Wgserver with CGNAT

I am opening a new topic because I think the last one I opened was using the wrong title.

I am facing the problem that after changing the ISP and also from DSL to 5G mobile my wgserver isn't working anymore. I have learnt that this is obviously a CGNAT issue :frowning:.
What is new now is a Zyxel 5G router set to IP passthrough mode, connected to my Cudy WR3000s.

The provider is German Telekom, and user egc told me to check if I can reach the IPv6 address when pinging from my mobile using the cellular network. I think (not sure) IPv6 isn't reachable either.

I just did ifstatus wan6 and got this result; I am lost with these details ...
BTW: can somebody tell me which IPv6 address I should enter when pinging from mobile?
I think I tried all of them, with the result "unknown host".

 OpenWrt 24.10.5, r29087-d9c5716d1d
 -----------------------------------------------------
root@Diele:~# ifstatus wan6
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 101092,
	"l3_device": "wan",
	"proto": "dhcpv6",
	"device": "wan",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2a01:599:c42:xxxx::2",
			"mask": 128,
			"preferred": 71708,
			"valid": 71708
		},
		{
			"address": "2a01:599:c42:xxxx:82af:xxxx:fe7f:f911",
			"mask": 64
		}
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2a01:599:c42:xxxx::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::7e77:16ff:fe0f:65c0",
			"metric": 640,
			"valid": 1555,
			"source": "2a01:599:c42:xxx:82af:xxxx:xxxx:f911/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::7e77:16ff:fe0f:65c0",
			"metric": 640,
			"valid": 1555,
			"source": "2a01:599:c42:xxx::2/128"
		}
	],
	"dns-server": [
		"2a01:598:7ff:0:10:74:xxx",
		"2a01:598:7ff:0:10:74:xxx"

When this really isn't a reachable IPv6 address, what else can I do?
In the guide from egc I can see something with netbird; is this maybe a solution?
I do have a DDNS service up and running; can this help me here to reach my home network via DDNS/wireguard?

Your previous thread actually sufficiently covered your topic, IMO, and had room for additional questions/answers. But... here you go.

Your most direct option for WireGuard in this situation is to use IPv6. You don't have a path to use IPv4 unless you set up a 'relay'. The typical approach for a 'relay' is to set up a VM server somewhere (could be Digital Ocean, GCP, AWS, etc.) with a public IPv4 address and have both your home and your remote devices connect to the WG relay host, and the relay will help route between them. The key here is that the relay host (i.e. VM somewhere) has the necessary public IPv4 address.

The other approach would be to use a VPN solution that has a 'connection broker' incorporated into the protocol -- this specifically helps the situation where you don't have a public IPv4 address on any of the nodes. For this, you'd be looking at Tailscale, ZeroTier, or NetBird.

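The opening post asks which of the addresses in the `ifstatus wan6` output is the one to ping from a phone. As an added example (not code from the thread or from OpenWrt), the script below reads output in that shape and keeps only the global-scope addresses; the embedded sample is constructed with documentation-range addresses, not the poster's real ones. It runs on any POSIX shell and falls back to the sample when `ifstatus` is not present.

```shell
#!/bin/sh
# Added example: classify the addresses `ifstatus wan6` reports so you know
# which one can be pinged from outside. Only a global unicast address
# (2000::/3) is a candidate; link-local (fe80::/10) and unique-local
# (fc00::/7) addresses never are. The sample below is CONSTRUCTED with
# documentation-range addresses in the same shape as the thread's output.

SAMPLE_IFSTATUS='{
	"ipv6-address": [
		{ "address": "2001:db8:c42:1::2", "mask": 128 },
		{ "address": "2001:db8:c42:1:82af:ffff:fe7f:f911", "mask": 64 }
	],
	"ipv6-prefix": [

	],
	"route": [
		{ "target": "::", "mask": 0, "nexthop": "fe80::1" }
	]
}'

# Pull the "address" values out of the JSON with sed only, so this runs on
# any POSIX shell. On the router itself the equivalent is
#   ifstatus wan6 | jsonfilter -e '@["ipv6-address"][*].address'
extract_ipv6_addresses() {
    printf '%s\n' "$1" | sed -n 's/.*"address": *"\([0-9a-fA-F:]*\)".*/\1/p'
}

# Scope of one IPv6 address, decided from its leading bits.
ipv6_scope() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$addr" in
        ::1)        echo loopback ;;
        fe[89ab]*)  echo link-local ;;
        f[cd]*)     echo unique-local ;;
        [23]*)      echo global ;;
        *)          echo other ;;
    esac
}

# Global addresses only: these are the ones to try from a cellular phone
# (ping6 <addr>) and the ones a WireGuard peer could use as Endpoint.
endpoint_candidates() {
    extract_ipv6_addresses "$1" | while read -r a; do
        if [ "$(ipv6_scope "$a")" = global ]; then
            echo "$a"
        fi
    done
}

# True when the ISP delegated a prefix (non-empty "ipv6-prefix" array).
# An empty array, as in the thread, means only the router's own WAN
# addresses exist; LAN hosts get no public IPv6 of their own.
has_prefix_delegation() {
    printf '%s' "$1" | tr -d ' \t\n' | grep -q '"ipv6-prefix":\[{'
}

# Use the live output on an OpenWrt box, the constructed sample elsewhere.
if command -v ifstatus >/dev/null 2>&1; then
    STATUS=$(ifstatus wan6)
else
    STATUS=$SAMPLE_IFSTATUS
fi

echo "Endpoint candidates (global scope):"
endpoint_candidates "$STATUS"
if has_prefix_delegation "$STATUS"; then
    echo "Prefix delegation: yes"
else
    echo "Prefix delegation: none (ipv6-prefix is empty)"
fi
```

A global-scope address is only a candidate: the ISP can still filter inbound traffic, so the real check is a ping from a phone on cellular data, and for WireGuard the router's firewall must also accept UDP on the listen port from the wan zone for IPv6.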

Sorry to say but no, so far it wasn't covering the solution I was looking for.

Sure it is my problem.

I thought it would be easier to solve the issue that CGNAT is "disturbing" the standard, well documented wgserver functionality.

Just realized that also DDNS isn't working anymore, same issue “CGNAT”

But is this really an issue that hits me alone, or is it not something worth getting a bit more support and guidance on, maybe some kind of documentation?

Now I will try to follow the guide from egc because he mentioned some things that might help me here.

Sure, I am not satisfied with my decision to change to 5G, because I lost immich and seafile access, plus the reported issue that I have lost access via wgserver.

In other words that's really s..., right?

Please allow me to report or ask for further support, because as mentioned, so far my problem is far from sufficiently covered.

You don't have control of the CG-NAT issue (at least not directly, although you can ask your ISP if they can give you a public IP, possibly for additional cost). But it is essentially the same as if you were to plug a device into any network you don't control -- you can't get the public IP directly on your device, nor can you create port forwards on the main router.

DDNS clients simply look at either your wan port's IP address or your apparent public IP as seen from the internet. In the case of CG-NAT, this results in a situation where the DDNS (if it even accepts the IP in the first place) won't actually effect a usable path to your home network.

This is not a problem related to or unique to OpenWrt. It's a carrier/ISP thing.

And there is documentation all over the internet in the form of the alternatives I provided earlier:

  • IPv6 (where possible)
  • A public IP holding host with a WG interface to which both your home and remote devices connect
  • Another VPN solution such as TailScale, ZeroTier, or Netbird

Within the construct of OpenWrt related questions, sure. But understand that the options I have laid out are the primary ones you've got available -- please do a bit of reading on those topics.

But, to be clear, this is really one and the same issue as the original thread, just with a more specific title.


I'm behind CGNAT as well; IPv4 doesn't work, but IPv6 is a way out, both for DDNS and the wireguard endpoint. As long as your clients (your mobile/cellphone ISPs; all of the big ones here do) support IPv6, that just works. Problems occur in office networks and hotspots, which generally don't have IPv6. While not all is golden, for me it works 'well enough' (considering the limitations of my ftth ISP).


I have full dual stack (public IPv4 and IPv6 with /56 PD) with my cable provider. I recently got fibre to my home; internet via fibre is much cheaper and much faster, but it is CGNAT with IPv6, so I decided to stick to my cable provider.

My phone company (vodafone one of the largest here) has IPv4 only, so if I switch my home to fibre I could not reach my home via WireGuard any more.

And this is in 2026 :frowning: you pay a lot and receive little.

But for you IPv6 might be the way out, and otherwise use e.g. Netbird.

Hi, in your guide you write that netbird can be installed on the router. I will take a look; even though I am not a specialist, maybe that is a possible solution for me.

Just to mention, I use a paid version of Proton VPN for my wgclient, and you said there might also be a possibility to overcome CGNAT for wgserver?
OK, but this is a paid service and I would need to stay with Proton... And netbird seems to be free, right?

Proton supports port forwarding via the vpn.

So you can use this to connect.

It works like this.

You have set up a wg tunnel to proton.
On the proton website you enable port forwarding; the port you get from proton is used by your wireguard server.

In the firewall make sure you open the wg client zone for that port.

Use DDNS via the wg client tunnel to get your public IP address (which is the proton IP address). Use this as the endpoint for your phone to connect to the wg server.

But netbird, tailscale, zerotier etc. are also alternatives.

OK, I do have the Proton wgclient permanently running. But I don't understand what you mean with

“Use DDNS via the wg client tunnel to get your public ip address ( which is the proton ip address). Use this as endpoint for you phone to connect to the wg server”

DDNS is an external provider; how do I push that into the wgtunnel?

DDNS runs on the router and will get your external IP address which it publishes via your DDNS domain.
This DDNS domain is what your wg clients then use as endpoint in the WG config.

But you have to set up the DDNS client on your router to use the proton tunnel as interface and not the wan.

Yes, DDNS is already running on the router and you mean the network selection in the tab Advanced , right?

Here I will select my wgclient interface instead of WAN (as today) as soon as I have enabled port forwarding for my already and permanently running wgclient with proton?

And where in the firewall will I need to open wgclient with the port, in traffic rules?

Edit: I am just on the proton page and try to change the setting to port-forwarding.
Found that - and just reading their description …
What I don't understand is where I get the port from that you are mentioning above?
Do I also need to adjust the proton server to a, as they say, special P2P server?

Short update.

Verified with my ISP whether they provide a public IPv4, but they don't, and also IPv6 isn't public.

So I think the easiest will be to get it up and running with proton as you suggested. Could you please have a look at my last question above? I need a bit of further support from you, if possible.

It starts with proton: have you checked the website and followed the instructions (hint: I think you need NAT-PMP and a script you need to run periodically)?

I do not have proton so cannot help you with that.

If that part is covered, you can usually get the public IPv4 address needed as endpoint for your WireGuard server client by simply pointing your web browser to ipleak.net if you have default routing via the WireGuard Proton client enabled, unless Proton's instructions tell you to use a different IP address.

The WireGuard server setup is the same, but the listen port is the port you get from proton, and the traffic rule to open up the port uses the same port, but instead of source zone wan you use the firewall zone of the WG client interface (if this is in the wan zone then you use the wan zone of course).

I do not have proton so cannot give you specific instructions
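The two posts above leave the mechanics to the reader: the port is not chosen by you but handed out by Proton's NAT-PMP gateway each time a mapping is requested, the mapping expires unless it is renewed, and the WireGuard server's listen port, the firewall rule (source zone of the Proton client interface, not wan) and the DDNS lookup all have to follow it. The script below is an added example, not the thread's or Proton's own code. The UCI section names `wgserver`, `wgclient` (interface and firewall zone of the Proton client) and `myddns`, the ddns options `ip_source`/`bind_network`, and the gateway `10.2.0.1` with a 60 s lifetime are assumptions taken from a typical OpenWrt setup and Proton's published instructions; check them against your own config. The embedded `natpmpc` output is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or Proton's own docs): obtain the port
# Proton assigns through NAT-PMP, parse it, and make the WireGuard server,
# the firewall rule and the DDNS client follow that port.
# ASSUMPTIONS about config names (override via environment):
NATPMP_GW=${NATPMP_GW:-10.2.0.1}              # Proton's NAT-PMP gateway (per their docs)
WG_SERVER_IFACE=${WG_SERVER_IFACE:-wgserver}  # network section of the WG server
WG_CLIENT_IFACE=${WG_CLIENT_IFACE:-wgclient}  # network section of the Proton client
WG_CLIENT_ZONE=${WG_CLIENT_ZONE:-wgclient}    # firewall zone holding that interface
DDNS_SECTION=${DDNS_SECTION:-myddns}          # ddns service section

# CONSTRUCTED sample of what natpmpc prints; only the "Mapped public port"
# line is relied upon, the rest is illustrative.
SAMPLE_NATPMPC_OUTPUT='initnatpmp() returned 0 (SUCCESS)
using gateway : 10.2.0.1
Mapped public port 41923 protocol UDP to local port 0 lifetime 60'

# Extract the public port from natpmpc output; print nothing on failure.
parse_natpmp_port() {
    printf '%s\n' "$1" | sed -n 's/.*Mapped public port \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Sanity check: a port must be an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Request (or renew) the mapping with natpmpc (package libnatpmp). The
# invocation follows Proton's instructions; the port comes back from them.
request_natpmp_port() {
    out=$(natpmpc -a 1 0 udp 60 -g "$NATPMP_GW" 2>&1) || return 1
    parse_natpmp_port "$out"
}

# UCI commands that point the WG server's listen port and the matching
# input rule at the forwarded port. The rule's source zone is the zone of
# the Proton client interface, because the packets arrive via the tunnel.
# DDNS does a web lookup bound to the tunnel interface so it reports the
# Proton exit address even when the tunnel is not the default route.
# Printed as text so the result can be reviewed before it is executed.
build_uci_commands() {
    port=$1
    cat <<EOF
uci set network.${WG_SERVER_IFACE}.listen_port='${port}'
uci set firewall.allow_${WG_SERVER_IFACE}=rule
uci set firewall.allow_${WG_SERVER_IFACE}.name='Allow-${WG_SERVER_IFACE}-via-Proton'
uci set firewall.allow_${WG_SERVER_IFACE}.src='${WG_CLIENT_ZONE}'
uci set firewall.allow_${WG_SERVER_IFACE}.proto='udp'
uci set firewall.allow_${WG_SERVER_IFACE}.dest_port='${port}'
uci set firewall.allow_${WG_SERVER_IFACE}.target='ACCEPT'
uci set ddns.${DDNS_SECTION}.ip_source='web'
uci set ddns.${DDNS_SECTION}.bind_network='${WG_CLIENT_IFACE}'
uci commit
EOF
}

# Keep the mapping alive (it expires after the requested lifetime) and
# reconfigure only when Proton hands out a different port.
renew_forever() {
    last=""
    while :; do
        if port=$(request_natpmp_port) && valid_port "$port"; then
            if [ "$port" != "$last" ]; then
                echo "Forwarded port is now $port; applying"
                build_uci_commands "$port" | sh
                /etc/init.d/network reload
                /etc/init.d/firewall reload
                last=$port
            fi
        else
            echo "NAT-PMP request failed, retrying" >&2
        fi
        sleep 45
    done
}

case "${1:-}" in
    --run) renew_forever ;;
    *)     echo "Dry run with constructed port 41923:"; build_uci_commands 41923 ;;
esac
```

Run it as `sh natpmp-wg.sh --run` from a startup script or under procd; without `--run` it only prints the commands it would apply. If the Proton client interface sits in the wan zone, as egc notes, set `WG_CLIENT_ZONE=wan`. The phone's peer config then uses the DDNS name as Endpoint host and the current forwarded port, which is why a port change must be propagated to the clients as well.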

OK just created a new config with NAT-PMP activated. As far as I understand that config lasts a year.

Questions:

  • I see in the config file created the IP called endpoint with port 51280 this is the standard WG port, right?
  • This is the endpoint config (IP and port) I use for the WGclient peer, right?
  • Stupid OWRT doesn't let me enter the "Public key"; it always overwrites it with the old value.
    Restart doesn't help. Are there any dependencies I need to take care of?
  • Just struggling: when the wgclient is reconfigured with this new proton config, do I even need to do something with that peer information? In OWRT I just assigned one SSID (VPN) to the interface VPN and device br-lan.4, but do I need to use the peer config there?

The interface public key is derived from your private key. There is a process to convert a private key to a public key, but not the reverse. The public key on the Interface page is shown for information purposes only (you would communicate it to the peer, so they can link to you without knowing your private key). The way to change your own public key is to generate a new private key.

The peer public key is the one you get from the peer. They keep their private key secret.

If you're using Proton only to receive incoming WG connections from your phones etc on Proton's publicly reachable IPv4 address and forward them to a second Wireguard interface (VPN inside a VPN) you do not need to set up any forwarding to the Proton interface as would typically be done to use Proton for outgoing Internet connections.


You just import the new proton wireguard config into the wireguard interface.

See the wireguard client setup guide

Now I know why :slight_smile: and I thought that is me who is too stupid copying the public key …

Thanks a lot so far :slight_smile:

OK so easy if you know how…

It is up and running. ipleak.net is clean; surprisingly, when I test now with Ookla speedtest there is no Proton server used anymore, but ipleak.net is clean. Maybe this is caused by that NAT-PMP setting?

Tomorrow I will go further with the rest of the setup, whereby I didn't get where exactly to adjust the firewall; there are so many possibilities for the firewall settings.

If you do not have Route allowed IPs enabled then default route is via the wan and not via the VPN, this is fine if you use PBR to route certain sources via the VPN but then only the sources routed via the VPN will show the proton servers as IP address when using ipleak.net.

Using a proton server which supports NAT-PMP has nothing to do with how you set up your WireGuard client or how that behaves, but being connected to this proton server gives you the ability to request a port forward with NAT-PMP, which you then use for the setup of your WireGuard server.

You are right, "Route allowed IPs" is not activated in the wgclient peer, but I have assigned the whole interface/device (and also use an SSID VPN), so I am pushing only the devices connected to SSID VPN into the wgclient. For test purposes I tried some specific devices but don't need that.