How to bypass CGNAT using a VPN to access my web server.


Limp Gawd
Jun 16, 2017
I set up a web server, but my ISP blocks port forwarding because I am using mobile internet. The ISP uses CGNAT. I need port 80 open.

I heard that if I set up or use a VPN server, I can link it to my web server and then my website will be visible to anyone?

How exactly does this work?

Where is the VPN located relative to my web server? In my house, or on the internet somewhere?

How can I get more information on this? My skills are good, I can set this up but need help.
Yes... but no? It has to do with your second-to-last question.

Also as a side note, I've not looked at the rules in forever so I hope I'm not about to break one.

So, you'd need to have another service (another machine on another ISP, or virtual hosting which allows you to run programs/VPNs) to run the other endpoint on. Think of a VPN as a service (software running on a machine) that allows something else to appear as a local device, either routed or broadcast (on the same switch with no routing). Hence the name:
Virtual: runs on top of something else.
Private: explicitly between places, and encrypted.
Network: ... ummm, connecting two or more machines.

I just remembered that there are the "Privacy" "VPNs" (I have reasons for the quotes) everyone advertises today, which may work in this situation too, as they are mostly for shifting your traffic. There are gotchas though:
1. Make sure the VPN provider offers port forwarding.
2. I don't know if they'll allow you to select the port you get. AND 80 is the standard web port; you'll be sharing this IP address with many others, and if they allow you to pick and you ask for 80, it might already be taken.
3. The address you get will change, so you'll need to know the new address often, and while DDNS is a thing, there will be a delay in how quickly it updates.

For example, I have a friend who runs Plex but also uses one of these services. When he does, his Plex server goes offline. He told me his VPN allows port forwarding, but he was getting confused.
What I set up was: he gets the port, and I use a (really old) program that forwards from one port/IP to another, and I set the random port he gets to forward to the Plex server port. Plex updates the IP on the service and it comes back. He doesn't get to choose the port and has to tell the little program what the new port is whenever it changes, but he's okay with that.
I think you are SOL. Most off-the-shelf privacy VPN services are going to have preconfigured locations that are used by all of their users; they aren't going to allow you to hijack port 80 to host a website via a node that thousands of their users are using.

You might be able to make something work if you have hard-wired internet service someplace where you can configure your own VPN and router. But at that point, just move your web server there. Even then, most point-to-point VPN solutions I have used need to have some sort of ports forwarded.

1. Build a VPS on AWS, Azure or Oracle Cloud (pretty sure Oracle still has a free option available for a 6-core ARM derivative).
2. Set up a tunnel between home and the VPS.
3. Forward from the VPS to home.
What you would need is this (what Nicklebon said):

1. A web server set up as a reverse proxy (use nginx) on some web host; buy a cheap VPS (or something).
2. Install a VPN server on that.
3. Tunnel that VPN to your house, so you now need a router that can do VPN tunnels, or use the VPN software on your web server (OpenVPN, for example).
4. Go to town; you may need to do some NAT rules and iptables rules to get traffic back and forth.

But at this point, since you're paying for a VPS, you may as well just host your website on that for $5 a month and be done with it.

OR, if you can run your website on any other port, say port 25879, you set up your nginx reverse proxy and point it to your ISP IP/port and off you go.
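The VPS-plus-tunnel design from the two replies above (the three-step version and the nginx/OpenVPN version), written out as an added example; this is not code from any of the posters. It uses WireGuard rather than OpenVPN because the configuration is short, and every address, hostname, port, interface name and key string in it is an assumed placeholder. The functions render the three pieces you would deploy: the WireGuard config on each end, the nginx site on the VPS, and, as the alternative the fourth step hints at, the raw iptables DNAT rules.

```shell
#!/bin/sh
# Added example (not from the thread): render the configs for a VPS with a public
# address, a WireGuard tunnel that the home web server dials OUT through the
# carrier's CGNAT, and nginx on the VPS proxying port 80 back down the tunnel.
# All values below are assumptions/placeholders. Keys come from:
#   wg genkey | tee vps.key | wg pubkey > vps.pub    (and again for "home")

VPS_PUBLIC_IP="203.0.113.10"   # assumed VPS address (TEST-NET-3), substitute yours
SITE_HOST="www.example.com"    # assumed hostname nginx answers for
WG_PORT=51820                  # UDP port WireGuard listens on at the VPS
WG_VPS_ADDR="10.8.0.1"         # tunnel address of the VPS
WG_HOME_ADDR="10.8.0.2"        # tunnel address of the home web server
HOME_HTTP_PORT=8080            # port the web server listens on at home
VPS_WAN_IF="eth0"              # assumed public interface name on the VPS

# /etc/wireguard/wg0.conf on the VPS. Deliberately no Endpoint for the home
# peer: its CGNAT address is unknown and changes, so the VPS just listens.
wg_vps_conf() {
  vps_priv="$1"; home_pub="$2"
  cat <<EOF
[Interface]
Address = ${WG_VPS_ADDR}/24
ListenPort = ${WG_PORT}
PrivateKey = ${vps_priv}

[Peer]
# home web server; only its own tunnel address is accepted from this peer
PublicKey = ${home_pub}
AllowedIPs = ${WG_HOME_ADDR}/32
EOF
}

# /etc/wireguard/wg0.conf on the home web server. The home side always
# initiates (outbound UDP is fine through CGNAT); PersistentKeepalive refreshes
# the carrier's NAT mapping so the VPS can keep sending packets down the tunnel.
wg_home_conf() {
  home_priv="$1"; vps_pub="$2"
  cat <<EOF
[Interface]
Address = ${WG_HOME_ADDR}/24
PrivateKey = ${home_priv}

[Peer]
PublicKey = ${vps_pub}
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
# only the VPS's tunnel address is routed through WireGuard; the rest of the
# LAN keeps using the mobile uplink
AllowedIPs = ${WG_VPS_ADDR}/32
PersistentKeepalive = 25
EOF
}

# nginx site on the VPS: the only listener on :80, so the home box never faces
# the internet directly; the real client address travels in X-Forwarded-For.
nginx_site_conf() {
  cat <<EOF
server {
    listen 80;
    server_name ${SITE_HOST};

    location / {
        proxy_pass http://${WG_HOME_ADDR}:${HOME_HTTP_PORT};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Alternative without nginx: DNAT port 80 on the VPS straight to the home box.
# MASQUERADE on wg0 is what makes it work: the home server's default route is
# the mobile uplink, so without it replies to internet clients would leave via
# CGNAT and never arrive. Cost: the web server only ever sees 10.8.0.1 as client.
vps_dnat_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i ${VPS_WAN_IF} -p tcp --dport 80 -j DNAT --to-destination ${WG_HOME_ADDR}:${HOME_HTTP_PORT}
iptables -A FORWARD -i ${VPS_WAN_IF} -o wg0 -p tcp -d ${WG_HOME_ADDR} --dport ${HOME_HTTP_PORT} -j ACCEPT
iptables -A FORWARD -i wg0 -o ${VPS_WAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
EOF
}

# Usage (after sourcing this file, with real keys in place):
#   wg_vps_conf  "$(cat vps.key)"  "$(cat home.pub)" > /etc/wireguard/wg0.conf   # on the VPS
#   wg_home_conf "$(cat home.key)" "$(cat vps.pub)"  > /etc/wireguard/wg0.conf   # at home
#   wg-quick up wg0 on both ends, then from the VPS: curl http://10.8.0.2:8080/
```

The point for the CGNAT case is that nothing at home needs an inbound port: the home box dials the VPS and the keepalive holds the mapping open, so only the VPS needs UDP 51820 and TCP 80 reachable. Of the two forwarding options, the nginx one is the one to prefer for the reasons the later reply gives about putting nginx in front of the real web server; the DNAT variant is there to show what "NAT rules and iptables rules" actually means and why the MASQUERADE line is not optional.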
But at this point, since you're paying for a VPS, you may as well just host your website on that for $5 a month and be done with it.
This is the real problem, and why I didn't bother mentioning it in my post.

There are definitely some options, but they are all going to come at a cost similar to just having your website hosted by someone else.
How critical is it to have this website up all the time?

Is it separated out on your network in its own VLAN, so that in case it gets compromised it won't take down your entire network if someone gets access?

Note: no matter where you host it, do not have your main web server directly on the net. Use nginx in front of it as a reverse proxy / cache server whichever way you do it, and use it to limit protocols, add security, and other things.
Check out cloudflared. You run the agent on your server and it creates a tunnel back to Cloudflare, and Cloudflare fronts the website. Takes maybe 10 minutes to set up.