Access Network on the VPN Client Side? CGNAT troubles!

[NetNewb124]

Here's what I have:

Location 1: AX86U - static IP - LAN: 10.1.1.x (OpenVPN server IP: 10.10.0.x, Wireguard IP: 10.6.1.x)
Location 2: AX86U - static IP - LAN: 10.2.1.x (OpenVPN server IP: 10.20.0.x, Wireguard IP: 10.7.1.x)
Location 3: AC86U - CGNAT - LAN: 10.3.1.x (no OpenVPN server, no Wireguard server)

I don't need/want the networks to be intertwined or linked (i.e. all the devices can talk to all the other devices). However, I need to be able to access the network/devices occasionally from a single device (laptop, mobile etc.). As it stands, without any real difficulty or issue, that single device is a Macbook that has both OpenVPN and Wireguard clients running - from this device, I can connect to Location 1 or Location 2 by either protocol and access their respective network/devices. It works!

I have a new location that only has CGNAT - I need to be able to achieve the same. I can connect the AC86U as an "OpenVPN client" to Location 1 (example), this in turn exposes the entire Location 1 network/clients to it. It isn't *really* an issue. Here's the issue:

Location 3 shows as connected to Location 1 on remote IP: 10.10.0.2 - I can ping that IP from any device on Location 1 and it returns successfully. But I cannot access any of the devices, nor the ASUS webUI at 10.3.1.1. Obviously, it works the other way. Any device on Location 3 can ping 10.1.1.1, access the webUI and all the devices etc.

How can I achieve what I'm trying to here, with the limitation of CGNAT? Is it not possible for Location 3 to connect in as a "client" to Location 1 and then in return allow a device on Location 1 to access its network?

Or is there another obvious solution I'm missing?

 

[jksmurf]

Here's what I have:

Location 3: AC86U - CGNAT - LAN: 10.3.1.x (no OpenVPN server, no Wireguard server)

I have a new location that only has CGNAT - I need to be able to achieve the same. I can connect the AC86U as an "OpenVPN client" to Location 1 (example), this in turn exposes the entire Location 1 network/clients to it. It isn't *really* an issue. Here's the issue:

How can I achieve what I'm trying to here, with the limitation of CGNAT? Is it not possible for Location 3 to connect in as a "client" to Location 1 and then in return allow a device on Location 1 to access its network?

Or is there another obvious solution I'm missing?

I'm biased ( ) but maybe consider Tailscale for Router 3? Set it up as a Subnet Router, which can get past CGNAT.
It's the primary reason I and quite a few others use it.

And it just so happens that @Viktor Jaep made a wonderful TAILMON Addon, just for the Tailscale install on a Router and set up.

Alternatively if you do not wish to delve into amtm and Addons, do what I 'used' to do and set up a RPi with Tailscale (that's my write up, probably a bit wobbly) or easier still set up an Apple TV running TVOS 17 or later (IIRC later HD and 4K Models) with Tailscale (it's a TVOS App), configure it as a Subnet Router, attach it to your Router 3 with an Ethernet Cable and that will feed past CGNAT.

You will need to add your other two devices to the Tailnet if you would like them to inter-operate. If you just want to get past the CGNAT, then just add Tailscale to some other client device e.g. a Windows PC or an iPAD and use that to access Router 3 and the subnet devices attached to it (which do not need to be added to the Tailnet).

Let us know how you get on .

 

[NetNewb124]

Hi @jksmurf, I had heard of Tailscale but because I knew the AC86U doesn't support Wireguard natively, I didn't even think to consider Tailscale!

I'd even considered an L2TP tunnel as a bypass for CGNAT. Well, colour me impressed.

I followed the link to @Viktor Jaep 's TAILMON and I've managed to get things set-up perfectly. It just works. AC86U is now a "subnet router", I can hop on/off the network, ping and access all the networked devices etc.

Wonderful, thanks ever so much!

 

[jksmurf]

Hi @jksmurf, I had heard of Tailscale but because I knew the AC86U doesn't support Wireguard natively, I didn't even think to consider Tailscale!

I'd even considered an L2TP tunnel as a bypass for CGNAT. Well, colour me impressed.

I followed the link to @Viktor Jaep 's TAILMON and I've managed to get things set-up perfectly. It just works. AC86U is now a "subnet router", I can hop on/off the network, ping and access all the networked devices etc.

Wonderful, thanks ever so much!

Awesome, thanks for the feedback, much appreciated. Glad it worked out well for you .

 

[Anthonywkho]

hi everyone, I am new to this forum and I actually would like to find a solution of a three routers access problem I had with VPN access(OpenVPN client and PPTP client).

Here is my situaion: I have three routers in my home network, TP Link AX 55 connected to cable modem and internet with an USB drive 1, TP Link AX23 connected as a mesh node of TP Link AX 55, Asus AC87U lan port to lan port connected to TP Link AX 55 and disabled NAT DHCP DNS etc. Asus AC87U attached an USB Drive 2

I have TP link enabled with pptp and openvpn server. When I am on home network (either on wifi or wire of TP Link or Asus), I can access Asus USB drive and AX 55 usb drive. But when I am outside the network, I used VPN (either PPTP and OpenVPN client) back to TP Link, I cannot access Asus USB drive but can access TP Link AX 55 USB drive) Is there a way to config the routers to make it work. I researched a lot about this, some say using port forwarding and lan route, but I have no luck with any of these. Please advise, thanks in advance.

 

[eibgrad]

hi everyone, I am new to this forum and I actually would like to find a solution of a three routers access problem I had with VPN access(OpenVPN client and PPTP client).

Here is my situaion: I have three routers in my home network, TP Link AX 55 connected to cable modem and internet with an USB drive 1, TP Link AX23 connected as a mesh node of TP Link AX 55, Asus AC87U lan port to lan port connected to TP Link AX 55 and disabled NAT DHCP DNS etc. Asus AC87U attached an USB Drive 2

I have TP link enabled with pptp and openvpn server. When I am on home network (either on wifi or wire of TP Link or Asus), I can access Asus USB drive and AX 55 usb drive. But when I am outside the network, I used VPN (either PPTP and OpenVPN client) back to TP Link, I cannot access Asus USB drive but can access TP Link AX 55 USB drive) Is there a way to config the routers to make it work. I researched a lot about this, some say using port forwarding and lan route, but I have no luck with any of these. Please advise, thanks in advance.

Please create your own new thread. Even when an existing thread seems similar, you're usually better off to create your own and provide links to other threads that you feel might be helpful. If you don't, then many times such posts will get ignored (users just move on).

All that said, it's not obvious this is even an ASUS problem, or that you're even using AsusWRT-Merlin. After all, the primary router is TP-Link and (presumably) is providing the VPN servers. And it sounds like it might be a VPN configuration issue, where perhaps the server side IP network is NOT being pushed to the VPN client(s). Or perhaps some firewall issue.

 

[Anthonywkho]

Please create your own new thread. Even when an existing thread seems similar, you're usually better off to create your own and provide links to other threads that you feel might be helpful. If you don't, then many times such posts will get ignored (users just move on).

All that said, it's not obvious this is even an ASUS problem, or that you're even using AsusWRT-Merlin. After all, the primary router is TP-Link and (presumably) is providing the VPN servers. And it sounds like it might be a VPN configuration issue, where perhaps the server side IP network is NOT being pushed to the VPN client(s). Or perhaps some firewall issue.

Thanks for the advice