Hi. Recently, my ISP implemented CGNAT, which has prevented me from accessing the WireGuard server on my router. However, I do have a VPS with WireGuard server and a static IP. Is there a way to configure my router to connect to this VPS server, so that it becomes accessible through the VPS's IP, while ensuring that my LAN clients do not route their internet traffic through the VPN?
Yes. "Customize Routing Rules" allows multiple site-to-site networks behind CGNATs. No need even to access LuCI.
I'm not sure which routing rule to apply for the router's WireGuard client. I've already set up a rule for 192.168.1.0/24, but it's not working. I need all devices connected to the same VPN network to be able to access the router's LAN.
Quidn's post is about how to use the proxy mode to route the traffic of the LAN clients.
There is no public IP behind CGNAT. The simple way is to create a VPN server on the VPS, with the GL router and the other devices as VPN clients.
Okay, I've found a solution. My initial goal was to access my IP cameras from outside the local network. Previously, I could achieve this by using the WireGuard server functionality on my router. However, after my ISP implemented CGNAT, this method became ineffective. So, what did I do? I connected my router to my VPS via WireGuard. I added the IP addresses of my cameras to the 'allowed IPs' list in my router's client configuration on the VPS. Then, in the router VPN settings, I selected the option 'VPN Policy Based on the Client Device' and added my IP cameras to the list. Now, any client connected to my VPN can directly access the cameras via their IP addresses.
Why not just use something like Tailscale?
Firstly, I'm not familiar with that. Secondly, I'd prefer to avoid using any third-party services that are beyond my control, if possible.
That could be a workaround, but it goes against your requirement:
"while ensuring that my LAN clients do not route their internet traffic through the VPN"
Security concerns aside, to accurately reflect your requirements:
- On the VPS: enter your LAN CIDR block (e.g., 192.168.8.0/24) into allowed_ips
- On the router's WireGuard Client menu:
-- Enter your WireGuard network CIDR block (e.g., 10.0.0.0/24) into allowed_ips and create a route rule for it
-- Turn on Remote Access LAN
-- Turn off IP Masquerading
That's it. If you have just one site and all the other peers are just client devices, there is nothing more to configure.
In this setup, because the OP is already running their own WG server, using Tailscale is more complex, I feel. Moreover, there is no upside, because it's just one site which is behind CGNAT.
One of the great things about GL.iNet routers is that you can do a setup like this very easily in the default UI of the stock firmware. This is a very unique advantage which really impressed me. So... try it out!
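For reference, this is what the two setups described in the thread (the camera solution above and the allowed_ips / route-rule recipe) look like when written out as plain WireGuard configuration files. This is an added example, not taken from the original posts or from GL.iNet's firmware: the tunnel subnet 10.0.0.0/24, the LAN 192.168.8.0/24, the hostname vps.example.net, the interface name wg0 and all key placeholders are assumptions chosen for illustration.

```ini
# ---------------------------------------------------------------
# VPS (public static IP): /etc/wireguard/wg0.conf  -- assumed path
# ---------------------------------------------------------------
[Interface]
Address    = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# The VPS only forwards between peers; it does not need to NAT anything.
PostUp     = sysctl -w net.ipv4.ip_forward=1

# Peer 1: the GL.iNet router sitting behind CGNAT.
# On a server, AllowedIPs is both a route and an ingress filter:
#  - it tells the VPS to send packets for 192.168.8.0/24 to this peer
#  - it makes WireGuard drop packets with a 192.168.8.x source that
#    arrive from any OTHER peer (cryptokey routing).
[Peer]
PublicKey  = <ROUTER_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32, 192.168.8.0/24
# No Endpoint line: the router has no reachable address, so it must
# initiate; the VPS learns its current public IP:port from handshakes.

# Peer 2: a roaming device (laptop/phone) that should reach the cameras.
[Peer]
PublicKey  = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.0.0.3/32

# ---------------------------------------------------------------
# GL.iNet router: WireGuard *client* profile (CGNAT side)
# ---------------------------------------------------------------
[Interface]
Address    = 10.0.0.2/24
PrivateKey = <ROUTER_PRIVATE_KEY>

[Peer]
PublicKey  = <VPS_PUBLIC_KEY>
Endpoint   = vps.example.net:51820
# Tunnel subnet only, NOT 0.0.0.0/0. With the full-tunnel setting the
# router would install a default route into wg0 and every LAN client's
# internet traffic would exit via the VPS; with 10.0.0.0/24 only
# VPN-destined traffic enters the tunnel and the ISP stays the default.
#   AllowedIPs = 0.0.0.0/0      <- full tunnel (what the OP wants to avoid)
AllowedIPs = 10.0.0.0/24
# Essential behind CGNAT: keeps the outbound NAT mapping open so the VPS
# can deliver packets when a remote peer, not the router, starts a flow.
PersistentKeepalive = 25

# ---------------------------------------------------------------
# Roaming device: client profile
# ---------------------------------------------------------------
[Interface]
Address    = 10.0.0.3/24
PrivateKey = <LAPTOP_PRIVATE_KEY>

[Peer]
PublicKey  = <VPS_PUBLIC_KEY>
Endpoint   = vps.example.net:51820
# Tunnel subnet plus the remote LAN, so 192.168.8.x (the cameras) is
# routed into the tunnel and relayed by the VPS to the router peer.
AllowedIPs = 10.0.0.0/24, 192.168.8.0/24
PersistentKeepalive = 25
```

Two things are worth checking once this is up. First, the router must actually forward from the tunnel into the LAN (the "Remote Access LAN" toggle in the GL.iNet UI) and must not masquerade, otherwise the cameras see every remote peer as 10.0.0.2 and you lose the ability to filter by peer address. Second, with masquerading off, the cameras' replies to 10.0.0.3 need a route into wg0 on the router; that is what the route rule for 10.0.0.0/24 (or, in the OP's variant, the per-device VPN policy for the camera IPs) provides. Note also that the VPS peer list is now the only thing deciding who may reach the LAN, so keep the server's AllowedIPs tight and remove peers you no longer use.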
With my ever-changing topology and frequent double (and occasionally even triple) NAT, as well as frequent reliance on LTE WAN failover using CGNAT, Tailscale has never once failed me, even with my own WG and OVPN servers running. It is the stuff of magic...