Using Wireguard to bypass CGN
CGN, also known as Carrier-Grade NAT, is a technology ISPs are using more and more to reduce the demand for IPv4 addresses. The downside is that it prevents port forwarding from working, which takes away customers' ability to easily self-host services that are reachable from the internet.
A way I've found to work around this is to leverage a third-party server and use it as a bastion host that forwards traffic for self-hosted services from your home connection to the internet, without any port forwarding on the home side.
Overview
The simplest setup consists of 2 machines, plus a domain name:
- One on your local network, that you want to access from the internet
- One on a VPS provider, like Amazon Lightsail or Digital Ocean
  - Generally the cheapest provider with sufficient bandwidth should be fine; the server doesn't need much memory or CPU power.
- A domain name
The server hosted on a VPS provider should already be accessible from the internet; the goal then is to create a bridge between both servers and to teach the VPS how to handle requests that are meant for the other server.
This bridge can be any type of VPN software that lets the VPS reach the server sitting behind the NAT.
If you're only hosting HTTP-accessible services, like Jellyfin, Plex or Nextcloud, an NGINX reverse proxy or some other reverse proxy technology should be sufficient. This requires that each service live on its own subdomain or unique path, so the reverse proxy is able to direct traffic appropriately. Anything more complex might need a load balancer or other mechanisms.
Example Setup
As an example, my current setup is as follows:
- A number of services hosted behind CGN
- A VPS hosted by Digital Ocean
The VPS is a WireGuard VPN server, with the home server connected as a client.
The VPS runs an NGINX reverse proxy inside of Docker, which routes traffic either to other Docker container services or to services hosted behind CGN via their VPN address. Routing is based on subdomain or path. Those requests end up hitting another reverse proxy or a port directly.
For example:
VPS Reverse Proxy
- VPS Docker Services
  - Nginx static site - subdomainA.aruiz.io
  - Wordpress - subdomainB.aruiz.io
- CGN Services (reached over the VPN)
  - Jellyfin - subdomainC.aruiz.io
  - Nextcloud - subdomainD.aruiz.io
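To make the setup above concrete, here is an added example (not code from the original post) that renders the three files the design needs: the WireGuard config on the VPS, the WireGuard config on the home server behind CGN, and an NGINX site that proxies subdomains to the home server's tunnel address. Every key, IP address, hostname and backend port is a placeholder or an assumption made for this example (the 10.66.0.0/24 tunnel range, the `203.0.113.10` documentation address, `example.com` standing in for aruiz.io, Jellyfin on 8096 and Nextcloud on 8080). Generate real keys with `wg genkey` / `wg pubkey` before using any of it.

```shell
#!/bin/sh
# Added example, not from the original post: render WireGuard and NGINX
# configs for the "VPS in front of a CGN'd home server" layout.
# Every value below is a placeholder/assumption constructed for this example.

OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/cgnat-bypass-example}"

VPS_PUBLIC_IP="203.0.113.10"   # placeholder (RFC 5737 documentation range)
WG_PORT="51820"
VPS_WG_ADDR="10.66.0.1"        # assumed tunnel address of the VPS
HOME_WG_ADDR="10.66.0.2"       # assumed tunnel address of the home server
DOMAIN="example.com"           # placeholder for the post's real domain

# Placeholders: replace with output of `wg genkey | tee priv | wg pubkey`
VPS_PRIVATE_KEY="<VPS_PRIVATE_KEY>"
VPS_PUBLIC_KEY="<VPS_PUBLIC_KEY>"
HOME_PRIVATE_KEY="<HOME_PRIVATE_KEY>"
HOME_PUBLIC_KEY="<HOME_PUBLIC_KEY>"

# /etc/wireguard/wg0.conf on the VPS (the only side with a public address)
render_vps_wg_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_WG_ADDR}/24
ListenPort = ${WG_PORT}
PrivateKey = ${VPS_PRIVATE_KEY}

# Home server behind CGN. AllowedIPs is a single /32: WireGuard's cryptokey
# routing will only send traffic for that one address to this peer and will
# drop packets from this peer that claim any other source address.
[Peer]
PublicKey = ${HOME_PUBLIC_KEY}
AllowedIPs = ${HOME_WG_ADDR}/32
EOF
}

# /etc/wireguard/wg0.conf on the home server behind CGN
render_home_wg_conf() {
  cat <<EOF
[Interface]
Address = ${HOME_WG_ADDR}/24
PrivateKey = ${HOME_PRIVATE_KEY}
# No ListenPort: nothing ever needs to reach the home side directly.

[Peer]
PublicKey = ${VPS_PUBLIC_KEY}
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
# Only the VPS tunnel address is routed through the tunnel, so this is not a
# full-tunnel VPN; the home network's normal internet path is unchanged.
AllowedIPs = ${VPS_WG_ADDR}/32
# The CGN side must initiate and keep the UDP mapping alive; without this the
# carrier NAT times the mapping out and the VPS can no longer reach home.
PersistentKeepalive = 25
EOF
}

# NGINX site on the VPS: one server block per subdomain, each proxying to
# the home server's tunnel address (backend ports are assumptions).
render_nginx_site() {
  cat <<EOF
server {
    listen 80;
    server_name jellyfin.${DOMAIN};
    location / {
        proxy_pass http://${HOME_WG_ADDR}:8096;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}

server {
    listen 80;
    server_name nextcloud.${DOMAIN};
    location / {
        proxy_pass http://${HOME_WG_ADDR}:8080;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Write all three files into OUT_DIR for review before copying them into place.
write_all() {
  mkdir -p "${OUT_DIR}"
  render_vps_wg_conf  > "${OUT_DIR}/vps-wg0.conf"
  render_home_wg_conf > "${OUT_DIR}/home-wg0.conf"
  render_nginx_site   > "${OUT_DIR}/sites.conf"
  echo "wrote configs to ${OUT_DIR}"
}

write_all
```

Two points in these files carry the security weight of the design: the VPS only accepts the home peer's traffic from its single /32 tunnel address, so a compromised home box cannot use the VPS as a general-purpose router, and the home side holds no listening port at all, which is exactly why CGN stops mattering. The `PersistentKeepalive` is what keeps the carrier NAT mapping open so the VPS can push proxied requests back down the tunnel. The NGINX blocks listen on plain port 80 purely for brevity; in practice you would terminate TLS here and only expose 443 and the WireGuard UDP port on the VPS firewall.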