One of my kids lives in a building that is wired with Internet using CGNAT (Carrier-grade NAT). I am guessing the IPFire device will work fine except for VPN (like IPsec).

I am wondering how other CGNAT homes/businnesses have gotten VPN to work. Is it possible?

I’ve searched the ISP web-site and there is nothing mentioned about requesting non-CGNAT or even a static IP address. They seem like a small company…

Hi @jon.

In my experience, within a CGNAT you have to ask the operator to take you out of that mode.

As an operator I have DIGI and they have CGNAT. For OpenVPN to work, I had to get out of CGNAT for 1 Euro more per month (dynamic ip).

I don’t know if there is another way to do it, but that’s my experience.

You will tell us.


1 Like

From what I have read it looks like the only option, other than asking for a non-CGNAT connection, is to make a connection to an external VPN server, so that IPFire is the client.

That could be done either with a commercial VPN provider or you could set up a hosted machine at an external hosting company that gets a VPN server installed on it. That machine then acts as the VPN server with IPFire as the VPN client.

Neither is an easy option but those are what I found mentioned as how to overcome the CGNAT issue for VPN connections.

Sorry I can’t be more helpful.


Not built into WUI of ipfire.

So no free solution.

Son VPN into your ipfire from CGNAT then
He can VPN into your ipfire from remote location back to his home.
Firewall rules abound.


thank you for your thoughts and comments! Not sure what I’ll do at the moment.

Maybe a part-time (as needed) Net-to-Net IPsec VPN connection from the remote kid IPFire to the home IPFire.

Thanks again!