Tunneling, CGNAT, ngrok and Cloudflare Tunnels

ISPs, especially mobile operators often put their clients behind a CGNAT to save IPv4 addresses. That means there is only one real external IP address for multiple customers. And even if you open all the ports on your own home router, because multiple customers share the same one external IP address, the data will not be forwarded to your computer - even ping won't work.

But we can use tunneling to get around this limitation. Tunneling works by establishing an outbound connection to a server outside your network from within your network, usually using websockets. Now whenever someone wants to send some data to your computer which might be behind CGNAT or multiple layers of firewall with no possibility to open external ports - the user will actually send the data to the tunnel server outside your network, and because there is a persistent connection established between that server and your home network - the data will be forwarded to your network.

ngrok is the most popular tunnel but recently Cloudflare created its own tunnel solution which is much better than ngrok because ngrook free plan does not support custom domains. The Cloudflare tunnel technology is actually called "Zero Trust" and it allows you to add a custom domain (or multiple), add custom http "host" header for each service and gives you automatic TLS certificate which is really cool.

For VPN, there is tailscale and other VPN as a service providers with port forwarding that can give you VPN if you are behind a CGNAT.