I'm not sure where I should ask this question so I'm starting on this forum.
I want to access my desktop computer from outside of my home network. I have installed an instance of SearX and want to use that exclusively whether I'm home or not.
Network setup: cable isp -> cable modem -> RPi w/ openwrt running dhcp (and tunnels to wan through wireguard VPN) -> linux desktop.
First I tried setting up dynamic DNS on the modem and allowing ping from WAN. Cannot get a ping. The next step in routing is DMZ on cable modem to static OpenWrt router with port forwarding that forwards to the desktop (also tried DMZ forwarding all ports). I've tried accessing the desktop from router network, modem network and outside network. The only thing that works is inside router network.
I think my ISP might be blocking internal traffic to my IP from outside. Is there any way to determine that? Both modem and router are set up to allow ping from WAN.
As a solution, can I set up an OpenVPN network on a remote VPS and put everything on that network? I'm not even sure where to start with this.
Not sure if I'm behind CGNAT. WAN IP is not the same as my public IP pulled on the modem, so I assume yes.
Not sure how to use WireGuard VPN to set this up. Didn't even know it was possible. Do you have a recommendation on a good tutorial or resource for this task?
As I read this, it is not a conclusive statement about if you are behind CG-NAT vs just a local NAT from your modem.
Is your modem a modem+router combo unit? If it is a combo, is it in routing mode? Is there a pass-through/bridge mode available? Or does it have a DMZ or port-forwarding config available to you?
Does the modem device have an indication of the IP address it is using (on the cable/internet side)? Does that match the IP address that you get if you google "what's my IP"?
You could try calling your ISP and setting up connection in bridge mode. Basically, shutting off all their features on the proprietary modem.
If you have a static IP address from your ISP in business, you're good; you can build your own stuff. Sounds complicated what you're doing, especially that SearX is discontinued.
Looks like it still works...still..., they say it's discontinued since 2023.
Anyway, you could try ISP and see what they can do for you. Just need an OpenWrt gate, better than the stuff they use. DON'T ask if you have a static IP; check that and see if it changes. They might charge you extra for something you already have.
Modem is a combo with wifi. It is also in routing mode. It does have a bridge mode as well, but that would disable the wifi (which I need to connect to institutions that block VPN traffic). It has DMZ and port forwarding abilities - I have the DMZ set up to point to the RPi router (which is DHCP reserved).
"As a solution, can I set up an OpenVPN network on a remote VPS and put everything on that network? I'm not even sure where to start with this"
Yes, you can definitely do this. It costs money for the VPS provider and you have to use their provided VM, like a 16.04 ubuntu trusty tahir, older and still working. They are using their hardware. Go with a WireGuard server or even OpenVPN VPS, then set a client side on your end and administer it with the client. You can even set up an older OpenWrt router with the config file set up on it for home and use with whatever device you want, Android, Linux; you can set what and where to who depending on what you are sharing. It is basically a VPN for yourself like the providers; it is your stuff, yet the VPS guys want to make sure you're on board all the way across with everyone else, it is their hardware. You have to play nice when you do that. I love WireGuard, works better on the new stuff.
Assuming that you actually have a public IP on your main router's WAN interface, the DMZ that you've set up should allow you to run a VPN such as WireGuard without issue.
That said, you mentioned that you have the upstream router in use for services that block VPN... this implies that you have a VPN running on your Pi router now (theoretically a commercial VPN service), so if that's the case, you'll need to use Policy Based Routing to enable both an inbound and outbound VPN.
Also, there may be other ways to approach your entire topology, but that might be for another day, since your main question here was how to set up a method of accessing your computer on your home network while you are out of your home... WireGuard should work, likely with PBR if you're using the outbound VPN that I'm guessing is in play here.
In the original post I mentioned that the RPi router tunnels through a WireGuard VPN service. I think the problem is there is a missing route from my ISP to the modem because my public IP address is different than the internal IP address I'm pulling from the modem. Isn't that the CGNAT?
Let's sort out all the different parts of the equation with respect to your IP addresses.
1. You have a combo modem+router unit connected to your ISP. Hopefully, you have a public IP on the WAN of that device. Is there a way for you to determine if that is the case?
2. Your RPi is connected to the modem+router device upstream, which means that it will get an RFC1918 address. This is, of course, not a public IP, but as long as the ISP router's port forwarding or DMZ works as expected, you should be fine.
3. You have a VPN running on your RPi. This means that the apparent public IP address of devices connected through the RPi will be a function of that VPN service's egress points.
Returning to point 1, hopefully your ISP router has a status page that tells you the IP address on its wan. If that address is a proper public IPv4 address, you should see that as your IP address when you check from a computer that is directly connected to the ISP router itself. Have you done this test?
Assuming you have a public IP on the ISP router per the above test, you can set up an inbound VPN (WireGuard recommended) and it should work. You will need PBR on your RPi to handle the fact that you have two different VPNs (one inbound, one outbound). PBR is necessary because the inbound VPN requires that the inbound VPN traffic must egress through the upstream network, not the commercial VPN.
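The address comparison discussed in the posts above, as an added example that is not part of the original thread: it classifies each router's WAN address against what an external "what's my IP" service reports, once from a host directly on the ISP router and once from behind the RPi. Function names and all sample addresses (documentation ranges) are constructed for illustration, and only IPv4 is considered.

```python
import ipaddress

# Blocks that are never directly reachable from the internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify_wan(wan_ip, observed_ip):
    """Compare a router's WAN address with the address an external
    service sees for a host behind that router."""
    wan = ipaddress.ip_address(wan_ip)
    observed = ipaddress.ip_address(observed_ip)
    if wan in CGNAT:
        return "cgnat"      # carrier NAT upstream; DMZ/forwarding cannot help
    if any(wan in net for net in RFC1918):
        return "private"    # some other NAT sits upstream of this router
    if wan == observed:
        return "public"     # this router holds the public address itself
    return "mismatch"       # traffic leaves elsewhere (VPN, proxy, extra NAT)


def diagnose(modem_wan, seen_direct, rpi_wan, seen_via_rpi):
    """modem_wan/rpi_wan come from each device's status page;
    seen_direct is measured from a host plugged into the ISP router,
    seen_via_rpi from a host behind the RPi (hypothetical parameter names)."""
    modem = classify_wan(modem_wan, seen_direct)
    vpn = ipaddress.ip_address(seen_via_rpi) != ipaddress.ip_address(seen_direct)
    return {
        "modem": modem,
        "rpi": classify_wan(rpi_wan, seen_via_rpi),
        "vpn_egress": vpn,                      # RPi clients exit via the VPN
        "forwarding_can_work": modem == "public",
    }


if __name__ == "__main__":
    # Constructed sample: public IP on the modem, RPi behind it with a VPN.
    print(diagnose("203.0.113.10", "203.0.113.10",
                   "192.168.0.2", "198.51.100.7"))
    # Constructed sample: modem WAN address inside the CGNAT block.
    print(diagnose("100.72.14.9", "203.0.113.10",
                   "192.168.0.2", "198.51.100.7"))
```

A "private" result for the RPi is expected behind a routing-mode modem; only the modem's own result decides whether DMZ or port forwarding can deliver inbound traffic.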
lleachii wrote: "Does your VPN provider allow inbound traffic via your already configured WG tunnel?"
No, that's why people build their own with a static IP, or if you pay for cheap IP, dyn, etc... you can still have the best of both. When you need some files from home or if you don't trust the internet from where you are, you can pipe back home, access files and use your own connection at home on UDP WG0, or go with a commercial provider and trust them to what you're doing (still, no forward).
There was somebody saying something about before, can't remember, it never took off (inbound traffic through tunnel from commercial VPN).
As to [sumrando]'s basic problem, you could have been using your RPi for quite a while with a static IP going on for a year or two, using that IP was configed in Pi from that; maybe there was a BIG RESET from your ISP and you lost the digits. Maybe you just need to redo your RPi.
Run your RPi (if at least a Pi 4) (container, VM, spare PC) as the VPN server to get to your LAN resources (resources can be accessed from same unit); if your provider gives a static IP (verify that), use that. Maybe your IP only changes once every nine months.
When I say best of both, if you are paying for Nord or something in that manner, there is no access to your home platform using theirs.
Still cheaper to build your own, paying for an IP provider (dyn, cheap-ip service) and building your own VPN (access to home and files), and then having a commercial provider for something else.
If you don't have a steady IP, you have to pay for that from a provider (that is another subject).
You are better off not using your provider's combo all-in-one modem with their services at all.
There could be a port forward setting on ISP modem, I don't think so. Was through that with a Cogeco modem, there are millions of them given to the customers. You have to beg them to bridge it (shut off the features please)