Bypassing CGNAT: frp, Tailscale, ZeroTier, and Caddy compared for self-hosting
This review evaluates four tools—frp, Tailscale, ZeroTier, and Caddy—for exposing local services behind Carrier-Grade NAT. We assess their suitability for port forwarding, selective application tunneling, and low-latency game servers.
TL;DR
Best for: Tailscale for most users needing a flexible, secure, low-latency solution for both application-specific tunneling and game servers behind CGNAT. Its ease of setup and WireGuard-based performance are strong advantages.
Skip if: You only need to expose a single HTTP/S service and prefer a dedicated web server/reverse proxy; Caddy is more appropriate then. If you require absolute minimal overhead for a single port forward and are comfortable with manual configuration, frp offers a simpler, more direct approach.
Bottom line: For the diverse requirements of exposing local services and game servers behind CGNAT, Tailscale provides the most comprehensive and user-friendly solution among the options considered.
METHODOLOGY
This v0 review draws on the founder's published claims and public documentation for frp, Tailscale, ZeroTier, and Caddy. Independent benchmarks are pending. Update cadence: re-tested when claims diverge from observed behavior or significant new versions are released.
This review covers:
- frp (Fast Reverse Proxy): Version 0.52.3, observed 2026-05-19. Focus on its direct port forwarding capabilities for TCP and UDP.
- Tailscale: Latest stable release (as of 2026-05-19). Focus on its mesh VPN, NAT traversal, and secure tunneling features.
- ZeroTier: Latest stable release (as of 2026-05-19). Focus on its SD-WAN and virtual LAN capabilities.
- Caddy: Version 2.7.6, observed 2026-05-19. Focus on its reverse proxy and TCP proxy modules.
The source signal, a Reddit post by Kpuku on r/selfhosted, details the challenge of operating behind CGNAT in a country with limited public IPv4 and IPv6. Kpuku specifically asks about exposing services like Soulseek and game servers, requiring both general port forwarding and application-specific tunneling across Windows and macOS, with an emphasis on minimal latency for UDP-based game servers.
What's not covered in this review: Independent performance benchmarks (latency, throughput), long-term workflow integration, or deep dives into specific edge cases for each tool. Our assessment is based on the stated capabilities and architectural design of each tool against Kpuku's requirements.
WHAT IT DOES
Direct Port Forwarding with frp
frp (Fast Reverse Proxy) is an open-source tool designed for exposing local services behind NAT or firewalls to the internet. It operates by establishing a connection from a client (frpc) running on the local machine to a server (frps) on a publicly accessible VPS. Once connected, frp can forward TCP, UDP, HTTP, and HTTPS traffic from the VPS's public IP and port to a specified local service. Its configuration is file-based, making it straightforward for direct, one-to-one port mapping.
Mesh VPN and NAT Traversal with Tailscale
Tailscale builds a secure mesh VPN network using WireGuard. It assigns each device on the network a private IP address, allowing direct, peer-to-peer communication even if devices are behind CGNAT or firewalls. Tailscale handles NAT traversal automatically. For exposing services, tailscale serve can publish local services to the Tailscale network, or a subnet router can expose entire local subnets. It provides clients for Windows, macOS, Linux, and mobile platforms, simplifying setup across diverse operating systems.
SD-WAN and Virtual LAN with ZeroTier
ZeroTier creates a virtual Ethernet network that connects devices globally, regardless of their physical location or network configuration. Similar to Tailscale, it assigns virtual IP addresses and facilitates direct peer-to-peer connections, bypassing CGNAT. ZeroTier's approach allows for fine-grained control over network rules and access policies. It supports a wide range of operating systems, including Windows and macOS, enabling the creation of a unified network for distributed applications and services.
HTTP/S Reverse Proxy with Caddy
Caddy is an open-source web server and reverse proxy known for its automatic HTTPS capabilities. While primarily designed for web services, Caddy can also act as a generic TCP reverse proxy using its tcp proxy module. This allows it to forward arbitrary TCP traffic from a public IP to a local service. However, Caddy's core strength lies in HTTP/S handling, including load balancing, caching, and automatic certificate management via Let's Encrypt. It is less suited for raw UDP forwarding or complex application-specific routing beyond HTTP/S.
WHAT'S INTERESTING / WHAT'S NOT
Kpuku's core challenge is CGNAT, which prevents direct inbound connections. All four tools offer a way around this, but their approaches and suitability for specific use cases vary significantly. The request for minimal latency for game servers (implying UDP) and tunneling only some programs/addresses are key differentiators.
frp is interesting for its simplicity in direct port forwarding. If the goal is solely to expose a single TCP or UDP port from a VPS to a local machine, frp is lightweight and efficient. Its configuration is explicit, which can be a benefit for those who prefer granular control over each forwarded port. What's not interesting is its lack of integrated security beyond the tunnel itself, and its limited capabilities for application-specific routing without complex, manual setups for each program. It doesn't inherently create a network that applications can selectively use.
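As an added illustration of the file-based frpc/frps pairing described above, and of where the security that frp does offer has to be configured by hand, here is a constructed frps.toml and frpc.toml (TOML format, as used by frp 0.52.x) that expose a TCP port for Soulseek and a UDP port for a game server. This is example configuration written for this review, not taken from the frp project; the hostname, token and port numbers are placeholders.

```toml
# frps.toml: runs on the public VPS (constructed example; values are placeholders)
bindPort = 7000
# Shared secret: a client that does not present it cannot register proxies
auth.method = "token"
auth.token = "REPLACE_WITH_LONG_RANDOM_SECRET"
# Restrict which public ports clients may claim, so a compromised or
# misconfigured client cannot publish arbitrary ports on the VPS
allowPorts = [
  { single = 2234 },
  { start = 27015, end = 27020 },
]

# frpc.toml: runs on the machine behind CGNAT (constructed example)
serverAddr = "vps.example.invalid"
serverPort = 7000
auth.method = "token"
auth.token = "REPLACE_WITH_LONG_RANDOM_SECRET"
# Encrypt the frpc-to-frps connection; the token only authenticates, it does not encrypt
transport.tls.enable = true

# Soulseek listens on TCP; 2234 is its default listen port
[[proxies]]
name = "soulseek-tcp"
type = "tcp"
localIP = "127.0.0.1"
localPort = 2234
remotePort = 2234

# Game server traffic is UDP; frp relays the datagrams through the VPS,
# so every packet takes the client -> VPS -> player path (no direct peering)
[[proxies]]
name = "game-udp"
type = "udp"
localIP = "127.0.0.1"
localPort = 27015
remotePort = 27015
```

Each additional program needs its own `[[proxies]]` entry on the client and a matching `allowPorts` range on the server, which is the per-program manual setup the paragraph above refers to.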
Tailscale and ZeroTier are particularly interesting because they create a virtual network, allowing devices to communicate as if they were on the same LAN. This is crucial for Kpuku's requirement to tunnel only some programs/addresses. Both offer features like subnet routers or network rules that can be configured to route specific application traffic through the VPS while other traffic uses the local internet connection. Tailscale, with its WireGuard foundation, is known for its performance and ease of setup, making it a strong contender for low-latency game servers (UDP traffic). ZeroTier offers similar capabilities with a different underlying architecture, providing robust SD-WAN features that might appeal to users needing more advanced network control. What's not interesting about these for simple cases is the overhead of a full VPN solution if only a single port needs to be exposed, though their benefits often outweigh this minor complexity.
Caddy is interesting for its automatic HTTPS and ease of configuration for web services. If Kpuku were primarily exposing a web server, Caddy would be the top choice for its simplicity and security features. Its tcp proxy module allows it to technically forward non-HTTP/S TCP traffic. What's not interesting, and indeed a significant drawback for Kpuku's use case, is its poor fit for UDP traffic (essential for many game servers) and its lack of native features for application-specific routing or creating a virtual network for multiple services. Using Caddy for game servers or Soulseek would likely introduce unnecessary complexity and latency, as it's an application-layer proxy rather than a network-layer tunnel.
For Kpuku's specific needs—especially the selective tunneling for applications like Soulseek and low-latency UDP for game servers—Tailscale and ZeroTier offer a more robust and integrated solution than frp or Caddy. They provide the network layer necessary for applications to