Netgate Discussion Forum

Setting up tunnel through CGNAT using WireGuard

4 Posts 4 Posters 2.6k Views

    jonsteinmetz
    last edited by Aug 6, 2023, 6:41 PM

    I have a home network with a pfSense router. I currently have two WAN interfaces, a DSL modem that gets a dynamic public IP and a T-Mobile 5G that is behind CGNAT. I have been using DynDNS with the DSL WAN to get remote access. I currently have IPsec VPN configured for inbound traffic and some local rules to route some devices out the DSL so they can get inbound connections (think game consoles).

    I would like to ditch the DSL and replace it with some kind of VPN connection to an external entity with a public IP. I would like to still get back into my home network from the internet via VPN and be able to forward ports from something to devices on the local network. Is such a scenario possible? My research so far has not come up with obvious solutions but I am likely missing something obvious.

    I have started an experiment:

    My home router:
    Hardware: Netgate SG-2440
    pfSense+ version: 23.05.1-RELEASE (amd64)

    Linode:
    pfSense community edition version: 2.7.0-RELEASE (amd64)

    I have set up a VPS on Linode and installed pfSense on that. I have installed WireGuard on both the VPS and the local router and the tunnel appears to be up and will reconnect if something disrupts the connection. On the local router I created an Interface for the WireGuard tunnel named Linode; here is its configuration:
    local tunnel interface.png
    I then set up a Gateway on the local router for the Interface named Linode. Here is its configuration:
    local tunnel gateway.png
    On the Linode I have an Interface for the WireGuard tunnel named Home; here is its configuration:
    linode tunnel interface.png
    I then set up a Gateway on Linode for the Interface named Home. Here is its configuration:
    linode tunnel gateway.png

    Here is the status of my local router:
    local status.png
    and here is the status of my linode router:
    linode status.png

    A couple of things are not working.

    1. The gateway status on both routers for the tunnel is showing as offline.
    2. If I change my local router to use the Linode gateway and then use whatismyip.com, the IP address that comes back is still the IP associated with the T-Mobile gateway and not the fixed IP of my Linode.

    I am not a network engineer and only cobbled together what I have by finding various guides on these forums and other places on the internet. There are definitely holes in my knowledge one could drive a semi through. I apologize if I have missed some obvious guides and documentation.

    I would appreciate any help and advice getting my experiment working or pointing out any services that might more easily accomplish my goal. If I can provide any more information I will be happy to do so.

    Thanks in advance.

    • 
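The two symptoms in the post (tunnel gateway shown offline, and traffic still leaving via the CGNAT WAN) both come down to what each side's peer entry allows and whether the CGNAT side keeps the mapping alive. Below is an added example, not code from pfSense, WireGuard or the poster: a small checker that parses a pair of wg-quick style configs and reports the cross-side inconsistencies that produce exactly those symptoms. The key, tunnel subnet 10.10.10.0/24, home LAN 192.168.1.0/24 and endpoint 203.0.113.10 are constructed placeholders.

```python
"""Consistency check for a WireGuard tunnel that carries a CGNAT'd home
router to a VPS with a public IP.  Added example, not pfSense or WireGuard
project code; every address, key and subnet below is a constructed placeholder."""
import base64
import ipaddress


def parse_wg_conf(text):
    """Minimal parser for wg-quick style INI: one [Interface], many [Peer]."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = iface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return {"interface": iface, "peers": peers}


def _nets(csv):
    return [ipaddress.ip_network(p.strip(), strict=False) for p in csv.split(",") if p.strip()]


def _covered(addr_csv, allowed_csv):
    """True if the (first) interface address lies inside some AllowedIPs entry."""
    first = addr_csv.split(",")[0].strip()
    if not first:
        return False
    return any(ipaddress.ip_interface(first).ip in net for net in _nets(allowed_csv))


def _valid_key(b64):
    """A WireGuard public key is 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False


def check_tunnel_pair(home_conf, vps_conf, home_lan, default_route=True):
    """Return findings; an empty list means the pair is consistent for the
    CGNAT layout (home dials out, VPS forwards ports back in)."""
    home, vps = parse_wg_conf(home_conf), parse_wg_conf(vps_conf)
    if len(home["peers"]) != 1 or len(vps["peers"]) != 1:
        return ["this check expects exactly one [Peer] on each side"]
    home_peer, vps_peer = home["peers"][0], vps["peers"][0]
    findings = []
    for side, peer in (("home", home_peer), ("vps", vps_peer)):
        if not _valid_key(peer.get("PublicKey", "")):
            findings.append(f"{side}: peer PublicKey is not a 32-byte base64 key")
    # Only the VPS has a reachable address, so the CGNAT side must initiate.
    if "Endpoint" not in home_peer:
        findings.append("home: peer needs Endpoint = <vps-public-ip>:<port>")
    # Without keepalives the carrier NAT mapping times out and the VPS can no
    # longer reach the home side, so inbound port forwards stop working.
    keepalive = home_peer.get("PersistentKeepalive", "0")
    if not keepalive.isdigit() or int(keepalive) == 0:
        findings.append("home: set PersistentKeepalive (e.g. 25) to hold the CGNAT mapping open")
    # Gateway monitoring pings the far tunnel address; WireGuard only sends that
    # ping into the tunnel if the address is inside the peer's AllowedIPs.
    vps_addr = vps["interface"].get("Address", "")
    if not _covered(vps_addr, home_peer.get("AllowedIPs", "")):
        findings.append(f"home: AllowedIPs does not cover VPS tunnel address {vps_addr}; "
                        "gateway monitor will report it offline")
    home_addr = home["interface"].get("Address", "")
    vps_allowed = vps_peer.get("AllowedIPs", "")
    if not _covered(home_addr, vps_allowed):
        findings.append(f"vps: AllowedIPs does not cover home tunnel address {home_addr}")
    # Port forwards on the VPS target home LAN hosts, so the LAN subnet must be
    # cryptokey-routed back through the tunnel on the VPS side.
    lan = ipaddress.ip_network(home_lan, strict=False)
    if not any(lan.subnet_of(net) for net in _nets(vps_allowed) if net.version == lan.version):
        findings.append(f"vps: AllowedIPs must include home LAN {home_lan} or forwarded traffic cannot reach it")
    # To exit to the internet via the VPS, the home side must accept 0.0.0.0/0 for
    # the peer; otherwise packets sent to the tunnel gateway are discarded.
    if default_route and not any(n.prefixlen == 0 for n in _nets(home_peer.get("AllowedIPs", ""))):
        findings.append("home: AllowedIPs lacks 0.0.0.0/0, so traffic sent to the tunnel gateway is dropped")
    return findings


# Constructed placeholder key (32 bytes of 0x01); a real deployment uses `wg genkey`.
KEY = base64.b64encode(b"\x01" * 32).decode()
HOME_BROKEN = f"[Interface]\nAddress = 10.10.10.2/24\nPrivateKey = {KEY}\n[Peer]\nPublicKey = {KEY}\nAllowedIPs = 10.10.10.0/24\nEndpoint = 203.0.113.10:51820\n"
VPS_BROKEN = f"[Interface]\nAddress = 10.10.10.1/24\nListenPort = 51820\nPrivateKey = {KEY}\n[Peer]\nPublicKey = {KEY}\nAllowedIPs = 10.10.10.2/32\n"
HOME_FIXED = f"[Interface]\nAddress = 10.10.10.2/24\nPrivateKey = {KEY}\n[Peer]\nPublicKey = {KEY}\nAllowedIPs = 0.0.0.0/0\nEndpoint = 203.0.113.10:51820\nPersistentKeepalive = 25\n"
VPS_FIXED = f"[Interface]\nAddress = 10.10.10.1/24\nListenPort = 51820\nPrivateKey = {KEY}\n[Peer]\nPublicKey = {KEY}\nAllowedIPs = 10.10.10.2/32, 192.168.1.0/24\n"

if __name__ == "__main__":
    for label, pair in (("broken", (HOME_BROKEN, VPS_BROKEN)), ("fixed", (HOME_FIXED, VPS_FIXED))):
        print(label, check_tunnel_pair(*pair, "192.168.1.0/24") or ["ok"])
```

On pfSense the same fields live in the WireGuard peer settings (allowed IPs, endpoint, keep-alive) rather than in a .conf file, so the check is worth running against what the GUI shows. It deliberately covers only the cryptokey-routing side: the VPS still needs outbound NAT for the home subnets and NAT port-forward rules on its WAN, and the home router still needs a policy-routing rule pointing at the Linode gateway, none of which the script inspects.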
      shmolf @jonsteinmetz
      last edited by Mar 27, 2024, 6:16 AM

      @jonsteinmetz I've not tried this yet, but there's a git repo documenting what someone else has tried, and some alternative options.

      https://github.com/mochman/Bypass_CGNAT

      Hopefully this helps

      • 
        elvisimprsntr
        last edited by elvisimprsntr Mar 27, 2024, 10:48 AM Mar 27, 2024, 10:35 AM

        @jonsteinmetz

        Tailscale will bypass CGNAT without all the added complexity and expense of a VPS.

        Clients for every OS distribution on the planet. Takes minutes to set up and works automagically!

        Tailscale on pfSense

        • 
          didyfink @elvisimprsntr
          last edited by Sep 18, 2024, 11:47 PM

          @elvisimprsntr Privacy is probably more of a concern than VM expense! Why the hell can we not self-host Tailscale and pay a license to use it? It's beyond me :)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.