The public IP address belongs to the infrastructure—not to the server.
Run real web and mail services from virtually anywhere—your home lab, a client's office, or even behind Carrier-Grade NAT. A lightweight VPS provides a stable public IPv4 and IPv6 presence, while the actual services run on a backend connected through an outbound WireGuard tunnel.
The public network identity stays with the VPS, not the server itself. Move the backend to another internet connection, relocate it to a different site, or keep a warm standby ready elsewhere: as long as the backend can establish the tunnel, the outside world continues to reach the same services using the same public addresses.
📡 Visitor 216.73.216.88
│ TCP SYN → port 80/443
▼
🖥️ VPS — public side 217.160.218.27
│ 🛡️ SYNPROXY (handshake + syncookie, MSS 1380)
│ 🔀 nat/OUTPUT DNAT → 100.96.128.2
│
│ 🔒 WireGuard tunnel (wg0)
│ VPS side: 100.96.128.1
│ VM side: 100.96.128.2
▼
🏠 VM — private side (tunnel) 100.96.128.2 / 10.48.48.203
│ ↩️ CONNMARK + policy routing (table 200) → return via wg0
▼
🌐 Web server port 80 / 443
(this page — REMOTE_ADDR = 216.73.216.88)
🌐 Web server port 80 / 443
│
│ HTTP response
▼
🏠 VM — private side (tunnel) 100.96.128.2 / 10.48.48.203
│ ↩️ CONNMARK recognizes existing connection (mark=1)
│ 🧭 policy routing (table 200) → forces route via wg0
│
│ 🔒 WireGuard tunnel (wg0)
│ VM side: 100.96.128.2
│ VPS side: 100.96.128.1
▼
🖥️ VPS — public side 217.160.218.27
│ 🔄 conntrack un-DNAT (source 100.96.128.2 → 217.160.218.27)
│ ✅ FORWARD chain: ctstate ESTABLISHED,RELATED → ACCEPT
▼
📡 Visitor 216.73.216.88 — receives response
You're looking at a live demonstration of an experimental hosting architecture that decouples a server's public network identity from its physical location.
The VPS owns the public IPv4 and IPv6 addresses and acts as the permanent entry point for all incoming traffic. Instead of terminating HTTP or acting as a reverse proxy, it transparently forwards TCP connections over a WireGuard tunnel to a backend VM currently running ISPConfig on Debian GNU/Linux.
Unlike many VPN-based hosting solutions, the backend receives the original client IP address. Traffic is forwarded using transparent DNAT without masquerading, allowing web servers, mail services, logging, GeoIP lookups, and Fail2Ban to work exactly as they would on a directly connected server.
The public edge is protected by Linux SYNPROXY before traffic ever enters the tunnel. Half-open connections and SYN floods are handled on the VPS, reducing unnecessary load on both the tunnel and the backend.
The WireGuard tunnel is always initiated by the backend. Because every connection starts outbound, the backend can operate behind NAT or Carrier-Grade NAT without requiring inbound port forwarding. It can even be moved to another internet connection—or another physical location altogether—without changing DNS records or exposing a different public IP address.
The current implementation supports both IPv4 and IPv6 and is still evolving. You're looking at a live experiment, so occasional changes or rough edges are to be expected.