---
title: "Vast.ai Behind CGNAT: Public Ports for GPU Hosts Without Router Access"
description: "Learn why Vast.ai and GPU hosts behind CGNAT cannot receive inbound traffic and how to publish SSH, APIs, dashboards, and service ports."
image: "https://needports.com/og-image.svg"
canonical: "https://needports.com/vast-ai-behind-cgnat.html"
html: "https://needports.com/vast-ai-behind-cgnat.html"
---
# Vast.ai behind CGNAT: why inbound ports fail


Learn why Vast.ai and GPU hosts behind CGNAT cannot receive inbound traffic and how to publish SSH, APIs, dashboards, and service ports.


## Quick diagnosis checklist


1. Confirm the service is listening locally.
2. Confirm the service responds from the host itself.
3. Check host firewall rules before changing router rules.
4. Compare the host/router WAN address with the public IP seen by the internet.
5. Test from a different network, not from the same LAN.
6. If inbound traffic still times out, use a public forwarded endpoint instead of relying on upstream NAT.


## Commands to run first


```
# What public IPv4 does the internet see?
curl -4 ifconfig.me

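# What is listening locally?
# Without sudo, process names are shown only for your own sockets;
# with sudo, the owning process of every listener is listed.
ss -tulpen
sudo ss -tulpen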

# Test a local web/API service
curl -v http://127.0.0.1:8080
curl -v http://127.0.0.1:8000/health

# Check common Linux firewalls
sudo ufw status verbose
sudo iptables -S
sudo nft list ruleset
```
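Checklist step 4 compares two addresses: the one on the host/router WAN interface and the one `curl -4 ifconfig.me` reports. The sketch below is an added example, not NeedPorts code, and turns that comparison into a verdict. The function names and verdict strings are illustrative, and the ranges used are the RFC 6598 shared address space (100.64.0.0/10) and the RFC 1918 private blocks.

```bash
# Added example: classify the WAN address and compare it with the public one.

# ip_to_int A.B.C.D -> prints the address as an integer; fails if malformed
ip_to_int() {
  local IFS=. o
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  set -- $1                      # split on dots (input is digits and dots only)
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET BITS -> success when ADDR lies inside NET/BITS
in_cidr() {
  local ip net drop
  ip=$(ip_to_int "$1") || return 2
  net=$(ip_to_int "$2") || return 2
  drop=$(( 32 - $3 ))
  [ $(( $ip >> $drop )) -eq $(( $net >> $drop )) ]
}

# classify_ipv4 ADDR -> cgnat | private | public | invalid
classify_ipv4() {
  ip_to_int "$1" >/dev/null || { echo invalid; return 0; }
  if in_cidr "$1" 100.64.0.0 10; then echo cgnat
  elif in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 ||
       in_cidr "$1" 192.168.0.0 16; then echo private
  else echo public
  fi
}

# diagnose WAN_ADDR PUBLIC_ADDR
#   WAN_ADDR:    address shown on the router/host WAN interface
#   PUBLIC_ADDR: output of `curl -4 ifconfig.me`
diagnose() {
  case "$(classify_ipv4 "$1")" in
    invalid) echo invalid-input ;;
    cgnat)   echo cgnat ;;             # carrier NAT: a router port forward alone is not reachable
    private) echo private-upstream ;;  # another NAT device sits in front of this one
    public)  if [ "$1" = "$2" ]; then echo direct; else echo upstream-nat; fi ;;
  esac
}
```

For example, `diagnose 100.72.14.9 "$(curl -4 -s ifconfig.me)"` prints `cgnat`; only `direct` means the WAN address is the one the internet sees.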

## Setup example


**YOUR_SETUP_TOKEN is shown after signup/trial checkout and binds the client to your assigned endpoint.**


```
curl -fsSL https://api.needports.com/install | sudo bash -s YOUR_SETUP_TOKEN --accept-tos
sudo needports setup --dry-run
sudo needports expose custom --public-port 30000 --local-port 8080 --name "Service" --confirm --restart
curl -v http://your-needports-endpoint:30000
```

## Security notes


- Expose only services you intend to make public.
- Use SSH keys, HTTPS/TLS, app authentication, or IP restrictions where appropriate.
- Never expose the Docker daemon socket or unauthenticated admin panels.
- Keep a private fallback access method for critical systems.
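One way to apply the first and third notes before publishing a port, as an added example that is not part of NeedPorts: read `ss` listener lines and refuse any port owned by the Docker daemon. The function names and the sample lines are constructed; 2375 and 2376 are the ports conventionally used when the Docker Engine API is bound to TCP, and the process-name match needs `ss -p` run as root.

```bash
# Added example. sample_ss prints constructed lines in the format of
# `sudo ss -H -tlnp`; the 2375 line has no process column, as when run unprivileged.
sample_ss() {
  cat <<'EOF'
LISTEN 0 4096   0.0.0.0:8080  0.0.0.0:*  users:(("docker-proxy",pid=2211,fd=4))
LISTEN 0 128    0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.1:2375  0.0.0.0:*
LISTEN 0 4096   0.0.0.0:4243  0.0.0.0:*  users:(("dockerd",pid=990,fd=9))
LISTEN 0 511  127.0.0.1:8000  0.0.0.0:*  users:(("python3",pid=1500,fd=6))
EOF
}

# check_expose_candidate PORT   (listener lines on stdin)
# Prints one verdict and returns non-zero unless the port is safe to consider:
#   refuse-docker-daemon  listener is dockerd, or the port is 2375/2376
#   no-listener           nothing is listening on PORT
#   ok-loopback           service is bound to loopback only
#   ok-non-loopback       service is already reachable on another interface
check_expose_candidate() {
  local want="$1" verdict=no-listener state rq sq laddr rest
  while read -r state rq sq laddr rest; do
    [ "$state" = LISTEN ] && [ "${laddr##*:}" = "$want" ] || continue
    case "$want:$rest" in
      2375:*|2376:*|*'"dockerd"'*) echo refuse-docker-daemon; return 1 ;;
    esac
    case "${laddr%:*}" in
      127.*|'[::1]') [ "$verdict" != no-listener ] || verdict=ok-loopback ;;
      *) verdict=ok-non-loopback ;;
    esac
  done
  echo "$verdict"
  [ "$verdict" != no-listener ]
}
```

On a real host, feed it live data with `sudo ss -H -tlnp | check_expose_candidate 8080` and continue to the expose step only when it succeeds.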


## Related guides


[CGNAT port forwarding](/cgnat-port-forwarding.html), [Vast.ai port forwarding](/vast-ai-port-forwarding.html), [NeedPorts client commands](/client-commands.html), and [NeedPorts security model](/security.html).


## FAQ


**Why is my Vast.ai host online but not reachable?**


The host may be able to make outbound connections while inbound traffic is blocked by CGNAT, upstream firewalling, Docker bind settings, or a local firewall.


**Does Vast.ai always provide public inbound ports?**


Not always. Your machine, ISP, datacenter, or rented network path may still prevent unsolicited inbound connections.


**Can NeedPorts expose SSH for a Vast.ai host?**


Yes. Map an assigned public port to local SSH, then connect with `ssh -p`. Use SSH keys and do not leave root login exposed with password authentication.


**Can I expose Docker services or APIs?**


Yes. Expose the host port that Docker publishes locally, then test the public NeedPorts endpoint from outside.


**Do I need router access?**


No. NeedPorts uses an outbound tunnel, so it can work when router access or ISP port forwarding is unavailable.

