Tethered Webhosting

The public IP address belongs to the infrastructure—not to the server.

An experimental architecture for portable self-hosting

Run real web and mail services from virtually anywhere—your home lab, a client's office, or even behind Carrier-Grade NAT. A lightweight VPS provides a stable public IPv4 and IPv6 presence, while the actual services run on a backend connected through an outbound WireGuard tunnel.

The public network identity stays with the VPS, not the server itself. Move the backend to another internet connection, relocate it to a different site, or keep a warm standby ready elsewhere: as long as the backend can establish the tunnel, the outside world continues to reach the same services using the same public addresses.

Inbound: Visitor Request Reaching the Web Server

📡 Visitor                          216.73.216.88
     │  TCP SYN → port 80/443
     ▼
🖥️  VPS — public side               217.160.218.27
     │  🛡️  SYNPROXY (handshake + syncookie, MSS 1380)
     │  🔀 nat/OUTPUT DNAT → 100.96.128.2
     │
     │  🔒 WireGuard tunnel (wg0)
     │     VPS side:   100.96.128.1
     │     VM side:    100.96.128.2
     ▼
🏠  VM — private side (tunnel)       100.96.128.2  /  10.48.48.203
     │  ↩️  CONNMARK + policy routing (table 200) → return via wg0
     ▼
🌐  Web server                       port 80 / 443
     (this page — REMOTE_ADDR = 216.73.216.88)

Outbound: Response Returning to the Visitor

🌐  Web server                       port 80 / 443
     │
     │  HTTP response
     ▼
🏠  VM — private side (tunnel)       100.96.128.2  /  10.48.48.203
     │  ↩️  CONNMARK recognizes existing connection (mark=1)
     │  🧭 policy routing (table 200) → forces route via wg0
     │
     │  🔒 WireGuard tunnel (wg0)
     │     VM side:    100.96.128.2
     │     VPS side:   100.96.128.1
     ▼
🖥️  VPS — public side               217.160.218.27
     │  🔄 conntrack un-DNAT (source 100.96.128.2 → 217.160.218.27)
     │  ✅ FORWARD chain: ctstate ESTABLISHED,RELATED → ACCEPT
     ▼
📡 Visitor                          216.73.216.88 — receives response

You're looking at a live demonstration of an experimental hosting architecture that decouples a server's public network identity from its physical location.

The VPS owns the public IPv4 and IPv6 addresses and acts as the permanent entry point for all incoming traffic. Instead of terminating HTTP or acting as a reverse proxy, it transparently forwards TCP connections over a WireGuard tunnel to a backend VM currently running ISPConfig on Debian GNU/Linux.

Unlike many VPN-based hosting solutions, the backend receives the original client IP address. Traffic is forwarded using transparent DNAT without masquerading, allowing web servers, mail services, logging, GeoIP lookups, and Fail2Ban to work exactly as they would on a directly connected server.

The public edge is protected by Linux SYNPROXY before traffic ever enters the tunnel. Half-open connections and SYN floods are handled on the VPS, reducing unnecessary load on both the tunnel and the backend.

The WireGuard tunnel is always initiated by the backend. Because every connection starts outbound, the backend can operate behind NAT or Carrier-Grade NAT without requiring inbound port forwarding. It can even be moved to another internet connection—or another physical location altogether—without changing DNS records or exposing a different public IP address.

The current implementation supports both IPv4 and IPv6 and is still evolving. You're looking at a live experiment, so occasional changes or rough edges are to be expected.