How to access from outside your network

Public IP

Home routers get a public IP from your ISP for internet access. The address is often leased (i.e. it expires after a certain time and you are then assigned a new one). These routers come with a firewall installed, though it is not always fully enabled by default.

These firewalls vary in how advanced their security features are, but there are a couple of basic ones you might encounter on a home router’s firewall, such as port flooding protection, IP filtering, MAC filtering, port scan protection, port forwarding, etc.

Port Forwarding

This feature may or may not be enabled (accessible) on your router depending on your ISP.

One of the firewall’s basic functions for a home network is to block network traffic on the outside of your home network (i.e. the internet) from accessing the network on the inside and the devices connected to the home network. At the same time, it also allows you to download or request data from outside the home network to the inside; this is what happens when you navigate to a website, for example.

The Port Forwarding feature lifts this restriction, in a way, by opening up a specific port on the outside and exposing it to a port of a network device on the inside, usually specified by IP address, allowing traffic from the outside through the firewall to the device with the set IP address and port.

In order for you to access your Nextcloud from the outside of your house, you need to allow ports 80 and 443 and forward them to the IP address of the device that runs your NextcloudPi instance.

The port forwarding is set up in your router’s configuration interface, accessible by entering the default gateway IP address in a browser. Or, if your router has UPnP and it’s enabled, you can try nc-forward-ports, which uses miniupnpc to attempt to open the ports on your router automatically via UPnP.

  1. Navigate to nc-forward-ports via the CLI or in the WebUI.

  2. Set the ports your Nextcloud runs on.
    (Defaults are recommended, 80 & 443)

    • If it succeeded, that’s great!
      However, it’s recommended to turn off UPnP, so when finished, log in to the router again and turn it off.
  • Is UPnP Safe?
    The UPnP service becomes dangerous if it establishes connections with devices that are infected with malware. Such connections make DDoS attacks possible.

    But when UPnP allows safe devices to connect, the established network is safe. So the original intention of UPnP technology is safe. It only becomes dangerous when infected devices are involved.

    UPnP offers zero-configuration, meaning no human authentication is required to establish a connection. Ports are automatically forwarded to establish a connection when a UPnP request is received. With such an autonomous, and liberal, networking mechanism, it becomes clear how easy it is for the establishment of infected connections to spiral out of control.
    (Source)

DDNS

In order to access Nextcloud from outside of your house, a domain name is needed (e.g. cloud.com) or a sub-domain name (cloud.example.com). Domain names reside on a nameserver, or domain name server (DNS), and they (in a simplified way) hold a data table to translate a human-readable web address to the destination IP address of a server for that domain name.

Now if you have a public IP assigned to you by your ISP that stays the same all the time (i.e static IP) that’s great, you are good to go!

However, not all home users have a static IP address assigned to them and instead are assigned a dynamic IP address which changes from time to time. (Remember the lease period mentioned earlier?)

For that reason, in order to keep your DNS record pointing to the correct public IP address that is assigned to you in case of a change, a DDNS (Dynamic DNS) service is used.

NextcloudPi has two different DDNS clients for two different DDNS providers (FreeDNS, No-IP). You have to register for an account on their website.
There you can create a subdomain for free, or connect a domain name you have purchased.

It also isn’t uncommon for your router to support a DDNS service, such as duckdns.org for example, so take a look around in the firewall settings of your router and you might just find a DDNS setting.

FreeDNS (freedns.afraid.org)

Run nextcloud-config in a CLI or use the WebUI.
Log in to freedns.afraid.org and click “Dynamic DNS”. Right click on “Direct URL” next to your record. Paste it in a text editor and select only the hash (the characters after the “?”).

  1. Navigate to freeDNS in the TUI or the WebUI.
  2. Change ACTIVE to yes.
  3. Change the UPDATEHASH with yours (delete the example and paste with ctrl+shift+V).
  4. Change DOMAIN with the domain name you have registered.
  5. (Optional) Change the UPDATEINTERVAL to the interval time you want the client to update your IP.
    (The default of 5 min should suffice)
  6. Click Run or Start.

Now try and visit the domain name that you have registered and configured in your browser and it should take you to your Nextcloud instance.

No-IP (www.noip.com)

Run nextcloud-config in the CLI or use the WebUI.

  1. Navigate to no-ip in the CLI or the WebUI.
  2. Change ACTIVE to yes.
  3. Change USER with your user name.
  4. Change PASS with your password.
  5. Change DOMAIN with your (sub)Domain Name.
  6. Change TIME with the interval time you want to update the DNS record.
    (Default 30 min)
  7. Click Run or Start.

Now try and visit the domain name that you have registered and configured in your browser and it should take you to your Nextcloud instance.

Automatic signed SSL certificates

In order to trust a connection to a website and send your user name and password, you need an SSL certificate. The SSL certificate ensures that the communication is encrypted, so everything you send can only be viewed by the server and not by someone who impersonates it. By default NextcloudPi provides a self-signed SSL certificate in order to encrypt your communication, but it is strongly recommended that you use a certificate from a certificate authority. NextcloudPi can run the Let’s Encrypt client, which gets a certificate from https://letsencrypt.org for your domain name.

NextcloudPi also configures the web server to use it and renews the certificate once a month.

To configure automatic signed SSL certificates (run nextcloud-config in the terminal (CLI) or use the WebUI):

  1. Navigate to letsencrypt in the terminal (CLI) or the WebUI.
  2. Change the DOMAIN with your (sub)Domain Name.
  3. Change the EMAIL with your Email address. (It is recommended to use a valid Email address)
  4. Click Run or Start.

Carrier Grade NAT

Source

What is CG-NAT? and what does it have to do with IPv4 and IPv6?

With most of our devices still using IPv4, we can use something called CG-NAT, known as ‘Carrier Grade NAT’ or ‘Carrier Grade Network Address Translation’ to help us with staying on an IPv4 network as IPv6 adoption grows.

CG-NAT is used in IPv4 residential networks and is designed to basically pool out and share public IP addresses among residential areas. CG-NAT futureproofs IPv4 and solves the IPv4 shortage to maintain the existing telecom infrastructure, simply by sharing out a public IPv4 address to a number of houses, rather than you having your own individual IPv4 address. Although CG-NAT doesn’t resolve the IPv4 address exhaustion, it is a necessary interim solution whilst the world transitions to IPv6.

How do I access from the outside?

The short and simple answer is via VPN or a Proxy service such as ngrok or localhost.run.

Ngrok

You have to create an account to use this service; they do have a free tier.

Remember that all free-tier services have their limitations, so check them out in their respective docs so you can see when and if they change.

Localhost.run

This service has a free tier as well, and one that doesn’t require a sign-up.

Remember that all free-tier services have their limitations, so check them out in their respective docs so you can see when and if they change.

VPN services

  • TODO

We hope this doc was helpful. If you encounter any issues, please reach out to the community. These docs are written by volunteers; please consider becoming one of them. You can contact the wiki team at Matrix or Telegram.

2 Likes

Hello,

I must first thank you for spending the time to write up.

However, there is something I would like to draw your attention to, that’s CG-NAT.

Gone are the days when consumers would get a Public IP for their routers. Nowadays, an overwhelming number of ISPs are using CG-NAT based WAN network IPs for CPE (Customer Routers).

This guide is not at all applicable for those. Kindly consider including a disclaimer about Public IP and CG-NAT IP.

Thanks.

Here in Germany a lot of users change from e.g. 25.000 DSL to 100.000 glass fibre or more and then only get IPv6 with IPv4-NAT. In Germany the name is DS-Lite. Normal users without on-prem Nextcloud at home will not notice anything.

Hands off if the provider offers you a faster connection but a miserable connection from the outside. Not all devices use IPv6. Also there are often access problems from companies who use only IPv4-proxies. IPv4-to-IPv6 is very bad. It is simply not true that you can do without IPv4.

If I had DS-Lite and used Nextcloud at home, I would change providers and get a real IPv4.

Would either of you be willing to help re-write and update this article? We are in need of volunteers.

If so, you can access a draft by joining our documentation group on the forum. Thanks either way for the follow up.

1 Like

Hello,

I don’t think I am expert enough to write about Pi setup. I don’t even own a Pi. However, networking setup in general is the same with any computer. So here is my take. Feel free to modify / rectify and include it in any of the articles.

Accessing NextCloud Server from outside via Internet

Basic Understanding of IPs

One needs to have access to a Public IP attached to this server to allow it to work with incoming connections via Internet. There are 3 basic classifications of IP addresses:

  • LAN (local network IPs) → They may usually look like this, 192.168.xx.xx and they are used inside your LAN network but they are not accessible via Internet (for incoming traffic)
  • WAN IP (Wide Area Networks) → They may look like 172.xx.xx.xx and they are mainly used within large campus or companies to connect multiple small LAN networks together. They are not accessible via Internet (for incoming connections)
  • Public IP → They may look like this, 8.8.8.8 and they are accessible via Internet for incoming connections since they are unique for the entire internet.

Your Home Network IP Structure

Your ISP (which can be a service provider or your school or housing building or the organization you work for) sends a cable (fiber / LAN / DSL) into your CPE (Customer Premises Equipment) and your Router (CPE itself may function as router) gets connected to that CPE (via various verification methods) to obtain an IP address and get you connected to the Internet. Further, your router may redistribute that internet connection by creating local network (LAN) and by assigning LAN based NAT IP addresses to each of your devices.

  1. Your ISP may choose to assign a Public IP for your Router
  2. Your ISP may use a single Public IP (at their backend) and create a WAN Network to assign a WAN IP for your router. (This is to reuse a Single Public IP for multiple customers). This process of IP distribution is commonly referred to as CG-NAT based IP.

Depending on what kind of IP address you are getting in your router, the process of making your nextcloud server accessible via internet may differ.

If your Router has a Public IP

In this case, it’s easier.

You may need to forward Port 80/443 (or any custom port you are using for NextCloud) from your router to your NextCloud Server LAN NAT IP. You may consult your router manufacturer documents for the process but majority of the routers do support this feature.

You may need to open up the firewall of your NextCloud server to accept internet traffic on port 80/443. Further, you may need to add your Public IP as a trusted domain in nextcloud configuration file.

Anyone from Internet can now access your NextCloud server by entering your Public IP address in their browser address bar.

If your Router is getting CG-NAT IP

If you may notice, this kind of IP address is not accessible via Internet and your server can’t be accessed from Internet without a Public IP. So what can you do?

  1. If you are using school / building / housing / organization / society based Internet connection, you may ask the Network Admin to port forward (80/443) from the main router with Public IP to your WAN / CG-NAT IP. If this is achievable, then you may follow the process above to port forward from your router, adding the public ip in nextcloud configuration file and you are good to go.

  2. In case you are using a professional ISP where this request is not entertained then you may need to pay extra (to your ISP) for a Public Static IP for your internet connection. If that is also not feasible, then the last option is to use a commercial VPS (Virtual Private Server) for VPN traffic forwarding.

How to use a VPS with traffic forwarding for home nextcloud server

There are various technologies, software and configuration methods to achieve this. None of this software is a nextcloud product or part of the community project. So we shall share a general idea about the process.

First, What is a VPS?

Virtual Private Server is just a Virtual Machine (VM) hosted by some large company in their cloud data center or by an individual enthusiast in his garage.

Why do you need VPS

Most commercial VPS will come with its own dedicated Public IP and that is what you need since your home internet connection doesn’t have access to a Public IP for processing the incoming traffic.

How to use the VPS

You may need a Linux based VPS with root access. You may need to install a VPN (Virtual Private Network) server software (like OpenVPN, WireGuard) in that VPS and corresponding client in your nextcloud server. You may need to configure a static VPN IP for the NextCloud server (in this case, VPN client) via that VPS software you are using. You may need to make necessary configuration in your (both server/client) firewall for this VPN connection to work.

Once the connection is active, you can forward all incoming traffic (on port 80/443) of the VPS server public NIC to your NextCloud Server via that VPN static IP.

Now if you add the Public IP of your VPS in the configuration file of the NextCloud server, anyone from internet accessing that Public IP will be able to reach your Home NextCloud Server.

Thanks.
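Both the article’s Carrier Grade NAT section and the reply above hinge on one question: what kind of IPv4 address does the router’s WAN interface actually hold? The following is an added example, not part of the original posts or of NextcloudPi, that classifies that address and maps the result to the options discussed in this thread. The function name, labels and sample addresses are assumptions made for illustration; any address outside the listed reserved blocks is assumed to be publicly routable.

```python
import ipaddress

# IPv4 blocks that cannot receive unsolicited connections from the internet.
NON_PUBLIC = [
    ("cgnat", ipaddress.ip_network("100.64.0.0/10")),     # RFC 6598 shared space
    ("ds-lite", ipaddress.ip_network("192.0.0.0/29")),    # RFC 6333 DS-Lite link
    ("private", ipaddress.ip_network("10.0.0.0/8")),      # RFC 1918
    ("private", ipaddress.ip_network("172.16.0.0/12")),   # RFC 1918
    ("private", ipaddress.ip_network("192.168.0.0/16")),  # RFC 1918
]

# What each result means for the options discussed on this page.
ADVICE = {
    "public": "forward 80/443 on the router to the Nextcloud host",
    "nat-upstream": "another NAT sits in front of the router; forwarding there is needed too",
    "private": "router is behind a building/campus NAT; ask its admin to forward 80/443",
    "cgnat": "carrier-grade NAT; use a VPN/VPS or proxy, or request a public IPv4",
    "ds-lite": "IPv4 is tunnelled by the ISP; use a VPN/VPS or proxy, or request a public IPv4",
    "unusable": "not a WAN address; re-check the router status page",
}


def classify_wan(wan_ip, seen_ip=None):
    """Classify the router's WAN IPv4 address (hypothetical helper).

    wan_ip  -- address shown on the router's WAN/status page
    seen_ip -- address an external "what is my IP" page reports (optional)
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan.version != 4:
        raise ValueError("expected the router's IPv4 WAN address")
    if wan.is_loopback or wan.is_link_local or wan.is_multicast or wan.is_unspecified:
        return "unusable"
    for label, net in NON_PUBLIC:
        if wan in net:
            return label
    # A routable WAN address that differs from what the internet sees
    # means some device upstream is still translating the traffic.
    if seen_ip is not None and ipaddress.ip_address(seen_ip) != wan:
        return "nat-upstream"
    return "public"


if __name__ == "__main__":
    # Constructed samples (documentation and reserved ranges, not real hosts).
    for wan, seen in [("203.0.113.7", "203.0.113.7"), ("100.72.13.5", "198.51.100.20"),
                      ("172.20.4.9", "198.51.100.20"), ("203.0.113.7", "198.51.100.20")]:
        label = classify_wan(wan, seen)
        print(f"{wan:<14} {label:<13} {ADVICE[label]}")
```

Read the WAN address from the router’s status page rather than from a device on the LAN, since a LAN device only ever sees its own local address.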

Article updated. Take a gander.

2 Likes

Just a hint here for anyone trying to port-forward using a custom port while using the Nextcloud all-in-one Docker container, that this cannot be done as per the docs: GitHub - nextcloud/all-in-one: 📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.