diff --git a/add.go b/add.go
index e26befb..0997ee8 100644
--- a/add.go
+++ b/add.go
@@ -17,7 +17,7 @@ func Add(hostname string, owner string, description string) { //, publicKey stri
 		Hostname:     hostname,
 		Description:  description,
 		PublicKey:    publicKey,
-		PrivateKey:   privateKey,  // omitted from server config JSON!
+		PrivateKey:   privateKey, // omitted from server config JSON!
 		PresharedKey: GenerateJSONKey(),
 		AllowedIPs: []JSONIPNet{
 			JSONIPNet{
diff --git a/init.go b/init.go
index cc3b6f7..3915712 100644
--- a/init.go
+++ b/init.go
@@ -2,8 +2,10 @@ package dsnet
 
 import (
 	"fmt"
+	"io/ioutil"
 	"math/rand"
 	"net"
+	"net/http"
 	"strings"
 	"time"
 )
@@ -53,11 +55,27 @@ func getExternalIP() net.IP {
 
 	localAddr := conn.LocalAddr().String()
 	IP := net.ParseIP(strings.Split(localAddr, ":")[0])
+	IP = IP.To4()
 
 	if !(IP[0] == 10 || (IP[0] == 172 && IP[1] >= 16 && IP[1] <= 31) || (IP[0] == 192 && IP[1] == 168)) {
 		// not private, so public
 		return IP
 	}
-	// TODO detect private IP and use icanhazip.com instead
+
+	// detect private IP and use icanhazip.com instead
+	client := http.Client{
+		Timeout: 5 * time.Second,
+	}
+	resp, err := client.Get("https://ipv4.icanhazip.com/")
+	check(err)
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		body, err := ioutil.ReadAll(resp.Body)
+		check(err)
+		IP = net.ParseIP(strings.TrimSpace(string(body)))
+		return IP.To4()
+	}
+
 	return net.IP{}
 }
diff --git a/types.go b/types.go
index 736806e..2c3304a 100644
--- a/types.go
+++ b/types.go
@@ -20,7 +20,7 @@ type PeerConfig struct {
 	Description string `validate:"required,gte=1,lte=255"`
 
 	PublicKey    JSONKey `validate:"required,len=44"`
-	PrivateKey   JSONKey `json:"-"`  // omitted from config!
+	PrivateKey   JSONKey `json:"-"` // omitted from config!
 	PresharedKey JSONKey `validate:"required,len=44"`
 	// TODO endpoint support
 	//Endpoint     net.UDPAddr `validate:"required,udp4_addr"`
@@ -52,14 +52,14 @@ type Peer struct {
 type DsnetConfig struct {
 	// domain to append to hostnames. Relies on separate DNS server for
 	// resolution. Informational only.
-	ExternalIP   net.IP    `validate:"required,cidr"`
-	ListenPort   int       `validate:"gte=1024,lte=65535"`
-	Domain string `validate:"required,gte=1,lte=255"`
+	ExternalIP net.IP `validate:"required,cidr"`
+	ListenPort int    `validate:"gte=1024,lte=65535"`
+	Domain     string `validate:"required,gte=1,lte=255"`
 	// IP network from which to allocate automatic sequential addresses
 	// Network is chosen randomly when not specified
-	Network      JSONIPNet `validate:"required"`
-	InternalIP   net.IP    `validate:"required,cidr"`
-	InternalDNS  net.IP    `validate:"required,cidr"`
+	Network     JSONIPNet `validate:"required"`
+	InternalIP  net.IP    `validate:"required,cidr"`
+	InternalDNS net.IP    `validate:"required,cidr"`
 	// TODO Default subnets to route via VPN
 	ReportFile   string  `validate:"required"`
 	PrivateKey   JSONKey `validate:"required,len=44"`