Access network behind private nat isp ip

My ISP gives me dynamic ip from a pool behind a nat and we can't really open ports directly on this ip (as the real public ip is different than the one assigned)
Can i take a public ipv4 in some way with a tunnel for example?

The main reason would be access home network with a local vpn server

1 Like

Your options:

  • Buy a public IP from your ISP if possible.
  • VPN provider which can give a public IPv4.
  • VPS provider.

You can also use IPv6 if both client and server have IPv6 connectivity.
However, IPv6 tunnel brokers usually need a public IPv4, so in your case it would require native IPv6 on the server side.

If you just need to traverse NAT, SoftEther VPN should be able to do it using 3-rd party servers.

Can you explain better the softether solution?

Why not DDNS?

Because he does no have a public IP.

Sorry. Missed that

I do not use it, but NAT traversal and another similar feature are declared in the official documentation.
Several people reported that it works and can run on OpenWrt.

1 Like

Have you considered Hamachi?

1 Like

This way 3rd party is involved. I should mark second post from @vgaetera as a solution

Edit: or it my be an attempt to tamper with corporate network security policies. If you can not control network endpoint, why to bother?

Yes I think nat traversal is a solution but I need to search how to actually set up and access them. I already use softether but in a more common way (public IP with ddns)

Is your ISP modem/ONU in bridge mode?

No but I can control it (I have root access)

So. Configure it your way
Give us topology at least

Because the ISP modem is (probably) doing double NAT

My ISP (Fastweb Italy) gives me a private IP that is behind a NAT. And the pool share the same IP. I don't have much to configure on the mode. It's just Dhcp.

So, it has nothing to do with Openwrt. Just basic networking. End

Well I'm just asking suggestion... Also I will install this to my openwrt router so... I don't think it's that OT... If someone have other idea to test, I will test them and I will report back.

Did you see my comment?
I think your ISP modem is doing double NAT so your router will only get a private address. Set it to bridge mode if possible.

Very unlikely in this case, new ISPs (fibre, cable, …) just don't get a large enough IPv4 subnet to serve each of their users a single one, so they use DS-Lite instead (cgNAT IPv4 out of the range).

Other than only using IPv6 for external access, there isn't a whole lot you can do. Options beside this would involve switching to a business contract (those typically have a dedicated IPv4 address, eventually even a static one) or the VPN route @Ansuel already implicated. While the VPN option would be possible, it's not easy and messy - as -for optimal results- you'd have a second 'free' IPv4 address on the VPN server, an IPv4 address you could allocate freely, without affecting the operations of the VPN host (possible, but finding a hoster that will offer this might take a while). There are some commercial vendors who offer these services though (full-service). Sharing the same IPv4 address with the VPN host is technically only possible with very tricky firewall/ forwarding rules, possible, but not for the faint of heart.

I'm actually bothering about the same issue myself, ftth with DS-Lite or sticking to VDSL with native dual-stack… tough decision, I haven't made up my mind yet (the business contracts would not be economically viable)…


In my case I have a host with a dedicated public IP so I think softether bridge would work. IF NAT traversal works.
So to sum up... To access a local network behind dslite I need another public IP and total control over it right?

1 Like