How to traverse carrier-grade NAT (large-scale NAT) to reach VPN Server?

Question

I currently run an OpenVPN Server via a home network connection that has a single, public, dynamic IPv4 address.

My provider (AT&T U-Verse) will apparently soon switch to a large-scale NAT and only assign me a private IP address anymore, so as it stands I will be unable to reach my home VPN while on the road.

In the short term, I could change providers, but I expect all other providers to run out of public IPv4 IPs soon enough and implement a similar system.

Thus, I am pondering my options to traverse the LSN barrier:

is there any way that I am missing, for me to reach the box behind the LSN?
until the ISP assigns me an IPv6 address: can I set up an IPv6 tunnel and reach my VPN server on IPv6?

Assuming I somehow get a native or tunneled IPv6 connection to my home router (but due to LSN, not an IPv4 connection):

what can I do to be able to reach my home network, even if I am located in an IPv4-only network somewhere on the planet (coffee shop, for example)?

Sorry for the many questions, but I am a bit lost here and could use some help narrowing down the problem space.

Thanks!

Curious how a **network** and **server** question is considered off topic?? — Fred, May 14 '12 at 18:04
Possibly because of the FAQ: "Server Fault is for Information Technology Professionals needing expert answers related to managing computer systems in a professional capacity." — Martijn Heemels, May 14 '12 at 18:20

mulaz · Answer 1 · 2012-05-13T20:11:20.393

4

Yes, you can use IPv6 (no matter if tunnelled or native) for openvpn.

Your provider will probably still offer public IPv4 addresses (on request, for a price).

There is no "nice" way to traverse NAT at all, but there are a couple of workarounds, and the simplest would be to buy a VPS with it's own IPv4 number, and then connect your home pc and your other pc's from whereever you are. If you use L2 vpn (dev tap), you can bridge everything and be in your home network whereever you are.

You can also try some nat-traversal techniques, but in my experience they don't work very stable (example)

PS: You can also try using some services like hamachi which are designed to traverse nat, but do not offer as many features as OpenVPN. (You could also try running OpenVPN over Hamachi... but with a performance hit).

edited May 13 '12 at 20:11

answered May 13 '12 at 20:06

mulaz

10,682
1
31
37

Thanks, I hadn't considered the option of logging both my local network and the "road warrior" into the same, separate VPN before. This should become an interesting exercise in routing (after all, I want to reach what's *behind* my home OpenVPN server), but it sounds doable! – Fred May 13 '12 at 20:25
Bridge your client interface at home to your home network, and give your 'road warrior' an IP from your home range and it should work. OpenVPN (L2) is like a switch, and you just connected 3 pc's to it (home, vps and your RW). – mulaz May 13 '12 at 20:29
A L3 VPN (e.g. OpenVPN with tun devices) is preferable since it avoids unnecessary broadcast traffic. – mgorven May 13 '12 at 22:47

How to traverse carrier-grade NAT (large-scale NAT) to reach VPN Server?

1 Answers1