No IPv6 support? Still? That’s the real problem if so.

Agree. Surely the ISP can assign customers a real IPv6 range, and also a NAT'd IPv4 address for legacy stuff?

I hardly notice if IPv4 stops working, these days.

It's not so bad IMO. I self-host a lot but I use a mesh VPN, tailscale to get to it. It's much safer not having my stuff exposed to the whole internet, I don't need to have incoming ports open, I don't care if my IP changes etc.

Do you get direct connections or are you stuck with the backup relays ?

Can tailscale connect to hosts behind CGNAT?

Yes. They run public DERP servers. I'm no longer on an ISP with CGNAT, but never had an issue - marginally (like 10%?) throughput penalty, but not enough to notice with only a few users. I understand you can run your own DERP, though I never had the need, and it Just Worked.

You can create a tunnel from a cheap VM (or appropriately sized set of VMs) in a cloud.

It's a different, new calculus. The result is still that you have the same server power in your home, if that's what you want.

Yep I access my raspberry pis using rathole via vm. Easy enough.

I prefer mesh vpn because it's an extra authentication layer that Cloudflare tunnels don't have. But if you need to offer services publicly it's a good option true.

Interestingly, you say this. During my AI-driven research that led me toward tunnels, I found that VPN was the less secure approach.

For SSH/Mosh, for example, I chose a WARP tunnel. I set it up with a certificate that expires immediately after each connection. My MFA was explicitly limited to password and Duo SSO Push.

As I mentioned, though, my decision was primarily based on an Agent Mode prompt to ChatGPT, so I'm far from an expert.