Access IPFire box via VPN through CGNAT

jon · 30 January 2023 22:14

One of my kids lives in a building that is wired with Internet using CGNAT (Carrier-grade NAT). I am guessing the IPFire device will work fine except for VPN (like IPsec).

I am wondering how other CGNAT homes/businnesses have gotten VPN to work. Is it possible?

I’ve searched the ISP web-site and there is nothing mentioned about requesting non-CGNAT or even a static IP address. They seem like a small company…

EDIT:
Incase this is not clear, I am trying to access the Kid IPFire box via the Internet via IPSec VPN

roberto · 31 January 2023 07:01

Hi @jon.

In my experience, within a CGNAT you have to ask the operator to take you out of that mode.

As an operator I have DIGI and they have CGNAT. For OpenVPN to work, I had to get out of CGNAT for 1 Euro more per month (dynamic ip).

I don’t know if there is another way to do it, but that’s my experience.

You will tell us.

Regards.

bonnietwin · 31 January 2023 12:03

From what I have read it looks like the only option, other than asking for a non-CGNAT connection, is to make a connection to an external VPN server, so that IPFire is the client.

That could be done either with a commercial VPN provider or you could set up a hosted machine at an external hosting company that gets a VPN server installed on it. That machine then acts as the VPN server with IPFire as the VPN client.

Neither is an easy option but those are what I found mentioned as how to overcome the CGNAT issue for VPN connections.

Sorry I can’t be more helpful.

hvacguy · 31 January 2023 15:57

Not built into WUI of ipfire.

So no free solution.

Son VPN into your ipfire from CGNAT then
He can VPN into your ipfire from remote location back to his home.
Firewall rules abound.

jon · 1 February 2023 21:12

thank you for your thoughts and comments! Not sure what I’ll do at the moment.

Maybe a part-time (as needed) Net-to-Net IPsec VPN connection from the remote kid IPFire to the home IPFire.

Thanks again!

cfusco · 8 May 2023 14:06

@Jon I recently thought to solve a similar problem using SSH instead of VPN, having the tunnel established from inside of the CGNAT network.

I am planning to use a ssh port forward, to open a tunnel forwarding the wui of a fritzbox of family member behind a CGNAT. This scheme requires an intermediate server with a publicly available IP.

The plan is the following (here I use IPFire WUI as the target instead of a fritzbox):

from IPFire, run a ssh command to connect to my intermediate server, forwarding port 444 to port 8444

ssh -R 8444:localhost:444 -N -f user@intermediate-server

from my laptop at work I can establish the other half of the SSH tunnel

ssh -L 8444:localhost:8444 user@intermediate-server

now I can point my browser to https://localhost:8444 and trough the two halves of the tunnel, I can reach the WUI behind the CGNAT.

The only problem I can anticipate is when the SSH connection from the target network is broken off by an IP change. In this case a script called auto_ssh.sh will probe the ssh connection every 10 min and restart it when it gets broken:

auto_ssh.sh:

#!/bin/sh

REMOTE_USER=user
REMOTE_HOST=intermediate-server
KEY_PATH=/path/to/your/private_key
REMOTE_PORT=8444
LOCAL_PORT=444

# Check if the SSH tunnel is up
nc -z -w 5 localhost $LOCAL_PORT

# If the tunnel is down, reconnect
if [ $? -ne 0 ]; then
  ssh -i $KEY_PATH -R $REMOTE_PORT:localhost:$LOCAL_PORT -N -f $REMOTE_USER@$REMOTE_HOST
fi

chmod +x /path/to/auto_ssh.sh
fcrontab -e

*/10 * * * * /path/to/auto_ssh.sh > /dev/null 2>&1

This is just a preliminary plan but I thought to share it in case you want to try something similar.

To help visualize the scheme, here a simple ascii diagram:

Local Machine              Intermediate Server                CGNAT Network
+------------+             +------------------+              +------------+
|            |  VPN/SSH to |                  |  SSH tunnel  | IPFire WUI |
|            |<----------->|         port 8444|<------------>|port 444    |
|            |  port 8444  |                  | (Remote Port |            |
+------------+             +------------------+  forwarding) +------------+

jon · 8 May 2023 15:44

Thank you!

I had seen solutions similar to this when searching. I do not have the Intermediate Server to use without paying.

And since I’d only use it once every month (maybe once every two months) it did not seem worth the cost.

A Mac has a nice Screen Sharing program so we just use that when it is needed.