Matthew Choo

With 20 years in market research across Telco and Media, I’ve decoded consumer behavior, optimized research, and driven data-led strategies. Now, I’m diving into coding, automation, and tech solutions—where data meets efficiency. This blog is my space to share insights, from Python scripts to research optimizations and life hacks. Join me in exploring smarter ways to work and live!

Remote Home Access in Malaysia: Understanding CGNAT and Solutions

Understanding Malaysia’s CGNAT and Its Impact on Remote Access

CGNAT Remote Access

What is CGNAT, and Why Can’t You Detect Your Home’s Actual IP?

Carrier-Grade Network Address Translation (CGNAT) is widely used by Malaysian ISPs to manage IPv4 address shortages. Instead of assigning a unique public IP to each user, ISPs assign private IPs and use a shared pool of public IPs for outbound connections. This means:

  • Your home router gets a private IP (e.g., 100.64.x.x to 100.127.x.x), not a true public IP.
  • Websites and services see the shared public IP, not your actual home IP.
  • Traditional “what is my IP” checks will only reveal the CGNAT-assigned public IP, which is shared among multiple users.

CGNAT Enhances Security by Hiding Your IP

While CGNAT makes remote access challenging, it provides some security benefits:

  • Your actual home IP is not exposed to the internet, reducing attack surfaces.
  • Direct attacks from the internet (e.g., port scanning, DDoS) are mitigated.
  • Unauthorized remote access attempts are blocked since external connections cannot directly reach your home network.

Why Many Remote Home Solutions Fail Under CGNAT

Due to the lack of a true public IP, many traditional remote access solutions no longer work, including:

  • OpenVPN: Requires port forwarding, which is impossible under CGNAT.
  • Asus DDNS / Other Dynamic DNS Services: Since your ISP does not assign you a public IP, DDNS services cannot map a reachable address to your home network.
  • WireGuard / Any Direct VPN Setup: Without a publicly accessible IP, peers cannot establish direct connections.

Tailscale Login Steps

Solutions That Work: Tailscale and Cloudflare Tunnel

Despite CGNAT limitations, some solutions bypass these restrictions using relay-based approaches.

1. Tailscale (Pro and Con)

Tailscale is a mesh VPN built on WireGuard that works seamlessly behind CGNAT by using NAT traversal and relays when necessary.

Pros:

  • No port forwarding required.
  • Encrypted, peer-to-peer connections when possible.
  • Free for personal use with up to 20 devices.
  • Easy to set up with apps for multiple platforms.

Cons:

  • Requires an account (uses OAuth-based authentication like Google, Microsoft, etc.).
  • Some connections may still be relayed via Tailscale servers if direct NAT traversal fails, adding minimal latency.

2. Cloudflare Tunnel (Pro and Con)

Cloudflare Tunnel (formerly Argo Tunnel) allows you to expose services like a home server or NAS securely without a public IP.

Pros:

  • No need for a static public IP.
  • Works with a free Cloudflare account.
  • No inbound ports are open on your router, improving security.
  • Ideal for hosting self-hosted services (e.g., Home Assistant, Plex, web apps).

Cons:

  • More setup steps compared to Tailscale.
  • Requires Cloudflare DNS to manage domains/subdomains.
  • Free tier has limitations (e.g., no private networking like Tailscale).

Conclusion

With Malaysia’s widespread use of CGNAT, traditional remote access methods no longer work for most users. Instead, solutions like Tailscale and Cloudflare Tunnel provide modern, secure, and effective alternatives for accessing home networks remotely. Depending on your use case, Tailscale is better suited for private network access, while Cloudflare Tunnel is ideal for exposing specific services securely over the web.

You may also enjoy