Behind Carrier Grade NAT or a firewall? Want to host servers? Try Static IP Tunneling.

Historically, broadband connections came with a public IPv4 address, which made hosting servers relatively easy with a dynamic DNS service. Increasingly, newer ISPs such as Starlink, T-Mobile and fast-growing Asian ISPs like Jio use Carrier Grade NAT to conserve their public IPv4 address pool. In addition, some users are on university and mobile networks where port forwarding is unavailable because of security concerns or technical limitations.

Carrier Grade NAT has one disadvantage: the inability to forward ports. While some ISPs offer a static IP service at a premium, many do not. Despite that, there are workarounds, including special VPNs such as Fourplex’s Static IP Tunneling service.

What is Static IP Tunneling

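Born out of frustration with certain ISPs limiting server hosting, Static IP Tunneling is an L2TP (Layer 2 Tunneling Protocol) VPN providing a static IPv4 address and IPv6 prefix. However, the focus of this service is on self-hosting rather than the privacy and streaming use cases served by mainstream providers, and hence the tunnel is unencrypted: traffic between your machine and the tunnel endpoint is carried in the clear, so any confidentiality has to come from the protocols you run over it, such as TLS or SSH.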

L2TP is also used by many leading telcos such as Bell, BT, CenturyLink and BSNL to aggregate connections with PPPoE. This is the norm in countries where telcos are legally required to allow other DSL and fiber ISPs, or have other security requirements.

Configuring Static IP Tunneling on Linux

While Static IP Tunneling can be configured on many operating systems and routers, the most common setup is on Linux.

Note: This depends on the xl2tpd package which may or may not be in your distribution’s repositories.

  1. Ensure the following kernel options are set or the corresponding modules are available:
    1. CONFIG_PPPOL2TP
    2. CONFIG_L2TP
  2. Install xl2tpd on your Linux box. On Ubuntu and Debian, you can use sudo apt-get install xl2tpd.
  3. Edit /etc/xl2tpd/xl2tpd.conf to contain the following (adjust to suit your distribution):
    [lac fourplex]
    lns = nyc.vpn.fourplex.net
    require authentication = no
    pppoptfile = /etc/ppp/options.fourplex
  4. Create /etc/ppp/options.fourplex containing the following (change the name and password to match your L2TP login details):
    +ipv6
    ipv6cp-use-ipaddr
    name username
    password "password"
    noauth

    Replace username and password with your L2TP username and password. The quotes around the password are important.
  5. Start the xl2tpd service:
    systemctl start xl2tpd
  6. Tell the daemon to connect to Fourplex:
    echo "c fourplex" > /var/run/xl2tpd/l2tp-control

Note: if systemctl doesn’t start xl2tpd, you can try manually:

xl2tpd -D

and then repeat step 6.

To make the connection persist across reboots, edit /etc/crontab and add the following:

@reboot root bash -c "xl2tpd -D &"
@reboot root bash -c "sleep 5 && echo 'c fourplex' > /var/run/xl2tpd/l2tp-control"

After this, the server’s IPv4 address can be used like a VPS IP, where server software can be run directly without port forwarding.
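Because the tunnel address reaches the host directly, every service listening on a non-loopback address becomes reachable from the Internet. The following is an added example, not part of the original article: it lists such TCP listeners from `ss -H -tln` output and checks that the PPP options file holding the plain-text password is not readable by other users. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: exposure checks for a host using the tunnel described above.

# Read `ss -H -tln` lines on stdin; print "port address" for every TCP
# listener that is NOT bound to loopback, i.e. reachable via the tunnel IP.
exposed_listeners() {
    awk '{
        ep = $4                              # Local Address:Port column
        n = match(ep, /:[0-9]+$/)            # position of the final ":port"
        if (n == 0) next
        addr = substr(ep, 1, n - 1)
        port = substr(ep, n + 1)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        print port, addr
    }' | sort -n | uniq
}

# Succeed only if the file grants no permissions to group or other.
# /etc/ppp/options.fourplex holds the L2TP password in plain text.
secret_file_private() {
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 *:9090 *:*'

# Offline demonstration on the sample; on a real host run:
#   ss -H -tln | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners

OPTS=/etc/ppp/options.fourplex
if [ -e "$OPTS" ] && ! secret_file_private "$OPTS"; then
    echo "warning: $OPTS is readable by group/other; run: chmod 600 $OPTS"
fi
```

Anything the listener check reports should either be meant for the Internet or be filtered by a host firewall on the tunnel interface. The check covers TCP only.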

You can also configure Static IP Tunneling on Windows, macOS or BSD variants.

Using a router

In some cases, a VPN-terminating router can also be used. This is useful if you want an isolated network for your servers. However, with this setup, port forwarding on the router is required.

For Fourplex, I recommend the MikroTik hEX as it’s under $60 USD. Other supported router models include refurbished Cisco ISR routers, TP-Link’s Omada and Ubiquiti’s EdgeRouter. You can also run a software-based termination router using an x86-based PC or virtual machine using OPNsense, pfSense, MikroTik CHR or even Linux/BSD directly.

Keep in mind that not all routers will work. Some common unsupported router types include:

  • Consumer-level routers (Eero, Orbi, et al.)
  • ISP-provided routers
  • Ubiquiti UniFi gateways
  • VyOS-based routers

In that case, you can daisy chain a supported router like the hEX, or alternatively use the tunnel directly on a server. Some consumer-level routers may work with alternative firmware such as OpenWrt, while VyOS can be replaced with a supported platform.

Conclusion

While Carrier Grade NAT can be, and often is, frustrating, it shouldn’t be a deterrent from hosting servers. People in universities, fast-growing Asian markets and rural areas often lack a public IPv4 address from their ISP, and usually can’t purchase one as an option. For instance, Starlink and Jio require pricey business plans for static IPs.

While high-bandwidth servers like Jellyfin and Tor relays are best served by ISPs directly, Fourplex’s Static IP Tunneling is better suited for most homelab, self-hosting and security activities. It’s easier to use, less disruptive, more economical, and can be used anywhere in the world. Switched ISPs? Moved abroad? Your IP is yours as long as you keep your service.
