2026-05-24 · 7 min read · self-hosting

How to host a website behind CGNAT in 2026

Your ISP gave you a shared IPv4 and no clean way to forward a port. Here's what actually works in 2026 — ranked by friction.

If you've tried to expose a home server in the last few years, you've probably noticed something has fundamentally changed. The straightforward path — get a static IP, forward port 80, done — quietly stopped being available for most of the world. Mobile carriers have always been CGNAT. Fiber ISPs followed. Even "business broadband" packages from regional ISPs now hand out CGNAT'd IPv4 and a half-broken IPv6 path you can't port-forward through.

This post walks through the realistic options in 2026, from least to most friction, with honest costs.

First: figure out exactly what you have

Before picking a solution, know what you're working with:

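curl -s -4 ifconfig.me        # your public IPv4 (or shared CGNAT one); -4 stops a dual-stack host answering over IPv6
curl -s -4 ifconfig.co/ip     # second-opinion check
ip -6 addr show scope global  # do you have a global IPv6 address at all? (link-local fe80:: doesn't count)
curl -s -6 ifconfig.co/ip     # if so, what's the public IPv6?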

The four common shapes:

  1. Real IPv4, no port-forwarding. Your router blocks inbound. Look at router config first.
  2. CGNAT'd IPv4 + working IPv6. Use the IPv6 side directly — this is the cheapest path. See "Just use IPv6 directly" below.
  3. CGNAT'd IPv4 + broken / missing IPv6. This is the wayangi sweet spot. Read on.
  4. Mobile data only. CGNAT everywhere, IPv6 sometimes available depending on carrier. Same as case 2 or 3.
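The commands above show the address the internet sees; telling shape 1 from the CGNAT shapes means comparing it with the WAN address on your router's status page. The script below is an added example, not part of the original post: the function names and sample addresses are constructed, and the WAN address is assumed to be copied by hand from the router.

```shell
#!/bin/sh
# Added example: classify a router's WAN IPv4 against the address the internet sees.

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer; returns 1 if malformed.
ip4_to_int() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac   # digits and dots only, no trailing dot
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac  # no empty, zero-padded or 4+ digit octets
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET PREFIXLEN -> exit 0 if IP lies inside NET/PREFIXLEN, 2 on bad input.
in_cidr() {
    ip=$(ip4_to_int "$1") || return 2
    net=$(ip4_to_int "$2") || return 2
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify_wan WAN_IP PUBLIC_IP -> prints one of:
#   cgnat        WAN is in 100.64.0.0/10 (RFC 6598 shared space): carrier NAT, no port-forward
#   private-nat  WAN is RFC 1918: another NAT sits upstream (ISP or a second router)
#   public       WAN equals the public address: shape 1, fix the router config
#   translated   WAN looks public but differs from what the internet sees
classify_wan() {
    wan=$1 pub=$2
    ip4_to_int "$wan" >/dev/null || { echo invalid; return 1; }
    if in_cidr "$wan" 100.64.0.0 10; then echo cgnat
    elif in_cidr "$wan" 10.0.0.0 8 || in_cidr "$wan" 172.16.0.0 12 \
      || in_cidr "$wan" 192.168.0.0 16; then echo private-nat
    elif [ "$wan" = "$pub" ]; then echo public
    else echo translated
    fi
}

# Constructed sample: WAN address from the router page, then output of curl -s -4 ifconfig.me
classify_wan 100.72.13.5 203.0.113.7
```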

Option 1: Just use IPv6 directly (if you have it)

If curl -s -6 ifconfig.co/ip returns an address, your ISP gave you usable IPv6. The free path: bind your service to :: (all IPv6 interfaces), open that service's port in your router's IPv6 firewall (most home routers block inbound IPv6 by default), scoping the rule to the one host and port you mean to expose, and point an AAAA record at your address.

Catch: most ISPs use SLAAC and your prefix rotates every few hours to days. You'll need either a dynamic DNS provider (DuckDNS, Cloudflare API + cron) or a static delegated prefix from your ISP (rare on residential). And IPv6-only means IPv4-only clients can't reach you — though in 2026 that's a smaller share than it used to be.

Cost: free. Friction: low if your ISP is generous with IPv6, infinite if they're not.

Option 2: Cloudflare Tunnel (HTTPS-only)

Free for HTTPS exposure. Install cloudflared on your home server, sign in with a Cloudflare account, point a Cloudflare-managed domain at the tunnel. Done.

Limits: only HTTPS (no raw TCP / UDP on the free tier). Your DNS must be on Cloudflare. Your traffic traverses Cloudflare's edge — which is fine for most cases but means you don't own the address. If Cloudflare ever decides your site violates their terms, the URL stops working.

See our cloudflared comparison page for the longer breakdown.

Cost: free. Friction: medium — DNS on Cloudflare, HTTPS-only, traffic through their edge.

Option 3: Tailscale Funnel

If you already run Tailscale, Funnel exposes one tailnet device on a *.ts.net subdomain over HTTPS. Free tier covers 100 devices in the tailnet but Funnel itself has a 1 GB/month bandwidth cap. Still HTTPS-only on a Tailscale-managed subdomain — same shape as cloudflared but inside the Tailscale ecosystem.

Cost: free if you stay under bandwidth + already use Tailscale. Friction: low if Tailscale is already in your stack.

Option 4: ngrok / PageKite (ephemeral tunneling)

Both give you a relayed HTTPS endpoint. ngrok's reserved-domain feature ($8/mo Personal) gets you a stable URL; the free tier rotates the URL every session. Good for development and webhooks. Less good for a permanent self-hosted service — you're paying per-tunnel and the address belongs to the vendor, not you.

Cost: $8/mo ngrok Personal. Friction: medium — domain belongs to the vendor.

Option 5: wayangi — dedicated public IPv6

The path we obviously think is the right call, and which works regardless of what your ISP gives you. wayangi assigns your device its own routable public IPv6 address from a /48 prefix we operate via dalang.io's Indonesian carrier-grade DC. The agent runs a single static binary, opens an outbound WireGuard tunnel on UDP/443, and your device becomes reachable on its assigned IPv6 from any IPv6 host worldwide.

What you get:

  • One dedicated public IPv6 per device — point an AAAA record at it.
  • Raw TCP / UDP / anything that opens a socket. Not just HTTPS.
  • No third-party proxy in the data path.
  • $5/mo per device, transparent pricing, all tiers visible.
  • Free tier: 3 mesh-only devices for trying it out, no card needed.

The setup:

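# This pipes the vendor's install script straight into a root shell.
# To read it first, save install.sh to a file, review it, then run it
# with sudo sh and the same arguments.
curl -fsSL https://wayangi.dalang.io/install.sh | sudo sh -s -- --token=YOUR_TOKEN

# Bind your service to :: (here a plain-HTTP test responder on port 8080)
caddy respond --listen :8080 "hello from home"

# Point a DNS record at the assigned IPv6
# (shown in the dashboard at wayangi.dalang.io)
# myhome.example.com AAAA 2001:df6:d2c0:1400::42

# Done. Curl it from anywhere (http://, because the test responder above serves no TLS):
curl http://myhome.example.com:8080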

This is the cleanest answer when you want a permanent home server, an IoT fleet, or a game host that anyone can reach without making them install a client. Verify your tunnel works with our public reachability probe — it tells you in 3 seconds whether your IPv6 is reachable from the open internet.

Cost: $5/mo per IPv6. Friction: low — single install command, single binary, single dedicated address.

Option 6: Cheap VPS + reverse SSH tunnel

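For the DIY crowd: rent a $5/mo VPS, run ssh -R 443:localhost:443 vps-user@vps from your home server. Works, with two sshd caveats on the VPS side: a remote forward binds to loopback only unless GatewayPorts is enabled, and a privileged port such as 443 can only be forwarded when logging in as root. Painful at scale. No HA, no encryption beyond ssh, you re-establish on disconnect. Worth it if you already manage a VPS and need exactly one tunnel.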

Cost: $5/mo VPS. Friction: high — full sysadmin, no HA, no failover.

Decision matrix

If you want…                                      Pick
HTTPS-only, fine with vendor DNS, free            Cloudflare Tunnel
HTTPS-only, already in Tailscale ecosystem        Tailscale Funnel
Quick dev tunnel, ephemeral URL OK                ngrok / localtunnel
Dedicated public IPv6, any protocol, permanent    wayangi
Full control, willing to manage a VPS             VPS + reverse SSH or WireGuard

Closing

The "you need a static IPv4 to host anything" mental model is 15 years out of date. In 2026 the question is which trade-off you want to make: vendor-owned domain (Cloudflare / Tailscale / ngrok), vendor-owned IPv6 (wayangi), or DIY-managed VPS. Each has a clear best-fit use case.

If you specifically want a permanent address that's yours, that you can point any domain at, and that supports raw protocols — wayangi is the shape that fits. Start with the free tier (no card) or browse the full pricing.