Why Can’t People Access My Server?
If you’ve ever tried to host a website or game server, you might have run into the issue where it’s easily accessible on your local network, but accessing it from your public IP doesn’t work, which is kinda frustrating. The internet is supposed to be an interconnected network of computers, right? So what’s blocking the connection?
CGNAT
Many ISPs use CGNAT (Carrier-Grade NAT), especially for residential connections. It means you don’t have your own public IP address; instead, you share one with multiple other customers. You can check by comparing your router’s WAN IP address with your public IP. If they’re different, you’re likely behind CGNAT.
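The WAN-versus-public comparison described above, written as a script. This is an added example, not part of the original post. It goes beyond the plain comparison by also checking the WAN address against the RFC 6598 shared range (100.64.0.0/10) and the RFC 1918 private ranges. The function names, verdict labels and sample addresses are made up for illustration.

```python
import ipaddress

# RFC 6598 shared address space: assigned to the customer side of carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT device sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, public_ip: str) -> str:
    """Compare the router's WAN address with the address the internet sees.

    Returns one of: "cgnat", "private-upstream", "direct", "mismatch".
    Raises ValueError if either string is not a valid IPv4 address.
    """
    wan = ipaddress.IPv4Address(wan_ip.strip())
    public = ipaddress.IPv4Address(public_ip.strip())
    if wan in CGNAT:
        return "cgnat"             # ISP hands out shared address space
    if any(wan in net for net in RFC1918):
        return "private-upstream"  # modem/router in front, or ISP NAT on RFC 1918
    if wan == public:
        return "direct"            # router holds the public address itself
    return "mismatch"              # NAT on public-looking space, or lookup went via VPN/proxy


def router_port_forward_is_enough(verdict: str) -> bool:
    """Only a router that owns the public address can accept forwarded ports."""
    return verdict == "direct"


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    samples = [
        ("100.72.14.9", "203.0.113.40"),
        ("192.168.1.2", "203.0.113.40"),
        ("203.0.113.40", "203.0.113.40"),
        ("198.51.100.7", "203.0.113.40"),
    ]
    for wan, public in samples:
        verdict = classify_wan(wan, public)
        print(f"WAN {wan:15} public {public:15} -> {verdict:16} "
              f"port forward enough: {router_port_forward_is_enough(verdict)}")
```

Read the WAN address from the router's status page and the public address from any IP-lookup site, with any VPN turned off so the lookup reflects your ISP connection.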
So what can you do?
- Request a public IP plan from your ISP.
- Use IPv6, if your ISP and clients support it.
- Use a VPN or a tunneling service.
Router Blocks Port Forwarding
If you are not behind CGNAT, then by default, most routers will block all incoming connections for security reasons. You’ll need to manually open (port forward) the required ports to your server. This typically means going into your router’s settings and setting up a rule that directs traffic on a specific port to your server’s local IP address.
Tunneling
Tunneling forwards traffic from the internet to your server through a third-party server that does have a public IP. You could use a tunneling service or host your own. Check out this awesome list of tunneling applications and services.
My favorite options that I personally use are:
Cloudflare Tunnel
It works really well and is completely free, with a couple of caveats:
- Requires a domain (can be bought anywhere, just needs to be managed with Cloudflare DNS).
- Only recommended for web servers because you can’t tunnel arbitrary TCP without having cloudflared installed on both the host and client machines.
Playit.gg
Very easy to set up, can tunnel pretty much everything. The free version comes with a few limitations, most importantly:
- You are limited to 2 agents, 4 UDP, and 4 TCP ports.
- The URL/IP Address will change every time you restart the tunnel.
frp
You can get a cheap VPS and self-host your own tunneling service. There are no limitations, and it’s a lot easier to manage than a VPN, especially with multiple devices and tunnels.
VPN
The classic solution to remote access, a VPN (Virtual Private Network) allows devices connected to it to communicate as if they are on the same local network. To get started, rent a cheap VPS, then install and set up a VPN server. Your clients can then connect to each other through their VPN IP addresses.
For VPN servers, I recommend WireGuard; it’s easy to install with many scripts and management tools created for it. Another popular option is OpenVPN, which is widely supported and used by corporations, banks, and governments.
To make a service publicly accessible, the easiest approach is to run a reverse proxy server alongside your VPN server. For that, I would recommend Caddy, because it’s very easy to configure and comes with automatic HTTPS.
Another approach is using firewall rules to forward ports. It’s a lot more involved, but it’s an option. Check out this blog post and this script.
Be aware that exposing numerous services publicly increases your attack surface and your exposure to potential hacks and exploits. To mitigate this risk, it’s highly recommended to implement system hardening measures. Alternatively, if these services are only accessed by a small number of people, consider keeping your remote access private.
Tips
- If you want to use SSH with Cloudflare Tunnel, the easiest option is through the browser-rendered terminal.
- If you’re paying for a good VPN service, it’s possible that they offer port forwarding. It can be limited, with different options depending on the provider, but it can be useful if your service is flexible with port numbers, like torrent clients.
- Even if you have a public residential IP address, it’s probably a dynamic IP and not a static one, meaning it will keep changing. To retain access to your server, you’ll want to set up a Dynamic DNS (DDNS) service.
Links and Resources
- Awesome Tunneling
- Cloudflare Tunnel
- Cloudflared Arbitrary TCP
- Playit.gg
- frp (fast reverse proxy)
- FMHY’s hosting tools section
- Cheap VPS deals
- FMHY’s VPN server list
- WireGuard
- OpenVPN
- Caddy
- Abhineshra - Ultimate Guide to Using Caddy as a Reverse Proxy
- Gabriel Trello - How to Expose a Local Server Behind CGNAT Using WireGuard and a VPS
- xiahualiu/wg_gaming_installer - a WireGuard helper script to bypass CGNAT
- Cloudflare Tunnel browser rendered SSH terminal
- FMHY’s Linux privacy and security guide
- Cloudflare DNS Glossary - Dynamic DNS