Netgate Discussion Forum
    OpenVPN with client on a firewalled LAN?

    OpenVPN
    11 Posts 2 Posters 918 Views
    • Rich W.

      I have a LAN on an Internet service that provides me with a dynamic IP address. The service provider has a firewall which blocks ALL inbound traffic — i.e., I can initiate connections outbound from my LAN to the Internet, but any attempts to initiate a connection inbound to my LAN from the outside simply WILL NOT get through (even if my router's external IP address is known, so a dynamic DNS service won't help). Can I use OpenVPN in such a situation? Or does OpenVPN demand that each endpoint must be able to connect directly to the IP address of the other endpoint? If OpenVPN is not usable in my environment, can anyone suggest an alternative that will work?

      • viragomann @Rich W.

        @Rich-W said in OpenVPN with client on a firewalled LAN?:

        The service provider has a firewall which blocks ALL inbound traffic — i.e., I can initiate connections outbound from my LAN to the Internet, but any attempts to initiate a connection inbound to my LAN from the outside simply WILL NOT get through (even if my router's external IP address is known

        Maybe you have a CG-NAT address?

        Can I use OpenVPN in such a situation?

        You mean to access your network?
        It's the same as with other services: you might be able to run an outbound connection, i.e. an OpenVPN client.

        So you can get a VPS with a static public IP and install an OpenVPN server on it, then connect your client to it.
        Then you can forward traffic to the public IP to your LAN devices.

        You can also connect to the VPN server from your device when you're out, to access your home network.

        • Rich W. @viragomann
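The "VPS as relay" layout from the reply above, written out as an added example (not code from the thread or from Netgate). It emits the three pieces the setup needs: the OpenVPN server config and a ccd entry on the VPS that pin the home host to a fixed tunnel address, the nftables rules on the VPS that DNAT the public ports into the tunnel, and the policy-routing commands the home host needs so replies go back through the tunnel instead of the home router. All addresses, interface names, ports, the client certificate CN and the key/cert paths are assumptions; the home host is assumed to be a Linux box running the OpenVPN client, and the VPS needs net.ipv4.ip_forward=1.

```shell
#!/bin/sh
# Added example, not from the thread or from Netgate: config for a VPS that
# relays inbound ports to a home host which can only dial out.
# Assumptions: VPS public IP 203.0.113.10 on eth0, tunnel 10.8.0.0/24 with
# the VPS at 10.8.0.1, the home mail server pinned to 10.8.0.2 via its
# client cert CN "homemail", relayed ports 25 (SMTP) and 993 (IMAPS).
set -eu

VPS_PUBLIC_IP="${VPS_PUBLIC_IP:-203.0.113.10}"
VPS_WAN_IF="${VPS_WAN_IF:-eth0}"
VPS_TUN_IP="${VPS_TUN_IP:-10.8.0.1}"
MAIL_TUN_IP="${MAIL_TUN_IP:-10.8.0.2}"
MAIL_CN="${MAIL_CN:-homemail}"        # CN of the mail server's client certificate
RELAY_PORTS="${RELAY_PORTS:-25 993}"

# nft set syntax for the relayed ports: "25 993" -> "{ 25, 993 }"
nft_port_set() {
  printf '{ %s }\n' "$(printf '%s' "$RELAY_PORTS" | sed 's/ /, /g')"
}

# /etc/openvpn/server.conf on the VPS.  "topology subnet" plus a ccd entry
# keyed on the client CN give the mail server a fixed tunnel address, so the
# DNAT target below never moves.  Key/cert paths are placeholders.
openvpn_server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
keepalive 10 60
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/ta.key
remote-cert-tls client
persist-key
persist-tun
user nobody
group nogroup
EOF
}

# /etc/openvpn/ccd/$MAIL_CN on the VPS: pins the mail server to $MAIL_TUN_IP.
openvpn_ccd_entry() {
  printf 'ifconfig-push %s 255.255.255.0\n' "$MAIL_TUN_IP"
}

# nftables ruleset for the VPS (load with `nft -f`): DNAT the relayed ports
# to the tunnel address and forward only that traffic plus its replies;
# anything else the VPS would forward is dropped.
vps_nft_ruleset() {
  ports=$(nft_port_set)
  cat <<EOF
table ip relay {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iif "$VPS_WAN_IF" ip daddr $VPS_PUBLIC_IP tcp dport $ports dnat to $MAIL_TUN_IP
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iif "$VPS_WAN_IF" oif "tun0" ip daddr $MAIL_TUN_IP tcp dport $ports accept
  }
}
EOF
}

# Commands for the home mail server (Linux, running the OpenVPN client).
# DNATed packets arrive with the real internet source address, so without
# this the replies would leave via the home router and every connection
# would hang.  Policy routing sends anything sourced from the tunnel
# address back into the tunnel.
home_route_back() {
  cat <<EOF
ip rule add from $MAIL_TUN_IP table 100
ip route add default via $VPS_TUN_IP dev tun0 table 100
EOF
}

main() {
  echo "# --- VPS: /etc/openvpn/server.conf"; openvpn_server_conf
  echo "# --- VPS: /etc/openvpn/ccd/$MAIL_CN"; openvpn_ccd_entry
  echo "# --- VPS: nft -f <this>"; vps_nft_ruleset
  echo "# --- home mail server: run as root after the tunnel is up"; home_route_back
}
main
```

The alternative to the route-back rules is a masquerade rule on the VPS for traffic going into tun0; that works without touching the home host, but the mail server then sees every connection as coming from 10.8.0.1, which ruins its logs and any IP-based reputation or rate-limiting it does. The forward chain's drop policy only affects traffic the VPS forwards, not the VPS's own services.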

          More details on how to do this, please?

          • viragomann @Rich W.

            @Rich-W
            What exactly? What is your purpose? You didn't mention.

            • Rich W. @viragomann

              I have a private, local e-mail server (I set this up before Gmail was a thing, btw, and it would be too big of a hassle to migrate to Gmail at this point).

              Everything worked just fine when I had my home LAN connected to the Internet via a public, static IP address. My family recently moved to a small community which is exclusively serviced via a fibre network that provides me with only a dynamic IP address that cannot be connected to from the outside.

              If I can't have my in-house mail server accessible from the Internet (via SMTP and IMAP), I'll need to set up mirror ports on a cloud server and tunnel these ports to the corresponding ports on my mail server. This, however, will require me to devise a way to tunnel into the mail server from the outside — hence my question.

              • viragomann @Rich W.

                @Rich-W said in OpenVPN with client on a firewalled LAN?:

                My family recently moved to a small community which is exclusively serviced via a fibre network that provides me with only a dynamic IP address that cannot be connected to from the outside

                A dynamic public IP doesn't necessarily mean that it is not accessible from the internet.
                As mentioned, it could be a CG-NAT, I don't know, since you didn't say. If that's the case, you're lost for sure.
                Incoming access could also be blocked by the ISP, but this is uncommon.

                So maybe you can elaborate that before you start with a workaround.

                • Rich W. @viragomann

                  How do I determine whether my dynamic IP is a CG-NAT or not?

                  All I know right now is that if I try to connect to my LAN's IP address from the outside in any way — even by pinging it — I get an "unreachable" error.

                  What I want to do is to set up a VPN tunnel between a host on my home LAN and a cloud server which I run outside of my home LAN. Then I would set up NAT so that connections to services on my cloud server would be redirected to my home LAN.

                  • viragomann @Rich W.

                    @Rich-W
                    It uses a certain IP range (normally).
                    https://en.wikipedia.org/wiki/Carrier-grade_NAT

                    Or even any other private IP range.
                    https://en.wikipedia.org/wiki/Private_network

                    • Rich W. @viragomann
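The range check from the reply above, plus the comparison that answers the "is my dynamic IP CG-NAT or not?" question, as an added example (not code from the thread or from Netgate). It classifies the address the WAN interface actually received (100.64.0.0/10 means carrier-grade NAT, an RFC 1918 address means the ISP has a NAT box in front of you) and compares a public-looking WAN address with the address the internet sees for you. The addresses in `main` are constructed samples; the WAN interface name and the "what is my IP" service in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Netgate: classify the WAN
# address and compare it with the address the internet sees, to tell
# CG-NAT / ISP NAT (inbound impossible) from ISP filtering (inbound merely
# blocked).  Pure sh, so it runs on the pfSense shell as well as Linux.

# Print the class of an IPv4 address: cgnat, private, loopback, link-local,
# public, or invalid (with exit status 1).
classify_ip4() {
  ip=$1
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || { echo invalid; return 1; }
  for o in "$@"; do
    [ "$o" -le 255 ] || { echo invalid; return 1; }
  done
  a=$1; b=$2
  if   [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat   # 100.64.0.0/10, RFC 6598
  elif [ "$a" -eq 10 ]; then echo private                                          # 10.0.0.0/8, RFC 1918
  elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private  # 172.16.0.0/12, RFC 1918
  elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private                     # 192.168.0.0/16, RFC 1918
  elif [ "$a" -eq 127 ]; then echo loopback
  elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo link-local
  else echo public
  fi
}

# wan_verdict <wan address> <address the internet sees>
#   cgnat        -> carrier-grade NAT on the WAN; no port forward can help
#   isp-nat      -> RFC 1918 on the WAN; an ISP router/NAT sits in front of you
#   direct       -> the internet sees your WAN address; inbound only fails
#                   if the ISP filters it (ask them, as the OP did)
#   upstream-nat -> public-looking WAN address, but something upstream
#                   is still translating it
wan_verdict() {
  wan=$1; seen=$2
  c=$(classify_ip4 "$wan") || { echo invalid; return 1; }
  case "$c" in
    cgnat)   echo cgnat ;;
    private) echo isp-nat ;;
    public)
      if [ "$wan" = "$seen" ]; then echo direct; else echo upstream-nat; fi ;;
    *)       echo "$c" ;;
  esac
}

# Usage on the router: pass the WAN address and the outside view, e.g.
#   main "$(ifconfig igb0 inet | awk '/inet /{print $2}')" "$(curl -s https://api.ipify.org)"
# (igb0 and the lookup service are assumptions; any "what is my IP" service works).
main() {
  wan_addr=${1:-100.71.2.3}      # constructed sample: a CG-NAT WAN address
  seen_addr=${2:-203.0.113.9}    # constructed sample: what the internet sees
  printf 'WAN %s is %s, internet sees %s: verdict %s\n' \
    "$wan_addr" "$(classify_ip4 "$wan_addr")" "$seen_addr" \
    "$(wan_verdict "$wan_addr" "$seen_addr")"
}
main "$@"
```

A failed ping from outside says nothing by itself: ICMP echo is dropped by plenty of routers and ISPs that still pass TCP. Only a `direct` verdict makes it worth testing an actual port forward; `cgnat` or `isp-nat` means the outbound-relay approach is the only option short of getting the ISP to hand out a routable address.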

                      But if I can establish some sort of connection initiated from my home LAN to my cloud server on the public Internet, and then use that connection to establish tunnels from my public cloud server to my home LAN, then I don't understand why it should matter whether CG-NAT is involved or not.

                      • viragomann @Rich W.

                        @Rich-W
                        It doesn't matter for an outbound connection, and the mentioned VPS as a relay to get access from outside would be possible anyway.
                        But I'm trying to find out if this is even necessary. However, since you don't give details on this, we're stuck here.

                        • Rich W. @viragomann

                          I was able to get my ISP to give me a publicly accessible IP address for my WAN. This has solved my problem. Thanks for all the suggestions.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.