Overcoming CGNAT Constraints with Tailscale

January 3, 2025


This article explores how Tailscale’s VPN solution can help users regain the ability to host servers, forward ports, and establish direct connections behind CGNAT.


CGNAT workaround using Tailscale

The internet relies on two main versions of the Internet Protocol (IP) for communication: IPv4 and IPv6. IPv4, the older version, uses 32-bit addresses and can support around 4.3 billion unique addresses. With the rapid growth of internet-connected devices, the world has run short of available IPv4 addresses. To mitigate this, network address translation (NAT) and carrier-grade NAT (CGNAT) have been deployed. NAT is a technique used by routers to conserve public IPv4 addresses: devices within a local network get private addresses, and the router translates them all to a single public IP address. CGNAT takes this a step further by adding another layer of NAT inside the ISP's network: the customer's router itself is handed a non-public address, typically from the shared address space 100.64.0.0/10 (RFC 6598), and many customers share one public address at the ISP's edge.


Many ISPs, including those offering 5G and satellite internet services, heavily rely on CGNAT to manage the limited availability of IPv4 addresses. The use of CGNAT allows these ISPs to serve a large number of customers while using a smaller pool of public IPv4 addresses. This is particularly important for 5G and satellite ISPs, as they face the challenge of providing internet access to a rapidly growing number of devices in a cost-effective manner. However, the widespread use of CGNAT by these ISPs also means that many users face the limitations imposed by CGNAT, such as the lack of port forwarding capabilities.


IPv6, the newer version of the Internet Protocol, uses 128-bit addresses and can support an astronomical number of unique addresses, effectively eliminating the need for NAT and CGNAT. However, the adoption of IPv6 has been slow, and many ISPs and networks still heavily rely on IPv4 and CGNAT. Home internet using CGNAT (like T-Mobile 5G or Starlink) lacks a dedicated public IP: the address on the WAN side of the home router is itself non-public, and the ISP's NAT creates translation entries only for outbound flows. An inbound connection from the internet has no entry to follow, so a port forward configured on the home router never sees it. That is what makes hosting servers, using port forwarding, or establishing peer-to-peer connections difficult behind CGNAT.


This is where Tailscale comes into play. It is a WireGuard-based mesh VPN: every device gets a stable address in 100.64.0.0/10, a coordination server distributes public keys and helps peers punch through the NATs in front of them, and when hole-punching fails the traffic falls back to Tailscale's DERP relays (still encrypted end to end). Two devices can therefore reach each other without any inbound port being opened at the ISP, which is what gets around CGNAT. On top of that you can configure subnet routers (to reach a whole LAN through one node) and exit nodes (to route all of a device's traffic through the home connection). In my setup, I followed this guide to configure my Apple TV as both an exit node and a subnet router.


To validate my setup, I connected my desktop and phone to the Tailscale network. While my desktop and Apple TV remained on the same home Wi-Fi, my phone used cellular data. I then ran a simple “Hello World” server on my desktop using the Python code shown below.



import http.server
import socketserver

PORT = 8080


class MyHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        # Send a 200 OK response
        self.send_response(200)
        self.send_header("Content-type", "text/plain")
        self.end_headers()
        # Write the response body
        self.wfile.write(b"hello world")


if __name__ == "__main__":
    # "" binds to every interface on the desktop, so the server also answers
    # on the home Wi-Fi, not only on the Tailscale address
    with socketserver.TCPServer(("", PORT), MyHandler) as httpd:
        print(f"Serving HTTP on port {PORT} (Ctrl+C to stop)")
        httpd.serve_forever()
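The server above binds to "" (every interface), so it also answers on the home Wi-Fi, and it has no idea who is talking to it. The following is an added example, not the author's code: it binds only to the desktop's Tailscale address (obtained from the real CLI command `tailscale ip -4`, although the selection function accepts any list of addresses so it can be exercised offline) and refuses requests whose source is outside 100.64.0.0/10, the range Tailscale draws node addresses from. `pick_tailscale_ip`, `make_handler` and `make_server` are names chosen for this example.

```python
import ipaddress
import subprocess
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Tailscale assigns every node an IPv4 address from 100.64.0.0/10 (the RFC 6598
# shared address space); a host's LAN and loopback addresses are never in it.
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")


def pick_tailscale_ip(addresses):
    """Return the first address in `addresses` that lies in the tailnet range.

    `addresses` is normally the lines printed by `tailscale ip -4` (see
    tailscale_ips_from_cli) but any iterable of strings works. Returns None
    when nothing matches, e.g. because tailscaled is not running.
    """
    for addr in addresses:
        addr = addr.strip()
        if not addr:
            continue
        try:
            if ipaddress.ip_address(addr) in TAILNET_V4:
                return addr
        except ValueError:
            continue  # not an IP literal; skip it
    return None


def tailscale_ips_from_cli():
    """Ask the local tailscaled for this node's IPv4 address(es)."""
    out = subprocess.run(["tailscale", "ip", "-4"],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def make_handler(allowed):
    """Build a request handler that only answers clients inside `allowed`."""

    # BaseHTTPRequestHandler rather than SimpleHTTPRequestHandler: the latter
    # serves files from the current directory for any method you did not
    # override (HEAD, for instance), which a hello-world server has no use for.
    class HelloHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            client_ip = ipaddress.ip_address(self.client_address[0])
            if client_ip not in allowed:
                # Binding to the tailnet address already keeps LAN clients
                # out; this is defence in depth against a wrong bind address
                # or a subnet router advertising more than you intended.
                self.send_error(403, "not a tailnet peer")
                return
            body = b"hello world"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, fmt, *args):
            pass  # silence per-request logging; remove to see requests

    return HelloHandler


def make_server(bind_ip, port, allowed=TAILNET_V4):
    """Bind only to `bind_ip` (not to all interfaces) and return the server."""
    return ThreadingHTTPServer((bind_ip, port), make_handler(allowed))


if __name__ == "__main__":
    ts_ip = pick_tailscale_ip(tailscale_ips_from_cli())
    if ts_ip is None:
        raise SystemExit("no Tailscale IPv4 address found; is tailscaled up?")
    with make_server(ts_ip, 8080) as httpd:
        print(f"Serving HTTP on {ts_ip}:8080 (Ctrl+C to stop)")
        httpd.serve_forever()
```

With this in place the phone test from the next paragraph still works, but a laptop on the same Wi-Fi that is not enrolled in the tailnet gets no listener to talk to, and anything that does reach the handler from outside 100.64.0.0/10 is refused with a 403.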

Next, I retrieved my desktop’s Tailscale IP (a 100.x.y.z address) from the Tailscale app. Navigating to that address with “:8080” appended in the phone's browser loaded the “Hello World” page, showing that the phone on cellular data could reach the desktop even though the desktop sits behind CGNAT and no port was opened at the ISP.
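“Works” can mean two different things with Tailscale: a direct WireGuard path punched through the NATs, or traffic bouncing through one of Tailscale's DERP relays (slower, still encrypted end to end). `tailscale ping 100.x.y.z` prints which one you got for a single peer; the added example below, which is not from the original post, performs the same check for every peer by reading `tailscale status --json`. The sample JSON is constructed here in the shape of that command's output (the `Peer`, `HostName`, `TailscaleIPs`, `Online`, `CurAddr` and `Relay` field names are tailscale's own); `classify_peers` and `endpoint_kind` are names chosen for this example. One caveat is built into the logic: `CurAddr` is only populated once traffic has flowed, so an idle peer looks relayed until you ping it.

```python
import ipaddress
import json
import subprocess

CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample in the shape of `tailscale status --json` output (field
# names follow tailscale's ipnstate.PeerStatus). Three peers: one with a direct
# LAN path, one reachable only through a DERP relay (or idle), one offline.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "desktop", "TailscaleIPs": ["100.101.102.103"]},
    "Peer": {
        "nodekey:aaaa": {
            "HostName": "apple-tv",
            "TailscaleIPs": ["100.64.5.6"],
            "Online": True,
            "CurAddr": "192.168.1.20:41641",  # same Wi-Fi as the desktop
            "Relay": "sfo",
        },
        "nodekey:bbbb": {
            "HostName": "phone",
            "TailscaleIPs": ["100.72.8.9"],
            "Online": True,
            "CurAddr": "",                    # no direct path (yet)
            "Relay": "sfo",
        },
        "nodekey:cccc": {
            "HostName": "laptop",
            "TailscaleIPs": ["100.80.1.2"],
            "Online": False,
            "CurAddr": "",
            "Relay": "",
        },
    },
})


def endpoint_kind(cur_addr):
    """Classify a direct endpoint ("ip:port" or "[v6]:port") by where it lives."""
    host = cur_addr.rpartition(":")[0].strip("[]")
    ip = ipaddress.ip_address(host)
    if ip.version == 4 and ip in CGNAT_RANGE:
        # Both peers sit behind the same ISP NAT and found each other inside it
        return "direct (ISP-internal)"
    if ip.is_private:
        return "direct (LAN)"             # peers on the same home network
    return "direct (NAT traversal)"       # hole-punched to a public endpoint


def classify_peers(status_json):
    """Map each peer's hostname to how this node currently reaches it.

    CurAddr is the UDP endpoint of a working direct WireGuard path. It is empty
    while the peer is reached only through a DERP relay (Relay names the
    region) and also while no traffic has been exchanged yet, so ping a peer
    before trusting a "relayed" verdict.
    """
    status = json.loads(status_json)
    result = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            result[name] = "offline"
        elif peer.get("CurAddr"):
            result[name] = endpoint_kind(peer["CurAddr"])
        else:
            relay = peer.get("Relay") or "?"
            result[name] = f"relayed via DERP {relay} (or no traffic yet)"
    return result


def live_status():
    """Read the real status from the local tailscaled (needs the tailscale CLI)."""
    out = subprocess.run(["tailscale", "status", "--json"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    for host, path in classify_peers(live_status()).items():
        print(f"{host:16} {path}")
```

In the article's setup, the Apple TV and desktop share a Wi-Fi network, so a "direct (LAN)" verdict there says nothing about CGNAT; the interesting line is the phone on cellular, where "direct (NAT traversal)" means hole-punching succeeded through both the carrier's and the home ISP's NAT, and a persistent "relayed" means Tailscale is carrying the traffic through DERP instead.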


Ultimately, although home internet from satellite or 5G ISPs often imposes CGNAT limitations, Tailscale provides a practical way around them. By negotiating direct device-to-device connections (and falling back to its DERP relays when NAT traversal fails) and supporting subnet routers and exit nodes, Tailscale lets users host servers and reach their home network from anywhere, even behind CGNAT. The caveat is scope: those services are reachable by devices enrolled in the same tailnet, not by the public internet, which for a home server is usually exactly what you want.




Reach out to me at for any questions, suggestions, or feedback.