Double CG-Nat 4G-ISP crossing by Wireguard tunnel between OpenWrt Router (Server) and Android Phone (Client)

I have an OpenWrt Router (as Gateway) with other devices (IPCameras -> 192.168.1.x) connected in a local network in a Village in Spain.
The router has the Wireguard package installed (SERVER) and gets the internet by a 3G/4G USB dongle with SIM-phone-number inside from a local ISP called Simyo that uses CG-Nat (first CG-Nat to pass).

Wireguard OpenWrt Server with local network devices:
Router which is the gateway -
Internet source -> USB Dongle 3G/umts with SIM card by Simyo CG-Nat ISP
Other machines (IPCams) - all on 192.168.1.x subnet

I have a 4G Android Phone with Wireguard app installed (CLIENT) that also gets the internet from a second SIM-phone-number also from Simyo (second CG-Nat to pass).

Wireguard Android Client:
Internet source -> SIM card by Simyo CG-Nat ISP

I have succeeded in getting the Wireguard tunnel connection running by "lan" between Android Client and OpenWrt Server. Turning off Android phone internet and connecting the Phone to the OpenWrt Router AP wifi I can even get internet in the phone coming from the wireguard tunnel by wifi from the router.

But NULL success in Wireguard tunnel connection running by "wan" between Android Client and OpenWrt Server with internet pumped from the 2 SIM cards in phone and router (wifi disabled in the Android phone).

I think the main problem by "wan" is that the tunnel must cross 2 cg-Nat layers and in the router special firewall settings should be applied (out of my reach).

I found this related post:
Wireguard site to site to allow access to CGNAT network

My situation has not a Linux PC Client but a cheap Android phone.

If Mr. vgaetera could help me in a similar way I would be able to view the village cameras from tens of kilometers away with my Android Phone, or even from Russia with 4G operators roaming :slight_smile:


With the traditional client-server model, CGNAT on the client side is irrelevant.
Accessing a server behind IPv4 CGNAT is possible with IPv6, or something like ZeroTier.
Or buy a cheap VPS, set up a VPN server there, and use the router and phone as VPN clients.


You were right Mr vgaetera, Zerotier worked like a Swiss watch crossing my 2 4G ISP cg-Nats in Spain, and I now can finally view my IPCams located in the village supported by a fast Youku YK-L1 OpenWrt small Router with just a simple USB Dongle plugged for the internet, FROM my Android phone in almost any region of Spain.

In my country IPv6 for almost all 3G/4G/5G providers is expected for future years, but not now.

Price is the barrier for all and 5€ month for just 4Gb of 4G overall internet transfer is the more affordable option here, to have internet in a rustic place with NOTHING ELSE source achieve connection (as a remote village). A poor user as me has to pay another 5€ month for the second SIM in the android phone, RESULTING 10€ month overall cost of the REAL site to site MINIMAL self depending infrastructure (no free wifi from others) -> low quote ALSO MEANS cg-Nat to face with.

I would have been happy to follow your suggestion of "BUY a cheap VPS" to be able to try Wireguard working WAN to WAN, but all I found was RENTING VPS providers with minimal 3€ month cost.

To be honest I found a "only in theory" free VPS from Google Free Tier, but "NOT IN PRACTICE" for me, because THEY REFUSED my Mastercard Credit Card with the excuse "it is not a strict CREDIT card" (those exposing bank accounts), as mine is a "prepaid" Credit Card (those with balance to reload). So they refused the account process with that excuse, in spite they promise NEVER will take funds of the "DISCRIMINATING" Credit Card they want.

Oracle offers a similar free VPS VM option with also Credit Card condition , but thinking I would finally find previous situation -> I DIDN'T Try.

Marvelous Joe Ramirez Blog Post about cg-Nat and Google "free" had for me the Credit Card trap and couldn't be tried.

So finally I followed Mr Warning clear steps:

I was only familiar with the green "LAN" and red "WAN" zones in luci, so the new brown "VPN" custom zone in "unmanaged" protocol was intimidating.

It took me 2 days to get it working, the first day only got TX packets out in luci (RX always 0), same situation as I had with WireGuard installed before I opened this topic.

The hardest to get finally RX packets scoring was in ZeroTier web control panel -> I had to click the "bone" icon in "members" row to get displayed the purple area with "Allow Ethernet Bridging" THAT MUST BE CHECKED (in Router member and also in Android member too). THAT WAS THE MIRACLE to get RX working finally in router.

But so much effort had the reward -> CAMS are fastly displayed now in the Android phone just writing in Chrome Browser of Android the of local cam web server plugged to Router in the other side hundreds of kilometers away in the remote LAN.

Most modern IPCams don't allow direct video in browsers so easy, but classic Wancam HW0024 IPCam allows this in low cga video format from a mobile.

The real problem "that created the necessity for me" last year was that Wancams bastards stopped in 2020 supporting the previously promised "forever dns service" and remotely viewing for their cameras by PC or by phone by E-View7 became IMPOSSIBLE. E-View7 app literally DIED in phones (and it was even removed from Google Play).

With Zerotier I could revive these old cameras.

2 options untested by me that I also found in the way:

1 -> ngrok
2 -> tailscale

I decided not to test any of them because I think they are not so well documented for OpenWrt as ZeroTier is.

ngrok has good press, but I think there is not a package for OpenWrt and only a github option to implement it by ssh. Even bringing it to work in an Openwrt Router with devices plugged in LAN, it has the defect that clients must receive a public key that system creates every time the router is rebooted. That made me skip to try it.

What I have understood about Tailscale is that they use WireGuard internally and they offer their Corporation web servers in a free limited option for the users for site to site connections working through cgNats. Even found an ENORMOUS PACKAGE (really 2 packages) that have been reported working in some OpenWrt Routers with lot of free Ram (as my Youku has), but not so well documented as Mr Warning did with ZeroTier.

Any comment about if it could be possible to get working the enormous Tailscale package group in OpenWrt and luci in a similar way as Mr Warning did with ZeroTier -> creating a "TS" interface by "Unmanaged" protocol and with special "VPN" zone?

Thanks Mr. vgaetera.


Hi, I am with similar case

I have two openwrt routers with wireguard installed, both of them behind CGNAT

Also I have a free tier Google VM with wireguard installed and also with other services (mosquito, nodered, grafana,....) some of them, of course, open to internet. Google VM has a static public IP.

I want to configure something that you have said, I want to get openwrt routers as clients, and VM as server so devices connected to both openwrt could see each other and also could see the VM services. (Normally to store data).

I am not used to Linux, but at this moment I have already configured a tunnel between one openwrt router and VM working well.

Could someone please help me to configure this option?


Many ISPs with cgNAT at least offer IPv6 in addition, which can be used for wireguard.

Thanks but it is not my case, I don't have IPv6, and my problem is not the use of wireguard, it is "how to configure it". Thanks a lot.

Maybe @vgaetera could have a little time to show us an example of config files for wireguard in "googleVM-server", "openwrt-client1" and "openwrt-client2" and, probably, to add more clients in future we will need to "clone" client1 and 2 files.

Thanks in advance.

He has been inactive for some time (about 1 year). In the future, you may wish to create a new thread. Setting up Wireguard in a VPS is quite common.

In your case, you would omit the endpoint host parameter for the device on Public IP when configuring the OpenWrt peer. This is a quite normal Wireguard setup.
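
The layout discussed in this thread (a VM with a public IP as the WireGuard server, both CGNAT routers as clients that dial out), sketched as an added example that does not come from any poster. It is written in wg-quick syntax; on OpenWrt the same values go into the WireGuard interface and peer settings. Keys are placeholders, and 203.0.113.10, port 51820, the 10.0.0.0/24 tunnel range and the second LAN 192.168.2.0/24 are assumed values.

```ini
# ---- VM with static public IP: /etc/wireguard/wg0.conf ----
[Interface]
PrivateKey = <VM_PRIVATE_KEY>
Address = 10.0.0.1/24
# Only this UDP port has to be reachable from the internet for the tunnel.
ListenPort = 51820

[Peer]
# openwrt-client1. No Endpoint line: the router is behind CGNAT and cannot
# be dialed; the VM learns its address from the first authenticated packet.
PublicKey = <CLIENT1_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24

[Peer]
# openwrt-client2. Its LAN must not overlap with client1's LAN.
PublicKey = <CLIENT2_PUBLIC_KEY>
AllowedIPs = 10.0.0.3/32, 192.168.2.0/24

# ---- openwrt-client1 (behind CGNAT, LAN 192.168.1.0/24) ----
[Interface]
PrivateKey = <CLIENT1_PRIVATE_KEY>
Address = 10.0.0.2/24

[Peer]
# The VM. Endpoint is set only on the side that initiates.
PublicKey = <VM_PUBLIC_KEY>
Endpoint = 203.0.113.10:51820
# Tunnel range plus the other site's LAN, both reached through the VM.
AllowedIPs = 10.0.0.0/24, 192.168.2.0/24
# Keeps the CGNAT mapping open so the VM can send traffic back at any time.
PersistentKeepalive = 25

# ---- openwrt-client2 (behind CGNAT, LAN 192.168.2.0/24) ----
[Interface]
PrivateKey = <CLIENT2_PRIVATE_KEY>
Address = 10.0.0.3/24

[Peer]
PublicKey = <VM_PUBLIC_KEY>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

For the two LANs to reach each other, the VM has to forward IPv4 between peers (`net.ipv4.ip_forward=1`) and each router's firewall has to allow forwarding between its WireGuard zone and its LAN zone. Adding a third client means one more `[Peer]` block on the VM with its own key and a non-overlapping `AllowedIPs`.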

Hi Lleachii, thanks a lot for your answer.

I will post a new thread. About your link I think that is not my case, but I prefer to open a new thread with a "scheme" of what I am trying to do. Thanks
NOTE: I will add the link to new thread if someone could reach this point. Link is now added:

Thanks, I am not sure if here in Spain, I had no success with wireguard working out of my local network, so finally abandoned wireguard and used Zerotier. With zerotier I could connect through the 2 mobile internet connections between city and village

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.