Geekzone: technology news, blogs, forums
530 posts

Ultimate Geek
+1 received by user: 31


Topic # 198766 21-Jul-2016 16:02

Hey, hopefully someone kind can help me or point me in the right direction.

Putting together a proof of concept to access a mobile bit of kit when it's out on the road for diagnostic purposes. Have a 3g router; unfortunately, due to CGNAT, accessing the router (and anything on its LAN) via WAN wasn't going to work without a VPN (correct me if I'm wrong?).

Anyway, this is roughly how the gear is set up.

Primary Router (running OpenVPN server) on 192.168.1.x (yes, I know this isn't ideal!) with DynDNS service to get WAN IP

3G router, connecting to Primary router via VPN Client config - LAN is 192.168.0.x - receives 192.168.1.200 from VPN server

other laptops connecting to the Primary router via VPN - 192.168.45.x - receives 192.168.1.201 from VPN server

I am having trouble accessing the 192.168.0.x network as another VPN Client (192.168.45.x). Accessing the 192.168.0.x network is fine from the 192.168.1.x - so provided you're not connecting via VPN, you can access the VPN clients. 192.168.1.201 can access 192.168.1.200 (brings up the 3g router login pages, same as accessing 192.168.0.1, however accessing 192.168.0.1 does not work).

I have enabled client - client in the OpenVPN settings, so scratching my head. I believe I need to put some static routes in place - but not sure if this needs to be in the Primary router or the 3g router, or both? Any help would be appreciated!

I have already done this on the main router:

Destination    Gateway / Next Hop    Subnet Mask      Metric    Interface
192.168.0.1    192.168.1.200         255.255.255.0    0         br0 (LAN)


2464 posts

Uber Geek
+1 received by user: 735

Trusted
Lifetime subscriber

  Reply # 1596384 21-Jul-2016 16:08

Have you got the APN for the cellular network set to direct? Currently it is likely set to internet, which will in most cases get a CGNAT address - fine for browsing and email but not fine for VPNs and incoming port forwarding.

This should get you a real public IP address. We frequently have to do this for client VPNs from devices using the cellular network.





"4 wheels move the body.  2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams



530 posts

Ultimate Geek
+1 received by user: 31


  Reply # 1596513 21-Jul-2016 21:16

Thanks, yeah, might have to bite the bullet and get a Spark SIM and change the APN to get a public IP on the 3g router.

Seems Vodafone don't do it anymore?

Doing it this way is going to be a more elegant end product too. Hmm


3679 posts

Uber Geek
+1 received by user: 1389

Subscriber

  Reply # 1596521 21-Jul-2016 21:35

If I'm understanding correctly you aren't having any trouble getting the remote (3g) router to connect to your core router? If it was an APN issue then the VPN shouldn't even establish (like on 2degrees for example).

Also, you say you have no problem accessing the remote subnet from your core? But only have an issue when connecting to the core via vpn and then trying to go on to the remote subnet.

I think your issue will come down to your route table not having the correct routes in place.
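
Added example, not part of any post in this thread: a small longest-prefix-match tracer over the addresses given above, showing which next hop each device would pick for 192.168.0.1. The main router's static route is the one posted; the main router's 192.168.1.1 address, the laptop's route table and the default gateways are assumptions made for illustration.

```python
import copy
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match; returns the gateway, 'on-link', or None."""
    hits = []
    for dest, mask, gw in routes:
        # strict=False normalises entries with host bits set, such as the
        # posted "192.168.0.1 / 255.255.255.0", to 192.168.0.0/24.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if ipaddress.ip_address(dst) in net:
            hits.append((net.prefixlen, gw))
    return max(hits)[1] if hits else None

def trace(start, dst, nodes, max_hops=8):
    """Follow next hops between modelled devices until dst is reached."""
    path, node = [start], start
    for _ in range(max_hops):
        if dst in nodes[node]["addrs"]:
            return path + ["delivered"]
        gw = lookup(nodes[node]["routes"], dst)
        if gw is None:
            return path + ["no route"]
        hop = dst if gw == "on-link" else gw
        nxt = next((n for n, v in nodes.items() if hop in v["addrs"]), None)
        if nxt is None:
            return path + [f"leaves via {gw}"]
        path.append(nxt)
        node = nxt
    return path + ["loop"]

M = "255.255.255.0"
NODES = {
    # 192.168.1.1 and both default gateways are assumed, not from the thread.
    "main": {"addrs": {"192.168.1.1"}, "routes": [
        ("192.168.1.0", M, "on-link"),
        ("192.168.0.1", M, "192.168.1.200"),      # static route as posted
        ("0.0.0.0", "0.0.0.0", "isp-gateway")]},
    "3g": {"addrs": {"192.168.1.200", "192.168.0.1"}, "routes": [
        ("192.168.1.0", M, "on-link"), ("192.168.0.0", M, "on-link")]},
    # Assumed laptop table: VPN subnet on-link, everything else to its own LAN.
    "laptop": {"addrs": {"192.168.1.201"}, "routes": [
        ("192.168.45.0", M, "on-link"), ("192.168.1.0", M, "on-link"),
        ("0.0.0.0", "0.0.0.0", "192.168.45.1")]},
}
FIXED = copy.deepcopy(NODES)
FIXED["laptop"]["routes"].append(("192.168.0.0", M, "192.168.1.200"))

if __name__ == "__main__":
    for label, nodes in (("as described", NODES), ("with added route", FIXED)):
        print(label, trace("laptop", "192.168.0.1", nodes))
```

Under these assumptions the laptop reaches 192.168.1.200 through the tunnel but sends traffic for 192.168.0.1 to its own local gateway until a route for 192.168.0.0/24 via 192.168.1.200 is present on it.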

2284 posts

Uber Geek
+1 received by user: 375

Trusted
Subscriber

  Reply # 1596526 21-Jul-2016 21:40

Just set up a reverse SSH tunnel, then the remote end always phones home so to speak, and it doesn't matter where it's sitting behind, CGNAT or not.




530 posts

Ultimate Geek
+1 received by user: 31


  Reply # 1596699 22-Jul-2016 10:06

chevrolux: If I'm understanding correctly you aren't having any trouble getting the remote (3g) router to connect to your core router? If it was an APN issue then the VPN shouldn't even establish (like on 2degrees for example).

Also, you say you have no problem accessing the remote subnet from your core? But only have an issue when connecting to the core via vpn and then trying to go on to the remote subnet.

I think your issue will come down to your route table not having the correct routes in place.

Yep, exactly, just not sure what else needs to be there on the route table.

insane: Just set up a reverse SSH tunnel, then the remote end always phones home so to speak, and it doesn't matter where it's sitting behind, CGNAT or not.

VPN tunnel is working fine, it's getting another VPN client talking to the clients behind the remote 3G client (if that makes sense).


2095 posts

Uber Geek
+1 received by user: 357

Lifetime subscriber

  Reply # 1596701 22-Jul-2016 10:16




Ross

 

Spark FibreMAX using Mikrotik CCR1009-8G-1S-1S+

 






530 posts

Ultimate Geek
+1 received by user: 31


  Reply # 1602100 1-Aug-2016 11:16

Thanks for your help and advice. Ended up getting the Spark SIM and using direct.telecom.co.nz + VPN server on the remote device. It's the far better way to do it!

