Setting up tunnel through CGNAT
-
I have a home network with a pfSense router. I currently have two WAN interfaces, a DSL modem that gets a dynamic public IP and a T-Mobile 5G that is behind CGNAT. I have been using DynDNS with the DSL WAN to get remote access. I currently have an IPsec VPN configured for inbound traffic and some local rules to route some devices out the DSL so they can get inbound connections (think game consoles).
I would like to ditch the DSL and replace it with some kind of VPN connection to an external entity with a public IP. I would like to still get back into my home network from the internet via VPN and be able to forward ports from something to devices on the local network. Is such a scenario possible? My research so far has not come up with obvious solutions but I am likely missing something obvious.
I have started an experiment:
My home router:
Hardware: Netgate SG-2440
pfSense+ version: 23.05.1-RELEASE (amd64)
Linode:
pfSense community edition version: 2.7.0-RELEASE (amd64)
I have set up a VPS on Linode and installed pfSense on that. I have installed WireGuard on both the VPS and the local router and the tunnel appears to be up and will reconnect if something disrupts the connection. On the local router I created an Interface for the WireGuard tunnel named Linode, here is its configuration:
I then setup a Gateway on the local router for the Interface named Linode. Here is its configuration:
On the Linode I have an Interface for the WireGuard tunnel named Home, here is its configuration:
I then set up a Gateway on Linode for the Interface named Home. Here is its configuration:
Here is the status of my local router:
and here is the status of my Linode router:
A couple of things are not working.
- The gateway status on both routers for the tunnel is showing as offline.
- If I change my local router to use the Linode gateway and then use whatismyip.com, the IP address that comes back is still the IP associated with the T-Mobile gateway and not the fixed IP of my Linode.
I am not a network engineer and only cobbled together what I have by finding various guides on these forums and other places on the internet. There are definitely holes in my knowledge one could drive a semi through. I apologize if I have missed some obvious guides and documentation.
I would appreciate any help and advice getting my experiment working or pointing out any services that might more easily accomplish my goal. If I can provide any more information I will be happy to do so.
Thanks in advance.
-
@jonsteinmetz You should determine the type of VPN you want to run and then figure the rest of it out.
Typically with a CGNAT VPN you need the CGNAT side to be relatively generic and it will connect to the non-RFC1918/CGNAT connection on demand -- the remote side cannot start this conversation in any situation.
You can keep using this thread but you have to determine WHICH vpn platform you want to use and then it can be moved, however I would suggest making a new post in the proper spot instead.
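As an added illustration of the layout in the original post and of the point above that the CGNAT side must be the one to initiate (this is not configuration from either poster or from Netgate), here is the same two-peer WireGuard setup written in wg-quick file form; the pfSense WireGuard package exposes the same fields in its tunnel and peer pages. Keys, the 10.200.0.0/24 tunnel subnet, the 192.168.1.0/24 home LAN and the VPS address 203.0.113.10 are placeholders.

```ini
# ===== VPS side (Linode, public IP): listens, never initiates =====
[Interface]
Address = 10.200.0.1/24          # tunnel address of the VPS (placeholder subnet)
ListenPort = 51820               # the only port that must be reachable from the internet
PrivateKey = <VPS_PRIVATE_KEY>   # placeholder

[Peer]
# The home router behind CGNAT. Deliberately no Endpoint: the VPS cannot
# reach a CGNAT address, so it learns the home side's current source
# address:port from whichever authenticated handshake packet arrives.
PublicKey = <HOME_PUBLIC_KEY>    # placeholder
# Tunnel peer address plus the home LAN, so replies and port forwards from
# the VPS are routed back down the tunnel rather than to the VPS WAN.
AllowedIPs = 10.200.0.2/32, 192.168.1.0/24

# ===== Home side (behind T-Mobile CGNAT): initiates and keeps the mapping open =====
[Interface]
Address = 10.200.0.2/24          # tunnel address of the home router (placeholder)
PrivateKey = <HOME_PRIVATE_KEY>  # placeholder
# No ListenPort is needed: nothing can connect inbound through CGNAT anyway.

[Peer]
PublicKey = <VPS_PUBLIC_KEY>     # placeholder
Endpoint = 203.0.113.10:51820    # VPS public IP (documentation-range placeholder)
# 0.0.0.0/0 lets this peer carry any destination, which is what a gateway
# used for policy routing needs; with only the tunnel subnet listed here,
# internet-bound traffic pushed at the tunnel gateway is dropped by WireGuard
# and the client still appears to come from the T-Mobile address.
AllowedIPs = 0.0.0.0/0
# Keepalive from the CGNAT side is what holds the carrier NAT mapping open
# so the VPS can send inbound traffic to the home router at any time.
PersistentKeepalive = 25
```

Two things this file pair does not do and pfSense must: the VPS needs an outbound NAT rule on its WAN for 10.200.0.0/24 and 192.168.1.0/24, and any port forward on the VPS WAN must point at an address the VPS reaches through the tunnel. The gateway on the home router monitors 10.200.0.1 with dpinger, so it only shows Online once the VPS answers ICMP over the tunnel, which means its tunnel-interface firewall rules must allow that.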
-
@rcoleman-netgate OK, thanks, I can repost this in the WireGuard section. I thought I would keep it more generic since I guessed there might be suggestions for other services or VPNs.
-
@rcoleman-netgate I have created the re-post here: https://forum.netgate.com/post/1119159.
Should I delete this thread to keep things clean?
Thanks
-