Routing a public IPv4 address through a NAT

Thomas Lochet / January 23, 2023

The FRA-01 server is located behind a NAT without any ability to open the HTTPS and HTTP ports.

There are many ways to work around this problem, including Cloudflare Tunnels, Ngrok, GRE tunnels or WireGuard with iptables. However, I wanted to keep a dedicated IPv4 address, so I became interested in the concept of proxy ARP.

The goal

Forward ARP requests through a WireGuard tunnel.

How it works

The host server has two public IPv4 addresses assigned to the same network interface. If the second IP is attached to another network interface, it can create issues within the provider's IP block.

The client server binds the second IP address. All traffic then flows through the tunnel.

No performance or bandwidth loss has been observed because WireGuard runs in the Linux kernel.

This IP address can also be reused as a floating IP in case of trouble.
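
The host and client roles described above, as an added sketch that is not the author's own configuration. It assumes the host routes the second address into the tunnel rather than configuring it locally; the addresses (documentation range 203.0.113.0/24), the interface names `eth0` and `wg0`, port 51820 and the key placeholders are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not the author's configuration. Constructed values:
#   203.0.113.10  second public IPv4 (documentation range)
#   203.0.113.1   host's primary IPv4, used as the WireGuard endpoint
#   eth0 / wg0    host's public interface / WireGuard interface
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
HOST_IP="${HOST_IP:-203.0.113.1}"
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"

# Commands are printed by default; APPLY=1 (as root) executes them.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Host: route the second IP into the tunnel and answer ARP for it on the
# public interface only (not conf.all), so the provider's gateway keeps
# seeing the address behind the host's MAC.
host_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.${WAN_IF}.proxy_arp=1"
    run ip route replace "${PUBLIC_IP}/32" dev "$WG_IF"
    # Cryptokey routing: the peer may only source packets from this /32.
    run wg set "$WG_IF" peer "${CLIENT_PUBKEY:-<client-public-key>}" \
        allowed-ips "${PUBLIC_IP}/32"
}

# Client (behind NAT): wg-quick configuration that binds the public IP and
# sends all traffic through the tunnel. Keys are placeholders.
client_conf() {
    cat <<EOF
[Interface]
PrivateKey = <client-private-key>
Address = ${PUBLIC_IP}/32

[Peer]
PublicKey = <host-public-key>
Endpoint = ${HOST_IP}:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

case "${1:-}" in
    host)   host_setup ;;
    client) client_conf ;;
esac
```

`PersistentKeepalive` keeps the NAT mapping open so that inbound traffic for the public address can reach the client, which cannot accept unsolicited connections itself.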