CGNAT, Gaming & Remote Access
How Carrier-Grade NAT blocks inbound connections and the recommended fix: a WireGuard tunnel to a VPS with a public IPv4 address for gaming NAT type and remote access via OPNsense.
Carrier-Grade NAT (CGNAT) prevents OPNsense port forwarding from fixing inbound connectivity because the ISP NAT sits upstream of the home router. This page covers the problem, the approaches considered (Tailscale vs. WireGuard via a VPS), the chosen pattern, and its tradeoffs.
The CGNAT Problem
Under CGNAT the ISP does not assign a directly reachable public IPv4 address to the router. Port forwards configured on OPNsense have no effect: the ISP's upstream NAT intercepts inbound packets before they can reach the home WAN interface.
Practical consequences:
- Multiplayer games that require open or moderate NAT type report strict NAT.
- Inbound peer-to-peer game connections fail.
- Remote admin access (direct inbound) is not possible without an alternative path.
OPNsense port forwarding alone cannot fix CGNAT
Adding DNAT rules in OPNsense does nothing when the ISP places the connection behind CGNAT. The missing requirement is a publicly reachable IPv4 address outside the ISP's own NAT.
Recommended Pattern
Use a VPS with a static public IPv4 as the inbound endpoint. Tunnel selected traffic (gaming and/or admin) from the VPS back to OPNsense at home via WireGuard.
```text
Internet / game services
        |
Public IPv4 VPS          ← receives inbound game UDP and admin traffic
        |
WireGuard tunnel
        |
OPNsense at home         ← policy-routes and NATs traffic into the LAN
        |
Gaming VLAN / devices
```

Example addressing
| Role | Address |
|---|---|
| WireGuard tunnel network | 10.60.0.0/24 |
| VPS WireGuard IP | 10.60.0.1 |
| OPNsense WireGuard IP | 10.60.0.2 |
| Gaming VLAN | 192.168.30.0/24 |
| Example gaming device | 192.168.30.50 |
OPNsense Configuration Strategy
Configure OPNsense to participate in the VPS WireGuard tunnel and steer gaming traffic through it.
- Create a dedicated Gaming VLAN (e.g. 192.168.30.0/24). Use DHCP reservations for consoles and PCs where a stable IP is needed.
- Add the WireGuard VPS tunnel as an OPNsense interface.
- Apply policy routing so gaming-VLAN traffic exits through the WireGuard VPS gateway rather than the default ISP WAN.
- Enable Hybrid Outbound NAT with a static-port rule for gaming traffic so OPNsense does not rewrite the source port. The VPS NAT must preserve it as well; the external mapping is only predictable if every NAT hop keeps the port.
- On the VPS, configure DNAT for selected UDP ports, forwarding them through the WireGuard tunnel to the gaming device or subnet. Limit the forward rules to exactly those ports: anything DNAT'd through the tunnel is reachable from the whole internet.
VPS DNAT Example
Common UDP ports used by game consoles:
| Port(s) | Protocol | Common use |
|---|---|---|
| 3074 | UDP | Xbox / Call of Duty peer traffic |
| 3478–3480 | UDP | PlayStation Network |
Conceptual DNAT flow on the VPS:
VPS public UDP 3074 → 10.60.0.2 (OPNsense WG) → 192.168.30.50 UDP 3074

VPS implementation details vary
The specific commands depend on the VPS operating system and firewall tool (e.g. iptables, nftables). The concept is consistent: DNAT the public UDP port to OPNsense's WireGuard IP, which forwards it to the gaming device.
Single-Device Port-Forwarding Limitation
One external UDP port cannot serve multiple devices simultaneously
Simple DNAT maps one public port to exactly one internal destination. Forwarding UDP 3074 to two gaming devices at the same time via a single static rule is not possible.
Better approach for households with multiple gaming devices:
- Place all gaming devices in a dedicated Gaming VLAN.
- Route the entire Gaming VLAN through the WireGuard VPS tunnel rather than forwarding individual ports.
- Use DHCP reservations to keep device IPs stable.
- Accept that some games or platforms may still impose per-port restrictions that cannot be fully resolved.
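The following script is an added example for this page, not the page's own or any project's code. It renders the VPS side of the pattern from the VPS DNAT Example and the whole-VLAN approach above: a WireGuard peer definition for OPNsense and an nftables ruleset that DNATs the game ports from the table to OPNsense's WireGuard IP (OPNsense then port-forwards from its WireGuard interface to 192.168.30.50, as the flow above describes) and lets the entire gaming VLAN egress through the VPS address. Addresses are the page's example addressing; the public interface name `eth0`, WireGuard port 51820, SSH port 22, and the `render`/`apply` command names are assumptions. Keys are generated beforehand with `wg genkey` and `wg pubkey` and passed in.

```shell
#!/bin/sh
# Added example (not from the original page): render and apply the VPS side
# of the CGNAT bypass. Assumptions not on the page: eth0, UDP 51820, TCP 22.
VPS_WG_IP="10.60.0.1"          # VPS WireGuard IP (page)
OPN_WG_IP="10.60.0.2"          # OPNsense WireGuard IP (page)
GAMING_VLAN="192.168.30.0/24"  # gaming VLAN (page)
PUB_IF="${PUB_IF:-eth0}"       # assumption: VPS public interface
WG_PORT="${WG_PORT:-51820}"    # assumption: WireGuard listen port
SSH_PORT="${SSH_PORT:-22}"     # assumption: admin SSH port
FORWARD_PORTS="3074 3478-3480" # game UDP ports from the page's table

# Turn "3074 3478-3480" into the nft set "{ 3074, 3478-3480 }", rejecting
# anything that is not digits or a digit range.
nft_port_set() {
  out=""
  for p in "$@"; do
    case "$p" in
      ""|*[!0-9-]*|-*|*-) printf 'invalid port spec: %s\n' "$p" >&2; return 1 ;;
    esac
    out="${out:+$out, }$p"
  done
  printf '{ %s }' "$out"
}

# VPS WireGuard config. No Endpoint for the OPNsense peer: the home side is
# behind CGNAT and must initiate. AllowedIPs must include the gaming VLAN or
# WireGuard drops tunnel packets carrying 192.168.30.x source addresses.
render_wg_conf() {
  vps_key="$1"; opn_pub="$2"; psk="$3"
  cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = ${vps_key}

[Peer]
# OPNsense at home (initiator, behind CGNAT, so no Endpoint here)
PublicKey = ${opn_pub}
PresharedKey = ${psk}
AllowedIPs = ${OPN_WG_IP}/32, ${GAMING_VLAN}
EOF
}

# nftables: default-drop, DNAT only the listed UDP ports into the tunnel,
# and masquerade the gaming VLAN's own outbound flows behind the VPS IP.
render_nft_conf() {
  ports=$(nft_port_set $FORWARD_PORTS) || return 1   # unquoted: split on spaces
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet gaming {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    icmp type echo-request accept
    tcp dport ${SSH_PORT} accept
    udp dport ${WG_PORT} accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # inbound game traffic: only the DNAT'd ports, only toward OPNsense
    iifname "${PUB_IF}" oifname "wg0" ip daddr ${OPN_WG_IP} udp dport ${ports} accept
    # outbound: the whole gaming VLAN may originate flows through the VPS
    iifname "wg0" oifname "${PUB_IF}" ip saddr ${GAMING_VLAN} accept
  }
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname "${PUB_IF}" udp dport ${ports} dnat ip to ${OPN_WG_IP}
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # masquerade keeps the original source port while it is free: one console
    # on 3074 shows up as <VPS IP>:3074, a second one on 3074 gets rewritten
    oifname "${PUB_IF}" ip saddr ${GAMING_VLAN} masquerade
  }
}
EOF
}

render_sysctl() { printf 'net.ipv4.ip_forward = 1\n'; }

# write_all ROOT VPS_PRIVKEY OPN_PUBKEY PSK  (ROOT="" writes to the real /etc)
write_all() {
  root="$1"; shift
  mkdir -p "$root/etc/wireguard" "$root/etc/sysctl.d"
  render_wg_conf "$@" > "$root/etc/wireguard/wg0.conf"
  chmod 600 "$root/etc/wireguard/wg0.conf"      # holds the private key
  render_nft_conf > "$root/etc/nftables.conf"
  render_sysctl > "$root/etc/sysctl.d/99-wg-forward.conf"
}

# wg-quick installs the AllowedIPs routes, so 10.60.0.2 and the VLAN are
# reachable via wg0 without extra route commands.
apply_all() {
  sysctl -p /etc/sysctl.d/99-wg-forward.conf
  nft -f /etc/nftables.conf
  wg-quick up wg0
}

case "${1:-}" in
  render) shift; write_all "$@" ;;   # render DIR VPS_PRIVKEY OPN_PUBKEY PSK
  apply)  apply_all ;;
esac
```

Usage on the VPS: `sh vps-side.sh render "" "$(cat vps.key)" "$OPN_PUB" "$PSK"` followed by `sh vps-side.sh apply`. On the OPNsense side, enter the mirror image in the WireGuard instance and peer forms: address 10.60.0.2/24, the VPS public IP and port as the peer endpoint, 10.60.0.0/24 as allowed IPs, and a persistent keepalive (25 seconds is the usual value). The keepalive is not optional here: once the CGNAT mapping for the tunnel times out, the VPS cannot reach OPNsense until OPNsense sends again, and the DNAT'd game packets are dropped in the meantime.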
Tailscale vs. WireGuard
Both Tailscale and WireGuard address NAT traversal but serve different roles here:
| Tool | Best suited for | Notes |
|---|---|---|
| WireGuard (VPS tunnel) | Public inbound UDP ports, gaming NAT type | Direct, controllable; requires a rented VPS |
| Tailscale | Private remote access, admin connectivity | Simpler mesh setup; not designed for public inbound game ports |
For public inbound game UDP port forwarding, a plain WireGuard tunnel to a VPS with a public IPv4 is clearer and more controllable than Tailscale.
Tailscale remains useful alongside the WireGuard VPS approach for:
- Admin access to OPNsense and Proxmox.
- Backup remote management when the VPS tunnel is down.
- Private access to internal services without exposing public ports.
NAT type may not be perfectly fixable for every title
NAT type behavior depends on the specific game and platform. Some titles may still report a restricted NAT type despite correct port forwarding. This is a platform-level constraint, not a configuration error.
Related Pages
- IP Addressing & VLANs — supernets, VLANs, and WireGuard site-to-site addressing
- Migration Phases — OPNsense rollout sequence including WireGuard and VLAN configuration