Access IPFire box via VPN through CGNAT

One of my kids lives in a building that is wired with Internet using CGNAT (Carrier-grade NAT). I am guessing the IPFire device will work fine except for VPN (like IPsec).

I am wondering how other CGNAT homes/businnesses have gotten VPN to work. Is it possible?

I’ve searched the ISP web-site and there is nothing mentioned about requesting non-CGNAT or even a static IP address. They seem like a small company…

Incase this is not clear, I am trying to access the Kid IPFire box via the Internet via IPSec VPN

Hi @jon.

In my experience, within a CGNAT you have to ask the operator to take you out of that mode.

As an operator I have DIGI and they have CGNAT. For OpenVPN to work, I had to get out of CGNAT for 1 Euro more per month (dynamic ip).

I don’t know if there is another way to do it, but that’s my experience.

You will tell us.


1 Like

From what I have read it looks like the only option, other than asking for a non-CGNAT connection, is to make a connection to an external VPN server, so that IPFire is the client.

That could be done either with a commercial VPN provider or you could set up a hosted machine at an external hosting company that gets a VPN server installed on it. That machine then acts as the VPN server with IPFire as the VPN client.

Neither is an easy option but those are what I found mentioned as how to overcome the CGNAT issue for VPN connections.

Sorry I can’t be more helpful.


Not built into WUI of ipfire.

So no free solution.

Son VPN into your ipfire from CGNAT then
He can VPN into your ipfire from remote location back to his home.
Firewall rules abound.


thank you for your thoughts and comments! Not sure what I’ll do at the moment.

Maybe a part-time (as needed) Net-to-Net IPsec VPN connection from the remote kid IPFire to the home IPFire.

Thanks again!

@Jon I recently thought to solve a similar problem using SSH instead of VPN, having the tunnel established from inside of the CGNAT network.

I am planning to use a ssh port forward, to open a tunnel forwarding the wui of a fritzbox of family member behind a CGNAT. This scheme requires an intermediate server with a publicly available IP.

The plan is the following (here I use IPFire WUI as the target instead of a fritzbox):

  1. from IPFire, run a ssh command to connect to my intermediate server, forwarding port 444 to port 8444
ssh -R 8444:localhost:444 -N -f user@intermediate-server
  1. from my laptop at work I can establish the other half of the SSH tunnel
ssh -L 8444:localhost:8444 user@intermediate-server
  1. now I can point my browser to https://localhost:8444 and trough the two halves of the tunnel, I can reach the WUI behind the CGNAT.

The only problem I can anticipate is when the SSH connection from the target network is broken off by an IP change. In this case a script called will probe the ssh connection every 10 min and restart it when it gets broken:



# Check if the SSH tunnel is up
nc -z -w 5 localhost $LOCAL_PORT

# If the tunnel is down, reconnect
if [ $? -ne 0 ]; then

chmod +x /path/to/
fcrontab -e

*/10 * * * * /path/to/ > /dev/null 2>&1

This is just a preliminary plan but I thought to share it in case you want to try something similar.

To help visualize the scheme, here a simple ascii diagram:

Local Machine              Intermediate Server                CGNAT Network
+------------+             +------------------+              +------------+
|            |  VPN/SSH to |                  |  SSH tunnel  | IPFire WUI |
|            |<----------->|         port 8444|<------------>|port 444    |
|            |  port 8444  |                  | (Remote Port |            |
+------------+             +------------------+  forwarding) +------------+ 
1 Like

Thank you!

I had seen solutions similar to this when searching. I do not have the Intermediate Server to use without paying.

And since I’d only use it once every month (maybe once every two months) it did not seem worth the cost.

A Mac has a nice Screen Sharing program so we just use that when it is needed.