How to access my LAN devices through VPN server?

Sorry, but I do not think I am there. In the link you sent, the author says “I get connection to the wireguard and see the connected client.” But I am not even there; no client connected from WAN.

I tried connecting to VPN from within the LAN and it works. From WAN nothing. Ports seem closed somehow.

I cannot get a basic setup. I tried everything; disabled everything (except Next DNS).

At the moment I am just in repeater mode through a normal ISP with a basic WG server and cannot connect the client (phone) or even confirm the VPN port is open…

You can try this way to make sure it is not a “port closed on WAN” issue. Remember to replace the IP with 192.168.15.3
[image: diagram]

Works with your diagram, but this is not going through WAN? This is LAN only, right?
I also had to change the DNS on the client to the upstream router address for it to work



If I connect my phone from LTE it does not work as expected.

I also checked my DDNS feature and it turns out it is NOT working either…

@fangzekun I am not an IT expert, and I don’t want to be a pain, but is anything working with the advertised features? Because if GL.iNet is selling a travel router with features that only work with a normal ISP, then I see that as very bad sales practice, to say the least.

From the comments above, PureVPN appears to have a workaround for CGNAT issues, so it is possible; don’t you implement anything to patch CGNAT issues on your flagship travel router? Nothing appears to be working, VPN server or DDNS; what else will I discover later?

And to be clear, I am not doing anything crazy here; simply using stock features AND in repeater mode with repeater set as highest priority, so NOT using Starlink or LTE for connecting the Spitz.

I would really appreciate a clear answer and more active support. Thank you so much, and again, I don’t want to be a pain. I understand CGNAT seems to be an obstacle, but as clearly shown from the comments above, not insurmountable. I paid very good money for this router; maybe I can expect features to work out of the box? Or GL.iNet to advertise that they do not work behind CGNAT before purchase? Because I feel very let down at the moment…

Here I must clearly defend GL.iNet: CGNAT is the responsibility of the provider. You cannot test or “protect” all devices against all eventualities.

CGNAT does not cause any* problems as long as you do not want to establish a VPN connection to a device behind CGNAT. But that is not a problem for GL.iNet either. As far as I know, there is also “Astrorelay” integrated in some products, which can provide a remedy.

But once again: This is the responsibility of the respective user. You can’t complain if you buy a city car that it doesn’t perform the same in every climate zone in the world. Even if cities in the desert or polar zone are cities as well.


So to help you better, you should draw what your result should look like (use draw.io) and provide all the information about every ISP (+ the ISP’s router, if there is one) you use. Then we will try to start over and find a solution.

Please note that a large part of this is community support. These are people like you and me who take the time to provide support free of charge. It is therefore important that requests are described as precisely and in as much detail as possible.

You need a drawing now? I mean, is it not clear what I am trying to achieve? It is written in plain English in the first post.

I think I was clear. I would like to access my LAN IoT devices behind my router. VPN is for me the way to go, but I could be wrong. I’m here to ask for help from people who know more than myself. Getting solutions and not, sorry for the word, condescending answers.

I appreciate you trying to defend GL.iNet and I can understand your argument, but for me it falls in the same kind of “useless” reply not providing any solution, and now asking for a drawing and starting over… What starting over? I have given so much information and so many screenshots and repeated myself many times… I’m not going to draw such a simple use case now…

@fangzekun sent me a drawing; I followed it and provided information; now my problem is still NOT solved.

I am not the only one on earth trying to access my IoT devices on the go (or shall I say behind CGNAT). It seems to me this is a basic use case nowadays… especially for people living in vehicles like me, or companies with specialised mobile units, etc… So please let’s not digress into VS talks. I just need solutions, not someone asking for drawings…

If there is no solution and I will never be able to access my IoT devices behind my TRAVEL router (LTE or Starlink), then let a GL.iNet staff member tell me that. And no, I am not going to sign up for another obscure service routing all my data through their server like Tailscale or ZeroTier… If anything, it just proves to me it is possible and I don’t get why GL does not implement a custom solution for a travel router. I just want to use industry standard and open solutions like WG VPN. I’d rather forget the idea of ever monitoring my home from WAN.

Thank you and I mean NO disrespect.

I must first apologize, as English is neither my first language nor my normal language of communication. Therefore, I may have misunderstood you.

Basically, diagrams make it easier to understand what you want to achieve. Especially if the information is not all in the first post, but scattered over many posts.

I can understand that you are disappointed that an advertised function does not seem to work. But here you have to differentiate between “The function exists” and “The function is always ready for use”. Many routers come with a VPN function as standard - but that doesn’t mean that it always works.

Of course, it’s annoying that a travel router doesn’t meet your requirements - but would it be better if the VPN function was completely missing?

What you don’t seem to fully understand is that CGNAT is a fundamental problem beyond the manufacturer or the industry standard. As soon as CGNAT is used, you cannot open any ports and therefore cannot process any incoming connections. It doesn’t matter whether you want to provide a VPN or simply share a website with the outside world.

This problem is provider-side and cannot be solved by anyone other than the provider. There are some workarounds (such as using Astrorelay or ZeroTier) but this is only a bypass of the problem, not a solution. There are no other solutions.

This is the reason why many systems where monitoring is possible (such as surveillance cameras, alarm systems or similar) have their own manufacturer service that works with an app, for example. In this case, the information is then routed via the manufacturer’s server, so that no incoming (!) connection is necessary. This is more or less what Astrorelay does.

An alternative for you would be to use an external VPN service (or your own server) and connect the RV to it. Then the “server” would be in a data center and not affected by CGNAT.

I’m quite sure about my technical explanation - let’s see what the GL.iNet team answers (next week?).


A few links for this topic:
https://www.reddit.com/r/HomeNetworking/comments/iweie6/if_i_have_cgnat_does_that_mean_i_cant_play_any/

https://dannyda.com/2023/03/08/what-is-cgnat-carrier-grade-nat-large-scale-nat-why-it-can-be-bad-problematic/

https://broadband.forum/threads/sad-life-with-cgnat.210601/


CGNAT does not exist in IPv6 btw. So in the future ™ this won’t be a problem.
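The hub-and-spoke layout described above (router and phone both dial out to a VPS, so nothing behind CGNAT ever needs an open port) can be written down concretely. The script below is an added example, not code from the thread or from GL.iNet: it renders the three WireGuard configs for a VPS hub, an RV router serving a LAN, and a phone, with placeholder keys and a constructed endpoint name and tunnel addressing (10.66.0.0/24, LAN 192.168.8.0/24), and it implements WireGuard's cryptokey routing rule (longest-prefix match over each peer's AllowedIPs) to show why the hub must list the router's LAN subnet in the router's [Peer] entry: without it the hub has no peer to send phone-to-LAN traffic to and drops it.

```python
"""Hub-and-spoke WireGuard for a LAN behind CGNAT (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing for this example (assumption, not from the thread):
#   VPS hub   : public endpoint vps.example.invalid:51820, tunnel 10.66.0.1/24
#   RV router : tunnel 10.66.0.2, fronts LAN 192.168.8.0/24
#   Phone     : tunnel 10.66.0.3
HUB_ENDPOINT = "vps.example.invalid:51820"
TUNNEL_NET = ipaddress.ip_network("10.66.0.0/24")
RV_LAN = ipaddress.ip_network("192.168.8.0/24")


@dataclass
class Peer:
    name: str
    pubkey: str                 # placeholder; real keys come from `wg genkey | wg pubkey`
    allowed_ips: List[str]      # cryptokey routing: what this tunnel may carry
    endpoint: Optional[str] = None
    keepalive: Optional[int] = None


def hub_peers() -> List[Peer]:
    """The VPS accepts inbound handshakes from both spokes; the spokes only dial out."""
    return [
        # The LAN subnet MUST be here, or the hub cannot route phone -> LAN via the router.
        Peer("rv-router", "<RV_PUBKEY>", ["10.66.0.2/32", str(RV_LAN)]),
        Peer("phone", "<PHONE_PUBKEY>", ["10.66.0.3/32"]),
    ]


def render(interface_addr: str, listen_port: Optional[int], peers: List[Peer]) -> str:
    """Emit a wg-quick style config (PrivateKey left as a placeholder)."""
    lines = ["[Interface]", f"Address = {interface_addr}", "PrivateKey = <PRIVATE_KEY>"]
    if listen_port:
        lines.append(f"ListenPort = {listen_port}")
    for p in peers:
        lines += ["", f"# {p.name}", "[Peer]", f"PublicKey = {p.pubkey}",
                  f"AllowedIPs = {', '.join(p.allowed_ips)}"]
        if p.endpoint:
            lines.append(f"Endpoint = {p.endpoint}")
        if p.keepalive:
            lines.append(f"PersistentKeepalive = {p.keepalive}")
    return "\n".join(lines) + "\n"


def hub_config() -> str:
    return render("10.66.0.1/24", 51820, hub_peers())


def rv_router_config() -> str:
    # Keepalive matters here: the router sits behind CGNAT, so it must refresh the
    # outbound NAT mapping or the hub loses its return path to the router.
    hub = Peer("vps-hub", "<HUB_PUBKEY>", [str(TUNNEL_NET)], HUB_ENDPOINT, 25)
    return render("10.66.0.2/24", None, [hub])


def phone_config() -> str:
    # The phone sends both the tunnel net and the RV LAN through the hub.
    hub = Peer("vps-hub", "<HUB_PUBKEY>", [str(TUNNEL_NET), str(RV_LAN)], HUB_ENDPOINT, 25)
    return render("10.66.0.3/24", None, [hub])


def select_peer(peers: List[Peer], dst: str) -> Optional[str]:
    """WireGuard cryptokey routing: pick the peer whose AllowedIPs has the longest match."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for p in peers:
        for net in p.allowed_ips:
            n = ipaddress.ip_network(net)
            if addr in n and n.prefixlen > best_len:
                best, best_len = p.name, n.prefixlen
    return best  # None means the hub has nowhere to send the packet (dropped)


if __name__ == "__main__":
    print(hub_config())
    print("phone -> 192.168.8.50 leaves the hub via:", select_peer(hub_peers(), "192.168.8.50"))
    no_lan = [Peer("rv-router", "<RV_PUBKEY>", ["10.66.0.2/32"])]
    print("same packet with the LAN omitted from AllowedIPs:", select_peer(no_lan, "192.168.8.50"))
```

Besides the configs, the hub needs IP forwarding enabled and the router must permit forwarding from its WireGuard interface into the LAN (on most setups, masquerading tunnel traffic onto the LAN avoids adding routes on every IoT device); those two host settings are outside what the script generates.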

Thank you for your kind answer,

Yes I understand fully the CGNAT issue and understand it is actually THE big issue.

From my internet research I see the custom VPS solution which completely blows because now I have to pay for an extra server that will slow down my connection and the server is not in my home but in the cloud…

I know IPv6 seems to be THE solution but seems quite iffy at the moment… Enabling IPv6 in the Spitz gives the most daring warning… it is all broken…

If there is something I know in tech, it is that there are always solutions. CGNAT was invented to share IPv4 addresses, but clients must be differentiated somehow. So hopefully someone will figure out how to extract this data, like ports in regular setups.

Yes, let’s see what the GL.iNet staff says, but yes, I am not very hopeful anymore… Sad life behind CGNAT indeed…


Pretty sure this will not happen. CGNAT is like NAT “in big”. In a NAT environment, each internal device is differentiated by unique port numbers when mapped to a single public IP address. This setup works well for outbound connections, as the NAT device can keep track of which internal device initiated a connection and route return traffic appropriately. However, for inbound connections (like hosting a server), it’s more challenging because the NAT device needs a predefined rule to know which internal device should receive the incoming traffic on a specific port.

In the case of CGNAT, this challenge is magnified. Since CGNAT is implemented by ISPs at a much larger scale, it serves many more clients, making it difficult to assign unique public-facing ports for each client’s services.

Long story short: IPv6 will solve this issue, nobody will try to fix it in IPv4 :dotted_line_face:
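The NAT-versus-CGNAT explanation above is easy to check with a small model. The following is an added example, not code from the thread: it simulates a translation table at the home router and a second one at the ISP's CGNAT, with constructed addresses (LAN 192.168.8.0/24, a 100.64.0.0/10 WAN address from the ISP, public 203.0.113.9). It shows that outbound connections create mappings at both layers and their return traffic flows back, that an inbound connection to a port the router forwards still works when the router's WAN address is public, and that the same inbound connection is dropped at the CGNAT layer because the ISP's table has no rule for it, which is exactly why a port forward or a VPN server on the router alone cannot help.

```python
"""Two-layer NAT (home router + ISP CGNAT) simulated (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    name: str
    public_ip: str
    # Static rules (port forwards) the operator configured: external port -> inside address.
    static_rules: Dict[int, Addr] = field(default_factory=dict)
    # Dynamic mappings learned from outbound traffic.
    table: Dict[Addr, Addr] = field(default_factory=dict)    # inside -> (public_ip, ext port)
    reverse: Dict[int, Addr] = field(default_factory=dict)   # ext port -> inside
    next_port: int = 40000

    def outbound(self, src: Addr) -> Addr:
        """Translate an inside source address, creating a mapping on first use."""
        if src not in self.table:
            port = self.next_port
            self.next_port += 1
            self.table[src] = (self.public_ip, port)
            self.reverse[port] = src
        return self.table[src]

    def inbound(self, dst: Addr) -> Optional[Addr]:
        """Translate a packet arriving on the public side; None means it is dropped."""
        ip, port = dst
        if ip != self.public_ip:
            return None
        return self.reverse.get(port) or self.static_rules.get(port)


def outbound_path(nats: List[Nat], src: Addr) -> Addr:
    """A packet leaves through each NAT in order; returns what the internet sees."""
    addr = src
    for nat in nats:
        addr = nat.outbound(addr)
    return addr


def inbound_path(nats: List[Nat], dst: Addr) -> Optional[Addr]:
    """A packet from the internet crosses the NATs in reverse order; None = dropped."""
    addr: Optional[Addr] = dst
    for nat in reversed(nats):
        addr = nat.inbound(addr)
        if addr is None:
            return None
    return addr


def scenario() -> Dict[str, Optional[Addr]]:
    """Constructed scenario: router forwards UDP 51820 to its own WireGuard server."""
    # Case 1: the router's WAN address is a real public IP (no CGNAT).
    router_public = Nat("router", "198.51.100.7", static_rules={51820: ("192.168.8.1", 51820)})
    # Case 2: the ISP hands the router a shared-range address and translates again upstream.
    router = Nat("router", "100.64.5.7", static_rules={51820: ("192.168.8.1", 51820)})
    cgnat = Nat("isp-cgnat", "203.0.113.9")

    seen = outbound_path([router, cgnat], ("192.168.8.50", 5000))  # IoT device dials out
    return {
        "inbound_no_cgnat": inbound_path([router_public], ("198.51.100.7", 51820)),
        "inbound_behind_cgnat": inbound_path([router, cgnat], ("203.0.113.9", 51820)),
        "outbound_as_seen": seen,
        "return_traffic": inbound_path([router, cgnat], seen),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:22s} -> {v}")
```

The last two entries are the mechanism the VPS workaround relies on: a connection the router initiates punches a mapping through both layers, and replies on that mapping (including a keepalive-refreshed WireGuard session) get back in, while anything unsolicited dies at the ISP's table.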

Yes maybe; maybe not…

IPv6 is not going to be there fully for another decade; let’s just see how badly it breaks everything in the Spitz software apparently; and it is based on OpenWrt, so unless I’m missing something it is not for tomorrow.

I think since I already own a few VPS, the only acceptable solution for me will be to set up a Pi Zero as an access point with WireGuard, since apparently GL software is not able to run two VPNs at the same time? :frowning:

2 VPNs at the same time are possible, but not with stock firmware tools as far as I know.

You could try to combine WG + OVPN. This should work, I guess.

Yes, not possible. Do you have a solution or guide I could follow to run 2 VPN clients on the Spitz?

That’s something for @bring.fringe18 :sweat_smile:


… my ears are burning! :wink:

@uppppppp

You’ll need a Slate Plus, Slate AX or Flint v1:

whaaat ??? :money_mouth_face: :money_mouth_face:
Now I need to change my router for one that cannot do what I need? I need 5G… Why can’t the Spitz do it if a smaller Slate can?

Surely that would be a must-have feature for an LTE router like the Spitz

LTE routers ARE travel routers too… GL, please make this available on the Spitz

The GL firmware is typically two full versions behind mainline OpenWrt… & vanilla OWRT is required for PBR. This means you’ll be giving up GL’s optimizations from the closed-source SDK for vanilla OWRT.

FWIW, the Slate Plus is at a good price in the current sales, but the Slate AX will be much more performant (see the full thread I posted); connect it downstream from the Spitz & you’ll have the best of both worlds.

Yeah, not buying another router when the one I already have should be able to do it… Going vanilla also seems more trouble for my limited knowledge and the time I can invest…

Not sure why GL is not implementing that when they must know this is a good workaround to CGNAT for an LTE router that will be in this use case…

In the meantime I’ll set up a Pi as an access point and hopefully GL does what is needed soon.

Policy Based Routing (PBR) is typically only found in Enterprise class hardware. It’s fortunate even the premise of it is replicated in any way into OpenWrt. As to GL integrating it, well… :

In Research

For these requirements, we have to research the technical solution or evaluate its impact on other features. So we can’t promise to these.

  • Optimize VPN policies to support multiple VPN clients at the same time and use composite VPN policies.

Sorry for replying so late. I think this test has proved that connecting to the WireGuard server from WAN/repeater works without problem. Connecting from LTE does not work; this is a CGNAT issue. As admon said, CGNAT is the responsibility of the provider. The WAN IP you get from the provider is not a true public IP, and may be translated not exactly or blocked by the provider, so you cannot use it directly. Setting up WireGuard via AstroRelay is one of the solutions. You can also use Tailscale and WireGuard together if you do not want to use AstroRelay. Using Tailscale only can also meet your needs, as it can implement remote access to LAN devices.


… & native/onboard Tailscale support is still in beta, correct?