CGNAT and OpenVPN

I previously posted on connecting IPFire red network to a fibre box (ONT). I have now got a trial with Community Fibre 1Gbps, which uses CGNAT and doesn’t provide a static or dynamic IP address. I have to upgrade to the 3Gbps package – which is over the top for me (and much more expensive than the 1Gbps package).

In my post, someone linked a post on CGNAT and IPFire but there was no solution.

I do appear to have a static/stable IP6 address, according to https://test-ipv6.com/

What are my options for connecting to my IPFire OpenVPN box using VPN through CGNAT?

Options that come to mind:

  1. I persuaded a friend to use IPFire, which he has set up, so I could connect my box to his? Net-to-net OpenVPN? How would I do this?!

  2. Use IP6 for the red network? I’ve seen posts from 2019 that IP6 is not supported. Is it now? If so, how could I configure the red network to use it?

Other options?

I use VPN to connect to a file server on my home network and also to be “at home” when I’m abroad.

Thanks for reading my post.

After some back and forth, Community Fibre have given me a dynamic IP address. I’d still be interested in any ideas.

I have another issue, which I’ll post separately.

If you don’t have a static IPv4 address you won’t be able to connect to OpenVPN as a Roadwarrior client.

If you have a public IPv6 address that might slightly help but we disable this currently. This would also require that you are always on a remote network that has IPv6 connectivity which is rare in hotels, airports, etc.

An alternative could be to install IPFire on a cheap VPS for some pennies a month and use it as a jump host.


Thank you for your reply.

By jump host, do you mean I would set up my home IPFire server with OpenVPN Net-to-Net Virtual Private Network then use the generated file to add client package on the VPS via Net-to-Net Virtual Private Network (Upload Client Package)?

The other way around. The VPS would be the server and the one behind CGNAT would be the client. That is the solution to get around the NAT because the client will establish the connection to the server.

IPsec also works as the link between the two hosts.

You will then connect your mobile devices to the VPS as usual and push the extra routes to allow them to go through the N2N tunnel.

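The layout described in that reply (VPS as OpenVPN server, IPFire box behind CGNAT as client, roadwarriors connecting to the VPS and being pushed a route through the N2N tunnel), as an added example in plain OpenVPN configuration. This is not IPFire's WebUI-generated N2N package and not code from the thread; the addresses, the hostname vps.example.com, the certificate CN ipfire-home, the filenames and the cipher settings are all assumptions for illustration. The script writes the three pieces of configuration and then checks that the home LAN is named consistently in all of them, since forgetting the `iroute` or the server-side `route` is the usual reason such a setup "connects but nothing behind it is reachable".

```shell
#!/bin/sh
# Added example, not IPFire's generated N2N config and not from the original
# thread. Writes the OpenVPN config for a VPS server, the per-client file for
# the IPFire box behind CGNAT, and the client config that box uses, then checks
# the home LAN is named consistently. All names/addresses are assumptions.

HOME_LAN="192.168.10.0 255.255.255.0"   # assumed green network behind CGNAT
VPN_NET="10.8.0.0 255.255.255.0"        # assumed tunnel network on the VPS
VPS_FQDN="vps.example.com"              # assumed DNS name of the VPS
HOME_CN="ipfire-home"                   # assumed CN in the home box's certificate

write_configs() {
    dir="$1"
    mkdir -p "$dir/ccd"

    # VPS side: listens on a public address, so the CGNAT side always dials
    # out and no inbound mapping is needed at the ISP.
    cat > "$dir/server.conf" <<EOF
port 1194
proto udp
dev tun
topology subnet
server $VPN_NET
ca ca.crt
cert vps.crt
key vps.key
dh dh.pem
tls-crypt ta.key
data-ciphers AES-256-GCM:AES-128-GCM
client-config-dir ccd
# keep roadwarrior -> home-client traffic inside OpenVPN's own routing
client-to-client
# kernel route on the VPS: the home LAN lives behind the tun interface
route $HOME_LAN
# pushes ping/ping-restart, so the home client reconnects when the ISP's
# CGNAT silently drops the UDP mapping
keepalive 10 60
persist-key
persist-tun
EOF

    # Per-client file, selected by certificate CN: tells OpenVPN's internal
    # routing that the home LAN sits behind this client.
    cat > "$dir/ccd/$HOME_CN" <<EOF
iroute $HOME_LAN
EOF

    # ccd/DEFAULT applies to clients without their own file, i.e. the
    # roadwarriors. The home box has its own file, so it is not pushed a
    # route to its own LAN.
    cat > "$dir/ccd/DEFAULT" <<EOF
push "route $HOME_LAN"
EOF

    # Home (CGNAT) side: an ordinary client, dialling out by FQDN.
    cat > "$dir/client.conf" <<EOF
client
dev tun
proto udp
remote $VPS_FQDN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $HOME_CN.crt
key $HOME_CN.key
tls-crypt ta.key
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM
EOF
}

# The LAN in the ccd iroute must also be routed on the server and pushed to
# the other clients, and must not be pushed back to its own owner.
check_n2n_routing() {
    dir="$1"; cn="$2"
    lan=$(sed -n 's/^iroute //p' "$dir/ccd/$cn")
    if [ -z "$lan" ]; then echo "ccd/$cn has no iroute"; return 1; fi
    if ! grep -q "^route $lan\$" "$dir/server.conf"; then
        echo "server.conf lacks: route $lan"; return 1; fi
    if ! grep -q "^push \"route $lan\"" "$dir/ccd/DEFAULT"; then
        echo "ccd/DEFAULT lacks: push \"route $lan\""; return 1; fi
    if grep -q "^push \"route $lan\"" "$dir/ccd/$cn"; then
        echo "ccd/$cn pushes its own LAN back to itself"; return 1; fi
    echo "ok: $lan is reachable through client $cn"
    return 0
}

# usage: sh n2n-configs.sh /etc/openvpn
if [ $# -gt 0 ]; then
    write_configs "$1" && check_n2n_routing "$1" "$HOME_CN"
fi
```

Two things the configuration alone does not do: the IPFire firewall on the home box still has to permit traffic arriving from the tunnel towards green, and hosts on the home LAN reach the tunnel network only because IPFire is already their default gateway. Using the VPS's FQDN in `remote` rather than its address is what lets you move or re-address the VPS without touching the client.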

Can’t you use DDNS and connect by FQDN? I say this without having studied the OpenVPN configs, but the “remote” line in the client config should be able to point to an FQDN.

A FQDN in the OpenVPN configuration is always a good idea to be able to change anything without touching the client configuration.

However, that does not matter for the one-directional NAT problem. There is no way around it.


Thanks, @nickh, for the suggestion. In case you’ve not seen it, IPFire has dynamic DNS, which sends the current public IP address, in my case, to dynu, where I’ve defined a FQDN. This is handy now that I’ve changed provider because previously I had a static address and if I’d hardcoded that in the client config, I’d have to change all the clients.

In the case of CGNAT, the ISP NATs all their customers so one public IP address maps to many clients, which, as @ms said, means you can access in one direction only: inside out but not outside in.

Apologies if this is all familiar to you. It wasn’t to me until relatively recently!
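Whether you are actually behind CGNAT can be checked from the IPFire box itself. As an added example (not from the thread), a small POSIX shell script that classifies the address on the red interface: RFC 6598 reserves 100.64.0.0/10 for carrier-grade NAT, so an address in that range means inbound connections cannot reach you; an RFC 1918 address means there is a NAT router in front of IPFire; an address equal to what an outside host sees is a real public address; anything else is some other NAT. The interface name red0 and the address-echo step in the usage comment are assumptions, and the sample addresses in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): tell CGNAT apart from a real
# public address by looking at what is configured on IPFire's red interface.
# 100.64.0.0/10 is the RFC 6598 shared address space used for carrier-grade NAT.

# in_cgnat_range A.B.C.D  -> true if the address is in 100.64.0.0/10
in_cgnat_range() {
    o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
    if [ "$o1" = 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then
        return 0
    fi
    return 1
}

# in_rfc1918_range A.B.C.D  -> true for 10/8, 172.16/12, 192.168/16
in_rfc1918_range() {
    case "$1" in
        10.*)      return 0 ;;
        192.168.*) return 0 ;;
        172.*)
            o2=${1#172.}; o2=${o2%%.*}
            if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then return 0; fi
            return 1 ;;
        *)         return 1 ;;
    esac
}

# classify_red RED_ADDR EXTERNAL_ADDR
#   RED_ADDR:      address configured on red0
#   EXTERNAL_ADDR: the address an outside host sees you coming from
classify_red() {
    red="$1"; ext="$2"
    if in_cgnat_range "$red"; then
        echo cgnat           # ISP NAT: outside-in is impossible, inside-out only
    elif in_rfc1918_range "$red"; then
        echo private-nat     # a NAT router sits between IPFire and the ISP
    elif [ "$red" = "$ext" ]; then
        echo public          # red holds the public address: roadwarrior works
    else
        echo unknown-nat     # public-looking address but not what the world sees
    fi
}

# Usage on the IPFire box (assumed interface name and assumed echo service):
#   red=$(ip -4 -o addr show red0 | awk '{print $4}' | cut -d/ -f1)
#   ext=$(curl -4 -s https://ifconfig.me)
#   classify_red "$red" "$ext"
```

A result of `public` together with a dynamic address is the case DDNS solves; `cgnat` is the case it cannot, which is why the thread ends up at the VPS.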