Site-2-Site behind CGNAT


I was planning on providing OPNsense firewalls to my parents house across the pond. I am setting up the mini-pc’s up with Opnsense and will deploy the unit when I visit them next. So I thought it’d be great to connect both our firewalls using Site-2-Site VPN. Unfortunately, all ISPs that provide internet to my parent’s house use CGNAT. :frowning:

What are my options to enable connectivity between the 2 houses? I have done some research but the 2 options that I found have some drawbacks.

  1. ZeroTier – I have seen @LTS_Tom 's video (ZeroTier VS VPN and A Look At The Data Stream With Wireshark - YouTube) but I am a bit concerned about my data passing through 3rd party servers. Secondly, if I use the ZeroTier plugin on Opnsense – will all the devices behind these firewalls be able to talk to each other?
  2. VPS serving OpenVPN – additional cost of VPS and having to monitor the bandwidth etc.

Are there any other options in the CGNAT scenario? My preference would be to self host a VPN (Site-2-Site or Road-Warrior style) but I am not sure if that is even possible.

Thanks for your time …

Just a thought, never done it.

If you setup a RAS on your side and a client at your parents you have a tunnel. You now need to tweak the setting on the server for it to now act like a site-to-site (not quite sure which but must be possible - on my to do list as this is what I have instead of site-to-site using this approach as a fallback if something goes wrong).

Additionally if I recall correctly from ages ago, QNAP had some kinda hole-punching VPN approach. They have/had a service allowing access to a QNAP and/or between QNAP devices, basically it must be some kinda solution whereby they host the VPN server and route the traffic between devices. Don’t fully recall but you might want to investigate as it might work out cheaper than a VPS service.

OpenVPN works fine as long as one system has a public IP. So you would set the firewall behind CGNAT to call out to your firewall that is not.

1 Like

Thanks @LTS_Tom – I have a dynamic IP – but that can be handled by DDNS (which I already have setup).

Are you saying that a Road warrior VPN would just work or were you talking about a Site-2-Site VPN? Is there any way to have an “always-on” kind of connection — that would be easier for my totally non-tech parents. But if that is not possible, then maybe I can make it as easy as possible for them to initiate the connection.

@neogrid what kind of RAS were you suggesting? I am trying to see what other options are available.

Then again, if OpenVPN will work as @LTS_Tom has suggested, then I might try that first.

As Tom said but just use a site to site. in OpenVPN a site to site still has a “server” and a “client” so just set your place up as the server and them as the client.

Just out of interest, “other side of the pond” I am guessing you mean the Atlantic pond, which side are you on? I’m in the UK and there are plenty of ISP’s here that do none CGNAT and static IP addressing.

ps. First hand experience, one of my office locations is on a 4g router with cgnat and it connects back to base absolutely fine. I even filter the inbound connection based on IP using Dynamic DNS through a free cloudflare account

RAS is the what OpenVPN refers to as Remote Access Server as opposed to site-to-site.

So you have a OpenVPN server on your side and the client on your parents side.

That’s easy enough to do.

Your next problem is if the client goes down (or something) then you lose the tunnel. The service watchdog might help.

Thanks everyone. I’ll try to set this up and try to simulate a CGNAT on one box and test it out before I visit them next.

Might be handy to have a raspberry pi set up as a second client at your parents, small, cheap and decent backup to the backup. A flight won’t be cheaper.

I am currently setting up the P2P OpenVPN between my house(server - public IP) and my parent’s house (client - behind CGNAT) and also my sister’s house(client - behind CGNAT). Going through @LTS_Tom’s Site-2-Site VPN video (How To Setup A Peer to Peer / Site to Site VPN Using OpenVPN On pfSense - YouTube) and have the following questions:

  1. Should both the connections Server–Client1 and Server–Client2 be on separate Tunnel networks or can I use the same Tunnel network? What are the repercussions of either option?
  2. Should I be using a /30 Tunnel network instead of a /24 as there would only be the Server and Client --especially if I am using separate Tunnel networks for each client
  3. In the Concurrent Connections option – say if I set this to 2 (does it mean 2 client sites can connect or does it mean only 2 client machines can connect? eg. if 2 computers from client1 connect, no computers from client2 can connect until a connection is released?
  4. If both clients connect to the server, will traffic be routable directly between the 2 clients as well, if I push the appropriate remote networks in the Server configuration?


  1. Same tunnel is fine
  2. leave Inter-client communication turned off if you don’t want them to talk
  3. Concurrent connections is per client connected to VPN, not devices
  4. Should work, we usually use IPSEC for multisite

thanks @LTS_Tom. I have never used IPSEC personally but I’ll look into it and see if I can make sense of it without too much trouble.

Also, as an FYI, most ISP’s will remove you from CGN if specially requested, or lease a static IP for a few dollars per month…

Behind CGNAT it is best to make use of the VPN using IPV6 for site2site.

Zerotier and things like that are only worthwhile for Client2Site

I’ll ask the ISP if they provide IPv6. But that would mean that I would have to switch over to IPv6 too which would be a hassle as I have set up everything on my network to only use IPv4.

@LTS_Tom mentioned earlier that OpenVPN would work in a CGNAT scenario if the client sites would call the Server as long as the Server had a public IP. Will IPSec work across CGNAT too?

Once the VPN connection in initiated, all devices should be pingable from server to client and client to server, correct?

As long as one of the locations has a public Non-CGN IP it can be connected to via IPSEC or OpenVPN.

Even if it is not static, you can always run a Dynamic DNS naming service should the IP change.

In my case on the internal network I use only IPV4, but for VPN I prefer to make a direct connection, no third-party software as this can greatly reduce the VPN bandwidth and complicate troubleshooting.

About the exchange of DNS, nothing simpler than DDNS, in the same way that I always worked with VPN IPV4

Ah if you have 1 side with a valid IP go to OpenVPN, with it the client can be behind a CGNAT that has no problem!

Great. thanks for the confirmation. I do already have DDNS setup which works correctly.

Right, which is why I had concerns about ZeroTier as mentioned in my first post.