
Leaving “gifts” behind on dedicated server hosts - weinzierl
https://rachelbythebay.com/w/2018/04/14/flash/
======
wahern
> I don't have an easy solution for this one. Building your own box and doing
> the co-lo thing is just far too annoying for a lot of people.

VPS on Vultr: $2.50/month.

Additional IP address on Vultr: $2.00/month.

Forwarding additional routable IP address to dynamically addressed server with
a 1-line IPSec config on each end: $0.00.

You can of course use OpenVPN or WireGuard instead of IPsec, but it's a little
more complicated as you need to forward the IP across a tunnel with two known
end points[1], which you obviously don't yet have. To get the two known end
points you'd need to establish a privately addressed[2] VPN plus configure
explicit routes to forward the fixed IP over the VPN. With IPsec the initiator
(i.e. the box lacking a fixed external address) can dynamically establish a
tunnel for the additional IP _directly_, without the indirection.

It's one case (and perhaps the only typical case) where IPSec's flow-based
rather than route-based configuration policies are clearly beneficial.
Otherwise IPSec's flow-based policies are an endless source of confusion as
most people and most systems' network stacks are primarily route based.

[1] Because they use route-based configuration policies which require, a
priori, having a known end point to route _to_, as opposed to IPsec's
flow-based policies which can capture a packet and forward to whatever peer
(and whatever IP address) has been most recently authorized (by IKE) to receive
it.

[2] Unless you have a whole routable subnet to spare, in which case you
wouldn't even be facing the hosting dilemma.
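As an added illustration (not part of the comment above, and not wahern's configuration), this is what that flow-based forwarding looks like in strongSwan's legacy `ipsec.conf` on Linux. It assumes the VPS has the fixed address 198.51.100.1, the spare routable address is 203.0.113.10 (both RFC 5737 placeholders), the box at home has a dynamic address and may sit behind NAT, and the two ends share a pre-shared key; the connection name `extra-ip` and the IDs `@vps` and `@home` are also assumptions. Note that only the initiator needs to know a peer address: the VPS accepts whichever peer proves the key and then forwards the spare IP to wherever that peer currently is.

```ini
# --- VPS side (fixed address 198.51.100.1, placeholder) ---
# /etc/ipsec.conf
conn extra-ip
    keyexchange=ikev2
    authby=secret
    left=198.51.100.1
    leftid=@vps
    # Flow policy: anything destined for the spare IP goes into the tunnel,
    # whatever source it came from.
    leftsubnet=0.0.0.0/0
    # Peer address is not known in advance: accept any initiator that
    # authenticates as @home with the shared PSK.
    right=%any
    rightid=@home
    rightsubnet=203.0.113.10/32
    # Responder: install the policy and wait for the initiator to connect.
    auto=add

# /etc/ipsec.secrets, identical on both ends (placeholder value):
# @vps @home : PSK "replace-with-a-long-random-secret"
#
# Also on the VPS: sysctl net.ipv4.ip_forward=1, and do NOT assign
# 203.0.113.10 to a local interface, otherwise the kernel delivers those
# packets locally instead of matching the forward policy. How the provider
# gets traffic for the additional IP to the VPS (routed to it, or expecting
# the VPS to answer ARP for it) is provider-specific and not covered here.

# --- home box side (dynamic address, possibly behind NAT) ---
# /etc/ipsec.conf
conn extra-ip
    keyexchange=ikev2
    authby=secret
    # Whatever address the default route currently uses; may change.
    left=%defaultroute
    leftid=@home
    # Flow policy: anything sourced from the spare IP goes into the tunnel.
    leftsubnet=203.0.113.10/32
    right=198.51.100.1
    rightid=@vps
    rightsubnet=0.0.0.0/0
    # Initiator: bring the tunnel up at start and re-establish it if the
    # dynamic address changes and dead-peer detection notices the peer is gone.
    auto=start
    dpdaction=restart

# Also on the home box: give the spare IP to a local interface so services
# can bind to it, e.g. `ip addr add 203.0.113.10/32 dev lo`.
```

Because the VPS policy keys on the destination address rather than on a route to the initiator, the home box can move between networks and simply re-initiate; the VPS's side of the configuration never changes.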

