Starlink's CGNAT blocks inbound connections, breaking corporate VPNs for remote workers

Remote workers in rural areas who depend on Starlink sit behind Carrier-Grade NAT (CGNAT): many subscribers share one public IPv4 address, so the network drops every unsolicited inbound connection. That breaks site-to-site VPNs, SSL VPN concentrators (such as Fortinet and Cisco AnyConnect) that require direct IP reachability, self-hosted services, and the IP-based security policies that corporate IT departments enforce. The real pain: a rural employee who moved to a small town for affordable housing discovers during onboarding that the company's VPN flatly refuses to connect through Starlink. IT says 'get a real ISP', but there is no other ISP. The employee either buys a $10/month third-party static IP tunnel (Tailscale, ZeroTier, or Core Transit's Static IP Anywhere), convinces the IT department to reconfigure the entire VPN topology, or loses the job. The problem persists because Starlink cannot allocate an individual IPv4 address to each of millions of subscribers (IPv4 exhaustion), and most corporate IT departments have never tested their VPN stacks against CGNAT, because it was historically a mobile-carrier problem, not a home-internet problem.
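The first thing a help desk should establish is whether the worker is actually behind CGNAT and which of the mechanisms above that rules out. The check below is an added example written for this page (not code from Starlink or any vendor named here); it assumes the ISP hands out RFC 6598 shared address space (100.64.0.0/10, which is what CGNAT deployments use) on the router's WAN side, and it takes as optional input the source address an external party (for example the VPN concentrator's log) recorded for the same session.

```python
import ipaddress
from typing import Optional

# RFC 6598 shared address space: the block an ISP assigns to subscriber routers
# behind carrier-grade NAT. A WAN address in here is never reachable from outside.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: the router sits behind a second, local NAT (e.g. a mesh node).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_address(wan_ip: str, observed_public_ip: Optional[str] = None) -> str:
    """Classify the address the subscriber's router holds on its WAN interface.

    observed_public_ip is what a remote peer saw as the source address. If it
    differs from a public wan_ip, a NAT layer exists upstream that the router
    itself cannot see. CGNAT is an IPv4 problem, so IPv6 input is rejected.
    """
    addr = ipaddress.ip_address(wan_ip)
    if addr.version != 4:
        raise ValueError("CGNAT classification applies to IPv4 only")
    if addr in CGNAT_SPACE:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "private"
    if observed_public_ip and ipaddress.ip_address(observed_public_ip) != addr:
        return "public-behind-nat"
    return "public"


def vpn_reachability(wan_ip: str, observed_public_ip: Optional[str] = None) -> dict:
    """Translate the address class into what will and will not work.

    inbound_reachable: site-to-site tunnels and anything the concentrator must
    initiate toward the worker. ip_allowlist_safe: whether a firewall rule
    pinned to the observed public IP identifies this subscriber. Under CGNAT it
    identifies a pool shared with strangers, so the rule is both brittle (the
    pool address changes) and over-permissive (it admits other subscribers).
    needs_overlay: a client-initiated overlay or static-IP tunnel is required.
    """
    kind = classify_wan_address(wan_ip, observed_public_ip)
    inbound = kind == "public"
    return {
        "address_class": kind,
        "inbound_reachable": inbound,
        "ip_allowlist_safe": inbound,
        "needs_overlay": not inbound,
    }
```

Feed it the WAN address from the router's status page and, if available, the client source address from the concentrator's connection log; a "public-behind-nat" result means the ISP is translating even though the CPE shows a routable address.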

Evidence

Fortinet community threads document SSL VPN failures behind CGNAT (community.fortinet.com). PureVPN published a dedicated guide, 'How to Port Forward on Starlink and Bypass CGNAT', confirming that the issue is widespread. OPNsense forum users report WireGuard VPNs completely non-functional behind CGNAT that their ISP had not disclosed. Workarounds such as Tailscale and ZeroTier exist but require IT policy changes that most enterprises won't make for a single employee.
