Part 4 — The Battle Against CGNAT

There are moments in self-hosting where everything suddenly becomes very real.

For me, that moment was realizing my ISP had quietly placed me behind CGNAT.

At first glance, everything looked normal.

The DDNS updater reported a public IP.
DNS records updated successfully.
The internet appeared reachable.

Except one tiny detail:

My router’s WAN address began with:

10.x.x.x

That was the giveaway.

Because despite appearances, the homeserver was not truly reachable from the internet.

The ISP had effectively placed multiple customers behind a shared public address.
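The check that exposes this situation is simple enough to script: compare the address the router shows on its WAN interface with the address the outside world (the DDNS updater, or any "what is my IP" service) actually sees. The following is an added example, not code from the original post; it classifies the WAN address against the RFC 1918 ranges (the 10.x.x.x case above) and, going one step beyond the post, the RFC 6598 shared address space 100.64.0.0/10 that is reserved specifically for CGNAT. The sample addresses are constructed; the documentation range 203.0.113.0/24 stands in for a real public address.

```python
"""Diagnose whether a home router's WAN address indicates ISP-side NAT (CGNAT).

Added example for this post, not the author's code. Assumes you can read the
WAN address from the router and the externally observed address from a DDNS
updater or similar; both are passed in as strings.
"""
import ipaddress

# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, allocated for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# Other ranges that can never be a directly reachable public IPv4 address.
SPECIAL = [ipaddress.ip_network(n) for n in
           ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Documentation ranges (e.g. 203.0.113.0/24) are deliberately NOT excluded:
# they are the conventional stand-in for public addresses in examples.


def classify_wan(wan_ip: str) -> str:
    """Return a label describing what kind of address the WAN interface holds."""
    addr = ipaddress.ip_address(wan_ip)
    if addr.version != 4:
        return "ipv6"
    if addr in CGNAT_SHARED:
        return "cgnat-shared-space"
    if any(addr in net for net in RFC1918):
        return "rfc1918-private"
    if any(addr in net for net in SPECIAL):
        return "non-public-special"
    return "public"


def diagnose(wan_ip: str, observed_ip: str) -> dict:
    """Combine the WAN address class with the externally observed address.

    Inbound connections (port forwarding, a reverse proxy) can only work when
    the router itself holds a public address AND that is the same address the
    outside world sees; any mismatch means a NAT or proxy sits in between.
    """
    kind = classify_wan(wan_ip)
    same = ipaddress.ip_address(wan_ip) == ipaddress.ip_address(observed_ip)
    if kind == "public" and same:
        reachable = True
        verdict = "direct public IPv4; port forwarding can reach the router"
    elif kind in ("cgnat-shared-space", "rfc1918-private"):
        reachable = False
        verdict = "WAN address is not public: ISP-side NAT (CGNAT) is in the path"
    elif kind == "public":
        reachable = False
        verdict = "WAN address is public but differs from the observed address: another NAT or proxy upstream"
    else:
        reachable = False
        verdict = f"unexpected WAN address class: {kind}"
    return {
        "wan_class": kind,
        "matches_observed": same,
        "inbound_reachable": reachable,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample: the situation described in the post, before and after
    # the ISP moved the connection off CGNAT.
    before = diagnose("10.23.4.5", "203.0.113.7")     # WAN is 10.x, DDNS saw a public IP
    after = diagnose("203.0.113.7", "203.0.113.7")    # WAN now equals the observed IP
    for label, result in (("before", before), ("after", after)):
        print(f"{label}: {result['verdict']} (reachable={result['inbound_reachable']})")
```

The "DDNS reported a public IP, so everything must be fine" trap is exactly the `rfc1918-private` branch: the updater reports the address of the ISP's NAT, not yours, so the DNS record is technically correct and the server is still unreachable.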

This led to one of the more satisfying support emails I have ever written:

“Could you please provide a public IPv4 address not behind CGNAT?”

To my surprise, the answer arrived quickly.

And suddenly:

Everything changed.

DNS records now pointed to an actually reachable public IP.
The homeserver became publicly addressable.
And the project crossed another invisible threshold:

It was no longer merely self-hosted.

It was internet-facing.

That realization immediately triggered a new wave of concerns:

  • security

  • reverse proxies

  • HTTPS

  • attack surfaces

  • port forwarding

  • infrastructure ownership

This was also the moment I decided against relying heavily on Cloudflare tunnels and third-party routing.

Not because Cloudflare is bad.
But because the entire philosophy behind the project increasingly revolved around ownership and control.

If I was going to build this ecosystem properly, I wanted:

  • my domain

  • my DNS

  • my routing

  • my certificates

  • my infrastructure

That decision led directly into the most educational part of the entire journey:

Reverse proxies.

And, eventually:

The Great nginx vs Caddy War.