LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
#1  12-16-2016, 04:39 AM
acarri, LQ Newbie (Registered: Mar 2004; Posts: 18)
How to access chat server with private IP over the internet?


Hello everybody,

This is a tough one for me, let me try to explain myself:

I have a chat server accessible through port 5222, which works great on my LAN, but I can't access it over the internet because my router doesn't have a Public IP assigned to its external interface. It has a Private IP assigned to it, just like its internal interface but on another network, so I can't set up a port forward to any computer inside my LAN, including my server. The router doesn't even have a port forward option.

OK now, I know I can use Hamachi, TeamViewer VPN, or any other VPN service out there, BUT that solution is not all that great, because I would have to use VPN software on tablets, phones, Macs, etc., virtually on every device I want to connect to my chat server...

So... I was wondering if there is some kind of VPN service with the ability to assign me a VPN IP, and also a Public IP address assigned to my VPN, so I can then make a port forward?

Something like this:

(LAN IP eth0 and VPN IP tun0) Chat Server --- Router --- INTERNET --- VPN Server (with VPN IP and PUBLIC IP [assigned to my VPN])

So now I can access my chat through a Public IP, which port forwards to my server's VPN IP (tun0).

Am I crazy, or is this really possible?

Do you have any other ideas? I'm open to more ideas...

Thank you.

Last edited by acarri; 12-16-2016 at 05:49 AM.
 
#2  12-16-2016, 10:23 AM
sundialsvcs, LQ Guru (Registered: Feb 2004; Location: SE Tennessee, USA; Distribution: Gentoo, LFS; Posts: 10,671; Blog Entries: 4)
You really do need port-forwarding on your public-facing router. If it doesn't have that, then it's time to buy a new one that does.

You can then set up routing between the outside world and your chat server.

Now, if it were me, I would (as I have so often preached here...) set up an OpenVPN tunnel such that anyone who wishes to reach your chat server must first be passing through the tunnel. Authorized chat users bearing the crypto certificates that you issued to them can connect and chat away. No one else can see that anything even exists at this public IP address: there are no "open ports."

Notice that I'm speaking of an OpenVPN server running on your local network, accessible to the outside but being the only service accessible to the outside. (And, hidden from view with tls-auth.) Wanna chat? First you gotta connect. Then you can see the (internal) IP-address of the chat server and connect to it using port 5222. No one can eavesdrop on your chats, nor "barge in."

Last edited by sundialsvcs; 12-16-2016 at 10:25 AM.
 
#3  12-16-2016, 10:56 AM
Turbocapitalist, LQ Guru (Registered: Apr 2005; Distribution: Linux Mint, Devuan, OpenBSD; Posts: 7,328; Blog Entries: 3)
Quote (originally posted by sundialsvcs):
    You really do need port-forwarding on your public facing router. If it doesn't have that, then it's time to buy a new one that does.
Not all that do allow port forwarding are on an ISP that has an accessible network. When using a mobile modem, you can easily go through 7 or 8 layers of private networks before getting to any external address. In such a case it's not possible to do anything about those additional layers, only the top layer, and that's not enough.

As far as I know there are two ways around that situation, both relying on SSH.

One method would be to have an external machine and create a reverse tunnel to it. Then outside clients can connect via that reverse tunnel. It's a two-step connection but can be automated with keys and some lines in ssh_config.

Another method is to set the chat server up as an onion service over Tor. Set it to listen on localhost only, then set up a Tor client to forward to that port with the HiddenService directive. Then you need to tunnel the client over Tor, but that can be set up fairly easily.

And, I guess, the third option that is being avoided here is shelling out for a VPS and hosting the chat server on the VPS. That would kind of be half of the first method proposed but without the privacy or control.
 
#4  12-17-2016, 04:04 AM
acarri, LQ Newbie, Original Poster (Registered: Mar 2004; Posts: 18)
Thank you guys for the fast response.

Quote (originally posted by Turbocapitalist):
    One method would be to have an external machine and create a reverse tunnel to it. Then outside clients can connect via that reverse tunnel. It's a two-step connection but can be automated with keys and some lines in ssh_config.
I like this option (number one)... can you elaborate a little bit more, please?

Thanks in advance...
 
#5  12-17-2016, 09:20 AM
Turbocapitalist, LQ Guru (Registered: Apr 2005; Distribution: Linux Mint, Devuan, OpenBSD; Posts: 7,328; Blog Entries: 3)
Quote (originally posted by acarri):
    Thank you guys for the fast response.

    I like this option (number one)... can you elaborate a little bit more, please?

    Thanks in advance...
It's not complicated, just hard to explain.

If you have a network with machines A, B, and C such that A is unreachable from outside but B is, then you 1) connect from A to B, building a reverse tunnel. Then 2) connect from C to B and then via the reverse tunnel to A.

So connecting from the inside to the outside, make a reverse tunnel:

Code:
ssh -R 9999:localhost:22 machineB.example.com
Leave that connection open (it can be automated with keys; see -N and -f for ssh).
Then, as long as that connection stays open, you can use B as a jump host (aka bastion) to reach A from C.

So on machine C connect to A via the reverse tunnel on B:
Code:
ssh -o ProxyCommand="ssh -W %h:%p machineB.example.com" -p 9999 127.0.0.1
If that works, a shortcut can be made in C's ~/.ssh/config. Then the reverse tunnel from A to B can be automated using keys. Machine A and machine B need an OpenSSH server running; the latter needs to be accessible from anywhere.

Edit: if you have a very recent version of OpenSSH, the -J option is much easier to use for step 2.

Last edited by Turbocapitalist; 12-17-2016 at 09:23 AM.
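The A/B/C procedure above, turned into a script that keeps the tunnel up unattended. This is an added example, not code from the thread or from either poster. It forwards the port the original poster actually needs (5222, the chat service) rather than only ssh, so that phone and tablet chat clients connect to machine B's public address with no VPN software, while keeping a second, loopback-only forward so the admin can still ssh into A through B. The host name machineB.example.com, the user "tunnel", the key path ~/.ssh/tunnel_ed25519 and the admin-side port 2222 are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep a reverse SSH tunnel from the
# unreachable chat server (machine A) up to a public host (machine B), so
# that chat clients (C) connect to B's public address on 5222 and are
# forwarded to A, and so that the admin can still ssh to A through B.
# Hypothetical names and values: machineB.example.com, user "tunnel",
# key ~/.ssh/tunnel_ed25519, admin-side port 2222 on B.

REMOTE_HOST="${REMOTE_HOST:-machineB.example.com}"
REMOTE_USER="${REMOTE_USER:-tunnel}"
KEY="${KEY:-$HOME/.ssh/tunnel_ed25519}"
CHAT_PORT="${CHAT_PORT:-5222}"    # chat server listens here on A
ADMIN_PORT="${ADMIN_PORT:-2222}"  # loopback-only port on B that leads to A:22

# Build the ssh command that A runs towards B.
#  -N                        no remote shell, forwarding only
#  -R :5222:localhost:5222   empty bind address = all of B's interfaces;
#                            sshd on B only honours that with GatewayPorts
#                            yes or clientspecified, otherwise it silently
#                            binds loopback and nobody outside can connect
#  -R 127.0.0.1:2222:localhost:22  admin path, loopback-only on B
#  ExitOnForwardFailure=yes  exit instead of staying connected with no
#                            tunnel, so the retry loop below reconnects
#  ServerAlive*              notice a dead NAT mapping within ~90 s
#  BatchMode=yes             never prompt; the key must work unattended
tunnel_cmd() {
    printf 'ssh -N -i %s -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R :%s:localhost:%s -R 127.0.0.1:%s:localhost:22 %s@%s\n' \
        "$KEY" "$CHAT_PORT" "$CHAT_PORT" "$ADMIN_PORT" "$REMOTE_USER" "$REMOTE_HOST"
}

# authorized_keys line to install on B for A's key. The key is long-lived
# and unattended, so it gets no shell, no pty, no agent/X11 forwarding and
# may only open the two listeners it needs (permitlisten needs OpenSSH 7.8+;
# on older sshd drop the two permitlisten options and keep the rest).
# $1 is the public key text ("ssh-ed25519 AAAA... comment").
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="%s",permitlisten="127.0.0.1:%s" %s\n' \
        "$CHAT_PORT" "$ADMIN_PORT" "$1"
}

# Check B's sshd_config before relying on the public forward: sshd uses the
# FIRST value given for a keyword (Match blocks are not handled here), and
# the default when the directive is absent is "no".
# $1 is the path to sshd_config. Returns 0 if non-loopback binds are allowed.
gatewayports_ok() {
    v=$(grep -i '^[[:space:]]*GatewayPorts[[:space:]]' "$1" | head -n 1 | awk '{print tolower($2)}')
    case "$v" in
        yes|clientspecified) return 0 ;;
        *) return 1 ;;
    esac
}

# ~/.ssh/config stanza for the admin workstation (C): "ssh chatserver"
# jumps through B to the loopback-only port opened by the tunnel.
# ProxyJump needs OpenSSH 7.3+; older clients use the ProxyCommand form
# shown in the post above.
admin_ssh_config() {
    printf 'Host chatserver\n    HostName 127.0.0.1\n    Port %s\n    ProxyJump %s@%s\n' \
        "$ADMIN_PORT" "$REMOTE_USER" "$REMOTE_HOST"
}

# Run as "$0 run" on A (e.g. from a systemd service or @reboot cron job)
# to keep the tunnel up; any exit (network change, sshd restart on B, bind
# refused) waits 10 s and reconnects.
if [ "${1:-}" = "run" ]; then
    while :; do
        eval "$(tunnel_cmd)"
        sleep 10
    done
fi
```

Once this is running, chat clients simply use machineB.example.com port 5222, and the admin uses `ssh chatserver` from C. Note what this trades away compared with the OpenVPN approach in post #2: port 5222 on B is now open to the whole internet, so the chat server's own TLS and authentication are the only barrier, and machine B's sshd is the second exposed service, which is why the tunnel key is locked down with `restrict` and `permitlisten` rather than being a plain login key.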
Tags: port forwarding, vpn