Currently I'm trying to create a site-to-site connection between two routers (Teltonika RUT955 with RutOS, based on Openwrt) with mobile internet. Both are behind carrier-grade NAT with IPv4. I contacted the carriers and because of security reasons they will not give me a static IP address or port-forwarding.
Overview:
router <-------> Carrier1 <-------> Internet <------> Carrier2 <----------> router
IPv6 would be the solution, but sadly mobile carriers only provide IPv4 addresses on their mobile networks.
So a central solution is apparently needed (a VPS at a cloud provider with a static IP), but I have no idea how to set this up. Is something like an IPsec tunnel to the server with some routing a possible solution? The Internet is really letting me down because it's mostly simple tunnel forwarding or only one router behind a NAT.
With cgNAT on both sides there is no chance to reach the other end, at least one of them needs to be accessible from the internet (open port towards the internet, at least IPv6; static IPs are not necessary, but cgNAT is a problem). If that isn't an option, the only way out would be using an intermediary (read a (v-)server in a data centre that is accessible from the outside) to host the VPN, for both clients to connect to.
If you want to try IPsec, also check out the strongSwan documentation for the hub-and-spoke topology and the swanctl/net2net-gw example configuration. The most interesting bits are the traffic selectors local_ts and remote_ts in the swanctl.conf file for gateway carol. On OpenWrt, which still uses the ipsec.conf file, they translate to leftsubnet and rightsubnet.
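To make the hub-and-spoke idea concrete, here is an added example configuration (not from the original answer and not strongSwan's own sample files): a swanctl.conf for the VPS acting as hub, followed by the matching ipsec.conf for one OpenWrt spoke. The addresses, identities and PSK names are constructed placeholders; 203.0.113.10 stands for the VPS's static public IP, 192.168.1.0/24 and 192.168.2.0/24 for the two router LANs. Because both routers sit behind CGNAT, only they can initiate, so the hub leaves remote_addrs at its default (%any) and each spoke keeps the tunnel up with DPD and unlimited keying tries.

```conf
# ---- hub (VPS): /etc/swanctl/swanctl.conf ----
connections {
    site-a {
        version     = 2
        local_addrs = 203.0.113.10          # placeholder: VPS public IP
        # remote_addrs deliberately unset (%any): the spoke's CGNAT address is unknown
        local  { auth = psk  id = hub@example.net }
        remote { auth = psk  id = sitea@example.net }
        dpd_delay = 30s
        children {
            site-a {
                # traffic allowed through THIS tunnel: the other site's LAN <-> site A's LAN
                local_ts   = 192.168.2.0/24
                remote_ts  = 192.168.1.0/24
                dpd_action = clear          # spoke will reconnect on its own
            }
        }
    }
    site-b {
        version     = 2
        local_addrs = 203.0.113.10
        local  { auth = psk  id = hub@example.net }
        remote { auth = psk  id = siteb@example.net }
        dpd_delay = 30s
        children {
            site-b {
                local_ts   = 192.168.1.0/24
                remote_ts  = 192.168.2.0/24
                dpd_action = clear
            }
        }
    }
}
secrets {
    # one PSK per spoke, selected by IKE identity; placeholders, generate long random values
    ike-sitea { id = sitea@example.net  secret = "REPLACE-WITH-RANDOM-PSK-A" }
    ike-siteb { id = siteb@example.net  secret = "REPLACE-WITH-RANDOM-PSK-B" }
}

# ---- spoke A (OpenWrt / RutOS): /etc/ipsec.conf ----
# local_ts/remote_ts on the hub become rightsubnet/leftsubnet here (seen from the spoke)
conn hub
    keyexchange=ikev2
    left=%defaultroute
    leftid=sitea@example.net
    leftsubnet=192.168.1.0/24
    right=203.0.113.10
    rightid=hub@example.net
    rightsubnet=192.168.2.0/24
    authby=secret
    auto=start
    keyingtries=%forever
    dpddelay=30s
    dpdaction=restart
    closeaction=restart

# ---- spoke A: /etc/ipsec.secrets ----
# sitea@example.net hub@example.net : PSK "REPLACE-WITH-RANDOM-PSK-A"
```

Spoke B is the mirror image (siteb@example.net, leftsubnet=192.168.2.0/24, rightsubnet=192.168.1.0/24). On the hub, enable forwarding (net.ipv4.ip_forward=1) and allow UDP 500 and 4500 inbound; NAT traversal is negotiated automatically, so a packet from site A arrives through tunnel A, is routed by the kernel and matches tunnel B's outbound policy. Two caveats worth knowing: the VPS handles the traffic in cleartext between the two tunnels, so it is a trust point and should be hardened accordingly, and PSKs tied to identities work but certificates scale better if more spokes are added later.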