We did. It's called IPv6. It's 20 years old and still not usable universally. At the high end, like enterprise or telcos, it's fantastic. But at the grass roots level of residential and small businesses, it's still a nightmare.
The need is real. You are a service provider. You need to manage equipment at customer sites. You need to access them simultaneously. But all the customers are using the same subnet...
If Bell gave out cellphones with the same phone number, how can you call anybody? But they still do.
Many devices have cloud access, but every manufacturer is different. It is a nightmare at scale.
That does not happen here. The CGNAT addresses are in the VPN tunnel. And the tunnel connects private devices end-to-end. The LAN packets never see the Internet. They are inside the WireGuard packets.
The problem there is you still need to keep track of the subnets. It works for a while, but it's quite complex. NAT is actually easier when you get into hundreds of sites.
The way we did it, routing is not a problem. Any Netrinos client (Windows, Mac, or Linux, including the free version) can act as a gateway. It assigns a unique overlay IP to devices on the local network that can't run software themselves, like cameras, NAS units, or printers, and handles the NAT translation.
Think of it like a router's DMZ feature, but inverted. Instead of exposing one device to the internet, each device gets a private address that's only reachable inside your mesh network.
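As an added illustration (not Netrinos code and not from any commenter), the "inverted DMZ" gateway described above can be expressed as a 1:1 nftables mapping from overlay address to LAN device; the interface names, prefixes and device addresses are constructed assumptions:

```python
import ipaddress

# Assumed names (not from the thread): wg0 carries the WireGuard overlay,
# eth0 is the LAN holding devices that cannot run the client themselves.
WG_IFACE, LAN_IFACE = "wg0", "eth0"
OVERLAY_NET = ipaddress.ip_network("100.64.0.0/10")  # CGNAT space, used only inside the tunnel
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
# Constructed sample: one unique overlay address per LAN device.
DEVICE_MAP = {
    "100.64.7.10": "192.168.1.20",  # camera
    "100.64.7.11": "192.168.1.21",  # NAS
}

def validate_map(device_map, overlay_net=OVERLAY_NET, lan_net=LAN_NET):
    """Reject addresses outside the expected prefixes and LAN devices mapped twice."""
    seen = set()
    for ov, dev in device_map.items():
        if ipaddress.ip_address(ov) not in overlay_net:
            raise ValueError(f"{ov} is outside overlay prefix {overlay_net}")
        if ipaddress.ip_address(dev) not in lan_net:
            raise ValueError(f"{dev} is outside LAN subnet {lan_net}")
        if dev in seen:
            raise ValueError(f"{dev} is mapped to more than one overlay address")
        seen.add(dev)
    return True

def build_ruleset(device_map, wg=WG_IFACE, lan=LAN_IFACE):
    """nftables text: DNAT overlay IP -> device for packets from the tunnel,
    masquerade towards the LAN so replies return via the gateway, and a
    default-drop forward chain admitting only tunnel->device flows and replies."""
    validate_map(device_map)
    dnat, snat, fwd = [], [], []
    for ov, dev in device_map.items():
        dnat.append(f'        iifname "{wg}" ip daddr {ov} dnat to {dev}')
        snat.append(f'        oifname "{lan}" ip daddr {dev} masquerade')
        fwd.append(f'        iifname "{wg}" oifname "{lan}" ip daddr {dev} accept')
    return "\n".join([
        "table ip overlay_gw {",
        "    chain prerouting {",
        "        type nat hook prerouting priority dstnat; policy accept;",
        *dnat, "    }",
        "    chain postrouting {",
        "        type nat hook postrouting priority srcnat; policy accept;",
        *snat, "    }",
        "    chain forward {",
        "        type filter hook forward priority filter; policy drop;",
        "        ct state established,related accept",
        *fwd, "    }", "}",
    ])
```

The rendered text can be loaded with `nft -f`; the default-drop forward chain is what keeps each device reachable only from inside the mesh rather than from the Internet.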
Hole punching actually works most of the time. A lot more often than you might think. But enterprise firewalls usually don't allow it. And some home routers fail when you check all the anti-intrusion options. But it's the same for other VPNs.
In the residential and small-business space, it's pretty rare. You might need to point it out to the network guy. If the customer wants the service, they should be open to it.
The problem isn’t that it doesn’t work (and it often does not work – one “symmetric NAT” in the old/deprecated terminology is enough), it’s that it’s orders of magnitude more complex than it needs to be.
I’ve also never seen it work for TCP in practice, and not everybody should have to roll their own UDP wrapper for their TCP-expecting application.
IPv6 is very badly supported at the low end of the market. Cheap webcams, doorbells, etc. And that's not counting already old equipment...
If we had a nuclear war, we could start over. But for now, we are stuck. Blame it on Cisco for inventing NAT.
Man, this sounds so realistic: a system administrator saying "Yes! Now we can migrate to IPv6" after 99.9 percent of the world population is killed.
We chose Go as the development language. Go produces statically compiled binaries that include all dependencies. The only external deps are wireguard, nftables, nmap, etc. All easy stuff. So we have no need for Docker. We publish binaries for ARM64 and AMD64. Avoiding Docker has made it much easier to work with.