Suggestions for working around CGNAT

Yesterday I was in a tough situation with a time constraint. The alarm vendor had requested a portable temporary internet connection at a site we were working at. So we brought in a RUTX11 with a SIM, but the carrier only provides a CGNAT IPv4. They didn’t tell me that they were going to need like 20 ports opened/forwarded to an internal alarm panel for programming.

I thought that it might be possible to string together some complex maze of VPNs or tunnels to provide the needed access. But I couldn’t come up with an answer in the needed timeframe. So it was unsolved.

Does anyone have any suggestions? I wanted to try RMS Connect, but it seems that it is limited to well-known services like FTP or HTTP, not the arbitrary TCP ports this vendor was asking for.

I think the only setup that might have worked would have been bringing up a tunnel from our datacenter to the customer’s site, then setting up the NAT forwarding from that datacenter to forward traffic across the tunnel to the correct internal port, and asking people to access this service by the public IPv4 of the datacenter.

I didn’t want to do this because we had not arranged ahead of time to provide this dedicated tunnel service and didn’t want to be responsible for it.

Could some Cloudflare product have helped here? Tailscale?

Tailscale is your only option. It is available in the Teltonika repository.

I’m not sure if that is really an option. The vendor needs this device on the RUT LAN to be reachable via a certain TCP port.

Neither the LAN device, nor the client which tries to connect to it, would be able to run Tailscale.

Is there some sort of “Tailscale port forwarding” feature I’m unaware of?

You need two Tailscale capable devices on both ends to achieve this since installing Tailscale on clients is not an option. There is no other way.

Hi @luckman212 ,

Thanks for reaching out!

Great question, and you’re right to rule out RMS Connect - per Teltonika’s documentation it is limited to SSH, Telnet, HTTP/HTTPS, RDP/VNC, and SFTP, so it won’t help with arbitrary TCP ports.

The core challenge here is that with CGNAT, no inbound connections can reach the RUTX11’s WAN, so any solution needs to work by having the router initiate an outbound tunnel. Here are the viable options, taking into account your constraint that neither the alarm panel nor the vendor’s laptop can run VPN client software:

  1. ZeroTier + Port Forwarding on the RUTX11

ZeroTier is available directly in the RUTX11’s Package Manager and connects outbound through CGNAT without needing any open inbound ports. The trick for your use case is to combine it with port forwarding rules on the router itself - this means the alarm panel needs absolutely nothing installed on it.

Setup outline:

  • Install ZeroTier on the RUTX11 via System → Package Manager.
  • Create a free network at my.zerotier.com and join the RUTX11 to it.
  • In the ZeroTier portal, add a Managed Route pointing the alarm panel’s LAN subnet through the RUTX11’s ZeroTier IP.
  • On the RUTX11, add port forwarding rules under Network → Firewall → Port Forwards, mapping each required alarm panel port from the ZeroTier interface to the panel’s LAN IP.
  • The vendor’s technician installs the free ZeroTier client on their laptop, joins the same network, and can immediately reach all required ports on the alarm panel.

The alarm panel itself is untouched. Only the vendor’s laptop needs the ZeroTier client - it’s a small free install on Windows/Mac/Linux.

For more details, please refer to this wiki article:

  2. RMS VPN Hub

If installing anything on the vendor’s laptop is truly off the table, RMS VPN Hub is the cleanest Teltonika-native fallback. It creates an outbound OpenVPN tunnel from the RUTX11 to Teltonika’s RMS platform (works over CGNAT), and with LAN Forwarding enabled, gives full access to any IP and port behind the router - no changes needed on the alarm panel.

For more information, please refer to this wiki article:

  3. Datacenter / VPS Tunnel (the approach you already described)

You outlined this yourself and it’s technically sound: bring up a WireGuard or OpenVPN tunnel from the RUTX11 to a VPS with a public IP, then set up port forwarding/NAT on the VPS to relay vendor traffic through the tunnel to the alarm panel. The vendor connects to the VPS’s public IP with no VPN client needed on their end at all.

This is the only option requiring zero software on either endpoint, but it does need a pre-configured server and someone willing to own that relay infrastructure. For a one-off temporary job it’s operationally heavy, which is exactly why you didn’t want to go down that road.

However, here are configuration examples for both WireGuard and OpenVPN that you can refer to if you would like to choose this option.

Option 1 (ZeroTier) is worth a closer look for next time. It only requires the vendor’s laptop to install a lightweight free client - the alarm panel itself needs nothing - and the whole thing can be stood up in minutes with no pre-arranged infrastructure.

Hope this helps!

Best regards,
V.
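Option 3 above (the VPS relay) worked through as an added example; this is not code from the thread, from Teltonika or from the poster. It shows the VPS side of a WireGuard relay: the wg0.conf with the RUTX11 LAN in AllowedIPs, the matching peer settings for the RUTX11, and one DNAT plus FORWARD rule per panel port, with source NAT on the tunnel so the panel's replies come back through the tunnel instead of being pushed out the CGNAT WAN. Every address, the port list 3000-3002, the vendor's source IP 198.51.100.7 and the key placeholders are assumptions chosen for illustration (RFC 5737 documentation ranges), not values from the thread.

```shell
#!/bin/sh
# Added example for option 3 (not Teltonika's or the poster's code).
# Assumed topology, not from the thread:
#   vendor 198.51.100.7 -> VPS 203.0.113.10 (eth0) -wg0-> RUTX11 10.200.0.2 -> panel 192.168.1.50
# The RUTX11 initiates the tunnel outbound, which is what makes this work behind CGNAT.
set -eu

WAN_IF="eth0"
WG_IF="wg0"
VPS_PUBLIC_IP="203.0.113.10"
VPS_TUN_IP="10.200.0.1"
RUT_TUN_IP="10.200.0.2"
RUT_LAN="192.168.1.0/24"
PANEL_IP="192.168.1.50"
VENDOR_SRC="198.51.100.7"      # only this source may reach the relayed ports
PANEL_PORTS="3000 3001 3002"    # constructed stand-in for the vendor's ~20 ports

# /etc/wireguard/wg0.conf for the VPS. Keys are placeholders: generate with
# `wg genkey | tee private.key | wg pubkey`. The RUTX11 LAN is in AllowedIPs so
# that packets DNATed to the panel are routed into the tunnel.
vps_wg_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_TUN_IP}/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
PublicKey = <RUTX11_PUBLIC_KEY>
AllowedIPs = ${RUT_TUN_IP}/32, ${RUT_LAN}
EOF
}

# Matching peer settings for the RUTX11 side. PersistentKeepalive keeps the
# carrier's CGNAT mapping alive so the VPS can send into the tunnel at any time,
# not only while the router happens to be transmitting.
rut_peer_conf() {
  cat <<EOF
[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_PUBLIC_IP}:51820
AllowedIPs = ${VPS_TUN_IP}/32
PersistentKeepalive = 25
EOF
}

# Print the VPS firewall commands instead of running them, so they can be
# reviewed (and tested) first. Run with --apply to execute them as root.
fw_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -P FORWARD DROP"
  for p in $PANEL_PORTS; do
    # Map VPS_PUBLIC_IP:p to PANEL_IP:p, but only for the vendor's source address.
    echo "iptables -t nat -A PREROUTING -i ${WAN_IF} -s ${VENDOR_SRC} -d ${VPS_PUBLIC_IP} -p tcp --dport ${p} -j DNAT --to-destination ${PANEL_IP}:${p}"
    echo "iptables -A FORWARD -i ${WAN_IF} -o ${WG_IF} -s ${VENDOR_SRC} -d ${PANEL_IP} -p tcp --dport ${p} -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Rewrite the source to the VPS tunnel address: the panel's replies then go to
  # 10.200.0.1, which the RUTX11 routes back into wg0. Without this the RUTX11
  # would try to send replies to the vendor's IP out its CGNAT WAN and the TCP
  # handshake would never complete.
  echo "iptables -t nat -A POSTROUTING -o ${WG_IF} -d ${RUT_LAN} -j MASQUERADE"
}

case "${1:-}" in
  vps-conf) vps_wg_conf ;;
  rut-conf) rut_peer_conf ;;
  --apply)  fw_rules | sh -e ;;
  *)        fw_rules ;;
esac
```

Two things have to be true on the RUTX11 for this to work: the WireGuard interface must be in a firewall zone that is allowed to forward to the LAN zone, and the route for AllowedIPs (10.200.0.1/32) must be installed so replies addressed to the VPS tunnel IP go back into the tunnel. Restricting PREROUTING to the vendor's source address matters because the DNAT otherwise exposes every relayed panel port to the whole internet on the VPS's public IP; if the vendor's address is not known in advance, at least add it once they connect and remove the rules when the job is done. The MASQUERADE means the panel sees connections as coming from 10.200.0.1 rather than the vendor's real address, which is acceptable for a temporary programming session but hides the source in any panel-side logs.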

A thing to note, is that new accounts utilise ZeroTier’s latest UI and not their legacy UI. Unfortunately the latest UI, no longer allows ‘Managed Routes’ without a subscription. I think there may still be a trial ‘free’ period on subscription plans but it used to be only 10 - 14 days if I remember correctly.

We are currently self hosting a zerotier instance with https://ztnet.network/, it works quite well.