44Net Connect + WireGuard setup for ASL3 nodes behind CGNAT

Hello everyone,

I wanted to share a guide I put together (assisted by AI) after successfully moving my ASL3 nodes to 44Net Connect WireGuard tunnels using my own allocated 44Net IP addresses.

This solved the remote-access problem caused by my ISP using CGNAT. With CGNAT, normal inbound port forwarding is not practical or reliable, but using 44Net Connect and WireGuard allows the node to be reachable through a routed 44Net address without depending on my ISP for inbound access.

The guide includes the full process I used:

  • Clean reset of old WireGuard configuration
  • Fresh WireGuard install
  • Key generation
  • 44Net Connect tunnel creation
  • wg0.conf setup
  • systemd autostart
  • DNS optimization to prevent slow ASL node lookups and delayed connections
  • Basic troubleshooting notes

I would like to thank Dave, N3DMC, for his support helping me resolve my remote connection issues, for originally hosting my nodes through his servers, and for pointing me toward the 44Net Connect resource so I could experiment with my own 44Net allocation and WireGuard tunnels.

I hope this helps other hams who are trying to run AllStarLink nodes behind CGNAT or who want a cleaner routed 44Net-based remote access setup.

I cannot upload the document here; if you are interested, send me a note at kx9bby@gmail.com

73,
KX9BBY

Please also see the official/supported configuration guide: 44Net Connect for ASL - AllStarLink Manual

If you have suggestions or expansions, it'd be great for you to contribute them to the official manual rather than creating a separate document.

A side question: I've gone through the documentation but my answer wasn't exactly clear. Is 44Net handing out single /32 addresses for each tunnel? Or is this a multi IP delegation?

Hi K6CRS!
Once your callsign is validated after you register, you can request a 44.XXX network allocation. A /29 allocation is auto-approved; this will give you 8 IP hosts, 6 of which are usable for your experimentation. Hope this helps; the rest of my post is the actual programming process for my nodes. Josue - KX9BBY

Another note: from your /29 allocation you can subdivide your network into individual /32 IPs, or however you want to subdivide your total usable hosts.

Thanks. I already have an allocated /26...I was trying to wrap my head around how they were tunneling individual ASL nodes.

I might have to reach out to 44Net and see if they will tunnel my already established allocation.

Carl/K6CRS

The 44Net Connect ranges are completely different from any BGP or AmprNet/IPIP allocation you have. For example, I have a separate BGP-announced /24 from my 44Net Connect IP. You get a single /32 by default for one point-to-point public IP.

This is not correct for 44Net Connect. By default, you get a single point-to-point IP address allocated to you as a /32.

Ok...that makes sense. Thank you.

Carl/K6CRS

Nice :)

For me, Vultr does the BGP for me. Then I have 2 VPS running: one is running BIRD IRD, and on the 2nd I run CHR Mikrotik to hand out WireGuard configs. Fairly simple. Most of my ASL3 nodes are on Proxmox containers; the only ill effect is I can't use any USB radio :( Otherwise IAX2 acct work for me and my friends. 73