Get a static IP thanks to a VPN

If your ISP don't offer static IP, then you could set up a VPN to use endpoint's static IP.

It also gets handy if :

Here is a scheme of what we're going to achieve :

+-----------+        +---------------------+      +--------------+
| Your own  +<------>+ Server with a       +<-----+              |
| Server    |  VPN   | static IP           |      |   Visitor    |
| -sniper-  |        |     -tank-          |      |              |
+-----------+        +---------------------+      +--------------+
  hidden IP                       Public IP

To avoid confusion, I'll refer your server with "sniper" and the VPN endpoint with "tank".

Warning for pf

⚠ Remember to adjust your pf.conf. Now, incoming traffic is on VPN interface, i.e. "wg0" if you use Wireguard or "enc0" with IKED.

Setup

From now on, we suppose there is a tunnel between sniper and tank using Wireguard.

Now edit pf.conf on tank to add a binat-to rule :

serv_int = "10.0.0.2"
serv_ext = "192.0.2.2"
[...]
pass quick on egress from $serv_int to any binat-to $serv_ext
[...]
# this line is already here
match out on egress from (wg0:network) to any nat-to (egress:0)
[...]
pass on wg0

Make sure to edit "serv_*"

Reload pf and you're done 😊.

Some may want to fine tune their firewall. Use rdr-to rules instead:

serv_int = "10.0.0.5"
ports_tcp = "{ ssh www https smtp submission imaps domain }"
ports_udp = "{ domain spamd-sync }" 
pass in on egress proto tcp from any to egress port $ports_tcp rdr-to $serv_int
pass in on egress proto udp from any to egress port $ports_udp rdr-to $serv_int

Modification des interfaces d'écoute

Daemons on sniper don't listen on egress anymore but on wg0 instead. Adjust configurations if necessary. If you have modified default routes, wg0 belongs to egress group but check with ifconfig to be sure.

As example, httpd configuration could look like this :

server "athome.tld" {
		listen on wg0 port 80
		root "htdocs"
}

Edit DNS

Now, in your DNS zone, your domain name should point to tank's IP.