
I have a 4G router in a remote place to connect to the internet.

My ISP does not give my router a public IP, instead it seems to put multiple sim cards into some private network behind a NAT (which I obviously have no control over).

So it probably looks a bit like this:

--------------------------------------

                Internet

--------------------------------------
               ISP NAT
--------------------------------------
    My 4G Router
------------------------
    My hardware firewall
------------------------
    My local network
------------------------

My hardware firewall can act as a VPN server and preferably I would like to use that one, but I'm also willing to run a separate VPN server on a computer in my local network to solve this.

In this situation, is there ANY way I can run a VPN server that can accept incoming VPN connections? (I CAN initiate VPN connections to outside VPN servers from within my local network, but I want to be able to initiate connections from the outside to a VPN server inside my network.)

matthias_buehlmann

3 Answers


Answering my own Question:

SoftEther https://www.softether.org/ is exactly what I was looking for. It allows you to run a VPN server behind a NAT and has NAT traversal features so that clients can connect to it from the outside. For stubborn firewalls it also offers a free handshake service (https://www.vpnazure.net/) to build up a tunnel between server and client even if both are behind NATs (traffic does not run through the handshake server).

On top of that it is really easy to set up and very feature-rich, allowing various VPN clients to connect to it.

matthias_buehlmann

Simple answer is: you do not. Period. There is no way to expose a port or route something into NAT if you do not have any control over the NAT. Any solution requires an external point to start coordinating at least.

Complex answer is you still do not - you have your internal VPN server make a bridge with an external VPN server that people connect to. This CAN run on the cloud. I was having this same issue for years in our old office (best internet connection through a cable provider that simply did not understand "business") and I basically used a VPS to run a VPN server in the cloud and connected outward through the VPN to it.

TomTom
  • Thanks! I understand that there is such a thing as NAT hole punching. Skype afaik works like this in the sense that even if two parties are behind NATs, a connection server (which is directly addressable in the public web) acts as an intermediary to open the ports and then relay these 'punched open' holes to both clients. Of course this also requires a VPS, but the difference is that the actual traffic will not need to go through the VPS (so your VPS can be much cheaper and does not need to have a fast connection). Is something like this possible with a VPN server? – matthias_buehlmann Apr 08 '20 at 11:23
  • Assuming your assertions are correct (and this is dubious), it might be technically possible, but I am unaware of any implementations. Skype and other software will be taking advantage of "related ports" in connection mapping if it does work in this mode. I believe, however, that where both clients are behind NAT, unless UPnP can be invoked, Skype routes all traffic between the sites through Skype's network. – davidgo Apr 08 '20 at 11:39
  • Skype and other software do not go related ports - they use an external coordination node to find and establish the initial connection. Assume the other side is behind a non-controlled NAT, too. On top, Skype was written for this - VPN software generally is not. Unless you plan to write your own protocol you are bound to use what is there. – TomTom Apr 08 '20 at 11:54
  • @TomTom obviously, so I wonder if there are services that support this, or maybe specific VPN implementations that have such a feature. (This article states Skype is doing this: https://web.archive.org/web/20110810233331/http://www.h-online.com/security/features/How-Skype-Co-get-round-firewalls-747197.html ) – matthias_buehlmann Apr 08 '20 at 12:18
  • Since this technique seems to be fairly general, I could imagine that there could be generic public services, like a DynDNS that in addition to the dynamic update of the DNS entries also stores some port mapping that can be queried by devices that want to connect to the service behind the NAT. The article states that UDP is better suited for this than TCP. OpenVPN afaik can work over UDP. – matthias_buehlmann Apr 08 '20 at 12:24
  • I did find https://github.com/samyk/pwnat which promises to allow any client behind a NAT to connect to any server behind another NAT without 3rd party involvement. I'm currently investigating it, but could not yet evaluate it. – matthias_buehlmann Apr 08 '20 at 12:29
  • Nope. Using this would NOT be an answer. See, YOU formulated the question pretty specifically. Adding a proxy that has to run on both ends is not a solution to the question asked. More in particular, this requires to be run by any CLIENT that needs to connect, which means it is not using a (standard) VPN software anymore, which means it is not answering this question and in fact is off topic here as it does not follow standard business IT practices - heck, I can tell you most people will not know how to set this up, they already have problems with VPN. – TomTom Apr 08 '20 at 13:03

Yes, you can, if you are willing to install a VPN server on a Linux device.

Firstly, you need an active PC on your local network which runs Linux. You can also use a Windows PC, but I do not recommend using Windows for network solutions.

You can reach the NATed PC with Teredo. It needs a little client- and server-side configuration.

Server Side

Install Teredo

sudo apt install miredo
sudo service miredo restart
sudo ifconfig teredo

Now you have an IPv6 address. To show your server IP, use the ifconfig teredo | grep '200' command.

Use Dynamic DNS (DDNS)

Teredo IPs change sometimes due to internet reconnection; it is not a static IP. Also, you have to use dynamic DNS to point a domain to your VPN server address; otherwise every reconnection requires a client-side configuration change, replacing the server address with the new one.
After installing Teredo, you can install the VPN server on your PC or server. You can find very well documented guidelines for installing OpenVPN on Ubuntu.

Client Side

Windows PC

Sometimes Teredo is not enabled by default. You have to enable Teredo on the Windows PC with a single command. Note: run cmd with administrator privileges.

netsh interface teredo set state client

Linux PC

Install the miredo application on the client side

sudo apt install miredo
Ahmet Özer
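As an added example (not part of this answer), here is a small Python script that does what the ifconfig teredo | grep '200' step does more precisely: it picks the Teredo address out of ip -6 addr or ifconfig output and decodes it per RFC 4380, where the address embeds the Teredo server, the NAT type flag and the router's public IPv4:port mapping. That embedded mapping is why a Teredo host behind carrier NAT can accept inbound traffic, and also why the address reveals your NAT's public endpoint to anyone you hand it to; the interface output below is constructed and the address is the RFC's own worked example.

```python
import ipaddress
import re

# Teredo addresses (RFC 4380) live in 2001:0::/32 and embed the tunnel's
# NAT mapping, which is what makes the server reachable from the outside.
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")

# Constructed sample of `ip -6 addr show dev teredo` output; the Teredo
# address is the worked example from RFC 4380, not a real host.
SAMPLE_IP_OUTPUT = """\
5: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN qlen 500
    inet6 2001:0:4136:e378:8000:63bf:3fff:fdd2/32 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ffff:ffff:ffff/64 scope link
       valid_lft forever preferred_lft forever
"""


def find_teredo_addresses(text):
    """Return every inet6 address in `ip`/`ifconfig` output that is a Teredo address."""
    found = []
    for match in re.finditer(r"inet6\s+([0-9a-fA-F:]+)", text):
        candidate = match.group(1)
        try:
            if ipaddress.IPv6Address(candidate) in TEREDO_PREFIX:
                found.append(candidate)
        except ValueError:
            continue  # not a parseable IPv6 literal, skip it
    return found


def decode_teredo(addr_str):
    """Unpack the RFC 4380 fields of a Teredo address into a dict."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr not in TEREDO_PREFIX:
        raise ValueError(f"{addr_str} is not a Teredo address")
    raw = addr.packed
    server = ipaddress.IPv4Address(raw[4:8])           # Teredo server IPv4
    flags = int.from_bytes(raw[8:10], "big")           # bit 15 set = cone NAT
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF  # obfuscated mapped UDP port
    # obfuscated public IPv4 of the NAT as seen by the Teredo server
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return {
        "server": str(server),
        "cone_nat": bool(flags & 0x8000),
        "mapped_ip": str(client),
        "mapped_port": port,
    }


if __name__ == "__main__":
    for a in find_teredo_addresses(SAMPLE_IP_OUTPUT):
        print(a, decode_teredo(a))
```

Run it against real output by piping ip -6 addr show dev teredo into the script instead of the constructed sample; if cone_nat is False, expect the client side to rely on the Teredo relay for the first packets.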