How to overcome CGNAT (for nvr)


Another attempt to overcome / work with / find a solution for CGNAT.

current situation

  1. of course I have a router from my ISP
  2. today all my devices are behind this ISP router e.g. dumb AP (router with openwrt), NVR and cams

With this setup I can use the mobile app - there are two apps one for the nvr and one for the remaining cams (different manufacturer) - on the road to view my cams at home. This is working out of the box for both.

future solution

Of course the router of my ISP does by far not have the functionality as openwrt. That is why I prefer this setup:

  1. router ISP
  2. router openwrt
  3. all my devices are behind the openwrt router e.g. dumb AP (router with openwrt) and my NVR and remaining cams


Of course I tried already installing a router with openwrt (everything was working except...) but I did not get access from my mobile apps to either my nvr or remaining cams. I think the issue is that I am sitting behind a CGNAT.

I have searched and found several similar questions/ answers but because I am not the network guru, I would like to understand which solutions are possible and where to find a description?

I already tried zerotier but so far I was not successful... What are simpler alternatives, softether or wireguard server? Is this the right direction?

Thanks so far

Your solutions generally look like this:

  • For IPv4, talk to your ISP to see if they can provide you with a proper public IP (even if dynamic). They may say no, or they may charge you extra for this feature, or if you're lucky, you get a public IP just by asking.
  • Use IPv6, if your ISP supports it.
  • Zerotier or similar (but you said that didn't work for you).
  • Wireguard (or another VPN protocol) along with a VPS (virtual private server). Both your router and your remote device(s) would connect to the VPS. The VPS would be responsible for routing between the two remote endpoints.
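The router side of the WireGuard-plus-VPS option above, as an added example that is not part of the original post: OpenWrt UCI config in which the router dials out to the VPS and only the NVR is reachable from the tunnel. The keys, `vps.example.net`, the `10.99.0.0/24` tunnel subnet and the NVR address `192.168.1.50` are placeholders and assumptions.

```uci
# /etc/config/network (added example; every value below is a placeholder)
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<ROUTER_PRIVATE_KEY>'
	# Constructed tunnel subnet; the VPS would be 10.99.0.1, the phone 10.99.0.3
	list addresses '10.99.0.2/24'

config wireguard_wg0
	option description 'vps-hub'
	option public_key '<VPS_PUBLIC_KEY>'
	# The VPS is the only peer with a public address, so the router dials out to it
	option endpoint_host 'vps.example.net'
	option endpoint_port '51820'
	# Behind CGNAT nothing can reach the router unsolicited; the keepalive
	# holds the outbound NAT mapping open so the VPS can send traffic back
	option persistent_keepalive '25'
	# Route only the tunnel subnet through the VPS, not all traffic
	list allowed_ips '10.99.0.0/24'
	option route_allowed_ips '1'

# /etc/config/firewall
# Dedicated zone for the tunnel: nothing is accepted or forwarded by default
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Single exception: tunnel peers may reach the NVR (assumed at 192.168.1.50).
# Narrow this further with dest_port once the ports the app uses are known.
config rule
	option name 'vpn-to-nvr'
	option src 'vpn'
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option proto 'tcp'
	option target 'ACCEPT'
```

On the VPS, the peer entry for the router must list the home LAN subnet in its allowed IPs and IP forwarding must be enabled, otherwise traffic from the phone to the NVR address is dropped at the hub.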

To add to @psherman's excellent advice you can research ngrok and tailscale which are similar to zerotier or a VPN provider which allows port forwarding via the VPN, unfortunately my preferred VPN provider Mullvad just stopped allowing it but I have heard that these providers still do it:

But a VPS in the cloud on which you set up a WireGuard server to tie things together is a viable solution (I have an Oracle cloud VPS which is set up like that; not that I need it, I have a public IPv4 and IPv6).


How can IPv6 be used for remote access? I have similar parameters from my ISP.

Unless ending up behind CGNAT coincidentally occurred at the same time as you tried a router running OpenWRT then I wouldn't be convinced this is actually the issue.

Assuming you've been behind CGNAT for a while: If the devices you're using have an app which you could previously access remotely then it seems likely they're using a cloud server as a middle man. My starting point in diagnosing your issue would be to check that, when the OpenWRT device is in place, the cameras/NVR are able to connect to their cloud server.

Typically even better than IPv4, as each internal host will have a routable IPv6 address (you will need to add a stable IPv6 address as most hosts default to IPv6 privacy extensions, and you will need to allow access to that IPv6 in the OpenWrt firewall, OpenWrt allows for rules that are tied to an interface identifier so will work with changing IPv6 prefixes; you might need a dynamic dns service to make your dynamic IPv6 addresses discoverable).
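A firewall rule of the kind described above, as an added example that is not part of the original post: it matches the host by interface identifier so it keeps working when the ISP changes the prefix. The identifier `::1234:5678:9abc:def0`, TCP port 443 and the zone names `wan` and `lan` are assumptions.

```uci
# /etc/config/firewall (added example; identifier and port are constructed)
config rule
	option name 'wan6-to-nvr'
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	# Negative prefix length: match only the lower 64 bits (the interface
	# identifier), whatever the delegated prefix currently is
	option dest_ip '::1234:5678:9abc:def0/-64'
	option proto 'tcp'
	# Open a single port to a single host, not the whole LAN
	option dest_port '443'
	option target 'ACCEPT'
```

The host has to be configured with that stable identifier; an address generated by IPv6 privacy extensions changes over time and will not match the rule.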

Nope, I got no such knowledge about IPv6 and need too much, I just try, thanks

Thank you to all for your feedback! That is an excellent starting point.

Thank you especially for the structured feedback concerning the solutions. Having the overall solution in mind - two mobile apps using home data - I would like to clarify:

  • IPv4, I am sure I can get a proper public IP (well, of course with a small price tag). After I have got a public IP what is the next step? My assumption is to configure DDNS? In this case I have to check with my nvr and cam(s) whether they support DDNS. Correct?

  • IPv6, I will check this but my impression is that IPv6 is supported (in openwrt I have seen an IPv4 and IPv6 upstream - again, I will check it). Assuming IPv6 is available, what/ how do I have to check whether my two mobile apps are going to work with it?

  • I liked the idea of Zerotier because of the extra features despite providing access to my nvr and cam. Of course, I assume that it is a configuration issue. Do you have a link for a how-to (config Zerotier with openwrt latest version)?
    Any other experiences with such solutions eg softether (maybe a link for the openwrt solution)?

  • VPS with VPN, in this and the last solution my mobile has to connect with a vpn client to my vpn server. Concerning my two applications - is it enough to deactivate internet access and try the applications with my local wan?

Bad to hear - I wanted to switch to Mullvad...

VPS solution will be considered!

Yes, I have been behind a CGNAT for a while. Confirmed.

I will test this - with openwrt in place I will check the access to the middle man. Of course there is a middle man. I expect that these solutions work similarly to Zerotier and SoftEther...

If you have a dynamic IP, yes, you'd configure ddns. But you can do this with the router... your other devices do not need to support (or even be aware) of ddns.

This is not my area of expertise... but your devices would need an IPv6 address, so if the nvr doesn't support IPv6, that would be a blocker.

Not me, no. I've never used these two options. Others may be able to help here, though.

Not following your question here... can you elaborate?


Yes, this is also one of my questions...

wow fast feedback - thank you!

How can I test already now - without having a VPS&VPN solution in place - that my two mobile apps are working with this solution?

WireGuard will not work behind CGNAT, unless you have at least 1 that will act as a coordinator to all clients that are behind a CGNAT. This coordinator needs to be under a public IP to work properly.

You can also get the same WireGuard stuff if you use Tailscale

[OpenWrt Wiki] Tailscale

Tailscale should be easy enough to configure, it's unfortunate that even now we still don't have a luci interface for it.

Cloudflare tunnels would also be a good option here

Use a VPN on one of your Raspberry Pis using IPv6 and access your NVR through it. This is what I am doing. Install Wireguard and open a port in IPv6 firewall and access your internal network from outside.


Thank you for all your input. Summarizing everything I have two interesting options for me:

  1. RPI with IPv6 to access NVR and CAMs
    when I got it right so far, I have 'only' to open a port in openwrt for it

  2. more complex: VPS with VPN
    I am thinking about my own server which I will set up with proxmox - vpn server/service - backup server. With proxmox I can separate the vpn server/service from the backup server. My last question before I close this -

with the latest openwrt version, which vpn solution is simple to set up and stable on openwrt?

  • tailscale
  • cloudflare
  • zerotier
  • softether

Do you have a howto link for this setup (especially for the IPv6 part)?
Do I need a public IPv6 address (I assume yes?!)?

Just to clarify, remote access to your cameras and NVR worked using your router ISP even though you're behind CGNAT? But doesn't work when you add an OpenWRT router behind the ISP router?

Yes correct