[kwlug-disc] Remote access to machine behind CG-NAT

John Van Ostrand john at vanostrand.com
Sun May 18 10:24:00 EDT 2025


On Sat, May 17, 2025 at 9:38 PM Khalid Baheyeldin <kb at 2bits.com> wrote:

> (CG-NAT = Carrier Grade NAT)
> If one has a machine behind a CG-NAT network provider, the
> usual port forwarding techniques and Dynamic DNS no longer
> work.
>

I saw the noose tightening on me too. My Teksavvy (cable) gives me a
routable IP, but at the cottage Bell WHI (mobile data internet) I get
NAT'ed. I've been using a dynamic DNS service that wants to charge me
$3/month if I want to avoid confirming it every month.

> What other options do I have?
> There is VPN, where one sets up their own VPN on a virtual
> server. And there are the commercial providers.
>

I quickly discounted a VPN service prejudicially. I didn't want to wade
through the multitude of anonymizing ones to get to one that supported
networks.

I found several virtual server providers that could offer a cheap VPS. I
went with Hetzner and originally opted for a European site, but quickly
found I had overestimated the transatlantic latency (500ms) and switched to
a Virginia-based one (90ms). There are some Canadian ones out there that
are probably cheap enough for what you want. I pay about €5 per month and I
get two cores, 2GB RAM, 40GB SSD, and 1TB of transfer. I'm not happy
about using Virginia, but it'll do for now.

I set up OpenVPN and use a client on my phone so I have a three-node VPN
connecting both homes and my cell phone. That gives me access wherever I
am. I use pfSense on each side and OpenVPN integrates fairly well on that.

So I saved on cloud storage (although photos and videos are probably more
easily browsed on cloud clients). I'll be able to switch service providers
without concern about IP addressing (it's not an easy question for them to
answer) and I can avoid the annoying dynamic DNS test every month.

Shopping for new ISPs should save me more than €5 per month now that I
don't need a routable IP and I could use the VPS for simple other things.

> WireGuard seems to be the newer technology with less
> resource utilization. TailScale is a Canadian VPN provider
> who provide hosted WireGuard.
> Anyone tried them? Do they have a free (or low cost) tier?
>
> There is also the tried and tested OpenVPN, but it uses
> more resources.
>
> All ideas and recommendations welcome.
>

One last thought. If IPv6 receives enough support we can avoid all this.


-- 
John Van Ostrand
At large on sabbatical