Hello everyone, I am looking for advice on setting up a proper way to access services that are behind double NAT/CGNAT.
TL;DR: How to access services sitting behind CGNAT in Site 2?
At the moment I have two sites, Site-1 (S1) and Site-2 (S2). S1 has a dynamic IPv4 and a /64 IPv6 address space and is also equipped with OPNsense and some services like Nextcloud, Home Assistant, Gitea, etc. Presently only IPv4 is used internally, WireGuard is set up to access services without any issues and everything is working fine here. Basically no issues with S1, and I have control over the site and services.
S2 is a different story. It's on another continent and behind CGNAT, as the ISP router shows a WAN address in the 10.x.x.x space and has a different public IPv4. There is link-local IPv6 available, but I'm not sure if it can be properly utilised. This ISP router can be accessed by a person in S2, and some settings and basic firewall, VLAN tagging, etc. can be changed on the LAN side. Its internal LAN IPv4 is set as 192.168.10.0/24.
Now, I would like to add some services to S2, including Home Assistant and an IP camera. I don't want the camera to have any internet access, so I plan to add an OpenWrt router and block outgoing traffic for the camera. But such a setup will unfortunately lead to a double-NAT situation.
While looking online for a solution, it seems mesh networks such as Tailscale/Headscale, ZeroTier and NetBird would be suitable. Since I have not used any of them, I would appreciate your insights.
Questions:
- What would be an ideal way to access services behind CGNAT?
- If I self-host NetBird (or Headscale) in S1 and configure the S2 OpenWrt router as a client, would this work and allow access to services in S2? Basically S1 acting as the VPS host.
- Or would it suffice to simply do a site-to-site WireGuard VPN between S1 and S2? I can configure S1, but I'm not sure how to reach the S2 WireGuard end to complete the site-to-site link.
I appreciate your insights and feedback. Thanks
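Added example (not part of the original post) for the site-to-site WireGuard option: CGNAT only blocks inbound connections, so the S2 OpenWrt router dials out to S1 and keeps the NAT mapping alive; S1 never needs to reach S2's WAN. Assumed values: a DDNS name `s1.example.com` for S1's dynamic IPv4, tunnel subnet 10.200.0.0/24, S1 LAN 192.168.1.0/24, and placeholder keys; OPNsense sets the same fields through its GUI.

```ini
# --- S1 (OPNsense, public side, wg-quick notation) ---
[Interface]
PrivateKey = <S1_PRIVATE_KEY>            ; placeholder, generate with: wg genkey
Address    = 10.200.0.1/24               ; assumed tunnel subnet
ListenPort = 51820                       ; allow UDP 51820 inbound on S1 WAN

[Peer]
; S2 OpenWrt router. No Endpoint on purpose: S2 is behind CGNAT and
; must initiate; S1 learns S2's current source address from the handshake.
PublicKey  = <S2_PUBLIC_KEY>             ; placeholder
AllowedIPs = 10.200.0.2/32, 192.168.10.0/24   ; S2 tunnel IP + S2 LAN (from the post)

# --- S2 (OpenWrt, behind CGNAT) ---
[Interface]
PrivateKey = <S2_PRIVATE_KEY>            ; placeholder
Address    = 10.200.0.2/24

[Peer]
PublicKey  = <S1_PUBLIC_KEY>             ; placeholder
Endpoint   = s1.example.com:51820        ; assumed DDNS name tracking S1's dynamic IPv4
AllowedIPs = 10.200.0.1/32, 192.168.1.0/24    ; S1 tunnel IP + assumed S1 LAN
PersistentKeepalive = 25                 ; refresh CGNAT/ISP-router mapping so S1's replies get through
```

AllowedIPs doubles as the cryptokey routing table, so each side also needs a firewall rule permitting the remote LAN on the wg interface; on S2 the camera VLAN can stay blocked from WAN while being allowed only toward the tunnel, which is a clean way to handle the no-internet camera requirement.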