Announcing an IPv4 Reverse Proxy
After some of our users reached out about problems with their IPv4 reachability, it became apparent that we needed to provide a bridge to the IPv4 internet.
While our more advanced users were already using Cloudflare for their IPv4 reachability, that approach comes with several hurdles and the obvious security trade-off of placing another entity in the middle of your traffic. Meanwhile, most tutorials online assume IPv4 reachability, and the ones that use TLS require it for Let's Encrypt's challenge response.
We needed to provide an easier way, so we built a fast Server Name Indication (SNI) reverse proxy server. While our users have already been informed, some asked us how it worked - we figured this would make for a great first blog post!
So let's dive in!
IPv6rs IPv4 Reverse SNI Proxy Under the Hood
Our proxy instantiates itself and listens on the gateway IP across all important TLS ports, including IMAPS, SMTPS, POP3S, IRCS, HTTPS, etc.
On each new connection, it waits for the initial packet. In HTTPS, the initial packet (the TLS ClientHello) is not encrypted and includes the target server name. Using that name, we pipe the traffic, including the initial packet, to the target.
How The Proxy Determines What to Reverse Proxy
When a request is made and the server name is detected, the reverse proxy checks the DNS AAAA record for this name. If found and verified to be pointing at an IP in the IPv6rs network, the data is automatically piped. This is why any IPv6rs user can simply set an AAAA record to their IPv6rs IPv6 IP and an A record to their gateway's IP and immediately start receiving IPv4 ingress traffic without any further setup required.
We hope you enjoy our reverse proxy and hope this better explains how it works under the hood, and thank you to all of our beloved users, the future of the internet!