this post was submitted on 16 Dec 2025
13 points (100.0% liked)


I have a WireGuard VPN set up for a friend where they can remotely connect to access Frigate and I can remotely connect to fix things when needed. They are considering switching to T-Mobile Business as their ISP since Spectrum is screwing them on price, T-Mobile's minimum is twice as fast as Spectrum while still being a lower price, and AT&T can't be convinced their small business isn't a residential duplex or an apartment.

T-Mobile offers the Inseego FX4100 gateway which does have an IP passthru option, so my question becomes will that work to WireGuard in with their current router/firewall solution hosting the other end of that and just passing packets through the Inseego, or is that just not possible without Tailscale due to CGNAT?

top 13 comments
[–] manwichmakesameal@lemmy.world 7 points 4 days ago

Another solution I don't see mentioned (yet) is have both ends connect to a VPS running your WG endpoint. Then both sides only have to have egress ability, nothing coming in, no CGNAT to worry about.

[–] ShellMonkey@piefed.socdojo.com 4 points 4 days ago (1 children)

If only one side is behind a NAT then so long as that one initiates the tunnel it should work fine. NAT only really is a problem on the inbound side.

[–] muusemuuse@sh.itjust.works 1 points 4 days ago (1 children)

The firewalla is set up to wait for and respond to WireGuard tunnel requests and we like that as it is. We want to keep using that. We just don’t know if T-Mobile will fuck that up.

Right, and if both sides have their publicly routable IPs on their respective firewalls it'll work. If one gets put behind a NAT of some sort then it would be able to speak outward, but would require specific packet routing inward (port forwarding) to have someone connect in. Stateful sessions will be fine so long as the one inside a NAT is the initiator.
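
The two suggestions above (both ends dialing out to a VPS, and the NAT'd side always being the initiator) correspond to a hub-and-spoke WireGuard layout, sketched here as an added example that is not configuration from any poster in this thread. The hostname, tunnel and LAN subnets, port and key placeholders are all assumptions.

```ini
# ---- VPS (hub): /etc/wireguard/wg0.conf -- constructed example ----
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <hub-private-key>
# The hub routes between the two spokes, so forwarding must be on.
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# Site firewall behind CGNAT. No Endpoint here: the hub learns the
# site's current NAT mapping from the packets the site sends out.
PublicKey = <site-public-key>
# Tunnel address plus only the one LAN host that must be reachable
# (assumed camera server address), not the whole site LAN.
AllowedIPs = 10.99.0.2/32, 192.168.10.20/32

[Peer]
# Remote admin / remote user device.
PublicKey = <admin-public-key>
AllowedIPs = 10.99.0.3/32

# ---- Site firewall (spoke behind CGNAT) -- constructed example ----
[Interface]
Address = 10.99.0.2/24
PrivateKey = <site-private-key>

[Peer]
PublicKey = <hub-public-key>
# The spoke initiates outbound, so nothing inbound has to cross CGNAT.
Endpoint = vps.example.net:51820
AllowedIPs = 10.99.0.0/24
# Periodic keepalive so the carrier NAT mapping does not expire while
# the tunnel is idle; without it the hub cannot reach the site.
PersistentKeepalive = 25

# ---- Admin device (spoke) -- constructed example ----
[Interface]
Address = 10.99.0.3/24
PrivateKey = <admin-private-key>

[Peer]
PublicKey = <hub-public-key>
Endpoint = vps.example.net:51820
AllowedIPs = 10.99.0.0/24, 192.168.10.20/32
PersistentKeepalive = 25
```

In this layout each tunnel terminates on the VPS, which decrypts and re-encrypts traffic between the spokes, so the VPS becomes part of the trusted path and needs the same patching and firewalling as the site firewall. It only helps if the carrier passes outbound WireGuard traffic at all.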

[–] spaghettiwestern@sh.itjust.works 2 points 4 days ago (1 children)

Does their current equipment (and yours) support IPv6? If so CGNAT won't be involved.

[–] muusemuuse@sh.itjust.works 1 points 4 days ago (1 children)

Our side supports IPv6 but I have no idea about T-Mobile’s setup.

[–] spaghettiwestern@sh.itjust.works 2 points 4 days ago* (last edited 4 days ago) (1 children)

TMO has had IPv6 implemented for mobile devices for years. There's no way they only implemented IPv4 on a home/business service that uses the same network and the same towers.

[–] muusemuuse@sh.itjust.works 1 points 4 days ago (1 children)

Their sales rep emailed me back saying they use CGNAT and block WireGuard.

[–] osaerisxero@kbin.melroy.org 3 points 4 days ago

Yeah, I would not consider blocking WireGuard to be even remotely (heh) acceptable in 2025. Tell your bro to go back to arguing with AT&T, maybe just with their resi service.

[–] chairlegoftruth@lemmy.ml 2 points 4 days ago (1 children)

ISP may offer a static IP, and/or help bypassing CGNAT if either are useful. I've done it for a 5G failover with VPN, with the gateway in passthru, and a firewall behind it. At a glance, it looks like the FX4100 supports all of this.

[–] muusemuuse@sh.itjust.works 2 points 4 days ago (1 children)

It seems they do offer a static IP. I don't mind if the IP changes, we already have DDNS up and running fine. It's more of a concern with CGNAT wrecking the VPN.

[–] chairlegoftruth@lemmy.ml 2 points 4 days ago

This was years ago - but I feel like the solution for CGNAT at the time required a static, and we also implemented DDNS for their TLD. It definitely wasn't T-Mobile. It took some time to find someone at the mobile ISP who understood what we needed, and what options existed.

[–] irmadlad@lemmy.world 1 points 4 days ago

since spectrum is screwing them on price

In my locale, Spectrum is considered a utility much like electricity, water, or any other utility you are accustomed to. They made it that way because a long while ago, Spectrum contracted with the authorities having jurisdiction, to be the sole provider of internet to all the schools in this area. There is a complaint form on our city's webpage. Still, about the only way to make the pricing all work in your favor is to be the loudest complainer, which is a pretty shitty business model.