Is remote access behind CGNAT possible?
-
Remote access on the home network used to work with VNC and Remmina on a remote laptop.
However the ISP's CGNAT stops it working. From reading, a VPN or tunnel might be needed?
Is there an easy setup using pfSense for remote access? I tried OpenVPN but it needs a public WAN IP.
I've started looking at Tailscale, but it's all new to me. Just a simple home network solution would be good if a free VPS or something is needed?
-
For security reasons, any remote access should use a VPN!
There are two ways to work this VPN access.
-
The easy and free version is to configure the VPN server on pfSense and put a certificate on your remote clients (PCs, iOS devices, etc.). You would also configure an account with a dynamic DNS hosting provider (there are some free ones and a ton of paid ones). Then you can securely remote into your home network. But this mostly free method will not work behind CGNAT.
-
The method required to get around CGNAT is to host your VPN server on some public host. So far as I know, all of those require some payment, but shopping around can produce a very reasonable (as in low) fee. You set up your VPN server on the public host, then on your pfSense firewall you configure a full time VPN tunnel to your VPS (virtual private server). You create another public VPN server on the VPS and configure your remote clients to connect to that VPN server. The traffic is then relayed securely into pfSense and your home network.
-
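The VPS relay layout from the second option above, sketched as WireGuard configuration. This is an added example, not part of the original thread, and WireGuard is used here only for illustration since the post does not name a protocol. The 10.99.0.0/24 tunnel subnet, the 192.168.1.0/24 home LAN, `vps.example.net` and the key placeholders are all assumptions.

```ini
# ---- VPS (public IP): /etc/wireguard/wg0.conf ----
# Needs IP forwarding enabled (net.ipv4.ip_forward=1) to relay between peers.
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

# Home firewall: no Endpoint, because the VPS cannot dial into CGNAT.
# The VPS learns this peer's address from its first authenticated packet.
[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.99.0.2/32, 192.168.1.0/24

# Roaming laptop.
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.99.0.3/32

# ---- Home firewall behind CGNAT (shown in wg-quick syntax) ----
[Interface]
Address = 10.99.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.net:51820
AllowedIPs = 10.99.0.0/24
# Outbound keepalive holds the CGNAT mapping open so traffic relayed
# by the VPS can reach home at any time.
PersistentKeepalive = 25

# ---- Remote laptop ----
[Interface]
Address = 10.99.0.3/24
PrivateKey = <LAPTOP_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.net:51820
# Only tunnel and home-LAN traffic goes through the VPS.
AllowedIPs = 10.99.0.0/24, 192.168.1.0/24
```

The home firewall still needs a rule on its tunnel interface permitting 10.99.0.3 to reach only the LAN hosts and ports (for example the VNC server) that should be remotely accessible.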
-
@bmeeks
Option 3 is to use Tailscale, which works with CGNAT. It's available as an option on pfSense.
-
@michmoor said in Is remote access behind CGNAT possible?:
@bmeeks
Option 3 is to use Tailscale which works with CGNAT. It's available as an option on pfSense
Yes, I forgot about Tailscale.
It's sort of a re-engineered and easier version of option #2 from my list. The Tailscale tailnet wraps the whole VPS thing the way I understand it. The setup is much easier and free for some basic amount of tunnels.
-
Cloudflare Tunnels are free and allow a single device to be routed out. Should work for this purpose.
-
@Popolou
I'm trying Tailscale for now, however whilst setup and connection was easy via pfSense and actually 'just worked'!, it's not clear how to view and control the GUI?
OpenVPN failed as it needs a public WAN IP to issue a certificate.
Might try WireGuard if I can't solve Tailscale's remote viewing and control.
-
@eiger3970-0
Well, I'm using a workaround now with a remote access client and server.
Bit confusing why I need a VPN or tunnel, apart from security, right?
Even when a VPN or tunnel is installed, I haven't been able to set up remote viewing, say with VNC and RealVNC on the phone.