Linux bind IP that doesn’t exist with net.ipv4.ip_nonlocal_bind

How do I allow Linux processes to bind to an IP address that doesn't exist yet on my Linux system or server?

You need to set net.ipv4.ip_nonlocal_bind, which allows processes to bind() to non-local IP addresses. This is useful for load balancers such as Nginx and HAProxy, and for Keepalived, WireGuard, OpenVPN and similar software. This page explains how to bind to an IP address that doesn't exist yet using the net.ipv4.ip_nonlocal_bind Linux kernel option.

Tutorial details
Difficulty level: Easy
Root privileges: Yes
Requirements: Linux
Est. reading time: 5m

Why use net.ipv4.ip_nonlocal_bind under Linux operating systems?

HAProxy acts as a load balancer (LB) and a proxy server for TCP and HTTP-based applications. Similarly, Keepalived provides high availability (HA) and load balancing for Linux using the VRRP protocol. It acts as IP failover (virtual IP) software that routes traffic to the correct backend. We can combine HAProxy (or Nginx) with Keepalived to build a two-node high-availability cluster for our applications.

However, the LB software (HAProxy or Nginx) and Keepalived need the ability to bind to a non-local IP address. The problem is that a virtual IP (VIP) address can be assigned to only one node at a time, so Nginx/HAProxy on the other node will refuse to start. You will often see an error such as the following:

Nginx: cannot bind socket.

We want to allow a running LB instance to bind to an IP that is not local, so that failover works.

Linux bind IP that doesn’t exist with net.ipv4.ip_nonlocal_bind

Use the sysctl command to find the current value of net.ipv4.ip_nonlocal_bind:
# sysctl net.ipv4.ip_nonlocal_bind
# sysctl net.ipv6.ip_nonlocal_bind

We can also use the cat command:
cat /proc/sys/net/ipv4/ip_nonlocal_bind
To bind IP that doesn’t exist yet under Linux, run:
sudo sysctl -w net.ipv4.ip_nonlocal_bind=1


We can use the following syntax too:
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
For IPv6:
sudo sysctl -w net.ipv6.ip_nonlocal_bind=1
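The following Python script is an added example, not code from the original tutorial. It reads the current knob from /proc, then shows what bind() actually returns for a VIP that is not configured on the host: EADDRNOTAVAIL while net.ipv4.ip_nonlocal_bind is 0, success once it is 1. It also shows the per-socket IP_FREEBIND option, which gives a single socket the same ability without widening the policy for every process in the network namespace (the sysctl is namespace-wide, so enabling it lets any local process claim any address). Assumptions: a Linux host, the IP_FREEBIND constant value 15 from <linux/in.h> when this Python build does not export it, and the TEST-NET-1 address 192.0.2.10 as a constructed VIP that is never local.

```python
import errno
import socket

# Per-socket option equivalent to the sysctl for one socket only.
# Assumption: Linux, where IP_FREEBIND is 15 in <linux/in.h>; the getattr
# fallback covers Python builds that do not export the name.
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)

PROC_KNOB = "/proc/sys/net/ipv4/ip_nonlocal_bind"


def nonlocal_bind_enabled(path=PROC_KNOB):
    """True/False from the sysctl knob, or None when it is not readable
    (non-Linux host or a restricted container)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def probe_bind(address, port=0, freebind=False):
    """Try to bind a TCP socket to address:port and report the outcome.

    Returns "bound" on success, otherwise the errno name. EADDRNOTAVAIL is
    the kernel's answer when the address is not local and the knob is 0.
    Port 0 requests an ephemeral port, so no privilege is needed.
    """
    try:
        socket.inet_aton(address)
    except OSError:
        return "EINVAL"  # not a dotted-quad IPv4 address
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if freebind:
            # Narrower alternative to net.ipv4.ip_nonlocal_bind=1: only this
            # socket may bind an address the host does not own.
            sock.setsockopt(socket.IPPROTO_IP, IP_FREEBIND, 1)
        sock.bind((address, port))
        return "bound"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def vip_report(vip):
    """Summarise what a load-balancer process would see when binding the VIP."""
    return {
        "ip_nonlocal_bind": nonlocal_bind_enabled(),
        "plain_bind": probe_bind(vip),
        "freebind": probe_bind(vip, freebind=True),
    }


if __name__ == "__main__":
    # 192.0.2.0/24 is TEST-NET-1 (RFC 5737): a constructed VIP that is never
    # configured on this host, so the plain bind fails while the knob is 0.
    for key, value in vip_report("192.0.2.10").items():
        print(f"{key}: {value}")
```

Run it once with the knob at 0 and again after `sudo sysctl -w net.ipv4.ip_nonlocal_bind=1`; the `plain_bind` line changes from EADDRNOTAVAIL to bound, while `freebind` is bound in both cases. If your load balancer supports a freebind-style option (HAProxy's `transparent` bind keyword sets it), that is the least-privilege choice; the sysctl is the fallback when the software offers no such option.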

Binding to Non-local IP addresses in Linux permanently

Edit /etc/sysctl.conf or the drop-in file /etc/sysctl.d/99-custom.conf:
sudo vi /etc/sysctl.d/99-custom.conf
Append the following lines:
## allow Nginx to start and bind to non local IP ##
net.ipv4.ip_nonlocal_bind = 1

Save and close the file. To load changes, run:
sudo sysctl -f /etc/sysctl.d/99-custom.conf
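A drop-in only works if nothing applied later resets the key, so it is worth checking the whole set of files rather than trusting the one you edited. The following Python checker is an added example, not part of the original tutorial. It parses sysctl.conf-style text (comments, blank lines, `key = value`, and the optional leading `-` that suppresses errors), computes the effective value across an ordered list of files (later assignments override earlier ones, which is how sysctl applies repeated keys), and reports a drop-in that is silently overridden or an IPv6 counterpart that was never set. Assumptions: the caller passes the files in the order `sysctl --system` applies them on the host, and the sample file contents at the bottom are constructed.

```python
import re

# procps sysctl(8) line grammar: 'token = value'; a leading '-' means
# "ignore errors for this key"; '/' is accepted in place of '.' in keys.
_LINE = re.compile(r"^-?\s*([A-Za-z0-9_./]+)\s*=\s*(.*?)\s*$")


def parse_sysctl_text(text):
    """Return key -> value pairs from one sysctl.conf-style file body."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = _LINE.match(line)
        if match:
            key = match.group(1).replace("/", ".")
            settings[key] = match.group(2)
    return settings


def effective_settings(files):
    """files: ordered (name, text) pairs in the order sysctl --system applies
    them (assumption: caller supplies that order). Later assignments win.
    Returns key -> (value, name of the file that set it last)."""
    effective = {}
    for name, text in files:
        for key, value in parse_sysctl_text(text).items():
            effective[key] = (value, name)
    return effective


def nonlocal_bind_findings(files):
    """Report the effective ip_nonlocal_bind for both address families and
    flag a drop-in whose value is overridden by a later file."""
    effective = effective_settings(files)
    findings = []
    for key in ("net.ipv4.ip_nonlocal_bind", "net.ipv6.ip_nonlocal_bind"):
        if key not in effective:
            findings.append(f"{key}: not set anywhere (kernel default 0)")
            continue
        value, winner = effective[key]
        setters = [name for name, text in files if key in parse_sysctl_text(text)]
        if value != "1":
            findings.append(f"{key}: effective {value} from {winner}")
        if len(setters) > 1:
            findings.append(f"{key}: set in {', '.join(setters)}; {winner} wins")
    return findings


if __name__ == "__main__":
    # Constructed sample: the drop-in from this tutorial, followed by an
    # /etc/sysctl.conf that a configuration tool reset to 0.
    sample_files = [
        ("/etc/sysctl.d/99-custom.conf",
         "## allow Nginx to start and bind to non local IP ##\n"
         "net.ipv4.ip_nonlocal_bind = 1\n"),
        ("/etc/sysctl.conf", "net.ipv4.ip_nonlocal_bind=0\n"),
    ]
    for finding in nonlocal_bind_findings(sample_files):
        print(finding)
```

After `sudo sysctl --system`, confirm the live values with `sysctl -n net.ipv4.ip_nonlocal_bind net.ipv6.ip_nonlocal_bind`; the checker tells you which file to fix when they are not what you expect.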

Understanding sysctl command options

The -w option enables writing a value to a Linux kernel variable. The -a option shows all variables. For more info, type the following man command:
man sysctl
sysctl --help
Sample outputs:

  -a, --all            display all variables
  -A                   alias of -a
  -X                   alias of -a
      --deprecated     include deprecated parameters to listing
  -b, --binary         print value without new line
  -e, --ignore         ignore unknown variables errors
  -N, --names          print variable names without values
  -n, --values         print only values of a variables
  -p, --load[=<file>]  read values from file
  -f                   alias of -p
      --system         read values from all system directories
  -r, --pattern <expression>
                       select setting that match expression
  -q, --quiet          do not echo variable set
  -w, --write          enable writing a value to variable
  -o                   does nothing
  -x                   does nothing
  -d                   alias of -h
 -h, --help     display this help and exit
 -V, --version  output version information and exit

See “How to reload sysctl.conf variables on Linux” for more info.


You learned how to set net.ipv4.ip_nonlocal_bind to 1 to configure a highly available load balancer (LB) under Linux. See “Handling nginx Failover With KeepAlived” and the Linux kernel docs here for more info.

4 comments so far

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
4 comments… add one
  • numlock_x86 Sep 30, 2020 @ 5:43

    Thank you so much. I have OpenVPN and WireGuard servers running and all services used to fail. I used to bind ssh and apache to private IP space. It was driving me nuts. This setting fixed it:
    sysctl -w net.ipv4.ip_nonlocal_bind=1

    • Sai Prasad kumar Jan 9, 2021 @ 16:57

      Same here. I have OpenVPN, and ssh would fail as OpenVPN started after ssh. I had to use the console to log in to fix this mess. After hours of searching, this solution worked for me. Back in the day we had /etc/rc.local, but systemd got rid of that useful feature.

  • Bogdan Jan 9, 2021 @ 21:44

    Or you can use Pacemaker and Corosync with HAProxy and Nginx. The cluster will monitor the resources, and Nginx or HAProxy will start only on the node with the IP address configured. On the other node the software resource is stopped, so there is no need to set non-local bind. Of course, only if the colocation is configured to do so.
