Self-host Mastodon at home: the IPv6 path
Mastodon federation requires an inbound-reachable address. Most home connections don't have one. Here's the cheapest, most permanent way to fix that in 2026.
Mastodon (and any ActivityPub server: Pixelfed, GoToSocial, Lemmy, etc.) is built around the assumption that your server is reachable from the rest of the fediverse. Other instances need to push you activities — follows, replies, boosts, deletes. If they can't reach your inbox, federation silently breaks: posts don't appear on remote timelines, follows from other instances time out, you get reported as "this account doesn't exist" on other servers' moderator queues.
So Mastodon-from-home runs into a wall that purely-outbound services (Lemmy clients, Matrix clients) don't have. You actually need a public, reachable address.
Why the usual answers fall short for Mastodon
- Cloudflare Tunnel: HTTPS works, but Mastodon's federation includes some non-HTTPS pieces (Streaming API can be sensitive to long-lived connections through proxies, S3-compatible media storage if you self-host that). Most importantly: your DNS has to be Cloudflare-managed, and Cloudflare reserves the right to drop you for content reasons. For a federated social network, vendor-controlled DNS is a structural problem.
- Tailscale Funnel: HTTPS-only, 1 GB/mo cap on free, max 3 Funnel devices. Won't scale past a personal instance. Also: subdomain belongs to *.ts.net, you can't run your handle as @user@yourdomain cleanly.
- VPS + reverse SSH: works, but you're managing a VPS just to forward 443. No HA, you re-establish on disconnect, you're paying for compute you don't use.
- Rent a small DigitalOcean droplet for $6/mo: works fine but you're paying for cloud compute purely to get one reachable IP. Wasteful if your Mastodon actually runs at home where you have spare CPU + storage.
The IPv6 path
The cleanest 2026 answer: give your home Mastodon server a dedicated public IPv6 address, and federate over IPv6. The fediverse is overwhelmingly IPv6-capable — every major instance (mastodon.social, fosstodon.org, hachyderm.io, etc.) has IPv6 connectivity. Federation over IPv6 just works.
Architecture:
your domain (e.g. social.example.com)
│
│ AAAA record
▼
[public IPv6 — 2001:df6:d2c0:1400::42]
│
│ routed via wayangi hub in Jakarta
▼
[wayangi WireGuard tunnel over UDP/443]
│
▼
[home machine — Mastodon + Postgres + Redis]
Step-by-step setup
Assumes you have Mastodon already running locally on the home machine, bound to 127.0.0.1 — typical Docker Compose setup. We're just exposing it.
1. Install wayangi on the Mastodon host
curl -fsSL https://wayangi.dalang.io/install.sh | sudo sh -s -- --token=YOUR_TOKEN
Get the token from your dashboard. For a real social instance you want the /128 tier ($5/mo per public IPv6). The free tier is mesh-only — fine for testing, won't federate.
2. Confirm the IPv6 is yours
wayangi status
# device: "mastodon-host" (id 01KS...)
# addresses:
# - 10.66.0.5/32 ← internal mesh v4
# - 2001:df6:d2c0:1400:ffff::5/64 ← internal mesh v6
# - 2001:df6:d2c0:1400::42/128 ← public IPv6 (yours)
3. DNS setup
Two records:
social.example.com AAAA 2001:df6:d2c0:1400::42
example.com ALIAS social.example.com (or appropriate CNAME-flat record)
Note: no A record. Mastodon clients that are IPv4-only won't reach you, but every modern Mastodon instance you federate with is dual-stack. Friends on IPv4-only home connections might not see your instance's web UI — but they can still follow you from any other IPv6-reachable instance.
4. Caddy in front of Mastodon
Mastodon's docs show nginx setups; Caddy is simpler:
# /etc/caddy/Caddyfile
social.example.com {
    encode zstd gzip
    handle /api/v1/streaming* {
        reverse_proxy localhost:4000
    }
    handle {
        reverse_proxy localhost:3000
    }
    # Mastodon uploads land in /home/mastodon/live/public/system
    handle_path /system/* {
        root * /home/mastodon/live/public/system
        file_server
    }
}
Caddy will auto-request a Let's Encrypt cert over IPv6 (ACMEv2 supports IPv6-only challenges natively). The streaming API needs its own path since Mastodon runs it on a separate port.
5. Configure Mastodon to know its own domain
In .env.production:
LOCAL_DOMAIN=example.com
WEB_DOMAIN=social.example.com
ALTERNATE_DOMAINS=
TRUSTED_PROXY_IP=127.0.0.1
DEFAULT_LOCALE=en
# set to true if the instance is just you
SINGLE_USER_MODE=false
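Restart Mastodon. Visit https://social.example.com, create the admin account, federate. Because LOCAL_DOMAIN and WEB_DOMAIN differ here, remote servers resolve @user@example.com handles through WebFinger on example.com, so requests for https://example.com/.well-known/webfinger must be redirected to https://social.example.com/.well-known/webfinger.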
6. Verify federation works
# From any IPv6-reachable machine
curl -s "https://social.example.com/.well-known/webfinger?resource=acct:YOUR_USERNAME@example.com"
# From the public reachability probe
curl -s "https://wayangi.dalang.io/check?target=[2001:df6:d2c0:1400::42]:443"
# Follow an account on another instance
# (from your Mastodon UI: paste a remote handle, hit Follow)
# Within 30 seconds it should resolve and let you follow
If WebFinger returns your actor JSON, federation is working. Other instances can discover you, push activities to your inbox, and pull your outbox.
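A stricter form of the WebFinger check in step 6, as an added example that is not part of the original article: it parses the reply and confirms that `subject` carries the LOCAL_DOMAIN handle while the `self` (actor) link is HTTPS on WEB_DOMAIN. The account name `alice`, the sample reply and the function name `check_webfinger` are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample reply for the page's LOCAL_DOMAIN=example.com /
# WEB_DOMAIN=social.example.com split; "alice" is a made-up account.
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "type": "text/html",
         "href": "https://social.example.com/@alice"},
        {"rel": "self", "type": "application/activity+json",
         "href": "https://social.example.com/users/alice"},
    ],
})

# Media types that mark a link as an ActivityPub actor document.
ACTOR_TYPES = {
    "application/activity+json",
    'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
}

def check_webfinger(body, handle, web_domain):
    """Return a list of problems; an empty list means the reply is usable."""
    try:
        jrd = json.loads(body)
    except ValueError:
        return ["reply is not JSON (proxy error page or HTML redirect?)"]
    if not isinstance(jrd, dict):
        return ["reply is JSON but not a JRD object"]
    problems = []
    want = "acct:" + handle.lstrip("@").lower()
    if str(jrd.get("subject", "")).lower() != want:
        problems.append(f"subject is {jrd.get('subject')!r}, expected {want!r}")
    # Remote servers follow the rel=self link to fetch the actor and its inbox.
    actors = [l for l in (jrd.get("links") or [])
              if isinstance(l, dict) and l.get("rel") == "self"
              and l.get("type") in ACTOR_TYPES]
    if not actors:
        problems.append("no rel=self link with an ActivityPub media type")
    for link in actors:
        url = urlsplit(str(link.get("href", "")))
        if url.scheme != "https":
            problems.append(f"actor URL is not https: {link.get('href')!r}")
        if (url.hostname or "") != web_domain.lower():
            problems.append(f"actor host {url.hostname!r} is not WEB_DOMAIN {web_domain!r}")
    return problems
```

Pass it the body returned by the `curl` command in step 6 together with your handle and WEB_DOMAIN; any returned string names the field that would stop a remote instance from resolving the account.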
Caveats
- IPv4-only visitors can't reach your web UI. Mostly fine in 2026 — major mobile carriers, hyperscaler workloads, and most ISPs are dual-stack. A small fraction of users (corporate networks behind older proxies, mobile carriers in some regions) won't see your instance's website directly, though they can still see your posts boosted into their timelines from other instances.
- Media storage scales fast. Mastodon caches every image/video from every account anyone on your instance follows. A 200-user instance can chew through 100 GB/month. Plan for either object storage (S3-compatible, or self-host MinIO on your wayangi-reachable host) or aggressive media-prune cron jobs.
- Postgres + Redis + Sidekiq + streaming need real CPU. Single user: a Pi 5 with 8 GB RAM is enough. 50 active users: more like a small NUC with 16 GB RAM and an SSD.
- Mail relay. Mastodon sends a lot of notification email. Use an SMTP relay (Mailgun, Postmark, Amazon SES) rather than running your own — residential IPs get spam-blocked.
Cost comparison
| Approach | Monthly cost | Notes |
|---|---|---|
| DigitalOcean droplet for Mastodon | $24/mo (4 GB) | You don't use your home compute at all |
| Hetzner CX22 + bandwidth | ~$6/mo | Same story — cloud compute |
| Home server + wayangi /128 | $5/mo | Your CPU, your storage, your domain, public IPv6 |
| Home server + Cloudflare Tunnel | $0/mo | HTTPS only, DNS locked to Cloudflare, possible TOS risk on social content |
Why this is the right shape for fediverse software
ActivityPub is built around servers as first-class endpoints — each instance needs a stable URL that other instances can push to. The IPv6+wayangi path gives you exactly that: a permanent address that's yours, not a vendor-rotated subdomain, not a CDN-fronted URL someone else can revoke. For a federated social network where your identity is @user@yourdomain, that ownership matters.
The same shape works for Lemmy, Pixelfed, GoToSocial, Calckey, Misskey, Pleroma, Akkoma, BookWyrm, PeerTube — any ActivityPub server. Same setup, different software bound to the same public IPv6.
If you've been hesitating to self-host fediverse software because "I can't get a reachable address from home", that problem is solved. Start with the free mesh tier to test the install flow, then upgrade to /128 at $5/mo when you want to federate for real.