Seeking advice for service access behind CGNAT

Hello everyone, I am looking for advice on the proper way to set up access to services that are behind Double-NAT/CGNAT.

TL;DR How to access services sitting behind a CGNAT in site 2?

At the moment I have two sites, Site-1 (S1) and Site-2 (S2). S1 has a dynamic IPv4 and a /64 IPv6 address space and is also equipped with OPNsense and some services like Nextcloud, Home Assistant, Gitea, etc. Presently only IPv4 is used internally, WireGuard is set up to access services without any issues and everything is working fine here. Basically no issues with S1, and I have control over the site and services.

S2 is a different story. It's on another continent and behind CGNAT, as the ISP router shows a WAN address in the 10.x.x.x space and has a different public IPv4. There is link-local IPv6 available, but I'm not sure if it can be properly utilised. This ISP router can be accessed by a person in S2, and some settings and basic firewall, VLAN tagging, etc. can be changed on the LAN side. Its internal LAN IPv4 is set as 192.168.10.0/24.

Now, I would like to add some services to S2, including a Home Assistant and an IP camera. I don't want the camera to have any internet access, so I plan to include an OpenWrt router and block outgoing traffic for the camera. But such a setup will unfortunately lead to a Double-NAT situation.

While looking online for a solution, it seems that mesh networks such as Tailscale/Headscale, ZeroTier and NetBird are suitable. Since I have not used any of them, I would appreciate your insights.

Questions:

  1. What would be an ideal way to access services behind CGNAT?
  2. If I self-host NetBird (or Headscale) in S1 and configure the S2 OpenWrt router as a client, would this work and allow access to services in S2? Basically S1 acting as a VPS host.
  3. Or would it suffice to simply do a site-to-site WireGuard VPN between S1 and S2? I can configure it in S1, but I'm not sure how to reach the S2 WireGuard endpoint to complete the site-to-site link.

I appreciate your insights and feedback. Thanks.
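For question 3, a site-to-site WireGuard link does not need S2 to be reachable from the internet: S2 is the side that dials out, and S1 (the side with the public address) is the only one that listens. The two configs below are an added illustration, not the poster's configuration; the key values, the DDNS hostname `s1.example-ddns.invalid` for S1's dynamic IPv4, the tunnel subnet 10.200.0.0/24 and the S1 LAN 192.168.1.0/24 are all assumed placeholders.

```ini
# ---- S1 (OPNsense side, the listener; no Endpoint for S2 because S2 sits behind CGNAT) ----
[Interface]
PrivateKey = <S1_PRIVATE_KEY_PLACEHOLDER>
Address = 10.200.0.1/24
ListenPort = 51820          ; forward/allow UDP 51820 on the S1 WAN firewall

[Peer]
; S2 OpenWrt router. No Endpoint here: S2's CGNAT address is not reachable,
; so S1 learns S2's current public address:port from the first handshake.
PublicKey = <S2_PUBLIC_KEY_PLACEHOLDER>
; Only accept traffic sourced from the tunnel address and the hosts you
; actually want reachable (here the whole S2 LAN; narrow this to the
; Home Assistant and camera addresses if that is all S1 should see).
AllowedIPs = 10.200.0.2/32, 192.168.10.0/24

# ---- S2 (OpenWrt side, the initiator) ----
[Interface]
PrivateKey = <S2_PRIVATE_KEY_PLACEHOLDER>
Address = 10.200.0.2/24
; No ListenPort needed; an ephemeral source port is fine for an outbound-only peer.

[Peer]
PublicKey = <S1_PUBLIC_KEY_PLACEHOLDER>
Endpoint = s1.example-ddns.invalid:51820   ; assumed DDNS name for S1's dynamic IPv4
; Route the tunnel subnet and the (assumed) S1 LAN through the tunnel.
AllowedIPs = 10.200.0.0/24, 192.168.1.0/24
; Keepalive is what makes this work behind CGNAT: it keeps the ISP's NAT
; mapping open so S1's replies can still reach S2 when the link is idle.
PersistentKeepalive = 25
```

On OpenWrt the same values go into `/etc/config/network` (`option private_key`, `option endpoint_host`, `option persistent_keepalive`, `list allowed_ips`) rather than a wg-quick file; keep the camera's firewall zone forwarding to WAN disabled so it can only be reached through the tunnel.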

I don’t know if this would be helpful, because my thing is not that complicated, but my ISP at home also uses dynamic IPv4s with CG-NAT and no IPv6 at all.

My son installed Tailscale on my laptop and a Linux machine to be able to see those devices from his place; it works just fine even though I have no idea how… but he can RDP to the laptop, for example, or SSH to the Linux box without needing to use IPs, as each of them gets assigned a name and their DNS thing does the resolving.

Perhaps something like that for the machine(s) you’ll have running the services you want to access at S2?


Hi Carliste, thanks for your input. It's encouraging to see Tailscale is working. I believe what you described is similar to my question 2, where S1 would be the Tailscale/Headscale coordination point (like your son's place) and then clients are installed in S2 (like on your laptop). Let me check this out.

Cloudflare Tunnels could also be an option.

Just place it in front of the devices you want to use over VPN if you're concerned about double NAT, and there's no need to involve *scale at all. Unless it's very bandwidth heavy, just tunnel it via site S1 using WireGuard.