VPN CGNAT options?

I've traditionally been using WireGuard with a public IP to access my network, but my new ISP sits me behind CGNAT. I'm trying to determine the OpenWrt community's mindshare for various remote/VPN access for an OpenWrt router sitting behind CGNAT.

My current shortlist is:

"Assisted":
ZeroTier
Tailscale
Nebula

Self hosted via a VPS:
Netmaker
Self-rolled WireGuard proxy

Wildcard:
Live with 90% functionality via Cloudflare tunnels (I'd lose CIFS access but pretty much keep the rest).

Any input welcome!

Does the ISP provide only CGNAT without providing IPv6? That's bad. I get 5 public IPv4 addresses from my ISP. :slight_smile:

Anyway, I would recommend a VPS; I use it myself to get a static IPv4 address for services which need that (SMTP mainly).

Hopefully you have IPv6

Apparently I do, but OpenWrt wasn't requesting a lease correctly, so it's something I'd have to look into.

And also I'm a little terrified of v6 - is it possible to just use it for the wan interface and bridge it to the rest of my existing v4 network? A brief answer will do - if that's how it'll work I'll have a play and ask for help in a new thread.

If the WAN interface is configured with an IPv6 address and the remote peers also support IPv6 then you can run WireGuard over IPv6. The traffic you send inside the tunnel can be IPv4 or IPv6 (or both, AKA dual-stack).
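The arrangement described in the reply above, as an added example that is not part of the original thread: OpenWrt UCI fragments for a router-side WireGuard interface that listens on the WAN's IPv6 address while carrying IPv4 inside the tunnel. The interface name `wg0`, port 51820, the 10.0.0.0/24 tunnel subnet, the `vpn` zone name and the key placeholders are all assumptions.

```uci
# /etc/config/network  (added example; names, port and subnet are assumed)
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<ROUTER_PRIVATE_KEY>'   # placeholder, never commit a real key
	option listen_port '51820'
	list addresses '10.0.0.1/24'                # IPv4 carried inside the tunnel

config wireguard_wg0
	option description 'laptop'
	option public_key '<PEER_PUBLIC_KEY>'       # placeholder
	# Only this tunnel address is accepted from the peer (cryptokey routing).
	list allowed_ips '10.0.0.2/32'

# /etc/config/firewall
# CGNAT blocks unsolicited inbound IPv4, so the handshake arrives over IPv6.
# Open only the WireGuard UDP port, and only for IPv6, on the WAN zone.
config rule
	option name 'Allow-WireGuard-IPv6'
	option src 'wan'
	option family 'ipv6'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# Put the tunnel in its own zone and allow it to reach the existing IPv4 LAN.
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'vpn'
	option dest 'lan'

# On the remote peer, the endpoint is the router's global IPv6 address in
# brackets, while AllowedIPs lists the IPv4 networks to reach, for example:
#   Endpoint   = [2001:db8::1]:51820      (documentation prefix, constructed)
#   AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
```

The remote peer needs working IPv6 connectivity of its own; the LAN behind the router can stay IPv4-only.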

Here is the guide if you want to have a VPN server on your IPv6 network. Using an old laptop or Raspberry Pi as a server is recommended.

Thanks. Why wouldn't I continue using the OpenWrt router for this use case?

If your OpenWrt router is fast enough to meet your throughput expectations (~the contractual speeds of your WAN connection), there's no reason not to use it as a VPN endpoint (but VPN encryption is rather CPU intensive, so you might need more CPU performance than your router can give you).