Remote connection with CG-NAT

[mrcross]

Setup is an Asus ZEN WIFi AX Hybrid connected to City Fibre in UK and a Huawei B535-333 4G VOLTE connected to the Free Mobile network in France. In France I have cameras, smart plugs and central heating controller all connected by WiFi and I can connect to them from anywhere. What I can’t do is connect the two LAN’s with a VPN. I understand the issue is caused by CG-NAT at the French end. What is iit that allows me to access devices such as smart plugs on both LANs but prevents me from connecting a VPN?

 

[Crimliar]

The common technique is that your smart devices in France will have created a connection with a server, and they'll do just enough to keep that connection alive. Then when you log in, you'll either log in traversing that server (acting as a proxy) or the server will notify the remote device to connect to you if they can.
I'm sure there are other techniques, and you might be able to figure some of it out using packet-sniffing software.

 

[mrcross]

I'm intrigued as to how the smart devices remain accessible when a VPN can't connect. The Huawei is fairly limited and doesn't support remote admin so I can only fiddle with it when in France. I use it because a) I need a 4G router as it's in the sticks with no phone lines or fibre for miles and b) it supports VOLTE so I have a cordless plugged in to make and receive calls. I get about 120 Mb/s download using an external antenna. There seems to be a dearth of 4G or 5G VOLTE routers with decent WiFi on the market. I did try hanging an Asus RT-AC66U on the back of it and using that to establish an OpenVPN link but that didn't work either. It's odd that the smart devices are can be accessed but a VPN can't.

 

[Tech9]

I understand the issue is caused by CG-NAT at the French end.

Not sure about your specific Internet connection in France, but most mobile networks don't allow inbound connections even if you have public IPv4 address or use IPv6. Many IoT devices work behind CGNAT and firewalls using outbound connections to cloud services.

 

[mrcross]

I've got that. What puzzles me is that if a smart device in France can connect to a cloud service and I can then access it inbound why can't I establish an outbound VPN connection to UK? The French connection is metered (pretty generous at 300 Gb/month). Whatever's providing the inbound connection to the cameras, smart switches and central heating seems able to do it with minimal data overhead. It seems odd that it works OK on proprietary systems but there doesn't seem to be a way to build your own. This is really just idle curiosity.

 

[Crimliar]

@mrcross it's all to do with NAT (Network Address Translation). Your devices can start a conversation with devices outside of your NAT realm. Still, without some additional help, new conversations can't be initiated from outside the NAT realm your devices exist within. When using an additional server (as a helper) the overhead is low because mostly the device within the NAT realm is just keeping the conversation alive and no, or very little real data. IPv6 ought to make things easier, but for a whole load of reasons, it often doesn't!
*This is all grossly oversimplified - just consider could an AI manage such poor grammar!

 

[eibgrad]

I've got that. What puzzles me is that if a smart device in France can connect to a cloud service and I can then access it inbound why can't I establish an outbound VPN connection to UK? The French connection is metered (pretty generous at 300 Gb/month). Whatever's providing the inbound connection to the cameras, smart switches and central heating seems able to do it with minimal data overhead. It seems odd that it works OK on proprietary systems but there doesn't seem to be a way to build your own. This is really just idle curiosity.

The smart devices are most likely connecting to servers on the internet from which they receive control information and are able to tunnel back into your network. You would have to do the same thing. Establish a VPS (Virtual Private Server) from the likes of Digital Ocean, Linode, etc., install an OS (e.g., Ubuntu), and install a VPN server. Now your router behind CGNAT establishes a connection to that VPN server, along w/ your remote clients, with the server acting as a gateway back into your home network. Or else use a third-party solution to create and manage the VPN server on your behalf (Tailscale, ZeroTier, etc.).

 

[Tech9]

why can't I establish an outbound VPN connection to UK?

VPN Client from France is not an issue.

You can't have VPN Server there accepting inbound connections.

 

[sfx2000]

two places to start...

zerotier - https://www.zerotier.com/

tailscale - https://tailscale.com/

Both are fairly adept...

 

[mrcross]

While it should in theory be possible to set up a VPN connection outbound from the French mobile router to the UK router, in practice it doesn't work. The Fibre teminates on an ONT with an RJ45 connection to the router. If I try to set up the Asus as a VPN host I get "The wireless router currently uses a private WAN IP address (192.168.x.x, 10.x.x.x or 172.16.x.x). Please refer to the FAQ and set up the port forwarding." From what I can glean it seems that City Fibre uses GPON, effectively the ONT seems to perform NAT between the Fibre and UTP so I have double NAT at both ends. AIUI the port forwarding would have to be set up on the OLT, to which of course I have no access. I guess this might be solveable if there was some way to decide you want to use only IPV6 however it doesn't appear possible to tell any of the kit to do this. AIUI CG-NAT is a workround for the IPV4 address shortage and IPV6 was supposed to be the longer-term answer. (I'm no expert). I can access the UK router from France using Asus's DDNS address so that seems able to cope with it.

 

[ColinTaylor]

While it should in theory be possible to set up a VPN connection outbound from the French mobile router to the UK router, in practice it doesn't work. The Fibre teminates on an ONT with an RJ45 connection to the router. If I try to set up the Asus as a VPN host I get "The wireless router currently uses a private WAN IP address (192.168.x.x, 10.x.x.x or 172.16.x.x). Please refer to the FAQ and set up the port forwarding." From what I can glean it seems that City Fibre uses GPON, effectively the ONT seems to perform NAT between the Fibre and UTP so I have double NAT at both ends. AIUI the port forwarding would have to be set up on the OLT, to which of course I have no access. I guess this might be solveable if there was some way to decide you want to use only IPV6 however it doesn't appear possible to tell any of the kit to do this. AIUI CG-NAT is a workround for the IPV4 address shortage and IPV6 was supposed to be the longer-term answer. (I'm no expert). I can access the UK router from France using Asus's DDNS address so that seems able to cope with it.

Your posts are very confusing. You first said you couldn't establish an outbound connection from France. Now you're saying it's because you can't setup a VPN server on the Asus in the UK. You also say the UK Asus is in double NAT and yet you "can access the router from France using Asus's DDNS address" (how are you accessing it?).

Who is your ISP? CityFibre only provide the network infrastructure. Some of their ISP resellers provide non-CGNAT services.

 

[Ripshod]

Who is your ISP? CityFibre only provide the network infrastructure. Some of their ISP resellers provide non-CGNAT services.

Many ISPs will also provide a static IPv4 if requested. Some make a small charge, some are free.
TL;DR

 

[mrcross]

Sorry if I've caused confusion. I think the only answer is going to be a fixed IP. My ISP is Toob but that doesn't alter the network architecture used by their wholesaler, City Fibre. Asus provide their own DDNS service and using their DDNS URL for my UK router I can get straight on to the router's admin interface. As explained earlier the Huawei mobile router in France doesn't provide any external admin interface so no dice in that direction. My puzzlement was caused by the fact that I CAN access the cameras, heating controls and smart devices in France using the dedicated apps (IVMS, Frisquet Connect and TAPO. I CAN also access the smart devices in UK using their apps (TAPO again and Residio by Honeywell). So those apps can get to the devices despite double NAT but I'm prevented from getting through with a VPN. Just wondered if anyone had any magic solution. Sorry if I caused confusion.

 

[cptnoblivious]

two places to start...

zerotier - https://www.zerotier.com/

tailscale - https://tailscale.com/

Both are fairly adept...

^ this.

I've run tailscale in a double NAT environment, no issues.

 

[Tech9]

IPv6 may be another option to explore.

 

[ColinTaylor]

I think the only answer is going to be a fixed IP. My ISP is Toob but that doesn't alter the network architecture used by their wholesaler, City Fibre.

That was my point. Some City Fibre ISPs offer static IPs (for a cost), so it's not an inherent limitation of the architecture.

Asus provide their own DDNS service and using their DDNS URL for my UK router I can get straight on to the router's admin interface.

This is where the confusion comes in. On the one hand you're saying you don't have remote access to this router because of CGNAT. Then you say you can "get straight on to the router's admin interface" using DDNS. DDNS is just a name resolution service, nothing more. I suspect that when you use it to get to the admin interface you are doing so from inside your UK LAN and not from a remote location.

 

[sfx2000]

IPv6 may be another option to explore.

True, but a lot of ISP's are filtering by default all inbound connections over IPv6...

Makes no sense, I agree...

 

[Tech9]

This mobile ISP in France is almost guaranteed killing everything inbound IPv4 and IPv6. I use 2x ISPs in North America and they allow IPv6 inbound, but they also offer public IPv4 for free. I use 2x ISP in Europe, one offers public IPv4 and allows IPv6 inbound, the other is CGNAT and still doesn't offer IPv6. It's a total mess and when IPv6 is actually useful - not available or filtered. When IPv6 is not really needed - all works as expected. Go figure.