Can't use external IP on Hetzner VPS

Hetzner had stopped assigning public IPv4 addresses to virtual servers. As far as I can tell this change happened when they changed the product name from VQ to CX. The usage of NAT is not mentioned in the product description though.

Eventually Hetzner introduced a newer cloud platform in which VMs get real public IPv4 addresses and a routed /64 IPv6 prefix. Both versions share the CX name.

Virtual servers ordered in 2012 and 2013 would keep their public IPv4 address until 2019 when the VQ line was discontinued. But virtual servers ordered in 2016 only have an RFC1918 address, and Hetzner will not route a public IPv4 address to such a virtual server.

They still allocated a dedicated public IPv4 address to each virtual server, which they NAT to the assigned RFC1918 address. Hetzner believed this was not a problem because it was a 1:1 NAT.

As you found out, this is error prone when configuring the server. You have to know about this NAT. And you have to look up the mapping whenever you configure something. For the first virtual server we got in such a configuration it got misconfigured twice in the first couple of days due to this.

Any software which relies on knowing the public IPv4 address will either break or need special configuration. Additionally some VPN and IP-tunnel can have problems because tunneled packets won't be NATed.

If you have established that these potential problems do not affect your intended usage, and if you are comfortable with having to take the mapping between public and private addresses into account when making configuration changes, you can accept the situation.

However be aware that most NAT implementations are stateful. If the NAT is indeed stateful, you may experience TCP connections stalling when state is lost.

I do not know whether the NAT used by Hetzner is stateful or stateless. The most obvious way I could think of testing for statefulness is to tunnel connection establishment and disable the tunnel once a TCP connection is established. Alas this kind of tunneling is exactly what won't work, so in order to perform this experiment one would have to replicate their 1:1 NAT configuration first. I did not attempt this rather complicated experiment.

These are the options you have:

• Upgrade to the newer CX line on which Hetzner will give you a real IPv4 address and a routed /64 IPv6 prefix.
• Accept that your traffic will go through a 1:1 NAT with the drawbacks that introduces.
• Do all your important traffic on IPv6 - as Hetzner do route IPv6 traffic properly with no NAT.
• Switch to a dedicated server (assuming those still get a public IPv4 address, which is hard to figure out since the usage of NAT is not mentioned anywhere in the product description).
• Switch to a different provider.