CGNAT Killed Your Static IP—Get Back Online with a 10-Minute Cloudflare Tunnel

Posted on July 3, 2025 (updated April 20, 2026)
[Figure: a home server establishing an outbound Cloudflare Tunnel, bypassing carrier-grade NAT to reach the public internet]
Networking · Self-Hosting · How-To


Your ISP quietly swapped your static IP for CGNAT and your self-hosted server vanished from the internet. Here’s exactly how to get it back — in ten minutes, for free — using Cloudflare Tunnel.


1 What Is CGNAT?

Carrier-Grade Network Address Translation (CGNAT, also called LSN — Large-Scale NAT) moves the NAT function from your home router up into the provider’s core network. Each subscriber’s router receives an address from the 100.64.0.0/10 shared address space (RFC 6598) instead of a public one, and tens of thousands of customers share a single public IPv4 address behind the carrier’s NAT. ISPs deploy it to stretch the remaining IPv4 pool — you won’t always be told, and many people only notice when their server disappears.

Outbound — Still Works

  • Your router dials out normally
  • CGNAT tracks the session state
  • Return packets arrive fine
  • Browsing, streaming, gaming — unaffected

Inbound — Broken

  • No port-forwarding on the carrier’s hardware
  • No route to your private address from outside
  • Servers, VPNs, CCTV — all invisible
  • Dynamic DNS can’t fix it — packets stop at the carrier’s edge
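
A quick way to confirm the diagnosis above is to look at the address your router was given on its WAN side. The POSIX sh functions below are an added example (not from the original article): they classify an IPv4 address as CGNAT shared space, RFC 1918 private, or public, and compare the router’s WAN address with the address the internet sees for you; both input addresses are assumed to be pasted in from your router’s status page and an external "what is my IP" check.

```sh
#!/bin/sh
# Classify an IPv4 address as it appears on the router's WAN interface.
# Prints one of: cgnat | private | public | invalid (exit 1 on invalid).
addr_class() {
    ip="$1"
    # Split into octets on '.'; require exactly four numeric fields 0-255.
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) echo invalid; return 1;; esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    a=$1; b=$2
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        # 100.64.0.0/10 (RFC 6598): the ISP is doing the NAT, inbound is unreachable
        echo cgnat
    elif [ "$a" -eq 10 ] \
      || { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } \
      || { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; }; then
        # RFC 1918: a second NAT layer (double NAT) sits in front of this router
        echo private
    else
        echo public
    fi
}

# Inbound port-forwarding can only work when the router's WAN address is
# public AND it is the same address the outside world observes for you.
# Usage: inbound_reachable <router WAN address> <externally observed address>
inbound_reachable() {
    wan="$1"; observed="$2"
    [ "$(addr_class "$wan")" = public ] && [ "$wan" = "$observed" ]
}
```

A WAN address such as 100.64.12.7 paired with a different observed public address is the CGNAT case the rest of this guide solves; a public WAN address that still differs from the observed one usually means an extra NAT hop you control.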

2 Two Cloudflare Models — Why Only One Works

Cloudflare offers two distinct ways to protect and deliver your site. They look similar in the dashboard but behave completely differently behind CGNAT.

Standard Orange-Cloud Proxy

Cloudflare’s edge opens a TCP connection back to your origin on port 80/443. Requires a routable public IP. Fails behind CGNAT.

Cloudflare Tunnel (Zero Trust)

Your server makes outbound HTTPS+WebSocket connections to Cloudflare. No public IP required. Works perfectly behind CGNAT.

The tunnel flips the connection model — your server dials out, so CGNAT never sees unsolicited inbound traffic. Visitors hit Cloudflare’s edge; Cloudflare forwards requests down the persistent tunnel your server opened.


3 Step-by-Step: Setting Up Cloudflare Tunnel
  1. Create a free Cloudflare account and add your domain

     Transfer DNS to Cloudflare’s nameservers if it isn’t there already. The free plan covers everything in this guide.

  2. Install cloudflared on your server

     Packages are available for Windows, Linux (apt/rpm), macOS, and Docker. Download from the Cloudflare Zero Trust dashboard or the GitHub releases page.

  3. Authenticate, create the tunnel, and route DNS

     Run these commands on your server. The login step opens a browser window to complete OAuth with your Cloudflare account:

       # Authenticate — opens browser for Cloudflare login
       cloudflared tunnel login
       # Create a persistent named tunnel
       cloudflared tunnel create mysite
       # Point a DNS hostname at the tunnel
       cloudflared tunnel route dns mysite example.com
       # Run the tunnel (foreground — Ctrl+C to stop)
       cloudflared tunnel run mysite

  4. Install as a system service

     Run cloudflared service install to register a systemd or Windows service so the tunnel survives reboots. For Docker, add restart: unless-stopped to your Compose file.

  5. Harden access with Zero Trust policies (optional)

     Add Google, GitHub, or email OTP authentication gates via Cloudflare Access on the same free tier — no VPN required to protect your admin interfaces.

Firewall note: Ensure outbound TCP and UDP on port 443 is permitted from your server. The tunnel uses both protocols for latency optimisation — UDP-only or TCP-only firewalls will degrade performance.

4 What You Get for Free

Solving CGNAT is just the start. Running through Cloudflare Tunnel gives you several production-grade extras at no additional cost.

Automatic TLS

  • Free Universal SSL certificate
  • Auto-renews — no certbot or cron needed
  • HTTPS enforced at the edge

IPv6 Support

  • Cloudflare speaks IPv6 to clients
  • Works even if your LAN is IPv4-only
  • No reconfiguration on your end

Multi-Service Tunnels

  • Expose SSH, RDP, MQTT, or custom ports
  • Route multiple hostnames down one tunnel
  • Cloudflare Access provides per-service auth gates
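
The cloudflared tunnel run step in section 3 takes its ingress rules from a config file (by default ~/.cloudflared/config.yml), and that same file is how several hostnames and services share one tunnel as described above. The file below is an added example, not from the article or from Cloudflare; it assumes the tunnel is named mysite, that the credentials JSON was written by cloudflared tunnel create, and that the hostnames, ports and home directory are placeholders to replace with your own.

```yaml
# ~/.cloudflared/config.yml  (added example; all hostnames/ports are placeholders)
tunnel: mysite
# Written by `cloudflared tunnel create mysite`; the file is named after the tunnel UUID.
credentials-file: /home/user/.cloudflared/<TUNNEL-UUID>.json

# Rules are evaluated top to bottom; the first matching hostname wins.
ingress:
  # Public website: plain HTTP to the local web server. Visitors still get HTTPS,
  # because TLS terminates at Cloudflare's edge and the hop to localhost never leaves the box.
  - hostname: example.com
    service: http://localhost:80

  # Home-lab dashboard that serves its own self-signed certificate.
  - hostname: lab.example.com
    service: https://localhost:8443
    originRequest:
      # Only acceptable because the origin is on the same host; do not use this for a remote origin.
      noTLSVerify: true

  # SSH down the same tunnel. Clients connect through `cloudflared access ssh`
  # (e.g. as an ssh ProxyCommand); put a Cloudflare Access policy (step 5) in front of it.
  - hostname: ssh.example.com
    service: ssh://localhost:22

  # Mandatory catch-all: cloudflared refuses to start without a final rule that matches
  # everything, and a 404 here means an unlisted hostname never reaches an origin.
  - service: http_status:404
```

Before starting the service, cloudflared tunnel ingress validate checks the file for errors, and cloudflared tunnel ingress rule https://lab.example.com shows which rule a given URL would hit.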

Performance & Protection

  • Routes through nearest Cloudflare PoP
  • Often faster than a direct residential path
  • DDoS mitigation included at no cost

5 Alternatives If Tunnel Isn’t for You

Cloudflare Tunnel is the right answer for most self-hosted web services, but there are other paths depending on your specific constraints.

  • Business Static IP: Pay your ISP for a dedicated address — solves the root problem but typically costs $20–80/month extra.
  • Native IPv6: Serve your site over IPv6 directly; use Cloudflare or a NAT64 service for legacy IPv4-only visitors.
  • VPS Reverse Proxy: Rent a cheap VPS, then set up WireGuard or an SSH reverse tunnel back to your home server.
  • Move Off-Premise: Migrate to a VPS or managed hosting if local hardware access is no longer a hard requirement.

If you need raw TCP beyond HTTP/S — game servers, RTSP streams, custom protocols — Cloudflare Spectrum (paid) or a WireGuard-based VPS proxy are the better fits. For a standard web server or home lab dashboard, the free tunnel wins every time.
