I have a gl.inet mango travel router with wireguard and ovpn clients and servers, as well as full WRT functionality. I also have access to VMs with public IPs. I am behind CGNAT with every ISP i have (three total right now, we'll see what starlink has - probably CGNAT as well) when i want to host a game on nintendo switch or whatever, people cannot join because i am NAT type B or worse - i've seen nat type F which means no peer to peer games at all, even if i want to connect to them! So there's a few ways around this. There's Connectify for windows, which will make a hotspot using a wifi card or dongle. Then you need Speedify as well, or any "gaming VPN" service, speedify is integrated with connectify, so i tried that. That worked pretty well, but it costs money. I also have access to a full cone NAT via a fortigate VPN server, but fortigates are expensive, and you have to have a place to put them. So maybe we can use free tier of AWS, google cloud, or azure to get a public IP, and route everything the switch does through it? turns out, YES! with NAT type *A*! i used several articles as a base: https://www.stavros.io/posts/how-to-configure-wireguard/ | http://fileserv.projectftm.com/9e1fcb.png this was how i originally set up the client and the server. https://www.purevpn.com/port-forwarding/diablo-iii | http://fileserv.projectftm.com/2a4e78.png this says that diablo III (and the switch in general) needs *all* UDP ports fwd https://github.com/xiahualiu/wg_gaming_installer/blob/main/wg-gaming-installer.sh | http://fileserv.projectftm.com/c5ea46.png This gave me an idea that i could try full cone https://jramtech.gitlab.io/post/getting-over-cgnat-wireguard-gce/ | http://fileserv.projectftm.com/c4fb34.png this was the next to last article i found, and this NEARLY fixed it! So here's what i did. 1) Reset GL.inet to factory. 2) install gentoo (or whatever) on your server with a public IP 3) enable net.ipv4.ip_forward in /etc/sysctl.conf -> net.ipv4.ip_forward = 1 4) install wireguard-tools (in gentoo you need to have USE="wg-quick" emerge -vaN wireguard-tools) 5) reboot the server 6) log into server and type: umask 077 && wg genkey | tee privatekey | wg pubkey > publickey 7) type: cat *key 8) copy both lines, the top one is privatekey, the bottom one is public key. these are the server keys. 9) paste those somewhere and annotate them 10) rm *key 11) repeat steps 6-9 but annotate these as your peer keys. 12) think about what subnet you're going to use. I used 192.168.2.0/24 for my wireguard subnet, i decided the client will be 192.168.2.2 13) type: ip a s | grep eth0 | tail -n 1 | awk '{print $2}' | sed 's/\/32//' # replace eth0 with whatever your public NIC is (ip a) 14) copy and paste that IP address to your file and annotate it "public IP" 15) sudo nano /etc/wireguard/wg0.conf: paste in [Interface] Address = 192.168.2.1 PrivateKey = server private key (copy and paste) ListenPort = 51820 PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 22 -j DNAT --to-destination 192.168.2.2; iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 192.168.2.2; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source SERVER-PUBLIC-IP PostDown = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 22 -j DNAT --to-destination 192.168.2.2; iptables -t nat -D PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 192.168.2.2; iptables -t nat -D POSTROUTING -o eth0 -j SNAT --to-source SERVER-PUBLIC-IP [Peer] PublicKey = client public key (copy and paste) AllowedIPs = 192.168.2.0/24 16) edit the above to copy and paste your server's private key and client public key where they go, and to edit "eth0" and the SERVER-PUBLIC-IP to the correct values. 17) save this (ctrl-o, ctrl-x) 18) try: sudo wg-quick up wg0 19) if that works, you're done on the server side, if not, you made a typo or something. It will usually say iptables (legacy) ERROR MESSAGE if you made a typo somewhere. 20) go onto your router (or whatever) with wireguard client, log in and set it up: interface: IP Address: 192.168.2.2 private key: paste the client private key here listen port: 51820 dns: 1.1.1.1 (or whatever you want to use - it can't use your existing ones, so you have to put something here) MTU: default i guess? peer: public key: paste your server public key here endpoint host: paste your server ip, then a colon, then 51820, e.g. 55.55.55.55:51820 allowed ips: 0.0.0.0/0 this is important, it forwards ALL traffic through wireguard! keepalive: 25 I have to set this due to weirdness on my end, but 25 is recommended, or 0 for "off" 21) save/apply/whatever 22) connect your switch to your gl.inet or whatever has wireguard on it. 23) go to firewall and port forwarding, and add a rule: Forward 1-65535 from wireguard interface to the switch IP address port 1-65535 24) save the rule. 25) turn the wireguard connection ON. 26) ideally, at least on the gl.inet, you want to enable "internet kill switch" which blocks all traffic in and out of the WAN and forces everything to use the wireguard interface instead. 27) on your nintendo (or whatever) reconnect to your gl.inet wifi. Test connection after it connects. the IP shown should be the SERVER IP the NAT type should be "A" speed test should be "garbage" 28) you're done. I hope this helps. this is mostly to document the changes i had to make with very specific hardware (and gentoo). I may or may not edit this.