As the world quickly runs out, or rather have ran out of IPv4 addresses, more and more people are getting their self-hosting dreams curb-stomped by CGNAT, or carrier-grade NAT. Ever notice how the WAN IP on your router doesn’t match up to whatever is shown on public services? A good sign that you’re behind a carrier-grade NAT.

So what’s in it for me? What’s so terrible about CGNAT? I can still access the Internet just fine. And yes, you will be able to. Most services these days – think YouTube, Google, Facebook, Twitter – do not require you to open up a port on your router. Almost all services are based on server-to-peer, and thus do not need open ports on clients’ end.

But for peer-to-peer services – such as torrenting – or in cases where your home computers become servers – such as Plex – that’s where you start to miss port forwarding. Because in these configurations, the peers, the clients, effectively become the servers.

Since this practice of shadowing everyone behind a CGNAT appliance has become commonplace, so has practices of “tunneling out” of these limitations.


This is what people commonly refer to when somebody asks about CGNAT. You set up Zerotier on the computer you want to access, set it up on the computer you want to access it from, and link those two using a network controller. Sounds simple enough, but this requires you to set up Zerotier on all devices you own. You need to remember to turn it on each time you want to connect to your “private network.”

This methodology is similar to that of OpenVPN’s, but there’s less hassle. With OpenVPN, you need to set up your own network controller (or central OpenVPN server) and manage it, which can be extremely cumbersome. It’s also similar to LogMeIn’s Hamachi, but I detest that software because LogMeIn is a greedy company and it doesn’t work very well.

I like Zerotier because it’s free for non-commercial use and open-source. The last bit is really, really important. Remember, it’s tunneling over all of your sensitive and private information. Having a code repository that is scrutinized by hundreds of security experts around the world is probably one of the top qualifications when it comes to VPN appliances.

But since it’s a bit manual, I didn’t use it for my current networking setup. Maybe I’ll test it out in the future and see how it goes. But this solution is used by many (I’ve seen a lot of vouches for it on Reddit).


I actually wrote an article about tinc a couple of weeks ago. You essentially rent a public VPS that does have exposed ports for the world to see, and then use it as the middleman between you and the computer you are trying to access.

This methodology is similar to SSH’s reverse tunneling, but tinc does it way better because it is so damn reliable. I’ve been test-driving it for weeks now and I have never found myself without a connection to my target computer. Yes, sometimes it is slow, but everything in China moves at a glacial pace and I’m accustomed to it. What I just cannot stand is unreliability, something that SSH and AutoSSH is notorious for. (Really, if I had a dollar for every time SSH gave me a packet_read_error/packet_write_error…)

This is good because once the setup is done, you don’t need to remember to activate your tunnels or anything like that. You just connect directly to the VPS as if you’re connecting to the target machine. It’s clean and I recommend using this method if you want a set-up-and-forget solution, or if you’re running something like Plex which performs better over the Internet than it does over virtual LANs.


Quite frequently I see people recommending ngrok to break out of CGNAT, but I believe otherwise. Simply put, ngrok is not intended for that purpose. It’s more for test driving websites and local development applications. Port forwarding and application hosting was not what it was built for.

If it works for you, great! But it only does one port if I remember correctly, and if you want your custom URL I believe you had to pay for it. Bleugh. No thank you.


So there you go, these are all the solutions you can use to construct your own mini-net! I really can’t wait until IPv6 is mainstream, but until then we will have to find workarounds like these to get around stupid CGNAT.