Skip to content

OrOrbit is in pre-launch. Downloads, accounts, and sponsorship open at launch.

ip privacy dns cloudflare-tunnel vps reverse-proxy ddos cgnat hide-ip

IP Masking — Hide Your Server IP

Protect your home IP address when self-hosting OrOrbit.

beginner ⏱ 10 min 🌐 Connectivity Updated 2026-04-07

When you self-host OrOrbit, your public IP address is visible in DNS records. This guide covers options to hide it.

🤔 Why would I want to hide my IP?

Your public IP reveals your approximate location and can be used for targeted attacks (DDoS). Streamers, public figures, and privacy-conscious users may want to mask it. For private servers shared only with trusted friends, IP exposure is usually fine.

Option 1: Cloudflare Tunnel (Free)

The easiest and most popular option. A Cloudflare Tunnel routes all traffic through Cloudflare’s network, so your real IP never appears in DNS.

  • No ports need to be opened on your router
  • Works behind firewalls and CGNAT
  • Free forever

See the full Public Access guide for Cloudflare Tunnel setup instructions.

Option 2: Pulsar Proxied Mode (Paid)

If your server is registered with Pulsar, you can upgrade to a proxied connection. Cloudflare proxies all traffic to your server, hiding your origin IP behind Cloudflare’s network.

  • Requires Pulsar+ or Pulsar Pro subscription
  • Enable in Admin Panel → Network → Pulsar → Proxied Mode
  • No additional software or configuration needed

ℹ️ Info

The free Pulsar tier uses DNS-only mode, which exposes your IP in DNS records. Proxied mode is a paid upgrade.

Option 3: VPS Reverse Proxy

Run a cheap VPS ($3-5/month) as a reverse proxy. Your home server connects to the VPS via a WireGuard or SSH tunnel, and the VPS forwards traffic. Your home IP never appears in DNS.

1

Set up a VPS

Rent a small VPS from any provider. A $3-5/month instance is sufficient for proxying traffic.

2

Create a tunnel

Set up a WireGuard or SSH tunnel between your home server and the VPS. Your OrOrbit server connects out to the VPS, so no ports need to be opened at home.

3

Configure the proxy

On the VPS, run nginx or Caddy as a reverse proxy. Point your domain at the VPS IP. The proxy forwards requests through the tunnel to your home server.

Example nginx config
nginx.conf 
server {
  listen 443 ssl;
  server_name chat.yourdomain.com;

  ssl_certificate /etc/letsencrypt/live/chat.yourdomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/chat.yourdomain.com/privkey.pem;

  location / {
      proxy_pass https://10.0.0.2;  # WireGuard peer IP (port 443 is default)
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
  }
}

Option 4: Accept It

For private servers shared only with trusted friends, IP exposure may be perfectly acceptable. Your IP reveals your approximate location (city-level) but not your exact address.

ℹ️ Info

If your server is invite-only and you trust everyone who has access, IP masking is a nice-to-have, not a necessity. Focus on keeping your server software updated and your firewall configured properly.

Comparison

OptionCostComplexityIP hidden
Cloudflare TunnelFreeEasyYes
Pulsar Proxied$3-6/moNoneYes
VPS Reverse Proxy$3-5/moModerateYes
Accept itFreeNoneNo

What's next?

Custom Domain Setup