
Getting around NAT, firewalls, and IPv6-only networks

This section is incomplete

This section needs another pass to make sure that all details are relevant and actually correct.

If you're hosting at home, chances are you are behind NAT, and/or have a firewall that you may not be able to configure. The easiest way around this is to use a VPS (cloud server). This cloud server will have a public-facing IP address, usually both IPv4 and IPv6, and will also likely have a static IP address, which is important for federation.

If you are not planning to host Continuwuity on your own hardware, you should skip this section - I am only recommending cloud servers for getting around NAT/firewall issues. If you are hosting Continuwuity on a cloud server, I expect that you already know how to pick what you need.

Cloudflare Tunnels

You can just use Cloudflare Tunnels, however this allows Cloudflare to snoop on your traffic, and further centralises the internet, which is counter-productive to the goals of Matrix. I won't cover it here.

Picking a cloud provider

You can use an Oracle Cloud Free Tier instance, but be aware that they are not reliable, and may be suspended at any time.

I cannot recommend any other "free" providers, as they have all so far proven to be sketchy. It's worth noting that some server administrators will also firewall block IP ranges that are frequently abused (such as free cloud providers'), meaning that your federation with them will be hampered, and E2EE with them will not work.

I personally recommend any of the following providers (having used them myself):

| Provider | Product | Price/mo | Specs | Notes |
|---|---|---|---|---|
| NetCup | VPS 250 G11s iv | €4 (£3.42) | 2 vCPU, 2GB RAM, 64GB SSD, ∞ traffic | I'm not a fan of their web UI, but it's functional. |
| Linode | Nanode | $5 (£3.75) | 1 vCPU, 1GB RAM, 25GB SSD, 1TB traffic | Expensive for what you get, but reliable and trustworthy. |
| Hetzner | CX22 | €4.55 (£3.88) | 2 vCPU, 4GB RAM, 40GB SSD, 20TB traffic | Hetzner is great, I currently host my backup server there. |
| DigitalOcean | Tiny Basic Droplet | $6 (£4.50) | 1 vCPU, 1GB RAM, 25GB SSD, 1TB traffic | DO is fine, bit pricy. You can get away with the even smaller droplet, but I can't recommend it. |
| OVH | VPS Starter | £4.70 | 1 vCPU, 2GB RAM, 40GB SSD, ∞ traffic (250Mbps throttle) | Great NetCup competitor, more regions than other providers. |

Note: The prices listed here are as of 2025-04-25, and are currently very likely to change, especially the conversion rates. $currentYear and all that.

Setting up Tailscale

Note: You need sudo/root access to your VPS, local server, and own device.

This section will be brief, and expects you to know how to SSH into your server. This also assumes you picked Debian or Ubuntu as your OS.

Here, we're going to install Tailscale, a remote-access solution that uses WireGuard to create a secure tunnel between your server and your home network. This will be used to allow your server to communicate with your home network, and vice versa.

First of all, create an account on Tailscale. After signing up you will need to select "personal use", and then you will be given the instructions to install Tailscale on your own device.

After you have installed Tailscale, you will need to log in. On Linux, just run sudo tailscale up, and it will give you a link to open in your browser. Open the link, and log in with the same account you just created.

You can then go back to the welcome screen, and will have a view like this:

[Image: Tailscale welcome screen after adding one device]

Next, you will need to connect to the server that you intend to run Continuwuity on, and install Tailscale there too.

Follow the same steps, and then the Tailscale website will show you a new device and a ping command to test the connection with. Once you've confirmed that the connection is working, go ahead and install Tailscale on your VPS, following the same steps as before.

After installing Tailscale and confirming the connection on all three devices, you will want to go to the Tailscale admin console. It will look something like this:

[Image: Tailscale admin console showing three devices]

In order to prevent the connection between your VPS and your home server from being interrupted, you will want to make sure that neither device's key expires. To do this:

  1. Click on the three dots next to the device you want to persist.
  2. Click on "Disable key expiry".

Do the same for each server in the chain. After you've done this, your admin dashboard should look like this:

[Image: Tailscale admin console showing three devices, two with no expiry]

(note that in this example, vm is my "personal device")
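The key-expiry step above can also be checked from the command line. The script below is an added example, not part of the original guide: it reads the output of tailscale status --json and reports any server whose node key still has an expiry date or which is offline. It assumes the JSON carries HostName, Online and KeyExpiry fields, with KeyExpiry absent when expiry is disabled; the hostnames "homeserver" and "vps" and the sample data are constructed.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample, trimmed to the fields used below; hostnames and dates
# are made up. "vm" stands in for the personal device.
SAMPLE = json.loads("""
{"Self": {"HostName": "vm", "Online": true, "KeyExpiry": "2025-10-22T09:00:00Z"},
 "Peer": {
   "nodekey:aaaa": {"HostName": "homeserver", "Online": true},
   "nodekey:bbbb": {"HostName": "vps", "Online": true,
                    "KeyExpiry": "2025-07-01T12:00:00.123456789Z"}}}
""")


def parse_expiry(value):
    """Parse a KeyExpiry timestamp; None means the key does not expire."""
    if not value or value.startswith("0001-01-01"):  # absent or Go zero time
        return None
    # Assumes UTC timestamps; sub-second digits are dropped.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit(status, servers, now):
    """Return (hostname, problem) pairs for servers that may drop off the tailnet."""
    nodes = [status.get("Self") or {}] + list((status.get("Peer") or {}).values())
    by_name = {n.get("HostName"): n for n in nodes}
    findings = []
    for name in servers:
        node = by_name.get(name)
        if node is None:
            findings.append((name, "not found in tailnet"))
            continue
        expiry = parse_expiry(node.get("KeyExpiry"))
        if expiry is not None:
            days = (expiry - now).days
            findings.append((name, "key expired" if days < 0 else f"key expires in {days} days"))
        if not node.get("Online", False):
            findings.append((name, "offline"))
    return findings


if __name__ == "__main__":
    # Usage: tailscale status --json | python3 check_tailnet.py homeserver vps
    status = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    servers = sys.argv[1:] or ["homeserver", "vps"]
    for host, problem in audit(status, servers, datetime.now(timezone.utc)):
        print(f"{host}: {problem}")
```

No output means every listed server is online with key expiry disabled; the personal device is deliberately left out of the list, since its key is allowed to expire.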

And that's it! You now have a secure connection between your home server and your VPS, which persists through the NAT/firewall. Details on how to set up the reverse proxy and Continuwuity follow.