Port forwarding behind CG-NAT(4G/LTE modem) possible? SOLVED

raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 26

Posted: Tue Mar 22, 2022 20:33    Post subject: Port forwarding behind CG-NAT(4G/LTE modem) possible? SOLVED
- HOW TO BE ABLE TO USE PORT FORWARDING WHILE BEING BEHIND A CG-NAT CONNECTION (4G/LTE MODEM)?

- AND HOW TO ESTABLISH A SOLID LTE CONNECTION WITHOUT THE ISP BLOCKING IT (AVOID BEING DETECTED AS A HOTSPOT)?


UPDATE: Solved (and a little guide, in case someone has a similar use case to mine)

Hi again! Long time since I posted this thread, but since I received great help (and let alone having a free, constantly updated and rock solid firmware deserves at least some effort from users too), I wanted to post how I finally solved this situation, in hopes it could help someone that’s in the same situation as I was (and please tell me if I should post this somewhere else). I was tempted to ask for more help at some point, but I felt like I could solve this with the info you provided, so that’s why I didn’t bother you anymore.
PS: I’ll leave the original post below, for reference.

A little background:

My parents live in a rural area, they have health issues so they mostly stay at home, I live a little far away from them, but I wanted to help them with their network/internet because of the following reasons:

- There isn’t a cabled solution (ISP) for them where they live, and they need internet.
- They need decent internet speed (my dad loves cinema, so he watches a lot of Netflix, and I also built a Linux server at my place with a nice Plex movie library).
- I installed four IP cameras (Reolink. Btw, I really recommend their cameras, there’s no monthly fee or anything and the app is top notch. Enough for the off topic), and they need to be accessible both locally and remotely. They are real IP cameras, no Cloud or streaming through a third party server or anything like that, real direct connection to the IP/ports of the cameras.
- In the future I plan to build another linux server to keep it at their place, so I can move the Plex library there so they don’t depend that much on the ISP bandwidth. And also to have a device there that I can Teamviewer to or something like that, for troubleshooting purposes. For the meantime, there’s no device there for that purpose.
- Because of my job I don’t have that much time to visit them as often as I wanted, so there are few (and short) occasions available for troubleshooting on site.

NETWORK / DEVICES AT MY PARENT’S:

- Main router (gateway): Netgear R7000
- Firmware: DD-WRT r49361. I’ve experienced some random and short wifi disconnections with newer builds, and found some threads with people experiencing the same behavior. One of them said that apparently r49361 was the last build that didn’t have that issue. Idk if he was right or not, but since I’m using this build, although a little old, the disconnections indeed stopped.
- Three Google Nest Wifi, for their main wifi mesh (the wifi they use with their smartphones, notebooks, etc).
- Four Reolink IP cameras.
- Four Philips Hue lights.
- LG C1 SmartTV.
- A couple of iPhones, two notebooks and a tablet.

NETWORK CONFIGURATION:

- I purchased a Netgear LM1200 4G/LTE modem and installed an activated SIM card (then set up the APN profile manually). Its LAN port is connected to the WAN port of the R7000.
- Modem set up as router, no bridge. For some reason, if I set it up as bridge and set up the WAN of the R7000 to auto DHCP, it gets the public IP and have internet for a while, but randomly the IP is lost and have to renew it. Dhcp disabled on the modem, though.
- R7000 set up as gateway, with dhcp and dnsmasq disabled, spi firewall enabled, static IP for WAN (with an IP on the same subnet as the modem, and the modem’s IP set as the gateway. I used 8.8.8.8, 8.8.4.4 and 1.1.1.1 for DNS).
- Remote access disabled (more on that later).
- No DDNS. More on that later.
- Connection from LAN port of the R7000 to the WAN port of the Google Nest. Google Nest mesh with different subnet, of course.
- WAN of the Google Nest set up as static IP, with an IP on the same subnet of the R7000, with a static lease. Used the R7000 IP for gateway at the Google Nest.
- IP cameras with static IPs, all with static leases.
- No port forwarding, more on that later.
- LG C1 connected via 2.4 GHz wifi to the R7000. Static IP (main router with dhcp and dnsmasq disabled).
- All other devices (smartphones, notebooks, etc, using the Google Nest mesh).

All works great locally, including local viewing of the cameras.

MAIN PROBLEMS:

- There’s no ISP here that provides 4G/LTE with static or dynamic IP, only CG-NAT, and they apparently hate hotspots.
- With CG-NAT: forget about DDNS and port forwarding, so no access to the cameras from the outside.
- No remote access to the router’s GUI.

ISSUES / SOLUTIONS:

FIRST ISSUE:

Being able to maintain a 4G/LTE connection without it being detected as a hotspot.

SOLUTION:

Take care of two main aspects: MTU and TTL.

MTU:

Had to find out which MTU was correct for my LTE connection. Currently is set at 1372, but I’ve used 1400 too.

TTL:

Since the modem is NATting (configured as router), it counts as a hop. The ISP should see a TTL of 64 (iPhones) on every packet it receives, so because of the hop, the outgoing packets from the R7000 must be set to 65. Commands for that (each on its own line, and then save firewall for these commands to run at startup):

Code:
iptables -t mangle -I POSTROUTING -o $(get_wanface) -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING -i $(get_wanface) -j TTL --ttl-set 65
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


On the R7000, the WAN interface is vlan2. You can check that, and that the outgoing rule was correctly applied, with the following command:

Code:
iptables -t mangle -vnL POSTROUTING


Reboot the router.

With the above, no matter how many devices connect to the Google Nest Mesh or how many devices I have connected to the R7000 with static IPs, I have decent and stable 4G/LTE internet. The ISP most likely is seeing a single device connecting to them, receiving packets with a TTL of 64 (iPhone), and the connection is stable for every app/program because the MTU is correct for this particular LTE (and not too big, so packets can get lost).

SECOND ISSUE:

Even with internet on the entire network, because of the unavoidable CG-NAT, there’s no port forwarding possible, nor remote access to the router. So no remote troubleshooting, and most importantly, no outside viewing of the cameras. CG-NAT simply assigns your device a “private” IP from their pools, but your public IP is different and shared with other users of the same ISP.

SOLUTION:

Setting up a site-to-site setup with Wireguard, between the R7000 and my main router (also an R7000, same firmware). That’s possible because at my place I get dynamic IP, so DDNS is usable.

GENERAL IDEA:

The three subnets (my parents’, mine and Wireguard’s) are different, but should see each other as part of the same local network. That way, I set up the Reolink app (cameras) from my parents’ phones pointing to my main router (DDNS), and set up port forwarding at my place, so the apps can connect to my network, and get to the cameras using port forwarding (now possible, because I’m not behind a CG-NAT).

WIREGUARD set up at both routers following egc’s excellent guides. Mostly followed the Wireguard Server guide.

WIREGUARD SETTINGS:

- Three different subnets (my parent’s, mine and Wireguard’s tunnel).
- Wireguard’s IP of 10.4.0.1 at my place, 10.4.0.11 at my parent’s.
- Same listen port (custom one)
- NAT via tunnel disabled on both routers.
- CVE-2019-14899 Mitigation disabled on both.
- MTU of 1312, to play safe. Same value on both routers.
- Firewall inbound and Kill switch disabled on both.
- Allow clients full LAN access enabled on both.
- No PBR.
- Watchdog enabled (used 8.8.8.8 )
- Public keys correctly set on both.
- PSK enabled and correctly set on both (not strictly necessary, but it works and I feel safer).
- Peers set up on both, with endpoint enabled on my parent’s R7000, pointing at my router’s DDNS and Wireguard port.
- Route Allowed IPs via Tunnel enabled on both.
- Allowed IPs:
At my place: 10.4.0.0/24,my parent’s subnet/24
At my parent’s: 10.4.0.0/24, my router’s subnet/24
- Persistent keep alive: 20 on both (to ensure the connection doesn’t drop because of lack of use).

That’s it. Now, with the Wireguard setup, I have a big “local” network with different subnets, regardless of one of them being miles away, with my gateway being able to port forward because it uses dynamic IP and I can DDNS.

So now, if I need access to any device at my parent’s or at my place from the outside, even them being double Natted with no port forwarding possible, I just access them as if they were all at my place behind a dynamic IP. And all of that with a good and stable LTE connection without the ISP detecting it as a hotspot.

And the same goes for troubleshooting, no need for remote access to my parent’s R7000, since, first, it’s not possible, and second, it’s not necessary because the connection is seen as local (different subnet than mine, but on the same local setup thanks to the Wireguard tunnel). I just use Chrome or Firefox to connect to my DDNS with the port of the device I want to connect, no matter if it’s in my place or at my parent’s.

And it doesn’t matter how many devices are connected to their Google Nest Mesh. Aside from it being triple Natted (different subnet than their gateway, and then CG-NAT), with the commands mentioned all outgoing packets from their network will be 64 (65 minus one, since the modem set up as a router counts as a hop).

POSSIBLE ISSUES / WORKAROUNDS:

So that’s the way I managed to solve my situation. It took a lot of time mainly because of the time gaps between my visits, but my main issues where I got stuck for some time (in case anyone is facing a similar situation) were:

- Trying to set up the modem as bridge and the WAN of the R7000 as auto dhcp: It works, but the connection drops (Idk why). It got solved by setting the modem as router (but with dhcp disabled), and setting the IP of the R7000 WAN to one on the same subnet as the modem, with the modem’s IP as gateway.
- Incorrect TTL: apparently, if the modem is set as bridge, it doesn’t count as a hop, so in that case the TTL should be set to 64 instead of 65. In case others don’t have my connection dropping issue when set as bridge.
- WAN MTU set up too high: find out the correct MTU for the LTE connection. I’ve read that 1428 is the default, but some recommend to lower it to 1420, 1400 or even 1372, to ensure no packets are lost.
- Wireguard MTU set up too high: as a rule of thumb, use the WAN MTU minus 60 (I’m currently using a WAN MTU of 1372 and a Wireguard MTU of 1312).
- Using endpoint on the R7000 that points to the router that’s behind a CG-NAT: DDNS is not useful in that case, so endpoint should only be enabled on the router pointing to the one that can use DDNS (in my case, mine).
- Setting the Allowed IPs incorrectly: the tunnel IP should be different on both routers, but on the same subnet. So it works if you set 10.4.0.0/24 on both if the subnet is 10.4.0.x. And the other side’s subnet should be set up on both routers, separated with a comma from the tunnel’s subnet (for example, 192.168.1.0/24 if the other router’s subnet is 192.168.1.x).
- Not giving enough time for the tunnel connection to be made: if you use DDNS, the IP is resolved only at startup, so first, you have to give it some time, and second, I believe having persistent keepalive at a reasonable value (I use 15-20) makes the ddns’s IP resolved again (not sure about that last statement, please correct me if I’m wrong).
- Not considering random disconnects of the LTE: sometimes the LTE connection is lost. I believe it happens because it goes into sleep mode if there’s no traffic. It got solved by setting a regular ping to the outside to keep the connection awake.
- Not considering random disconnects between the R7000 and the modem: idk why it happens, but sometimes the connection between the modem and the R7000 is lost when setting up the modem as router (with the WAN IP of the R7000 being on the same subnet of the modem). Idk if it has something to do with time leases, but dhcp is disabled on the modem. Anyway, it got solved by setting keep alive to reboot the router on a daily basis, and also setting up WDS / Connection watchdog (using 8.8.8.8 8.8.4.4 1.1.1.1. They have to be separated by a space, not commas, and there can only be a max of three). If for some reason the connection between router and modem is lost, rebooting the router fixed it, so with the watchdog feature the router will reboot if it can’t ping the three IPs after a not so long period of time.

I think that’s all I can say about how I managed to solve the situation for my use case (with your help, of course. And I can’t stress enough how useful egc’s guides turned out to be for me). Idk if someone else has a similar use case as mine (need of port forwarding while being CG-NATed), but I hope it helps someone. If not, I think it’s still useful info.

Thanks again guys, to BS for building this fantastic firmware, to Kong (because I used his firmwares for a long time. When I knew he wouldn’t be working on his DD-WRT builds again, it was a sad day for me), to egc (for taking the time to write those guides and also help me here at the forums), and anyone that tried to help me with this. Now my parents are happy with my Plex library, Netflix, internet, and they feel safer having the possibility to access the cameras locally and from the outside. That’s a world to me, so thanks again, I really mean it (and the least I could do is to write down in detail how the situation was solved).

Have a nice day 👍


————————————————

ORIGINAL POST

Quote:
Hi, first of all, thanks to BS and all the members of this community, I’ve been using DD-WRT for a long time with great results. Great firmware, great community, can you ask for more?

Well, in my case, yes because I need some help 😬. And I’m kind of in a hurry, I’m at my parent’s house now til the weekend and need to sort this out before leaving (more details below). Here’s the scenario:

Note: Sorry for the long post, but I want to give you every (hopefully useful) detail you may need to help me with this matter. Details of configured devices/networks at the bottom.

Note 2: sorry for my English 🤷🏻‍♂️

The story:

I’m configuring a network in my parents’ house (like 2,000 kms away from my house), and I’m installing some devices with local static ips (ip cameras, smart plugs, a printer, a Smart TV, etc). I’m disabling dhcp and dnsmasq on the main router (DD-WRT), I’m mainly using it for static leases, port forwarding, etc, and for receiving the internet through the WAN port. The dhcp part comes with a mesh system (Google Nest Wifi. I know many people don’t like it and that you can tweak almost nothing, but it’s what I got and it just works for what I need). I’m connecting it to a lan port of the primary router, just to get internet for them (they mainly do things like browsing, Netflix, etc. They don’t know anything about tech stuff, and the house is big, so a mesh system with dhcp works wonders for them). I configured the WAN port of the mesh system as a static ip inside the main router subnet, and connected the WAN port of the mesh to a LAN port of the main router. Mesh system is on another subnet obviously, and with dhcp enabled.

I just don’t want to go only with the mesh system. Easiest thing would be to just go modem -> WAN of the mesh, but I need the port forwarding and that mesh system doesn’t allow that. Besides, I like the idea of having DD-WRT as primary router for stability for the cameras, and I just feel more secure being behind DD-WRT’s firewall.

I’ve done this type of configuration before with great results (in fact, the exact same concepts apply to my house, and it’s been working great for years), so I know it works and know how to do it. So, I’m making the exact (and I mean, exact) same configuration in my parents house, but here comes the problem/only difference: my parents house is a little far from the city and can’t get cabled internet, so I went the 4G LTE modem route (I bought a Netgear lm1200. Works great). So, the only difference between both networks (my house and my parent’s) is the modem that connects to the WAN port of the DD-WRT main router (both automatic dhcp), mine is a regular broadband modem with dynamic ip (so when I need to access my network when I’m traveling port forwarding is already set and ddns configured in DD-WRT is the answer, and it works), but with the lm1200 (bridged) at my parent’s… guess what? CG-NAT (and I already tried to ask the company for a dynamic or static ip even paying them, and there’s not a chance).

One important thing: one of the main things I need to sort out is that we need their ip camera (which doesn’t connect to a cloud service, I can only see it / configure it through ip and its respective ports. One port for gui, one for actually watch through it) to be permanently accessible from everywhere. So CG-NAT with an ip camera that can only be accessed by ip/hostname is already a problem.

So, I’m stuck with CG-NAT and because of that port forwarding with ddns is off the table, and I really need some ports to be forwarded. And also because I want to be able to configure and troubleshoot their main DD-WRT router (and cameras) from my house, and can’t do it if its public ip is double natted at isp side.

So, what I’m trying to do (before giving up) is going the OpenVPN route.

First of all, I have to mention that VPN is a new world to me, I’m still learning, but I already know some basic stuff. I already managed to create certificates/keys and connected (server-client) my main DD-WRT router to theirs, successfully (apparently).

My questions/ issues are:

- My most basic question: for the intended purpose of what I’m doing, the OpenVPN server should be my DD-WRT router, or theirs (and which one should be the client)? The tunnel should be permanently working, they are double natted and I need a working public ip for them with the possibility to port forward because, well, you never know when you will want to watch through the camera. And they can’t mess with DD-WRT or any tech stuff (and I’m not always available to help them with that, and live far away from them), they just open their iPhone app to watch the camera (and the app, in the case of my house, accesses my personal ip camera through ddns and its media port without issues. I hopefully want the same for them). I know it’s a pretty basic question, but which router should be the server and which one should be the client in this situation, where I want a permanent tunnel and the ports to be forwarded are the ones inside their network and not mine?

- In some cases I may only want certain ports to go through the vpn tunnel, while others (of the same device) to go through their/mine regular isp. I’m looking into pbr for that (new stuff for me, I’m learning), but I don’t know if it can be port based, or if it’s only device/local ip based. Is that possible? Some devices have more than one port, and I only want some of them to (permanently) go through the tunnel, and the others through the isp route.

- Perhaps another basic question: in this particular situation, how can I access DD-WRT GUI (of my parent’s router) from everywhere to troubleshoot if necessary? I do it all the time with mine, but in my case I just browse to my hostname:DD-WRT GUI port. DDNS obviously is not an option at my parent’s. Would pbr work in the case of the router’s GUI itself? If so, how can I configure it and how do I access it? Connecting to my router (one end of the vpn tunnel) and pbr set at my parent’s router? If so, how can do that if their router’s GUI has a port that’s not the default one? Again, this is because of my ignorance about this matter, I just don’t know yet how to call for a specific port of a specific device that’s behind a CG-NAT through a vpn tunnel (if possible).

I’ve looked into site to site vpn routing, but I think that’s not an option for me. I really don’t need a permanent single subnet between the two locations, and I could enable the vpn on my router per demand when I want to troubleshoot, but I need the 24/7 availability of the ip camera. And I don’t know what happens with internet traffic when doing site to site routing (like I said, I want both locations to use their respective isp for almost everything else besides troubleshooting and the ip camera, which are the problem here because of being double natted).

To sum up, what I want is to have both networks to use their own isp for almost everything, except that I need permanent 24/7 access to certain devices/ports in both locations (mine is not an issue, I’m not double natted at isp side) from everywhere, and CG-NAT at my parent’s is making me bang my head against the wall. And their isp doesn’t even give the option to pay for a dynamic/static ip (and I can’t go with another isp either. It’s the only one with decent coverage there).

I’ve read a lot about these topics these days before looking for help, but I’m running out of time before leaving 🤷🏻‍♂️

Devices/configurations:

- Both primary routers (my parent’s and mine) are R7000, and both with 40270 Kong firmware. Both started from scratch, nvram erase before and after flashing.

- Both routers with different subnets. Mine 192.168.1.1, theirs 192.168.11.1, both with dhcp and dnsmasq disabled and every important device has static ip.

- At my parents, Google Nest Wifi router’s WAN port is connected to a LAN port of the main router, its WAN port is set to a static ip inside the main router subnet, and its LAN network is on another subnet. It just works.

- At my parent’s, internet comes from a Netgear lm1200 4G LTE modem. CG-NAT, double natted at isp side and there’s nothing I can do to change that. It’s bridged, and connected to the WAN port of the main router (automatic dhcp). The entire network works, I have decent internet, all the devices have their respective static ip and working without issues. And for smartphones, guests and things like that, the wifi mesh works properly and assigns ips by dhcp on a different subnet.

- In my house, same configuration, the only difference is that I have a dynamic ip so I use DD-WRT DDNS feature to access my network from the outside. Port forwarding works as it should.

- 5 GHz wifi disabled at both routers, 2.4 enabled (wpa2, AES) at both. I have 2.4 GHz enabled because I use it for Smart TVs (each configured with static ips, since dhcp is disabled) and a wireless printer (also static ip).

- All the other settings are set at default (except custom ports for DD-WRT GUI remote management for both main routers).

- And about OpenVPN, I used easy-rsa 3 for the certs/keys, both using udp protocol, adaptive compression, TUN, standard port (1194), and network ip at the server set at 10.10.10.0 and 255.255.255.0 netmask (not sure about these two settings, though). All the other OpenVPN settings are left at default on both routers. At least the status page says at server side that the connection is successful and shows the correct public ip of the client (the real public ip. For the meantime I’m just testing, and the server is my router at home and the client is my parent’s router, but I’m still confused if it shouldn’t be the other way around). But since VPN stuff is new to me and since I haven’t had the chance to really read about the topic because of the hurry, I managed to get to this point, but I still don’t quite know how to use the VPN tunnel for my intended purposes.

Hope you can help me, and sorry for the long post, but I really need to solve this and I only have like four days left at my parent’s to make everything work. Hopefully you can point me in the right direction, and also thanks in advance.

PS: I forgot. I don’t have the chance to leave a notebook or something like that to troubleshoot through TeamViewer from my house, my parents only have smartphones and I don’t have the time to go and buy a cheap notebook or build a small server (which would be the ideal solution. Perhaps on another visit).


Last edited by raulo1985 on Fri Jul 21, 2023 17:17; edited 12 times in total
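The WireGuard site-to-site settings and the pitfalls listed in the solved guide at the top of this post, turned into a small checker. This is an added example, not code from the post or from DD-WRT. The `Site` fields, the `home.example.net` and `parents.example.net` endpoints, port 51820 and the home WAN MTU of 1500 are assumptions; the tunnel addresses, LAN subnets and the 1372/1312 MTUs are the ones given in the thread.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

# Outer IPv4 header (20) + UDP (8) + WireGuard data header and auth tag (32).
# This is where the "WAN MTU minus 60" rule of thumb comes from.
WG_OVERHEAD_IPV4 = 60


@dataclass
class Site:                      # hypothetical structure for this example
    name: str
    tunnel_ip: str               # address on the WireGuard interface
    lan: str                     # LAN subnet behind this router
    wan_mtu: int
    wg_mtu: int
    allowed_ips: List[str]       # Allowed IPs on the peer entry for the other site
    endpoint: Optional[str]      # host:port of the other site, None if disabled
    behind_cgnat: bool
    keepalive: int = 0


def check_site_to_site(a: Site, b: Site, tunnel_net: str) -> List[str]:
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    tnet = ipaddress.ip_network(tunnel_net)
    nets = {"tunnel": tnet,
            a.name: ipaddress.ip_network(a.lan),
            b.name: ipaddress.ip_network(b.lan)}

    # The three subnets (both LANs and the tunnel) must be different.
    names = list(nets)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if nets[x].overlaps(nets[y]):
                findings.append(f"subnets overlap: {x} {nets[x]} and {y} {nets[y]}")

    # Tunnel IPs: different on each router, but inside the same tunnel subnet.
    if a.tunnel_ip == b.tunnel_ip:
        findings.append("both routers use the same tunnel IP")
    for s in (a, b):
        if ipaddress.ip_address(s.tunnel_ip) not in tnet:
            findings.append(f"{s.name}: tunnel IP {s.tunnel_ip} is outside {tnet}")

    for local, remote in ((a, b), (b, a)):
        allowed = [ipaddress.ip_network(n) for n in local.allowed_ips]
        # Allowed IPs must cover the tunnel subnet and the other side's LAN.
        for needed, label in ((tnet, "tunnel subnet"),
                              (nets[remote.name], f"{remote.name} LAN")):
            if not any(needed.subnet_of(n) for n in allowed):
                findings.append(f"{local.name}: Allowed IPs lack the {label} {needed}")
        # Tunnel MTU must leave room for the WireGuard encapsulation.
        limit = local.wan_mtu - WG_OVERHEAD_IPV4
        if local.wg_mtu > limit:
            findings.append(f"{local.name}: WireGuard MTU {local.wg_mtu} exceeds {limit}")
        # Nobody can dial in to the CG-NAT side, so an endpoint towards it is useless.
        if remote.behind_cgnat and local.endpoint:
            findings.append(f"{local.name}: endpoint points at {remote.name}, "
                            "which is behind CG-NAT and cannot be reached")
        # The CG-NAT side has to initiate and keep the NAT mapping open.
        if local.behind_cgnat and not remote.behind_cgnat:
            if not local.endpoint:
                findings.append(f"{local.name}: needs an endpoint for {remote.name}")
            if local.keepalive <= 0:
                findings.append(f"{local.name}: persistent keepalive is off")

    if a.wg_mtu != b.wg_mtu:
        findings.append("WireGuard MTU differs between the two routers")
    return findings


TUNNEL_NET = "10.4.0.0/24"

# Values from the thread; endpoint name and port are constructed placeholders.
PARENTS = Site("parents", "10.4.0.11", "192.168.11.0/24", wan_mtu=1372, wg_mtu=1312,
               allowed_ips=["10.4.0.0/24", "192.168.1.0/24"],
               endpoint="home.example.net:51820", behind_cgnat=True, keepalive=20)
HOME = Site("home", "10.4.0.1", "192.168.1.0/24", wan_mtu=1500, wg_mtu=1312,
            allowed_ips=["10.4.0.0/24", "192.168.11.0/24"],
            endpoint=None, behind_cgnat=False, keepalive=20)

# Constructed misconfiguration combining several of the listed pitfalls.
BAD_PARENTS = replace(PARENTS, wg_mtu=1400, allowed_ips=["10.4.0.0/24"])
BAD_HOME = replace(HOME, endpoint="parents.example.net:51820")

if __name__ == "__main__":
    print("as posted:", check_site_to_site(PARENTS, HOME, TUNNEL_NET) or "no findings")
    for finding in check_site_to_site(BAD_PARENTS, BAD_HOME, TUNNEL_NET):
        print("misconfigured:", finding)
```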
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Tue Mar 22, 2022 21:29
Build 40270 is very old and no longer supported and has safety issues.

Upgrading to a recent build is highly recommended (current is 48540)

See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

A VPN *server* (OpenVPN, WireGuard etc) needs to be accessible from the internet.
Behind CGNAT that usually is not possible.

So the only option is to run a Client at your parents’ house and the Server at your house.

With a site-to-site setup the server side can reach the client side (and of course the other way around).

You use the site-to-site setup only for the local traffic, normal internet traffic goes out via the WAN.

See the OpenVPN server setup guide which has a chapter about site-to-site setup:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 26

Posted: Wed Mar 23, 2022 13:47
Thanks for your reply, I really appreciate it (I really mean it).

Regarding the firmware version, I went with last Kong’s version because I’ve been running that one on my R7000 since Kong left the project, and it’s been rock steady. And since Kong tested his versions with his routers (and I read that R7000 was one of the most tested routers by him), I never felt the need to upgrade. I usually don’t use fancy/advanced stuff, VPN is the most advanced feature I’m starting to use. And since stability is my main concern (more than performance) because I can’t travel 2,000 kms every time there’s a problem, I went with what I felt was the safest choice. But now that I’m going to use OpenVPN, I guess there’s been improvements on that area since that version, so I’ll take your advice and will flash the last BS build today 👍

As for the solution you mention, it sounds good to me. I wasn’t sure about what happened with normal internet traffic when doing a site to site setup (like I said, I never learned about VPN before and I had to learn all I could about it in a couple of days because of this). I was afraid that some of it went through the tunnel, making my parent’s internet stability/performance dependent on my isp/router, but thanks for clearing that out for me 👍.

So, bottom line, and since you read what I wrote and know my setup and situation (again, thanks for taking the time), would you say that a 24/7 site to site setup is what you would go for if you were me? Is that the “correct” way to achieve what I need, or would you advise to go for another kind of setup? I’m all for learning all about this stuff, and I surely will, but considering my hurry (and the clock is ticking) I don’t have the time now to learn, implement and test different kinds of setups for what I need, so I want to spend the remaining time I have here doing what must be done instead of experimenting. Would you say that a 24/7 site to site setup would be the correct answer? The client being my parent’s main router and mine being the server?

And after doing that, port forwarding would work as if my parent’s devices (and router) ips were local (on my side), so all the port forwarding would have to be configured on my router as if those devices were just added to my local network? I’m going to read everything I can today about site to site if you think is the way to go, but just to know, since everything would be inside the same “local” network, should their devices be in the same subnet as the ones of my network?

Should I read this guide too? I surely will, I want to learn this stuff properly, but I have to choose wisely what guides to read now because, well, I’m leaving in a couple of days 😕 (and the guide you sent me, I must confess I saw that post yesterday, but the guide seems to be very complete, so I didn’t want to spend my remaining time reading something like that without being sure it’s the way to go).

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327810

And this post seems to be an important reading if I’m going to flash a build with OpenVPN 2.5, correct?

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326913

And I also found this link, when I want to learn something new about networks and DD-WRT I usually read the forums or the wiki, but since I have little time left I made a quick Google search and at least the title sounds like the perfect answer to my question, and apparently the article is written for people who don’t know much about VPN. Should I go this route? I’ll obviously read the guide that you suggest too.

https://kabri.uk/2017/11/19/creating-a-site-to-site-routed-vpn-using-dd-wrt-and-openvpn/

Sorry, I’m just trying to target the essential stuff I need to read in my remaining days at my parent’s to solve this, but I’ll read all I can when I get home. And thanks again, this is important to me and I really appreciate your help. Your answer already cleared some things I was confused about (like the basic “which should be server and client” thing. I was already banging my head against the wall because of simple things like that), so I can’t thank you enough 👍

PS: and sorry for my English 😕, I hope I’ve made myself clear enough.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Wed Mar 23, 2022 15:10
Indeed a 24/7 site-to-site setup would work, you can connect to your parents from your own home just by typing http://192.168.11.1 and you will get to the router of your parents.

Port forwarding (if necessary at all) should be done on your own router and you then port forward to 192.168.11.1.
But not sure if that is necessary, if you want to connect to your parents router when you are on the road then simply connect to your own VPN server, when connected you can reach everything connected to your own network and your parents network.

If you are going to use your VPN server to connect to when on the road and also use the site-to-site setup you have to work with CCD files and multiple client certificates.

The only guide you should need is the OpenVPN server setup guide.

raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 26

Posted: Sat Apr 09, 2022 16:00
Report

Hi there, I came to report. Sadly, I couldn’t manage to build the OpenVPN setup on time Crying or Very sad . Since I wasn’t getting anywhere trying to build a site-to-site setup and I’m learning about VPN on the run, I went down to basics and tried to establish a simple VPN tunnel between both routers (server-client), using your guide (almost same values as your screenshots) because I had the impression I was doing something wrong at a basic level. Turns out I couldn’t even establish the most standard VPN tunnel, the status page didn’t show any connections. So I looked at the syslog and there were some critic issues.

First, and idk why since I’m still a noob in this, tls auth didn’t work, I could get past that error message choosing tls crypt. Then I got an error message about not being able to resolve the host address. I figured it could be something related to dns, so I added dhcp-option DNS 8.8.8.8 in advanced config on the client router and could get past that (not sure if that’s a problem on the ISP dns servers not resolving ddns hostnames or something like that, but at least it worked using Google’s dns server), then lost client access to internet at some point (and couldn’t manage to troubleshoot it, I was in a hurry so I just nvram erased the client and configured it from scratch), had to trial and error the choice of ciphers (I managed to solve that with a particular combination which I don’t remember now sadly, but I think CHACHA20-POLY1305 didn’t work. I think the one that worked was AES-128-CBC, but can’t confirm), etc. It was a messy way of setting things up and perhaps I introduced issues because of that messiness (and didn’t have the time to collect logs), but because of that I nvram erased the routers from time to time to clear those possible issues up.

The wall that I couldn’t get past was a tls handshake time out error message that didn’t give much info to know why that was happening. I would have come to you with the logs by then, but I’m talking about my last attempts at 4 am, with my flight taking off at 8 am, so all I could do by then was giving up setting up the VPN tunnel and getting their router back to its original configuration (modem bridged, router as gateway and wireless AP, pretty standard). I won’t be able to access their network as was the plan, but at least I left them with a working wifi and internet. Just because my parents know absolutely nothing about tech stuff other than browsing and youtubing, not a chance they can help me to set up OpenVPN, and sadly I don’t have a server or notebook there to just Teamviewer it and work things out from here. Things didn’t work out as I would have wanted to, but I learned a lot and I’m still learning about VPN, because I’m not giving up, I plan to travel again perhaps next month and solve this.

I know I didn’t give useful information to troubleshoot the issues, but I barely managed to restore their wifi and catch my flight (it was kind of a stressful day tbh), and for now I just wanted to report, and to let you know that I’ll be back (that sounded like a Terminator) to finally solve this. I know I’m doing something wrong and that the setup I want is possible, so no reason to give up. I may get back to you and revive this thread (or make a new one) when I go there again if I can’t figure out things by myself, and I’ll use this time to read all I can about this topic (I like solving things by myself and learn, but sometimes you need a little help). And, well, I wanted to thank you again for your selfless help, even though the setup didn’t work, your advice and guides were a turning point in my process of understanding this feature (which I never felt the need to learn about) and I feel I’m on the right direction now. Thanks again 👍


A couple of questions

In the meantime, since idk when I’m going back to my parents, I wanted to ask you a couple of things (not sure if I should open another thread or not):

- I always looked at OpenVPN because of its history and tons of info, but I’m tempted to go with Wireguard. I’ve already read some about it and its pros and cons, but would you say it would be a better choice over OpenVPN considering my use case? I’ve read that a site-to-site setup is also possible, and I’m not sure how important is the IP logging “issue” every Wireguard review talks about as a security flaw of the protocol. What do you think? Which protocol would you use in my situation?

- Is current DD-WRT Wireguard implementation (server and client) good enough, or is it not as reliable as OpenVPN (mainly because it’s a newer protocol than OpenVPN)? I’ll surely read your guides anyway, doesn’t hurt to learn, but I wanted to know your opinion from an experience point of view (if you have any, of course) using Wireguard server and client from DD-WRT, not just on paper.

- The whole point of what I want to achieve is being able to access their devices for troubleshooting purposes when I’m not there (router, ip cameras, Google Nest wifi, etc), and for port forwarding (because of the ip cameras. Now they are able to check them through the app locally, but those cameras don’t have a cloud service so the only way to check them outside of the house is by port forwarding, and they’re behind CG-NAT). For now I don’t need to use the tunnel for other purposes, and surely I want both networks to use their respective ISP for internet traffic. Since I won’t be troubleshooting all the time, and we do need 24/7 remote access to the cameras per demand, would you advise to keep the tunnel working all the time? Or, for some reason, it would be wiser to disable the server side of the setup (my router, which has dynamic ip and I can access it with my phone whenever I want), and enable it just when I need to troubleshoot something / check the cameras? My point is that I really don’t know if, given my use case, keeping the tunnel up 24/7 could be less safe, or if it could shorten the lifespan of the routers because of constant workload. If you ask me, it would be simpler to have the tunnel working all the time so if my parents want to check the cameras they don’t have to talk to me to enable the server and re establish the tunnel, but it’s not a high price to pay if indeed is not a good idea to keep the tunnel up permanently if we are going to use it not as often. Of course, I’m assuming that, if I disable the server and don’t have access to the client, if I enable the server again the VPN connection will be automatically re established though, not sure about that.

Anyway, thanks again for your help. Next time I go to my parents I hope to have greater knowledge about this topic, so things go a little smoother than the last time. Greatly appreciate the time you take to reply (and for writing those great guides).

PS: all (failed) attempts at setting up the OpenVPN were done while using 48540 BS build on both routers (AC5300 as server, R7000 as client), and both nvram erased and set up from scratch. Pretty sure the issue is between the keyboard and the chair, hope to have better luck next time.


Last edited by raulo1985 on Sat Apr 09, 2022 21:53; edited 1 time in total
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Sat Apr 09, 2022 16:13    Post subject: Re: Help needed (I’m in a hurry) for OpenVPN/PBR behind CG
raulo1985 wrote:
can you ask for more?

Clearly yes! At least you presented a good case and aren't afraid to make an effort and type a detailed description of the issue(s). So indeed thanks for that, often people who seek help can't even be bothered to type more than two sentences, expecting the world in return.

So this is a thanks from me for your effort.

You're in good hands, egc is the openvpn/wireguard expert around these parts, this community is lucky to have him and I personally appreciate the hell out of his contributions and efforts.

As a side suggestion, even if it's too late, you could have always enabled remote access to the router in order to solve the issue remotely.

Good luck.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Sat Apr 09, 2022 16:31
My advice: start simple with setting up the OpenVPN server on your router and test if that works with your phone on cellular, then you know you have a working server.

To keep it simple do not use TLS-auth/TLS-crypt key so just leave the key box empty.

You can always check if your DNS is working with the command:
nslookup
Both from the CLI of the router or from a connected client.

From the VPN troubleshooting guide:
Quote:
TLS Error: TLS key negotiation failed to occur within 60 seconds
Server is not reachable i.e. you have a network connection error (unless you are using TLS-crypt which is not setup correctly):
• Check server address/DDNS
• Check DDNS,
• Check port,
• Check Port Forward if server is not on the primary router.
• Check/disable firewall
• Sometimes an ISP blocks often used ports, check with your ISP and/or use TCP port 443, this is not blocked.
• Older DDWRT versions block UDP ports when SFE is enabled, so when in doubt disable SFE

To check if you can reach the server from the client you can use the ping utility.
Beware not all servers answer to ping.

From the Windows cmd, the Fing app on your phone or ping from the CLI (telnet/Putty) if your client is a DDWRT or other router use:
ping ip-server-address
e.g. ping 8.8.8.8

If your server is a DDWRT router then by default it does not answer to ping so for this test you should disable/uncheck "Block Anonymous WAN Requests (ping)" on the Security tab of the DDWRT OpenVPN server.


It is possible that on your parents' side with CG-NAT they are blocking certain ports e.g. 1194, consider using TCP4 and port 443.

To answer your question, yes you can also use WireGuard to do this, it is considered perfectly safe:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

Site-to-Site setup is in the Advanced guide

As the making of the keys is integrated it is somewhat simpler to set up, but it still needs intermediate skills and some studying to set up; in that respect it is not different from OpenVPN.
One big advantage of WireGuard is that it is much faster.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
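
The checklist quoted in the post above, turned into a small log triage helper. This is an added example, not part of the thread or of DD-WRT; the sample log lines are constructed, and `parents.example.net` and `203.0.113.10` are placeholders.

```shell
#!/bin/sh
# Added example: triage OpenVPN log lines against the checklist quoted above.
# SAMPLE_LOG is constructed; parents.example.net and 203.0.113.10 are placeholders.
SAMPLE_LOG='RESOLVE: Cannot resolve host address: parents.example.net:1194 (Name or service not known)
UDP link remote: [AF_INET]203.0.113.10:1194
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed'

# Reads a log on stdin and prints one "TAG: hint" line per distinct finding.
triage_openvpn_log() {
    awk '
    # Remember transport and port of the most recent connection attempt.
    /link remote: \[AF_INET\]/ {
        proto = ($0 ~ /TCP/) ? "tcp" : "udp"
        port = $0
        sub(/.*:/, "", port)       # keep what follows the last colon
        sub(/[^0-9].*/, "", port)  # drop anything after the digits
    }
    /RESOLVE: Cannot resolve host address/                        { dns = 1 }
    /TLS key negotiation failed to occur within/                  { timeout = 1 }
    /tls-crypt unwrap error|packet HMAC authentication failed/    { key = 1 }
    /failed to negotiate cipher|.cipher. is used inconsistently/  { cipher = 1 }
    END {
        if (proto == "") { proto = "unknown"; port = "?" }
        if (dns)
            print "DNS: server name did not resolve; test it with nslookup on the router CLI"
        if (key)
            print "KEY: tls-auth/tls-crypt key differs between server and client; leave the key box empty until the basic tunnel works"
        if (timeout) {
            print "REACH: no answer on " proto "/" port "; check server address/DDNS, port, port forward and firewall"
            if (proto == "udp")
                print "PORT: the ISP or CG-NAT may drop udp/" port "; retest with TCP port 443"
        }
        if (cipher)
            print "CIPHER: cipher settings differ; configure the same cipher on server and client"
    }'
}

# Demo run on the constructed sample.
printf "%s\n" "$SAMPLE_LOG" | triage_openvpn_log
```

The KEY finding only shows up in the server's log; on the client a wrong tls-crypt key looks like the same 60-second timeout, which is why the checklist treats the two together.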
raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 26

Posted: Sat Apr 09, 2022 21:47
egc wrote:
As a side suggestion even if its too late, you could have always enabled remote access to the router in order to solve the issue remotely.

Good luck.


Thanks for your words. I’m on your boat, the way I see it this is a fine piece of software that in a way improves our quality of life (by not having to deal with basic/unstable stock firmware, and letting us tweak all the settings that we should be able to tweak from the start, after all we paid for the thing), and we get it for free. The devs have lives, and still keep this project going for the joy of a lot of us. Least one can do is to put a little effort trying to solve things that most likely can be solved by yourself if you’re not lazy. I try to seek for help when I realize that I need it, not before. Asking without even knowing if the issue can be solved by yourself is just lazy imo.

And having to guess what other’s issues are by a few details that sometimes don’t even help, is kind of disrespectful towards the devs and community, I’ve never liked that kind of attitude. I’m a little old fashioned on that regard, if you want help, first make sure you need help by putting some effort. And if you realize you need help, give the info you think it’s relevant so others don’t lose their time trying to solve a problem by trying to understand what the problem is in the first place.

Appreciate the words, but I think that’s how always things should be, and not the other way around. I’m the one that’s grateful for people that I don’t know spent their time reading a lot of info just to try to help me without expecting nothing in return. I just can wish you the patience to help people that ask as if you already knew what’s happening, I don’t think they have bad intentions or anything like that so no point in being harsh, but that doesn’t mean asking for help thinking that people reading your problem can read your mind is not getting a little old. I don’t know if I had the patience to reply all those times.

Sorry, back on topic. You mean enabling remote web access? But they’re double natted at ISP side (CG-NAT), they don’t have a valid public ip. That’s the point of the VPN, to be able to port forward at the server by using a VPN tunnel and having my personal router be the server (I get dynamic ip, so ddns solves the problem). Unless you meant something else, remote access can’t be used, or am I wrong?

The plan is to make a site-to-site setup so that the client’s lan network can be accessed at server side, which has a public ip (dynamic, ddns). If I’m not mistaken, every device should be accessible from the outside by port forwarding (server). So: access to DD-WRT GUI, to ip cameras, etc. I understand that this is the only way to be able to use port forwarding when you’re behind CG-NAT, but I’m no expert. If you meant something else by enabling remote access, then discard all I said, and my apologies.

egc wrote:
My advice start simple with setting up the OpenVPN server on your router and test if that works with your phone on cellular, then you know you have a working server.

To keep it simple do not use TLS-auth/TLS-crypt key so just leave the key box empty.

You can always check if your DNS is working with the command:
nslookup
Both from the CLI of the router or from a connected client.

From the VPN troubleshooting guide:
Quote:
TLS Error: TLS key negotiation failed to occur within 60 seconds
Server is not reachable i.e. you have a network connection error (unless you are using TLS-crypt which is not setup correctly):
• Check server address/DDNS
• Check DDNS,
• Check port,
• Check Port Forward if server is not on the primary router.
• Check/disable firewall
• Sometimes an ISP blocks often used ports, check with your ISP and/or use TCP port 443, this is not blocked.
• Older DDWRT versions block UDP ports when SFE is enabled, so when in doubt disable SFE

To check if you can reach the server from the client you can use the ping utility.
Beware not all servers answer to ping.

From the Windows cmd, the Fing app on your phone or ping from the CLI (telnet/Putty) if your client is a DDWRT or other router use:
ping ip-server-address
e.g. ping 8.8.8.8

If your server is a DDWRT router then by default it does not answer to ping so for this test you should disable/uncheck "Block Anonymous WAN Requests (ping)" on the Security tab of the DDWRT OpenVPN server.


It is possible that on your parents side with CG-NAT they are blocking certain ports e.g. 1194, consider using TCP4 and port 443

To answer your question, yes you can also use WireGuard to do this, it is considered perfectly safe:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

Site-to-Site setup is in the Advanced guide

As the making of the keys is integrated it is somewhat simpler to set up, but it still needs intermediate skills and some studying to set up; in that respect it is not different from OpenVPN.
One big advantage of WireGuard is that it is much faster.


Hi there, like I said earlier, thanks again man. Things didn’t work out as expected, but your guides are excellent and I’m sure I’ll be more prepared the next time I go see my parents. The setup is possible, the firmware supports it, firmware version has been reasonably tested, and both routers are perfectly fine. Ergo, I surely made a (or many) mistakes. But that’s good news, because that’s something I can change, and for free. But I’ll shout for help here if I’m stuck again, that’s for sure.

I’ll start reading the Wireguard guides. But in the meantime, asking for some of your experience/knowledge doesn’t hurt. A couple of questions/comments:

- I’ll do what you suggest (start from scratch, set up the OpenVPN server and test with my phone).

- Just to know, tls auth and crypt are not advised to be used in DD-WRT for now? Or did you mean doing that only for testing/troubleshooting purposes?

- Yep, next time I’ll use nslookup. But could it be an ISP dns server problem that prevented the client to resolve the host address? Everything was configured almost exactly as your guide screenshot, that issue got fixed as soon as I added the dhcp-option… line, so it wasn’t an issue of the ddns service I used. Anyway, Google’s dns server solved that issue, just wanted to mention it, I found that interesting.

- For the record (sorry, didn’t mention it), I used the standard port, but then changed it to 1198 thinking 1194 could be a port blocked by the ISP, but it didn’t fix the issue. Didn’t try with other free ports, though, just 1198 (random choice. Perhaps I should have tried with a different free port, I wasn’t very creative with that one).

Always used UDP, never tried TCP. And SFE was always disabled on both routers. The dns issue was solved and I got to the handshake error. That was the point where I gave up, seemed like an issue that I was going to spend some time troubleshooting, and the plane wasn’t going to wait for my VPN tunnel to be up and running. But I felt like I almost got there, so I’ll most likely have better luck next time.

Bonus question:

Most likely you saw this one coming. In my situation and considering your experience on this matter, would you choose OpenVPN or Wireguard, and why? I didn’t start reading a little about Wireguard because it’s known to be easier to set up, I have no problem learning if things are more complicated than I thought, it was because of Wireguard being faster. I don’t need that much bandwidth for accessing the router or configuring a couple of devices, but because of the cameras not having a cloud service, they can only be viewed through a TCP connection, so I guess that traffic is going to go through the tunnel and not by regular internet. And the cameras use a decent amount of bandwidth.

I don’t think they are close to being restricted by OpenVPN max bandwidth, though, so I’m not sure if Wireguard’s performance would make a difference in my case. What do you think? Any particular reason why you would choose one over the other? Or just personal preference (and if so, why)?

The routers are AC5300 (server) and R7000 (client), and probably they’re going to have the same DD-WRT build flashed, to avoid possible issues (probably latest BS stable build).

Thanks again!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Sun Apr 10, 2022 7:45
About TLS-auth/TLS-crypt key, I do not use it as I am perfectly fine (=safe) without it.

If you want it at least do not start with it, start simple and get a working connection first and then add complexity.

I use both OpenVPN and WireGuard, WireGuard is somewhat easier to setup but it is your call.

Only when you are a high level government target and want the absolute proven safety I would use OpenVPN (with tls-crypt key).
But that is just my personal opinion.

raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 26

Posted: Sat Apr 16, 2022 5:06
egc wrote:
About TLS-auth/TLS-crypt key, I do not use it as I am perfectly fine (=safe) without it.


Got it. Do you know if current DD-WRT implementation is better with auth or crypt? Can’t find a clear answer to that question.

egc wrote:
If you want it at least do not start with it, start simple and get a working connection first and then add complexity.


Will do. Last time was a mess, it wasn’t enough time, I tried to learn on the run and managed to get past some issues, but got stuck and didn’t have time to come here with the logs. Tried my best, but with the clock ticking, so it wasn’t a clean config at all. Next time I’ll be more knowledgeable/prepared, and will go one step at a time to not break things up.

I got a feeling that at some point I even got nvram issues after a nvram erase, the router became very unstable and had to reset. I added too many unnecessary steps, and ultimately had to give up because of time. But good thing is that I got a good grasp of what this topic is about (very basic knowledge, but it’s a start and didn’t have it before), so it doesn’t feel as wasted time even though the results were back to square one. But regarding knowledge, I may not be an advanced user at all (yet), but I’m not in square one anymore 👍 . That’s better than nothing.

egc wrote:
I use both OpenVPN and WireGuard, WireGuard is somewhat easier to setup but it is your call.

Only when you are a high level government target and want the absolute proven safety I would use OpenVPN (with tls-crypt key).
But that is just my personal opinion.


The difficulty of setting them up, unless we are talking about compiling, C++ Linux voodoo stuff, it’s not a problem. I knew nothing about setting up a VPN and tried to do it learning about OpenVPN in a couple of nights, I usually don’t have a problem learning if what I’m learning is worth it. Anyway, apparently OpenVPN, if only talking about a site-to-site setup, just differs in small details and in the cert and key making process compared to Wireguard (which I already learned and created using easy-rsa 3 for OpenVPN), difficulty in that particular regard is not an issue.

And well, I’m not a government target other than for taxes 🤷🏻‍♂️, so I guess I’m good with both of them. You mentioned the above because OpenVPN is a little safer than Wireguard? I read that they were equivalent in recent builds, but I’m no expert. And I’ll test without auth or crypt first, but if things work out, is it advisable tls-crypt over tls-auth? Any impact with that setting performance wise?

Ultimately, the purpose of all of this is clear: to build a site-to-site to my parents network (another subnet), because they are double natted at ISP side (CG-NAT, I hate it), and need port forwarding for their IP cameras (troubleshooting and viewing) and to troubleshoot the router itself. As I understand, the IP cameras traffic would go through the tunnel as local, so port forwarding can be used at server side (my home network, which has public ip and ddns) to access and also view through the cameras. Their media traffic, as far as I understand won’t go through client’s WAN, they don’t have a cloud service and their local IP/port is not reachable from the outside without a VPN tunnel to a server that has a public IP.

If that’s correct, wouldn’t be Wireguard advisable in my use case? Safety wise both are apparently equal, and I don’t need that much bandwidth to access the cameras or router, but the media is another story. So far there’s one 5MP camera there that usually transfers at 6,000-8,000 kbps, but in the future I plan to install two or three more (so probably three cameras using that bandwidth 24/7, and perhaps a fourth one afterwards). Wireguard is known to be a lot faster than OpenVPN because it works at kernel space instead of user space, but I don’t think the bandwidth I’m going to use maxes out OpenVPN capacity. But thinking long term, who knows.

Is there a particular reason besides the apparently slightly better security that you choose OpenVPN over Wireguard? If not using tls-crypt or auth, would you still go with OpenVPN? Or if taking out the security aspect it all comes down to a personal preference in your case? Like I said, difficulty or a steeper learning curve is not an issue for me, I should be able to set both up with a little more effort.

In my use case, the stating routing issue that use to appear in Wireguard reviews could be an issue for me?

If not maxed out, do you think that performance is similar (OpenVPN vs Wireguard), or do you notice any difference with same tasks (because of some latency differences or things like that)?

For now, I see both options as valid for my intended purposes, both can achieve a site-to-site setup, my routers and firmwares support it, and key and cert creation is already done (and learnt how to). So would you go with Wireguard because of performance considering the cameras? Or OpenVPN is still more than enough if someday I go crazy and install like 8 cameras? Security is not a big deal in my case, I know both protocols are very safe even without tls encryption and I’m not an interesting dude to be hacking.

Oh, and I already read some things about Wireguard. Since it’s a newer tech and OpenVPN has a bigger user base, do you see Wireguard as the future of VPN? Or do you think OpenVPN is gonna catch Wireguard up in performance and Wireguard could slowly fade away in OpenVPN’s favor? Just curious.

OpenVPN or Wireguard, that is the question.

Btw, thanks again 👍
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Sat Apr 16, 2022 7:26
It is just a matter of personal preference; both WireGuard and OpenVPN will get the job done in your case.

WireGuard is the new kid on the block but OpenVPN is here to stay.

raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 26

Posted: Fri Jul 21, 2023 17:00
egc wrote:
It is just a matter of personal preference; both WireGuard and OpenVPN will get the job done in your case.

WireGuard is the new kid on the block but OpenVPN is here to stay.


Original post updated. Issues apparently solved. Thank you all!!

PS: I detailed my use case, issues and how I managed to solve them. Maybe someone could find that info useful.