Today I decided to work on the CGNAT issue of hosting on premise with a CGNAT ISP as the only source of internet. Looking at a VPS at either Vultr or DigitalOcean for about $6/month to route traffic via HAProxy.
My end state is to have the VPS be part of a WireGuard or OpenVPN VPN connection to pfSense at the edge of the client's network, and then map inbound connections via HAProxy to the appropriate internal addresses. This should cover both web and TCP services.
The question is who is the best provider for features and availability? I narrowed it down to DigitalOcean with their droplets or Vultr. I have used both before in the past and they worked OK, but nothing with them was mission critical. What are some opinions on these two vendors?
I used to use DigitalOcean, no issues, moved to Linode (these forums are now hosted there) because of some sponsorship and DigitalOcean changed their affiliate program, and it's worked well. Reilly Chase runs HostiFi on Vultr and has not had any problems. Most of this stuff is so cookie cutter I feel all the big vendors don't have many issues.
Please document this process, I’m kind of in need of the same since I’m locked behind CGNAT too. Cost has been the factor stopping me because I don’t really need to do this, more a want to do this.
I will keep you in the loop. Believe me, this is going to be more and more of an issue when homes and businesses adopt wireless 5G and/or Starlink. T-Mobile and others are pushing their business and residential 5G as the solution over fiber drops.
I have T-Mobile home internet; it is more reliable and faster than our Spectrum cable service was. Had to fight with the person on the phone to cancel Spectrum, they only wanted to upsell us and wouldn't listen to why we were angry with them. The service was dropping at least 50% each day and sometimes for hours in a day, yet when we had a tech scheduled they would look and see that it was working and cancel the service call.
That said, I may try and get myself a T-Mobile Business account and maybe with static IP. They do offer this in some areas, if you can prove you are a business. Same low prices with “unlimited” transfer, but I think it still slows down if a large number of phones are present, just like home does. Phones are priority to them.
I have made some progress over the weekend. I was able to stand up a VPS droplet on DigitalOcean using Ubuntu 24 LTS and install WireGuard. They had some good documentation on configuring WireGuard on their site. My intention was to have my pfSense act as a dynamic client connecting to the VPS.
This is a good YouTube video on doing pfSense Site to Site that also helped:
I would say after testing TailScale, OpenVPN, and WireGuard, WireGuard was the easiest to set up Site to Site.
Now onto the proxy server on the VPS to take the connections through the tunnel to the hosting servers along with DNS.
Had my second success! This weekend I was able to configure my weather site to be proxied through the VPS with HAProxy over the tunnel back to the source webserver and MQTT topic via WebSockets, instead of my hosted Nginx proxy and open ports on pfSense.
Learning the configuration nomenclature of HAProxy through their documentation was assisted by asking various AI agents to provide configurations. I will say it took a lot of piecing together the parts, but now that learning experience is over, I can focus on the other services I host.
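For anyone following along, here is an added example of what the HAProxy side on the VPS can look like for the set-up described in this thread (a public web front end that forwards HTTP and the MQTT WebSocket path over the tunnel, plus one plain TCP service). This is not the poster's actual configuration: the hostname weather.example.com, the MQTT WebSocket path /mqtt, and the tunnel-side LAN addresses 10.0.10.20 and 10.0.10.30 are assumed placeholders.

```haproxy
# /etc/haproxy/haproxy.cfg on the VPS (constructed example, not the thread author's config)
# The origin hosts are only reachable through the WireGuard tunnel, so nothing
# on the LAN needs an inbound port opened on pfSense or the CGNAT ISP side.
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    option  dontlognull
    timeout connect 5s
    timeout client  50s
    timeout server  50s
    # MQTT-over-WebSocket sessions stay idle for long stretches; keep them alive
    timeout tunnel  1h

# Public HTTP entry point on the VPS
frontend web_in
    bind *:80
    mode http
    option forwardfor                  # pass the real client IP to the origin
    acl host_weather hdr(host) -i weather.example.com   # assumed hostname
    acl is_mqtt_ws   path_beg /mqtt                     # assumed WebSocket path
    use_backend mqtt_ws     if host_weather is_mqtt_ws
    use_backend weather_web if host_weather
    default_backend weather_web

# Weather web server on the LAN, reached via the tunnel (assumed address)
backend weather_web
    mode http
    server origin 10.0.10.20:80 check

# MQTT broker WebSocket listener on the LAN; HAProxy passes the Upgrade through
backend mqtt_ws
    mode http
    server broker 10.0.10.30:9001 check

# A plain TCP service (e.g. MQTT over TLS) forwarded without inspecting payload
frontend tcp_in
    bind *:8883
    mode tcp
    default_backend mqtt_tls

backend mqtt_tls
    mode tcp
    server broker 10.0.10.30:8883 check
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` to syntax-check before reloading; the `check` keywords make HAProxy health-check each origin over the tunnel, so a dropped WireGuard session shows up as a DOWN backend in the logs rather than as silent timeouts.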