Vacation Home Network behind CGNAT - How to Access the Network?

GMD99

Occasional Visitor
At my vacation home I have Bell (Canada) Wireless Internet which uses a CGNAT design, so I cannot access or see my Asus (RT-AC86U) or any part of my network that isn't part of a cloud service. My objective is to gain access to that network so that I can access my security cameras, my HA system as well as other systems I have running.

Interestingly, on my iPhone I have in the Asus app Remote Connection turned on and as such I can access the Asus router config through the app. However, even though I also have Remote Access configured to allow Web Access from WAN I cannot log into the router from my PC.

I have zero experience with VPNs but I am considering trying to set up a VPN server either on the Asus router or on my Synology NAS. However, before I expend a lot of time trying to set up either of these, I am looking for some guidance on whether or not this will even work given that the network is behind a CGNAT. If so, I would appreciate some direction on where I can find some literature on setting this up.
 

L&LD

Part of the Furniture
When you're on CGNAT, you're very limited.

Call your ISP and ask for a public IP.
 

GMD99

Occasional Visitor
The ISP (Bell Canada) does not offer that in the rural area and there are no other ISPs that provide a comparable service.
 

drinkingbird

Very Senior Member
The Asus app works because the router establishes an outbound connection to an Asus server and your app then connects to that server; this is similar to how a lot of cameras like Blink work, and it is a way around hide NAT (or double hide NAT in your case). If your cameras don't work that way they probably rely on static port mapping or UPnP, which won't make it through CGNAT.

If they don't support IPv6, as already mentioned, you have the option of trying to find an IPv6 tunnel service that will work with CGNAT or using a VPN provider (bear in mind most VPN providers charge extra for inbound connectivity/port mapping). There's not much else you can do if your ISP doesn't offer a public/static IP service. For the cameras you have the option of using Blink or Ring or other similar ones that initiate an outbound connection and keep it live, but you're probably not looking to replace your hardware.

Best option (other than IPv6) is probably create a VPN between that location and your main home, then from there set up inbound access from the internet for cameras, etc. In theory you should be able to just configure a VPN server at your main home and client at the vacation home (on the Asus). The vacation home has to always initiate the VPN connection since it is behind the double hide NAT. I've never tried it behind CGNAT, not sure why it wouldn't work though.

The catch is if your main home uses dynamic IP you'll need a DDNS service and specify a hostname on the vacation home VPN client to ensure it reconnects when your home IP changes.
 

Smokey613

Very Senior Member
When my ISP had me behind a CGNAT, I was using my AC86U with a dedicated-IP VPN service that allowed port forwarding. I set up a VPN client on my router for the dedicated IP, then port forwarded a non-standard port on the dedicated IP. I then set up the VPN server on the Asus, and then I could connect to my dedicated IP using a VPN client, which then forwarded the connection into my Asus router's VPN server. I am not sure if all this is clear... :)
 

PeterR

Regular Contributor
If IPv6 is not available, you could install ZeroTier on your CGNAT-encumbered router and make a virtual network. There's a thread on this forum detailing the procedure.
 

drinkingbird

Very Senior Member
I think in this case setting up a VPN server at the main home and a VPN client at the vacation home is the most flexible solution, and it will have some additional benefits too: it's easier to access stuff there as it will essentially be on the LAN. It should be fairly straightforward to do with DDNS. You may want to set the vacation home router to reboot once a day overnight just in case, or even put it on a timer or smart plug to "hard reboot" once a day in case something freezes up.
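A cron watchdog is a more targeted alternative to the blind nightly reboot suggested above. This is an added example, not code from the thread or from Asus/Merlin: it probes a host that is only reachable through the site-to-site tunnel, restarts the OpenVPN client after a few consecutive failures, and only falls back to a reboot if the tunnel stays down for an hour. Everything in it is an assumption chosen for illustration: Asuswrt-Merlin, OpenVPN client slot 1 (tun11), a main-home gateway at 192.168.1.1 that is only reachable via the tunnel, and a state file in /tmp; the script name /jffs/scripts/vpn_watchdog.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: tunnel watchdog for the vacation-home
# router's OpenVPN client on Asuswrt-Merlin (assumed). Run every 5 minutes
# from cron; restart the client after RESTART_AFTER consecutive failed probes,
# reboot only after REBOOT_AFTER (an hour at 5-minute cadence).
PEER=${PEER:-192.168.1.1}          # assumption: main-home LAN gateway, tunnel-only
TUN_IF=${TUN_IF:-tun11}            # assumption: Merlin OpenVPN client slot 1
STATE=${STATE:-/tmp/vpn_watchdog.fail}
RESTART_AFTER=3
REBOOT_AFTER=12

# Probe the peer through the tunnel interface only, so a working WAN path
# cannot mask a dead tunnel.
probe() { ping -c 2 -W 3 -I "$TUN_IF" "$PEER" >/dev/null 2>&1; }

# decide PREV_FAILS PROBE_STATUS -> prints "<new_fail_count> <action>"
# action is one of: ok | wait | restart | reboot
decide() {
    prev=$1; up=$2
    if [ "$up" -eq 0 ]; then echo "0 ok"; return 0; fi
    n=$((prev + 1))
    if [ "$n" -ge "$REBOOT_AFTER" ]; then echo "$n reboot"
    elif [ $((n % RESTART_AFTER)) -eq 0 ]; then echo "$n restart"
    else echo "$n wait"; fi
}

run() {
    prev=$(cat "$STATE" 2>/dev/null || echo 0)
    if probe; then up=0; else up=1; fi
    set -- $(decide "$prev" "$up")
    echo "$1" > "$STATE"
    case $2 in
        restart) logger -t vpn_watchdog "tunnel down ($1 checks), restarting client 1"
                 service restart_vpnclient1 ;;   # Asuswrt service name (assumed)
        reboot)  logger -t vpn_watchdog "tunnel down ($1 checks), rebooting"
                 reboot ;;
    esac
}

# Install with Asuswrt's cron helper (hypothetical path):
#   cru a vpn_watchdog "*/5 * * * * /jffs/scripts/vpn_watchdog.sh run"
case "${1:-}" in run) run ;; esac
```

The failure counter is what makes this safer than a timer plug: one lost ping during a DDNS change or a short ISP hiccup does nothing, three in a row restart only the client, and the router is rebooted only when restarting the client repeatedly did not help.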
 

sfx2000

Part of the Furniture
Tailscale is another option...

 

waterdog

New Around Here
This is almost exactly how I access my VPN server on my Asus AX-3000 through a VPN client, but my VPN service uses DDNS instead of a fixed IP. It works perfectly if I am not behind CGNAT, but I cannot make it work with CGNAT. Smokey613: What address do you use for the Asus VPN server? I am currently using the WAN address (see below).
# Accept UDP 1194 arriving on the provider tunnel (tun11) addressed to the WAN IP
iptables -I FORWARD -i tun11 -p udp -d $(nvram get wan_ipaddr) --dport 1194 -j ACCEPT
# Rewrite the destination of UDP 1194 from tun11 to the WAN IP before routing
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 1194 -j DNAT --to-destination $(nvram get wan_ipaddr)
 

drinkingbird

Very Senior Member
Your CGNAT IP is only routable as far as your ISP's network, after which it gets hide-NAT'd behind a public IP (or in some cases dynamically NAT'd to a public IP pool), which is what your VPN provider will see. If your VPN service needs your client IP and the IP they see to match (IP validation), it won't work. Attempting to update DDNS with a CGNAT IP is pointless since that IP is not reachable from outside your ISP's network.

I believe one of the options for VPN is to find your IP using a public server, if you can get that working, then that may work with your VPN provider, since now they'll be seeing the IP you're reporting as what you're actually sourcing from.
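A quick way to confirm the point above before building anything: classify the address on the WAN interface and compare it with the address the rest of the Internet sees. This is an added example, not code from the thread or from Asus; the CGNAT range 100.64.0.0/10 is RFC 6598 and the private ranges are RFC 1918. The router part assumes Asuswrt (`nvram get wan_ipaddr`) and that `curl` is present, and the lookup service URL is one choice among many.

```shell
#!/bin/sh
# Added example, not from the thread: classify an IPv4 address as CGNAT
# (100.64.0.0/10), RFC 1918 private, loopback or public, and on an Asus router
# compare the WAN lease with the address seen from outside.

# Dotted quad -> 32-bit integer. Prints nothing and returns 1 on bad input
# (wrong octet count, non-digits, >255, or leading zeros, which shells would
# otherwise parse as octal).
ip_to_int() {
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prints one of: cgnat private loopback public invalid
classify_ip() {
    n=$(ip_to_int "$1") || { echo invalid; return 1; }
    if   [ $(( n & 0xFFC00000 )) -eq $(( (100 << 24) | (64 << 16) )) ]; then echo cgnat     # 100.64.0.0/10
    elif [ $(( n >> 24 )) -eq 10 ]; then echo private                                        # 10.0.0.0/8
    elif [ $(( n & 0xFFF00000 )) -eq $(( (172 << 24) | (16 << 16) )) ]; then echo private   # 172.16.0.0/12
    elif [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ]; then echo private                  # 192.168.0.0/16
    elif [ $(( n >> 24 )) -eq 127 ]; then echo loopback
    else echo public
    fi
}

# On an Asus router (assumed): WAN lease vs. the address a public service sees.
# api.ipify.org is one "what is my IP" service; any equivalent works.
check_router() {
    wan=$(nvram get wan_ipaddr 2>/dev/null) || { echo "nvram not found: not an Asuswrt router"; return 1; }
    seen=$(curl -s --max-time 5 https://api.ipify.org) || seen=unknown
    echo "wan_ipaddr=$wan ($(classify_ip "$wan"))"
    echo "seen_from_internet=$seen ($(classify_ip "$seen"))"
    if [ "$wan" = "$seen" ]; then
        echo "WAN holds a public IP: inbound port forwarding can work"
    else
        echo "WAN address is not what the Internet sees: you are behind NAT/CGNAT, inbound needs a relay or tunnel"
    fi
}

case "${1:-}" in --router) check_router ;; esac
```

Run it as `sh cgnat_check.sh --router` on the router. A WAN address in 100.64.0.0/10 is the textbook CGNAT sign, but some ISPs hand out an RFC 1918 or even a public-looking address and still NAT it, so the mismatch between `wan_ipaddr` and the externally observed address is the check that actually matters; updating DDNS with the `wan_ipaddr` value is useless in either case.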
 

waterdog

New Around Here
The DDNS is by the VPN provider, so I can use the VPN IP to port forward through the OpenVPN client back to my router. The OpenVPN client works fine through CGNAT. I'm trying to access the OpenVPN server on the router through the VPN client. This works fine if the ISP is using a public IP, so I'm not sure if the OpenVPN server has an issue with the local IP address. It seems like there should be a way to route it back through the VPN client, which has a public IP.
 

Smokey613

Very Senior Member
Set up the VPN server on your Asus router.

Create VPN server remote access users to allow remote access.

Make sure you have a hostname for your Asus outbound VPN client's public IP.

On your Asus VPN client settings, go to the Advanced settings.

Enable "allow incoming connections" on the VPN client settings.

Then point your remote VPN client (on your phone, laptop, etc.) to use your public VPN client hostname and port number.

This all hinges on your VPN provider allowing incoming connections and port forwarding.
 

drinkingbird

Very Senior Member
You're trying to access your WAN (CGNAT) IP through the VPN tunnel? Not sure that would work. From your LAN it typically does as the router has loopback enabled but if coming in through a VPN tunnel that may not work.

If the ISP is using a public IP you're probably connecting to that IP outside of the tunnel. Maybe I'm not following what you're trying to do. Sounds like you're having the router connect to a VPN provider to make it accessible through CGNAT, then attempting to connect to your VPN provider inbound to your router to VPN into your internal network?

When using VPN nothing should ever see that CGNAT IP. Your ISP translates it before it hits your VPN provider, and your VPN provider has their own public IP they'll give you for inbound access. Your router firewall should see incoming connections from the remote real IP targeting whatever real IP they've assigned you to use on your router. But like I said I could be misunderstanding your setup/intention.
 

waterdog

New Around Here
Yes, this is how it is set up, except there is no "allow incoming connections" setting. I'm using Merlin firmware, which has an "Inbound Firewall" setting, but I leave that as "block" and route the desired ports using iptables. I am forwarding specific ports through my VPN provider.

It is working now. I reset the VPN server settings on my router to default and went through the .ovpn files for the server (created by the router) and client (from the VPN provider). There had been a discrepancy between the compression settings that was likely causing the connectivity issue. I also updated the VPN server address in the iptables rule from the WAN address to 10.8.0.1 (the VPN subnet is 10.8.0.0), which eliminates the need to know the WAN address. Once connected to the server, web traffic either goes through the WAN, or can be routed back through the VPN client using VPN Director.
 

waterdog

New Around Here
I was trying to forward a port from the VPN client to the VPN server on the router so I can connect to a remote facility. Without CGNAT, I knew the server listened on the WAN port, and had seen other examples using the WAN port. However, I learned that if the VPN subnet is set to 10.8.0.0, then the VPN server is at 10.8.0.1, at least on Asus routers. So now I am forwarding to 10.8.0.1.
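Putting Smokey613's steps and waterdog's fix together, here is the shape of the iptables part as an Asuswrt-Merlin firewall-start fragment. This is an added example, not waterdog's script or anything shipped by Asus or Merlin. It assumes what the thread describes: the provider client is tun11, the router's own OpenVPN server answers at 10.8.0.1 on UDP 1194, Merlin re-runs /jffs/scripts/firewall-start on every firewall restart, and the provider forwards some port (51234 here is a made-up value) to your tunnel address. The Inbound Firewall setting stays at "block"; these rules only open the one port.

```shell
#!/bin/sh
# Added example, not from the thread: /jffs/scripts/firewall-start fragment
# (Asuswrt-Merlin, assumed) that takes the port the VPN provider forwards to
# this router over the provider tunnel and hands it to the router's own
# OpenVPN server.
PROVIDER_PORT=${PROVIDER_PORT:-51234}   # hypothetical port assigned by the provider
CLIENT_IF=${CLIENT_IF:-tun11}           # Merlin OpenVPN client slot 1 (thread)
SERVER_ADDR=${SERVER_ADDR:-10.8.0.1}    # OpenVPN server address for a 10.8.0.0 tunnel net (thread)
SERVER_PORT=${SERVER_PORT:-1194}        # OpenVPN server port (thread)

# Print the rules without applying them (dry run). DNAT happens in nat
# PREROUTING, then the packet is routed: because SERVER_ADDR belongs to the
# router itself, it is delivered locally and passes INPUT, not FORWARD, which
# is why a FORWARD rule on its own never matches this traffic.
build_rules() {
    cat <<EOF
iptables -t nat -I PREROUTING -i $CLIENT_IF -p udp --dport $PROVIDER_PORT -j DNAT --to-destination $SERVER_ADDR:$SERVER_PORT
iptables -I INPUT -i $CLIENT_IF -p udp -d $SERVER_ADDR --dport $SERVER_PORT -j ACCEPT
EOF
}

# Idempotent apply: delete an earlier copy of each rule (ignore "no such rule")
# before inserting, so repeated firewall restarts do not stack duplicates.
apply_rules() {
    build_rules | while read -r rule; do
        eval "$(printf '%s' "$rule" | sed 's/ -I / -D /')" 2>/dev/null || true
        eval "$rule"
    done
}

case "${1:-}" in
    --dry-run) build_rules ;;
    --apply)   apply_rules ;;
esac
```

Two things to verify after applying it: `iptables -t nat -L PREROUTING -v -n` should show the DNAT counter climbing when you connect from outside, and `tcpdump -i tun11 udp port 1194` should show the server's replies leaving on tun11 rather than the WAN interface; if replies take the WAN path the handshake fails silently even though the inbound rules match, and the fix is on the routing side (how the router's own traffic is sent through the provider client), not in these rules.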
 

drinkingbird

Very Senior Member
Yeah the VPN IP is the one you want, otherwise you're trying to loopback all your traffic through the WAN interface, even if it was working that's not ideal. Glad you got it working.
 
