How to Port Forward on Starlink and Bypass CGNAT (2026)

How to Port Forward on Starlink and Bypass CGNAT: A Practical Guide for Remote Access

Starlink, SpaceX’s satellite internet service, has rapidly expanded its user base across rural and underserved regions, delivering high-speed connectivity where traditional options fall short. But as more users switch to Starlink, many discover a frustrating roadblock—traditional port forwarding doesn’t work. Why? Because Starlink uses Carrier-Grade Network Address Translation (CGNAT), a method that shares a single public IP address among multiple users.

CGNAT prevents direct inbound connections from the internet to your home network. This complicates everything from self-hosted game servers to remote desktop access and DIY cloud storage setups. Static IPs, once the standard approach, are unavailable through Starlink's default configuration. Without a public IP address, port forwarding becomes impossible through standard routes.

This guide breaks down the technical barriers. It explains how CGNAT works, why you can't open ports like you used to, and—more importantly—how to bypass these limitations using tunneling software, reverse proxies, VPNs, or third-party services. Whether you're a gamer looking to reduce latency and improve matchmaking, a developer running a local server, a remote worker needing secure access to a home office, or a hobbyist experimenting with IoT devices at scale, the solutions you'll find here are actionable and battle-tested.

Ready to take back network control? Let’s move past CGNAT and open the door to real remote access.

Understanding CGNAT and Why Starlink Relies on It

What Is Carrier-Grade NAT (CGNAT)?

Carrier-Grade NAT (CGNAT) is a technique used by internet service providers to conserve IPv4 addresses. Unlike traditional NAT, which operates on a home router level, CGNAT works at the ISP level. ISPs assign private IP addresses to customers and map multiple users onto a single public IPv4 address.

This system consolidates IP usage while preserving connectivity across the internet. Internally, users still connect to the web as normal, but from the outside, hundreds or even thousands of users appear to share a single IP. Every data packet flows through the CGNAT gateway before reaching its destination, with the system tracking and routing each connection separately.

How CGNAT Pools Users

Under CGNAT, Starlink assigns private RFC1918 IP addresses (typically in the 10.0.0.0/8 or 100.64.0.0/10 range) to customer terminals. All outbound traffic exits through a common pool of public IPs, with dynamic port address translation dictating which user corresponds to which session.

Each user's internal IP is translated into a shared public IP with an assigned port range.
Translation tables inside Starlink’s infrastructure keep track of each session in real-time.
Inbound unsolicited requests — required for hosting servers or remote access — get blocked or misrouted because the NAT device doesn’t know which terminal should receive them.

Why Starlink Uses CGNAT

IPv4 address depletion is the driving factor. There are only about 4.3 billion IPv4 addresses available, many of which are already allocated. Starlink, like most ISPs operating at scale, can’t assign a unique public IPv4 address to each customer terminal because the resources simply don’t exist.

CGNAT allows Starlink to scale its network worldwide without requiring users to adopt new hardware or delay service activation. The system supports thousands of users across a shared infrastructure without exhausting limited public address space.

How CGNAT Affects Port Forwarding

Because CGNAT removes direct public IP assignments to end users, traditional port forwarding becomes nonfunctional. Home users can't expose services (like game servers, security cameras, or file servers) to the internet because incoming traffic has no clear route through the ISP's NAT system.

Even though local router settings may allow port forwarding within a home network, those configurations have no effect beyond the CGNAT gateway. In practice, this setup blocks external devices from initiating connections to a Starlink-powered home network, making self-hosting and remote access impossible under default conditions.

Why Port Forwarding Fails on Starlink: A Technical Breakdown

How Port Forwarding Normally Works on Standard Routers

Port forwarding directs incoming traffic from the internet to specific devices on a local network. On traditional home networks with a public IPv4 address assigned directly to the router, this process is straightforward. The router opens predefined ports and routes incoming packets to the appropriate internal IP address. For instance, port 3389 might forward to a local Windows machine for Remote Desktop access, while port 25565 could link to a Minecraft server on a LAN device.

CGNAT Disrupts This Flow

Carrier-Grade Network Address Translation (CGNAT) places Starlink users behind a shared public IP address. Instead of assigning a unique public IP to each Starlink terminal, SpaceX aggregates multiple user connections through a single public gateway. This architectural choice severely impacts port forwarding.

Since multiple customers share the same external IP, incoming traffic can't reach a specific user's router directly. There's no static public IP tied to your Starlink terminal, which eliminates the ability to establish traditional inbound NAT rules.

What Happens as a Result?

Self-hosting game servers becomes impossible. Players outside your network can’t connect to your game host without direct port exposure, which CGNAT blocks entirely.
Remote Desktop Protocol (RDP) sessions fail to initiate from outside your network. You end up confined to your LAN or forced to adopt third-party remote-access tools.
Dynamic external IP addresses prevent reliable access points. Even with third-party Dynamic DNS configurations, Starlink frequently rotates external IPs, rendering DNS entries inaccurate within hours.
Starlink-generated IPv4 addresses are not publicly routable. Ranges like 100.64.0.0/10 are reserved for private address space under RFC 6598 and don’t respond to external requests. They live entirely within SpaceX’s infrastructure.

This configuration creates a sandboxed environment: ideal for outbound browsing, streaming, or cloud services—but highly restrictive for any solution requiring unsolicited external connections. Even basic port status checks will show all ports as filtered or closed from the outside.

Need a static, reachable IP? Starlink doesn’t offer one over IPv4, and current hardware doesn’t support bridge mode. Traditional port forwarding solutions don’t apply, which forces users to adopt more advanced workarounds.

How to Effectively Bypass CGNAT on Starlink

Workarounds and Advanced Networking Setups

Carrier-grade NAT (CGNAT) on Starlink presents a clear limitation: direct inbound connections to devices on your local network aren't possible under standard conditions. But several robust solutions allow users to regain control over port accessibility and remote connectivity.

These methods range from commercial VPN services to custom infrastructure using VPS instances, each tailored to different levels of technical proficiency and application use cases—home surveillance, game servers, self-hosted services, or remote shell access, just to name a few.

Understanding Key Terminology Before You Begin

To implement any of these solutions effectively, get familiar with the core components of how traffic flows through a network, especially under CGNAT constraints.

Input Ports vs Output Ports: Input (or inbound) ports receive traffic from the external internet to your local machine, such as TCP port 22 for SSH. Output (or outbound) ports refer to the ephemeral ports your device uses to initiate a connection. Under CGNAT, your router sits behind a shared public IP, receiving only outbound port mappings.
Host Systems: A host system can be a physical server, a local computer, or a virtual instance in the cloud that acts as a communication endpoint. When Starlink assigns a client IP behind CGNAT, your local system cannot become a legitimate host for inbound requests—unless traffic is redirected elsewhere first.
IP Address Allocation: Starlink typically assigns private IPs (100.64.0.0/10 block) to end-user terminals. These addresses are not publicly routable, and since multiple users share the same outward-facing IP, port collisions are inevitable without port forwarding solutions that bypass CGNAT.

Rather than fighting against CGNAT's structural design, each solution introduced later leverages external infrastructure to relay traffic back to your network. The result: port forwarding works, even if Starlink doesn’t allow it natively.

Ready to dive into the first workaround? Let’s look at VPN solutions built for this scenario in the next section.

Method 1: Using a VPN Service (Recommended for Most Users)

Bypassing CGNAT with a VPN: Here's How It Works

Carrier-Grade NAT (CGNAT) shields your Starlink-powered home or office network from direct inbound connections. This makes hosting services—like game servers, remote desktop access, or security cameras—impossible without workarounds. A VPN with port forwarding capability breaks through this limitation by assigning a real public IP address that routes traffic directly to your device.

The VPN acts as a relay, receiving inbound traffic on specific ports, then forwarding it securely to your system, effectively bypassing Starlink's CGNAT restrictions.

Using PureVPN: A Real-World Example

PureVPN offers dedicated IP addresses and optional port forwarding, making it compatible with Starlink users looking to enable open ports. Unlike typical VPNs that rotate shared IPs, PureVPN’s dedicated IP option ensures consistent connectivity for services requiring fixed routing.

Step-by-Step: Configure VPN Port Forwarding with PureVPN

1. Sign Up and Choose a Suitable Plan Go to PureVPN’s website and subscribe to a plan that includes port forwarding. This feature is available as an add-on with both monthly and annual subscriptions.
2. Configure the VPN on Your Router or Host System You can install the VPN on your operating system (Windows/Linux/macOS) or directly on a compatible router. Installing it on the router tunnels the entire network through the VPN, while on a host system, it only applies to that individual device.
3. Set the Desired Input/Output Ports After logging into your PureVPN dashboard, locate the Port Forwarding section. Specify which TCP or UDP ports you want to open for inbound traffic. This can include ports for SSH (22), HTTP (80), or any custom service you're hosting.
4. Adjust Firewall Rules Accordingly Modify OS or router-based firewall settings to allow traffic through the specified ports. Ensure NAT rules (if using a custom router) permit forwarding to the service-hosting device.

Weighing the Pros and Cons

Pros: Enables true port forwarding, avoids CGNAT completely, improves privacy and encryption, offers dedicated IP for consistency.
Cons: Adds ongoing subscription costs, may introduce slight latency depending on the server location, some routers require advanced configuration to run VPNs effectively.

Choosing the Right VPN Protocol

Performance and reliability hinge on the protocol chosen. OpenVPN offers solid security with broad support but can be slower due to its code base. WireGuard, on the other hand, delivers significantly faster performance with fewer lines of code and modern cryptography. PureVPN supports both, and user testing regularly shows WireGuard achieving up to 40% better throughput under Starlink connections compared to OpenVPN.

Ready to configure your VPN? What services are you looking to open ports for—home automation, media servers, or gaming? Knowing the use case helps optimize the configuration for speed, security, and stability.

Method 2: Setting Up a Virtual Private Server (VPS)

How a VPS Provides a Static Public IP Address

Starlink assigns private IP addresses to users through Carrier-Grade NAT (CGNAT), blocking direct incoming connections. A Virtual Private Server (VPS), on the other hand, comes with a static public IP address. This allows you to receive external traffic and forward it to your local Starlink network using tunneling techniques. By routing packets through the VPS, you bypass the CGNAT layer completely.

Choosing a VPS Provider

Several VPS providers offer scalable options with reliable uptime and full root access. Here are three commonly used services:

DigitalOcean: Known for simplicity and developer-friendly tools. Droplets start at $4 per month with 1 TB transfer.
Linode: Similar pricing to DigitalOcean with strong community support and regional availability.
AWS Lightsail: Backed by Amazon’s infrastructure, with predictable pricing and robust networking options.

Step-by-Step VPS Setup

Create a VPS Instance

Choose a Linux distribution like Ubuntu 22.04 LTS when spinning up a new instance. Assign minimal CPU/RAM unless you're running resource-heavy services. Make sure SSH access is enabled, and configure your firewall to allow only essential ports (e.g., 22 for SSH, 80/443 for HTTP/HTTPS, or your custom port).

Use SSH Tunneling or Reverse Proxy

Decide between two tunneling strategies based on your intended use:

SSH Reverse Tunnel: Run a command like ssh -R 1234:localhost:22 user@vps_ip on your Starlink-connected device to forward port 1234 on the VPS to port 22 on your local machine.
Reverse Proxy: Set up NGINX or HAProxy on the VPS to inspect incoming traffic and forward it to ports on your Starlink LAN using WebSocket or TCP tunneling protocols.

For persistent access, configure autossh on your local device to maintain the reverse tunnel in the background even after reboots or network interruptions.

Forward Traffic Through the VPS to Your Starlink IP

Once your tunnel is live, all external requests hitting the VPS can be directed to your internal Starlink device. This enables remote access even when CGNAT blocks incoming connections. You can use tools like systemd to configure a script that re-establishes the tunnel at boot time.

Sample Port Forwarding Configuration Using iptables

Here's a basic iptables rule to redirect TCP traffic received on port 2222 of your VPS to port 22 of your remote Starlink LAN device:

iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.2:22
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 22 -j ACCEPT

Adjust the IP address and port as needed. This configuration assumes IP forwarding is enabled on the VPS using sysctl -w net.ipv4.ip_forward=1.

Ideal Use Cases

A VPS-based port forwarding setup works best in scenarios where persistent external access is required. Common examples include:

Hosting a multiplayer game server that must accept player connections at all times.
Running a self-hosted cloud storage solution like Nextcloud accessible from anywhere.
Operating your own web server or remote desktop environment over Starlink.

While this method requires slightly more technical skill than using a VPN service, it offers greater flexibility, full control over network behavior, and scalable performance.

Method 3: Utilizing Reverse Proxies

Redirect Incoming Traffic Using a Reverse Proxy

When Starlink's CGNAT blocks direct inbound connections, a reverse proxy flips the script. Instead of clients reaching out to your server directly, your server maintains an outbound connection to the proxy. The proxy then acts as the public-facing endpoint, routing legitimate requests back through the tunnel. This setup enables external access without requiring public IPs.

Unlike traditional port forwarding, which relies on NAT traversal to punch through layers of firewall, reverse proxies provide a lateral approach—shifting the network architecture’s exposure point to infrastructure under your control.

Popular Reverse Proxy Tools

NGINX: Originally built for performance, NGINX can route HTTP and TCP streams. With its advanced configuration capabilities, NGINX enables precise traffic control on a per-location or per-port basis.
Apache HTTP Server: Apache’s mod_proxy module supports reverse proxying for HTTP, HTTPS, FTP, and more. Useful in complex environments already reliant on Apache.
Cloudflare Tunnel (formerly Argo Tunnel): This SaaS-based solution allows you to expose services through the Cloudflare network securely. No open ports, no public IP needed—it authenticates and encrypts all incoming connections.

Configuration Strategy

To make a reverse proxy effective, bind it to the intended services. First, define which internal services require exposure—examples could be a personal web server on port 80 or an internal admin panel on port 8080.

Modify your reverse proxy’s config file by establishing input listeners. These listeners watch for incoming requests from specified domains or IPs and map them to backend targets. For instance, in NGINX:

server {
    listen 443 ssl;
    server_name yourdomain.com;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
    }
}

This directs all HTTPS traffic received at yourdomain.com to an internal service running on port 8080. Add SSL certificates for encrypted transport. Use Let’s Encrypt for free and automated certificate provisioning.

Reverse proxies also support additional layers such as URL rewriting, connection throttling, and request inspection. These feature sets add flexibility and security beyond a basic port forwarding configuration.

Dynamic Host Rules and Port-Level Customization

You can configure the proxy to respond differently based on request paths or subdomains. For instance, route api.domain.com to a backend API running in Docker, while sending admin.domain.com to a dashboard interface.

List each rule explicitly in your configuration file. Separate services can be sandboxed with different authentication mechanisms, rate limits, or caching policies based on the destination address or port.

For Cloudflare Tunnel, this logic is managed through the dashboard or YAML files. Routes take this structure:

tunnel: tunnel-name
credentials-file: ~/.cloudflared/tunnel-name.json

ingress:
  - hostname: example.com
    service: http://localhost:3000
  - hostname: api.example.com
    service: http://localhost:5000

This makes Cloudflare Tunnel especially powerful for dynamic routing without managing certificates directly or dealing with firewall rules.

Secure Tunneling with SSH or WireGuard: How to Navigate Starlink’s CGNAT

Setting Up SSH Remote Tunnels to a VPS

SSH tunneling operates by creating an encrypted pathway between your local Starlink-connected device and a remote VPS, effectively bypassing CGNAT. By initiating a reverse SSH tunnel, you instruct your VPS to listen on a specific port, which then forwards all inbound data back to your local device.

Here’s the typical syntax for initiating a reverse tunnel from your Starlink device:

ssh -N -R 2222:localhost:22 user@your-vps-ip

This command tells the VPS to listen on port 2222 and direct that traffic to your local machine’s SSH port 22. Any service—from game servers to web interfaces—can be tunneled similarly, provided you adjust the port numbers accordingly. Authentication via public/private key pairs tightens security and reduces login overhead.

Configuring WireGuard for Secure Bi-Directional Access

WireGuard adds persistent VPN functionality with a highly efficient codebase and minimal configuration. Unlike OpenVPN or IPSec, WireGuard maintains a leaner connection profile, which matters on Starlink’s variable-latency environment. It uses UDP transport and operates at the kernel level on most systems, enhancing performance.

Here’s how a basic setup workflow looks:

Install WireGuard on both your Starlink system and remote VPS.
Generate cryptographic key pairs for both systems using wg genkey and wg pubkey.
Define [Interface] and [Peer] sections in configuration files with allowed IPs and endpoint details.
Set firewall rules to accept and forward UDP traffic on the chosen WireGuard port (default 51820 UTC).

Once the tunnel is active, you gain stable, bidirectional access to each system—as though they reside on a private LAN. Services hosted within the tunnel become reachable across Starlink’s locked-down NAT architecture.

Benefits of Encrypted Traffic and Lightweight Setup

Both SSH and WireGuard encrypt all traffic end-to-end, masking content from third parties and reducing exposure to packet sniffing. WireGuard's footprint is negligible—less than 4,000 lines of code. That simplicity translates to faster audits, fewer vulnerabilities, and reliable throughput under Starlink's fluctuations.

SSH doesn’t require any additional software on most systems and is ideal for ad-hoc needs. WireGuard suits users demanding persistent links or multiple client connections over time.

Firewall and NAT Considerations

Starlink's CGNAT prevents unsolicited inbound traffic, but your VPS has no such limitation. Before tunneling begins, configure the VPS's firewall to:

Allow ingress traffic on the SSH port (typically 22) or chosen WireGuard port.
Forward ports to internal services as needed using iptables or nftables.

On your local Starlink device, outbound ports must align with allowed egress traffic, commonly unrestricted unless limited by user-end firewall policies. If using a personal router behind Starlink, ensure NAT rules don’t override tunnel bindings or packet responses.

Want to test tunnel stability? Set up continuous pings or monitor packet loss using mtr. These metrics reveal jitter impacts during peak Starlink congestion.

IPv6 Support and What the Future Holds for Starlink Networking

Does Starlink Offer IPv6 Support Today?

As of early 2024, Starlink does not provide native IPv6 support to residential users. All consumer-tier Starlink connections route traffic over IPv4 through Carrier-Grade NAT (CGNAT), which blocks inbound connections and effectively prevents traditional port forwarding. Without native IPv6 or a public IPv4 address, direct connection hosting remains an issue for most users.

Some users have reported seeing assigned IPv6 addresses internally on Starlink routers, indicating partial backend support or preliminary testing. However, these addresses are not externally routable, and the service still defaults to CGNAT for outbound traffic. SpaceX has not released a public roadmap or documentation confirming full IPv6 rollout for Starlink subscribers.

How IPv6 Can Eliminate CGNAT Problems

IPv6 eliminates the need for CGNAT by assigning publicly routable addresses to every device on a network. When implemented end-to-end, each device gets a globally unique IP, which allows unrestricted inbound and outbound connectivity. In this model:

You can directly access a home server, security camera, or game server without relying on workarounds like reverse proxies or tunneled VPNs.
Port forwarding becomes unnecessary—any port on any device can be accessed from the internet, subject only to firewall rules.
Peer-to-peer applications operate more efficiently, with better latency and fewer failed connection attempts.

IPv6 also supports modern security practices like IPsec natively, and its vast address space solves IPv4 exhaustion permanently. As adoption increases, ISPs that leverage IPv6 avoid the need for complex, large-scale NAT setups.

Current Starlink Firmware and Router Limitations

The standard Starlink router provided with residential service does not allow advanced IPv6 configuration. It lacks an interface for setting custom firewall rules or allocating global unicast delegations to local devices via DHCPv6. The lack of transparency in firmware updates also prevents users from enabling developer options or loading custom firmware like OpenWRT.

Additionally, even if partial IPv6 configurations are visible within diagnostics or debug tools, Starlink's core network still prioritizes IPv4 address allocation through CGNAT. Until the router, satellite firmware, and upstream routing infrastructure synchronize for end-to-end IPv6 delivery, traditional port-forwarding remains off-limits for most Starlink customers.

Future IPv6 support will depend not only on Starlink’s development but also on regional regulators and improvements in device firmware. For now, advanced users seeking true inbound traffic control have to rely on third-party tunneling or VPN-based solutions.

Smarter Remote Access: Configuring Dynamic DNS (DDNS)

Dynamic IP Addresses: The Lingering Challenge with Starlink

Starlink connections are assigned dynamic public IP addresses that can change frequently. Unlike traditional ISPs that may offer static IPs as a premium feature, Starlink relies on Carrier-Grade NAT (CGNAT), which adds another layer preventing you from knowing your true external IP — or even having one you can reach directly. This makes remote access unreliable unless you find a way to dynamically track your network address.

Why Dynamic DNS Eliminates the Guesswork

Dynamic DNS (DDNS) maps a frequently changing IP address to a consistent hostname. Instead of trying to guess your active IP address each time it changes, a DDNS service updates that information automatically, allowing you to point a domain or subdomain (like myhome.duckdns.org) to your current network address in real time.

Combined with tunneling or VPS solutions that bypass CGNAT, DDNS removes the need to manually update IP information when connecting remotely — whether you're accessing a security camera feed, self-hosted application, or SSH terminal.

Reliable DDNS Providers to Consider

DuckDNS – Free, open-source, and easy to integrate. Runs seamlessly with small scripts or Docker containers.
No-IP – Offers a free-tier with automated update tools and optional paid upgrades for custom domains.
DynDNS – Once a go-to service, now mostly used by enterprise or legacy users. Offers strong infrastructure but limited free options.

How to Connect DDNS into Your Setup

Configuring DDNS requires one of two approaches depending on your architecture:

Using a Home Router: Some routers support DDNS natively. Head to the admin dashboard, locate the DDNS section, then input your provider credentials. Supported services vary by vendor — ASUS, Netgear, and TP-Link often include No-IP or DynDNS.
On a VPS Gateway: If you're exposing your home network via a VPS reverse tunnel or VPN, install a DDNS update client on the VPS. It reports the VPS’s public IP address to your DDNS provider. Access is then routed through that stable hostname.

This integration ensures that even when your Starlink IP changes—potentially several times a day—the entry point to your remote service remains consistent and reachable.

Practical Applications of DDNS on Starlink

With DDNS in place, hosting services from home becomes realistic even under CGNAT. Want to monitor a home CCTV feed while traveling? Connect an IoT control panel without breaking cryptographic tunnels? Or stream data directly from a sensor rig in a remote cabin with Starlink as the uplink? DDNS makes all of these scenarios possible with a stable connection point you can bookmark, script against, or automate.

Final Thoughts: Bypassing CGNAT on Starlink with Precision

Starlink’s use of CGNAT doesn’t eliminate the possibility of port forwarding—it changes the strategy. Traditional NAT traversal no longer applies, but CGNAT can be bypassed through practical, well-tested methods.

Here’s what gets results:

VPN with Port Forwarding: Services like PureVPN offer static IPs and built-in port forwarding, streamlining the process for most users without needing server management skills.
Virtual Private Server (VPS): By forwarding traffic through a cloud-based VPS, users gain full control over incoming and outgoing network requests, ideal for hosting servers (e.g., Minecraft, Plex, or web services).
Reverse Proxies: For web-facing applications, solutions like NGINX or Cloudflare Tunnel provide stable inbound connections by relaying requests through an external, reachable IP.
SSH Tunneling or WireGuard: These lightweight and secure methods allow port-specific routing through encrypted tunnels—effective for personal access and light services.

CGNAT doesn’t block you—it just means routing traffic requires a smarter approach. Pair any method with Dynamic DNS to maintain address stability, and always configure firewalls and router settings with security in mind.

For users new to networking, start with a VPN service that includes port forwarding or a Virtual Private Server. Both approaches provide clean workarounds without major changes to local setups.

Ready to move past blocked ports? Choose a method, configure carefully, and monitor connections regularly for the best results.