Running a node on CGNAT

Hi all,

I’m changing my ISP soon (to a Starlink connection actually!). But this means I am going to lose my static IPv4 address and get stuck behind a CGNAT.

I see there’s quite a bit of guidance for port forwarding around on CGNAT by using a VPN service. But I’m wondering if anyone is running a Cardano node (and stake pool) on CGNAT? If so, any recommendations for a VPN service?

Have a look at WireGuard; it will take care of your changing BP IP. You can set your BP up to connect with your relays (static IP) over private IPs, which will enable them to reach back to the BP.
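
A sketch of the WireGuard layout suggested in the reply above, as an added example that is not part of the original post: the block producer (BP) behind CGNAT dials out to a relay that has a static address. The 10.8.0.0/24 tunnel range, UDP port 51820, the 203.0.113.10 endpoint and the key placeholders are assumptions.

```ini
# --- /etc/wireguard/wg0.conf on the block producer (behind CGNAT) ---
[Interface]
# Private tunnel address of the BP (assumed range 10.8.0.0/24)
Address = 10.8.0.2/24
PrivateKey = <BP_PRIVATE_KEY>
# No ListenPort: the BP only dials out, so nothing has to be forwarded to it

[Peer]
# Relay with a static public address (203.0.113.10 is a documentation placeholder)
PublicKey = <RELAY_PUBLIC_KEY>
Endpoint = 203.0.113.10:51820
# Only the relay's tunnel address is accepted from, or routed to, this peer
AllowedIPs = 10.8.0.1/32
# Regular keepalives hold the CGNAT mapping open so the relay can reach back
PersistentKeepalive = 25

# --- /etc/wireguard/wg0.conf on the relay (static IP) ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <RELAY_PRIVATE_KEY>

[Peer]
# No Endpoint line: the relay learns the BP's current public address from
# the BP's authenticated packets, so a changing CGNAT address needs no edits
PublicKey = <BP_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32
```

With this layout the BP and relay reference each other by the tunnel addresses (10.8.0.2 and 10.8.0.1) in their node topology, and the BP exposes no port to the public internet.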

I’m now on my CGNAT connection. Just for context, my servers are bare metal so are running on my internal network.

I have set up an ngrok tunnel for the relay node to receive traffic on. However, I think I am having a bit of trouble with the as my public IP address that it reports is my CGNAT address, which isn’t the address that my ngrok tunnel is on.

If I manually set my ngrok tunnel address in by changing “Change Me” I get an error, as the address doesn’t match the requesting address. Is there a way around this?

I assume without a valid topologyUpdater request I won’t be listed in the topology database and won’t be getting incoming connections :(

You are right, the incoming connections are essential.
I am not familiar with CGNAT and ngrok, so be warned my next advice might be stupid.
Are you able to get a domain and identify your relays by domain names instead of IPs?

My main issue is using the topologyUpdater script, as without that I am relying on others to manually connect to my relay (i.e. manually enter my details). The topologyUpdater script seems to be the main method for other relays to find other relays. But because the script only “sees” my CGNAT public address, it isn’t reporting the right IP/domain.

Or is there something I am missing in this whole thing?

I think from more reading I need to set up an outbound proxy for these topologyUpdater requests, so it is originating from my ngrok address via their proxy.

Yes, that is the way to go.