NAT VPS Common Issues & Solutions
"A practical guide to the most common issues when using NAT-type VPS, including SSH connection, port forwarding, service binding, kernel module limitations, and more."
NAT VPS differs fundamentally from a KVM with a dedicated IP: multiple VMs share a single public IP and expose services through port forwarding. This makes them very affordable, but introduces a few unique gotchas. This post covers the most common issues and how to fix them.
1. Can’t Connect via SSH
Symptom: After getting the VPS, ssh root@<IP> fails or returns Connection refused.
Reason: A NAT VPS has no dedicated public IP. The external address is the host machine’s entry host, and SSH is not on port 22 — it’s mapped to a different port via port forwarding.
Fix:
Go to the instance detail page in the control panel and find the SSH section. The system generates the full connection command automatically:
ssh root@<entry_host> -p <host_port>
For example, if the entry host is node1.example.com and the mapped SSH port is 23456:
ssh root@node1.example.com -p 23456
If no SSH command appears, you haven’t added a port forwarding rule for internal port 22 yet. Go to the Port Forwarding card and add a TCP rule:
| VM Port (internal) | Host Port (external) |
|---|---|
| 22 | any available port |
Refresh the page after saving — the SSH command will appear automatically.
2. Port Forwarding Added but External Access Times Out
Symptom: You added a port forwarding rule in the panel, but curl or browser access from outside always times out.
Most common cause: the service is only listening on 127.0.0.1, not 0.0.0.0.
Port-forwarded traffic arrives at the VM through its internal network interface, not the loopback (lo). If your service is bound to 127.0.0.1, the forwarded traffic can never reach it.
Check what address your service is listening on:
ss -tlnp
# or
netstat -tlnp
The Local Address for your port should show 0.0.0.0:<port> or :::<port> (IPv6), not 127.0.0.1:<port>.
How to fix common services:
Nginx:
# Wrong
listen 127.0.0.1:8080;
# Correct
listen 0.0.0.0:8080;
# or simply
listen 8080;
Node.js / Python:
// Node.js — wrong
app.listen(3000, '127.0.0.1')
// Correct
app.listen(3000, '0.0.0.0')
# Python Flask — wrong
app.run(port=5000)
# Correct
app.run(host='0.0.0.0', port=5000)
3. External Port Must Be Above 1024
Symptom: Trying to map internal port 80 or 443 directly to external port 80/443 fails or won’t save.
Reason: Ports below 1024 on the host are reserved by the system or other services. The platform enforces that all external (host) ports must be ≥ 1024.
Fix:
Internal ports have no restriction — they can be any value (22, 80, 443, etc.). Just pick an external port above 1024:
| Internal Port | External Port (example) |
|---|---|
| 80 | 18080 |
| 443 | 14443 |
| 3306 | 13306 |
If you need standard HTTP/HTTPS access via a domain, use the Cloudflare custom origin port approach (see section 6).
4. Can’t Run WireGuard / OpenVPN (Missing Kernel Modules)
Symptom: After installing WireGuard, wg-quick up wg0 errors with Cannot find device "wg0" or RTNETLINK answers: Operation not permitted.
Reason: NAT VPS environments are typically containers without access to /dev/net/tun or WireGuard kernel modules.
Fix: use userspace mode.
Tailscale (recommended): Run with --tun=userspace-networking — no kernel support needed. See Tailscale Userspace Networking Guide.
WARP (Cloudflare exit IP): Run via WireProxy in userspace. See WARP in Userspace Mode.
Check if tun is available:
ls /dev/net/tun 2>/dev/null && echo "tun available" || echo "tun not available"
5. UDP Port Forwarding Not Working
Symptom: After adding a port forwarding rule, TCP services work fine but UDP-based services (games, DNS, some VPNs) get no response.
Reason: TCP and UDP forwarding rules are independent. Adding a TCP rule does not automatically cover UDP on the same port.
Fix: In the Port Forwarding card, add a separate UDP rule for the same internal/external port pair.
Example for Minecraft (default port 25565):
| Protocol | Internal Port | External Port |
|---|---|---|
| TCP | 25565 | 25565+ |
| UDP | 25565 | 25565+ (same external port) |
6. Hosting a Website with a Domain (Cloudflare Custom Origin Port)
NAT VPS external ports are always above 1024, but with Cloudflare as a reverse proxy, visitors still access your site on standard 80/443 — Cloudflare connects to your actual exposed port on the backend. No extra software needed on the VM.
How it works: Visitor → Cloudflare (443) → your entry host:non-standard port → VM service
Steps:
Step 1: Add a port forwarding rule in the panel
Map your VM’s web service port to an external port. Using a Cloudflare natively supported port saves you from configuring Origin Rules:
| Use | Recommended external ports | VM internal port |
|---|---|---|
| HTTP | 8080 / 2052 / 2082 / 2086 / 2095 | 80 (or your actual service port) |
| HTTPS | 8443 / 2053 / 2083 / 2087 / 2096 | 443 |
Cloudflare proxies to these ports without extra configuration. Full list: Cloudflare Network Ports.
Step 2: Add an A record in Cloudflare DNS
| Type | Name | Content | Proxy status |
|---|---|---|---|
| A | @ or subdomain | NAT VPS entry host IP | Proxied (orange cloud) |
Step 3 (optional): Use Origin Rules for any port
If your external port is not in the supported list above (e.g. 18080), configure a custom origin port in Cloudflare:
- Go to your domain → Rules → Origin Rules
- Create a new rule, set match condition to
All incoming requests(or a specific hostname) - Set Destination Port to your external port (e.g.
18080) - Save and deploy
Cloudflare will now route all traffic to entry_host:18080 while visitors still see standard 80/443.
Verify it’s working:
# A cf-ray header in the response confirms Cloudflare is proxying correctly
curl -I https://yourdomain.com
7. IPv6 Direct Access (No Port Forwarding Needed)
Symptom: You want a service to have its own IP, or need direct access without going through port forwarding.
Some NAT VPS nodes provide a full IPv6 address that can communicate directly with the outside world, unrestricted by NAT. Check the machine description before purchasing to confirm IPv6 support.
Find your VM’s IPv6 address:
On the instance detail page, look next to the Entry Host — if an IPv6 address is shown, it’s ready to use. You can also check inside the VM:
ip -6 addr show
SSH directly over IPv6 (no port forwarding required):
# Wrap the IPv6 address in brackets
ssh root@[2001:db8::1]
Make a service listen on both IPv4 and IPv6:
Listening on 0.0.0.0 only covers IPv4. To also accept IPv6 connections:
# Nginx
listen [::]:80;
listen 80;
Note: IPv6 traffic bypasses port forwarding entirely, meaning any port on your VM is directly reachable from the internet. Use a firewall (
iptables/ufw) to restrict access.
8. Forgot SSH Password
On the instance detail page, find the Credentials section — the password is hidden by default, click the eye icon to reveal it.
If you changed the password inside the VM, the panel still shows the original one. Use the Reset Password feature instead:
- Go to the instance detail page
- Click Settings → Reset Password
- Enter a new password, or leave it blank to have one generated
- Wait for the VM to restart, then log in with the new password
Resetting the password restarts the VM, which will interrupt any running services.
9. When Does Traffic Reset
Traffic resets automatically on the 1st of each month at midnight (UTC+8) — no manual action needed.
The traffic progress bar on the instance detail page shows your current month’s usage. If traffic runs out before month end, the VM’s network is suspended and resumes automatically on the 1st of the next month.
10. VM Is Unresponsive / Can’t SSH In
If SSH is down and services are unreachable, use the in-browser Console to access the VM directly:
- Go to the instance detail page
- Click the Console button to open the in-browser terminal
- This works independently of the network and port forwarding
Common troubleshooting steps:
# Check system logs for the root cause
journalctl -xe --no-pager | tail -50
# Check if disk is full
df -h
# Check memory
free -h
# Restart a specific service
systemctl restart <service-name>
If the console is also unresponsive, use the Force Restart button in the panel — it’s equivalent to a hard reboot and usually restores access.
NAT VPS offers great value but has a steeper learning curve than a dedicated-IP VPS. With the tips above, the vast majority of use cases work just fine. If you run into something not covered here, feel free to reach out via a support ticket.