So…in a short sentence…the title. I have a server in a remote location which also happens to be under CGNAT. I only get to visit this location once a year at best, so if anything goes off…It stays off for the rest of that year until I can go and troubleshoot. I have a main location/home where everything works, I get a fixed IP and I can connect multiple services as desired. I’d like to make this so I could publish internal servers such as HA or similar on this remote location, and reach them in a way easy enough that I could install the apps to non-tech users and they could just use them through a normal URL. Is this possible? I already have a PiVPN running wireguard on the main location, and I just tested an LXC container from remote location, it connects via wireguard to the main location just fine, can ping/ssh machines correctly. But I can’t reach this VPN-connected machine from the main location. Alternatively, I’m happy to listen to alternative solutions/ideas on how to connect this remote location to the main one somehow.
Thanks!
You must log in or # to comment.
I’m self hosting headscale (foss implementation of tailscale control server) for this scenario. Works great!
THanks…I haven’t tried Tailscale yet, I think I’ll get the “easier” commercial version just yet for this. Still learning on this.
I’ve been told that zerotier is even better. Haven’t tried it myself (it looks more complicated to selfhost) but the guy suggesting it knows waaaaay more than me on these things. Just if you want to look into another option.
For what it’s worth (from a random guy on the internet) selt-hosting tailscale is quite easy! 🙂
If this server is running Linux, you can use autossh to forward some ports in another server. In this example, they only use it to forward ssh port, but it can be used to forward any port you want: https://www.jeffgeerling.com/blog/2022/ssh-and-http-raspberry-pi-behind-cg-nat
OpenSSH also has a built-in tunnel that is more general (-w Parameter) than just port forwarding.
Yes, but autossh will automatically try to reestablish connection when its down, which is perfect for servers behind cgnat that you can’t physically access. Basically setup and forget kind of app.
You can use any ssh command option (including -w) with autossh.
-w creates
tapdevices on the server and client, and connects them together. Both sides get a private IP address.“How I get a reliable ssh connection” and “What I do with the SSH connection once I have one” are two entirely different things, autossh does the first, my comment was about the second.
Can the ISP at the remote location remove your remote location from the NAT? I have a similar issue where sometimes it’s will reset and my services are inaccessible. A quick call to support usually has the problem fixed in a few minutes.
I…logged a ticket with them, they promised they’d get back to me within 48h. I’m not holding my hopes too high.
That’s unfortunate you have to put in a ticket. They should be able to help you with this during a 5-10m phone call. Hopefully they get to your ticket in a timely manner
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CGNAT Carrier-Grade NAT DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol NAT Network Address Translation SSH Secure Shell for remote terminal access UDP User Datagram Protocol, for real-time communications VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
9 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.
[Thread #707 for this sub, first seen 23rd Apr 2024, 11:05] [FAQ] [Full list] [Contact] [Source code]
I’m noob and this was simple. Works like a charm. It has readymade installers for Wireguard on different VPS providers and installer for your client (home server). https://github.com/mochman/Bypass_CGNAT
Thanks…I use my own home server, so I’d try to avoid the VPS part if I can, and directly re-address it to the home server, as I already have that one with a working fixed domain etc.
Netbird and a VPS. Netbird for private services and remote access and the VPs to route traffic into the network.
I would also setup ssh in on a high port
You probably need the server to do relatively aggressive keepalive to keep the connection alive. You go through CGNAT, so if the server doesn’t talk over the VPN for say 30 seconds, the NAT may drop the mapping and now it’s gone. WireGuard doesn’t send any packet unless it’s actively talking to the other peer, so you need to enable keepalive so it’s sending stuff often enough the connection doesn’t drop and if it does, quickly bring it back up.
Also make sure if you don’t NAT the VPN, that everything has a route that goes back to the VPN. If 192.168.1.34 (main location) talks to 192.168.2.69 (remote location) over a VPN 192.168.3.0/24, without NAT, both ends needs to know to route it through the VPN network. Your PIVPN probably does NAT so it works one way but not the other. Traceroute from both ends should give you some insight.
That should absolutely work otherwise.
From your remote location I would set up at least two different tunnels back to your home network. Perhaps one service using cloudflare tunneling, and one using wire guard as you mentioned. That way if one of your tunnels goes down you have time to fix using the other tunnel.
If you have the budget for it ubiquiti gear is pretty good, and using their cloud configuration makes sense in this scenario. The ubiquiti gateway would sit at your remote location, maintaining tunnels, and if there any issues you could fix them through the UI.com interface.
IPv6. Just let the other network through the firewall, use direct connections, no overcomplicated tunnel setup needed.
Can the ISP offer dedicated IPv4 addresses? We had a similar issue with the new rural fiber provider. I spent hours tinkering and researching only to finally call support.
15 minutes and $2/mo later it’s all taken care of. I have a direct IP and no maintenance nightmare that I have to sacrifice a goat to the printer gods and pray for mercy to make work*
*when it wants to
