You set up a WireGuard server, a game server or a NAS at home — and from outside, nothing connects. The missing piece is almost always port forwarding: the router setting that opens a deliberate doorway to a service on your network. This guide explains what port forwarding is, how to set it up, the security risks to respect, and the CGNAT wall that stops it — with the alternative when it does.
What port forwarding is
By default, your router uses NAT to share one public IP across all your devices, and it blocks unsolicited inbound connections — so nothing on the internet can reach a service running at home. That's good for security, but it also means your self-hosted server is unreachable.
Port forwarding creates a controlled exception: a rule that says "traffic arriving on external port X goes to this device's local IP and port." Send WireGuard's UDP port to your server's 192.168.1.50, and suddenly your tunnel is reachable from anywhere.
How to set it up
- Give the device a static local IP (reserve it in your router's DHCP) so the rule doesn't break later.
- Open your router's admin page (often
192.168.1.1), find Port Forwarding (a.k.a. "Virtual Server" or "NAT"). - Add a rule: external port, protocol (WireGuard = UDP), and the device's internal IP and port.
- Save and test from outside — use mobile data, not your own Wi-Fi (many routers don't loop back internally).
For the WireGuard server itself, see self-hosting a VPN on Contabo with WireGuard, and pair port forwarding with dynamic DNS so a changing home IP doesn't break access.
The security side
Every forwarded port is an open door to one service — so the risk is exposing something weak:
- Forward the minimum — ideally one well-secured entry point.
- Keep that service updated and authenticated (no default passwords, no exposed admin panels).
- Prefer a properly configured VPN (WireGuard) as your single forwarded port, then reach everything else through the tunnel, rather than forwarding many services directly.
Never forward a port to a service you haven't hardened.
The CGNAT wall — and the fix
The most common reason port forwarding "doesn't work" isn't a misconfigured rule — it's CGNAT. Many ISPs (especially mobile and some fibre) put you behind Carrier-Grade NAT, where you share a public IP with other customers and have no real public IP of your own. No router rule can forward a port you don't control.
Check: if your router's reported WAN IP doesn't match what a "what's my IP" site shows, you're behind CGNAT. The fixes: ask your ISP for a public IP, use an overlay network (Tailscale/NetBird) that needs no inbound port, or run your service on a cheap VPS with a permanent public IP. A Contabo VPS at €4.99/month gives you a real public IP and a clean WireGuard entry point with no port-forwarding or CGNAT headaches — compare hosts in our best self-hosted VPN guide.
The bottom line
Port forwarding opens a deliberate doorway through your router's NAT so the internet can reach a service at home — essential for a self-hosted WireGuard server, and best paired with a static local IP and dynamic DNS. Forward only what you've secured, prefer a single VPN entry point, and if CGNAT blocks you, a cheap VPS with a permanent public IP is the clean way around it.
Editorial guide based on how NAT, port forwarding and CGNAT work on home networks. Results depend on your ISP and router. Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you.
★ Nuremberg GDPR datacenter · ✓ Dedicated IPv4 included · 200+ Mbps guaranteed
Self-host your VPN on your own VPS → ContaboFull root access · public IPv4 · pick your region→
