You have a machine connected to the internet via a shiny new cellular modem, that you want to manage remotely. You quickly check the external IP address and try to log in from another PC. Try what you want, SSH just won’t connect. What gives?
The reality of the modern internet is that most customers are no longer given a unique IPv4 address. There just isn’t enough left to walk around. Instead, most telecom operators use it Carrier Grade Network Address Translation This allows a single external address to be shared by many customers. This can stand in the way of direct connection attempts from outside. Even if it doesn’t, most cellular operators block incoming connections by default. However, there is a way around this problem – by using a VPN.