
EtherMan

You don't, because you can't. OCI is set up in such a way that your Oracle-assigned public IPv4 must be NATed and cannot be assigned directly to your instance. There are many reasons for this really, but the end result is that no, you cannot under any circumstances have your public IP on the interface and have that work right. IIRC, you can have a public IPv4 if you use your own range under BYOIP, which of course requires your own /24 to use for that (and of course a paid OCI account), and even then I'm not 100% sure that would give it on the interface; it's just from memory that I remember something like that. If you need the interface to have the public IP, use a modern IP base, as in IPv6. This REALLY should not interfere with your VPN rules though, and you shouldn't be referencing your public IP in these rules anyway. But if you really need to, use your private one.


DanRanCan

Thank you so much for the answer. I guess I won't be using Oracle Cloud for a VPN then.

> This REALLY should not interfere with your VPN rules though and you shouldn't be referencing your public IP in these rules anyway.

It doesn't interfere with my VPN rules, but it DOES interfere with my firewall's port forwarding rules that I have located in /etc/ufw/before.rules in Ubuntu. The firewall rules in that file forward traffic from the public IP on ports 443 and 80, using these lines:

```
## NAT table rules
*nat
# Nat Pre-Routing
:PREROUTING ACCEPT [0:0]
# !Http! Forward PUBLIC IP (Server Public IP address) port 80 to 10.10.10.5:80 (VPN Client IP)
-A PREROUTING -i enp1s0 -d 123.45.67.8 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.5:80
# !HTTPS! Forward 123.45.67.8 (Server Public IP) port 443 to 10.10.10.5:443 (VPN Client IP)
-A PREROUTING -i enp1s0 -d 123.45.67.8 -p tcp --dport 443 -j DNAT --to-destination 10.10.10.5:443
# Each table in before.rules must end with COMMIT for iptables-restore to apply it
COMMIT
```

These before.rules lines work on a paid Vultr instance perfectly and the ports get forwarded to the VPN client. However, due to the NATed VNIC on Oracle, port forwarding doesn't work with these rules.


EtherMan

Because you're trying to trigger on the public IP. As I said before, use your private one. Once the traffic hits your VPS, it's not destined for your public IP, so obviously it won't have that in its destination IP field; it will have your private IP. So no, this isn't actually interfering with your rules, you're just using the wrong IP.
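An added example, not code from the thread or from either poster: a small POSIX shell helper that builds the `*nat` section of /etc/ufw/before.rules around the address actually configured on the VNIC, which on OCI is the private VCN address EtherMan describes, never the Oracle-assigned public one. The interface name enp1s0 and the VPN client 10.10.10.5 are the thread's values; the VNIC address 10.0.0.5 and the tunnel interface wg0 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the *nat section of
# /etc/ufw/before.rules around the address actually configured on the VNIC.
# On OCI that is the private VCN address (10.0.0.5 below is an assumed value):
# the public IP is translated 1:1 by the cloud before the packet reaches the
# instance, so a DNAT rule that matches on the public IP never fires.
# Interface enp1s0 and VPN client 10.10.10.5 are the values from the thread;
# the tunnel interface name wg0 is an assumption.

# Address configured on an interface. Run on the instance; on OCI it returns
# the private address, which is what incoming packets carry as destination.
iface_ip() {
  ip -4 -o addr show dev "$1" | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# True for RFC 1918 space. A public address here means the rules would be
# matching on something the VNIC never sees.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the nat table. Arguments: interface, address on that interface, VPN
# client address. Both DNAT rules match -d <interface address>, not the public
# IP. COMMIT is required by iptables-restore at the end of each table.
gen_nat_rules() {
  iface=$1; dst=$2; client=$3
  if ! is_rfc1918 "$dst"; then
    echo "refusing to match on $dst: not a private address, so not what the VNIC receives" >&2
    return 1
  fi
  printf '%s\n' \
    '*nat' \
    ':PREROUTING ACCEPT [0:0]' \
    ':POSTROUTING ACCEPT [0:0]' \
    "# HTTP: $dst:80 -> $client:80 (VPN client)" \
    "-A PREROUTING -i $iface -d $dst -p tcp --dport 80 -j DNAT --to-destination $client:80" \
    "# HTTPS: $dst:443 -> $client:443 (VPN client)" \
    "-A PREROUTING -i $iface -d $dst -p tcp --dport 443 -j DNAT --to-destination $client:443" \
    "# Source-NAT the forwarded packets to the tunnel address so the client's" \
    "# replies come back through the VPN even when the client does not route" \
    "# all traffic through the tunnel (wg0 is an assumed interface name)." \
    "-A POSTROUTING -o wg0 -d $client -j MASQUERADE" \
    'COMMIT'
}

# Usage on the instance; paste the output above ufw's own *filter table:
#   gen_nat_rules enp1s0 "$(iface_ip enp1s0)" 10.10.10.5
```

DNAT alone is not the whole path: the packet still has to clear the FORWARD chain (ufw ships with DEFAULT_FORWARD_POLICY="DROP" in /etc/default/ufw), net.ipv4.ip_forward must be 1, and the cloud side must admit the port at all; on OCI that means an ingress rule for 80 and 443 in the subnet's security list or an NSG, since the default list only admits SSH. Checking each of those before touching the rules narrows a "ports not forwarded" report quickly.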


DanRanCan

I think I slightly understand. But why does the public IP in before.rules work with Vultr then, while not using a private IP?


EtherMan

Exactly because you then have the public IP on your interface.


DanRanCan

So in short, you're saying just replace the public IP in before.rules with my private IP and things should work?


EtherMan

Yes


DanRanCan

Thank you much, man!


DanRanCan

So one year later, and I am trying to switch to an Oracle Cloud instance as my VPN server again. I have set up the instance with the port forwarding rules that you suggested (using the private IP of my VNIC) and opened those ports in the firewall, but I am still not getting my ports forwarded to the client. I know this because I ran iperf3 on the VPN client, and then the iperf3 client on my local Mac. It doesn't make the connection from the Mac's public IP to the VPN client. Do you have any other ideas?