Carrier-grade NAT: The Killer of the "Homelab"

(a6n.co.uk)

21 points | by type0 3 days ago

15 comments

  • rrrix1 2 days ago

    No IPv6 support? Still? That’s the real problem if so.

    • alextingle 2 days ago

      Agree. Surely the ISP can assign customers a real IPv6 range, and also a NAT'd IPv4 address for legacy stuff?

      I hardly notice if IPv4 stops working, these days.

  • stevefan1999 a day ago

    I would say the biggest problem of CGNAT is that it is essentially double NAT: your home router does one layer of NAT, and the ISP does another layer of NAT at the edge close to your home. Not only can the latency add up (although so far it is not a problem in general), but there is also another point of failure to be concerned about.

    I happened to come across this, having CGNAT in my parents' house; luckily they have backup IPv6, so I can access it remotely "directly".
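    A quick way to check for the double-NAT situation described in this comment, as an added example (not the commenter's code): classify the address the home router received on its WAN side and compare it with the address an external service reports. All addresses below are constructed; 100.64.0.0/10 is the RFC 6598 shared space reserved for ISP-side NAT, and 203.0.113.0/24 is a documentation range standing in for a real public address.

    ```python
    import ipaddress

    # RFC 6598 shared address space: an ISP hands these out to subscribers when it runs CGNAT.
    CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
    # RFC 1918 private ranges: normally the LAN side, but some ISPs use them upstream too.
    RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


    def classify(addr):
        """Return a coarse class for an address: cgnat, rfc1918, special, public or ipv6."""
        ip = ipaddress.ip_address(addr)
        if ip.version == 6:
            return "ipv6"  # CGNAT is an IPv4 mechanism; IPv6 is handled separately
        if ip in CGNAT_SPACE:
            return "cgnat"
        if any(ip in net for net in RFC1918):
            return "rfc1918"
        if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
            return "special"
        return "public"


    def nat_assessment(router_wan_addr, observed_public_addr):
        """Infer how many NAT layers sit between the LAN and the internet.

        router_wan_addr: address on the home router's WAN interface (from its status page).
        observed_public_addr: address an external "what is my IP" service reports for us.
        The home router itself always counts as the first NAT layer.
        """
        kind = classify(router_wan_addr)
        if kind == "cgnat":
            return {"layers": 2, "inbound_reachable": False,
                    "reason": "WAN address is RFC 6598 shared space: the ISP is running CGNAT"}
        if kind == "rfc1918":
            return {"layers": 2, "inbound_reachable": False,
                    "reason": "WAN address is RFC 1918 private: another NAT device sits upstream"}
        if kind == "public" and router_wan_addr == observed_public_addr:
            return {"layers": 1, "inbound_reachable": True,
                    "reason": "router holds the public address; port forwarding can work"}
        if kind == "public":
            return {"layers": 2, "inbound_reachable": False,
                    "reason": "public WAN address differs from the one seen outside: translation upstream"}
        return {"layers": None, "inbound_reachable": False,
                "reason": "WAN address is not an IPv4 unicast address; check IPv6 instead"}


    if __name__ == "__main__":
        # Constructed sample: router got a shared-space address, the world sees something else.
        print(nat_assessment("100.72.3.9", "203.0.113.7"))
    ```

    If the assessment reports two layers with no inbound reachability, port forwarding on the home router alone will not expose a service, which is the case the tunnel and mesh-VPN suggestions elsewhere in this thread work around.
    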

  • MuffWarrior a day ago

    I use https://getpublicip.com to deliver a public IP address to my home lab. I use them over Cloudflare tunnels and Tailscale because I run an email server at home and I don't want encryption terminating in the cloud (as is the case with Cloudflare tunnels). It's also a TCP / UDP level solution, which means I can host anything I want.

  • wkat4242 2 days ago

    It's not so bad IMO. I self-host a lot but I use a mesh VPN, Tailscale, to get to it. It's much safer not having my stuff exposed to the whole internet, I don't need to have incoming ports open, I don't care if my IP changes etc.

    • hollow-moe 2 days ago

      Do you get direct connections or are you stuck with the backup relays?

    • marklar423 2 days ago

      Can Tailscale connect to hosts behind CGNAT?

      • eszed 2 days ago

        Yes. They run public DERP servers. I'm no longer on an ISP with CGNAT, but never had an issue - marginally (like 10%?) throughput penalty, but not enough to notice with only a few users. I understand you can run your own DERP, though I never had the need, and it Just Worked.

  • vercaemert 2 days ago

    You can create a tunnel from a cheap VM (or appropriately sized set of VMs) in a cloud.

    It's a different, new calculus. The result is still that you have the same server power in your home, if that's what you want.

    • wkat4242 2 days ago

      I prefer mesh VPN because it's an extra authentication layer that Cloudflare tunnels don't have. But if you need to offer services publicly it's a good option, true.

      • vercaemert 2 days ago

        Interestingly, you say this. During my AI-driven research that led me toward tunnels, I found that VPN was the less secure approach.

        For SSH/Mosh, for example, I chose a WARP tunnel. I set it up with a certificate that expires immediately after each connection. My MFA was explicitly limited to password and Duo SSO Push.

        As I mentioned, though, my decision was primarily based on an Agent Mode prompt to ChatGPT, so I'm far from an expert.

        • wkat4242 a day ago

          Why would a VPN be less secure? It's an extra hurdle for attackers to take. You can still use whatever authentication you can on the service. And with a mesh VPN you also don't need to open any ports.

          However, when I look into it, it seems like WARP is also a VPN-like service, just a cloud one. Also, I do self-hosting, so a "cloud native" solution, as Cloudflare calls it, is explicitly not what I want. If your homelab is all about cloud then of course you would want something like this.

          • vercaemert a day ago

            My concern was specifically about other devices on the same home network, outside the homelab, becoming vulnerable.

            I don't remember the details. Not relevant to you if you don't want to use cloud-native services.

            Personally, I like proprietary security-oriented code where possible, cloud-native or not. That factored into the decision.

        • GauntletWizard a day ago

          AI driven research tells you everything you need to know about your conclusions; there's a hint of truth that's hiding an incredible web of misconceptions.

          Mesh VPNs as a security mechanism replacing having secure server to server communication is just replacing one soft-center security mechanism with another. Mesh VPNs as the gateway to services that are themselves well secured is well over doubly secure over just having publicly accessible services; now you need the security holes to line up.

    • commandersaki 2 days ago

      Yep, I access my Raspberry Pis using rathole via a VM. Easy enough.