Using ngrok to work around Carrier Grade NAT (CGNAT)

I wrote a while back about my troubles with Carrier Grade Nat (CGNAT), and described a solution that involved tunneling out of CGNAT using a combination of SSH and an AWS server – the full article is here.

That worked ok, but it was pretty fragile and not ideal – connections could be dropped, sessions expired, hosts rebooted etc etc. Passing data through my EC2 host is also not ideal.

My “new and improved” solution to this is to use a local tool like ngrok to create the tunnel for me. This is proving to be far simpler to manage, more reliable, and ngrok also provides a load of handy additional features too.

Here’s a very quick run through of getting it up and running on my Ubuntu VM, which sits behind CGNAT and hosts a webserver I’d like to be able to access from the outside occasionally. This is the front end to my ZoneMinder CCTV interface, but it could be anything you want to host and on any port.

First off, don’t use the default Ubuntu install, that will give you version 1.x which is out of date and didn’t work for me at all – it’s better, quicker and easier to get the latest binary for your platform directly from the ngrok website, extract that on your host and run it directly or add it to you PATH.

wget http://<YourDownloadURL>/


once that’s downloaded and extracted, you can (optionally) add your auth token, which you get when you register on the ngrok site. This is optional, but you get some worthwhile features from doing so.

./ngrok authtoken <YourAuthTokenFromTheNgrokWebsite>

Then you simply run ngrok like so:

./ngrok http 80

which should give you a console something like this:

from here you can get the Forwarding URL (http://<uniqueid> in this example) and your local port 80 should be available on that from anywhere on the internet.

Note I’m using this command:

screen ./ngrok http -region eu 80

to start up ngrok using screen, so I can CTRL+A+D out of that and resume it when I want using screen -r,

Here’s a pic of the console running, showing requests, and Apache being served by the ngrok URL:

That’s it – quick and easy, more stable, and far less faffing too.


There are tons of other options worth exploring, like specifying basic HTTP auth, saving your config to a local file, running other ports etc, all of them are explained in the documentation.

There’s a handy review of ngrok and several very similar tools here:

And some good tips & tricks with ngrok here:
as noted in the comments on that page: you obviously need to be safe and sensible when opening up ports to the internet…



3 thoughts on “Using ngrok to work around Carrier Grade NAT (CGNAT)”

  1. Hi there,
    I’ve just come across your blog as I’ve not long had my new 4G broadband installed. My guess is it’s the same ISP as yours!?
    A few issues…… 2 kids had a shiny new Xbox one for Xmas, which is great until they got their fave game and tried to play it. You see, it’s an online only game which I spent the best part of 6 hours to get going, contact EA games and Xbox Live people. No joy….more research checking everything everywhere on the internet revealed it was probably my ISP! Their support is pretty much useless. I had my service installed by a 3rd party company using a grant, then got a new router as the new router gave me better speed. I’ve also discovered that my AudioPro wifi speakers don’t seem to work on wifi anymore???
    I signed up to get a L2TP but that hasn’t seemed to work. I’m not a huge expert in this stuff……would I need to set up my router (HUAWEI) to solve these problems? Any advice would be hugely appreciated…..bearing in mind, I’m no expert in this stuff!

    1. Hi Chris,

      Sorry to hear about the issues, not good 🙁 Do you get an internet connection through the Xbox at all, is it just certain games that don’t work or everything you try on it? Have you tried connect to your router via Ethernet too?

      I don’t have an Xbox but my old PS3 can connect and play games through a similar sounding setup no problem, and with no special settings.

      This page explains CGNAT and related issues pretty well: and that first pic sums up the issue – lots of connections going out the way over a single address, meaning anything trying to connect inwards (from the internet to your home connection) are not routable. If your XBox is acting as a server in any way (accepting incoming connections from others on the internet) it’ll be listening on that single shared IP address and traffic wont be routed to you, without something like the reverse tunnel I described in this post.

      You’ve probably seen them already, but there are similar issues and a few suggestions here:

      I’ll also send you an email with another idea you could try, and if anyone else sees this post and has a similar issue hopefully they can help!



Leave a Reply

Your email address will not be published. Required fields are marked *