Need the ability to remote into KVM using VPN

We need our KVM to be on a cellular network in case of a local outage, so we can still manage and see the firewalls.
The idea would be to have a 5G device that is up on its own, and we use that to remote via LAN into the local FW management interface.
The issue we are facing, due to current budgetary constraints, is that I have to work with our Inseego M2100 hotspot and the GL-MT1300 router (though for this part we have some leeway).

I was able to get the hotspot to tether to the router with no issues, and I set up an OpenVPN server on the router and started it. However, after importing the config from the router into my OpenVPN client, it seems that I am unable to get a connection.
I am also unable to ping the tunnel IP.
I am guessing I am missing something like a port forward on the hotspot? I have never had to do this before, so I would really like some help.

You can’t run a VPN server on a 5G/LTE device due to CGNAT.

You need to use another method, so the cellular device acts as a client and connects to another server. Or you have to use something like ZeroTier.
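
The CGNAT point above, as an added diagnostic example (not from this thread and not GL.iNet code): given the WAN address each device you own sees, from inside out (GL.iNet WAN, then hotspot WAN), plus the address an outside "what is my IP" service reports, decide whether an inbound port forward could ever reach a VPN server behind that path. 100.64.0.0/10 is the RFC 6598 shared address space carriers hand out behind their NAT. All sample addresses are constructed.

```python
"""Can an inbound connection ever reach a VPN server behind this path?

Added example for this thread, not GL.iNet code. Input is the WAN address seen by
each device you own, from inside out (GL.iNet WAN, then hotspot WAN), plus the
address an outside 'what is my IP' service reports. Sample addresses are constructed.
"""
import ipaddress

# RFC 6598 shared address space: what a carrier assigns on the inside of its NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 space, listed explicitly so documentation ranges still count as "public" here.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_address(addr: str) -> str:
    """Return 'cgnat', 'private', 'public', 'ipv6-global' or 'ipv6-non-global'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6-global" if ip.is_global else "ipv6-non-global"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"


def inbound_path_diagnosis(hop_wan_addrs, observed_public_addr):
    """hop_wan_addrs: WAN address of each device you control, inside out,
    e.g. [gl_inet_wan, hotspot_wan]. Returns (server_reachable, reason)."""
    outermost = hop_wan_addrs[-1]
    kind = classify_wan_address(outermost)
    if kind == "cgnat":
        return False, ("outermost WAN address is carrier NAT space (100.64.0.0/10); "
                       "no port forward you control can reach the server")
    if kind not in ("public", "ipv6-global"):
        return False, f"outermost WAN address is {kind}; a NAT you do not control is upstream"
    if kind == "public" and outermost != observed_public_addr:
        return False, "WAN address is public but not the one the internet sees; upstream NAT is present"
    inner_nats = len(hop_wan_addrs) - 1   # every hop inside the outermost is a NAT you can forward through
    if inner_nats:
        return True, f"reachable after {inner_nats} port forward(s) on your own device(s)"
    return True, "reachable directly"


if __name__ == "__main__":
    # Constructed: GL.iNet gets 192.168.1.2 from the hotspot, the hotspot gets
    # 100.71.5.20 from the carrier, and an outside service reports 203.0.113.7.
    print(inbound_path_diagnosis(["192.168.1.2", "100.71.5.20"], "203.0.113.7"))
    # Constructed: a wired line where the modem really holds the public address.
    print(inbound_path_diagnosis(["192.168.1.2", "203.0.113.7"], "203.0.113.7"))
```

To feed it real values, read the GL.iNet WAN address with `ip -4 addr show` on the router and the cellular WAN address from the hotspot's status page. A public address that matches what the outside sees does not guarantee inbound works, since a carrier can still filter inbound traffic, but a 100.64.0.0/10 address or a mismatch settles the question: the server must dial out instead.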

I should clarify: the VPN is on the GL.iNet device, not the hotspot. So ideally all the hotspot does is route my traffic through itself to the GL.iNet, which takes over from there, and I see that they can tackle the IP issue with dynamic DNS or possibly IPv6.

Does ZeroTier work similarly to ngrok?

But the GL device is connected to the hotspot, isn’t it?

Correct, it’s tethered, so it would still need to traverse CGNAT.

And that’s not possible by design.

I am seeing folks say WireGuard seems to work around this; do you have any knowledge in that respect? I’m really trying to avoid having to add yet another provider to the mix.

My knowledge is that you can’t use WireGuard to get around CGNAT if there is no relay service. AstroRelay could do it, or ZeroTier as mentioned before.

I would go with ZeroTier. Super easy to use and secure enough for daily usage.


Appreciate the help, will try ZeroTier and report back.

Another possibility is to set up a free or small tier on OCI running OpenVPN or WireGuard, have the 1300 connect to it as a client, and then connect in as another client.

Yeah similar to running a VPS I suppose!

This only works if your GL.iNet router connects to the VPN as a client, but not when it functions as a server.

Basically what it does is, inside the tunnel, skip the hop to your ISP and use WireGuard as the hop; it only uses the ISP for the tunnel.

However, I guess you might want to make some type of WireGuard point-to-point; then you could use the clients behind CGNAT just like a node, and for even more complexity mix L2 into the mix with VXLAN or GRETAP if that is important. I’ve been experimenting with it lately; it can let me pretend I’m always home, even with devices on multicast, where VPNs often don’t have support for layer 2 stuff 😆. Most people are good enough with just the VPN and client-to-client communication, not VLAN pushing through VPN tunnels, but it’s cool that it exists.

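
The VPS-hub approach suggested above (a small host with a public address, as in the OCI post, with the GL.iNet router and the admin machine both dialing out to it as WireGuard clients), as an added example that is not from this thread, GL.iNet or any vendor: a generator for the three WireGuard configs plus a check for the address mistakes that produce "handshake completes but I can't ping the LAN". The tunnel subnet 10.200.0.0/24, the router LAN 192.168.8.0/24, the endpoint vpn.example.com:51820 and the `<...>` key placeholders are all assumptions; real keys come from `wg genkey` and `wg pubkey`.

```python
"""Hub-and-spoke WireGuard configs for a router stuck behind carrier NAT.

Added example for this thread, not GL.iNet or any vendor's code. The hub is a small
VPS with a public address; the GL.iNet router and the admin laptop both dial OUT to
it, so nothing has to reach the cellular side inbound. Endpoint, subnets and the
<...> key placeholders are assumptions; real keys come from `wg genkey` / `wg pubkey`.
"""
import ipaddress
from dataclasses import dataclass, field

TUNNEL_NET = ipaddress.ip_network("10.200.0.0/24")   # assumed overlay subnet
HUB_ENDPOINT = "vpn.example.com:51820"               # assumed VPS name and UDP port


@dataclass
class Node:
    name: str
    tunnel_ip: str                  # this node's address inside TUNNEL_NET
    public_key: str                 # placeholder, replace with `wg pubkey` output
    private_key: str                # placeholder, replace with `wg genkey` output
    lan_subnets: list = field(default_factory=list)  # subnets this node routes for


def render_hub(hub: Node, spokes: list) -> str:
    """One [Peer] per spoke. On the hub, AllowedIPs is the routing table: a spoke's
    LAN must appear in its peer entry or the hub drops packets destined for it."""
    out = [
        "[Interface]",
        f"Address = {hub.tunnel_ip}/{TUNNEL_NET.prefixlen}",
        f"ListenPort = {HUB_ENDPOINT.rsplit(':', 1)[1]}",
        f"PrivateKey = {hub.private_key}",
        "# hub also needs net.ipv4.ip_forward=1 so one spoke can reach another",
    ]
    for s in spokes:
        allowed = [f"{s.tunnel_ip}/32"] + s.lan_subnets
        out += ["", f"# {s.name}", "[Peer]", f"PublicKey = {s.public_key}",
                f"AllowedIPs = {', '.join(allowed)}"]
    return "\n".join(out) + "\n"


def render_spoke(spoke: Node, hub: Node, remote_subnets: list) -> str:
    """AllowedIPs here is only what this spoke sends INTO the tunnel: the overlay plus
    remote LANs, never 0.0.0.0/0, so ordinary WAN traffic is not hairpinned through the
    VPS. PersistentKeepalive refreshes the carrier-NAT mapping so the hub can still
    send packets down to the router between sessions."""
    allowed = [str(TUNNEL_NET)] + remote_subnets
    return "\n".join([
        "[Interface]",
        f"Address = {spoke.tunnel_ip}/{TUNNEL_NET.prefixlen}",
        f"PrivateKey = {spoke.private_key}",
        "",
        f"# {hub.name}",
        "[Peer]",
        f"PublicKey = {hub.public_key}",
        f"Endpoint = {HUB_ENDPOINT}",
        f"AllowedIPs = {', '.join(allowed)}",
        "PersistentKeepalive = 25",
    ]) + "\n"


def validate(hub: Node, spokes: list) -> list:
    """Catch the address mistakes behind 'handshake works but I cannot ping the LAN'."""
    problems, seen, claimed = [], set(), []
    for n in [hub] + spokes:
        ip = ipaddress.ip_address(n.tunnel_ip)
        if ip not in TUNNEL_NET:
            problems.append(f"{n.name}: tunnel IP {ip} is outside {TUNNEL_NET}")
        if ip in seen:
            problems.append(f"{n.name}: duplicate tunnel IP {ip}")
        seen.add(ip)
    for s in spokes:
        for cidr in s.lan_subnets:
            net = ipaddress.ip_network(cidr)
            if net.overlaps(TUNNEL_NET):
                problems.append(f"{s.name}: LAN {net} overlaps the tunnel subnet")
            for owner, other in claimed:
                if net.overlaps(other):
                    problems.append(f"{s.name}: LAN {net} overlaps {owner}'s {other}")
            claimed.append((s.name, net))
    return problems


def build_example() -> dict:
    """Constructed three-node setup: OCI hub, GL-MT1300 behind the hotspot, admin laptop."""
    hub = Node("oci-hub", "10.200.0.1", "<HUB_PUBLIC_KEY>", "<HUB_PRIVATE_KEY>")
    router = Node("gl-mt1300", "10.200.0.2", "<ROUTER_PUBLIC_KEY>", "<ROUTER_PRIVATE_KEY>",
                  lan_subnets=["192.168.8.0/24"])  # assumed LAN holding the FW mgmt port
    admin = Node("admin-laptop", "10.200.0.3", "<ADMIN_PUBLIC_KEY>", "<ADMIN_PRIVATE_KEY>")
    spokes = [router, admin]
    return {
        "problems": validate(hub, spokes),
        "hub.conf": render_hub(hub, spokes),
        "router.conf": render_spoke(router, hub, []),
        # the admin must list the router's LAN to reach the firewall through the hub
        "admin.conf": render_spoke(admin, hub, router.lan_subnets),
    }


if __name__ == "__main__":
    for name, value in build_example().items():
        print(f"==== {name} ====\n{value}")
```

The hub's peer entry for the router carries both the router's tunnel address and its LAN, and the admin's AllowedIPs carries that same LAN; leave either out and the handshake still succeeds while pings to the firewall go nowhere. On the router side the generated `router.conf` is what goes into the GL.iNet WireGuard client, and forwarding from the WireGuard interface into the LAN has to be permitted in its firewall for the management interface to be reachable.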

Hmm, so it looks like I got it working by following the existing threads on the subject matter.
I can now reach the router using ZeroTier and log into it, which is great. After rebooting all devices, routing is now also working to the LAN, which is amazing.
For anyone else who may need it, I followed this thread:
and this one: Using ZeroTier on GL.iNet's mini-routers - Think && Act