
One word (okay several): CGNAT.

I've been self hosting happily on my Android for years until I moved and my current ISP puts me behind a CGNAT. No way to get around it.



Look into tunneling options. Many require either a cheap VPS to act as a tunnel host or paying a monthly fee for the tunnel service, but there are a couple options, such as Cloudflare Tunnel, that are both free and don't require your own VPS.

I know some in the self-hosting community may be opposed to using Cloudflare as it represents centralization, but if you are willing to use them for your domain's DNS then their free tunnel service is a compelling option.

It also (like any Wireguard tunnel, I suppose) obfuscates the nature of your traffic which might be useful if your ISP doesn't allow you to run your own webserver, and hides your home IP from everyone but Cloudflare.

It creates outgoing connections (only) to their servers so no worries about firewall setup; the tunnel daemon can access whichever services on `localhost` you want, without opening any ports to the world (the lack of open ports could prevent DDOS attacks on your server, since they would have no way to directly access your server without passing through Cloudflare first)

I have no affiliation with CF other than using their free services, and you could certainly set up something similar on your own VPS with Wireguard, but this might be cheaper and/or easier.


> No way to get around it.

Well...none of them are particularly easy, compared to punching holes in your local firewall. CGNAT takes you one step closer to digital serfdom (all hail our managed lords!)

That said, I'd say IPv6 would work if you have a public address and a tunnel broker for v4 only networks. Failing that, some kind of overlay (maybe a .onion?) or a reverse tunnel from someone who does have a public v4 address.


> Well...none of them are particularly easy, compared to punching holes in your local firewall.

Yeah. You'll have to use something like Cloudflare's Argo to punch out to the world and let them route the traffic back in. That's more complex and could cost and they probably won't like it if you put your media server behind it. Lol.


I've dealt with this before. It's a pain.

Look at this security research about bypassing NATs: https://www.armis.com/research/nat-slipstreaming-v20/

Look at the section "Creating NAT pinholes to any internal IP using the H.323 ALG" for example.

This is using a bug ("feature") that your CGNAT may have implemented (depending on the brand of CGNAT used). Fairly likely that one of those NAT slipstreaming vectors will allow you to punch a hole through it.

Is this reliable enough to actually use for self hosting stuff? Probably not. If you do, tell me :)

Edit: even the oldest versions of this technique (https://samy.pl/natpin/) may work for you. Depends if you're lucky. You don't need any of the exploit details that make this into an attack, only the basic concept of using NAT ALGs for unintended purposes.


What's stopping you from utilizing vpn tunneling?

My server is also behind a CGNAT but can be accessed through Wireguard tunnel with the cheapest vps I found in my place to be the main gateway.
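A minimal WireGuard pair for the VPS-as-gateway setup this comment describes, added here as an illustration and not the commenter's own config. Assumptions: the VPS's public interface is `eth0`, it is reachable as `vps.example.com`, the tunnel subnet is `10.66.0.0/24`, only TCP 443 is exposed, and the `<...>` values are placeholders for keys generated with `wg genkey` / `wg pubkey`.

```ini
# ---- VPS: /etc/wireguard/wg0.conf (public IPv4, acts as the front door) ----
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Forward only public TCP 443 across the tunnel to the home server.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.66.0.2:443
PostUp = iptables -A FORWARD -i eth0 -o wg0 -p tcp -d 10.66.0.2 --dport 443 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Masquerade so replies return through the VPS (the home side has no public route back).
PostUp = iptables -t nat -A POSTROUTING -o wg0 -d 10.66.0.2 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.66.0.2:443
PostDown = iptables -D FORWARD -i eth0 -o wg0 -p tcp -d 10.66.0.2 --dport 443 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o wg0 -d 10.66.0.2 -j MASQUERADE

[Peer]
# Home server; it may only ever claim its own tunnel address.
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.66.0.2/32

# ---- Home server: /etc/wireguard/wg0.conf (behind CGNAT, dials out only) ----
[Interface]
Address = 10.66.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>
# No ListenPort: nothing can reach this host inbound through CGNAT anyway.
# Accept the forwarded service only from the VPS over the tunnel.
PostUp = iptables -A INPUT -i wg0 -s 10.66.0.1 -p tcp --dport 443 -j ACCEPT
PostDown = iptables -D INPUT -i wg0 -s 10.66.0.1 -p tcp --dport 443 -j ACCEPT

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
# Route only the tunnel subnet through WireGuard; 0.0.0.0/0 here would send all home traffic via the VPS.
AllowedIPs = 10.66.0.0/24
# Keepalive is what keeps the CGNAT mapping alive; without it the VPS loses the path back.
PersistentKeepalive = 25
```

Because of the MASQUERADE rule the home service logs see every client as `10.66.0.1`, so put rate limiting and access logging on the VPS (or a reverse proxy there) if you need real client addresses.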


You could create a ZeroTier public network that anything can join. You can self host the network controller too.

Still means remotes have to install a piece of software though instead of going straight to the host.

No IPv6 I presume? If it’s CGNAT without V6 that is a shit ISP.



