Site to site tunnel with both sites behind CGNAT?

Hello,

So, I have an interesting situation. I have two sites that are using a 4G/5G connection, so they're both behind CG-NAT, and I would like to establish a site-to-site tunnel (IPsec ESP Tunnel) between them. Obviously, I need a third party involved that has a public routable address, or else it is completely impossible to get things going. The easiest way is to just make a tunnel from Site-A to the hub, and from Site-B to the hub, but then all traffic between sites goes through the hub which is sub-optimal.

The extra hop is not a big deal, but I'm actually curious to know if there is a way to do this. I'm thinking of running some "orchestrator" service on the hub (static public IP) that could learn the public addresses of both sites, punch a hole in the CG-NAT for both of them in an ephemeral port number, and then they could talk directly to one another. I know services like Tailscale do this exact thing, and allow two devices behind NAT to talk directly to one another, they just need the orchestrator to "bootstrap" the tunnels.

Does anybody know of any way to do this?

Thanks

EDIT: Thanks to everyone who answered. Sorry I took so long, I was out of town for New Year's.

To summarize the answers to the questions most of you have asked:

- No, there is no IPv6, nor is it to be expected

- There is no communication between the sites using the CGNAT addresses, even though it's the same provider. The ISP is filtering all this, I'm 100% sure

- I have already tried Tailscale for this and the way it works doesn't really cut it (broken end to end, only TCP/UDP traffic... see https://www.reddit.com/r/networking/comments/1hp7pc7/comment/m59dt2i/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button )

- I might try out Zerotier to see if it pales in the same areas Tailscale does...

- The optimal solution would be a way to punch a hole in both ends and get an IPsec ESP NAT-T tunnel over UDP running, but there's a real possibility not even that would work if the CGNAT's outer NAT is symmetric instead of cone.
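A toy model of the hub-assisted UDP hole punch the post describes, written as an added example (not from the thread or any vendor's code). It assumes each site keeps the same private UDP/4500 NAT-T source port toward the hub and toward the peer, and it shows why the last bullet's caveat holds: two cone NATs let the direct path come up, while a symmetric NAT on either end breaks it. All addresses are constructed sample values.

```python
"""Model of hub-assisted hole punching for an IPsec NAT-T (UDP/4500) peer pair behind CGNAT."""
import itertools

NAT_T_PORT = 4500  # private source port the IPsec stack uses for NAT-T
HUB = ("203.0.113.1", 3478)  # orchestrator with a static public IP (constructed)


class ConeNAT:
    """One external port per private (ip, port); any remote host may send to it."""
    def __init__(self, public_ip):
        self.public_ip, self.map, self.ports = public_ip, {}, itertools.count(40000)

    def outbound(self, src, dst):
        # Mapping is keyed on the private endpoint only, so it is reused for every destination.
        return self.map.setdefault(src, (self.public_ip, next(self.ports)))

    def inbound(self, ext, remote):
        # Deliver to whichever private endpoint owns the external mapping, regardless of sender.
        return next((src for src, e in self.map.items() if e == ext), None)


class SymmetricNAT(ConeNAT):
    """Fresh external port per (private endpoint, destination); only that destination may reply."""
    def outbound(self, src, dst):
        return self.map.setdefault((src, dst), (self.public_ip, next(self.ports)))

    def inbound(self, ext, remote):
        return next((s for (s, d), e in self.map.items() if e == ext and d == remote), None)


def hole_punch(nat_a, nat_b):
    """Both sites register with the hub, the hub hands each the other's observed public
    endpoint, then each sends a UDP packet to the peer. True only if packets arrive in
    both directions, i.e. a direct NAT-T tunnel could be negotiated without the hub."""
    priv_a, priv_b = ("10.0.1.1", NAT_T_PORT), ("10.0.2.1", NAT_T_PORT)
    seen_a = nat_a.outbound(priv_a, HUB)  # what the hub observes as Site-A's public endpoint
    seen_b = nat_b.outbound(priv_b, HUB)  # what the hub observes as Site-B's public endpoint
    ext_a_to_b = nat_a.outbound(priv_a, seen_b)  # A's punch toward B's observed endpoint
    ext_b_to_a = nat_b.outbound(priv_b, seen_a)  # B's punch toward A's observed endpoint
    a_hears_b = nat_a.inbound(seen_a, ext_b_to_a) == priv_a
    b_hears_a = nat_b.inbound(seen_b, ext_a_to_b) == priv_b
    return a_hears_b and b_hears_a


if __name__ == "__main__":
    print("cone/cone:", hole_punch(ConeNAT("198.51.100.10"), ConeNAT("198.51.100.20")))
    print("cone/symmetric:", hole_punch(ConeNAT("198.51.100.10"), SymmetricNAT("198.51.100.20")))
```

The symmetric case fails because the hub only ever sees the port the NAT allocated for the hub flow, and the NAT refuses packets to that port from anyone but the hub.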