OpenVPN with client on a firewalled LAN?
-
I have a LAN on an Internet service that provides me with a dynamic IP address. The service provider has a firewall which blocks ALL inbound traffic — i.e., I can initiate connections outbound from my LAN to the Internet, but any attempts to initiate a connection inbound to my LAN from the outside simply WILL NOT get through (even if my router's external IP address is known, so a dynamic DNS service won't help). Can I use OpenVPN in such a situation? Or does OpenVPN demand that each endpoint must be able to connect directly to the IP address of the other endpoint? If OpenVPN is not usable in my environment, can anyone suggest an alternative that will work?
-
@Rich-W said in OpenVPN with client on a firewalled LAN?:
The service provider has a firewall which blocks ALL inbound traffic — i.e., I can initiate connections outbound from my LAN to the Internet, but any attempts to initiate a connection inbound to my LAN from the outside simply WILL NOT get through (even if my router's external IP address is known
Maybe you have a CG-NAT address?
Can I use OpenVPN in such a situation?
You mean to access your network?
It's the same as with other services: you might be able to run an outbound connection, i.e. an OpenVPN client. So you can get a VPS with a static public IP and install an OpenVPN server on it, then connect your client to it.
Then you can forward traffic to the public IP to your LAN devices. You can also connect to the VPN server from your device when you're out, to access your home network.
-
More details on how to do this, please?
-
@Rich-W
What exactly? What is your purpose? You didn't mention.
-
I have a private, local e-mail server (I set this up before Gmail was a thing, btw, and it would be too big of a hassle to migrate to Gmail at this point).
Everything worked just fine when I had my home LAN connected to the Internet via a public, static IP address. My family recently moved to a small community which is exclusively serviced via a fibre network that provides me with only a dynamic IP address that cannot be connected to from the outside.
If I can't have my in-house mail server accessible from the Internet (via SMTP and IMAP), I'll need to set up mirror ports on a cloud server and tunnel these ports to the corresponding ports on my mail server. This, however, will require me to devise a way to tunnel into the mail server from the outside — hence my question.
-
@Rich-W said in OpenVPN with client on a firewalled LAN?:
My family recently moved to a small community which is exclusively serviced via a fibre network that provides me with only a dynamic IP address that cannot be connected to from the outside
A dynamic public IP doesn't necessarily mean that it is not accessible from the internet.
As mentioned, it could be CG-NAT, I don't know, since you didn't say. If that's the case, you're lost for sure.
Incoming access could also be blocked by the ISP, but this is uncommon. So maybe you can elaborate on that before you start with a workaround.
-
How do I determine whether my dynamic IP is a CG-NAT or not?
All I know right now is that if I try to connect to my LAN's IP address from the outside in any way — even by pinging it — I get an "unreachable" error.
What I want to do is to set up a VPN tunnel between a host on my home LAN and a cloud server which I run outside of my home LAN. Then I would set up NAT so that connections to services on my cloud server would be redirected to my home LAN.
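As an added illustration of the relay described above (constructed for this page, not code posted by anyone in the thread): the VPS side, where the OpenVPN server runs, DNATs the mail ports arriving on its public address to the home host's tunnel address. Assumed names: eth0 as the VPS public interface, tun0 with 10.8.0.1 (server) and 10.8.0.2 (home mail host, running the OpenVPN client) as tunnel addresses, and ports 25, 587 and 993 for SMTP, submission and IMAPS.

```sh
#!/bin/sh
# Constructed example for the VPS side of the relay (not code from this thread).
# Assumptions: the VPS runs the OpenVPN server on tun0 as 10.8.0.1, the home mail
# host runs the OpenVPN client and is pinned to 10.8.0.2 (e.g. via ifconfig-push
# in a ccd file), and eth0 is the VPS's public interface.
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
CLIENT_TUN_IP="${CLIENT_TUN_IP:-10.8.0.2}"
# Only the mail ports the thread asks for: SMTP, submission, IMAPS.
RELAY_PORTS="${RELAY_PORTS:-25 587 993}"

# Execute a command, or with DRY_RUN=1 just print it (lets you review the rules first).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

relay_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    for p in $RELAY_PORTS; do
        # Inbound TCP on the public interface is rewritten to the client's tunnel address.
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$p" \
            -j DNAT --to-destination "$CLIENT_TUN_IP:$p"
        # Permit only those forwarded connections into the tunnel, nothing else.
        run iptables -A FORWARD -i "$WAN_IF" -o "$TUN_IF" -p tcp -d "$CLIENT_TUN_IP" \
            --dport "$p" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    run iptables -A FORWARD -i "$TUN_IF" -o "$WAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Source-NAT into the tunnel so the mail host replies to 10.8.0.1 through tun0
    # instead of sending replies out via the ISP gateway (asymmetric routing would
    # break every connection). Cost: the mail server no longer sees the real client
    # IP, so connection-level anti-spam checks must move to the VPS or be dropped.
    run iptables -t nat -A POSTROUTING -o "$TUN_IF" -d "$CLIENT_TUN_IP" -j MASQUERADE
}

case "${1:-}" in
    apply) relay_rules ;;              # run as root on the VPS
    show)  DRY_RUN=1; relay_rules ;;   # print the rules without applying them
esac
```

Run `sh relay.sh show` first to review the generated rules, then `sh relay.sh apply` as root; the OpenVPN client on the mail host needs no special routing because the MASQUERADE rule keeps all relayed traffic inside the tunnel.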
-
@Rich-W
It uses a certain IP range (normally).
https://en.wikipedia.org/wiki/Carrier-grade_NAT
Or even any other private IP range.
https://en.wikipedia.org/wiki/Private_network
-
But if I can establish some sort of connection initiated from my home LAN to my cloud server on the public Internet, and then use that connection to establish tunnels from my public cloud server to my home LAN, then I don't understand why it should matter whether CG-NAT is involved or not.
-
@Rich-W
It doesn't matter for outbound connection, and the mentioned VPS as a relay to get access from outside would be possible anyway.
But I'm trying to find out if this is even necessary. However, since you don't give details on this, we're stuck here.
-
I was able to get my ISP to give me a publicly accessible IP address for my WAN. This has solved my problem. Thanks for all the suggestions.