My ISP offered me an upgrade of my existing plan. And despite all assurances that I would maintain my static IP and keep the fiber gateway working in bridge mode, they of course refused to configure it this way after I cancelled my existing plan and signed the new contract for the next 2 years. And I am now stuck behind a double NAT with no option to revert (before you ask: I live in a country where things don’t work like in the EU or US, where I could simply cancel my contract now based on requirements not met - that is not possible in Dubai for now…).
I managed to publish my web apps and home automation via Cloudflare Tunnels, so that part of the problem is solved. And it works surprisingly great. I pushed it even further by publishing things I’ve never published directly before - Home Assistant portal, Sonarr, surveillance web UI etc. (all behind an app authorization policy, which is cool).
But I would still rather VPN in instead, to allow myself the comfort of “local” management… any way I can achieve that with Cloudflare? WARP seems overkill as it is designed for an S2S type of setup. I just want to be able to achieve a kind of Point-to-Site comm link to be able to e.g. RDP into my home workstation.
I even thought of setting up a dummy Proxmox just so I can publish its web console to access a dummy gateway VM this way, but that seems to be overkill.
Any ideas how to do it better?
edit: thanks for all great ideas!
Did you look into ZeroTier or Tailscale? Both are free for what you want to achieve.
Solved this by buying the cheapest VPS I could find for like 5€/month, then using OpenVPN to connect to the VPS and then another OpenVPN tunnel from the VPS to my homelab.
It works, it’s stable, I can customize it according to my needs (after all it’s OpenVPN).
So your ISP has put you behind CGNAT after explicitly saying you would keep a global IP? That sucks, or are they trying to charge you more for the static?
Have they at least given you IPv6? If so, that’s your way to do this without resorting to VPS jumpboxes or overlay networks.
That’s one of the big appeals of overlay networks like Tailscale or ZeroTier. Since you establish an outbound connection to them, instead of requiring open ports on your end, it pierces through CGNAT and works just like a regular VPN.
This is how I handle remote access to my self-hosted services:
- YOUR exclusive remote access to the local infrastructure and all services: Use Tailscale, WireGuard, or similar.
- PUBLIC remote access to one or more locally hosted services: Use Cloudflare Tunnels.
- RESTRICTED remote access to one or more local services for a small, controlled group of people: Use Cloudflare Tunnels + Cloudflare Applications.
All provide remote access without exposing any ports or managing dynamic DNS.
A benefit of a Cloudflare Application is that the authentication happens at Cloudflare’s servers, so my server is never touched until the user passes the Application authentication. Also, I set up some Access Rules (such as from what countries a user can connect) to further restrict access.
BONUS TIP: I have Kasm installed locally behind a Cloudflare Tunnel + Application with several “Server Workspaces” defined pointing to several local resources (PCs, servers). This lets me remotely connect securely to these resources via RDP, VNC, and SSH through a web browser, in addition to Kasm’s other fine services.
(YMMV regarding the debate about Cloudflare privacy.)
Tailscale, or a VPS running OVPN, then client-to-site connect your network. You want your network to talk to a control server outside that can negotiate your connection.
Apache Guacamole is a web-based RDP gateway that can be used.
Exposing services via reverse tunnel by cloudflare should be possible, right?
If you’re given IPv6, that can be used - it’s how I tunnel.
OP: double NAT, you mean your ISP is using CGNAT, and then you have your regular NATed network inside of that?
I’m also on CGNAT. I used ZeroTier for a while but their Android app won’t stay connected like I want.
I bought a $5 per month VPS with unlimited bandwidth. WireGuard tunnel from home router to VPS, and my phone connects to the VPS when I need something. I had to do some static routing on the VPS and get deep into the WireGuard documentation, but it works well.
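The hub-and-spoke layout this comment describes (home router behind CGNAT dials out to a VPS, phone dials in to the same VPS, VPS forwards between them) as an added example, not configuration from the commenter. The script renders the three wg-quick configs. Everything in it is assumed: tunnel net 10.8.0.0/24 with the VPS at .1, home router at .2 and phone at .3; home LAN 192.168.1.0/24; the VPS reachable as vps.example.com on UDP 51820; `<...>` key placeholders to be replaced with real `wg genkey` / `wg pubkey` output.

```shell
#!/bin/sh
# Added example, not from the thread. Renders wg-quick configs for a
# WireGuard hub on a VPS that bridges a CGNAT'd home LAN and a phone.
# All addresses, hostnames and key placeholders below are constructed.

TUN_NET=10.8.0.0/24
HUB_IP=10.8.0.1
HOME_IP=10.8.0.2
PHONE_IP=10.8.0.3
HOME_LAN=192.168.1.0/24
HUB_ENDPOINT=vps.example.com:51820

# /etc/wireguard/wg0.conf on the VPS (hub). It needs IP forwarding, and
# AllowedIPs here is WireGuard's cryptokey routing table: it tells the hub
# which peer owns the home LAN prefix, so phone->LAN packets go to the router.
render_hub_conf() {
  cat <<EOF
[Interface]
Address = ${HUB_IP}/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1

# home router: its tunnel address plus the whole home LAN behind it
[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = ${HOME_IP}/32, ${HOME_LAN}

# phone: only its own tunnel address
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = ${PHONE_IP}/32
EOF
}

# Home router behind CGNAT: no ListenPort/Endpoint of its own. It initiates
# the session and PersistentKeepalive keeps the CGNAT mapping open so the
# hub can reach it at any time. Forwarding lets tunnel traffic into the LAN.
render_home_conf() {
  cat <<EOF
[Interface]
Address = ${HOME_IP}/24
PrivateKey = <HOME_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = <HUB_PUBLIC_KEY>
Endpoint = ${HUB_ENDPOINT}
AllowedIPs = ${TUN_NET}
PersistentKeepalive = 25
EOF
}

# Phone: split tunnel. Only the tunnel net and the home LAN are sent via the
# hub; everything else keeps using the phone's normal connection.
render_phone_conf() {
  cat <<EOF
[Interface]
Address = ${PHONE_IP}/24
PrivateKey = <PHONE_PRIVATE_KEY>

[Peer]
PublicKey = <HUB_PUBLIC_KEY>
Endpoint = ${HUB_ENDPOINT}
AllowedIPs = ${TUN_NET}, ${HOME_LAN}
PersistentKeepalive = 25
EOF
}

# Write all three files into a directory, e.g. ./out, for copying to each host.
render_all() {
  mkdir -p "$1"
  render_hub_conf   > "$1/wg0-vps.conf"
  render_home_conf  > "$1/wg0-home.conf"
  render_phone_conf > "$1/wg0-phone.conf"
}
```

wg-quick installs a kernel route for every AllowedIPs prefix, which is the "static routing" part: the hub gets a route for 192.168.1.0/24 via wg0 pointing at the router peer, and the phone gets one via the hub. The return path works without NAT only if the home router is the LAN's default gateway, so replies to 10.8.0.x land on the router, which already has the tunnel route; if the WireGuard box is a separate host on the LAN, add a route for 10.8.0.0/24 on the real gateway or MASQUERADE on the WireGuard box instead.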
VPS with headscale server on it should do the trick
I had exactly the same issue as the author.
Provider technical support was fully OK with me using my own router directly attached to the optical link. I called them.
I bought a MikroTik router with an SFP port (you can use the cheapest, like the hEX S).
Bought an SFP XPON stick with SC/APC connector (GPON wavelengths - 1490/1310), single-fiber mode. You can find some on AliExpress.
The SFP has a web UI allowing you to specify the old router’s identification data (including serial number and MAC).
You can also buy a media converter.
Once it arrives, I hope to solve it and eliminate that bottleneck.
Will it work with TCP for double NAT? I tried and no dice, and UDP is filtered.
ISP router: DMZ the IP of your router. Problem solved.
This. Tailscale makes this super easy.
I used to do it this way, but then I would also like my cellphone’s apps to work, hence I was looking more for a VPN solution that allows me to enter the whole network. But yeah, this seems to be the easiest approach not involving any third parties - just one VPS in the middle with the client-to-client directive enabled. Thanks!
Pay less: check out RackNerd, I’ve been very happy with them. I have 3 VPSs now: 1c 1GB, 1c 2GB, and 2c 4GB. All with 40-60GB SSD storage. They have 1Gb networks with 3-8TB traffic limits.
I pay $15, $20, and $28 per year for these. I pay 2 years at a time, never had an issue.