Internet access without public IP


So, given you have a server with a public IP, and one without.

What’s the best-practice in getting from the private server, to the public internet?

  • I thought of SSH-proxy, which works, but not for apt somehow, so I am unable to install new stuff.
  • I also thought of OpenVPN connection, but as I cannot install anything, I don’t have OpenVPN at the private server.


I remember some people here who have some solutions for allowing outgoing traffic without a private IP. Try a search in the community.


You are right; I completely missed it. A search resulted in nothing, but manually scrolling through all topics led me to this topic:

However, this talks about installing squid3, and using that to create a proxy. However, how am I to install squid3, if I’m not connected …


What I do is buy an IP for an hour, use it, then remove it.


After a few hours of trying (and failing), I managed to get an internet connection using a specific tunnel.

# From the server that has internet:
$ ssh -R internal_ip_of_without_internet

# From the server without internet
# Make sure /etc/apt/sources.list contains lines like these:
# deb http://localhost:8080/debian/ jessie main contrib non-free

This allows internet from the server without internet, to install other packages (i.e. squid3, tsocks, openvpn, etc.)


Now this makes me wonder why debian doesn’t use


Never heard of before. Too bad it only offers Ubuntu-packages as of right now. That would indeed make it way easier to configure an Ubuntu-server w/o IP, than it would be to configure a Debian-server.


You can set up a SOCKS proxy on the server with internet access and install tsocks on the server without a public IP.
After that use something like . tsocks -on and you will have access normally to the internet.

You can use this guide ->


Doesn’t the part “install tsocks on the server without public ip” require internet access in the first place? (At least, on non-ubuntu distros)


No, you can use apt-get download tsocks and then use rsync or scp to transfer the .deb file from the public server to the private server.


My solution was to use a Scaleway host that does have a public IP as a gateway, via a tinc VPN. I didn’t spend too much time making it portable, since I’m just using Debian to bootstrap NixOS, but it’s pretty much a pair of scripts; one to set up tinc on the gateway, one to copy the .debs onto the private-IP hosts and set up tinc there. It works for me on Debian Jessie; I’d expect it to work on any Debian-ish system, and with minor modifications on other distros. But it’s convenient for me, and I threw them up on GitHub along with a bit of explanation.

(Incidentally, I also successfully booted nix using the other part of that repo; now it’s time to clean it up into something that Just Works, though it’s close as is.)


You could enable IP-forwarding on an instance with a public IP and just use NAT/MASQUERADE.

Remember to exclude any non-whitelisted IPs from being forwarded.
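
An added example, not part of the original posts: one way to build the whitelist-only NAT ruleset suggested above, as a generator that validates every whitelist entry before emitting anything. It assumes the private hosts can already route to the gateway; the interface name eth0 and the 10.1.2.x addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset for a
# NAT gateway that forwards only whitelisted hosts. eth0 and the 10.1.2.x
# addresses are constructed assumptions.

# Succeed only for a plain dotted-quad IPv4 address: no CIDR suffix, no extra
# words, no leading zeros (some parsers read those as octal).
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_ruleset WAN_IF IP...  Validates everything first, so a bad entry yields
# no output at all rather than a partial ruleset.
gen_ruleset() {
    [ "$#" -ge 2 ] || { echo "usage: gen_ruleset WAN_IF IP..." >&2; return 1; }
    wan=$1; shift
    case $wan in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $wan" >&2; return 1 ;;
    esac
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "rejected whitelist entry: $ip" >&2; return 1; }
    done
    # Default-drop forwarding, allow replies, then one ACCEPT per whitelisted host.
    printf '%s\n' "*filter" ":FORWARD DROP [0:0]" \
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for ip in "$@"; do printf '%s\n' "-A FORWARD -s $ip/32 -o $wan -j ACCEPT"; done
    printf '%s\n' "COMMIT" "*nat"
    # Masquerade only the same whitelisted sources, never the whole subnet.
    for ip in "$@"; do printf '%s\n' "-A POSTROUTING -s $ip/32 -o $wan -j MASQUERADE"; done
    printf '%s\n' "COMMIT"
}

# Review the output, then on the gateway (as root) enable forwarding with
# `sysctl -w net.ipv4.ip_forward=1` and pipe the ruleset to iptables-restore.
# Without --noflush, iptables-restore replaces the existing filter and nat tables.
gen_ruleset eth0 10.1.2.3 10.1.2.4
```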


Unfortunately, as noted in my repo above, that’s a little trickier than usual, because multiple hosts are likely on different subnets and not directly routable. AFAICT, the standard NAT approach with kernel routing tables requires being directly able to hit the host you’re NATing through from the private server. (More precisely, a command along the lines of route add default gw will fail if you’re on the subnet.)

So my approach as mentioned was to use tinc to put them on the same (virtual) subnet; I’d love to learn a simpler solution, but it seems to me that “Just use NAT!” is missing some important details.