another attempt to overcome/ work with/ find a solution for CGNAT.
of course I have a router from my ISP
today all my devices are behind this ISP router e.g. dump AP (router with openwrt), NVR and cams
With this setup I can use the mobile app - there are two apps one for the nvr and one for the remaining cams (different manufacturer) - on the road to view my cams at home. This is working out of the box for both.
Of course the router of my ISP does by far not have the functionality as openwrt. That is why I prefer this setup:
all my devices are behind the openwrt router e.g. dump AP (router with openwrt) and my NVR and remaining cams
Of course I tried already installing a router with openwrt (everything was working except...) but I did not get access from my mobile apps to either my nvr or remaining cams. I think the issue is that I am sitting behind a CGNAT.
I have searched and found several similar questions/ answers but because I am not the network guru, I would like to understand which solutions are possible and where to find a description?
I already tried zerotier but so far I was not successful... What are simpler alternvatives softether or wireguard server? Is this the right direction?
For IPv4, talk to your ISP to see if they can provide you with a proper public IP (even if dynamic). They may say no, or they may charge you extra for this feature, or if you're lucky, you get a public IP just by asking.
Use IPv6, if your ISP support it.
Zerotier or similar (but you said that didn't work for you).
Wireguard (or another VPN protocol) along with a VPS (virtual private server). Both your router and your remote device(s) would connect to the VPS. The VPS would be responsible for routing between the two remote endpoints.
To add to @psherman 's excellent advice you can research ngrok and tailscale which are similar to zerotier or a VPN provider which allows port forwarding via the VPN, unfortunately my preferred VPN provider Mullvad just stopped allowing it but I have heard that these providers still do it: ovpn.com hoppy
But a VPS in the cloud on which you setup a WireGuard server to tie things together is a viable solution (I have an Oracle cloud VPS which is setup like that (not that I need it I have a public IPv4 and IPv6 )
Unless ending up behind CGNAT coincidentally occurred at the same time as you tried a router running OpenWRT then I wouldn't be convinced this is actually the issue.
Assuming you've been behind CGNAT for a while: If the devices you're using have an app which you could previously access remotely then it seems likely they're using a cloud server as a middle man. My starting point in diagnosing your issue would be to check that, when the OpenWRT device is in place, the cameras/NVR are able to connect to their cloud server.
Typically even better than IPv4, as each internal host will have a routable IPv6 address (you will need to add a stable IPv6 address as most hosts default to IPv6 privacy extensions, and you will need to allow access to that IPv6 in the OpenWrt firewall, OpenWrt allows for rules that are tied to an interface identifier so will work with changing IPv6 prefixes; you might need a dynamic dns service to make your dynamic IPv6 addresses discoverable).
Thank you to all for your feedback! That is an excellent starting point.
Thank you especially for the structured feedback concerning the solutions. Having the overall solution in mind - two mobile apps using home data - I would like to clarify:
IPv4, I am sure I can get a proper public IP (well, of course with a small price tag). After I have got a public IP what is the next step. My assumption is to configure DDNS? In this case I have to check with my nvr and cam(s) whether they support DDNS. Correct?
IPv6, I will check this but my impression is that IPv6 is supported (in openwrt I have seen an IPv4 and IPv6 upstream - again, I will check it). Assuming IPv6 is available, what/ how do I have to check whether my two mobile apps are going to work with it?
I liked the idea of Zerotier because of the extra features despite providing access to my nvr and cam. Of course, I assume that it is a configuration issue. Do you have a link for a how-to (config Zerotier with openwrt latest version)?
Any other experiences with such solutions eg softether (maybe a link for the openwrt solution)?
VPS with VPN, in this and the last solution my mobile has to connect with a vpn client to my vpn server. Concerning my two application - is it enough to deactivate internet access and trying the applications with my local wan?
Use a VPN in one of your raspberry pi using IPv6 and access your NVR through it. This is what I am doing. Install Wireguard and open a port in IPv6 firewall and access your internal network from outside.
Thank you for all your input. Summarizing everything I have two interesting options for me:
RPI with IPv6 to access NVR and CAMs
when I got it right so far, I have 'only' to open a port in openwrt for it
more complex: VPS with VPN
I am thinking about a own server which I will setup with proxmox - vpn server/service - backup server. With proxmox I can separate the vpn server/service from the backup server. my last question before I will closed this -
with the latest openwrt version, which vpn solution is simple to setup and stable on openwrt?