Use Tailscale to Connect over CGNAT Carriers (i.e., SpaceX, Verizon, T-Mobile, etc.)
By WretchedGhost
EDITOR'S NOTE – 08-07-2023 – This article has been updated to fill in missing info and to explain some misunderstood concepts better.
For those of us using SpaceX (Starlink) satellite internet, we now have a way to get internet in virtually any location, but it does come with some caveats. A major one is that SpaceX's satellite network is CGNATed (Carrier-Grade NAT). For those who don't know what that means: NAT (Network Address Translation) is what virtually every home router/modem does to let an internal network (i.e., 192.168.1.x, etc.) share one public IP address. This has allowed people and businesses to put many devices behind a single NAT and need only one public IPv4 address. Because IPv4 addresses are scarce and the number of end devices is enormous, NAT is what keeps us from running out of them. Carriers like Verizon and T-Mobile (hence the name Carrier-Grade NAT) go one step further to limit the number of public addresses they need to buy or maintain: they put a NAT behind your NAT. The WAN side of your router gets a private address instead of a public one, and the carrier's own NAT then translates many customers onto a small pool of public IPv4 addresses. That WAN address is typically taken from 100.64.0.0/10, the "shared address space" that RFC 6598 reserved for exactly this purpose, though some carriers use the ordinary private ranges (192.168.x.x, 172.16.x.x or 10.x.x.x) instead. The carrier also keeps customers from seeing each other inside that shared range, for obvious security reasons. The one thing CGNAT does not let you do, which is what I want to focus on in this post, is port forwarding.
CGNAT: end sites, in particular residential networks, are configured with private network addresses that are translated to public IPv4 addresses by middlebox network address translator devices embedded in the network operator’s network, permitting the sharing of small pools of public addresses among many end sites.
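A quick way to tell which of these situations you are in is to compare the address your router shows on its WAN interface with the address the rest of the internet sees for you. The script below is an added example, not part of the original post: it classifies an IPv4 address as loopback, RFC 1918 private, RFC 6598 shared (CGNAT) space or public, and combines the WAN and external addresses into a verdict on whether port forwarding on your own router can ever work. All sample addresses are constructed (203.0.113.0/24 is documentation space); in practice you read the WAN address off your router's status page and get the external one from a service such as https://ifconfig.me. Note that Tailscale also hands out its node addresses from 100.64.0.0/10, so a Tailscale IP classifies as "cgnat" here; neither kind of address is reachable from the public internet on its own.

```shell
#!/bin/sh
# Added example (not from the original post): decide from your router's WAN
# address whether you are behind carrier-grade NAT, i.e. whether port
# forwarding on your own router can ever reach you from the internet.

# ip_to_int 192.168.1.10 -> 3232235786 (the address as a 32-bit integer)
ip_to_int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with octets 0-255.
# Leading zeros are rejected because the shell would read them as octal.
valid_ipv4() {
  case $1 in
    *[!0-9.]*|*..*|.*|*.|*.0[0-9]*|0[0-9]*) return 1 ;;
  esac
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# in_cidr ADDR NETWORK/BITS -> 0 if ADDR lies inside the block
in_cidr() {
  _ip=$(ip_to_int "$1")
  _net=$(ip_to_int "${2%/*}")
  _bits=${2#*/}
  _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
  [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# classify_ip ADDR -> loopback | private | cgnat | public | invalid
# 100.64.0.0/10 is the RFC 6598 shared space used by carrier NATs; Tailscale
# assigns its node addresses from the same block, so those land here too.
classify_ip() {
  valid_ipv4 "$1" || { echo invalid; return 1; }
  if in_cidr "$1" 127.0.0.0/8; then echo loopback
  elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16; then echo private
  elif in_cidr "$1" 100.64.0.0/10; then echo cgnat
  else echo public
  fi
}

# nat_verdict WAN_IP EXTERNAL_IP -> cgnat | double-nat | direct | invalid
#   cgnat      : WAN side is shared space; the carrier owns the public address
#                and nothing you configure on your router opens a port
#   double-nat : WAN side differs from what the internet sees, so another NAT
#                (a second router, or the carrier) sits in front of you
#   direct     : your router holds the public address; ordinary port
#                forwarding works
nat_verdict() {
  valid_ipv4 "$1" && valid_ipv4 "$2" || { echo invalid; return 1; }
  case $(classify_ip "$1") in
    cgnat) echo cgnat ;;
    *) if [ "$1" = "$2" ]; then echo direct; else echo double-nat; fi ;;
  esac
}

# Demo over constructed WAN/external address pairs.
for pair in "100.70.1.2 203.0.113.5" "192.168.0.2 203.0.113.5" "203.0.113.5 203.0.113.5"; do
  set -- $pair
  printf '%-14s %-14s wan=%-8s verdict=%s\n' "$1" "$2" "$(classify_ip "$1")" "$(nat_verdict "$1" "$2")"
done
```

If the verdict is cgnat, stop looking for a port-forward setting: the only way in is a tunnel that is established outbound from your side, which is what the rest of this post is about.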
So for those of us who are tech savvy and also do homelabbing, where we host our own web servers, Emby server, GitLab or Gitea server, bastion hosts, Pi-hole servers, or what have you, we are unable to port forward past the CGNAT, since that would require the carrier, in this case SpaceX, to forward the port through its own NAT and firewall, which is something most carriers will not do. They could do so if they wanted to, but the pitch behind CGNAT is that it is a "military grade" security standard. In reality the blocking of unsolicited inbound connections is a side effect of sharing one public address among many customers, not a security control anyone designed.
The company I work for has been given presentations from Verizon and Motorola engineers regarding the private 3.7 GHz spectrum that they gobbled up when it went up for sale not too long ago. That presentation is where I first heard CGNAT called "military grade". Unfortunately, anything labeled "military grade" should be taken with a grain of salt. Many members of the military would tell you that most military contracts are given to the lowest bidder, so take that for what it's worth.
To the layman who simply consumes the internet and doesn't need inbound ports opened, this is great. But for a tech person who likes messing around with computers and networks, it means my work is now much harder: setting up port forwarding for a VPN connection is no longer a simple 1:1 mapping on my own router, and it now requires an extra hop, such as a bastion or secondary VPN host that has to be set up in the cloud or wherever.
Ranting aside, one fix to this issue is a VPN tunnel built on WireGuard, but even then WireGuard alone would not work here: at least one of the two peers has to be reachable at a public IP address and open UDP port that the other peer can connect to, and behind CGNAT you cannot provide that on your side.
That is where Tailscale comes in. It is built on top of WireGuard, so it benefits from all of WireGuard's goodness, and it adds the piece plain WireGuard lacks: NAT traversal. Both peers make outbound connections to Tailscale's coordination server and relay (DERP) servers, exchange keys and candidate addresses there, and then punch through the NATs to talk directly where they can, falling back to the relay where they can't, so neither side needs a forwarded port. Tailscale creates a secondary network interface (a "tailnet") on each device and only lets other devices enrolled in the same tailnet connect to each other over it. In my case I have a Synology server which can be reached remotely via their QuickConnect website. This is great, but it doesn't stop other users, malicious or otherwise, from attempting to log in if they know my QuickConnect ID for that particular device. Tailscale will only allow other Tailscale devices that have been approved in your account to attempt a login to that device. This lets me set up Tailscale on my workstation at work, use the tunnel IP Tailscale assigned to my Synology server at home, and connect.
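Being in the same tailnet is the first gate; the second is the tailnet's access policy, which by default allows every device to reach every other device on every port. The policy below is an added example, not the author's configuration, written in the HuJSON format Tailscale's admin console accepts (comments allowed). The tags tag:nas and tag:workstation and the ports are assumptions for illustration: 22 for SSH and 5001 for Synology DSM's HTTPS interface. Replacing the default allow-all rule with this policy means the NAS accepts only those two ports, and only from the tagged workstation.

```jsonc
{
  // Who is allowed to apply these tags to a device when it is enrolled.
  // Assumed tag names; substitute your own.
  "tagOwners": {
    "tag:nas":         ["autogroup:admin"],
    "tag:workstation": ["autogroup:admin"]
  },

  // With the default {"src": ["*"], "dst": ["*:*"]} rule removed, anything
  // not listed here is denied, including NAS -> workstation traffic.
  "acls": [
    {
      "action": "accept",
      "src":    ["tag:workstation"],
      "dst":    ["tag:nas:22", "tag:nas:5001"]
    }
  ],

  // Policy tests run whenever the policy is saved; a failing test rejects
  // the change, so these lock in the intended reachability.
  "tests": [
    {"src": "tag:workstation", "accept": ["tag:nas:22", "tag:nas:5001"], "deny": ["tag:nas:445"]},
    {"src": "tag:nas", "deny": ["tag:workstation:22"]}
  ]
}
```

Tag the Synology with tag:nas and the work machine with tag:workstation when you enroll them (or from the admin console afterwards); a device that is in the tailnet but carries neither tag gets no access to the NAS at all under this policy.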
In this case I tried an SSH session, which works magically. To test this further, I tried to ping this IP from a non-Tailscale computer; the ping returned a response indicating that something exists at that IP, but attempting the same SSH connection from that non-Tailscale computer was unsuccessful.
An nmap scan I did, shown below, shows quite a few open ports on the public IP that my Tailscale instance was given. Most of these ports I do not need, and I'd like to see if there is a way to get them turned off if they aren't needed, but even if you were somehow able to attempt a connection to the Tailscale public IP, my device doesn't live on that IP; it is only a jump host to my device.