vpn server double nat

adyady

Occasional Visitor
Hello, I have a very annoying problem that has been bugging me for the last few days and I can't seem to figure it out.
So I have an AX88U router. I want to install a VPN server on it to be able to access my local devices remotely from outside the network.
My WAN IP starts with 100.., which means I have double NAT.
My router is connected via an ISP modem which is in bridge mode, and I'm using PPPoE with user and pass on my Asus.
I called my ISP and they allow public IP addresses only for businesses, but they said they can open certain ports for me if I wanted.
I even saw a tutorial for TP-Link on my ISP's website that teaches you how to use NAT forwarding to access your local IP camera remotely.
So what steps should I take to be able to access my router devices remotely through OpenVPN?
I don't care too much about DDNS for now, since that seems easy to solve once I am able to connect to my VPN, even with the IP directly.
 
Go to the advanced settings for your router's VPN server. Specify a port of your choosing. The default port is UDP 1194. However I suggest you don't use port 1194 for security reasons and choose a non-obvious (e.g. not 8000, 12345, etc.) random port between 5001 and 32767.

[Attachment: Untitled.png (screenshot of the VPN server settings)]

In the example above you would ask your ISP to forward UDP port 14160 to your router.
 
That seems way too easy. I'll call my ISP in the morning for a port unblock and I'll give it a try.
I am thinking I should generate the .ovpn file and make sure that inside it points to my public IP address and the unlocked port; if that works, just replace the IP with an updated DDNS, right?
Then if I type in my browser the local IP of my router or device, I should be able to access them just like when I'm connected locally to my network?
 
Correct. Edit the file and change the remote line from your 100.x.y.z address to your public IP address or DDNS name.
 
Unfortunately it wasn't as easy as expected.
After a talk with a more technical guy from my ISP I understood that all ports are open except a few ports that are blocked, so they don't need to open any port for me.
I've set up the VPN server on the Asus with port 5000 and added an account there.
Using OpenVPN, when I try to connect to my public IP and port 5000 it's simply not responding.
I should mention that remote control of my router from outside the network isn't working either, and this is probably because of the double NAT and having a private IP.
Any other idea?
 
Set up DMZ
 
Just some confusion in what you are asking for when talking to your ISP. Don't ask to open a port. Ask to have a port forwarded. Opening a port means an entirely different thing.

The port you want forwarded will be the UDP 5000. Your ISP will tell you if that port is available. Personally, I would use a port a little higher, like 50000. I would also choose something a little more random, like 45321. Port scanners are less likely to look for that.

Have the MAC address of your WAN handy as well. Your ISP may have you set your WAN address statically to a specific CGNAT address (100.x.x.x) or have you give them your MAC address and they will set up their side so that you are always handed a specific 100.x.x.x address on a DHCP assignment.

Then to connect to your Server, you will need your ISP public address. Use the public IP address (or set up a DDNS service to create a DNS name for yourself that points to your ISP's public address) to connect to your server.

What happens is that when your ISP receives traffic on port 5000 of their public address (internet facing), they will forward that traffic to the CGNAT address, which your Router is listening on.

Cheers
 
The problem is my ISP can't port forward ports from my modem.
Looking at this video, that's exactly what I need to do.
The problem is my modem is set in bridge mode and I don't even think it's possible to access its menu to port forward; my ISP told me that I can port forward on my modem only if it is NOT in bridge mode.
Also my ISP told me to use their DDNS service, which points to the public IP. I used their DDNS in my OpenVPN config file and it connects fine, but only if I'm connected to my local network; if I try to do it from outside the network (I used my 4G phone hotspot), it doesn't connect.
So is there any way around this, or am I doomed?
 
The problem is my ISP can't port forward ports from my modem.
That's not your problem. Your problem is that the ISP is using CGNAT on your connection. They need to forward that port on their internet gateway equipment. Of course that may not be possible for them, in which case they should have said that they "can't forward ports to your modem".

The problem is my modem is set in bridge mode and I don't even think it's possible to access its menu to port forward; my ISP told me that I can port forward on my modem only if it is NOT in bridge mode.
It's a long shot, but you could try changing your modem/router from bridge mode to router mode (and reconfigure the Asus accordingly). It might randomly pick up a different IP address which isn't CGNAT.
 
I see, so basically if my ISP doesn't fix their bad setup I can't enjoy this feature; there's no other way for me to fix it without my ISP changing stuff.
 
So I finally spoke with someone more tech savvy from my ISP who understood my problem and, funny enough, he encounters the same problem.
He reset my internet connection and now I got a public IP, but he told me that on a power outage it could randomly get a private IP again and the only solution is to have a public static IP.
I'm trying to convince my ISP to give me a public static IP; some say they can only for businesses, other operators say I can get it on my home network too, so I'm waiting for someone to call me and see what we can do. At least for now it is working great, thanks all.
 
Yes, in theory anyone should be able to get a public IPv4 address. In practice, there are just not enough to go around. That is why we have CGNAT. ISPs reserve the IPv4 addresses for business as they, presumably, have greater need and are willing to pay inflated premiums to have one.

The real fix is for ISPs to get onboard with IPv6 (same with my ISP - I too have to do the port forward thing). I've been bugging my ISP for IPv6 for a while now.

You should talk to your ISP and see if IPv6 is an option.
 
According to my ISP's website they support IPv6 too, but I never asked about it over the phone.
Maybe I should be able to ask them to switch me to an IPv6 IP? Should I see the IPv6 address on my router's WAN address?
The problem is that I read some discouraging topics about IPv6 not being too safe and making problems with firewalls, VPNs, etc., so I'm not sure if I want to go down that rabbit hole.
Based on the ISP article they can give you both IPv4 and IPv6 at the same time; I'm not even sure how to deal with that.

Edit:
It seems that I was able to activate IPv6 from my router and I can see the IPv6 LAN address in my router, but on the WAN address it still shows the IPv4. I'm not sure how I can benefit from IPv6 to bypass that double NAT problem; websites don't show IPv6 being active either if I try to check.
Edit2:
Now I'm not even sure if my router fully supports IPv6. On my ISP's website they say it requires PPPoE/v6 and DHCPv6, and I can find these options in a TP-Link but not on my Asus, so I'm not sure if the IPv6 from my Asus can help me in any way.
 
Call your ISP to discuss. If the router picked up an IPv6 address, and that address starts with 2001, then that is a public address. Your router should be reachable via that address from the net. Now for traffic to move, you may need some further authentication (PPPoE, etc.). Call your ISP and discuss. If the router WAN address does not start with a 2001, then the router may just be self-assigning a link-local address to itself (address starts with fe80).

Having both an IPv4 and IPv6 address is not all that uncommon right now as the world transitions to full IPv6. It's called dual stack.

As for security, nothing is 100% secure. Give a determined hacker enough time and he/she will be in. The thing to remember about IPv6 is that it is not just your router that gets a public IPv6 address - all your network devices get a public IPv6 address. Now, you can play with this in the router - such as turning off RA (router advertisement) and setting up a private IPv6 network (link-local) or using a NAT64 type of thing (I don't even know if you can do that with Asus). The benefit of being behind a CGNAT is that the inner NAT is generally not taking the attack brunt, as it does not see the ugly side of the global net.
 
My IP is 2a02 and, connecting directly to my router, IPv6 is detected and IPv4 is not.
However, if I connect through the VPN it uses the IPv4, the same IP that my router's WAN sees.
The question is, if my router gets a private IP again and the VPN stops working, how can I force it to use the IPv6 on the WAN to still be able to connect to my VPN??
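The thread's advice boils down to three checks: a WAN address in 100.64.0.0/10 (RFC 6598) means CGNAT and is not reachable from the internet, fe80:: is only link-local while 2001:/2a02: style addresses are global unicast, and the client's `remote` line must point at a reachable address (or DDNS name). The script below is an added example, not the thread's or Asus firmware's code; it assumes the router's OpenVPN server listens on the same UDP port over both IPv4 and IPv6, so the client profile can list an `udp6` remote first and fall back to the IPv4 or DDNS remote, which is what the last question asks for.

```python
# Added example: choose reachable WAN addresses for an OpenVPN client profile.
import ipaddress
import re

CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space
GLOBAL_V6 = ipaddress.ip_network("2000::/3")    # IPv6 global unicast


def reachable_from_internet(address: str) -> bool:
    """True only for a public IPv4 or a global-unicast IPv6 address.
    CGNAT, RFC 1918, loopback, link-local (fe80::) and ULA are all rejected."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        return addr not in CGNAT and not (
            addr.is_private or addr.is_loopback or addr.is_link_local)
    return addr in GLOBAL_V6 and not addr.is_link_local


def remote_lines(wan_addresses, port, ddns_name=None):
    """Build `remote` entries: IPv6 first (udp6), then IPv4 (udp), skipping any
    address the internet cannot route to. A DDNS name goes last as fallback."""
    ordered = sorted(wan_addresses,
                     key=lambda a: ipaddress.ip_address(a).version, reverse=True)
    lines = []
    for a in ordered:
        if not reachable_from_internet(a):
            continue
        proto = "udp6" if ipaddress.ip_address(a).version == 6 else "udp"
        lines.append(f"remote {a} {port} {proto}")
    if ddns_name:
        lines.append(f"remote {ddns_name} {port} udp")
    return lines


REMOTE_RE = re.compile(r"^[ \t]*remote[ \t]+\S+")


def rewrite_profile(profile: str, new_lines) -> str:
    """Replace the first `remote` line of an .ovpn with new_lines; drop the rest."""
    out, done = [], False
    for line in profile.splitlines():
        if REMOTE_RE.match(line):
            if not done:
                out.extend(new_lines)
                done = True
            continue
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample profile: the exported file still points at the CGNAT address.
SAMPLE_OVPN = "client\ndev tun\nremote 100.64.12.34 14160 udp\nnobind\n"
```

Run `rewrite_profile(SAMPLE_OVPN, remote_lines(["100.64.12.34", "fe80::1", "2001:db8::1"], 14160, "home.example.net"))` to see the CGNAT remote replaced by the IPv6 entry plus the DDNS fallback (sample addresses are constructed).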