How can I bypass CGNAT by using a VPS with a public IPv4 address?

You don't want to forward all traffic. You can do SNAT port forwards across the VPN, but that requires the clients in your LAN to use the VPS as their gateway (I do this for a few services that I can't run through a proxy; its clunky but works well).

Typically, you'll want to proxy requests to your services rather than forwarding traffic.

1. Setup Wireguard or OpenVPN on the VPS as a server VPN. Allow whatever listener port in the firewall (I use ufw on Debian, but you can use iptables if you want)
2. Install HAProxy or Nginx (or Nginx Proxy Manager) on the VPS to act as your frotnend. Those will listen on ports 80/443 and proxy requests to your backend servers. They'll also be responsible for SSL termination, and your public-facing certs will be set there.
3. Point your DNS records for your services to the VPS's public IPv4
4. On your LAN, configure your router to connect to the VPS as a VPN client and route into your LAN from the VPN subnet -or- install the VPN client (WG/OVPN) on each host
5. In your VPS's reverse proxy (HAProxy, etc), set the backend server address and port to the VPN address of your host

I've done this since ~2013 (before CF tunnels were even a product) and has worked great.

My original use case was to setup direct connectivity between a Raspberry PI with a 3G dongle with a server a home on satellite internet. Both ends of that were behind CG-NAT, so this was the solution I came up with.

I use rathole https://github.com/rapiz1/rathole
Its been solid.

I managed this by using tailscale, with a kind of weird setup I think, but it just works.

I have tailscale on the VPS and my local server, let's say its tailscale name is potatoserver

Then with Caddy on the VPS i have something like:

mywebsite.com { reverse_proxy potatoserver:port }

And so mywebsite.com is accessible on the clearnet through the VPS

Though given you're getting rid of cloudflare tunnles I don't know if you'd want to get into Tailscale. There's Headscale too but I haven't worked with it so I can't comment

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

[Thread #635 for this sub, first seen 27th Mar 2024, 18:15] [FAQ] [Full list] [Contact] [Source code]

For single-port traffic with Docker containers (e.g. Plex running in Docker), this has worked great for me: https://github.com/DigitallyRefined/docker-wireguard-tunnel

I don't have to fiddle with IPTables or PostUp / PostDown rules. I just run that container on both my local machine and the VPS, and use the wg0.conf and peer1.conf it spits out for me.

Not sure exactly how good this would work for your use case of all traffic, but I use autossh and ssh reverse tunneling to forward a few local ports/services from my local machine to my VPS, where I can then proxy those ports in nginx or apache on the VPS. It might take a bit of extra configuration to go this route, but it's been reliable for years for me. Wireguard is probably the "newer, right way" to do what I'm doing, but personally I find using ssh tunnels a bit simpler to wrap my head around and manage.

Technically wireguard would have a touch less latency, but most of the latency will be due to the round trip distance between you and your VPS and the difference in protocols is comparatively negligible.

This one works , I myself have done it cause my shitty isp needs a huge payment for a static public ip. A 5$ VPS was much cheaper . Server behind NAT I can help if you got any doubts

Do you have a working Wireguard connection? If so you can setup two reverse proxies.

I had a similar problem like you. My provider only gives me a public IPv6 but no public IPv4. Im using a VPS with an IPv4 with jool to set up SIIT-DC https://nicmx.github.io/Jool/en/siit-dc.html

This converts all IPv4 traffic arriving at the VPS to IPv6 traffic which gets then directly routed to my homeserver.

Not sure if this setup would work for you. This is not a viable solution if you are completly behind a CGNAT without even a public IPv6.

Pro:

• Works without any sensitive Data on the VPS (SSl certificates/passwords...)
• Works for all IP based traffic (TCP,UDP,ICMP)
• The original source IPv4 can be restored by the homeserver Contra:
• AFAIK you cannot choose to only forward some TCP ports. Everything gets redirected.
• You cannot access the VPS via IPv4 anymore since it gets redirected to your homeserver. (I only access my VPS via IPv6)
• No (additional) encryption. (This is no problem for me since all my traffic is already e2e encrypted)

I did this. Works flawlessly for half year now. I have x86 thin client at home running all my stuff, it creates tunnel to my VPS (I use Free tier Oracle VPS - yes, it is a shit company, I know, no need to let me know again in the comments). Works like a charm. This GitHub repo has automated installer for Oracle, Amazon,... https://github.com/mochman/Bypass_CGNAT/wiki/Oracle-Cloud-(Automatic-Installer-Script) - it installs and configures Wireguard on both server (VPS) and client (your home machine).

Here https://wiki.gardiol.org/doku.php?id=router:ssh_tunnel

Yeah you probably need a second IP address on the VPS though.

I open a wire guard tunnel from home to the VPS and then tunnel an Nginx ingress down the VPS.