Is remote access behind CGNAT possible?

eiger3970 0

Remote access on the home network used to work with VNC and Remmina on a remote laptop.
However the ISP's CGNAT stops it working.

From reading, a VPN or tunnel might be needed?
Is there an easy setup using pfSense for remote access?

I tried OpenVPN but it needs a public WAN IP.
I've started looking at TailScale, but it's all new to me.

Just a simple home network solution would be good if a free VPS or something is needed?

bmeeks

For security reasons, any remote access should use a VPN!

There are two ways to work this VPN access.

1. The easy and free version is to configure the VPN server on pfSense and put a certificate on your remote clients (PCs, iOS devices, etc.). You would also configure an account with a dynamic DNS hosting provider (there are some free ones and ton of paid ones). Then you can securely remote into your home network. But this mostly free method will not work behind CGNAT.

2. The method required to get around CGNAT is to host your VPN server on some public host. So far as I know, all of those require some payment, but shopping around can produce a very reasonable (as in low) fee. You set up your VPN server on the public host, then on your pfSense firewall you configure a full time VPN tunnel to your VPS (virtual private server). You create another public VPN server on the VPS and configure your remote clients to connect to that VPN server. The traffic is then relayed securely into pfSense and your home network.

michmoor

@bmeeks
Option 3 is to use Tailscale which works with CGNAT. Its available as an option on pfSense

bmeeks

@michmoor said in Is remote access behind CGNAT possible?:

@bmeeks
Option 3 is to use Tailscale which works with CGNAT. Its available as an option on pfSense

Yes, I forgot about Tailscale.

It's sort of a re-engineered and easier version of option #2 from my list. The Tailscale tailnet wraps the whole VPS thing the way I understand it. The setup is much easier and free for some basic amount of tunnels.

Popolou

Cloudlare Tunnels are free and allow a single device to be routed out. Should work for this purpose.

eiger3970 0

@Popolou
I'm trying TailScale for now, however whilst setup and connection was easy via pfSense and actually 'just worked'!, it's not clear how to view and control the GUI?

OpenVPN failed as it needs a public WAN IP to issue a certificate.

Might try WireGuard if I can't solve TailScale's remote viewing and control.

eiger3970 0

@eiger3970-0
Well I'm using a work around now with a remote access client and server.
Bit confusing why I need a VPN or Tunnel, apart from security right?
Even when a VPN or Tunnel is installed, I haven't been able to setup remote viewing, say with VNC and RealVNC on the phone.