,3240],{},"Log in with the same account on each device.",[41,3242,3243],{},"Your devices can now reach each other using Tailscale-assigned IPs, regardless of network, CGNAT, or firewalls.",[852,3245,863],{"id":3246},"pros-1",[806,3248,3249,3255,3260,3266],{},[41,3250,3251,3254],{},[682,3252,3253],{},"Zero configuration"," — install, log in, done",[41,3256,3257,3259],{},[682,3258,3172],{}," since connections are relayed through Tailscale's coordination servers when needed",[41,3261,3262,3265],{},[682,3263,3264],{},"Free tier"," supports up to 3 users and 100 devices",[41,3267,3268,3271],{},[682,3269,3270],{},"End-to-end encrypted"," within your tailnet",[852,3273,869],{"id":3274},"cons-1",[806,3276,3277,3283,3289],{},[41,3278,3279,3282],{},[682,3280,3281],{},"Not public-facing",". Only devices on your Tailscale network can connect. A random visitor on the internet cannot reach your server.",[41,3284,3285,3288],{},[682,3286,3287],{},"Tailscale Funnel"," can expose HTTPS services publicly, but it is limited to HTTPS only, routes through Tailscale's relay infrastructure, and has undisclosed bandwidth limits. It is not designed for production public hosting.",[41,3290,3291,3294],{},[682,3292,3293],{},"Not suitable for public services"," like websites, email servers, or game servers that need to be reachable by anyone.",[16,3296,3297],{},"Tailscale is the best option if you only need to access your home server from your own devices while away from home. It is not the right tool for hosting public services.",[668,3299,3301,3305,3308,3311,3327,3330,3334,3376,3380,3383],{"className":3300,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,3302,3304],{"id":3303},"method-5-dedicated-public-ip-service-any-protocol-public-facing","Method 5 — Dedicated public IP service (any protocol, public-facing)",[16,3306,3307],{},"GetPublicIP assigns you a real, dedicated public IPv4 address and routes it to your server through an encrypted WireGuard tunnel. Your server receives traffic exactly as if the public IP were configured directly on your machine: all ports, all protocols, no modification or inspection of your packets.",[852,3309,3029],{"id":3310},"how-it-works-3",[38,3312,3313,3318,3321,3324],{},[41,3314,3315,3317],{},[83,3316,978],{"href":977}," and provision a public IP address.",[41,3319,3320],{},"Install WireGuard on your server and import the configuration file from your dashboard.",[41,3322,3323],{},"The WireGuard tunnel connects your server to GetPublicIP's edge infrastructure.",[41,3325,3326],{},"All inbound traffic for your public IP flows through the tunnel to your server. Your server responds directly.",[16,3328,3329],{},"Because the tunnel is an outbound connection from your server, it works behind CGNAT, restrictive ISPs, and any network configuration.",[852,3331,3333],{"id":3332},"what-makes-this-different","What makes this different",[806,3335,3336,3342,3347,3353,3359,3364,3370],{},[41,3337,3338,3341],{},[682,3339,3340],{},"All protocols",": TCP, UDP, ICMP — every port from 1 to 65535. Host websites, email servers, game servers, VoIP, DNS, SSH, or anything else.",[41,3343,3344,3346],{},[682,3345,947],{},": SSL\u002FTLS terminates at your server, not at a proxy. GetPublicIP never decrypts, inspects, or modifies your traffic.",[41,3348,3349,3352],{},[682,3350,3351],{},"Dedicated IP",": The IPv4 address is yours alone, not shared with other customers.",[41,3354,3355,3358],{},[682,3356,3357],{},"Reverse DNS",": Set PTR records for your IP, which is essential for email deliverability.",[41,3360,3361,3363],{},[682,3362,953],{},": Move your server to a new location, different ISP, different country. Your public IP stays the same.",[41,3365,3366,3369],{},[682,3367,3368],{},"Failover",": If your primary internet connection drops, your IP can failover automatically.",[41,3371,3372,3375],{},[682,3373,3374],{},"Shields your home IP",": Internet traffic hits your dedicated IP on our edge, not your ISP-assigned home address.",[852,3377,3379],{"id":3378},"pricing","Pricing",[16,3381,3382],{},"$8.99\u002Fmonth per IP address. No contracts, cancel anytime.",[16,3384,3385,3386,3388,3389,769],{},"Ready to get started? ",[83,3387,978],{"href":977}," or follow the ",[83,3390,982],{"href":65},[668,3392,3394,3398,3522],{"className":3393,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,3395,3397],{"id":3396},"comparison-table","Comparison table",[1773,3399,3400,3424],{},[1776,3401,3402],{},[1779,3403,3404,3407,3410,3412,3415,3418,3421],{},[1782,3405,3406],{},"Method",[1782,3408,3409],{},"Works behind CGNAT",[1782,3411,3340],{},[1782,3413,3414],{},"Email hosting",[1782,3416,3417],{},"SSL\u002FTLS",[1782,3419,3420],{},"Cost",[1782,3422,3423],{},"Complexity",[1792,3425,3426,3448,3465,3483,3503],{},[1779,3427,3428,3431,3434,3437,3440,3443,3445],{},[1797,3429,3430],{},"Port forwarding",[1797,3432,3433],{},"No",[1797,3435,3436],{},"Yes",[1797,3438,3439],{},"Yes (if port 25 open)",[1797,3441,3442],{},"At your server",[1797,3444,3166],{},[1797,3446,3447],{},"Low",[1779,3449,3450,3453,3455,3457,3459,3461,3463],{},[1797,3451,3452],{},"DDNS + port forwarding",[1797,3454,3433],{},[1797,3456,3436],{},[1797,3458,3439],{},[1797,3460,3442],{},[1797,3462,3166],{},[1797,3464,3447],{},[1779,3466,3467,3469,3471,3474,3476,3479,3481],{},[1797,3468,1023],{},[1797,3470,3436],{},[1797,3472,3473],{},"HTTP\u002FHTTPS only",[1797,3475,3433],{},[1797,3477,3478],{},"At Cloudflare",[1797,3480,3166],{},[1797,3482,3447],{},[1779,3484,3485,3488,3490,3493,3496,3499,3501],{},[1797,3486,3487],{},"Tailscale",[1797,3489,3436],{},[1797,3491,3492],{},"Yes (private only)",[1797,3494,3495],{},"No (not public)",[1797,3497,3498],{},"End-to-end",[1797,3500,3264],{},[1797,3502,3447],{},[1779,3504,3505,3507,3509,3512,3514,3517,3520],{},[1797,3506,1017],{},[1797,3508,3436],{},[1797,3510,3511],{},"Yes (all)",[1797,3513,3436],{},[1797,3515,3516],{},"At your server (E2E)",[1797,3518,3519],{},"$8.99\u002Fmo",[1797,3521,3447],{},[16,3523,3524],{},"Port forwarding and DDNS are free but require a real public IP and open ports from your ISP. Cloudflare Tunnel is free and bypasses CGNAT but only handles web traffic. Tailscale is excellent for private access but cannot serve the public internet. GetPublicIP is the only option that combines CGNAT bypass, all-protocol support, and a real dedicated public IP.",[668,3526,3528,3532,3535,3544,3555,3563,3571,3579],{"className":3527,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,3529,3531],{"id":3530},"which-method-should-you-choose","Which method should you choose?",[16,3533,3534],{},"The right method depends on what you are hosting and how your network is configured.",[16,3536,3537,3540,3541,3543],{},[682,3538,3539],{},"Just want remote access for yourself?"," Use ",[682,3542,3487],{},". Install it on your server and your devices, and you can reach your home server from anywhere. No public exposure, no ports to manage.",[16,3545,3546,3549,3550,3552,3553,769],{},[682,3547,3548],{},"Hosting a public website only?"," ",[682,3551,1023],{}," works well and is free. If you need end-to-end encryption or a dedicated IP, use ",[682,3554,1017],{},[16,3556,3557,3549,3560,3562],{},[682,3558,3559],{},"Running an email server?",[682,3561,1017],{}," is the only option here. Email requires ports 25, 465, 587, and 993, plus reverse DNS (PTR records) for deliverability. No other method in this list supports this.",[16,3564,3565,3549,3568,3570],{},[682,3566,3567],{},"Hosting a game server (Minecraft, Valheim, Palworld, etc.)?",[682,3569,1017],{},". Game servers need raw TCP and UDP on specific ports. Cloudflare Tunnel does not support UDP. Tailscale only works for players on your private network.",[16,3572,3573,3549,3576,3578],{},[682,3574,3575],{},"Need reliability and failover?",[682,3577,1017],{},". Your public IP persists even if your home ISP connection drops temporarily, and it stays the same if you switch ISPs or move your server.",[16,3580,3581,3549,3584,3586],{},[682,3582,3583],{},"Behind CGNAT and need all protocols?",[682,3585,1017],{},". It is the only method that gives you a real, routable public IPv4 address with full protocol support while bypassing CGNAT.",[668,3588,3590,3594,3597,3601,3614,3680,3684,3687,3691,3694,3698,3701,3735,3739],{"className":3589,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,3591,3593],{"id":3592},"common-mistakes-when-exposing-a-home-server","Common mistakes when exposing a home server",[16,3595,3596],{},"Once your server is reachable from the internet, you need to treat it like a public-facing system. These are the most common mistakes.",[852,3598,3600],{"id":3599},"_1-no-firewall","1. No firewall",[16,3602,3603,3604,709,3607,713,3610,3613],{},"Exposing your server without a firewall means every service running on it is accessible to the entire internet. Use ",[105,3605,3606],{},"ufw",[105,3608,3609],{},"iptables",[105,3611,3612],{},"nftables"," to allow only the specific ports your services need. Block everything else.",[110,3615,3617],{"className":749,"code":3616,"language":751,"meta":54,"style":54},"# Example: allow only HTTP, HTTPS, and SSH\nsudo ufw default deny incoming\nsudo ufw allow 22\u002Ftcp\nsudo ufw allow 80\u002Ftcp\nsudo ufw allow 443\u002Ftcp\nsudo ufw enable\n",[105,3618,3619,3624,3639,3650,3660,3671],{"__ignoreMap":54},[118,3620,3621],{"class":120,"line":121},[118,3622,3623],{"class":1372},"# Example: allow only HTTP, HTTPS, and SSH\n",[118,3625,3626,3628,3630,3633,3636],{"class":120,"line":55},[118,3627,220],{"class":124},[118,3629,223],{"class":128},[118,3631,3632],{"class":128}," default",[118,3634,3635],{"class":128}," deny",[118,3637,3638],{"class":128}," incoming\n",[118,3640,3641,3643,3645,3647],{"class":120,"line":440},[118,3642,220],{"class":124},[118,3644,223],{"class":128},[118,3646,226],{"class":128},[118,3648,3649],{"class":128}," 22\u002Ftcp\n",[118,3651,3652,3654,3656,3658],{"class":120,"line":487},[118,3653,220],{"class":124},[118,3655,223],{"class":128},[118,3657,226],{"class":128},[118,3659,229],{"class":128},[118,3661,3662,3664,3666,3668],{"class":120,"line":502},[118,3663,220],{"class":124},[118,3665,223],{"class":128},[118,3667,226],{"class":128},[118,3669,3670],{"class":128}," 443\u002Ftcp\n",[118,3672,3673,3675,3677],{"class":120,"line":594},[118,3674,220],{"class":124},[118,3676,223],{"class":128},[118,3678,3679],{"class":128}," enable\n",[852,3681,3683],{"id":3682},"_2-default-passwords-on-services","2. Default passwords on services",[16,3685,3686],{},"Bots scan the internet constantly and try default credentials within minutes of a new service appearing. Change default passwords on everything: databases, admin panels, web apps, SSH. Use strong, unique passwords or SSH keys.",[852,3688,3690],{"id":3689},"_3-running-without-https","3. Running without HTTPS",[16,3692,3693],{},"If you expose a web service over plain HTTP, login credentials and data are transmitted in cleartext. Use Let's Encrypt (free) to get a TLS certificate. Tools like Caddy and Traefik handle automatic HTTPS out of the box.",[852,3695,3697],{"id":3696},"_4-not-updating-software","4. Not updating software",[16,3699,3700],{},"Unpatched software is the most common entry point for attackers. Enable automatic security updates for your OS and keep your applications current. Subscribe to security advisories for the software you run.",[110,3702,3704],{"className":749,"code":3703,"language":751,"meta":54,"style":54},"# Enable automatic security updates on Ubuntu\u002FDebian\nsudo apt install unattended-upgrades\nsudo dpkg-reconfigure -plow unattended-upgrades\n",[105,3705,3706,3711,3723],{"__ignoreMap":54},[118,3707,3708],{"class":120,"line":121},[118,3709,3710],{"class":1372},"# Enable automatic security updates on Ubuntu\u002FDebian\n",[118,3712,3713,3715,3718,3720],{"class":120,"line":55},[118,3714,220],{"class":124},[118,3716,3717],{"class":128}," apt",[118,3719,129],{"class":128},[118,3721,3722],{"class":128}," unattended-upgrades\n",[118,3724,3725,3727,3730,3733],{"class":120,"line":440},[118,3726,220],{"class":124},[118,3728,3729],{"class":128}," dpkg-reconfigure",[118,3731,3732],{"class":337}," -plow",[118,3734,3722],{"class":128},[852,3736,3738],{"id":3737},"_5-exposing-your-real-home-ip-address","5. Exposing your real home IP address",[16,3740,3741],{},"When you use port forwarding with your ISP-assigned IP, attackers can see your home IP address directly. This ties your physical location to your server. A dedicated IP service like GetPublicIP shields your real home IP: internet traffic hits your dedicated IP on our edge infrastructure, and only the WireGuard tunnel connects back to your actual network.",[668,3743,3745,3747,3756,3765,3774,3783,3792],{"className":3744,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,3746,1096],{"id":1095},[1098,3748,3750,3753],{"className":3749},[1101],[1103,3751,3752],{},"How do I expose my home server to the internet?",[16,3754,3755],{},"There are five main methods. Port forwarding works if you have a real public IP from your ISP. Dynamic DNS plus port forwarding handles IP address changes. Cloudflare Tunnel bypasses CGNAT but only supports HTTP and HTTPS traffic. Tailscale provides private remote access for your own devices. A dedicated public IP service like GetPublicIP gives you a real static IPv4 address over a WireGuard tunnel, supporting all protocols and working behind any ISP restriction including CGNAT.",[1098,3757,3759,3762],{"className":3758},[1101],[1103,3760,3761],{},"Can I host a website without a public IP?",[16,3763,3764],{},"Yes. Cloudflare Tunnel lets you expose HTTP and HTTPS services for free without a public IP. For a website only, this works well. If you also need email, game servers, or any non-HTTP protocol, you need a dedicated public IP service like GetPublicIP, which assigns you a real public IPv4 address tunneled to your server via WireGuard.",[1098,3766,3768,3771],{"className":3767},[1101],[1103,3769,3770],{},"Is it safe to expose a home server to the internet?",[16,3772,3773],{},"It can be, with proper precautions. Use a firewall to limit open ports to only what you need. Run HTTPS with a valid certificate. Keep your software updated. Use strong, unique passwords and disable default credentials. A dedicated IP service like GetPublicIP adds an extra layer by shielding your real home IP address, so attackers never see your actual ISP-assigned address.",[1098,3775,3777,3780],{"className":3776},[1101],[1103,3778,3779],{},"Do I need a static IP to host a server at home?",[16,3781,3782],{},"Not necessarily. Dynamic DNS can map a hostname to a changing IP, but you still need a real public IP (not CGNAT) for port forwarding to work. A dedicated public IP service like GetPublicIP gives you a static public IPv4 that stays the same regardless of your ISP, location, or whether your home IP changes.",[1098,3784,3786,3789],{"className":3785},[1101],[1103,3787,3788],{},"What is the easiest way to access my home server remotely?",[16,3790,3791],{},"For private access from your own devices, Tailscale is the easiest option. Install it on your server and your phone or laptop, and they connect automatically. For public access where anyone on the internet can reach your server, GetPublicIP is the simplest path. You get a dedicated public IP, install WireGuard, import the config, and your server is online with a real routable address.",[1098,3793,3795,3798],{"className":3794},[1101],[1103,3796,3797],{},"How do I expose my home server if my ISP uses CGNAT?",[16,3799,3800],{},"CGNAT blocks all inbound connections, so port forwarding will not work. You have three options that bypass CGNAT. Cloudflare Tunnel works for HTTP and HTTPS websites only. Tailscale works for private access between your own devices. GetPublicIP gives you a real dedicated public IPv4 address over a WireGuard tunnel, supporting all protocols including email, game servers, and raw TCP\u002FUDP.",[351,3802,3803],{},"html pre.shiki code .sHkqI, html code.shiki .sHkqI{--shiki-default:#A6E22E}html pre.shiki code .s_Ekj, html code.shiki .s_Ekj{--shiki-default:#E6DB74}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .snpHw, html code.shiki .snpHw{--shiki-default:#88846F}html pre.shiki code .s8I7P, html code.shiki .s8I7P{--shiki-default:#F92672}html pre.shiki code .sCdxs, html code.shiki .sCdxs{--shiki-default:#F8F8F2}html pre.shiki code .s7s5_, html code.shiki .s7s5_{--shiki-default:#AE81FF}",{"title":54,"searchDepth":55,"depth":55,"links":3805},[3806,3811,3816,3822,3827,3832,3837,3838,3839,3846],{"id":2879,"depth":55,"text":2880,"children":3807},[3808,3809,3810],{"id":2886,"depth":440,"text":2887},{"id":2915,"depth":440,"text":2916},{"id":2929,"depth":440,"text":2930},{"id":2947,"depth":55,"text":2948,"children":3812},[3813,3814,3815],{"id":2954,"depth":440,"text":2955},{"id":2978,"depth":440,"text":2979},{"id":2985,"depth":440,"text":2986},{"id":3022,"depth":55,"text":3023,"children":3817},[3818,3819,3820,3821],{"id":32,"depth":440,"text":3029},{"id":3039,"depth":440,"text":3040},{"id":3063,"depth":440,"text":3064},{"id":3107,"depth":440,"text":3108},{"id":3124,"depth":55,"text":3125,"children":3823},[3824,3825,3826],{"id":3131,"depth":440,"text":3029},{"id":3159,"depth":440,"text":863},{"id":3188,"depth":440,"text":869},{"id":3225,"depth":55,"text":3226,"children":3828},[3829,3830,3831],{"id":3232,"depth":440,"text":3029},{"id":3246,"depth":440,"text":863},{"id":3274,"depth":440,"text":869},{"id":3303,"depth":55,"text":3304,"children":3833},[3834,3835,3836],{"id":3310,"depth":440,"text":3029},{"id":3332,"depth":440,"text":3333},{"id":3378,"depth":440,"text":3379},{"id":3396,"depth":55,"text":3397},{"id":3530,"depth":55,"text":3531},{"id":3592,"depth":55,"text":3593,"children":3840},[3841,3842,3843,3844,3845],{"id":3599,"depth":440,"text":3600},{"id":3682,"depth":440,"text":3683},{"id":3689,"depth":440,"text":3690},{"id":3696,"depth":440,"text":3697},{"id":3737,"depth":440,"text":3738},{"id":1095,"depth":55,"text":1096},"Five ways to expose your home server to the internet: port forwarding, DDNS, Cloudflare Tunnel, Tailscale, and a dedicated public IP. Compare protocols, CGNAT support, and cost.",[3849,3850,3851,3852,3853,3854],{"question":3752,"answer":3755},{"question":3761,"answer":3764},{"question":3770,"answer":3773},{"question":3779,"answer":3782},{"question":3788,"answer":3791},{"question":3797,"answer":3800},{},{"title":3857,"icon":3858,"description":3859},"Expose Your Home Server to the Internet","mdi-server-network","Five realistic methods to make your home server reachable from the internet, from port forwarding to a dedicated public IP.","\u002Fguides\u002Fself-hosting\u002Fexpose-home-server-to-internet",{"title":2842,"description":3847},"guides\u002Fself-hosting\u002Fexpose-home-server-to-internet","p0GNM0mhYdk1SprJpfp_WKQH6RHYrn-U89nOS4afLfU",{"id":3865,"title":3866,"body":3867,"createdAt":2827,"description":4643,"extension":61,"faq":4644,"meta":4651,"navigation":4652,"path":917,"seo":4656,"stem":4657,"updatedAt":2827,"__hash__":4658},"docs\u002Fguides\u002Fself-hosting\u002Fgetpublicip-vs-cloudflare-tunnel-vs-tailscale.md","GetPublicIP vs Cloudflare Tunnel vs Tailscale for Self-Hosting",{"type":8,"value":3868,"toc":4610},[3869,3873,4047,4089,4132,4182,4339,4434,4539,4565],[11,3870,3872],{"id":3871},"getpublicip-vs-cloudflare-tunnel-vs-tailscale-which-is-best-for-self-hosting","GetPublicIP vs Cloudflare Tunnel vs Tailscale — Which Is Best for Self-Hosting?",[668,3874,3876,3886,3889,3894],{"className":3875,"rounded":54,"max-width":677},[671,672,673,674,675,676],[16,3877,3878,3879,709,3881,2283,3883,3885],{},"If you're self-hosting behind CGNAT or a restrictive ISP, you need a way to make your server reachable from the internet. The three most popular solutions are ",[682,3880,1017],{},[682,3882,1023],{},[682,3884,3487],{}," — but they work in fundamentally different ways and each has trade-offs.",[16,3887,3888],{},"Here's the short version: Cloudflare Tunnel is free but only handles HTTP\u002FHTTPS traffic and terminates your SSL. Tailscale is a private mesh VPN that doesn't give you a public IP. GetPublicIP gives you a real dedicated public IP address with full port and protocol access.",[20,3890,3893],{"className":3891,"id":3892},[675],"quick-comparison","Quick Comparison",[1230,3895,3896],{},[1233,3897,3898],{"cols":1235},[1773,3899,3900,3914],{},[1776,3901,3902],{},[1779,3903,3904,3907,3910,3912],{},[1782,3905,3906],{},"Feature",[1782,3908,1017],{"align":3909},"center",[1782,3911,1023],{"align":3909},[1782,3913,3487],{"align":3909},[1792,3915,3916,3929,3942,3956,3972,3988,4004,4017,4031],{},[1779,3917,3918,3923,3925,3927],{},[1797,3919,3920],{},[682,3921,3922],{},"Dedicated public IP",[1797,3924,3436],{"align":3909},[1797,3926,3433],{"align":3909},[1797,3928,3433],{"align":3909},[1779,3930,3931,3936,3938,3940],{},[1797,3932,3933],{},[682,3934,3935],{},"Email \u002F SMTP hosting",[1797,3937,3436],{"align":3909},[1797,3939,3433],{"align":3909},[1797,3941,3433],{"align":3909},[1779,3943,3944,3949,3951,3953],{},[1797,3945,3946],{},[682,3947,3948],{},"All ports (TCP + UDP)",[1797,3950,3436],{"align":3909},[1797,3952,3473],{"align":3909},[1797,3954,3955],{"align":3909},"Within tailnet only",[1779,3957,3958,3963,3966,3969],{},[1797,3959,3960],{},[682,3961,3962],{},"SSL\u002FTLS termination",[1797,3964,3965],{"align":3909},"None — your traffic passes unmodified",[1797,3967,3968],{"align":3909},"Cloudflare terminates SSL",[1797,3970,3971],{"align":3909},"E2E within tailnet",[1779,3973,3974,3979,3982,3985],{},[1797,3975,3976],{},[682,3977,3978],{},"Public access",[1797,3980,3981],{"align":3909},"Full — real public IP",[1797,3983,3984],{"align":3909},"Yes — via reverse proxy",[1797,3986,3987],{"align":3909},"Limited — Funnel (HTTPS only)",[1779,3989,3990,3995,3998,4001],{},[1797,3991,3992],{},[682,3993,3994],{},"Protocol support",[1797,3996,3997],{"align":3909},"All (TCP, UDP, ICMP)",[1797,3999,4000],{"align":3909},"HTTP\u002FHTTPS (Spectrum for TCP, paid)",[1797,4002,4003],{"align":3909},"All within tailnet",[1779,4005,4006,4011,4013,4015],{},[1797,4007,4008],{},[682,4009,4010],{},"Reverse DNS (rDNS)",[1797,4012,3436],{"align":3909},[1797,4014,3433],{"align":3909},[1797,4016,3433],{"align":3909},[1779,4018,4019,4023,4026,4028],{},[1797,4020,4021],{},[682,4022,3379],{},[1797,4024,4025],{"align":3909},"$8.99\u002Fmonth per IP",[1797,4027,3166],{"align":3909},[1797,4029,4030],{"align":3909},"Free (personal, up to 3 users)",[1779,4032,4033,4038,4041,4044],{},[1797,4034,4035],{},[682,4036,4037],{},"Setup complexity",[1797,4039,4040],{"align":3909},"Low — install WireGuard, import config",[1797,4042,4043],{"align":3909},"Low — install cloudflared",[1797,4045,4046],{"align":3909},"Low — install Tailscale client",[668,4048,4050,4055,4058,4066,4069,4079,4082],{"className":4049,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,4051,4054],{"className":4052,"id":4053},[675],"what-each-service-does","What Each Service Does",[852,4056,1017],{"id":4057},"getpublicip",[16,4059,4060,4061,4065],{},"GetPublicIP assigns you a ",[4062,4063,4064],"b",{},"real, dedicated public IPv4 and IPv6 address"," that is routed to your server through an encrypted WireGuard VPN tunnel. Your server receives traffic exactly as if the public IP was configured directly on your machine — all ports, all protocols, with zero modification or inspection of your packets. It works behind CGNAT, across ISP changes, and supports automatic failover.",[852,4067,1023],{"id":4068},"cloudflare-tunnel",[16,4070,4071,4072,4074,4075,4078],{},"Cloudflare Tunnel (formerly Argo Tunnel) creates an outbound-only connection from your server to Cloudflare's edge network using the ",[105,4073,3139],{}," daemon. Cloudflare acts as a ",[4062,4076,4077],{},"reverse proxy"," — it receives incoming HTTP\u002FHTTPS requests on your domain, terminates the TLS connection at their edge servers, inspects the traffic, then forwards it to your origin server through the tunnel. You do not get a public IP address. Traffic is limited to HTTP and HTTPS protocols on the free plan.",[852,4080,3487],{"id":4081},"tailscale",[16,4083,4084,4085,4088],{},"Tailscale is a ",[4062,4086,4087],{},"mesh VPN"," built on WireGuard that connects your devices in a private network (tailnet). It excels at securely connecting your own devices to each other — for example, accessing your home server from your laptop. However, it is not designed for public-facing services. Tailscale Funnel can expose a service publicly, but it is limited to HTTPS traffic only and routes through Tailscale's infrastructure.",[668,4090,4092,4097,4100,4104,4111,4114,4118,4121,4125],{"className":4091,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,4093,4096],{"className":4094,"id":4095},[675],"ssltls-and-privacy","SSL\u002FTLS and Privacy",[16,4098,4099],{},"This is one of the most important differences and is often overlooked.",[852,4101,4103],{"id":4102},"cloudflare-tunnel-terminates-your-ssl","Cloudflare Tunnel terminates your SSL",[16,4105,4106,4107,4110],{},"When you use Cloudflare Tunnel, Cloudflare ",[4062,4108,4109],{},"decrypts your HTTPS traffic"," at their edge servers, inspects it, and then re-encrypts it before forwarding to your origin. This means Cloudflare can see the plaintext content of every request and response passing through your tunnel. Cloudflare uses this capability for features like their WAF, bot detection, and caching — but it means a third party has access to your unencrypted traffic.",[16,4112,4113],{},"For some users this is acceptable. For others — especially those self-hosting for privacy reasons, running a personal email server, or handling sensitive data — this is a dealbreaker.",[852,4115,4117],{"id":4116},"tailscale-encrypts-end-to-end-within-your-network","Tailscale encrypts end-to-end (within your network)",[16,4119,4120],{},"Tailscale uses WireGuard encryption between your devices. Traffic stays encrypted and private within your tailnet. However, if you use Tailscale Funnel to expose a service publicly, traffic routes through Tailscale's DERP relay servers, which adds latency and means your traffic passes through their infrastructure.",[852,4122,4124],{"id":4123},"getpublicip-never-sees-your-plaintext-traffic","GetPublicIP never sees your plaintext traffic",[16,4126,4127,4128,4131],{},"GetPublicIP routes traffic through an encrypted WireGuard tunnel directly to your server ",[4062,4129,4130],{},"without terminating SSL\u002FTLS",". We never decrypt, inspect, or modify your packets. You implement your own SSL\u002FTLS encryption end-to-end, maintaining complete control over your privacy and security. Packets arrive at your server exactly as they were sent — with full visibility of source IPs and original traffic data.",[668,4133,4135,4140,4143,4147,4154,4157,4161,4164,4168,4179],{"className":4134,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,4136,4139],{"className":4137,"id":4138},[675],"email-and-smtp-support","Email and SMTP Support",[16,4141,4142],{},"If you want to self-host an email server (Mailcow, Mail-in-a-Box, Postfix\u002FDovecot, or similar), your choice of tunnel service matters a lot.",[852,4144,4146],{"id":4145},"cloudflare-tunnel-no-email-support","Cloudflare Tunnel — No email support",[16,4148,4149,4150,4153],{},"Cloudflare ",[4062,4151,4152],{},"blocks port 25 (SMTP)"," and does not proxy email traffic through tunnels. You cannot run a public-facing email server behind a Cloudflare Tunnel. This is a fundamental architectural limitation — Cloudflare Tunnel only handles HTTP and HTTPS traffic on the free plan. The Spectrum add-on supports TCP but is paid, enterprise-tier, and still does not support email on port 25.",[16,4155,4156],{},"Cloudflare's own documentation states that they do not proxy SMTP traffic unless Spectrum is configured, and even then port 25 is restricted.",[852,4158,4160],{"id":4159},"tailscale-no-public-email-support","Tailscale — No public email support",[16,4162,4163],{},"Tailscale is a private mesh network. While you could theoretically run an email server accessible within your tailnet, there is no way to receive email from the public internet through Tailscale. Tailscale Funnel only supports HTTPS — not SMTP, IMAP, or any email protocol.",[852,4165,4167],{"id":4166},"getpublicip-full-email-support","GetPublicIP — Full email support",[16,4169,4170,4171,4174,4175,4178],{},"GetPublicIP gives you a ",[4062,4172,4173],{},"real dedicated public IP address"," with all ports available, including port 25 (SMTP), 465 (SMTPS), 587 (submission), and 993 (IMAPS). You can configure ",[4062,4176,4177],{},"reverse DNS (rDNS \u002F PTR records)"," through the management console, which is essential for email deliverability — most receiving mail servers verify that your sending IP has a valid PTR record.",[16,4180,4181],{},"This makes GetPublicIP the only option in this comparison that supports running a fully functional, public-facing email server from your home or office.",[668,4183,4185,4190,4329,4332],{"className":4184,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,4186,4189],{"className":4187,"id":4188},[675],"port-and-protocol-access","Port and Protocol Access",[1230,4191,4192],{},[1233,4193,4194],{"cols":1235},[1773,4195,4196,4209],{},[1776,4197,4198],{},[1779,4199,4200,4203,4205,4207],{},[1782,4201,4202],{},"Capability",[1782,4204,1017],{"align":3909},[1782,4206,1023],{"align":3909},[1782,4208,3487],{"align":3909},[1792,4210,4211,4223,4235,4248,4260,4273,4284,4295,4307,4318],{},[1779,4212,4213,4216,4218,4220],{},[1797,4214,4215],{},"HTTP (80)",[1797,4217,3436],{"align":3909},[1797,4219,3436],{"align":3909},[1797,4221,4222],{"align":3909},"Funnel (HTTPS only)",[1779,4224,4225,4228,4230,4232],{},[1797,4226,4227],{},"HTTPS (443)",[1797,4229,3436],{"align":3909},[1797,4231,3436],{"align":3909},[1797,4233,4234],{"align":3909},"Funnel",[1779,4236,4237,4240,4242,4245],{},[1797,4238,4239],{},"SSH (22)",[1797,4241,3436],{"align":3909},[1797,4243,4244],{"align":3909},"Via Access (browser-based)",[1797,4246,4247],{"align":3909},"Within tailnet",[1779,4249,4250,4253,4255,4258],{},[1797,4251,4252],{},"SMTP (25)",[1797,4254,3436],{"align":3909},[1797,4256,4257],{"align":3909},"Blocked",[1797,4259,3433],{"align":3909},[1779,4261,4262,4265,4268,4271],{},[1797,4263,4264],{},"Custom TCP ports",[1797,4266,4267],{"align":3909},"Yes — all ports",[1797,4269,4270],{"align":3909},"No (Spectrum, paid)",[1797,4272,4247],{"align":3909},[1779,4274,4275,4278,4280,4282],{},[1797,4276,4277],{},"UDP",[1797,4279,3436],{"align":3909},[1797,4281,3433],{"align":3909},[1797,4283,4247],{"align":3909},[1779,4285,4286,4289,4291,4293],{},[1797,4287,4288],{},"ICMP (ping)",[1797,4290,3436],{"align":3909},[1797,4292,3433],{"align":3909},[1797,4294,4247],{"align":3909},[1779,4296,4297,4300,4302,4305],{},[1797,4298,4299],{},"Game servers",[1797,4301,3436],{"align":3909},[1797,4303,4304],{"align":3909},"No (UDP required)",[1797,4306,3955],{"align":3909},[1779,4308,4309,4312,4314,4316],{},[1797,4310,4311],{},"VoIP \u002F SIP",[1797,4313,3436],{"align":3909},[1797,4315,4304],{"align":3909},[1797,4317,3955],{"align":3909},[1779,4319,4320,4323,4325,4327],{},[1797,4321,4322],{},"DNS server",[1797,4324,3436],{"align":3909},[1797,4326,3433],{"align":3909},[1797,4328,3955],{"align":3909},[16,4330,4331],{},"If your use case involves anything beyond HTTP\u002FHTTPS — game servers, DNS, email, VoIP, custom TCP services, or any UDP-based protocol — Cloudflare Tunnel cannot help you. Tailscale works for these protocols within your private network but cannot expose them publicly.",[16,4333,4334,4335,4338],{},"GetPublicIP supports ",[4062,4336,4337],{},"all ports and all protocols"," because you receive a real public IP address. There is no reverse proxy or application-layer gateway — traffic is routed at the network layer, just like having a static IP from your ISP.",[668,4340,4342,4345,4425,4428,4431],{"className":4341,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,4343,3379],{"className":4344,"id":3378},[675],[1230,4346,4347],{},[1233,4348,4349],{"cols":1235},[1773,4350,4351,4364],{},[1776,4352,4353],{},[1779,4354,4355,4358,4360,4362],{},[1782,4356,4357],{},"Plan",[1782,4359,1017],{"align":3909},[1782,4361,1023],{"align":3909},[1782,4363,3487],{"align":3909},[1792,4365,4366,4380,4395,4411],{},[1779,4367,4368,4372,4374,4377],{},[1797,4369,4370],{},[682,4371,3264],{},[1797,4373,3433],{"align":3909},[1797,4375,4376],{"align":3909},"Yes — HTTP\u002FHTTPS only",[1797,4378,4379],{"align":3909},"Yes — 3 users, 100 devices",[1779,4381,4382,4387,4389,4392],{},[1797,4383,4384],{},[682,4385,4386],{},"Paid",[1797,4388,4025],{"align":3909},[1797,4390,4391],{"align":3909},"Free (Spectrum: enterprise pricing)",[1797,4393,4394],{"align":3909},"From $6\u002Fuser\u002Fmonth",[1779,4396,4397,4402,4405,4408],{},[1797,4398,4399],{},[682,4400,4401],{},"What you get",[1797,4403,4404],{"align":3909},"Dedicated public IPv4 + IPv6, all ports, all protocols, rDNS, failover, firewall, management console",[1797,4406,4407],{"align":3909},"HTTP\u002FHTTPS reverse proxy, WAF, DDoS protection, caching",[1797,4409,4410],{"align":3909},"Mesh VPN, Funnel (HTTPS), MagicDNS, ACLs",[1779,4412,4413,4418,4421,4423],{},[1797,4414,4415],{},[682,4416,4417],{},"Contracts",[1797,4419,4420],{"align":3909},"No — cancel anytime",[1797,4422,3433],{"align":3909},[1797,4424,3433],{"align":3909},[16,4426,4427],{},"Cloudflare Tunnel is hard to beat on price — it is genuinely free for HTTP\u002FHTTPS use cases with no usage limits. If all you need is to expose a web application, it's an excellent choice.",[16,4429,4430],{},"Tailscale's free tier is generous for personal use (up to 3 users and 100 devices). For teams, pricing starts at $6\u002Fuser\u002Fmonth.",[16,4432,4433],{},"GetPublicIP costs $8.99\u002Fmonth per IP address with no contracts. While it's not free, you get capabilities that neither Cloudflare nor Tailscale offer at any price: a real public IP, full port and protocol access, email hosting support, rDNS, and connection failover.",[668,4435,4437,4442,4446,4467,4471,4489,4493],{"className":4436,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,4438,4441],{"className":4439,"id":4440},[675],"when-to-use-each","When to Use Each",[852,4443,4445],{"id":4444},"use-cloudflare-tunnel-when","Use Cloudflare Tunnel when:",[806,4447,4448,4455,4458,4461,4464],{},[41,4449,4450,4451,4454],{},"You only need to expose ",[4062,4452,4453],{},"web applications"," (HTTP\u002FHTTPS)",[41,4456,4457],{},"Free is a priority and you don't need email, UDP, or custom ports",[41,4459,4460],{},"You want built-in DDoS protection and WAF",[41,4462,4463],{},"You're comfortable with Cloudflare terminating your SSL and inspecting your traffic",[41,4465,4466],{},"You don't need a real public IP address",[852,4468,4470],{"id":4469},"use-tailscale-when","Use Tailscale when:",[806,4472,4473,4480,4483,4486],{},[41,4474,4475,4476,4479],{},"You need ",[4062,4477,4478],{},"private access"," between your own devices (phone, laptop, home server)",[41,4481,4482],{},"You want a mesh VPN with zero configuration",[41,4484,4485],{},"You don't need to expose services to the public internet",[41,4487,4488],{},"You want to share access with specific people within your tailnet",[852,4490,4492],{"id":4491},"use-getpublicip-when","Use GetPublicIP when:",[806,4494,4495,4501,4508,4514,4521,4527,4533],{},[41,4496,4497,4498],{},"You need a ",[4062,4499,4500],{},"real, dedicated public IP address",[41,4502,4503,4504,4507],{},"You want to ",[4062,4505,4506],{},"self-host an email server"," with reverse DNS",[41,4509,4475,4510,4513],{},[4062,4511,4512],{},"full port and protocol access"," (TCP, UDP, ICMP — all ports)",[41,4515,4516,4517,4520],{},"You want ",[4062,4518,4519],{},"complete privacy"," — no SSL termination, no traffic inspection",[41,4522,4475,4523,4526],{},[4062,4524,4525],{},"connection failover"," — keep your IP when your ISP changes",[41,4528,4529,4530],{},"You're running ",[4062,4531,4532],{},"game servers, VoIP, DNS, or custom TCP\u002FUDP services",[41,4534,4535,4536,4538],{},"You're behind ",[4062,4537,2860],{}," and need a solution that works like having a static IP from your ISP, without the ISP",[668,4540,4542,4547,4550,4562],{"className":4541,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,4543,4546],{"className":4544,"id":4545},[675],"can-i-combine-these-services","Can I combine these services?",[16,4548,4549],{},"Yes — many self-hosters use more than one. A common setup is:",[806,4551,4552,4557],{},[41,4553,4554,4556],{},[4062,4555,1017],{}," for your public-facing services (web server, email, game server) that need a real IP address and full port access",[41,4558,4559,4561],{},[4062,4560,3487],{}," for private remote access to your devices (SSH into your server from your phone, access admin panels privately)",[16,4563,4564],{},"These two services complement each other well. GetPublicIP handles the public-facing side, while Tailscale handles private device-to-device access.",[668,4566,4568,4571,4575,4578,4582,4585,4589,4592,4596,4599,4603],{"className":4567,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,4569,1096],{"className":4570,"id":1095},[675],[852,4572,4574],{"id":4573},"can-i-host-an-email-server-with-cloudflare-tunnel","Can I host an email server with Cloudflare Tunnel?",[16,4576,4577],{},"No. Cloudflare Tunnel blocks port 25 (SMTP) and only proxies HTTP\u002FHTTPS traffic on the free plan. You cannot run a public email server behind a Cloudflare Tunnel. GetPublicIP is the only option in this comparison that supports email hosting with all required ports and reverse DNS.",[852,4579,4581],{"id":4580},"does-cloudflare-tunnel-give-me-a-public-ip-address","Does Cloudflare Tunnel give me a public IP address?",[16,4583,4584],{},"No. Cloudflare Tunnel acts as a reverse proxy — your domain points to Cloudflare's IP addresses, not yours. You share Cloudflare's IP space with millions of other sites. GetPublicIP gives you a dedicated public IP that is yours alone.",[852,4586,4588],{"id":4587},"can-tailscale-expose-my-server-to-the-public-internet","Can Tailscale expose my server to the public internet?",[16,4590,4591],{},"Tailscale Funnel can expose HTTPS services publicly, but it is limited to HTTPS only, routes through Tailscale's relay servers, and has undisclosed bandwidth limits. It is not designed for production public-facing hosting. For full public access with all protocols, you need a real public IP from a service like GetPublicIP.",[852,4593,4595],{"id":4594},"is-getpublicip-a-vpn","Is GetPublicIP a VPN?",[16,4597,4598],{},"GetPublicIP uses a WireGuard VPN tunnel to route a dedicated public IP address to your server, but it is not a privacy VPN like NordVPN or Mullvad. It does the opposite — instead of hiding your IP, it gives you a public IP so your server is reachable from the internet. Your existing internet connection continues to work normally for outbound traffic.",[852,4600,4602],{"id":4601},"which-is-best-for-self-hosting-behind-cgnat","Which is best for self-hosting behind CGNAT?",[16,4604,4605,4606,4609],{},"All three bypass CGNAT, but they solve different problems. Cloudflare Tunnel works for HTTP\u002FHTTPS websites. Tailscale works for private access to your devices. GetPublicIP works for any use case that needs a real public IP — web hosting, email, game servers, VoIP, or any other protocol. See our ",[83,4607,4608],{"href":727},"complete guide to self-hosting behind CGNAT"," for more detail.",{"title":54,"searchDepth":55,"depth":55,"links":4611},[4612,4613,4618,4623,4628,4629,4630,4635,4636],{"id":3892,"depth":55,"text":3893},{"id":4053,"depth":55,"text":4054,"children":4614},[4615,4616,4617],{"id":4057,"depth":440,"text":1017},{"id":4068,"depth":440,"text":1023},{"id":4081,"depth":440,"text":3487},{"id":4095,"depth":55,"text":4096,"children":4619},[4620,4621,4622],{"id":4102,"depth":440,"text":4103},{"id":4116,"depth":440,"text":4117},{"id":4123,"depth":440,"text":4124},{"id":4138,"depth":55,"text":4139,"children":4624},[4625,4626,4627],{"id":4145,"depth":440,"text":4146},{"id":4159,"depth":440,"text":4160},{"id":4166,"depth":440,"text":4167},{"id":4188,"depth":55,"text":4189},{"id":3378,"depth":55,"text":3379},{"id":4440,"depth":55,"text":4441,"children":4631},[4632,4633,4634],{"id":4444,"depth":440,"text":4445},{"id":4469,"depth":440,"text":4470},{"id":4491,"depth":440,"text":4492},{"id":4545,"depth":55,"text":4546},{"id":1095,"depth":55,"text":1096,"children":4637},[4638,4639,4640,4641,4642],{"id":4573,"depth":440,"text":4574},{"id":4580,"depth":440,"text":4581},{"id":4587,"depth":440,"text":4588},{"id":4594,"depth":440,"text":4595},{"id":4601,"depth":440,"text":4602},"Compare GetPublicIP, Cloudflare Tunnel and Tailscale for self-hosting. See which supports email hosting, full port access, and real public IPs without SSL termination.",[4645,4646,4647,4648,4649],{"question":4574,"answer":4577},{"question":4581,"answer":4584},{"question":4588,"answer":4591},{"question":4595,"answer":4598},{"question":4602,"answer":4650},"All three bypass CGNAT, but they solve different problems. Cloudflare Tunnel works for HTTP\u002FHTTPS websites. Tailscale works for private access to your devices. GetPublicIP works for any use case that needs a real public IP — web hosting, email, game servers, VoIP, or any other protocol.",{},{"title":4653,"icon":4654,"description":4655},"GetPublicIP vs Cloudflare vs Tailscale","mdi-compare","Compare GetPublicIP, Cloudflare Tunnel and Tailscale for self-hosting servers at home or the office.",{"title":3866,"description":4643},"guides\u002Fself-hosting\u002Fgetpublicip-vs-cloudflare-tunnel-vs-tailscale","rtQy9y-PNDiFxKlr9VpUvlMxfA9BEkn81QwOMFpUZyE",{"id":4660,"title":4661,"body":4662,"createdAt":1193,"description":5869,"extension":61,"faq":5870,"meta":5883,"navigation":5884,"path":3015,"seo":5888,"stem":5889,"updatedAt":1193,"__hash__":5890},"docs\u002Fguides\u002Fself-hosting\u002Fport-forwarding-not-working.md","Port Forwarding Not Working? Here's Why and How to Fix It (2026)",{"type":8,"value":4663,"toc":5835},[4664,4668,4686,4752,4874,5059,5193,5297,5393,5453,5526,5749,5832],[11,4665,4667],{"id":4666},"port-forwarding-not-working-heres-why-and-how-to-fix-it","Port Forwarding Not Working? Here's Why (and How to Fix It)",[668,4669,4671,4674],{"className":4670,"rounded":54,"max-width":677},[671,672,673,674,675,676],[16,4672,4673],{},"You set up port forwarding in your router. The rule looks correct. The service is running. But connections from outside your network still time out, and you have no idea why.",[16,4675,4676,4677,4680,4681,4685],{},"You are not alone. Port forwarding fails silently, and the real cause is often something your router cannot tell you about. This guide walks through the ",[682,4678,4679],{},"6 most common reasons port forwarding stops working",", how to diagnose each one, and how to fix it. If you have been troubleshooting for hours, start with the ",[83,4682,4684],{"href":4683},"#quick-diagnosis-checklist","quick diagnosis checklist"," at the bottom to rule things out fast.",[668,4687,4689,4693,4696],{"className":4688,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,4690,4692],{"id":4691},"the-6-most-common-reasons-port-forwarding-fails","The 6 most common reasons port forwarding fails",[16,4694,4695],{},"Before diving into each cause, here is a quick overview so you can jump straight to the one that matches your situation:",[38,4697,4698,4707,4716,4725,4734,4743],{},[41,4699,4700,4706],{},[682,4701,4702],{},[83,4703,4705],{"href":4704},"#1-wrong-local-ip-address","Wrong local IP address"," — your router is forwarding traffic to a device that moved or no longer has that IP",[41,4708,4709,4715],{},[682,4710,4711],{},[83,4712,4714],{"href":4713},"#2-firewall-blocking-the-port","Firewall blocking the port"," — your server's OS firewall is silently dropping incoming traffic",[41,4717,4718,4724],{},[682,4719,4720],{},[83,4721,4723],{"href":4722},"#3-isp-blocking-the-port","ISP blocking the port"," — your internet provider filters certain ports on residential connections",[41,4726,4727,4733],{},[682,4728,4729],{},[83,4730,4732],{"href":4731},"#4-double-nat","Double NAT"," — a second router or ISP modem is performing NAT before your router",[41,4735,4736,4742],{},[682,4737,4738],{},[83,4739,4741],{"href":4740},"#5-your-isp-uses-cgnat","Your ISP uses CGNAT"," — the most common hidden cause, and the hardest to spot",[41,4744,4745,4751],{},[682,4746,4747],{},[83,4748,4750],{"href":4749},"#6-dynamic-ip-changed","Dynamic IP changed"," — your public IP address changed since you set things up",[668,4753,4755,4759,4762,4765,4769,4772,4777,4787,4803,4808,4816,4819,4824,4839,4842,4846,4853,4871],{"className":4754,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,4756,4758],{"id":4757},"_1-wrong-local-ip-address","1. Wrong local IP address",[16,4760,4761],{},"The most basic cause: your router's port forwarding rule points to an IP address that no longer belongs to the device running your service.",[16,4763,4764],{},"This happens when your server gets its IP via DHCP and your router assigns it a different address after a reboot or lease expiration. The forwarding rule still says \"send port 443 to 192.168.1.50\" but your server is now at 192.168.1.52.",[852,4766,4768],{"id":4767},"how-to-check","How to check",[16,4770,4771],{},"On your server, verify its current local IP:",[16,4773,4774],{},[682,4775,4776],{},"Linux:",[110,4778,4779],{"className":749,"code":2070,"language":751,"meta":54,"style":54},[105,4780,4781],{"__ignoreMap":54},[118,4782,4783,4785],{"class":120,"line":121},[118,4784,2077],{"class":124},[118,4786,2080],{"class":128},[16,4788,4789,4790,709,4793,713,4796,4799,4800,4802],{},"Look for your main network interface (usually ",[105,4791,4792],{},"eth0",[105,4794,4795],{},"enp0s3",[105,4797,4798],{},"eno1","). The ",[105,4801,2116],{}," line shows your IPv4 address.",[16,4804,4805],{},[682,4806,4807],{},"Windows:",[110,4809,4810],{"className":749,"code":2709,"language":751,"meta":54,"style":54},[105,4811,4812],{"__ignoreMap":54},[118,4813,4814],{"class":120,"line":121},[118,4815,2709],{"class":124},[16,4817,4818],{},"Look for \"IPv4 Address\" under your active adapter.",[16,4820,4821],{},[682,4822,4823],{},"macOS:",[110,4825,4827],{"className":749,"code":4826,"language":751,"meta":54,"style":54},"ipconfig getifaddr en0\n",[105,4828,4829],{"__ignoreMap":54},[118,4830,4831,4833,4836],{"class":120,"line":121},[118,4832,2706],{"class":124},[118,4834,4835],{"class":128}," getifaddr",[118,4837,4838],{"class":128}," en0\n",[16,4840,4841],{},"Now compare that address to the IP in your router's port forwarding rule. If they don't match, that's your problem.",[852,4843,4845],{"id":4844},"how-to-fix-it","How to fix it",[16,4847,4848,4849,4852],{},"Give your server a ",[682,4850,4851],{},"static local IP"," so it never changes. You have two options:",[806,4854,4855,4861],{},[41,4856,4857,4860],{},[682,4858,4859],{},"DHCP reservation"," (recommended): In your router's admin panel, find the DHCP settings and reserve a specific IP for your server's MAC address. The server still uses DHCP but always receives the same address.",[41,4862,4863,4866,4867,4870],{},[682,4864,4865],{},"Manual static IP",": Configure a static IP directly on the server's network interface. On Linux, this is typically done in ",[105,4868,4869],{},"\u002Fetc\u002Fnetplan\u002F"," (Ubuntu\u002FDebian) or via NetworkManager.",[16,4872,4873],{},"Either way, make sure the reserved IP is outside your router's DHCP pool range to avoid conflicts.",[668,4875,4877,4881,4884,4892,4895,4900,4917,4924,4929,4963,4966,4971,4974,4978,5007,5012,5047,5052],{"className":4876,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,4878,4880],{"id":4879},"_2-firewall-blocking-the-port","2. Firewall blocking the port",[16,4882,4883],{},"Your port forwarding rule is correct and traffic is arriving at your server, but the server's OS firewall is dropping it before it reaches your application.",[16,4885,4886,4887,2248,4889,4891],{},"This is especially common on Linux servers where ",[105,4888,3606],{},[105,4890,3609],{}," is enabled by default, and on Windows where Windows Defender Firewall blocks inbound connections unless you create an explicit rule.",[852,4893,4768],{"id":4894},"how-to-check-1",[16,4896,4897],{},[682,4898,4899],{},"Linux (ufw):",[110,4901,4903],{"className":749,"code":4902,"language":751,"meta":54,"style":54},"sudo ufw status verbose\n",[105,4904,4905],{"__ignoreMap":54},[118,4906,4907,4909,4911,4914],{"class":120,"line":121},[118,4908,220],{"class":124},[118,4910,223],{"class":128},[118,4912,4913],{"class":128}," status",[118,4915,4916],{"class":128}," verbose\n",[16,4918,4919,4920,4923],{},"If the output shows ",[105,4921,4922],{},"Status: active"," and your port is not listed, the firewall is blocking it.",[16,4925,4926],{},[682,4927,4928],{},"Linux (iptables \u002F nftables):",[110,4930,4932],{"className":749,"code":4931,"language":751,"meta":54,"style":54},"sudo iptables -L -n | grep \u003Cyour-port>\n",[105,4933,4934],{"__ignoreMap":54},[118,4935,4936,4938,4941,4944,4947,4949,4951,4954,4957,4960],{"class":120,"line":121},[118,4937,220],{"class":124},[118,4939,4940],{"class":128}," iptables",[118,4942,4943],{"class":337}," -L",[118,4945,4946],{"class":337}," -n",[118,4948,2222],{"class":2221},[118,4950,2225],{"class":124},[118,4952,4953],{"class":2221}," \u003C",[118,4955,4956],{"class":128},"your-por",[118,4958,4959],{"class":3082},"t",[118,4961,4962],{"class":2221},">\n",[16,4964,4965],{},"If there is no ACCEPT rule for your port, or if there is a DROP\u002FREJECT rule earlier in the chain, traffic is being blocked.",[16,4967,4968,4970],{},[682,4969,4807],{},"\nOpen Windows Defender Firewall with Advanced Security and check the Inbound Rules. Look for a rule that allows your port. If none exists, traffic is being silently dropped.",[852,4972,4845],{"id":4973},"how-to-fix-it-1",[16,4975,4976],{},[682,4977,4899],{},[110,4979,4981],{"className":749,"code":4980,"language":751,"meta":54,"style":54},"sudo ufw allow 443\u002Ftcp\nsudo ufw allow 25565\u002Ftcp   # Minecraft, for example\n",[105,4982,4983,4993],{"__ignoreMap":54},[118,4984,4985,4987,4989,4991],{"class":120,"line":121},[118,4986,220],{"class":124},[118,4988,223],{"class":128},[118,4990,226],{"class":128},[118,4992,3670],{"class":128},[118,4994,4995,4997,4999,5001,5004],{"class":120,"line":55},[118,4996,220],{"class":124},[118,4998,223],{"class":128},[118,5000,226],{"class":128},[118,5002,5003],{"class":128}," 25565\u002Ftcp",[118,5005,5006],{"class":1372},"   # Minecraft, for example\n",[16,5008,5009],{},[682,5010,5011],{},"Linux (iptables):",[110,5013,5015],{"className":749,"code":5014,"language":751,"meta":54,"style":54},"sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT\n",[105,5016,5017],{"__ignoreMap":54},[118,5018,5019,5021,5023,5026,5029,5032,5035,5038,5041,5044],{"class":120,"line":121},[118,5020,220],{"class":124},[118,5022,4940],{"class":128},[118,5024,5025],{"class":337}," -A",[118,5027,5028],{"class":128}," INPUT",[118,5030,5031],{"class":337}," -p",[118,5033,5034],{"class":128}," tcp",[118,5036,5037],{"class":337}," --dport",[118,5039,5040],{"class":337}," 443",[118,5042,5043],{"class":337}," -j",[118,5045,5046],{"class":128}," ACCEPT\n",[16,5048,5049,5051],{},[682,5050,4807],{},"\nCreate a new Inbound Rule in Windows Defender Firewall: choose \"Port\", enter the port number, select \"Allow the connection\", and apply to all profiles.",[16,5053,5054,5055,5058],{},"After making changes, test from another device on your LAN first (e.g., ",[105,5056,5057],{},"curl http:\u002F\u002F192.168.1.50:8080",") to confirm the firewall is no longer blocking it before testing from outside.",[668,5060,5062,5066,5069,5072,5098,5101,5104,5109,5128,5136,5162,5165,5168],{"className":5061,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,5063,5065],{"id":5064},"_3-isp-blocking-the-port","3. ISP blocking the port",[16,5067,5068],{},"Even if your router and firewall are configured correctly, your ISP may be filtering specific ports on residential connections. This is common and rarely documented.",[16,5070,5071],{},"Ports that ISPs frequently block on residential lines:",[806,5073,5074,5080,5086,5092],{},[41,5075,5076,5079],{},[682,5077,5078],{},"Port 25"," (SMTP) — blocked to prevent spam from compromised home computers",[41,5081,5082,5085],{},[682,5083,5084],{},"Port 80"," (HTTP) — blocked to discourage web hosting on residential plans",[41,5087,5088,5091],{},[682,5089,5090],{},"Port 443"," (HTTPS) — blocked on some ISPs, less common than port 80",[41,5093,5094,5097],{},[682,5095,5096],{},"Port 8080"," (HTTP alternate) — blocked by some ISPs",[852,5099,4768],{"id":5100},"how-to-check-2",[16,5102,5103],{},"The quickest test is to try a high, random port that no ISP would bother blocking:",[38,5105,5106],{},[41,5107,5108],{},"Start a temporary listener on your server:",[110,5110,5112],{"className":749,"code":5111,"language":751,"meta":54,"style":54},"python3 -m http.server 9999\n",[105,5113,5114],{"__ignoreMap":54},[118,5115,5116,5119,5122,5125],{"class":120,"line":121},[118,5117,5118],{"class":124},"python3",[118,5120,5121],{"class":337}," -m",[118,5123,5124],{"class":128}," http.server",[118,5126,5127],{"class":337}," 9999\n",[38,5129,5130,5133],{"start":55},[41,5131,5132],{},"Set up a port forwarding rule in your router for port 9999 to your server.",[41,5134,5135],{},"From outside your network (a phone on mobile data, or a friend's connection), try to connect:",[110,5137,5139],{"className":749,"code":5138,"language":751,"meta":54,"style":54},"curl http:\u002F\u002F\u003Cyour-public-ip>:9999\n",[105,5140,5141],{"__ignoreMap":54},[118,5142,5143,5145,5148,5151,5154,5156,5159],{"class":120,"line":121},[118,5144,758],{"class":124},[118,5146,5147],{"class":128}," http:\u002F\u002F",[118,5149,5150],{"class":2221},"\u003C",[118,5152,5153],{"class":128},"your-public-i",[118,5155,16],{"class":3082},[118,5157,5158],{"class":2221},">",[118,5160,5161],{"class":128},":9999\n",[16,5163,5164],{},"If port 9999 works but your original port does not, your ISP is blocking that specific port.",[852,5166,4845],{"id":5167},"how-to-fix-it-2",[806,5169,5170,5176,5182],{},[41,5171,5172,5175],{},[682,5173,5174],{},"Use a non-standard port",": Run your service on a high port (e.g., 8443 instead of 443, 2525 instead of 25). This is the simplest workaround but means anyone connecting needs to know the custom port.",[41,5177,5178,5181],{},[682,5179,5180],{},"Call your ISP",": Some ISPs will unblock ports on request, especially if you upgrade to a business plan. It's worth asking.",[41,5183,5184,5187,5188,5192],{},[682,5185,5186],{},"Use a tunneling service",": If you need standard ports and your ISP won't budge, a service like ",[83,5189,1017],{"href":5190,"rel":5191},"https:\u002F\u002Fgetpublicip.com",[416]," gives you a dedicated public IP where all ports are available, bypassing ISP port restrictions entirely.",[668,5194,5196,5200,5203,5206,5209,5213,5228,5232,5244,5264,5274,5277],{"className":5195,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,5197,5199],{"id":5198},"_4-double-nat","4. Double NAT",[16,5201,5202],{},"Double NAT happens when there are two devices performing Network Address Translation between your server and the internet. The most common scenario: your ISP gave you a modem\u002Frouter combo, and you plugged your own router into it. Both devices are running NAT, so port forwarding on your router alone is not enough — the ISP modem's NAT drops inbound traffic before it ever reaches your router.",[852,5204,4768],{"id":5205},"how-to-check-3",[16,5207,5208],{},"Run a traceroute from your server and look at the first few hops:",[16,5210,5211],{},[682,5212,4776],{},[110,5214,5216],{"className":749,"code":5215,"language":751,"meta":54,"style":54},"traceroute -n 8.8.8.8\n",[105,5217,5218],{"__ignoreMap":54},[118,5219,5220,5223,5225],{"class":120,"line":121},[118,5221,5222],{"class":124},"traceroute",[118,5224,4946],{"class":337},[118,5226,5227],{"class":337}," 8.8.8.8\n",[16,5229,5230],{},[682,5231,4807],{},[110,5233,5235],{"className":749,"code":5234,"language":751,"meta":54,"style":54},"tracert 8.8.8.8\n",[105,5236,5237],{"__ignoreMap":54},[118,5238,5239,5242],{"class":120,"line":121},[118,5240,5241],{"class":124},"tracert",[118,5243,5227],{"class":337},[16,5245,5246,5247,5250,5251,5254,5255,713,5258,5254,5260,5263],{},"If you see ",[682,5248,5249],{},"two private IP addresses"," in the first hops (e.g., ",[105,5252,5253],{},"192.168.1.1"," then ",[105,5256,5257],{},"192.168.0.1",[105,5259,5253],{},[105,5261,5262],{},"10.0.0.1","), you have double NAT. The first hop is your router, and the second is the ISP modem doing its own NAT.",[16,5265,5266,5267,709,5269,713,5271,5273],{},"Another clue: log into your router and check the WAN IP. If it is a private address (",[105,5268,708],{},[105,5270,712],{},[105,5272,716],{},") instead of a public one, something upstream is performing NAT.",[852,5275,4845],{"id":5276},"how-to-fix-it-3",[806,5278,5279,5285,5291],{},[41,5280,5281,5284],{},[682,5282,5283],{},"Bridge mode"," (best option): Log into the ISP modem\u002Frouter and set it to bridge mode. This disables its NAT and DHCP functions, turning it into a simple modem. Your router then gets the public IP directly on its WAN interface, and port forwarding works as expected.",[41,5286,5287,5290],{},[682,5288,5289],{},"DMZ on the ISP modem",": If bridge mode is not available, configure the ISP modem's DMZ to forward all traffic to your router's WAN IP. This is less clean but effective.",[41,5292,5293,5296],{},[682,5294,5295],{},"Replace the ISP modem",": Some ISPs let you use your own modem, eliminating the double NAT entirely.",[668,5298,5300,5304,5311,5318,5321,5324,5329,5333,5339,5345,5355,5361,5378,5383,5387,5390],{"className":5299,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,5301,5303],{"id":5302},"_5-your-isp-uses-cgnat","5. Your ISP uses CGNAT",[16,5305,5306,5307,5310],{},"This is the big one. ",[682,5308,5309],{},"Carrier-grade NAT (CGNAT) is the number one hidden cause of port forwarding not working",", and it is the hardest for most people to diagnose because everything on your end looks correct.",[16,5312,5313],{},[421,5314],{"alt":5315,"className":5316,"src":5317},"Diagram comparing normal port forwarding vs port forwarding behind CGNAT, showing why CGNAT drops packets before they reach your router",[2871,2872],"\u002Fimages\u002Fguides\u002Fcgnat_blocking_port_forwarding.svg",[16,5319,5320],{},"CGNAT means your ISP is performing an additional layer of NAT at their network level, sharing a single public IPv4 address among dozens or hundreds of customers. Your router does not have a real public IP — it has an ISP-internal address. Port forwarding rules on your router only control your router's NAT table. They have zero effect on the ISP's CGNAT, which sits above your router and silently drops all unsolicited inbound connections.",[16,5322,5323],{},"The result: you can configure port forwarding perfectly, your firewall rules can be correct, your server can be listening — and outside connections will still time out. No error, no rejection, just silence. This is why it is so frustrating.",[16,5325,5326,5327,769],{},"For a deep dive on what CGNAT is, how it works, and which ISPs use it, see our ",[83,5328,4608],{"href":727},[852,5330,5332],{"id":5331},"how-to-check-if-you-are-behind-cgnat","How to check if you are behind CGNAT",[16,5334,5335,5338],{},[682,5336,5337],{},"Step 1:"," Log into your router's admin panel and find the WAN IP address (sometimes called \"Internet IP\" or \"External IP\").",[16,5340,5341,5344],{},[682,5342,5343],{},"Step 2:"," From any device on your network, check your actual public IP:",[110,5346,5347],{"className":749,"code":750,"language":751,"meta":54,"style":54},[105,5348,5349],{"__ignoreMap":54},[118,5350,5351,5353],{"class":120,"line":121},[118,5352,758],{"class":124},[118,5354,761],{"class":128},[16,5356,5357,5360],{},[682,5358,5359],{},"If these two addresses do not match, you are behind CGNAT."," Your router thinks it has a public IP, but the ISP is translating it again before it reaches the internet.",[16,5362,5363,5366,5367,1759,5369,5371,5372,5377],{},[682,5364,5365],{},"Step 3:"," Check whether the WAN IP is in the CGNAT reserved range. If your router shows an address between ",[105,5368,778],{},[105,5370,782],{},", that is the ",[83,5373,5376],{"href":5374,"rel":5375},"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc6598",[416],"RFC 6598"," range reserved specifically for CGNAT. This is a definitive confirmation.",[16,5379,5380,5381,769],{},"For more ways to check your public IP, see our guide to ",[83,5382,2911],{"href":767},[852,5384,5386],{"id":5385},"why-no-router-configuration-can-fix-cgnat","Why no router configuration can fix CGNAT",[16,5388,5389],{},"Your router's port forwarding rules only control the translation between your LAN (192.168.x.x) and your router's WAN address. But with CGNAT, that WAN address is not public — it is an ISP-internal address. The ISP's NAT device handles the translation from that internal address to the shared public IP, and it has no port forwarding rules for your traffic. You cannot configure it, your ISP controls it, and in most cases they will not add forwarding rules for individual customers.",[16,5391,5392],{},"Changing routers, enabling UPnP, using DMZ mode — none of it matters. The problem is above your network.",[668,5394,5396,5400,5403,5406,5409,5419,5422,5425],{"className":5395,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,5397,5399],{"id":5398},"_6-dynamic-ip-changed","6. Dynamic IP changed",[16,5401,5402],{},"If port forwarding was working before and suddenly stopped, your ISP may have changed your public IP address. Most residential internet plans use dynamic IP assignment — your public IP can change when your modem reboots, when the ISP performs maintenance, or simply after a DHCP lease expires.",[16,5404,5405],{},"Anyone trying to connect to your old IP address will reach nothing (or worse, someone else's network).",[852,5407,4768],{"id":5408},"how-to-check-4",[110,5410,5411],{"className":749,"code":750,"language":751,"meta":54,"style":54},[105,5412,5413],{"__ignoreMap":54},[118,5414,5415,5417],{"class":120,"line":121},[118,5416,758],{"class":124},[118,5418,761],{"class":128},[16,5420,5421],{},"Compare the result to the IP you have been giving out or using in DNS records. If it changed, that is your answer.",[852,5423,4845],{"id":5424},"how-to-fix-it-4",[806,5426,5427,5433,5443],{},[41,5428,5429,5432],{},[682,5430,5431],{},"Dynamic DNS (DDNS)",": Services like DuckDNS, No-IP, or Cloudflare DNS with an update script can automatically update a hostname to point to your current IP. This does not prevent the IP from changing, but it ensures the hostname always resolves to your latest address. Most routers have built-in DDNS support.",[41,5434,5435,5438,5439,5442],{},[682,5436,5437],{},"Static IP from your ISP",": Ask your ISP for a static public IP address. This prevents the IP from ever changing. See our ",[83,5440,5441],{"href":876},"guide to getting a static IP"," for what to expect.",[41,5444,5445,5448,5449,5452],{},[682,5446,5447],{},"Dedicated public IP via GetPublicIP",": A ",[83,5450,1017],{"href":5190,"rel":5451},[416]," address is static by default, does not change, and is not tied to your ISP line. If you switch ISPs or move house, the IP stays the same.",[668,5454,5456,5460,5463,5467,5470,5476,5482,5486,5489,5494,5499,5503,5509,5515],{"className":5455,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,5457,5459],{"id":5458},"how-to-fix-port-forwarding-when-cgnat-is-the-problem","How to fix port forwarding when CGNAT is the problem",[16,5461,5462],{},"If you have confirmed CGNAT is blocking your port forwarding, router-level fixes will not help. You need to get traffic to your server through a different path. Here are three realistic options, from simplest to most capable.",[852,5464,5466],{"id":5465},"option-1-ask-your-isp-for-a-static-public-ip","Option 1: Ask your ISP for a static public IP",[16,5468,5469],{},"Some ISPs offer a dedicated public IP as a paid add-on, typically $5-30\u002Fmonth. This takes you out of the CGNAT pool and gives you a real public address where port forwarding works normally.",[16,5471,5472,5475],{},[682,5473,5474],{},"Downsides:"," Not all ISPs offer it (especially on residential plans). The IP is tied to your physical line — move house and you lose it. Residential IPs often have poor sender reputation for email. No failover if your connection drops.",[16,5477,5478,5479,769],{},"For a full breakdown: ",[83,5480,5481],{"href":876},"How to get a static IP address",[852,5483,5485],{"id":5484},"option-2-cloudflare-tunnel-free-httphttps-only","Option 2: Cloudflare Tunnel (free, HTTP\u002FHTTPS only)",[16,5487,5488],{},"Cloudflare Tunnel creates an outbound connection from your server to Cloudflare's edge, and Cloudflare reverse-proxies HTTP\u002FHTTPS traffic back to you. It is free and bypasses CGNAT because the tunnel is outbound (which CGNAT allows).",[16,5490,5491,5493],{},[682,5492,5474],{}," Only works for HTTP and HTTPS. SSL\u002FTLS is terminated at Cloudflare — they can see your traffic in plaintext. No support for email (SMTP), game servers, VoIP, or any UDP-based protocol. You do not get a real public IP.",[16,5495,5496,5497,769],{},"For a detailed comparison: ",[83,5498,918],{"href":917},[852,5500,5502],{"id":5501},"option-3-getpublicip-dedicated-ipv4-any-protocol","Option 3: GetPublicIP (dedicated IPv4, any protocol)",[16,5504,5505,5508],{},[83,5506,1017],{"href":5190,"rel":5507},[416]," gives you a dedicated public IPv4 address routed to your server over an encrypted WireGuard tunnel. Your server makes an outbound connection to our edge (which CGNAT allows), and all inbound traffic for your public IP flows through that tunnel to your server.",[16,5510,5511,5514],{},[682,5512,5513],{},"Why this works for port forwarding:"," You get a real, static public IP address with all 65,535 ports available. Open exactly the ports you need through the management console. Any protocol works — TCP, UDP, ICMP. SSL\u002FTLS is end-to-end encrypted; we never terminate or inspect your traffic.",[16,5516,5517,5518,5521,5522,5525],{},"Setup takes about five minutes: ",[83,5519,5520],{"href":977},"create an account",", provision an IP, download the WireGuard config, and start the tunnel. Full walkthrough in the ",[83,5523,5524],{"href":65},"getting started guide",". The cost is $8.99\u002Fmonth per IP with no contracts.",[668,5527,5529,5533,5540,5543,5548,5609,5619,5624,5627,5647,5650,5655,5663,5668,5707,5710,5715,5725,5728,5733,5741,5746],{"className":5528,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,5530,5532],{"id":5531},"quick-diagnosis-checklist","Quick diagnosis checklist",[16,5534,5535],{},[421,5536],{"alt":5537,"className":5538,"src":5539},"Port forwarding diagnosis flowchart showing how to identify the cause of port forwarding failures step by step",[2871,2872],"\u002Fimages\u002Fguides\u002Fport_forwarding_diagram.svg",[16,5541,5542],{},"Work through these steps in order. Each one rules out a specific cause, and by the end you will know exactly what is wrong.",[16,5544,5545],{},[682,5546,5547],{},"1. Is your server actually listening on the port?",[110,5549,5551],{"className":749,"code":5550,"language":751,"meta":54,"style":54},"# Linux\nss -tlnp | grep \u003Cport>\n\n# Windows\nnetstat -an | findstr \u003Cport>\n",[105,5552,5553,5558,5579,5583,5588],{"__ignoreMap":54},[118,5554,5555],{"class":120,"line":121},[118,5556,5557],{"class":1372},"# Linux\n",[118,5559,5560,5563,5566,5568,5570,5572,5575,5577],{"class":120,"line":55},[118,5561,5562],{"class":124},"ss",[118,5564,5565],{"class":337}," -tlnp",[118,5567,2222],{"class":2221},[118,5569,2225],{"class":124},[118,5571,4953],{"class":2221},[118,5573,5574],{"class":128},"por",[118,5576,4959],{"class":3082},[118,5578,4962],{"class":2221},[118,5580,5581],{"class":120,"line":440},[118,5582,1388],{"emptyLinePlaceholder":1387},[118,5584,5585],{"class":120,"line":487},[118,5586,5587],{"class":1372},"# Windows\n",[118,5589,5590,5593,5596,5598,5601,5603,5605,5607],{"class":120,"line":502},[118,5591,5592],{"class":124},"netstat",[118,5594,5595],{"class":337}," -an",[118,5597,2222],{"class":2221},[118,5599,5600],{"class":124}," findstr",[118,5602,4953],{"class":2221},[118,5604,5574],{"class":128},[118,5606,4959],{"class":3082},[118,5608,4962],{"class":2221},[16,5610,5611,5612,5615,5616,3150],{},"If there is no listener, the service is not running or is bound to the wrong interface (e.g., ",[105,5613,5614],{},"127.0.0.1"," instead of ",[105,5617,5618],{},"0.0.0.0",[16,5620,5621],{},[682,5622,5623],{},"2. Can you connect from another device on your LAN?",[16,5625,5626],{},"From a second computer or phone on the same network:",[110,5628,5630],{"className":749,"code":5629,"language":751,"meta":54,"style":54},"curl http:\u002F\u002F192.168.1.50:\u003Cport>\n",[105,5631,5632],{"__ignoreMap":54},[118,5633,5634,5636,5639,5641,5643,5645],{"class":120,"line":121},[118,5635,758],{"class":124},[118,5637,5638],{"class":128}," http:\u002F\u002F192.168.1.50:",[118,5640,5150],{"class":2221},[118,5642,5574],{"class":128},[118,5644,4959],{"class":3082},[118,5646,4962],{"class":2221},[16,5648,5649],{},"If this fails, the problem is the server itself (firewall or configuration), not your router or ISP.",[16,5651,5652],{},[682,5653,5654],{},"3. Is your router forwarding to the correct local IP?",[16,5656,5657,5658,2248,5660,5662],{},"Check the port forwarding rule in your router's admin panel. Verify the destination IP matches your server's current IP (run ",[105,5659,2409],{},[105,5661,2706],{}," on the server to confirm).",[16,5664,5665],{},[682,5666,5667],{},"4. Is your OS firewall allowing the port?",[110,5669,5671],{"className":749,"code":5670,"language":751,"meta":54,"style":54},"# Linux (ufw)\nsudo ufw status\n\n# Linux (iptables)\nsudo iptables -L -n\n",[105,5672,5673,5678,5687,5691,5696],{"__ignoreMap":54},[118,5674,5675],{"class":120,"line":121},[118,5676,5677],{"class":1372},"# Linux (ufw)\n",[118,5679,5680,5682,5684],{"class":120,"line":55},[118,5681,220],{"class":124},[118,5683,223],{"class":128},[118,5685,5686],{"class":128}," status\n",[118,5688,5689],{"class":120,"line":440},[118,5690,1388],{"emptyLinePlaceholder":1387},[118,5692,5693],{"class":120,"line":487},[118,5694,5695],{"class":1372},"# Linux (iptables)\n",[118,5697,5698,5700,5702,5704],{"class":120,"line":502},[118,5699,220],{"class":124},[118,5701,4940],{"class":128},[118,5703,4943],{"class":337},[118,5705,5706],{"class":337}," -n\n",[16,5708,5709],{},"On Windows, check Inbound Rules in Windows Defender Firewall with Advanced Security.",[16,5711,5712],{},[682,5713,5714],{},"5. Compare your router's WAN IP to your real public IP",[110,5716,5717],{"className":749,"code":750,"language":751,"meta":54,"style":54},[105,5718,5719],{"__ignoreMap":54},[118,5720,5721,5723],{"class":120,"line":121},[118,5722,758],{"class":124},[118,5724,761],{"class":128},[16,5726,5727],{},"If the result does not match your router's WAN IP, you are behind CGNAT. Port forwarding at the router level cannot work.",[16,5729,5730],{},[682,5731,5732],{},"6. Is the WAN IP in the 100.64.x.x range?",[16,5734,5735,5736,1759,5738,5740],{},"If your router's WAN interface shows an address between ",[105,5737,778],{},[105,5739,782],{},", CGNAT is confirmed. No router-level fix exists.",[16,5742,5743],{},[682,5744,5745],{},"7. Test a high random port from outside your network",[16,5747,5748],{},"Forward a port in the 49152-65535 range and test from a phone on mobile data or a friend's network. If even this high port fails from outside, the problem is above your router — either CGNAT or an ISP-level firewall.",[668,5750,5752,5754,5766,5787,5799,5808,5817],{"className":5751,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,5753,1096],{"id":1095},[1098,5755,5757,5760],{"className":5756},[1101],[1103,5758,5759],{},"Why is my port forwarding not working even though it is set up correctly?",[16,5761,5762,5763,5765],{},"The most common hidden cause is CGNAT (carrier-grade NAT), where your ISP shares one public IP among many customers. Your router's port forwarding rules are technically correct, but they only control the first NAT layer. The ISP's CGNAT sits above your router and drops all inbound traffic before it ever reaches you. Compare your router's WAN IP to ",[105,5764,1120],{}," — if they differ, CGNAT is the problem. Other causes include OS firewalls silently dropping traffic, the server's local IP changing due to DHCP, or your ISP blocking specific ports on residential connections.",[1098,5767,5769,5772],{"className":5768},[1101],[1103,5770,5771],{},"How do I know if my ISP uses CGNAT?",[16,5773,5774,5775,5777,5778,5780,5781,5783,5784,769],{},"Log into your router and note the WAN IP address. Then run ",[105,5776,1120],{}," from any device on your network. If the two addresses do not match, your ISP is using CGNAT. Another strong signal is seeing an address in the ",[105,5779,778],{}," through ",[105,5782,782],{}," range on your router's WAN interface — that is the reserved CGNAT range defined in RFC 6598. For a full explanation, see our ",[83,5785,5786],{"href":727},"guide to self-hosting behind CGNAT",[1098,5788,5790,5793],{"className":5789},[1101],[1103,5791,5792],{},"Can I port forward behind CGNAT?",[16,5794,5795,5796,5798],{},"No. CGNAT is controlled by your ISP, not your router. No amount of router configuration can fix it because the ISP's NAT device does not know which customer should receive an inbound connection. You need a workaround: request a static public IP from your ISP, use a reverse proxy like Cloudflare Tunnel (HTTP\u002FHTTPS only), or use a dedicated public IP service like ",[83,5797,1017],{"href":977}," that tunnels a real public IPv4 to your server over WireGuard.",[1098,5800,5802,5805],{"className":5801},[1101],[1103,5803,5804],{},"Does a VPN fix port forwarding problems?",[16,5806,5807],{},"A standard privacy VPN (NordVPN, Mullvad, etc.) does not fix port forwarding. Most consumer VPNs block inbound connections entirely — they are designed to hide your IP, not expose one. A tunneling service like GetPublicIP is different: it assigns you a dedicated public IP and routes all inbound traffic to your server through an encrypted WireGuard tunnel, which bypasses CGNAT and ISP port blocks completely.",[1098,5809,5811,5814],{"className":5810},[1101],[1103,5812,5813],{},"Why does my ISP block certain ports?",[16,5815,5816],{},"ISPs block ports like 25 (SMTP), 80 (HTTP), and 443 (HTTPS) on residential connections to prevent spam from compromised machines, reduce abuse, and encourage business-tier upgrades. Some ISPs also block ports to comply with regional regulations. You can test whether a specific port is blocked by forwarding a high port like 9999 instead — if traffic arrives on 9999 but not on 80, your ISP is filtering that port.",[1098,5818,5820,5823],{"className":5819},[1101],[1103,5821,5822],{},"What is the easiest way to get port forwarding working behind CGNAT?",[16,5824,5825,5826,5828,5829,5831],{},"The easiest full-featured solution is ",[83,5827,1017],{"href":977},". Sign up, provision a dedicated public IPv4 address, download the WireGuard config to your server, and start the tunnel. All inbound traffic for your public IP is routed to your server over an encrypted tunnel — any protocol, any port. Setup takes about five minutes and costs $8.99\u002Fmonth. See the ",[83,5830,5524],{"href":65}," for a full walkthrough.",[351,5833,5834],{},"html pre.shiki code .sHkqI, html code.shiki .sHkqI{--shiki-default:#A6E22E}html pre.shiki code .s_Ekj, html code.shiki .s_Ekj{--shiki-default:#E6DB74}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .s7s5_, html code.shiki .s7s5_{--shiki-default:#AE81FF}html pre.shiki code .s8I7P, html code.shiki .s8I7P{--shiki-default:#F92672}html pre.shiki code .sCdxs, html code.shiki .sCdxs{--shiki-default:#F8F8F2}html pre.shiki code .snpHw, html code.shiki .snpHw{--shiki-default:#88846F}",{"title":54,"searchDepth":55,"depth":55,"links":5836},[5837,5838,5842,5846,5850,5854,5858,5862,5867,5868],{"id":4691,"depth":55,"text":4692},{"id":4757,"depth":55,"text":4758,"children":5839},[5840,5841],{"id":4767,"depth":440,"text":4768},{"id":4844,"depth":440,"text":4845},{"id":4879,"depth":55,"text":4880,"children":5843},[5844,5845],{"id":4894,"depth":440,"text":4768},{"id":4973,"depth":440,"text":4845},{"id":5064,"depth":55,"text":5065,"children":5847},[5848,5849],{"id":5100,"depth":440,"text":4768},{"id":5167,"depth":440,"text":4845},{"id":5198,"depth":55,"text":5199,"children":5851},[5852,5853],{"id":5205,"depth":440,"text":4768},{"id":5276,"depth":440,"text":4845},{"id":5302,"depth":55,"text":5303,"children":5855},[5856,5857],{"id":5331,"depth":440,"text":5332},{"id":5385,"depth":440,"text":5386},{"id":5398,"depth":55,"text":5399,"children":5859},[5860,5861],{"id":5408,"depth":440,"text":4768},{"id":5424,"depth":440,"text":4845},{"id":5458,"depth":55,"text":5459,"children":5863},[5864,5865,5866],{"id":5465,"depth":440,"text":5466},{"id":5484,"depth":440,"text":5485},{"id":5501,"depth":440,"text":5502},{"id":5531,"depth":55,"text":5532},{"id":1095,"depth":55,"text":1096},"Port forwarding not working? The 6 most common causes - wrong IP, firewall, ISP blocks, double NAT, CGNAT, and dynamic IP - plus how to diagnose and fix each one.",[5871,5873,5875,5877,5879,5881],{"question":5759,"answer":5872},"The most common hidden cause is CGNAT (carrier-grade NAT), where your ISP shares one public IP among many customers. Your router's port forwarding rules are technically correct, but they only control the first NAT layer. The ISP's CGNAT sits above your router and drops all inbound traffic before it ever reaches you. Compare your router's WAN IP to curl https:\u002F\u002Fapi.getpublicip.com\u002Fip - if they differ, CGNAT is the problem.",{"question":5771,"answer":5874},"Log into your router and note the WAN IP address. Then run curl https:\u002F\u002Fapi.getpublicip.com\u002Fip from any device on your network. If the two addresses do not match, your ISP is using CGNAT. Another strong signal is seeing an address in the 100.64.0.0 through 100.127.255.255 range on your router's WAN interface - that is the reserved CGNAT range defined in RFC 6598.",{"question":5792,"answer":5876},"No. CGNAT is controlled by your ISP, not your router. No amount of router configuration can fix it because the ISP's NAT device does not know which customer should receive an inbound connection. You need a workaround: request a static public IP from your ISP, use a reverse proxy like Cloudflare Tunnel (HTTP\u002FHTTPS only), or use a dedicated public IP service like GetPublicIP that tunnels a real public IPv4 to your server over WireGuard.",{"question":5804,"answer":5878},"A standard privacy VPN (NordVPN, Mullvad, etc.) does not fix port forwarding. Most consumer VPNs block inbound connections entirely. A tunneling service like GetPublicIP is different - it assigns you a dedicated public IP and routes inbound traffic to your server through an encrypted WireGuard tunnel, which bypasses CGNAT and ISP port blocks.",{"question":5813,"answer":5880},"ISPs block ports like 25 (SMTP), 80 (HTTP), and 443 (HTTPS) on residential connections to prevent spam, reduce abuse, and encourage business-tier upgrades. Some ISPs also block ports to comply with regulations. You can test this by forwarding a high port like 9999 instead - if that works but port 80 does not, your ISP is filtering specific ports.",{"question":5822,"answer":5882},"The easiest full-featured solution is GetPublicIP. Sign up, provision a dedicated public IPv4 address, download the WireGuard config to your server, and start the tunnel. All inbound traffic for your public IP is routed to your server over an encrypted tunnel. It works with any protocol on any port, takes about five minutes to set up, and costs $8.99 per month.",{},{"title":5885,"icon":5886,"description":5887},"Port Forwarding Not Working?","mdi-lan-disconnect","Diagnose the 6 most common reasons port forwarding fails and learn how to fix each one, including the hidden CGNAT problem.",{"title":4661,"description":5869},"guides\u002Fself-hosting\u002Fport-forwarding-not-working","GDI2tqdJAiVN7RcNKjYmFEV_WQnkCBWRDBJGNd1f9YE",{"id":5892,"title":5893,"body":5894,"createdAt":6782,"description":6783,"extension":61,"faq":6784,"meta":6796,"navigation":6797,"path":727,"seo":6801,"stem":6802,"updatedAt":1193,"__hash__":6803},"docs\u002Fguides\u002Fself-hosting\u002Fself-hosting-behind-carrier-grade-nat-cgnat.md","What is CGNAT? How to Self-Host Behind Carrier-Grade NAT (2026)",{"type":8,"value":5895,"toc":6761},[5896,5900,5909,5937,5951,6031,6124,6178,6254,6468,6623,6661,6758],[11,5897,5899],{"id":5898},"what-is-cgnat-how-to-self-host-behind-carrier-grade-nat","What is CGNAT? How to Self-Host Behind Carrier-Grade NAT",[668,5901,5903],{"className":5902,"rounded":54,"max-width":677},[671,672,673,674,675,676],[16,5904,5905,5906,5908],{},"If your internet service provider (ISP) sits you behind ",[682,5907,728],{},", you can't host anything at home. Game servers don't accept connections. Self-hosted email goes nowhere. Home Assistant is unreachable from outside the house. This guide explains what CGNAT is, how to check if you're stuck behind it, which ISPs use it, and most importantly, how to get a real public IP address so you can actually host what you want to host.",[668,5910,5912,5916,5929],{"className":5911,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,5913,5915],{"id":5914},"what-is-cgnat-plain-english","What is CGNAT? (Plain English)",[16,5917,5918,5921,5922,2248,5925,5928],{},[682,5919,5920],{},"Carrier-grade NAT (CGNAT)"," also called ",[682,5923,5924],{},"CGN",[682,5926,5927],{},"large-scale NAT (LSN)"," is a way for your ISP to share a single public IPv4 address among hundreds or thousands of customers. Your home router already performs NAT (translating your devices' private addresses to the public address assigned to your line). CGNAT adds a second translation on top: your ISP takes what looks like a public IP on your router and translates it again to their shared public IP before it reaches the internet.",[16,5930,5931,5932,5936],{},"The result for you is that you don't actually have a public IP of your own. You have a share of one. CGNAT is invisible for everyday browsing, streaming, or video calls, your outbound connections still work; but it breaks any service that relies on other people reaching ",[5933,5934,5935],"em",{},"you",": self-hosted websites, email, VoIP, game servers, Minecraft servers, remote desktop, Home Assistant remote access, and so on.",[668,5938,5940,5944],{"className":5939,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,5941,5943],{"id":5942},"why-isps-use-cgnat","Why ISPs use CGNAT",[16,5945,5946,5947,5950],{},"The IPv4 address space, about 4.3 billion unique addresses total, was fully allocated years ago. Rather than push every customer to IPv6 (which many services and apps still handle poorly), ISPs increasingly reuse a small pool of public IPv4 addresses across customers using CGNAT. It's cheap, invisible to most subscribers, and lets them keep adding new customers without buying IPv4 blocks on the secondary market where prices have climbed to $40+ per address. ",[83,5948,5376],{"href":5374,"rel":5949},[416]," reserved the 100.64.0.0\u002F10 address range specifically for this purpose.",[668,5952,5954,5958,5964,5967,5977,5982,6008,6012],{"className":5953,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,5955,5957],{"id":5956},"how-does-network-address-translation-nat-work","How does Network Address Translation (NAT) work?",[16,5959,5960,5961,5963],{},"Network Address Translation (NAT) is a fundamental networking technique that enables multiple devices on a private network to share a single public IP address when accessing the internet. NAT acts as an intermediary between your local network and the broader internet, translating private IP addresses (like ",[105,5962,2744],{},") into public IP addresses that can be routed across the internet. It has become essential in modern networking because of the limited availability of IPv4 addresses and the need for network security. By implementing NAT, organizations and home users can conserve public IP addresses while maintaining connectivity for many devices simultaneously.",[16,5965,5966],{},"The primary function of NAT is maintaining a translation table that maps internal private IP addresses and port numbers to external public IP addresses and ports. When a device on your private network initiates an outbound connection, the NAT device (typically a router or firewall) replaces the source IP address and port with its own public IP address and an available port number. This process ensures that return traffic can be properly routed back to the originating device. NAT operates at the network layer (Layer 3) of the OSI model and is transparent to end users, meaning devices on the internal network can communicate with external resources without requiring individual public IP addresses.",[16,5968,5969],{},[421,5970],{"alt":5971,"className":5972,"format":5973,"height":5974,"quality":209,"src":5975,"width":5976},"Network diagram showing a basic home or office network using a NAT table to translate inbound and outbound traffic",[2871,2872],"webp",689,"\u002Fimages\u002Fguides\u002Fnat1.png",1200,[5978,5979,5981],"h4",{"id":5980},"what-happens-when-device-a-connects-to-a-website","What happens when device A connects to a website",[38,5983,5984,5994,6003],{},[41,5985,5986,5987,5990,5991,417],{},"Device A sends a packet (",[105,5988,5989],{},"192.168.1.100:12345"," → ",[105,5992,5993],{},"203.0.113.10:80",[41,5995,5996,5997,5990,6000,6002],{},"The router translates the packet to (",[105,5998,5999],{},"202.88.69.1:7771",[105,6001,5993],{},") and records an entry in its NAT table",[41,6004,6005,6006],{},"The web server receives a packet from ",[105,6007,5999],{},[5978,6009,6011],{"id":6010},"the-reply-flow-from-website-to-device-a","The reply flow from website to device A",[38,6013,6014,6021,6028],{},[41,6015,6016,6017,5990,6019,417],{},"Website responds (",[105,6018,5993],{},[105,6020,5999],{},[41,6022,6023,6024,5990,6026,417],{},"The router uses the NAT table to translate the packet (",[105,6025,5993],{},[105,6027,5989],{},[41,6029,6030],{},"Device A receives the response",[668,6032,6034,6038,6041,6049,6053,6087,6091,6116],{"className":6033,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,6035,6037],{"id":6036},"how-does-carrier-grade-nat-cgnat-work","How does carrier-grade NAT (CGNAT) work?",[16,6039,6040],{},"Carrier-grade NAT works the same way as your home or office NAT, the end result is simply two layers of NAT between your devices and the internet. It lets multiple ISP subscribers share a single public IP address, which saves the number of public IP addresses needed for all users on the internet and allows the internet to keep growing on a limited pool of IPv4 addresses.",[16,6042,6043],{},[421,6044],{"alt":6045,"className":6046,"format":5973,"height":6047,"quality":209,"src":6048,"width":5976},"A network diagram showing a home network setup with NAT and an ISP carrier grade NAT",[2871,2872],967,"\u002Fimages\u002Fguides\u002Fnat2.png",[5978,6050,6052],{"id":6051},"what-happens-when-subscriber-bs-device-b-connects-to-a-website","What happens when subscriber B's device B connects to a website",[38,6054,6055,6063,6073,6082],{},[41,6056,6057,6058,5990,6061,417],{},"Device B sends a packet (",[105,6059,6060],{},"192.168.1.101:54321",[105,6062,5993],{},[41,6064,6065,6066,5990,6069,6072],{},"The home \u002F office router translates the packet (",[105,6067,6068],{},"172.22.0.102:8881",[105,6070,6071],{},"172.22.0.1:8881",") and maintains its own NAT table",[41,6074,6075,6076,5990,6079,6081],{},"The ISP then translates the packet again (",[105,6077,6078],{},"202.88.69.1:6666",[105,6080,5993],{},") and maintains a separate NAT table",[41,6083,6084,6085],{},"The web server receives the packet from ",[105,6086,6078],{},[5978,6088,6090],{"id":6089},"the-reply-flow-from-the-website","The reply flow from the website",[38,6092,6093,6099,6106,6113],{},[41,6094,6016,6095,5990,6097,417],{},[105,6096,5993],{},[105,6098,6078],{},[41,6100,6101,6102,5990,6104,417],{},"The ISP router uses the NAT table to translate the packet (",[105,6103,5993],{},[105,6105,6068],{},[41,6107,6108,6109,5990,6111,417],{},"Your home \u002F office router uses its NAT table to translate the packet (",[105,6110,6071],{},[105,6112,6060],{},[41,6114,6115],{},"Subscriber B's device B receives the response",[16,6117,6118],{},[421,6119],{"alt":6120,"className":6121,"format":5973,"height":6122,"quality":209,"src":6123,"width":5976},"A network diagram showing a home network setup with NAT and a ISP carrier grade NAT showing a red line outlining the logical flow",[2871,2872],965,"\u002Fimages\u002Fguides\u002Fnat3.png",[668,6125,6127,6131,6159,6172],{"className":6126,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,6128,6130],{"id":6129},"the-cgnat-ip-address-range-100640010","The CGNAT IP address range (100.64.0.0\u002F10)",[16,6132,6133,6134,6137,6138,6144,6145,6150,6151,709,6153,709,6156,6158],{},"CGNAT uses a reserved IPv4 range defined in ",[83,6135,5376],{"href":5374,"rel":6136},[416],": ",[682,6139,6140,779,6142],{},[105,6141,778],{},[105,6143,782],{},", written in CIDR notation as ",[682,6146,6147],{},[105,6148,6149],{},"100.64.0.0\u002F10",". That's roughly 4 million addresses, enough for an ISP to stand up a large customer base without conflicting with any public internet address or the private RFC 1918 ranges (",[105,6152,712],{},[105,6154,6155],{},"172.16–31.x.x",[105,6157,708],{},") that home routers use.",[16,6160,6161,6164,6165,5780,6168,6171],{},[682,6162,6163],{},"The practical signal",": if your router's WAN interface shows an address starting with ",[105,6166,6167],{},"100.64.",[105,6169,6170],{},"100.127.",", your ISP is using CGNAT. You can check this in your router's admin panel (usually under \"WAN\" or \"Status → Internet\") or from a computer on the LAN by visiting the router's admin page.",[16,6173,6174,6175,6177],{},"Not every CGNAT deployment uses this range, some ISPs deploy CGNAT on other unallocated blocks, but ",[105,6176,6149],{}," is the standard and the most common signal.",[668,6179,6181,6185,6188,6192,6195,6220,6229,6233,6244,6248],{"className":6180,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,6182,6184],{"id":6183},"how-to-check-if-youre-behind-cgnat","How to check if you're behind CGNAT",[16,6186,6187],{},"Three quick tests. Any one of them confirms CGNAT.",[852,6189,6191],{"id":6190},"_1-compare-your-routers-wan-ip-to-your-real-public-ip","1. Compare your router's WAN IP to your real public IP",[16,6193,6194],{},"Log into your router's admin panel and note the WAN \u002F public IP it reports. Then, from any device on your network, run one of these commands to see what the internet actually sees you as:",[110,6196,6198],{"className":112,"code":6197,"language":114,"meta":54,"style":54},"curl https:\u002F\u002Fapi.getpublicip.com\u002Fip\n# or\nwget -O- https:\u002F\u002Fapi.getpublicip.com\u002Fip\n",[105,6199,6200,6206,6211],{"__ignoreMap":54},[118,6201,6202,6204],{"class":120,"line":121},[118,6203,758],{"class":124},[118,6205,761],{"class":128},[118,6207,6208],{"class":120,"line":55},[118,6209,6210],{"class":1372},"# or\n",[118,6212,6213,6215,6218],{"class":120,"line":440},[118,6214,1285],{"class":124},[118,6216,6217],{"class":337}," -O-",[118,6219,761],{"class":128},[16,6221,6222,6223,6226,6227,2912],{},"If the two IPs ",[682,6224,6225],{},"don't match",", you're behind CGNAT (or some other kind of upstream translation). See our full guide to ",[83,6228,2911],{"href":767},[852,6230,6232],{"id":6231},"_2-check-for-a-10064xx-address-on-your-routers-wan","2. Check for a 100.64.x.x address on your router's WAN",[16,6234,6235,6236,6243],{},"If your router's WAN interface shows an address in the range ",[682,6237,6238,6240,6241],{},[105,6239,778],{}," - ",[105,6242,782],{},", that's the reserved CGNAT range, your ISP is definitely using CGNAT.",[852,6245,6247],{"id":6246},"_3-try-to-open-a-port-from-the-outside","3. Try to open a port from the outside",[16,6249,6250,6251],{},"Pick an unused port (say, 8080), forward it on your router to a test service, and try to connect from a phone on mobile data or from a friend's network. If the connection times out and everything in your setup looks correct, CGNAT at the ISP level is the likely cause. You can also call your ISP and ask directly: ",[5933,6252,6253],{},"Am I on CGNAT? Can I get a public IPv4 address on my plan?",[668,6255,6257,6261,6269,6465],{"className":6256,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,6258,6260],{"id":6259},"which-isps-use-cgnat","Which ISPs use CGNAT?",[16,6262,6263,6264,6268],{},"CGNAT is most common on mobile networks (4G \u002F 5G) and increasingly on fibre broadband in markets where IPv4 is scarce. The list below is not exhaustive, and individual plans or customer cohorts within an ISP may differ, use the ",[83,6265,6267],{"href":6266},"#how-to-check-if-youre-behind-cgnat","three checks above"," to confirm your own situation.",[1773,6270,6271,6287],{},[1776,6272,6273],{},[1779,6274,6275,6278,6281,6284],{},[1782,6276,6277],{},"ISP",[1782,6279,6280],{},"Country",[1782,6282,6283],{},"Status",[1782,6285,6286],{},"Notes",[1792,6288,6289,6303,6317,6330,6342,6354,6367,6380,6393,6404,6417,6430,6441,6452],{},[1779,6290,6291,6294,6297,6300],{},[1797,6292,6293],{},"Virgin Media",[1797,6295,6296],{},"UK \u002F Ireland",[1797,6298,6299],{},"Partial",[1797,6301,6302],{},"Rolled out to new subscribers in Ireland; UK residential mostly still public",[1779,6304,6305,6308,6311,6314],{},[1797,6306,6307],{},"Tele2",[1797,6309,6310],{},"Sweden \u002F Baltics",[1797,6312,6313],{},"Confirmed",[1797,6315,6316],{},"Mobile and residential fibre",[1779,6318,6319,6322,6325,6327],{},[1797,6320,6321],{},"Simba (formerly TPG Telecom SG)",[1797,6323,6324],{},"Singapore",[1797,6326,6313],{},[1797,6328,6329],{},"Shared IPv4 across customers on residential fibre",[1779,6331,6332,6335,6337,6339],{},[1797,6333,6334],{},"StarHub",[1797,6336,6324],{},[1797,6338,6299],{},[1797,6340,6341],{},"Some residential broadband plans",[1779,6343,6344,6347,6349,6351],{},[1797,6345,6346],{},"Singtel",[1797,6348,6324],{},[1797,6350,6299],{},[1797,6352,6353],{},"Mixed - depends on plan tier",[1779,6355,6356,6359,6362,6364],{},[1797,6357,6358],{},"2degrees",[1797,6360,6361],{},"New Zealand",[1797,6363,6313],{},[1797,6365,6366],{},"Mobile and some residential",[1779,6368,6369,6372,6375,6377],{},[1797,6370,6371],{},"TPG \u002F iiNet",[1797,6373,6374],{},"Australia",[1797,6376,6299],{},[1797,6378,6379],{},"Some NBN plans",[1779,6381,6382,6385,6388,6390],{},[1797,6383,6384],{},"Hyperoptic",[1797,6386,6387],{},"UK",[1797,6389,6313],{},[1797,6391,6392],{},"Residential fibre by default",[1779,6394,6395,6398,6400,6402],{},[1797,6396,6397],{},"Community Fibre",[1797,6399,6387],{},[1797,6401,6313],{},[1797,6403,6392],{},[1779,6405,6406,6409,6412,6414],{},[1797,6407,6408],{},"Cox Communications",[1797,6410,6411],{},"US",[1797,6413,6299],{},[1797,6415,6416],{},"Cox Mobile; residential broadband generally public",[1779,6418,6419,6422,6425,6427],{},[1797,6420,6421],{},"FPT Telecom",[1797,6423,6424],{},"Vietnam",[1797,6426,6313],{},[1797,6428,6429],{},"Residential fibre",[1779,6431,6432,6435,6437,6439],{},[1797,6433,6434],{},"Viettel",[1797,6436,6424],{},[1797,6438,6313],{},[1797,6440,6429],{},[1779,6442,6443,6446,6448,6450],{},[1797,6444,6445],{},"VNPT",[1797,6447,6424],{},[1797,6449,6313],{},[1797,6451,6429],{},[1779,6453,6454,6457,6460,6462],{},[1797,6455,6456],{},"Most mobile \u002F 4G \u002F 5G networks",[1797,6458,6459],{},"Worldwide",[1797,6461,6313],{},[1797,6463,6464],{},"CGNAT is effectively the default on mobile data",[16,6466,6467],{},"If your ISP isn't listed, don't assume you're in the clear. Some ISPs offer a static IP add-on as a paid upgrade that takes you out of the CGNAT pool, if that's not an option, read on.",[668,6469,6471,6475,6478,6596,6599,6605,6607,6612,6615,6618,6620],{"className":6470,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,6472,6474],{"id":6473},"cgnat-vs-static-ip-vs-cloudflare-tunnel-vs-getpublicip","CGNAT vs static IP vs Cloudflare Tunnel vs GetPublicIP",[16,6476,6477],{},"Four realistic ways to get inbound connectivity at home despite CGNAT. Each has trade-offs.",[1773,6479,6480,6503],{},[1776,6481,6482],{},[1779,6483,6484,6487,6490,6492,6495,6498,6501],{},[1782,6485,6486],{},"Solution",[1782,6488,6489],{},"Inbound connections",[1782,6491,3414],{},[1782,6493,6494],{},"SSL\u002FTLS terminates",[1782,6496,6497],{},"Typical cost",[1782,6499,6500],{},"Portability",[1782,6502,3368],{},[1792,6504,6505,6527,6550,6573],{},[1779,6506,6507,6511,6513,6516,6518,6521,6524],{},[1797,6508,6509],{},[682,6510,1011],{},[1797,6512,3436],{},[1797,6514,6515],{},"⚠️ Poor reputation",[1797,6517,3442],{},[1797,6519,6520],{},"$5–$30 \u002F month (often business-only)",[1797,6522,6523],{},"❌ Tied to your line",[1797,6525,6526],{},"❌ None",[1779,6528,6529,6533,6536,6539,6541,6544,6547],{},[1797,6530,6531],{},[682,6532,1023],{},[1797,6534,6535],{},"HTTP(S) only",[1797,6537,6538],{},"❌ Not supported",[1797,6540,3478],{},[1797,6542,6543],{},"Free on Zero Trust free tier",[1797,6545,6546],{},"✅ Yes",[1797,6548,6549],{},"Via Cloudflare",[1779,6551,6552,6557,6560,6563,6565,6568,6570],{},[1797,6553,6554],{},[682,6555,6556],{},"Tailscale \u002F mesh VPN",[1797,6558,6559],{},"Only for invited peers",[1797,6561,6562],{},"❌ No public email",[1797,6564,3498],{},[1797,6566,6567],{},"Free tier \u002F $6+ per user",[1797,6569,6546],{},[1797,6571,6572],{},"Depends on setup",[1779,6574,6575,6579,6581,6584,6587,6590,6593],{},[1797,6576,6577],{},[682,6578,1017],{},[1797,6580,941],{},[1797,6582,6583],{},"✅ Full SMTP\u002FIMAP",[1797,6585,6586],{},"At your server (end-to-end)",[1797,6588,6589],{},"Flat monthly per IP",[1797,6591,6592],{},"✅ Move your server anywhere",[1797,6594,6595],{},"✅ Built-in",[852,6597,1011],{"id":6598},"isp-static-ip",[16,6600,6601,6602,769],{},"Ask your ISP. Some offer it for an extra monthly fee, usually on business plans only. You get a real, dedicated public IPv4. Downsides: residential-IP blocks often have poor mail sender reputation (which breaks email hosting), you lose the IP if you move house, and there's no failover if your line goes down. Our full walkthrough: ",[83,6603,6604],{"href":876},"how to get a static IP address",[852,6606,1023],{"id":4068},[16,6608,6609,6610,769],{},"Free and works, for HTTP(S) only. Cloudflare reverse-proxies your traffic through their edge, so SSL\u002FTLS is terminated on Cloudflare's servers. That's a dealbreaker if you need true end-to-end encryption or you're hosting anything beyond web services (email, game servers, VoIP, SSH over a custom port, etc.). See our detailed comparison: ",[83,6611,918],{"href":917},[852,6613,6556],{"id":6614},"tailscale-mesh-vpn",[16,6616,6617],{},"Great if the only people connecting to your server are you and a small circle you can invite onto the VPN. Not suitable for anything that needs to be reachable on the open internet, your services aren't visible to non-members.",[852,6619,1017],{"id":4057},[16,6621,6622],{},"A dedicated public IPv4 hosted on our edge infrastructure, routed to your server via a WireGuard tunnel. Your server initiates an outbound connection to us (which CGNAT allows), and all inbound traffic for your public IP flows back through that tunnel. SSL\u002FTLS is end-to-end encrypted, we never see your plaintext. Works for any protocol. Portable across locations. Built-in failover.",[668,6624,6626,6630,6633,6641,6643,6654],{"className":6625,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,6627,6629],{"id":6628},"how-does-getpublicip-work","How does GetPublicIP work?",[16,6631,6632],{},"GetPublicIP delivers a public IP address over an encrypted WireGuard VPN tunnel to your server in your home or office. This solution overcomes carrier-grade NAT and lets you relocate your server to another location without needing to change your IP address, unlike ISP static IP addresses, which are tied to the physical line.",[16,6634,6635],{},[421,6636],{"alt":6637,"className":6638,"format":5973,"height":6639,"quality":209,"src":6640,"width":5976},"Network diagram showing a VPN tunnel between a server at home traversing carrier grade NAT and terminating at a server",[2871,2872],475,"\u002Fimages\u002Fguides\u002Fnat4.png",[5978,6642,3029],{"id":32},[806,6644,6645,6648,6651],{},[41,6646,6647],{},"Your server connects to the GetPublicIP server. This outbound connection sets the NAT tables between your server and GetPublicIP's server and creates a path for communication something CGNAT allows without issue.",[41,6649,6650],{},"When remote clients connect to your public IP address, the packets are sent through the encrypted VPN tunnel to your server.",[41,6652,6653],{},"The SSL \u002F TLS connection between the client and your server is end-to-end encrypted with your own SSL certificates. It starts at the client and ends at your server, we never see the plaintext.",[16,6655,6656,6657,979,6659,769],{},"Ready to try it? ",[83,6658,978],{"href":977},[83,6660,982],{"href":65},[668,6662,6664,6666,6675,6684,6696,6705,6714,6722,6731,6740,6749],{"className":6663,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,6665,1096],{"id":1095},[1098,6667,6669,6672],{"className":6668},[1101],[1103,6670,6671],{},"What is CGNAT (carrier-grade NAT)?",[16,6673,6674],{},"Carrier-grade NAT (CGNAT), also known as large-scale NAT (LSN) or CGN, is a technique internet service providers use to share a single public IPv4 address among hundreds or thousands of customers. Your ISP translates your traffic at their network edge, meaning you no longer have a dedicated public IP. It conserves scarce IPv4 addresses but breaks inbound connections, so you cannot host servers, run game hosts, or reliably use services that need a reachable address.",[1098,6676,6678,6681],{"className":6677},[1101],[1103,6679,6680],{},"Why do ISPs use CGNAT?",[16,6682,6683],{},"IPv4 addresses ran out. There are only about 4.3 billion IPv4 addresses in existence and they have all been allocated. Rather than force every customer onto IPv6 (which many services still do not support), ISPs share a single public IP across many subscribers using CGNAT. It is cheap, invisible to most users, and lets them keep adding customers without buying expensive IP blocks on the secondary market.",[1098,6685,6687,6690],{"className":6686},[1101],[1103,6688,6689],{},"How do I know if I am behind CGNAT?",[16,6691,6692,6693,6695],{},"Check your router's WAN IP address and compare it to your actual public IP (run ",[105,6694,1120],{}," from a device on your LAN, or visit any what-is-my-IP site). If the two do not match, or if your router shows an address in the 100.64.0.0\u002F10 range (100.64.x.x through 100.127.x.x), you are behind CGNAT. You can also try opening a port in your router, if external connections never arrive, CGNAT is almost certainly the cause.",[1098,6697,6699,6702],{"className":6698},[1101],[1103,6700,6701],{},"What is the CGNAT IP address range?",[16,6703,6704],{},"The reserved range for CGNAT is 100.64.0.0\u002F10, defined in RFC 6598. This gives ISPs about 4 million addresses (100.64.0.0 through 100.127.255.255) to use internally for CGNAT without colliding with any public internet address or private RFC 1918 range. If you see one of these addresses on your router's WAN interface, your ISP is using CGNAT.",[1098,6706,6708,6711],{"className":6707},[1101],[1103,6709,6710],{},"Can I self-host servers behind CGNAT?",[16,6712,6713],{},"Not directly. CGNAT breaks inbound connections because your ISP's NAT does not know which customer to forward an incoming packet to. You need one of four workarounds: request a static IP from your ISP, use Cloudflare Tunnel (works but terminates SSL on Cloudflare's servers), use Tailscale or a similar mesh VPN (works only for people you invite), or use a dedicated public-IP service like GetPublicIP that routes a real static public IP to your server over an encrypted tunnel.",[1098,6715,6717,6719],{"className":6716},[1101],[1103,6718,6260],{},[16,6720,6721],{},"Many worldwide, especially in mobile and fibre markets where IPv4 is scarce. Commonly reported CGNAT ISPs include Virgin Media (Ireland), Tele2 (Sweden and Baltics), Simba and StarHub (Singapore), 2degrees (New Zealand), TPG and iiNet (Australia), Hyperoptic and Community Fibre (UK), Cox Mobile (US), and Vietnam's FPT, Viettel, and VNPT. Most mobile and 4G\u002F5G networks globally use CGNAT by default. Some ISPs offer a public-IP opt-out for a fee.",[1098,6723,6725,6728],{"className":6724},[1101],[1103,6726,6727],{},"Is CGNAT the same as double NAT?",[16,6729,6730],{},"They are related but not identical. Any home router performs NAT (private LAN to public IP). CGNAT adds a second NAT layer at the ISP (their private range to a shared public IP), creating a double-NAT scenario. The symptoms are similar, broken inbound connections, port forwarding does not work, UPnP is unreliable, but CGNAT is caused by your ISP, not your own equipment, so changing your router will not fix it.",[1098,6732,6734,6737],{"className":6733},[1101],[1103,6735,6736],{},"What is the difference between CGNAT and a public IP?",[16,6738,6739],{},"A true public IP is unique to you on the internet and is reachable from anywhere by default (subject to your own firewall). A CGNAT address is shared with many other customers and is not reachable from the outside, you can browse the web and initiate connections, but nobody can connect in to a server running at your address. If you need inbound connectivity (servers, email, games hosted at home, remote desktop), CGNAT is a dealbreaker.",[1098,6741,6743,6746],{"className":6742},[1101],[1103,6744,6745],{},"Does a static IP from my ISP solve CGNAT?",[16,6747,6748],{},"Yes, if your ISP actually offers it. A static IP from your ISP takes you out of the CGNAT pool and gives you a dedicated public address. The downsides: it is usually expensive (especially on residential plans), tied to your physical line (moving house means losing it), often has poor email-sender reputation, and many ISPs do not offer static IPs to residential customers at all.",[1098,6750,6752,6755],{"className":6751},[1101],[1103,6753,6754],{},"How does GetPublicIP bypass CGNAT?",[16,6756,6757],{},"GetPublicIP gives you a dedicated public IPv4 address hosted on our edge infrastructure, then tunnels traffic to your server via WireGuard. Your server makes an outbound connection to us (which CGNAT allows fine), and we forward all inbound traffic for your public IP through that tunnel. SSL\u002FTLS is end-to-end encrypted, we never see your plaintext. The result is a real static public IP, portable across locations, no router changes, works even behind the strictest CGNAT.",[351,6759,6760],{},"html pre.shiki code .sHkqI, html code.shiki .sHkqI{--shiki-default:#A6E22E}html pre.shiki code .s_Ekj, html code.shiki .s_Ekj{--shiki-default:#E6DB74}html pre.shiki code .snpHw, html code.shiki .snpHw{--shiki-default:#88846F}html pre.shiki code .s7s5_, html code.shiki .s7s5_{--shiki-default:#AE81FF}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":54,"searchDepth":55,"depth":55,"links":6762},[6763,6764,6765,6766,6767,6768,6773,6774,6780,6781],{"id":5914,"depth":55,"text":5915},{"id":5942,"depth":55,"text":5943},{"id":5956,"depth":55,"text":5957},{"id":6036,"depth":55,"text":6037},{"id":6129,"depth":55,"text":6130},{"id":6183,"depth":55,"text":6184,"children":6769},[6770,6771,6772],{"id":6190,"depth":440,"text":6191},{"id":6231,"depth":440,"text":6232},{"id":6246,"depth":440,"text":6247},{"id":6259,"depth":55,"text":6260},{"id":6473,"depth":55,"text":6474,"children":6775},[6776,6777,6778,6779],{"id":6598,"depth":440,"text":1011},{"id":4068,"depth":440,"text":1023},{"id":6614,"depth":440,"text":6556},{"id":4057,"depth":440,"text":1017},{"id":6628,"depth":55,"text":6629},{"id":1095,"depth":55,"text":1096},"2025-07-09T16:26:00.000Z","Stuck behind your ISP's CGNAT? Learn what carrier-grade NAT is, how to detect it, which ISPs use it, and how to self-host a real public IP in minutes.",[6785,6786,6787,6789,6790,6791,6792,6793,6794,6795],{"question":6671,"answer":6674},{"question":6680,"answer":6683},{"question":6689,"answer":6788},"Check your router's WAN IP address and compare it to your actual public IP (run curl https:\u002F\u002Fapi.getpublicip.com\u002Fip from a device on your LAN, or visit any what-is-my-IP site). If the two do not match, or if your router shows an address in the 100.64.0.0\u002F10 range (100.64.x.x through 100.127.x.x), you are behind CGNAT. You can also try opening a port in your router, if external connections never arrive, CGNAT is almost certainly the cause.",{"question":6701,"answer":6704},{"question":6710,"answer":6713},{"question":6260,"answer":6721},{"question":6727,"answer":6730},{"question":6736,"answer":6739},{"question":6745,"answer":6748},{"question":6754,"answer":6757},{},{"title":6798,"icon":6799,"description":6800},"What is carrier grade NAT?","mdi-lan-pending","Learn what CGNAT is, how to check if you're behind it, which ISPs use it, and how to self-host a real public IP bypassing carrier-grade NAT.",{"title":5893,"description":6783},"guides\u002Fself-hosting\u002Fself-hosting-behind-carrier-grade-nat-cgnat","gh_eWvc9PVqd23DNBOSiW21dTBI4RuKmCc6E5BvL6Mc",{"id":6805,"title":6806,"body":6807,"createdAt":7916,"description":7917,"extension":61,"faq":59,"meta":7918,"navigation":7919,"path":235,"seo":7923,"stem":7924,"updatedAt":7916,"__hash__":7925},"docs\u002Fguides\u002Fself-hosting\u002Fwireguard-simple-watchdog-script.md","WireGuard Simple Watchdog Script",{"type":8,"value":6808,"toc":7909},[6809,6812,6829,6864,7464,7856,7906],[11,6810,6806],{"id":6811},"wireguard-simple-watchdog-script",[668,6813,6815,6820,6823,6826],{"className":6814,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,6816,6819],{"className":6817,"id":6818},[675],"why-do-you-need-a-wireguard-watchdog-script","Why do you need a WireGuard watchdog script?",[16,6821,6822],{},"When running WireGuard VPN tunnels, especially for services like GetPublicIP that provide static IP addresses through VPN connections, maintaining a stable connection is crucial. However, your internet service provider may change network conditions such as your public IP address, which can cause the WireGuard connection to hang or become unresponsive.",[16,6824,6825],{},"In these situations, the WireGuard interface may appear to be up and running, but the connection has actually stopped working because the underlying network conditions have changed. Without active monitoring, you might not notice until external services can no longer reach your server, potentially causing downtime for your hosted services.",[16,6827,6828],{},"This simple watchdog script monitors WireGuard connections by checking the last handshake time between your server and the VPN endpoint. If the last handshake is more than 5 minutes old, the script automatically restarts the WireGuard interface to re-establish the connection. This ensures your VPN tunnel remains active and your services stay online even when your ISP changes network conditions.",[668,6830,6832,6837,6840],{"className":6831,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,6833,6836],{"className":6834,"id":6835},[675],"easy-install","Easy Install",[16,6838,6839],{},"Run this one-liner command as root to install the watchdog script:",[110,6841,6843],{"className":112,"code":6842,"language":114,"meta":54,"style":54},"curl -s https:\u002F\u002Fgetpublicip.com\u002Fscripts\u002Fwireguard-watch-install.sh | bash -s e576faaf43203ed71257c31da12b21f1b77cce4fdce655da88d3022e55a2d6f6\n",[105,6844,6845],{"__ignoreMap":54},[118,6846,6847,6849,6851,6854,6856,6859,6861],{"class":120,"line":121},[118,6848,758],{"class":124},[118,6850,1347],{"class":337},[118,6852,6853],{"class":128}," https:\u002F\u002Fgetpublicip.com\u002Fscripts\u002Fwireguard-watch-install.sh",[118,6855,2222],{"class":2221},[118,6857,6858],{"class":124}," bash",[118,6860,1347],{"class":337},[118,6862,6863],{"class":128}," e576faaf43203ed71257c31da12b21f1b77cce4fdce655da88d3022e55a2d6f6\n",[668,6865,6867,6872,6875],{"className":6866,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,6868,6871],{"className":6869,"id":6870},[675],"the-install-script","The Install Script",[16,6873,6874],{},"Or if you prefer to download and run the install script manually:",[110,6876,6878],{"className":112,"code":6877,"language":114,"meta":54,"style":54},"#!\u002Fbin\u002Fbash\n\nset -e\n\n# Configuration\nSCRIPT_URL=\"https:\u002F\u002Fgetpublicip.com\u002Fscripts\u002Fwireguard-watch\"\nSCRIPT_PATH=\"\u002Fusr\u002Fbin\u002Fwireguard-watch\"\nCRON_ENTRY=\"*\u002F5 * * * * \u002Fusr\u002Fbin\u002Fwireguard-watch\"\n\n# Check if SHA256 hash argument is provided\nif [ -z \"$1\" ]; then\n    echo \"Usage: $0 \u003Csha256_hash>\"\n    echo \"Example: $0 e576faaf43203ed71257c31da12b21f1b77cce4fdce655da88d3022e55a2d6f6\"\n    exit 1\nfi\n\nEXPECTED_SHA256=\"$1\"\n\n# Check if running as root\nif [ \"$EUID\" -ne 0 ]; then \n    echo \"Please run as root\"\n    exit 1\nfi\n\n# Download the script\necho \"Downloading wireguard-watch script...\"\ncurl -o \"$SCRIPT_PATH\" \"$SCRIPT_URL\"\n\n# Verify SHA256 checksum\necho \"Verifying SHA256 checksum...\"\nACTUAL_SHA256=$(sha256sum \"$SCRIPT_PATH\" | awk '{print $1}')\n\nif [ \"$ACTUAL_SHA256\" != \"$EXPECTED_SHA256\" ]; then\n    echo \"ERROR: SHA256 checksum mismatch!\"\n    echo \"Expected: $EXPECTED_SHA256\"\n    echo \"Got:      $ACTUAL_SHA256\"\n    rm -f \"$SCRIPT_PATH\"\n    exit 1\nfi\n\necho \"SHA256 checksum verified successfully.\"\n\n# Make script executable\nchmod +x \"$SCRIPT_PATH\"\necho \"Made script executable.\"\n\n# Check if cron entry already exists\nif crontab -l 2>\u002Fdev\u002Fnull | grep -q \"$SCRIPT_PATH\"; then\n    echo \"Cron entry already exists. Skipping cron setup.\"\nelse\n    # Add cron entry\n    (crontab -l 2>\u002Fdev\u002Fnull; echo \"$CRON_ENTRY\") | crontab -\n    echo \"Added cron entry to run every 5 minutes.\"\nfi\n\necho \"Installation complete!\"\necho \"The watchdog script will run every 5 minutes.\"\n",[105,6879,6880,6885,6889,6898,6902,6907,6918,6928,6938,6942,6947,6975,6989,7002,7011,7017,7022,7037,7042,7048,7076,7084,7091,7096,7101,7107,7116,7138,7143,7149,7157,7188,7193,7221,7229,7241,7253,7268,7275,7280,7285,7293,7298,7304,7319,7327,7332,7338,7373,7381,7387,7393,7430,7438,7443,7448,7456],{"__ignoreMap":54},[118,6881,6882],{"class":120,"line":121},[118,6883,6884],{"class":1372},"#!\u002Fbin\u002Fbash\n",[118,6886,6887],{"class":120,"line":55},[118,6888,1388],{"emptyLinePlaceholder":1387},[118,6890,6891,6895],{"class":120,"line":440},[118,6892,6894],{"class":6893},"sYf5A","set",[118,6896,6897],{"class":337}," -e\n",[118,6899,6900],{"class":120,"line":487},[118,6901,1388],{"emptyLinePlaceholder":1387},[118,6903,6904],{"class":120,"line":502},[118,6905,6906],{"class":1372},"# Configuration\n",[118,6908,6909,6912,6915],{"class":120,"line":594},[118,6910,6911],{"class":3082},"SCRIPT_URL",[118,6913,6914],{"class":2221},"=",[118,6916,6917],{"class":128},"\"https:\u002F\u002Fgetpublicip.com\u002Fscripts\u002Fwireguard-watch\"\n",[118,6919,6920,6923,6925],{"class":120,"line":605},[118,6921,6922],{"class":3082},"SCRIPT_PATH",[118,6924,6914],{"class":2221},[118,6926,6927],{"class":128},"\"\u002Fusr\u002Fbin\u002Fwireguard-watch\"\n",[118,6929,6930,6933,6935],{"class":120,"line":616},[118,6931,6932],{"class":3082},"CRON_ENTRY",[118,6934,6914],{"class":2221},[118,6936,6937],{"class":128},"\"*\u002F5 * * * * \u002Fusr\u002Fbin\u002Fwireguard-watch\"\n",[118,6939,6940],{"class":120,"line":627},[118,6941,1388],{"emptyLinePlaceholder":1387},[118,6943,6944],{"class":120,"line":641},[118,6945,6946],{"class":1372},"# Check if SHA256 hash argument is provided\n",[118,6948,6950,6953,6956,6959,6962,6966,6969,6972],{"class":120,"line":6949},11,[118,6951,6952],{"class":2221},"if",[118,6954,6955],{"class":3082}," [ ",[118,6957,6958],{"class":2221},"-z",[118,6960,6961],{"class":128}," \"",[118,6963,6965],{"class":6964},"sW0Xf","$1",[118,6967,6968],{"class":128},"\"",[118,6970,6971],{"class":3082}," ]; ",[118,6973,6974],{"class":2221},"then\n",[118,6976,6977,6980,6983,6986],{"class":120,"line":1235},[118,6978,6979],{"class":6893},"    echo",[118,6981,6982],{"class":128}," \"Usage: ",[118,6984,6985],{"class":6964},"$0",[118,6987,6988],{"class":128}," \u003Csha256_hash>\"\n",[118,6990,6992,6994,6997,6999],{"class":120,"line":6991},13,[118,6993,6979],{"class":6893},[118,6995,6996],{"class":128}," \"Example: ",[118,6998,6985],{"class":6964},[118,7000,7001],{"class":128}," e576faaf43203ed71257c31da12b21f1b77cce4fdce655da88d3022e55a2d6f6\"\n",[118,7003,7005,7008],{"class":120,"line":7004},14,[118,7006,7007],{"class":6893},"    exit",[118,7009,7010],{"class":337}," 1\n",[118,7012,7014],{"class":120,"line":7013},15,[118,7015,7016],{"class":2221},"fi\n",[118,7018,7020],{"class":120,"line":7019},16,[118,7021,1388],{"emptyLinePlaceholder":1387},[118,7023,7025,7028,7030,7032,7034],{"class":120,"line":7024},17,[118,7026,7027],{"class":3082},"EXPECTED_SHA256",[118,7029,6914],{"class":2221},[118,7031,6968],{"class":128},[118,7033,6965],{"class":6964},[118,7035,7036],{"class":128},"\"\n",[118,7038,7040],{"class":120,"line":7039},18,[118,7041,1388],{"emptyLinePlaceholder":1387},[118,7043,7045],{"class":120,"line":7044},19,[118,7046,7047],{"class":1372},"# Check if running as root\n",[118,7049,7051,7053,7055,7057,7060,7062,7065,7068,7070,7073],{"class":120,"line":7050},20,[118,7052,6952],{"class":2221},[118,7054,6955],{"class":3082},[118,7056,6968],{"class":128},[118,7058,7059],{"class":3082},"$EUID",[118,7061,6968],{"class":128},[118,7063,7064],{"class":2221}," -ne",[118,7066,7067],{"class":337}," 0",[118,7069,6971],{"class":3082},[118,7071,7072],{"class":2221},"then",[118,7074,7075],{"class":3082}," \n",[118,7077,7079,7081],{"class":120,"line":7078},21,[118,7080,6979],{"class":6893},[118,7082,7083],{"class":128}," \"Please run as root\"\n",[118,7085,7087,7089],{"class":120,"line":7086},22,[118,7088,7007],{"class":6893},[118,7090,7010],{"class":337},[118,7092,7094],{"class":120,"line":7093},23,[118,7095,7016],{"class":2221},[118,7097,7099],{"class":120,"line":7098},24,[118,7100,1388],{"emptyLinePlaceholder":1387},[118,7102,7104],{"class":120,"line":7103},25,[118,7105,7106],{"class":1372},"# Download the script\n",[118,7108,7110,7113],{"class":120,"line":7109},26,[118,7111,7112],{"class":6893},"echo",[118,7114,7115],{"class":128}," \"Downloading wireguard-watch script...\"\n",[118,7117,7119,7121,7124,7126,7129,7131,7133,7136],{"class":120,"line":7118},27,[118,7120,758],{"class":124},[118,7122,7123],{"class":337}," -o",[118,7125,6961],{"class":128},[118,7127,7128],{"class":3082},"$SCRIPT_PATH",[118,7130,6968],{"class":128},[118,7132,6961],{"class":128},[118,7134,7135],{"class":3082},"$SCRIPT_URL",[118,7137,7036],{"class":128},[118,7139,7141],{"class":120,"line":7140},28,[118,7142,1388],{"emptyLinePlaceholder":1387},[118,7144,7146],{"class":120,"line":7145},29,[118,7147,7148],{"class":1372},"# Verify SHA256 checksum\n",[118,7150,7152,7154],{"class":120,"line":7151},30,[118,7153,7112],{"class":6893},[118,7155,7156],{"class":128}," \"Verifying SHA256 checksum...\"\n",[118,7158,7160,7163,7165,7168,7171,7173,7175,7177,7179,7182,7185],{"class":120,"line":7159},31,[118,7161,7162],{"class":3082},"ACTUAL_SHA256",[118,7164,6914],{"class":2221},[118,7166,7167],{"class":3082},"$(",[118,7169,7170],{"class":124},"sha256sum",[118,7172,6961],{"class":128},[118,7174,7128],{"class":3082},[118,7176,6968],{"class":128},[118,7178,2222],{"class":2221},[118,7180,7181],{"class":124}," awk",[118,7183,7184],{"class":128}," '{print $1}'",[118,7186,7187],{"class":3082},")\n",[118,7189,7191],{"class":120,"line":7190},32,[118,7192,1388],{"emptyLinePlaceholder":1387},[118,7194,7196,7198,7200,7202,7205,7207,7210,7212,7215,7217,7219],{"class":120,"line":7195},33,[118,7197,6952],{"class":2221},[118,7199,6955],{"class":3082},[118,7201,6968],{"class":128},[118,7203,7204],{"class":3082},"$ACTUAL_SHA256",[118,7206,6968],{"class":128},[118,7208,7209],{"class":2221}," !=",[118,7211,6961],{"class":128},[118,7213,7214],{"class":3082},"$EXPECTED_SHA256",[118,7216,6968],{"class":128},[118,7218,6971],{"class":3082},[118,7220,6974],{"class":2221},[118,7222,7224,7226],{"class":120,"line":7223},34,[118,7225,6979],{"class":6893},[118,7227,7228],{"class":128}," \"ERROR: SHA256 checksum mismatch!\"\n",[118,7230,7232,7234,7237,7239],{"class":120,"line":7231},35,[118,7233,6979],{"class":6893},[118,7235,7236],{"class":128}," \"Expected: ",[118,7238,7214],{"class":3082},[118,7240,7036],{"class":128},[118,7242,7244,7246,7249,7251],{"class":120,"line":7243},36,[118,7245,6979],{"class":6893},[118,7247,7248],{"class":128}," \"Got:      ",[118,7250,7204],{"class":3082},[118,7252,7036],{"class":128},[118,7254,7256,7259,7262,7264,7266],{"class":120,"line":7255},37,[118,7257,7258],{"class":124},"    rm",[118,7260,7261],{"class":337}," -f",[118,7263,6961],{"class":128},[118,7265,7128],{"class":3082},[118,7267,7036],{"class":128},[118,7269,7271,7273],{"class":120,"line":7270},38,[118,7272,7007],{"class":6893},[118,7274,7010],{"class":337},[118,7276,7278],{"class":120,"line":7277},39,[118,7279,7016],{"class":2221},[118,7281,7283],{"class":120,"line":7282},40,[118,7284,1388],{"emptyLinePlaceholder":1387},[118,7286,7288,7290],{"class":120,"line":7287},41,[118,7289,7112],{"class":6893},[118,7291,7292],{"class":128}," \"SHA256 checksum verified successfully.\"\n",[118,7294,7296],{"class":120,"line":7295},42,[118,7297,1388],{"emptyLinePlaceholder":1387},[118,7299,7301],{"class":120,"line":7300},43,[118,7302,7303],{"class":1372},"# Make script executable\n",[118,7305,7307,7310,7313,7315,7317],{"class":120,"line":7306},44,[118,7308,7309],{"class":124},"chmod",[118,7311,7312],{"class":128}," +x",[118,7314,6961],{"class":128},[118,7316,7128],{"class":3082},[118,7318,7036],{"class":128},[118,7320,7322,7324],{"class":120,"line":7321},45,[118,7323,7112],{"class":6893},[118,7325,7326],{"class":128}," \"Made script executable.\"\n",[118,7328,7330],{"class":120,"line":7329},46,[118,7331,1388],{"emptyLinePlaceholder":1387},[118,7333,7335],{"class":120,"line":7334},47,[118,7336,7337],{"class":1372},"# Check if cron entry already exists\n",[118,7339,7341,7343,7346,7349,7352,7355,7357,7359,7362,7364,7366,7368,7371],{"class":120,"line":7340},48,[118,7342,6952],{"class":2221},[118,7344,7345],{"class":124}," crontab",[118,7347,7348],{"class":337}," -l",[118,7350,7351],{"class":2221}," 2>",[118,7353,7354],{"class":128},"\u002Fdev\u002Fnull",[118,7356,2222],{"class":2221},[118,7358,2225],{"class":124},[118,7360,7361],{"class":337}," -q",[118,7363,6961],{"class":128},[118,7365,7128],{"class":3082},[118,7367,6968],{"class":128},[118,7369,7370],{"class":3082},"; ",[118,7372,6974],{"class":2221},[118,7374,7376,7378],{"class":120,"line":7375},49,[118,7377,6979],{"class":6893},[118,7379,7380],{"class":128}," \"Cron entry already exists. Skipping cron setup.\"\n",[118,7382,7384],{"class":120,"line":7383},50,[118,7385,7386],{"class":2221},"else\n",[118,7388,7390],{"class":120,"line":7389},51,[118,7391,7392],{"class":1372},"    # Add cron entry\n",[118,7394,7396,7399,7402,7404,7406,7408,7410,7412,7414,7417,7419,7422,7425,7427],{"class":120,"line":7395},52,[118,7397,7398],{"class":3082},"    (",[118,7400,7401],{"class":124},"crontab",[118,7403,7348],{"class":337},[118,7405,7351],{"class":2221},[118,7407,7354],{"class":128},[118,7409,7370],{"class":3082},[118,7411,7112],{"class":6893},[118,7413,6961],{"class":128},[118,7415,7416],{"class":3082},"$CRON_ENTRY",[118,7418,6968],{"class":128},[118,7420,7421],{"class":3082},") ",[118,7423,7424],{"class":2221},"|",[118,7426,7345],{"class":124},[118,7428,7429],{"class":128}," -\n",[118,7431,7433,7435],{"class":120,"line":7432},53,[118,7434,6979],{"class":6893},[118,7436,7437],{"class":128}," \"Added cron entry to run every 5 minutes.\"\n",[118,7439,7441],{"class":120,"line":7440},54,[118,7442,7016],{"class":2221},[118,7444,7446],{"class":120,"line":7445},55,[118,7447,1388],{"emptyLinePlaceholder":1387},[118,7449,7451,7453],{"class":120,"line":7450},56,[118,7452,7112],{"class":6893},[118,7454,7455],{"class":128}," \"Installation complete!\"\n",[118,7457,7459,7461],{"class":120,"line":7458},57,[118,7460,7112],{"class":6893},[118,7462,7463],{"class":128}," \"The watchdog script will run every 5 minutes.\"\n",[668,7465,7467,7472,7475],{"className":7466,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,7468,7471],{"className":7469,"id":7470},[675],"the-watchdog-script","The Watchdog Script",[16,7473,7474],{},"Copy the following script to your server and configure it to run periodically using cron or systemd timers:",[110,7476,7478],{"className":112,"code":7477,"language":114,"meta":54,"style":54},"#!\u002Fbin\u002Fbash\n\n# Configuration\nINTERFACE=\"pi0\"  # This is your wireguard interface\nMAX_HANDSHAKE_AGE=300  # 5 minutes in seconds\n\n# Get the latest handshake time from wg show\nhandshake_line=$(wg show \"$INTERFACE\" latest-handshakes | head -n 1)\n\n# Check if we got any output\nif [ -z \"$handshake_line\" ]; then\n    echo \"No handshake information found for interface $INTERFACE\"\n    exit 1\nfi\n\n# Extract the timestamp (second field)\nlast_handshake=$(echo \"$handshake_line\" | awk '{print $2}')\n\n# Get current time in seconds since epoch\ncurrent_time=$(date +%s)\n\n# Calculate time since last handshake\ntime_diff=$((current_time - last_handshake))\n\necho \"Interface: $INTERFACE\"\necho \"Last handshake: $time_diff seconds ago\"\n\n# Check if handshake is older than 5 minutes\nif [ \"$time_diff\" -gt \"$MAX_HANDSHAKE_AGE\" ]; then\n    echo \"Handshake older than 5 minutes. Restarting WireGuard...\"\n    \n    # Restart WireGuard\n    wg-quick down \"$INTERFACE\"\n    sleep 2\n    wg-quick up \"$INTERFACE\"\n    \n    echo \"WireGuard restarted successfully\"\n    exit 0\nelse\n    echo \"Handshake is recent. No restart needed.\"\n    exit 0\nfi\n\n",[105,7479,7480,7484,7488,7492,7505,7518,7522,7527,7562,7566,7571,7590,7601,7607,7611,7615,7620,7646,7650,7655,7672,7676,7681,7702,7706,7717,7730,7734,7739,7765,7772,7777,7782,7796,7804,7817,7821,7828,7835,7839,7846,7852],{"__ignoreMap":54},[118,7481,7482],{"class":120,"line":121},[118,7483,6884],{"class":1372},[118,7485,7486],{"class":120,"line":55},[118,7487,1388],{"emptyLinePlaceholder":1387},[118,7489,7490],{"class":120,"line":440},[118,7491,6906],{"class":1372},[118,7493,7494,7497,7499,7502],{"class":120,"line":487},[118,7495,7496],{"class":3082},"INTERFACE",[118,7498,6914],{"class":2221},[118,7500,7501],{"class":128},"\"pi0\"",[118,7503,7504],{"class":1372},"  # This is your wireguard interface\n",[118,7506,7507,7510,7512,7515],{"class":120,"line":502},[118,7508,7509],{"class":3082},"MAX_HANDSHAKE_AGE",[118,7511,6914],{"class":2221},[118,7513,7514],{"class":128},"300",[118,7516,7517],{"class":1372},"  # 5 minutes in seconds\n",[118,7519,7520],{"class":120,"line":594},[118,7521,1388],{"emptyLinePlaceholder":1387},[118,7523,7524],{"class":120,"line":605},[118,7525,7526],{"class":1372},"# Get the latest handshake time from wg show\n",[118,7528,7529,7532,7534,7536,7538,7540,7542,7545,7547,7550,7552,7555,7557,7560],{"class":120,"line":616},[118,7530,7531],{"class":3082},"handshake_line",[118,7533,6914],{"class":2221},[118,7535,7167],{"class":3082},[118,7537,200],{"class":124},[118,7539,2218],{"class":128},[118,7541,6961],{"class":128},[118,7543,7544],{"class":3082},"$INTERFACE",[118,7546,6968],{"class":128},[118,7548,7549],{"class":128}," latest-handshakes",[118,7551,2222],{"class":2221},[118,7553,7554],{"class":124}," head",[118,7556,4946],{"class":337},[118,7558,7559],{"class":337}," 1",[118,7561,7187],{"class":3082},[118,7563,7564],{"class":120,"line":627},[118,7565,1388],{"emptyLinePlaceholder":1387},[118,7567,7568],{"class":120,"line":641},[118,7569,7570],{"class":1372},"# Check if we got any output\n",[118,7572,7573,7575,7577,7579,7581,7584,7586,7588],{"class":120,"line":6949},[118,7574,6952],{"class":2221},[118,7576,6955],{"class":3082},[118,7578,6958],{"class":2221},[118,7580,6961],{"class":128},[118,7582,7583],{"class":3082},"$handshake_line",[118,7585,6968],{"class":128},[118,7587,6971],{"class":3082},[118,7589,6974],{"class":2221},[118,7591,7592,7594,7597,7599],{"class":120,"line":1235},[118,7593,6979],{"class":6893},[118,7595,7596],{"class":128}," \"No handshake information found for interface ",[118,7598,7544],{"class":3082},[118,7600,7036],{"class":128},[118,7602,7603,7605],{"class":120,"line":6991},[118,7604,7007],{"class":6893},[118,7606,7010],{"class":337},[118,7608,7609],{"class":120,"line":7004},[118,7610,7016],{"class":2221},[118,7612,7613],{"class":120,"line":7013},[118,7614,1388],{"emptyLinePlaceholder":1387},[118,7616,7617],{"class":120,"line":7019},[118,7618,7619],{"class":1372},"# Extract the timestamp (second field)\n",[118,7621,7622,7625,7627,7629,7631,7633,7635,7637,7639,7641,7644],{"class":120,"line":7024},[118,7623,7624],{"class":3082},"last_handshake",[118,7626,6914],{"class":2221},[118,7628,7167],{"class":3082},[118,7630,7112],{"class":6893},[118,7632,6961],{"class":128},[118,7634,7583],{"class":3082},[118,7636,6968],{"class":128},[118,7638,2222],{"class":2221},[118,7640,7181],{"class":124},[118,7642,7643],{"class":128}," '{print $2}'",[118,7645,7187],{"class":3082},[118,7647,7648],{"class":120,"line":7039},[118,7649,1388],{"emptyLinePlaceholder":1387},[118,7651,7652],{"class":120,"line":7044},[118,7653,7654],{"class":1372},"# Get current time in seconds since epoch\n",[118,7656,7657,7660,7662,7664,7667,7670],{"class":120,"line":7050},[118,7658,7659],{"class":3082},"current_time",[118,7661,6914],{"class":2221},[118,7663,7167],{"class":3082},[118,7665,7666],{"class":124},"date",[118,7668,7669],{"class":128}," +%s",[118,7671,7187],{"class":3082},[118,7673,7674],{"class":120,"line":7078},[118,7675,1388],{"emptyLinePlaceholder":1387},[118,7677,7678],{"class":120,"line":7086},[118,7679,7680],{"class":1372},"# Calculate time since last handshake\n",[118,7682,7683,7686,7688,7691,7693,7696,7699],{"class":120,"line":7093},[118,7684,7685],{"class":3082},"time_diff",[118,7687,6914],{"class":2221},[118,7689,7690],{"class":3082},"$((",[118,7692,7659],{"class":124},[118,7694,7695],{"class":128}," -",[118,7697,7698],{"class":128}," last_handshake",[118,7700,7701],{"class":3082},"))\n",[118,7703,7704],{"class":120,"line":7098},[118,7705,1388],{"emptyLinePlaceholder":1387},[118,7707,7708,7710,7713,7715],{"class":120,"line":7103},[118,7709,7112],{"class":6893},[118,7711,7712],{"class":128}," \"Interface: ",[118,7714,7544],{"class":3082},[118,7716,7036],{"class":128},[118,7718,7719,7721,7724,7727],{"class":120,"line":7109},[118,7720,7112],{"class":6893},[118,7722,7723],{"class":128}," \"Last handshake: ",[118,7725,7726],{"class":3082},"$time_diff",[118,7728,7729],{"class":128}," seconds ago\"\n",[118,7731,7732],{"class":120,"line":7118},[118,7733,1388],{"emptyLinePlaceholder":1387},[118,7735,7736],{"class":120,"line":7140},[118,7737,7738],{"class":1372},"# Check if handshake is older than 5 minutes\n",[118,7740,7741,7743,7745,7747,7749,7751,7754,7756,7759,7761,7763],{"class":120,"line":7145},[118,7742,6952],{"class":2221},[118,7744,6955],{"class":3082},[118,7746,6968],{"class":128},[118,7748,7726],{"class":3082},[118,7750,6968],{"class":128},[118,7752,7753],{"class":2221}," -gt",[118,7755,6961],{"class":128},[118,7757,7758],{"class":3082},"$MAX_HANDSHAKE_AGE",[118,7760,6968],{"class":128},[118,7762,6971],{"class":3082},[118,7764,6974],{"class":2221},[118,7766,7767,7769],{"class":120,"line":7151},[118,7768,6979],{"class":6893},[118,7770,7771],{"class":128}," \"Handshake older than 5 minutes. Restarting WireGuard...\"\n",[118,7773,7774],{"class":120,"line":7159},[118,7775,7776],{"class":3082},"    \n",[118,7778,7779],{"class":120,"line":7190},[118,7780,7781],{"class":1372},"    # Restart WireGuard\n",[118,7783,7784,7787,7790,7792,7794],{"class":120,"line":7195},[118,7785,7786],{"class":124},"    wg-quick",[118,7788,7789],{"class":128}," down",[118,7791,6961],{"class":128},[118,7793,7544],{"class":3082},[118,7795,7036],{"class":128},[118,7797,7798,7801],{"class":120,"line":7223},[118,7799,7800],{"class":124},"    sleep",[118,7802,7803],{"class":337}," 2\n",[118,7805,7806,7808,7811,7813,7815],{"class":120,"line":7231},[118,7807,7786],{"class":124},[118,7809,7810],{"class":128}," up",[118,7812,6961],{"class":128},[118,7814,7544],{"class":3082},[118,7816,7036],{"class":128},[118,7818,7819],{"class":120,"line":7243},[118,7820,7776],{"class":3082},[118,7822,7823,7825],{"class":120,"line":7255},[118,7824,6979],{"class":6893},[118,7826,7827],{"class":128}," \"WireGuard restarted successfully\"\n",[118,7829,7830,7832],{"class":120,"line":7270},[118,7831,7007],{"class":6893},[118,7833,7834],{"class":337}," 0\n",[118,7836,7837],{"class":120,"line":7277},[118,7838,7386],{"class":2221},[118,7840,7841,7843],{"class":120,"line":7282},[118,7842,6979],{"class":6893},[118,7844,7845],{"class":128}," \"Handshake is recent. No restart needed.\"\n",[118,7847,7848,7850],{"class":120,"line":7287},[118,7849,7007],{"class":6893},[118,7851,7834],{"class":337},[118,7853,7854],{"class":120,"line":7295},[118,7855,7016],{"class":2221},[668,7857,7859,7864,7867,7870,7873,7895],{"className":7858,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,7860,7863],{"className":7861,"id":7862},[675],"crontab-configuration","Crontab Configuration",[16,7865,7866],{},"The watchdog script needs to run periodically to check the WireGuard connection status. A crontab entry is added to automatically execute the script every 5 minutes. This ensures continuous monitoring of your VPN connection without requiring manual intervention.",[16,7868,7869],{},"The crontab entry runs the watchdog script as root, allowing it to restart the WireGuard interface if needed. The script checks the handshake time and only restarts the connection if it detects a problem, so it won't interfere with healthy connections.",[16,7871,7872],{},"If you need to manually add the crontab entry or the automatic installation didn't work, use the following crontab configuration:",[110,7874,7876],{"className":112,"code":7875,"language":114,"meta":54,"style":54},"*\u002F5 * * * * \u002Fusr\u002Fbin\u002Fwireguard-watch\n",[105,7877,7878],{"__ignoreMap":54},[118,7879,7880,7882,7884,7886,7888,7890,7892],{"class":120,"line":121},[118,7881,3079],{"class":2221},[118,7883,3083],{"class":3082},[118,7885,3079],{"class":2221},[118,7887,3088],{"class":2221},[118,7889,3088],{"class":2221},[118,7891,3088],{"class":2221},[118,7893,7894],{"class":3082}," \u002Fusr\u002Fbin\u002Fwireguard-watch\n",[16,7896,7897,7898,7901,7902,7905],{},"To add this manually, run ",[105,7899,7900],{},"crontab -e"," as root and add the line above. The cron expression ",[105,7903,7904],{},"*\u002F5 * * * *"," means the script will run every 5 minutes.",[351,7907,7908],{},"html pre.shiki code .sHkqI, html code.shiki .sHkqI{--shiki-default:#A6E22E}html pre.shiki code .s7s5_, html code.shiki .s7s5_{--shiki-default:#AE81FF}html pre.shiki code .s_Ekj, html code.shiki .s_Ekj{--shiki-default:#E6DB74}html pre.shiki code .s8I7P, html code.shiki .s8I7P{--shiki-default:#F92672}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .snpHw, html code.shiki .snpHw{--shiki-default:#88846F}html pre.shiki code .sYf5A, html code.shiki .sYf5A{--shiki-default:#66D9EF}html pre.shiki code .sCdxs, html code.shiki .sCdxs{--shiki-default:#F8F8F2}html pre.shiki code .sW0Xf, html code.shiki .sW0Xf{--shiki-default:#FD971F;--shiki-default-font-style:italic}",{"title":54,"searchDepth":55,"depth":55,"links":7910},[7911,7912,7913,7914,7915],{"id":6818,"depth":55,"text":6819},{"id":6835,"depth":55,"text":6836},{"id":6870,"depth":55,"text":6871},{"id":7470,"depth":55,"text":7471},{"id":7862,"depth":55,"text":7863},"2025-01-16T16:26:00.000Z","Keep your WireGuard VPN connection stable with a simple watchdog script that monitors handshakes and automatically restarts the connection when network conditions change. Prevent hanging connections caused by ISP IP address changes.",{},{"title":7920,"icon":7921,"description":7922},"WireGuard Watchdog Script","mdi-shield-check","A simple watchdog script to monitor and restart WireGuard connections when network conditions change.",{"title":6806,"description":7917},"guides\u002Fself-hosting\u002Fwireguard-simple-watchdog-script","dgQa85qjjDc1V2DxF_yZl6gOfQU9mEW1PNVbznGJ0ho",{"path":7927,"title":7928,"icon":1218,"children":7929},"\u002Fguides\u002Fstatic-public-ip-address","Static Public Ip Address",[7930,8291],{"id":659,"title":660,"body":7931,"createdAt":1193,"description":1194,"extension":61,"faq":8279,"meta":8288,"navigation":8289,"path":1210,"seo":8290,"stem":1212,"updatedAt":1193,"__hash__":1213},{"type":8,"value":7932,"toc":8265},[7933,7935,7942,7971,8000,8039,8130,8167,8200,8263],[11,7934,666],{"id":665},[668,7936,7938],{"className":7937,"rounded":54,"max-width":677},[671,672,673,674,675,676],[16,7939,680,7940,685],{},[682,7941,684],{},[668,7943,7945,7947,7951,7961,7967],{"className":7944,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,7946,692],{"id":691},[16,7948,695,7949,699],{},[682,7950,698],{},[16,7952,695,7953,705,7955,709,7957,713,7959,717],{},[682,7954,704],{},[105,7956,708],{},[105,7958,712],{},[105,7960,716],{},[16,7962,720,7963,724,7965,729],{},[682,7964,723],{},[83,7966,728],{"href":727},[16,7968,732,7969,736],{},[682,7970,735],{},[668,7972,7974,7976,7978,7988,7992],{"className":7973,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,7975,743],{"id":742},[16,7977,746],{},[110,7979,7980],{"className":749,"code":750,"language":751,"meta":54,"style":54},[105,7981,7982],{"__ignoreMap":54},[118,7983,7984,7986],{"class":120,"line":121},[118,7985,758],{"class":124},[118,7987,761],{"class":128},[16,7989,764,7990,769],{},[83,7991,768],{"href":767},[16,7993,7994,775,7996,779,7998,783],{},[682,7995,774],{},[105,7997,778],{},[105,7999,782],{},[668,8001,8003,8005,8009,8013],{"className":8002,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8004,790],{"id":789},[16,8006,793,8007,797],{},[682,8008,796],{},[16,8010,800,8011,804],{},[682,8012,803],{},[806,8014,8015,8019,8023,8027,8031,8035],{},[41,8016,8017,813],{},[682,8018,812],{},[41,8020,8021,819],{},[682,8022,818],{},[41,8024,8025,825],{},[682,8026,824],{},[41,8028,8029,831],{},[682,8030,830],{},[41,8032,8033,837],{},[682,8034,836],{},[41,8036,8037,843],{},[682,8038,842],{},[668,8040,8042,8044,8046,8048,8052,8056,8060,8062,8064,8068,8072,8074,8076,8080,8084,8088,8090,8094,8098,8124],{"className":8041,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8043,850],{"id":849},[852,8045,855],{"id":854},[16,8047,858],{},[16,8049,8050,864],{},[682,8051,863],{},[16,8053,8054,870],{},[682,8055,869],{},[16,8057,873,8058,769],{},[83,8059,877],{"href":876},[852,8061,881],{"id":880},[16,8063,884],{},[16,8065,8066,889],{},[682,8067,863],{},[16,8069,8070,894],{},[682,8071,869],{},[852,8073,898],{"id":897},[16,8075,901],{},[16,8077,8078,906],{},[682,8079,863],{},[16,8081,8082,911],{},[682,8083,869],{},[16,8085,914,8086,769],{},[83,8087,918],{"href":917},[852,8089,922],{"id":921},[16,8091,925,8092,929],{},[682,8093,928],{},[16,8095,8096,210],{},[682,8097,934],{},[806,8099,8100,8104,8108,8112,8116,8120],{},[41,8101,8102,942],{},[682,8103,941],{},[41,8105,8106,948],{},[682,8107,947],{},[41,8109,8110,954],{},[682,8111,953],{},[41,8113,8114,960],{},[682,8115,959],{},[41,8117,8118,966],{},[682,8119,965],{},[41,8121,8122,972],{},[682,8123,971],{},[16,8125,8126,979,8128,983],{},[83,8127,978],{"href":977},[83,8129,982],{"href":65},[668,8131,8133,8135,8143,8145,8163],{"className":8132,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8134,990],{"id":989},[16,8136,993,8137,996,8139,779,8141,1001],{},[682,8138,728],{},[105,8140,778],{},[105,8142,782],{},[16,8144,1004],{},[806,8146,8147,8151,8155,8159],{},[41,8148,8149,1012],{},[682,8150,1011],{},[41,8152,8153,1018],{},[682,8154,1017],{},[41,8156,8157,1024],{},[682,8158,1023],{},[41,8160,8161,1030],{},[682,8162,1029],{},[16,8164,1033,8165,769],{},[83,8166,1036],{"href":727},[668,8168,8170,8172,8174,8190,8194],{"className":8169,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8171,1043],{"id":1042},[16,8173,1046],{},[806,8175,8176,8184],{},[41,8177,695,8178,1054,8180,1058,8182,1062],{},[682,8179,1053],{},[682,8181,1057],{},[682,8183,1061],{},[41,8185,695,8186,1068,8188,1072],{},[682,8187,1067],{},[682,8189,1071],{},[16,8191,1075,8192,1079],{},[682,8193,1078],{},[16,8195,1082,8196,1086,8198,769],{},[682,8197,1085],{},[83,8199,1089],{"href":876},[668,8201,8203,8205,8212,8221,8228,8235,8242,8249,8256],{"className":8202,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8204,1096],{"id":1095},[1098,8206,8208,8210],{"className":8207},[1101],[1103,8209,1105],{},[16,8211,1108],{},[1098,8213,8215,8217],{"className":8214},[1101],[1103,8216,1114],{},[16,8218,1117,8219,1121],{},[105,8220,1120],{},[1098,8222,8224,8226],{"className":8223},[1101],[1103,8225,1127],{},[16,8227,1130],{},[1098,8229,8231,8233],{"className":8230},[1101],[1103,8232,1136],{},[16,8234,1139],{},[1098,8236,8238,8240],{"className":8237},[1101],[1103,8239,1145],{},[16,8241,1148],{},[1098,8243,8245,8247],{"className":8244},[1101],[1103,8246,1154],{},[16,8248,1157],{},[1098,8250,8252,8254],{"className":8251},[1101],[1103,8253,1163],{},[16,8255,1166],{},[1098,8257,8259,8261],{"className":8258},[1101],[1103,8260,1172],{},[16,8262,1175],{},[351,8264,1178],{},{"title":54,"searchDepth":55,"depth":55,"links":8266},[8267,8268,8269,8270,8276,8277,8278],{"id":691,"depth":55,"text":692},{"id":742,"depth":55,"text":743},{"id":789,"depth":55,"text":790},{"id":849,"depth":55,"text":850,"children":8271},[8272,8273,8274,8275],{"id":854,"depth":440,"text":855},{"id":880,"depth":440,"text":881},{"id":897,"depth":440,"text":898},{"id":921,"depth":440,"text":922},{"id":989,"depth":55,"text":990},{"id":1042,"depth":55,"text":1043},{"id":1095,"depth":55,"text":1096},[8280,8281,8282,8283,8284,8285,8286,8287],{"question":1105,"answer":1108},{"question":1114,"answer":1198},{"question":1127,"answer":1130},{"question":1136,"answer":1139},{"question":1145,"answer":1148},{"question":1154,"answer":1157},{"question":1163,"answer":1166},{"question":1172,"answer":1175},{},{"title":1207,"icon":1208,"description":1209},{"title":660,"description":1194},{"id":8292,"title":5481,"body":8293,"createdAt":2499,"description":8500,"extension":61,"faq":8501,"meta":8512,"navigation":8513,"path":876,"seo":8516,"stem":8517,"updatedAt":2499,"__hash__":8518},"docs\u002Fguides\u002Fstatic-public-ip-address\u002Fhow-to-get-a-static-ip-address.md",{"type":8,"value":8294,"toc":8493},[8295,8298,8337,8369,8430,8460],[11,8296,5481],{"id":8297},"how-to-get-a-static-ip-address",[668,8299,8301,8315,8323,8324,8328,8331,8334],{"className":8300,"rounded":54,"max-width":677},[671,672,673,674,675,676],[8302,8303],"v-img",{"src":8304,"alt":8305,"min-width":7514,"max-height":8306,"className":8307},"\u002Fimages\u002Fguides\u002Fhouse_in_cyber_space_mobile.webp","A house loaded with server in cyber space serving clients","400",[8308,8309,8310,8311,8312,8313,8314],"hidden-md-and-up","float-md-left","ml-sm-auto","mr-sm-auto","mr-md-5","mr-lg-6","mr-xl-3",[16,8316,8317],{},[421,8318],{"alt":8305,"className":8319,"format":5973,"height":8321,"preload":54,"quality":209,"src":8322,"width":8321},[8320,8309,8310,8311,8312,8313,8314],"hidden-sm-and-down",268,"\u002Fimages\u002Fguides\u002Fhouse_in_cyber_space.png","\n   ",[20,8325,8327],{"id":8326},"what-is-a-static-ip-address","What is a static IP address?",[16,8329,8330],{},"A static IP address is a unique numerical identifier assigned to a device or server that does not change and is unique to that server or device. Think about it being your unique postal address on the internet, if you want to receive mail then you need your own address so that people know where to send the mail to reach you.",[16,8332,8333],{},"Unlike dynamic public IP addresses, which are assigned by Internet Service Providers (ISPs) and can change at any time or are behind carrier grade NAT (many ISP customers sharing 1 IP address) a static IP does not change and so allows you to be reachable by other people on the internet.",[16,8335,8336],{},"A static IP address allows you to host your own websites, email servers, chat applications etc.",[668,8338,8323,8340,8344,8354,8357,8360,8363,8366],{"className":8339,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8341,8343],{"id":8342},"why-do-i-want-a-static-ip-address","Why do I want a static IP address?",[8302,8345],{"src":8346,"alt":8347,"min-width":7514,"max-height":8348,"className":8349},"\u002Fimages\u002Fguides\u002Fat_home_with_server.webp","A man showing off his home server setup in his home","380",[8308,8350,8310,8311,8351,8352,8353],"float-md-right","ml-md-5","ml-lg-6","ml-xl-3",[8302,8355],{"src":8346,"alt":8347,"min-width":8306,"max-height":8348,"className":8356},[8320,8350,8310,8311,8351,8352,8353],[16,8358,8359],{},"A static IP address allows you to repatriate your data, emails, messages and online life to your own server in your home or office. In an era of excessive surveillance and censorship on cloud platforms performed on an industrial scale, is your data safe on their servers? When your data is on another mans computer, is it really your data?",[16,8361,8362],{},"Servers have become very cheap and powerful so home users are able to host their own email servers, chat applications, file storage services all within their home without a cloud company selling their data to be used to train AI or handing it over to over zealous government department on a fishing expedition.",[16,8364,8365],{},"Businesses have also started to repatriate services to on site servers to save exorbitant cloud costs, have more control over their data, stop business information falling into their competitors hands or have a cloud platform use their data to compete directly with them. There are massive cost savings involved in having a on site server compared to cloud offerings.",[16,8367,8368],{},"Server hardware is affordable and easily available for home and small businesses but in order to host services and have a online presence then you need a static IP to network with the rest of the internet and have your services available.",[668,8370,8372,8376],{"className":8371,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8373,8375],{"id":8374},"what-are-my-options-to-get-a-static-ip-address","What are my options to get a static IP address?",[1230,8377,8378,8404],{},[1233,8379,8380,8384,8387],{"cols":1235,"lg":1236,"xl":1236},[852,8381,8383],{"id":8382},"ask-your-isp-for-a-static-ip","Ask your ISP for a static IP",[16,8385,8386],{},"Most ISP will provide a static IP address for a modest fee however its now considered the worst way to get a public static IP address.",[806,8388,8389,8392,8395,8398,8401],{},[41,8390,8391],{},"Most ISPs are difficult to deal with and many staff dont know what a static IP address is because its a rare request",[41,8393,8394],{},"It costs a lot more than anywhere else",[41,8396,8397],{},"You will need to configure your router and enable your firewall",[41,8399,8400],{},"Most internet services block residential static IP addresses. Its almost impossible to send out email on a residential IP address",[41,8402,8403],{},"You cannot move your server to a different location as your IP is tied to your ISPs connections",[1233,8405,8406,8410,8413],{"cols":1235,"lg":1236,"xl":1236},[852,8407,8409],{"id":8408},"use-getpublicip","Use GetPublicIP",[16,8411,8412],{},"We provide static public IP addresses for use in your home or office. We offer many advantages over a ISPs static IP address.",[806,8414,8415,8418,8421,8424,8427],{},[41,8416,8417],{},"Our service is the easiest way to get a static public IP address",[41,8419,8420],{},"Its cost competitive",[41,8422,8423],{},"Its more secure, we block all ports by default, use our admin tool to open ports to your server",[41,8425,8426],{},"You can move your server anywhere, our solution works over any internet connection. If your ISP goes down you can fail over your server to 5G and keep it online.",[41,8428,8429],{},"We only deal in getting your server online, we can support and help you.",[668,8431,8433,8437,8440],{"className":8432,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8434,8436],{"id":8435},"what-is-the-best-way-to-get-a-static-ip-address","What is the best way to get a static IP address?",[16,8438,8439],{},"Use GetPublicIP to get a static public IP address delivered to your home or office. We make it easy and secure to get your home or office server online without the hassle of dealing with your ISP or paying for expensive cloud providers.",[806,8441,8442,8445,8448,8451,8454,8457],{},[41,8443,8444],{},"Your traffic is delivered over a secure encrypted VPN tunnel.",[41,8446,8447],{},"All ports are blocked by default, our admin panel makes opening ports easy.",[41,8449,8450],{},"No fixed contracts, pay by month, cancel anytime.",[41,8452,8453],{},"We provide many locations around the world so you can get a IP address close to you in order to reduce latency.",[41,8455,8456],{},"This is all we do, our support team is knowledgeable and ready to help you get online.",[41,8458,8459],{},"We do not terminate SSL \u002F TLS connections. This means the SSL \u002F TLS connection will terminate in your home or office. This is the most secure way to do it. When you configure your own SSL \u002F TLS encryption it means that will not be in plain text over our infrastructure, it will be fully encrypted from the client to your server. No one else offers this level of privacy and security.",[668,8461,8463,8467,8470],{"className":8462,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8464,8466],{"id":8465},"what-are-the-downsides-to-having-my-own-static-ip-address","What are the downsides to having my own static IP address?",[16,8468,8469],{},"While a static IP enables you to take control of your data and host services in your home or office there are downsides to consider when undertaking this endeavour. You will have make sure the services you are hosting is secure and locked down. Patches will need to be regularly applied and when vulnerabilities get revealed in your services you will need to patch them straight away. There are strategies you can employ to isolate these services to themselves and from the rest of your home or office network. Data centre operators have expensive backup equipment in place to handle power failures and connection outages, but all factors can be managed by home and office users.",[806,8471,8472,8475,8478,8481,8484,8487,8490],{},[41,8473,8474],{},"You will need to make sure your server is secure and locked down",[41,8476,8477],{},"Patch your server on a regular basis",[41,8479,8480],{},"Monitor your server for vulnerabilities",[41,8482,8483],{},"Make sure your server is backed up",[41,8485,8486],{},"Isolate your server from the rest of your home or office network",[41,8488,8489],{},"Protect your server from power failures and internet outages",[41,8491,8492],{},"You will need to make sure your server is protected from physical theft",{"title":54,"searchDepth":55,"depth":55,"links":8494},[8495,8496,8497,8498,8499],{"id":8326,"depth":55,"text":8327},{"id":8342,"depth":55,"text":8343},{"id":8374,"depth":55,"text":8375},{"id":8435,"depth":55,"text":8436},{"id":8465,"depth":55,"text":8466},"Get a static IP address for secure, dedicated internet access. Learn about the benefits, how to obtain one, and choose the best plan for your needs.",[8502,8504,8506,8508,8510],{"question":8327,"answer":8503},"A static IP address is a unique numerical identifier assigned to a device or server that does not change. Unlike dynamic IP addresses assigned by ISPs that can change at any time, a static IP remains constant, allowing you to host websites, email servers, chat applications and other services that need to be reachable from the internet.",{"question":8343,"answer":8505},"A static IP address allows you to host your own services — email, file storage, chat applications, websites — from your home or office server. This gives you full control over your data, eliminates reliance on cloud platforms, and can provide significant cost savings for businesses compared to cloud hosting.",{"question":8375,"answer":8507},"You can request a static IP from your ISP, which is often expensive and comes with residential IP limitations like poor email reputation. Alternatively, GetPublicIP delivers dedicated public IP addresses to your home or office server with no router configuration needed, better security with all ports blocked by default, and the flexibility to move your server anywhere.",{"question":8436,"answer":8509},"GetPublicIP is the easiest way to get a static public IP address. Your traffic is delivered over a secure encrypted VPN tunnel, all ports are blocked by default with an easy admin panel to open them, there are no fixed contracts, and we do not terminate SSL\u002FTLS connections — meaning your traffic is fully encrypted from client to server with no one else able to see it in plaintext.",{"question":8466,"answer":8511},"You are responsible for securing your server, applying patches regularly, monitoring for vulnerabilities, maintaining backups, isolating the server from your home or office network, and protecting against power failures and internet outages. These are manageable for most users but require ongoing attention.",{},{"title":5481,"icon":8514,"description":8515},"mdi-ip-network","We discuss what a static IP address is, what your options are to get one, and the best way to get a static IP address.",{"title":5481,"description":8500},"guides\u002Fstatic-public-ip-address\u002Fhow-to-get-a-static-ip-address","PP_YJbOv3PqP7D61sspMOnC1r1doGfvNiFe16Uh8BIs",{"path":8520,"title":8521,"icon":1218,"children":8522},"\u002Fguides\u002Fuse-cases","Use Cases",[8523,8681],{"id":8524,"title":8525,"body":8526,"createdAt":8670,"description":8671,"extension":61,"faq":59,"meta":8672,"navigation":8673,"path":8677,"seo":8678,"stem":8679,"updatedAt":8670,"__hash__":8680},"docs\u002Fguides\u002Fuse-cases\u002Fhome-server.md","Self-Hosting at Home - Privacy & Independence",{"type":8,"value":8527,"toc":8665},[8528,8532,8596,8649],[11,8529,8531],{"id":8530},"home-server-freedom-with-getpublicip","Home Server Freedom with GetPublicIP",[668,8533,8535,8540,8543],{"className":8534,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8536,8539],{"className":8537,"id":8538},[675],"why-self-host-at-home","Why Self-Host at Home?",[16,8541,8542],{},"In an era of centralized tech giants, self-hosting at home offers the ultimate privacy and control. By running your own services, you take back custody of your data and remove dependencies on third-party cloud providers.",[1230,8544,8547,8548,8547,8585],{"className":8545},[8546],"mt-4","\n  ",[1233,8549,8551,8552,8547],{"cols":1235,"md":8550},"7","\n    ",[806,8553,8554,8555,8554,8564,8554,8571,8554,8578,8551],{},"\n      ",[41,8556,8559,8560,8563],{"className":8557},[8558],"mb-3","\n        ",[4062,8561,8562],{},"Data Sovereignty:"," You know exactly where your data is—physically sitting on a disk in your home. You own it, you control it, and you decide who has access to it.\n      ",[41,8565,8559,8567,8570],{"className":8566},[8558],[4062,8568,8569],{},"End-to-End Encryption:"," With GetPublicIP, your traffic is encrypted from your server to the internet. We pass the encrypted traffic directly to you, so we never see your data.\n      ",[41,8572,8559,8574,8577],{"className":8573},[8558],[4062,8575,8576],{},"True Privacy:"," Stop trading your personal information for \"free\" services. Running your own Nextcloud, PhotoPrism, or Jellyfin means no more ad tracking or data mining.\n      ",[41,8579,8559,8581,8584],{"className":8580},[8558],[4062,8582,8583],{},"Independent Tech Stack:"," Build a fully independent digital life. Host your own email server (Postfix\u002FDovecot), chat platform (Matrix\u002FSynapse), or password manager (Bitwarden\u002FVaultwarden) without relying on Google, Meta, or Microsoft.\n      ",[1233,8586,8551,8588,8547],{"cols":1235,"md":8587},"5",[8302,8589,8551],{"src":8590,"alt":8591,"className":8592,"height":8595,"cover":54},"\u002Fimages\u002Fguides\u002Fhome_server.jpg","Home server privacy and encryption",[8593,8594],"bg-grey-lighten-2","rounded",400,[668,8597,8599,8604,8607],{"className":8598,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8600,8603],{"className":8601,"id":8602},[675],"benefits-of-getpublicip-for-home-labs","Benefits of GetPublicIP for Home Labs",[16,8605,8606],{},"We solve the biggest headaches of hosting from a residential connection, making it simple to run enterprise-grade services from your living room.",[1230,8608,8547,8610,8547,8618],{"className":8609},[8546],[1233,8611,8612,8613,8547],{"cols":1235,"md":8587},"\n     ",[8302,8614,8551],{"src":8615,"alt":8616,"className":8617,"height":8595,"cover":54},"\u002Fimages\u002Fguides\u002Fhome_server2.jpg","Home lab setup",[8593,8594],[1233,8619,8551,8620,8551,8627,8631,8636,8640,8645,8547],{"cols":1235,"md":8550},[852,8621,8626],{"className":8622,"id":8625},[8623,8624],"text-h6","mb-2","bypass-cgnat-isp-restrictions","Bypass CGNAT & ISP Restrictions",[16,8628,8630],{"className":8629},[675],"Most ISPs use Carrier Grade NAT (CGNAT) which blocks incoming connections. GetPublicIP bypasses this entirely, giving you a real, static public IP address that routes directly to your home server.",[852,8632,8635],{"className":8633,"id":8634},[8623,8624],"host-anything-even-email","Host Anything - Even Email",[16,8637,8639],{"className":8638},[675],"Unlike residential IPs which are often blacklisted, our clean IPs allow you to run a full mail server with deliverability. Host your own domain's email and say goodbye to Gmail.",[852,8641,8644],{"className":8642,"id":8643},[8623,8624],"work-on-any-connection","Work on Any Connection",[16,8646,8648],{"className":8647},[675],"Whether you are on Fiber, Starlink, 5G, or a restricted apartment WiFi, GetPublicIP works seamlessly. Your server maintains the same public IP even if you switch ISPs or move to a new house.",[668,8650,8652,8657,8662],{"className":8651,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8653,8656],{"className":8654,"id":8655},[675],"start-your-independence-today","Start Your Independence Today",[16,8658,8661],{"className":8659},[8660],"mb-6","Ready to unplug from big tech? GetPublicIP gives you the connectivity foundation to build your own sovereign cloud at home. Support is available to help you configure your first tunnel.",[8663,8664],"contact-form",{},{"title":54,"searchDepth":55,"depth":55,"links":8666},[8667,8668,8669],{"id":8538,"depth":55,"text":8539},{"id":8602,"depth":55,"text":8603},{"id":8655,"depth":55,"text":8656},"2025-12-14T14:26:00.000Z","Take back control of your data. Host email, chat, and private cloud services from your home with a dedicated public IP.",{},{"title":8674,"icon":8675,"description":8676},"Home Server Solutions","mdi-home-account","Build a sovereign personal cloud. Get a public IP address delivered to your home server so you can run your own email and chat services.","\u002Fguides\u002Fuse-cases\u002Fhome-server",{"title":8525,"description":8671},"guides\u002Fuse-cases\u002Fhome-server","sgCIUjHny53bEOZvcaroqMWBnEvmzY1EFxyMf7x6O7g",{"id":8682,"title":8683,"body":8684,"createdAt":8828,"description":8829,"extension":61,"faq":59,"meta":8830,"navigation":8831,"path":8834,"seo":8835,"stem":8836,"updatedAt":8828,"__hash__":8837},"docs\u002Fguides\u002Fuse-cases\u002Foffice-server.md","Office Server Solutions & Benefits",{"type":8,"value":8685,"toc":8823},[8686,8690,8743,8809],[11,8687,8689],{"id":8688},"office-server-solutions-with-getpublicip","Office Server Solutions with GetPublicIP",[668,8691,8693,8698,8701],{"className":8692,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8694,8697],{"className":8695,"id":8696},[675],"benefits-of-using-getpublicip-for-servers-in-offices","Benefits of using GetPublicIP for Servers in Offices",[16,8699,8700],{},"Deploying servers within your office environment has never been easier. GetPublicIP streamlines the process, removing traditional networking hurdles and providing enterprise-grade connectivity.",[1230,8702,8547,8704,8547,8736],{"className":8703},[8546],[1233,8705,8551,8706,8547],{"cols":1235,"md":8550},[806,8707,8554,8708,8554,8715,8554,8722,8554,8729,8551],{},[41,8709,8559,8711,8714],{"className":8710},[8558],[4062,8712,8713],{},"No ISP Public IP Required:"," You don't need to provision a static public IP address from your local ISP. This eliminates negotiations with providers and additional monthly fees.\n      ",[41,8716,8559,8718,8721],{"className":8717},[8558],[4062,8719,8720],{},"No Networking Changes:"," It works on any internet connection. No complex router configurations, port forwarding, or firewall changes are required to get started.\n      ",[41,8723,8559,8725,8728],{"className":8724},[8558],[4062,8726,8727],{},"Secure Isolation:"," The solution is able to be isolated within a VM environment and kept separate from the main office network, ensuring security and compliance.\n      ",[41,8730,8559,8732,8735],{"className":8731},[8558],[4062,8733,8734],{},"High Availability & Portability:"," If power or internet connectivity goes down, the server can be physically relocated to a home or another office and will come back online immediately without any further configuration.\n      ",[1233,8737,8551,8738,8547],{"cols":1235,"md":8587},[8302,8739,8551],{"src":8740,"alt":8741,"className":8742,"height":8595,"cover":54},"\u002Fimages\u002Fguides\u002Foffice_server.jpg","Office workers around a server",[8593,8594],[668,8744,8746,8751,8754,8757],{"className":8745,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8747,8750],{"className":8748,"id":8749},[675],"why-companies-are-choosing-to-host-in-office","Why companies are choosing to host in-office",[16,8752,8753],{},"Businesses are increasingly seeing the value of bringing specific workloads back on-premise. The combination of modern hardware availability and cost management makes office hosting a smart choice.",[16,8755,8756],{},"While the cloud offers elasticity, it often comes with a premium price tag for always-on resources. Office servers provide a predictable, high-performance alternative for stable workloads.",[1230,8758,8547,8760,8547,8768],{"className":8759},[8546],[1233,8761,8612,8762,8547],{"cols":1235,"md":8587},[8302,8763,8551],{"src":8764,"alt":8765,"className":8766,"height":8767,"cover":54},"\u002Fimages\u002Fguides\u002Foffice_server2.jpg","Server hardware in office",[8593,8594],300,[1233,8769,8551,8770,8551,8775,8779,8784,8792,8797,8801,8806,8547],{"cols":1235,"md":8550},[852,8771,8774],{"className":8772,"id":8773},[8623,8624],"affordable-high-performance-hardware","Affordable High-Performance Hardware",[16,8776,8778],{"className":8777},[675],"The ex-lease market makes server hardware incredibly affordable. You can acquire servers packed with powerful CPUs and large amounts of RAM for a fraction of the cost of new hardware or equivalent cloud instances.",[852,8780,8783],{"className":8781,"id":8782},[8623,8624],"significant-cost-savings","Significant Cost Savings",[16,8785,8787,8788,8791],{"className":8786},[675],"GetPublicIP has saved businesses over ",[4062,8789,8790],{},"$60k per year"," in AWS fees by moving development, testing, and back-office functions off cloud services like AWS and Azure and into a server in the office.",[852,8793,8796],{"className":8794,"id":8795},[8623,8624],"agile-resource-allocation","Agile Resource Allocation",[16,8798,8800],{"className":8799},[675],"If developers need a VM or other compute resource, they can use the office server immediately instead of going through a lengthy procurement process for cloud infrastructure. This speeds up development cycles and reduces friction.",[852,8802,8805],{"className":8803,"id":8804},[8623,8624],"ideal-for-non-mission-critical-workloads","Ideal for Non-Mission Critical Workloads",[16,8807,8808],{},"It is the perfect solution for moving non-mission critical workloads off expensive cloud services, giving you control and predictable pricing without sacrificing performance.",[668,8810,8812,8817,8821],{"className":8811,"rounded":54,"max-width":677},[671,672,673,674,675,676],[20,8813,8816],{"className":8814,"id":8815},[675],"we-help-you-setup-and-configure","We help you setup and configure",[16,8818,8820],{"className":8819},[8660],"Adopting an office server strategy doesn't mean you are on your own. GetPublicIP can help you setup and configure servers inside your offices, ensuring you have the right architecture and security from day one.",[8663,8822],{},{"title":54,"searchDepth":55,"depth":55,"links":8824},[8825,8826,8827],{"id":8696,"depth":55,"text":8697},{"id":8749,"depth":55,"text":8750},{"id":8815,"depth":55,"text":8816},"2025-12-16T10:33:00.000Z","Discover why businesses are moving servers back to the office with GetPublicIP. Save on cloud costs, simplify networking, and gain flexibility.",{},{"title":8832,"icon":3858,"description":8833},"Office Server Solutions","Discover why forward-thinking companies are moving specific workloads back to the office to reduce cloud spend and increase agility.","\u002Fguides\u002Fuse-cases\u002Foffice-server",{"title":8683,"description":8829},"guides\u002Fuse-cases\u002Foffice-server","QaXLIgaSmzhEHi2yZN1gf1aIGUrCtEfQbKASOhyTAnM",1776315930127]