How to bypass CGNAT

I was trying to set up a Nextcloud AIO server at my home (without any reverse proxy), but couldn’t because port forwarding was not working, as my ISP uses CGNAT.
I would like to know if there is any way to bypass CGNAT.

Yes, by using a VPN or a frontend service like Cloudflare Tunnel.

2 Likes

Are there any better options which aren’t performance-limiting?

As long as you do not have your own public IP, you either:

  • Forward traffic on your ISP’s border gateway network, for example if your ISP has a public reverse proxy and is willing to configure it for you (highly unlikely).
  • Need other means of routing your traffic from a public address to your server (VPN, tunnels etc.).

NAT is literally killing any chance of traffic reaching your server from the public internet. However, if you have an IPv6 address, you might be able to use that, but then it will have to be exclusive. This would (unless your ISP is completely shielding you and has NAT on the IPv6) not require anything else than setting up an A record on the nameserver that manages your public domain, pointing to your webserver’s IPv6 address.

1 Like

Yeah well, my ISP doesn’t give an IPv6 address either.
Sorry if I sound dumb here, but would it work if I set up a reverse proxy of my own? I didn’t, because it is my first time doing this, and I just wanted to deploy a test run.

No. That reverse proxy needs to be reachable and exposed on the internet with one network card, and be on the same network as your webserver (Nextcloud) with another network card.

It is simple networking, unfortunately. If you do not have a public IP (which is extremely unlikely if behind CGNAT), you need traffic to be “routed” or forwarded back and forth to and from your own router. Only a VPN or a very friendly ISP can ensure that.

Some ISPs do actually assign public IP addresses to customers, even though they might be dynamic. If you have one of those, there are simple solutions. If not, VPN or other tunnel solutions are your only option.

1 Like
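
The check behind this post and behind the original poster’s failed port forward (do I actually hold a public address, or is the router’s WAN address a carrier-grade NAT one?), as an added example that is neither the thread’s nor Nextcloud’s code: a POSIX shell script that classifies an IPv4 address against the CGNAT range from RFC 6598 (100.64.0.0/10) and the private ranges, and compares the router’s WAN address with the address the internet sees for you. All function names and the sample addresses are my own constructions.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the address on your router's WAN
# page is a real public address or a CGNAT one (RFC 6598, 100.64.0.0/10), and compare it
# with the address the internet sees for you. Sample addresses below are constructed.
set -eu

# ipv4_to_int A.B.C.D: print the address as a decimal 32-bit integer; fail on bad input.
ipv4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for octet in "$@"; do
        # digits only, no empty field, no leading zero (shell arithmetic would read 010 as octal)
        case $octet in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$(( n * 256 + octet ))
    done
    printf '%s\n' "$n"
}

# in_cidr ADDR NET/LEN: true when ADDR lies inside the prefix.
in_cidr() {
    ip=$(ipv4_to_int "$1") || return 1
    net=$(ipv4_to_int "${2%/*}") || return 1
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify_ipv4 ADDR: prints cgnat | private | loopback | link-local | public; fails on malformed input.
classify_ipv4() {
    ipv4_to_int "$1" >/dev/null || return 1
    if in_cidr "$1" 100.64.0.0/10; then echo cgnat
    elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16; then echo private
    elif in_cidr "$1" 127.0.0.0/8; then echo loopback
    elif in_cidr "$1" 169.254.0.0/16; then echo link-local
    else echo public
    fi
}

# cgnat_verdict ROUTER_WAN_ADDR [INTERNET_SEEN_ADDR]
#   ROUTER_WAN_ADDR:    what the router's status page shows as its WAN/Internet address
#   INTERNET_SEEN_ADDR: what an external "what is my IP" service reports for your connection
# Prints a one-line verdict whose first word is cgnat, public, nat-upstream or invalid.
cgnat_verdict() {
    seen=${2:-}
    kind=$(classify_ipv4 "$1") || { echo "invalid: $1 is not an IPv4 address"; return 1; }
    case $kind in
        cgnat)
            echo "cgnat: WAN address $1 is in 100.64.0.0/10; router port forwards cannot be reached from the internet" ;;
        public)
            if [ -z "$seen" ]; then
                echo "public: $1 is outside the private and CGNAT ranges; confirm it matches the internet-visible address"
            elif [ "$1" = "$seen" ]; then
                echo "public: the router holds the internet-visible address $1; port forwarding should work"
            else
                # Some ISPs use space outside RFC 6598 for carrier NAT; the mismatch exposes that too.
                echo "nat-upstream: WAN address $1 looks public but the internet sees $seen; another NAT sits in between"
            fi ;;
        *)
            echo "nat-upstream: WAN address $1 is $kind; another NAT (CGNAT or a second router) sits in between" ;;
    esac
}

# Demo on constructed pairs "router-WAN-address internet-visible-address".
main() {
    for pair in "100.72.3.4 203.0.113.10" "192.168.1.20 203.0.113.10" \
                "203.0.113.10 203.0.113.10" "198.51.100.7 203.0.113.10" "300.1.1.1 203.0.113.10"; do
        set -- $pair
        cgnat_verdict "$1" "$2" || true
    done
}
main
```

Run it with your own two addresses (`cgnat_verdict <router WAN address> <externally observed address>`). A `cgnat` or `nat-upstream` verdict means no router port forward will help and one of the tunnel options in this thread is needed; only a matching `public` verdict means plain port forwarding is worth debugging further.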

Ohhh, I’ll try using Cloudflare Tunnel then; at the same time I will see how “friendly” my ISP is and try to work things out.
Also, if there’s any workaround for Nextcloud Talk using Cloudflare Tunnel, please let me know.

Hello,

I have used various cloud VPS servers to run an OpenVPN tunnel to forward traffic on 80/443 to my local home server to bypass the CG-NAT… If the VPS provider has a data center location near your city and your ISP has good reach to that location, there is no noticeable performance penalty.

I can easily max out my ISP-allowed bandwidth, both up and down, with that tunnel in Nextcloud. Yes, maybe there is at most a 5% speed penalty, but that’s really negligible.

Thanks.

3 Likes

Change to an ISP that at least offers you public IPv6 addresses. If that really isn’t a viable option, I’d go the route @NaXal mentioned. Instead of OpenVPN you could also use WireGuard, which, at least in theory, should offer better performance. But of course performance mainly depends on the upstream bitrate of your internet connection.

Cloudflare tunnels would only be my very last resort, because a) their tunnels have certain limitations, and b) they can read all traffic in clear text.

2 Likes

@bb77 Privacy is not much of a concern right now. I’m a student and deploying this for learning and getting familiar with Nextcloud. So I’m going to go for Cloudflare Tunnel for now.
Of course, I want to deploy it for proper use in the future. In the meantime I’ll try to negotiate with my ISP for IPv6; if there’s no luck then I’ll try my way with VPS/VPN.
I’m using my old laptop, with Docker Desktop on Windows 10. Are there any tutorials for this scenario? I can find few, as most are Linux-based.
Thanks

If it’s just to learn and become familiar with it, you could install it only locally, and use self-signed certificates, or you could install it directly on a VPS.

Port forwarding or Cloudflare tunnels only make sense when you are using it in production, meaning you are moving all your personal files from Google Drive or Dropbox to your self-hosted Nextcloud. Until you are ready to make that move, a 50 GB Hetzner, Linode, DigitalOcean etc. VPS is more than enough to learn things.

Btw, you don’t learn how IT technologies work in a Cloudflare dashboard. If dashboards are what you want to learn, you could just as well pay 9.95 € to MS or Google. They have dashboards as well, but at the same time they also store your data. :wink:

1 Like

I understand, I already have one running locally. As I said, I want to take it to production (i.e. moving personal files, not commercial use), but not until I’m a little more familiar with this.
I’m just doing this because I had an old laptop lying around which had Windows on it, and that is what I’m familiar with, and a free domain (the one you get with the GitHub Student Pack), and self-hosting would be a good new side skill I could learn during this vacation.

Yeah, the VPS -> VPN solution is definitely more involved. Unfortunately, I have never set up something exactly like this and therefore I don’t have a tutorial at hand.

However, if privacy isn’t the most important thing to you, and Cloudflare can help you get this thing going, you might as well use it for now. You can always check other options later. IT projects are never final, they are an ongoing (learning) process… :wink:

3 Likes

If going down the path of buying an ultra-small and cheap VPS, then go for Ubuntu and set up a WireGuard VPN tunnel for speed and security. In truth, that is all you will need to install on that cloud VPS.

1 Like
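
The VPS-plus-tunnel setup NaXal described earlier (a VPS forwarding 80/443 to the home server over a VPN) in the WireGuard form recommended in this post, as an added example that is neither the thread’s nor Nextcloud’s code: a POSIX shell script that generates the two wg-quick configs. The VPS DNATs the forwarded ports into the tunnel, and the home server dials out to the VPS, which is what makes this work behind CGNAT. The uplink interface name eth0, the tunnel subnet 10.8.0.0/24, the listen port 51820 and the documentation address 203.0.113.10 are assumptions; replace them for your VPS.

```shell
#!/bin/sh
# Added example (not the thread's or Nextcloud's code): generate the two wg-quick configs
# for a "VPS as public front door" tunnel. The VPS DNATs TCP 80/443 into the tunnel; the
# home server behind CGNAT dials out to the VPS, so no inbound port is needed at home.
set -eu

WG_PORT=51820               # UDP listen port on the VPS (assumption)
VPS_TUN=10.8.0.1            # VPS end of the tunnel (assumed subnet 10.8.0.0/24)
HOME_TUN=10.8.0.2           # home server end of the tunnel
VPS_WAN_IF=eth0             # VPS uplink interface (assumption; check with `ip route`)
FWD_SPECS="tcp/80 tcp/443"  # proto/port pairs to forward; append e.g. udp/3478 for a TURN server

# wg_keypair NAME: prints "<private> <public>". Uses wg(8) when installed, otherwise
# placeholder strings so the output can still be inspected without WireGuard.
wg_keypair() {
    if command -v wg >/dev/null 2>&1; then
        kp_priv=$(wg genkey)
        printf '%s %s\n' "$kp_priv" "$(printf '%s' "$kp_priv" | wg pubkey)"
    else
        printf '<%s-private-key> <%s-public-key>\n' "$1" "$1"
    fi
}

# fw_rules -A|-D: one PostUp (-A) or PostDown (-D) line per iptables rule, so the rules
# installed when wg0 comes up are removed again by the same list when it goes down.
fw_rules() {
    case $1 in -A) hook=PostUp ;; *) hook=PostDown ;; esac
    for spec in $FWD_SPECS; do
        proto=${spec%/*}; port=${spec#*/}
        # Rewrite the destination of inbound traffic on the uplink to the home server...
        printf '%s = iptables -t nat %s PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$hook" "$1" "$VPS_WAN_IF" "$proto" "$port" "$HOME_TUN" "$port"
        # ...and let only that traffic cross from the uplink into the tunnel.
        printf '%s = iptables %s FORWARD -i %s -o wg0 -p %s -d %s --dport %s -j ACCEPT\n' \
            "$hook" "$1" "$VPS_WAN_IF" "$proto" "$HOME_TUN" "$port"
    done
    printf '%s = iptables %s FORWARD -i wg0 -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$hook" "$1" "$VPS_WAN_IF"
    # Source-NAT forwarded packets to the VPS tunnel address so the home server's replies
    # route back through wg0 without policy routing at home. Cost: Nextcloud sees
    # 10.8.0.1 as every client's address.
    printf '%s = iptables -t nat %s POSTROUTING -o wg0 -d %s -j SNAT --to-source %s\n' \
        "$hook" "$1" "$HOME_TUN" "$VPS_TUN"
}

# gen_vps_conf VPS_PRIVATE_KEY HOME_PUBLIC_KEY: /etc/wireguard/wg0.conf for the VPS.
gen_vps_conf() {
    cat <<EOF
[Interface]
Address = $VPS_TUN/24
ListenPort = $WG_PORT
PrivateKey = $1
PostUp = sysctl -w net.ipv4.ip_forward=1
EOF
    fw_rules -A
    fw_rules -D
    cat <<EOF

[Peer]
# home server: it has no reachable address, so no Endpoint here; it connects to us
PublicKey = $2
AllowedIPs = $HOME_TUN/32
EOF
}

# gen_home_conf HOME_PRIVATE_KEY VPS_PUBLIC_KEY VPS_ADDRESS: wg0.conf for the home server.
gen_home_conf() {
    cat <<EOF
[Interface]
Address = $HOME_TUN/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3:$WG_PORT
# Only the VPS tunnel address is routed via wg0; the LAN keeps its normal default route.
AllowedIPs = $VPS_TUN/32
# CGNAT expires idle UDP mappings; keepalives hold the path open so the VPS can reach us.
PersistentKeepalive = 25
EOF
}

# main [VPS_ADDRESS] [OUTDIR]: write vps-wg0.conf and home-wg0.conf into OUTDIR
# (mode 600, they contain private keys) or, without OUTDIR, print both to stdout.
main() {
    vps_addr=${1:-203.0.113.10}      # documentation address; use the VPS's real IP or DNS name
    outdir=${2:-}
    vps_keys=$(wg_keypair vps);   vps_priv=${vps_keys%% *};  vps_pub=${vps_keys##* }
    home_keys=$(wg_keypair home); home_priv=${home_keys%% *}; home_pub=${home_keys##* }
    if [ -n "$outdir" ]; then
        umask 077
        gen_vps_conf "$vps_priv" "$home_pub" >"$outdir/vps-wg0.conf"
        gen_home_conf "$home_priv" "$vps_pub" "$vps_addr" >"$outdir/home-wg0.conf"
    else
        echo '### VPS: /etc/wireguard/wg0.conf'; gen_vps_conf "$vps_priv" "$home_pub"
        echo; echo '### home server: /etc/wireguard/wg0.conf'
        gen_home_conf "$home_priv" "$vps_pub" "$vps_addr"
    fi
}
main "$@"
```

Bring both sides up with `wg-quick up wg0` and point the domain’s A record at the VPS. Because the VPS only forwards raw TCP, TLS still terminates on the home server, so the VPS operator sees ciphertext only (the difference from a Cloudflare tunnel that bb77 raised). The SNAT rule is a deliberate simplification: it costs you the real client addresses in Nextcloud’s logs and brute-force protection; to keep them, drop that rule and instead add a policy route on the home server that sends replies from 10.8.0.2 back via wg0. Restrict the VPS’s INPUT chain to SSH, 51820/udp and the forwarded ports, since this script configures forwarding only.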

Hello,

I have tried both… and in my testing with my setup and available bandwidth (250 Mbps domestic ISP link), I find absolutely zero difference between WireGuard and OpenVPN performance…

I felt more comfortable with OpenVPN so I went ahead with that.

Thanks.

That is fair. I see a slight improvement in speed. My main motivation for WireGuard was the simplicity of deploying and setting it up, as well as security. However, everyone has their preferences. :slight_smile:

1 Like