this post was submitted on 28 Jul 2025

Self-Hosted Alternatives to Popular Services

This is an automated archive made by the Lemmit Bot.

The original was posted on /r/selfhosted by /u/Same_Detective_7433 on 2025-07-28 00:27:47+00:00.


Too many people still seem to think it is hard to get incoming IPv4 through a Starlink. And while yes, it is a pain, with almost ANY VPS ($5 and cheaper per month) you can get it, complete, invisible, working with DNS and all that magic.

I will post the directions here, including config examples, so it will seem long, BUT IT IS EASY, and the configs are just normal wg0.conf files you probably already have, but with forwarding rules in there. You can apply these in many different ways, but this is how I like to do it, and it works, and it is secure. (Well, as secure as sharing your crap on the internet is on any given day!)

Only three parts, wg0.conf, firewall setup, and maybe telling your home network to let the packets go somewhere, but probably not even that.

I will assume you know how to set up wireguard, this is not to teach you that. There are many guides, or ask questions here if you need, hopefully someone else or I will answer.

You need wireguard on both ends, installed on the server, and SOMEWHERE in your network, a router, a machine. Your choice. I will address the VPS config to bypass CGNAT here, the internals to your network are the same, but depend on your device.

You will put the endpoint on your home network wireguard config to the OPEN PORT you have on your VPS, and have your network connect to it, it is exactly like any other wireguard setup, but you make sure to specify the endpoint of your VPS on the home wireguard, NOT the other way around - That is the CGNAT traversal magic right there, that's it. Port forwarding just makes it useful. So your home network connects out, but that establishes a tunnel that works both directions, bypassing the CGNAT.

Firewall rules - YOU NEED to open any ports on the VPS that you want forwarded, otherwise, it cannot receive them to forward them - obvious, right? Also the wireguard port needs to be opened. I will give examples below in the Firewall Section.

You need to enable packet forwarding on the linux VPS, which is done INSIDE the config example below.

You need to choose ports to forward, and where you forward them to, which is also INSIDE the config example below, for 80, 443, etc....


Here are the config examples - it is ONLY a normal wg0.conf with forwarding rules added, explained below, nothing special, it is less complex than it looks, just read it.

wg0.conf on VPS

# local settings for the public server
[Interface]
PrivateKey = <Yeah, get your own>
Address = 192.168.15.10
ListenPort = 51820

# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1

# port forwarding
###################
#HomeServer - Note Ethernet IP based incoming routing(Can use a whole adapter)
###################
PreUp = iptables -t nat -A PREROUTING -d 200.1.1.1 -p tcp --dport 443 -j DNAT --to-destination 192.168.10.20:443
PostDown = iptables -t nat -D PREROUTING -d 200.1.1.1 -p tcp --dport 443 -j DNAT --to-destination 192.168.10.20:443
#
PreUp = iptables -t nat -A PREROUTING -d 200.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.20:80
PostDown = iptables -t nat -D PREROUTING -d 200.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.20:80
#
PreUp = iptables -t nat -A PREROUTING -d 200.1.1.1 -p tcp --dport 10022 -j DNAT --to-destination 192.168.10.20:22
PostDown = iptables -t nat -D PREROUTING -d 200.1.1.1 -p tcp --dport 10022 -j DNAT --to-destination 192.168.10.20:22
#
PreUp = iptables -t nat -A PREROUTING -d 200.1.1.1 -p tcp --dport 10023 -j DNAT --to-destination 192.168.50.30:22
PostDown = iptables -t nat -D PREROUTING -d 200.1.1.1 -p tcp --dport 10023 -j DNAT --to-destination 192.168.50.30:22
#
PreUp = iptables -t nat -A PREROUTING -d 200.1.1.1 -p tcp --dport 10024 -j DNAT --to-destination 192.168.10.1:22
PostDown = iptables -t nat -D PREROUTING -d 200.1.1.1 -p tcp --dport 10024 -j DNAT --to-destination 192.168.10.1:22
#
PreUp = iptables -t nat -A PREROUTING -d 200.1.1.1 -p tcp --dport 5443 -j DNAT --to-destination 192.168.10.1:443
PostDown = iptables -t nat -D PREROUTING -d 200.1.1.1 -p tcp --dport 5443 -j DNAT --to-destination 192.168.10.1:443

# packet masquerading
PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

# remote settings for the private server
[Peer]
PublicKey = <Yeah, get your own>
PresharedKey = <Yeah, get your own>
AllowedIPs = 192.168.10.0/24, 192.168.15.0/24

You need to change the IP (in this example 200.1.1.1) to your VPS IP; you can even use more than one if you have more than one.

I explain below what the port forwarding commands do, this config ALSO allows linux to forward packets and masquerade packets, this is needed to have your home network respond properly.

The port forwards are as follows...

443 IN --> 192.168.10.20:443

80 IN --> 192.168.10.20:80

10022 IN --> 192.168.10.20:22

10023 IN --> 192.168.10.30:22

10024 IN --> 192.168.10.1:22

5443 IN --> 192.168.10.1:5443

The line

PreUp = sysctl -w net.ipv4.ip_forward=1

simply allows the linux kernel to forward packets to your network at home.

You STILL NEED to allow forwarding in UFW or whatever firewall you have. This is a different thing. See Firewall below.


FIREWALL

Second, you need to set up your firewall to accept these packets, in this example, 22,80,443,10022,10023,5443

You would use (these are from memory, so may need tweaking)

sudo ufw allow 22

sudo ufw allow 80

sudo ufw allow 443

sudo ufw allow 10022

sudo ufw allow 10023

sudo ufw allow 10024

sudo ufw allow 5443

sudo ufw route allow to 192.168.10.0/24

sudo ufw route allow to 192.168.15.0/24

To get the final firewall setting (for my example setup) of....

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820                      ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
10022                      ALLOW IN    Anywhere
10023                      ALLOW IN    Anywhere
10024                      ALLOW IN    Anywhere
51821                      ALLOW IN    Anywhere
192.168.10.0/24            ALLOW FWD   Anywhere
192.168.15.0/24            ALLOW FWD   Anywhere

FINALLY - Whatever machine you used in your network to access the VPS to make a tunnel NEEDS to be able to see the machines you want to access, this depends on the machine, and the rules set up on it. Routers often have firewalls that need a RULE letting the packets from to the LAN, although if you set up wireguard on an openwrt router, it is (probably) in the lan firewall zone, so should just work. Ironically this makes it harder and needs a rule to access the actual router sometimes. - Other machines will vary, but should probably work by default. (Maybe)


TESTING

Testing access is as simple as pinging or running curl on the VPS to see it is talking to your home network, if you can PING and especially curl your own network like this

curl 192.168.15.1
curl https://192.168.15.1/

or whatever your addresses are from the VPS, it IS WORKING, and any other problems are your firewall or your port forwards.


This has been long and rambling, but absolutely bypasses CGNAT on Starlink, I am currently bypassing three separate ones like this, and log in with my domain, like router.mydomain.com, IPv4 only with almost no added lag, and reliable as heck.

Careful, DO NOT forward port 22 from the VPS if you use it to configure your VPS, as then you will not be able to log in to your VPS, because it is forwarded to your home network. It is obvious if you think about it.

Good luck, hope this helps someone.
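
Added example, not part of the original post: a pre-flight check you can run before `wg-quick up` that verifies each DNAT target falls inside the peer's AllowedIPs and a `ufw route allow to` network, and that no forward takes over the VPS's own SSH port. The function names and finding labels are made up for this sketch, and the port-22 rule in the sample is constructed to trigger the lock-out case; the other two rules are copied from the config above.

```python
import ipaddress
import re

# Constructed sample: two rules from the post's VPS wg0.conf plus one
# made-up rule on port 22 to show the lock-out the post warns about.
SAMPLE_CONF = """\
[Interface]
ListenPort = 51820
PreUp = iptables -t nat -A PREROUTING -d 200.1.1.1 -p tcp --dport 443 -j DNAT --to-destination 192.168.10.20:443
PreUp = iptables -t nat -A PREROUTING -d 200.1.1.1 -p tcp --dport 10023 -j DNAT --to-destination 192.168.50.30:22
PreUp = iptables -t nat -A PREROUTING -d 200.1.1.1 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.20:22
[Peer]
AllowedIPs = 192.168.10.0/24, 192.168.15.0/24
"""
# Networks from the post's "ufw route allow to ..." commands.
ROUTE_ALLOW = ["192.168.10.0/24", "192.168.15.0/24"]

DNAT_RE = re.compile(r"-A PREROUTING .*--dport (\d+) .*--to-destination ([\d.]+):(\d+)")

def parse_conf(text):
    """Return ([(public_port, dest_ip, dest_port)], [AllowedIPs networks])."""
    forwards, allowed = [], []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#"):
            continue  # skip commented-out rules
        m = DNAT_RE.search(line)
        if m:
            forwards.append((int(m[1]), ipaddress.ip_address(m[2]), int(m[3])))
        elif line.startswith("AllowedIPs"):
            nets = line.split("=", 1)[1].split(",")
            allowed += [ipaddress.ip_network(n.strip()) for n in nets]
    return forwards, allowed

def audit(text, route_allow, vps_ssh_port=22):
    """Return a sorted list of (public_port, finding) tuples."""
    forwards, allowed = parse_conf(text)
    routed = [ipaddress.ip_network(n) for n in route_allow]
    findings = []
    for port, dest, _dest_port in forwards:
        if not any(dest in net for net in allowed):
            findings.append((port, "not-in-allowedips"))  # never enters wg0
        if not any(dest in net for net in routed):
            findings.append((port, "no-route-allow"))     # default routed policy is deny
        if port == vps_ssh_port:
            findings.append((port, "shadows-vps-ssh"))    # VPS login goes to the home host
    return sorted(findings)

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONF, ROUTE_ALLOW):
        print(f"public port {port}: {finding}")
```

Run against the sample, it flags the 10023 forward to 192.168.50.30, which is outside both AllowedIPs networks, and the constructed port-22 forward.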
