Possible to connect via WireGuard to router behind a CGNAT?

Is it possible to connect to my OpenWrt router via WireGuard behind a CGNAT? Conceptually, I am thinking of this as a double NAT. So I think this is not possible (searching seems to support this statement) without the ISP setting up a forwarded port. I did find this post, but I think it is about connecting to a WireGuard peer that has a public IP from behind a CGNAT, which is a bit different.

It is certainly possible the other way around, or to pin a port open using DDNS and natpmpcli.

Short answer: no, cgNAT makes it impossible to open ports to the open internet, as a consequence your remote roadwarrior doesn't have anything it could connect to.

Medium answer: You could connect from your cgNATed router to an intermediary server (outgoing) with a public IP, so that roadwarrior and router both connect to a common intermediary server/network and find each other that way.

Long answer: There are options like what Skype has been doing, hole punching its way through the NATs/firewalls; unetd is such an implementation (but it's rather underdocumented).

tl;dr: so even though it is not possible, there are still ways to cheat around it to make it work.

Post scriptum: I'm using WireGuard and am behind cgNAT myself; my solution is to use IPv6 (exclusively) to reach my router's WireGuard endpoint. This works reasonably well: all wired ISPs offer at least dynamic IPv6 prefixes by now (sadly private hotspots, guest networks and enterprise networks often don't enable it, nor does international roaming, most of the time), and all (most?) mobile carriers support IPv6 by now as well (might need setting a special APN and explicitly opting into their IPv6 programme). For me, that (in combination with my semi-static /56 IPv6 prefix; before that, with a different ISP and dynamic prefixes, I used Hurricane Electric's 6in4 /48 tunnel for that purpose) is 'good enough™' to reach my own home network, so I didn't need to look into unetd myself.

2 Likes
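As an added example (not from this thread, and not OpenWrt's or WireGuard's own documentation), this is what the "medium answer" hub topology looks like as WireGuard configs. The VPS address 203.0.113.10, the tunnel net 10.8.0.0/24, the home LAN 192.168.1.0/24 and the `<...>` key placeholders are assumptions; generate real keys with `wg genkey | tee priv | wg pubkey`. On OpenWrt the router section goes into /etc/config/network (wireguard proto) with the same values.

```ini
# --- VPS hub (public IP 203.0.113.10, listens on UDP 51820) ---
# Assumed addresses; the hub is the only side that needs an open port.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <vps-private-key>
# The hub routes between the two spokes: set net.ipv4.ip_forward=1 and
# allow forwarding between peers on the wg interface (%i = this interface).
PostUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT

[Peer]
# Home router behind CGNAT. Its LAN is reachable only through this peer,
# so the LAN prefix is part of its AllowedIPs (cryptokey routing).
PublicKey = <router-public-key>
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

[Peer]
# Roadwarrior (laptop/phone), one /32 per device.
PublicKey = <roadwarrior-public-key>
AllowedIPs = 10.8.0.3/32

# --- home router behind CGNAT (no ListenPort needed: it only dials out) ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <router-private-key>

[Peer]
PublicKey = <vps-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.8.0.0/24
# Without this the CGNAT mapping times out and the hub can no longer
# reach the router until the router sends something itself.
PersistentKeepalive = 25

# --- roadwarrior ---
[Interface]
Address = 10.8.0.3/24
PrivateKey = <roadwarrior-private-key>

[Peer]
PublicKey = <vps-public-key>
Endpoint = 203.0.113.10:51820
# The home LAN is routed to the hub, which forwards it to the router peer.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
```

Two things to check: on the router, the OpenWrt firewall must allow forwarding from the wg zone to lan (and masquerade, or give the LAN hosts a route back to 10.8.0.0/24), and the `PersistentKeepalive` on the router side is not optional here, since the router has no public port and the CGNAT mapping exists only while the router keeps sending. Note also that the hub terminates both tunnels, so roadwarrior-to-LAN traffic is decrypted and re-encrypted on the VPS; that is the trust question the later posts raise. If you want the VPS to relay only ciphertext, run a second WireGuard tunnel directly between router and roadwarrior over their 10.8.0.x addresses and put the LAN prefix in that inner tunnel's AllowedIPs instead.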

Thanks for the detailed reply. I read about using a VPS as a middle-man and also about going with an IPv6 setup. I might consider the VPS if the ISP I am using cannot provide me with a public IP or forward a port for me.

Hmm... I did find some mentions of using coturn, but it seems that using it also requires a public IP address.

Besides unetd/WireGuard, Nebula or Tailscale might help as well.

2 Likes

Similar to Nebula and Tailscale, Zerotier is also an OpenWrt package and relatively easy to use.

2 Likes

In thinking through the VPS option, that seems like a really bad idea since the WireGuard configuration with access to my home network would be out of my control. Is there something I’m not considering when I make that statement?

It does involve quite a lot of trust in the server hosting, yes. In the case of a v-server even more than in the case of bare-iron hosting, but in both cases you do hand the keys to your home network to a third party, on the promise that they won't use it (and we have seen law enforcement getting quite greedy about this aspect as well).

I would still prefer this over trusting a commercial VPN operator offering this service (as in virtual intermediary networks; these are also sold commercially as a product), because that's a step further into the trust-me pit than relying on a good hoster, but neither is great.

That, and the ongoing monthly costs, is what keeps me on IPv6, because that's free and entirely on my premises.

I agree with @mk24! All SD-WAN solutions can handle CGNAT, like Zerotier or Tailscale (which, btw, is built on WireGuard). It's way easier than WireGuard: you just install the client and the rest of the configuration is managed through a central website.

Thanks for the discussion. I think I will just pay the ISP for a static address and call it good.

@slh - I have a pure IPv4 setup here and do not have a very good understanding of setting up IPv6. If I read your reply correctly, you have IPv6 only on your WG interface. Is that setup/configuration easy?

Setting up IPv6 (unless your ISP messed up) is easy, and configuring WireGuard on top is easy as well.

There are two approaches:

  • just using IPv6 for the tunnel (your endpoint/gateway address), but ignoring IPv6 beyond that (as in not enabling it for the data passing through the tunnel and keeping that IPv4-only); this is trivial, basically nothing to do (DDNS for IPv6 and off to the races you go)
  • a fully IPv4+IPv6 enabled tunnel is also possible, but requires a (semi-)static IPv6 prefix, as WireGuard needs to hardcode the IPv6 addresses. I have done that (after getting the first option to work), as I really want it to be fully IPv6 capable, and because it was easy for me (he.net tunnel at first; now my ISP gives me a semi-static prefix, which changed once, after pre-announced maintenance, in four years; I can't use he.net anymore, since cgNAT doesn't allow 6in4, as there is no way to open protocol 41 with cgNAT)
    • if your ISP doesn't provide an (effectively) static prefix, it's still possible, but gets complex rather fast (NAT64, using the ULA prefix instead of global IPv6 addresses for the transport network)
2 Likes

A basic setup where you use IPv6 only for the outside of the tunnel really just requires IPv6 service at both peers, and registering the house's IPv6 address with IPv6 DDNS. The LAN does not need to have IPv6. You could use v4 only inside the tunnel to your v4-only home network.

1 Like
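As an added example (not from this thread, nor OpenWrt's or WireGuard's own documentation), this is the "IPv6 outside, IPv4 inside" variant described in the two posts above as WireGuard configs. The DDNS name home.example.net, the tunnel net 10.9.0.0/24, the LAN 192.168.1.0/24 and the `<...>` key placeholders are assumptions.

```ini
# --- home router (OpenWrt), reachable at its global IPv6 WAN address ---
# The inside of the tunnel is IPv4 only; IPv6 is used purely as transport.
[Interface]
Address = 10.9.0.1/24
ListenPort = 51820
PrivateKey = <router-private-key>

[Peer]
PublicKey = <roadwarrior-public-key>
AllowedIPs = 10.9.0.2/32
# No Endpoint here: the roadwarrior's address changes and it always
# initiates, so the router learns the endpoint from the handshake.

# --- roadwarrior ---
[Interface]
Address = 10.9.0.2/24
PrivateKey = <roadwarrior-private-key>

[Peer]
PublicKey = <router-public-key>
# DDNS name with an AAAA record for the router's WAN IPv6 address
# (assumed name; kept current by the router's DDNS client).
Endpoint = home.example.net:51820
# Only IPv4 destinations are routed into the tunnel; the v6 outside
# never needs to be enabled on the LAN.
AllowedIPs = 10.9.0.0/24, 192.168.1.0/24
```

On the router side you still need a firewall traffic rule accepting UDP 51820 on wan, which can be restricted to family ipv6 since nothing will ever arrive over v4. Two caveats: WireGuard resolves the Endpoint name when the config is loaded, so after a prefix change on the home side the roadwarrior has to reload the peer (or re-set the endpoint with `wg set`), and the roadwarrior only works from networks that actually hand out IPv6, which is the limitation the thread ends on.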

Thanks for the replies, and info, all. I just found out that the majority of the WiFi networks I tend to use when away do not support IPv6, so I guess paying $10 more a month for a static IP is in the cards.
