Relays and CGNAT

Hi all. I’ve seen quite a lot of debate regarding whether it is possible to run a relay on an internet connection which is subject to CGNAT. It was my impression that it is impossible due to the downstream nature of CGNAT making port forwarding impossible. I’ve seen a few folk stating that it is possible using a VPN or a VPS running WireGuard, using solutions that were used for 4G off-grid Helium setups. Again, I can’t see how this would work for Tor, but I even see a few of the VPN providers claim to have solutions to the CGNAT and port forwarding problem.

I’m aware that running behind a VPN isn’t suitable for a lot of other reasons, just to be clear. However, for the sake of clarity, I wonder if anyone is able to give a definitive answer to the question of whether CGNAT is a show-stopper or if there are ways around it for relay operators?

In theory, you could have something that has a (non-CGNATed) public IP, which redirects traffic to a server behind CGNAT using a VPN. I don’t think that setup makes sense for a Tor relay; the usual reason VPN providers allow it is to forward a BitTorrent port or something like that.

For the sake of completeness, it also depends a lot on how ISPs do CGNAT. I have one of my accesses to internet behind CGNAT, but I actually have 16384 ports dedicated to me (the provider shares a single IP between 4 customers). I can have a service listen on one of these ports, and have it be reachable from the internet. However this comes with dynamic IP in my case, so not great for a relay, and that’s also not how CGNAT is usually done.

Hi. Thanks for the response. I agree that is not normally how CGNAT is done, so not an option for most people. The bit I struggle to understand is how a VPS with a public IP in between would help. How could it redirect the traffic to a server behind CGNAT? Isn’t it still eventually going to have to send it to the external IP address of the server and hit the NAT? If that’s shared between several customers, won’t it still be impossible for the ISP to know which one the traffic is intended for? I have a feeling there may be a hole in my understanding here :thinking:

When using a VPN, you (the client behind CGNAT) would be the one initiating a connection to the VPN server. Once that connection is established, the VPN server can send anything over it. Packets it receives for you (including ones representing the handshake for a new TCP connection) get encapsulated so they look like they are part of one big connection between you and the VPN server.
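The mechanism described in the reply above, as an added example that is not part of this thread and is not Tor, WireGuard or any VPN provider's code: a minimal reverse tunnel written with plain Python sockets, run entirely on 127.0.0.1. The "public side" plays the VPS with a routable address, the "CGNAT side" plays the relay host, and a small echo server stands in for the relay's ORPort. The `ctl`/`OPEN` header framing, the port numbers (all chosen by the OS) and `PUBLIC_HOST` are assumptions made for the demo. The point it shows is that the CGNAT host only ever opens outbound connections, which is all a NAT needs to allow, and the VPS hands each new inbound TCP connection back down a path the CGNAT host opened.

```python
# Constructed demo of a reverse tunnel, all on 127.0.0.1: the host behind CGNAT
# dials OUT to a host with a public IP, and that host hands new inbound TCP
# connections back down the path the CGNAT host opened. Not Tor or VPN code.
import itertools
import socket
import threading
PUBLIC_HOST = "127.0.0.1"  # stands in for the VPS's routable address (assumption)

def spawn(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def listen():  # TCP listener on a free port chosen by the OS
    s = socket.socket()
    s.bind((PUBLIC_HOST, 0))
    s.listen()
    return s

def read_line(sock):  # one header line, byte by byte so no payload is swallowed
    buf = b""
    while not buf.endswith(b"\n") and (b := sock.recv(1)):
        buf += b
    return buf.decode().strip()

def pump(src, dst):
    """Copy src -> dst until EOF, then pass the half-close on to dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def splice(a, b):  # relay bytes both ways between two connected sockets
    spawn(pump, a, b)
    spawn(pump, b, a)

class PublicSide:
    """VPS role: never dials the CGNAT host; every link between the two is opened from the CGNAT side."""
    def __init__(self):
        self.control_srv = listen()  # CGNAT host dials this (control + data legs)
        self.public_srv = listen()   # what the internet sees as the ORPort
        self.pending = {}            # connection id -> client socket awaiting a leg
        self.ids = itertools.count()
        spawn(self.run)

    def run(self):
        while True:
            conn, _ = self.control_srv.accept()
            header = read_line(conn)
            if header == "ctl":           # the long-lived control channel
                self.control = conn
                spawn(self.accept_public)
            else:                         # a data leg for a pending public client
                splice(self.pending.pop(header), conn)

    def accept_public(self):
        while True:
            client, _ = self.public_srv.accept()
            cid = str(next(self.ids))
            self.pending[cid] = client
            # Ask the CGNAT host, over the connection IT opened, to dial a data leg.
            self.control.sendall(f"OPEN {cid}\n".encode())

class CgnatSide:
    """Relay host role: nothing but outbound connections, which CGNAT allows."""
    def __init__(self, control_port, service_port):
        self.control_port, self.service_port = control_port, service_port
        spawn(self.run)

    def run(self):
        ctl = socket.create_connection((PUBLIC_HOST, self.control_port))
        ctl.sendall(b"ctl\n")
        while line := read_line(ctl):
            _, cid = line.split()
            leg = socket.create_connection((PUBLIC_HOST, self.control_port))
            leg.sendall(cid.encode() + b"\n")
            local = socket.create_connection((PUBLIC_HOST, self.service_port))
            splice(leg, local)           # leg <-> local service (e.g. the ORPort)

def demo(message=b"hello from a client on the internet"):
    """Run all three roles locally; return what a public client gets back from
    an echo service standing in for the relay behind CGNAT."""
    echo = listen()
    def serve_echo():
        while True:
            c, _ = echo.accept()
            spawn(pump, c, c)            # echo: whatever comes in goes back out
    spawn(serve_echo)
    pub = PublicSide()
    CgnatSide(pub.control_srv.getsockname()[1], echo.getsockname()[1])
    client = socket.create_connection((PUBLIC_HOST, pub.public_srv.getsockname()[1]))
    client.sendall(message)
    client.shutdown(socket.SHUT_WR)      # EOF travels down the tunnel and back
    reply = client.makefile("rb").read()
    client.close()
    return reply
```

Calling `demo()` returns the bytes the public client sent, echoed back by the service behind the simulated CGNAT, even though nothing ever connected inbound to that side. A real deployment replaces the hand-rolled framing with a WireGuard tunnel that the CGNAT host dials with a keepalive (so the NAT mapping stays open) and a DNAT rule on the VPS that forwards the ORPort to the tunnel address; the relay then has to advertise the VPS address as its own. The caveats from the thread still apply: all relay traffic now traverses the CGNAT uplink twice, and the VPS owner sits in the path of every connection.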

Ah I see, that makes sense. But I suppose it begs the question, why not deploy the Tor relay on the VPS itself, rather than using it to transmit traffic? To your knowledge, are there off-the-shelf VPN services which could do this to enable a Tor relay to run behind CGNAT? Or would it require someone to spin up a VPS with WireGuard or something like that? Just to reiterate, I’m not thinking of doing this myself. I’m just trying to get to the bottom of whether some of the advice floating around to use a standard VPN to get around CGNAT is valid.

Not long ago, Mullvad supported port forwarding through their VPN, so it would have been possible back then. They stopped allowing that recently, but I guess there exist other VPN providers which still support this feature.
