How to access my LAN devices through VPN server?

Pretty sure this will not happen. CGNAT is like NAT “in big”. In a NAT environment, each internal device is differentiated by unique port numbers when mapped to a single public IP address. This setup works well for outbound connections, as the NAT device can keep track of which internal device initiated a connection and route return traffic appropriately. However, for inbound connections (like hosting a server), it’s more challenging because the NAT device needs a predefined rule to know which internal device should receive the incoming traffic on a specific port.

In the case of CGNAT, this challenge is magnified. Since CGNAT is implemented by ISPs at a much larger scale, it serves many more clients, making it difficult to assign unique public-facing ports for each client’s services.

Long story short: IPv6 will solve this issue, nobody will try to fix it in IPv4 :dotted_line_face:

Yes maybe; maybe not…

IPv6 is not going to be there fully for another decade; lets just see how bad it breaks everything in the spitz software apparently; and it is based on openWRT so unless Im missing something it is not for tomorrow.

I think since I already own a few vps, the only acceptable solution for me will be to setup a pi zero as an access point with wireguard since apprently gl software is not able to run two vpn at the same time ? :frowning:

2 VPNs the same time are possible but not with stock firmware tools as far as I know.

You could try to combine WG + OVPN. This should work, I guess.

yes not possible. You have a solution or guide I could follow to run 2 vpn clients on spitz ?

That’s something for @bring.fringe18 :sweat_smile:

1 Like

… my ears are burning! :wink:


You’ll need a Slate Plus, Slate AX or Flint v1:

whaaat ??? :money_mouth_face: :money_mouth_face:
now I need to change my router for one that cannot do what I need ? I need 5G… Why can’t spitz do it if a smaller slate can ?

Surely that would be a must have feature for an LTE router like spitz

LTE routers ARE travel routers too … GL please make this available on spitz

The GL firmware is typically two full versions behind mainline OpenWrt… & vanilla OWRT is required for PBR. This means you’ll be giving up GL’s optimizations from the closed source SDK for vanillla OWRT.

FWIW, the Slate Plus is at good price on the current sales but the Slate AX will be much more performant (see the full thread I posted); connect it downstream fr the Spitz & you’ll have the best of both worlds.

yeah not buying another router when the one I already have should be able to do it… going vanilla seems also more troubles for my limited knowledge and time I can invest…

Not sure why GL is not implementing that when they must know this is a good workaround to CGNAT for an LTE router that will be in this use case…

In the meantime I’ll setup a pi as access point and hopefully gl does what is needed soon.

Policy Based Routing (PBR) is typically only found in Enterprise class hardware. It’s fortunate even the premise of it is replicated in any way into OpenWrt. As to GL integrating it, well… :

In Research

For these requirements, we have to research the technical solution or evaluate its impact on other features. So we can’t promise to these.

  • Optimize VPN policies to support multiple VPN clients at the same time and use composite VPN policies.

Sorry for replying so late.I think this test has proved that connecting wireguard server from wan/repeater is without problem. Connecting from LTE donot work is a CGNAT issue.As admon said, CGNAT is responsibility of provider, The wan ip got from provider is not a true public ip , and maybe translated not exactly or blocked by provider, so you can not using it directly. Setting up wireguard via Astorelay is one of the solutions. You can also use tailscale and wireguard together if you donnot want to use Astorelay. Using tailscale only also can meet your needing, which can implement remote access LAN devices.

1 Like

… & native/onboard Tailscale support is still in beta, correct?

It has been tested a lot

… but still not signed off for production.

Sorry if Im wrong but I don’t think it proves anything. As shown in screenshots it is only connecting through LAN and not WAN as everything is within the same local network regardless of repeater. At no time I am connecting my client from outside the “upstream router” network. And I had to change DNS to upstream router address. So if Anything it proves to me that we have not proved anything. sorry if I am missing something here.

That also does not address why DDNS is not working

using another closed source service like tailscale is not my idea of internet; and I don’t want to slow down my traffic unnecessarily just to access to IOT devices sometimes.

Dual VPN would be a good workaround but apparently not available on spitz AX. I think that is a real shame when spitz is the router in your lineup that would benefit it the most being constantly behind CGNAT on LTE and starlink situations… I opened a feature request.

So to resume; VPN server which is kinda useless (at least for 99% of spitz users I guess), DDNS not working; IPV6 breaking all DNS and apparently barely supported; no dual VPN for a flagship travel router, from a previous post openVPN with NORD not working either; I can only make vpn work with wireguard and mullvad. I had a spitz before and it worked fine with nord before upgrading to AX. That is all I discovered so far… Im not very impressed.

if CGNAT is such an issue and GL is making LTE travel routers for lets say prosumer level then it seems fitting to give a solution to that or workaround that is NOT closed source or relying on external providers. Again dual/multi VPN would be acceptable…

I don’t know if it is me but everything I try fails out of the box.

I really hope GL takes me seriously because I am not joking here… I would not recommend your product at the moment. The only reason why I keep it is because it is the only 5G router with multi wan that I know of (ok I did not do much research either but being a previous spitz customer I upgraded to AX naturally). And for those basic needs 5G multi wan needs; they are fulfilled…

Yep, because the test was to detect if an issue on the router itself was part of the problem. It’s not, so it will be CGNAT. Differential diagnostics à la House M.D.

CGNAT does because the device will push its own WAN address to the DDNS server. This WAN address isn’t the true one - so that’s why DDNS does not work.

Somehow you’re right, but somehow you’re also fundamentally wrong. You could also take out a costly mobile contract for companies that guarantees you a static IP. Then the problem is solved immediately.

The router is just a tool, the customer has to create the basic requirements. With the integration of Tailscale and Astrorelay, solutions have been integrated that help.

IPv6 does not break DNS, but it’s still some kind of experimental, yes. However, this is also since not all software and devices can cope with IPv6 yet. Of course, you must also address an IPv6-capable DNS for IPv6.

Well. As you mentioned previously: You.

That’s not a bad thing, you don’t have to be able to do everything directly. But then you have to deal with it, get friendly help, read documentation and talk to people. OpenWrt is the way it is for a reason - because of the Linux idea behind it. And that’s why it’s always a bit of tinkering.

I meant VPN not DNS; my bad; it says as warning when you enable it; it is a fact.

Honestly while I sometime appreciate your feedback; Im just going to give up because you seem to just defend GL for whatever I say. I don’t know what your game is since apparently you are not GL staff… I don’t want to have to constantly justify myself for simple feature request to GL staff and not you.

On dual VPN; Im not fundamentally wrong; you are.

I am just asking for a product that is well rounded; at the moment it is lacking and not up to what it could because of some “simple” software updates that already exist in other GL product that also use openwrt so don’t tell me it would be the end of the world to take multi vpn to spitz AX.

Again you are wrong: the router is not just a tool; it is a product; a product advertised for a use case; and using it in its advertised use case shows it is lacking… Go to the spitz AX product page you will see a big RV !! In reality it only works in very few circumstances that have nothing to do with its primary use case and it is very sad when it is actually possible to provide workarounds or GL could be more open and put a warning before buy that many feature will not work if you have CGNAT.

So if I resume your answers: asking me to buy another expensive gl router, then take a costly mobile contract with static ip (that does not even exist here), telling me is not bad not to be able to use openvpn, telling me I am wrong because I ask for working/workarounds on travel features for a travel router…

Your suggestions and constant protection of GL really makes me doubt who you are… Im not sure what your game is here but it is not helping. Helping would be to push GL to do the right thing and provide features needed for the use case of the product they sell. Sounds to me you are here to protect GL…

I am a client; I bought a product; I use it and find out it is lacking; it is not me asking for unrealistic demands; it is GL not providing a product up to the task they advertise when I know they know how to do it because of other products they sell having the needed SOFTWARE feature…

Don’t worry, I would even protect Cisco or any other company.
It’s not about the company or the product, it’s about the technology.

The technology works the way the technology works. You’ve been shown solutions that you don’t accept - then in the end you just have to say: I’m sorry, I can’t help you. And that probably applies to everyone else too - you can’t help if the way - as you would like it to - simply doesn’t work.

I don’t want to argue with you because I couldn’t care less whether you’re happy with the product or not. Because, even if you might not believe it, I’m not being paid for my time here. That’s why I’m ending this conversation for myself at this point.

I hope that you can find a solution to your problem.

you cannot indeed. only GL can help by updating their software to at least provide a workaround with dual VPN so I can create access point with my own WG server hosted on a vps. I don’t want to use closed source third party providers; I think that is a very valid argument.

You don’t seem to understand the difference between technology and product advertising/clear marketing. I did not know about CGNAT before buying and not many people do. I see a big RV with VPN, DDNS advertising on the product page and I just trust the company. There is no * or warning anywhere… Now after asking and understanding more I ask GL (not you) for a software workaround; nothing wrong with that.

  1. The root problem is CGNAT. That would be the case regardless of the equipment manufacturer.
  2. I sent you a HOW-TO on running vanilla OpenWrt on a Raspberry Pi so you can try PBR.
  3. OpenWrt on RPi will also give you access to a more up to date Tailscale daemon.
  4. Headscale is the F/OSS alternative for self-hosting Tailscale networks (‘tailnets’).
  5. CGNAT dictates Headscale would have to run on a VPS.
  6. should be helpful sourcing an appropriate VPS.
  7. < something about death & taxes here >