Joined: 07 Jun 2007 Posts: 244 Location: La Paz, Bolivia
Posted: Tue Sep 07, 2021 14:08 Post subject: How to access my network from internet [PROBLEM]
Hi folks, could you recommend a solution that I could implement to be able to access my NAS servers, or much better my entire private network, from the Internet (with all the shared folders of all the machines), of course in a secure way?
The problem is that I have a ZTE F670L fiber modem/router that my ISP in Bolivia (AXS) gives me, but I don't have the username and password of the modem/router; For that reason I have not been able to:
1 enable internet port forwarding to any ports of my mainrouter or server
2 enable DMZ
3 or, I don't have the option of getting a public IP (the ISP doesn't give that service, even paid)
I have thought about implementing a VPN, but I also have doubts about where I should install that VPN "solution":
1 on a standalone machine (server) just for that VPN?
2 on a machine where I already have an existing NAS server? (with debian 10 and OpenMediaVault)
3 on my Netgear R9000 MainRouter?
4 on another DD-WRT router just for that?
I WISH you could advise me because I need it so that my work team abroad can access the data servers and even printers and other shared folders for our work 🙏
my actual network
_________________ Fiber Modem/Router: ZTE-ZXHN F670L ►►►►►► Internet 1
2G,3G,4G Modem: Amplimax FIT Elsys EPRL18 ►► Internet 2 (failover)
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Tue Sep 07, 2021 15:18 Post subject:
There are a couple of possibilities.
Connect to a commercial VPN provider which supports port forwarding (Mullvad, TorGuard etc)
Run your own VPN server in the cloud, your router connects as a client (site-to-site setup) and all your associates also connect to that VPN server so that you have a secure access.
If you want cheap use ngrok or zerotier, ngrok has a free account available maybe zerotier also
The nice part about using a commercial OpenVPN provider that supports port forwarding is YOU don't have to manage the server. It just becomes a configuration issue on each end of the tunnel. And if you're already in need of a OpenVPN provider for *outbound* purposes anyway, it's possible there's no additional cost associated w/ using it for *inbound* purposes as well. But that will vary from provider to provider.
Just beware. NOT all commercial OpenVPN providers that support port forwarding are created equal. Some have various restrictions, w/ the worst imo (at least historically) being PIA (only *one* port forward allowed, port must be determined dynamically at runtime, involves implementation of their API within the router, etc.). OTOH, something like AirVPN is far simpler and more straight-forward.
All the other solutions involve some sort of additional software installation and configuration, w/ building your own OpenVPN server on a VPS being the most complex.
Joined: 07 Jun 2007 Posts: 244 Location: La Paz, Bolivia
Posted: Tue Sep 07, 2021 16:59 Post subject:
egc wrote:
Connect to a commercial VPN provider which supports port forwarding (Mullvad, TorGuard etc)
Run your own VPN server in the cloud, your router connects as a client (site-to-site setup) and all your associates also connect to that VPN server so that you have a secure access.
If you want cheap use ngrok or zerotier, ngrok has a free account available maybe zerotier also
ngrok can run on your server at home, for zerotier I believe there is an Entware client so you can run it on the router but I have no experience with that
Thanks. Now I'm checking Mullvad and TorGuard, as well as ngrok and ZeroTier, to try to understand this kind of option better.
Joined: 07 Jun 2007 Posts: 244 Location: La Paz, Bolivia
Posted: Tue Sep 07, 2021 17:18 Post subject:
eibgrad wrote:
The nice part about using a commercial OpenVPN provider that supports port forwarding is YOU don't have to manage the server. It just becomes a configuration issue on each end of the tunnel. And if you're already in need of a OpenVPN provider for *outbound* purposes anyway, it's possible there's no additional cost associated w/ using it for *inbound* purposes as well. But that will vary from provider to provider.
On the one hand it is good because it would avoid the learning curve in configuration and it would be more 'simple'; however, I must review the monthly or annual costs (which I don't like, that's why I always prefer to make my own servers) of those solutions to know if it is within my reach or not... and on the other hand, of course... it would eliminate the geek feeling of programming something from scratch, developing it and getting it working, which I'm starting to love.
eibgrad wrote:
Just beware. NOT all commercial OpenVPN providers that support port forwarding are created equal. Some have various restrictions, w/ the worst imo (at least historically) being PIA (only *one* port forward allowed, port must be determined dynamically at runtime, involves implementation of their API within the router, etc.). OTOH, something like AirVPN is far simpler and more straight-forward.
Thanks, I will check that page too and, as you said, keep that in mind when choosing among these solutions.
Joined: 07 Jun 2007 Posts: 244 Location: La Paz, Bolivia
Posted: Wed Sep 08, 2021 19:28 Post subject:
Thanks to the recommendations you have given me, I have seen that the best solution for what I want is a VPN installed on the router, because all the devices connected to my network would be protected; otherwise I would have to take a service per device. Some platforms have solutions that cover 6 or 8 devices, and between cell phones, TVs, laptops, PCs, cameras etc. I have more than... 27 devices.
What I should look for is a service that does not slow down my internet, and of course the most important thing is for me or my work team to connect from the Internet to my NAS, and preferably to my entire network, for the use of printers and other shared folders of some special machines that I have in my network...
I checked the list that was recommended to me and thanks to you, now I know a little better what to look for
ExpressVPN --> in router DD-WRT yes --> 99.95 1st 15 months
NordVPN --> in router DD-WRT yes --> 59$ 1st year
AirVPN --> in router DD-WRT yes --> 58.11$ 1st year
ZeroTier --> in DD-WRT (kind of... using Entware) free until 50 clients
ngrok --> no DD-WRT, free as well but on own server
My 1st option would be ZeroTier; it seems to be very simple and functional and it gives exactly what I need, which is to securely access my private network from the internet, period... I used it and unfortunately it gives me some trouble on some Android devices, since its client apparently does not work on the latest Android versions; in Win10 it also gives an error, but with an older client version it seems to work just fine, and in Linux I have not tried yet but I want to imagine that it works well.
I kept testing; they do not give support, only by the community, and I don't know how they are.
the other solution that I saw is NordVPN that in the chat they told me that they could do what I want with them and they could even help me to implement it in my mainrouter...
At ExpressVPN they did not know if I could access from the internet...
I would love to know if there is any way to test how much each VPN or solution slows down the speed, even before deciding on one... I will keep learning.
Joined: 07 Jun 2007 Posts: 244 Location: La Paz, Bolivia
Posted: Wed Sep 08, 2021 20:24 Post subject:
eibgrad wrote:
If by referring to ExpressVPN, NordVPN, and AirVPN, you're considering using them for remote access purposes back to your home network, I know for a fact that ExpressVPN does NOT support port forwarding over the VPN.
Aaa, then ExpressVPN stays out immediately, thanks.
Joined: 07 Jun 2007 Posts: 244 Location: La Paz, Bolivia
Posted: Wed Sep 08, 2021 21:42 Post subject:
kernel-panic69 wrote:
You will have to use a VPN provider as you are behind CGNAT, it seems. If you don't have a public IP address, and your WAN is 100.x.x.x, then yep.
YEEAH kernel, I just learned that what I have is a fu$%*#@ CGNAT, which is ruining my life
😭 yeah, I think that ZeroTier will not work for me, because on YouTube I only see videos of remote desktops and that is not what I want...
I already set up ZeroTier on multiple PCs, even on the NAS, but I can't access any shared folder, so I don't think it works for me. I want to be able to use the shared folders with all their files that are on my network (mostly my NAS server), in addition to the possibility of sharing folders on my remote device that can be seen on other devices (of my private network of course, and mostly to make little backups on my NAS server), and also use the printers connected to the network... more than remote desktops, which is the only thing that I see that they teach with ZeroTier, which is also fine but is not exactly what I need now... I use TeamViewer or VNC for that, but it is not what my work team needs, or myself when I am away from home.
Keep reading and checking.
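Added example, not part of the thread: a POSIX sh check for the CGNAT diagnosis quoted in the post above. The carrier-grade NAT block is 100.64.0.0/10 (RFC 6598), which is narrower than 100.x.x.x; the function name `classify_wan`, its output labels and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a router's WAN IPv4 address.
# Usage: classify_wan WAN_ADDR [ADDR_SEEN_FROM_INTERNET]
# Prints: cgnat | private | upstream-nat | public | invalid
classify_wan() {
    wan=$1
    seen=${2:-}
    # Accept only four dot-separated decimal octets.
    case $wan in
        ''|*[!0-9.]*|*..*|.*|*.) echo invalid; return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $wan
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 2; }
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || { echo invalid; return 2; }
    done
    a=$1; b=$2
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        echo cgnat          # RFC 6598 shared space, 100.64.0.0/10
    elif [ "$a" -eq 10 ] ||
         { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } ||
         { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; }; then
        echo private        # RFC 1918: the router sits behind another NAT
    elif [ -n "$seen" ] && [ "$seen" != "$wan" ]; then
        echo upstream-nat   # WAN looks public, but the internet sees another address
    else
        echo public         # inbound port forwarding can work
    fi
}

# Constructed sample addresses (documentation ranges, not from the thread).
for pair in "100.72.5.9" "100.10.1.1" "192.168.1.2" \
            "203.0.113.7 203.0.113.7" "203.0.113.7 198.51.100.4"; do
    set -- $pair
    printf '%-28s %s\n' "$pair" "$(classify_wan "$@")"
done
```

Any result other than `public` means inbound connections cannot be opened from the router alone, which is why the thread turns to outbound-initiated tunnels.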
Given the OP's latest comments, something else to keep in mind.
Use of an OpenVPN provider that supports port forwarding is going to be a *routed* (tun) tunnel, NOT bridged (tap). That means that network discovery is NOT going to work over the tunnel. Although I haven't used it myself, zerotier appears to be essentially the equivalent of Hamachi (now owned by LogMeIn), which I am familiar with going way back, which is a layer 2 distributed virtual network. In addition to supporting network discovery, it supports shared folders and printers, else what's the point? If zerotier isn't working similarly, it sounds more like a configuration issue w/ the firewall (maybe the zerotier network has incorrectly been configured as a public network, when it should be private, just a guess).
Anyway, if network discovery is a must-have requirement, that limits your options to either your own bridged OpenVPN server on a VPS, or an SD-WAN solution like zerotier. Even running your own bridged OpenVPN server on a VPS could be problematic since mobile clients typically don't support bridged VPNs. But given that zerotier claims to have an iOS client (and perhaps Android as well), presumably that provides the means to get a bridged VPN on a mobile device.
Joined: 07 Jun 2007 Posts: 244 Location: La Paz, Bolivia
Posted: Thu Sep 09, 2021 3:28 Post subject:
It works!... in a raw way, but it works.
My private LAN subnet is 192.168.2.0/24, from 1 to 27,
and my ZeroTier test is 192.168.100.0/24, just 5 machines to test.
private network 192.168.2.0/24
Then I connected my laptop to the Wi-Fi of my cell phone, using the ZeroTier network 192.168.100.0/24.
I only had to put the IP in manually, and the folders and accesses of each device connected to ZeroTier came up... I also tried to do a print test but I was unsuccessful, but I think it is a matter of time until that is also achieved...
I ran an iperf3 from my laptop with ZeroTier, through the mobile connection H4 of my cell phone, to my NAS server (which achieves 1 Gbps transfers wired to the main router and modem); the result was
between 75~100 Mbps... but the ping between them was 30~170 ms 😲
I think I should keep working on that... but it's a start.
I guess that I'm going to start working on installing Entware on my MAINROUTER, trying to use this wiki https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware, and next install ZeroTier on it, because that way all my devices connected to it will be in my ZeroTier network... as well as the printers.
It could work, don't you think?
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sat Sep 11, 2021 17:18 Post subject:
I also used zerotier on my iPhone and computer, laptops and other devices...that's an easy task to accomplish...the difficulty is to run it/set it on DDWRT router level...as there is no info about it, DDWRT runs a GCNAT with SPI and other issues to address...it would be great if there was a guide...like for OpenWRT...
Meanwhile zerotier creates a UDP punch in the firewall and this must also be considered...
there is a guide for ngrok on DDWRT with a good attention to the details...
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327087&postdays=0&postorder=asc&start=0 _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Sat Sep 11, 2021 19:45; edited 1 time in total
It seems as if you are not following the discussion here. The user's server resource(s) is/are behind CGNAT; hence the reason for using ZeroTier to connect point-to-point since the normal method of using VPN server / client for a direct point-to-point connection is not possible. This is perhaps an opportunity for us to get a good write-up to transfer to a wiki article; why shoot this opportunity down with negativity?
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sat Sep 11, 2021 19:27 Post subject:
d33b0_n4p41m wrote:
It seems as if you are not following the discussion here. The user's server resource(s) is/are behind CGNAT; hence the reason for using ZeroTier to connect point-to-point since the normal method of using VPN server / client for a direct point-to-point connection is not possible. This is perhaps an opportunity for us to get a good write-up to transfer to a wiki article; why shoot this opportunity down with negativity?
d33b0_n4p41m if you have any knowledge of, how to make zerotier or tailscale to work on DDWRT via Entware please share it...i know some basics of ngrok based on the link i shared above...and i know of Wireguard and OpenVPN servers with port forwarding via egc guides...
If you consider 'negativity' of discussing a security side of those above, used on router level...please elaborate why we shouldn't point that out too...