Openvpn server (or simply WAN access to SLATE storage) on Slate behind CGNAT using NGROK - is there a luci etc package for this?

Hi there, not sure if this is the area to post this.

Just got a GL-AR750s (Slate) and I have put in a 128GB SD card for storage. Locally that works OK, but I would like to be able to access this storage remotely, i.e. outside the local network behind the CGNAT - via VPN or not, no matter.

I understand NGROK needs to run on a computer inside the network to open a tunnel and provide a link. Maybe a dumb question, but is there a way to somehow install NGROK on the SLATE itself so that I do not need a computer inside the network to run NGROK?

I got the idea reading about the Adblock package that can be installed on the Slate. I wonder if there would be a way to open a tunnel from the SLATE itself - or run NGROK once only from a computer inside the network and be able to shut that computer down afterwards. Basically I only have 2 laptops inside the network and they are being taken away daily, so I do not have an always-on server machine to run ngrok on (and do not need to access a webserver). I have zero experience with Raspberry Pi (if that would be a solution) - willing to learn, but it seems a lot of work and if there is a simpler way involving just the Slate…

I have a webcam inside and the camera seems to work from outside OK through the CGNAT once it is paired with a phone. Also, TeamViewer works with no problems through the CGNAT (or at least I think it is CGNAT, as I have a fixed public IP that is different from the local one (which is unreachable), etc.). So how can the webcam and TeamViewer get through? Can’t this principle be used to access the storage on the Slate?

Sorry for the long post, any help would be great, thank you. Any details you need, pls ask…

… apparently it can be done with zerotier and openwrt…

Pls check www.astrorelay.com. It is developed for this purpose.

Ok, yes, I had a look - thank you

Also, reverse tunneling: Overview | ngrok documentation

Never done it though.

AstroRelay already does all needed, no need to use ngrok or reverse tunnelling. Just setup AstroRelay and use Wireguard :slight_smile:

Where does Wireguard come in? I thought you set up an AstroRelay account, create a certificate, create an agent for the GL.iNet router, SSH into the router and copy-paste the script from AstroRelay, execute and test, then go back into the AstroRelay account and create links for the router page, SSH and hopefully its attached storage (my main goal!) and other machines on the LAN, and then go back into a browser outside and use the generated addresses. Is Wireguard (or OpenVPN) on top for added security? I assume I would use the AstroRelay-generated addresses for the OpenVPN client, but first I’d like to see it working without VPN at least. No time to try right now but soon.

Well any time you want to access files remotely, you will usually use SMB aka Samba. Doesn’t matter if it’s on Windows or on Linux, SMB was not designed to be accessed remotely, it was designed to be used inside the local network. The encryption and security for login is very weak, so it is never recommended (even by Microsoft) to open an SMB port directly to the internet.

The correct way to do it is to use Wireguard (not OpenVPN as it is old, slow and clunky) and connect that way. Having the Wireguard client on your device means 1 click to connect usually and just typing //[wireguard_router_ip]/[share_name] into Windows Explorer (for example, or a similar way in other platforms).

On Windows I personally use the TunSafe VPN Wireguard client, and access my files as I wrote above, just making a network map of the Wireguard IP. On Android I use Cx File Explorer to do the same and the TunSafe client.

So for links you can do UDPoverTCP (+XOR) for Wireguard, TLS for GL UI and TCP (+XOR) for SSH (since it's already encrypted, no need to modify the data).

Ah, I see. Ok, I will try it, thanks!

Well, I managed to do everything the AstroRelay tutorial shows but I cannot access the router storage. Darn…
I tried making a link for Wireguard but I do not know how to set up TunSafe in Win 10. There is a config file but where do I put in the address and port given by AstroRelay?

If I want to try unencrypted, what settings should I put in the Links in AstroRelay? I need to point to \\192.168.8.1\GL-Samba\sda1.

Must be close but nothing works thus far… So I wonder: 1. how do you configure TunSafe - and then 2. you just map a drive to the local address in Explorer, just like being in the network? And can you try, say, FTP or SFTP at all using AstroRelay?

Thanks!

For Wireguard, you should replace the endpoint IP and port with the one given by AstroRelay.

Thanks, I tried some stuff but no go. In the GL.iNet router’s Wireguard I have Local address 10.0.0.1 and Local port 51820. I have specified these in building the AstroRelay link (destination host IP and destination port). I have used the link and port generated by AstroRelay in the TunSafe config file in Endpoint. Still not working. Obviously I do not know what I am doing :frowning: Should I keep 10.0.0.1 and 51820 in the Wireguard server on the router or change to something else? Should I change something else in the TunSafe config? A step-by-step guide on how to set up access to the router’s storage using Wireguard would be great…

Seems like you made some mistakes :slight_smile:

When creating the link in AstroRelay the destination host and IP are the ones to your router, like without VPN, so 192.168.8.1 or 127.0.0.1 and port 51820. Protocol should be UDPoverTCP with or without XOR. Then in TunSafe, you copy the client config generated by the Wireguard UI on the router, but you replace the IP and port with the AstroRelay Host and Port. Your config should look something like this (ofc change your values, but you should have everything below):

[Interface]
Address = 10.0.0.2/32
ListenPort = 37407
PrivateKey = ****
DNS = 64.6.64.6

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = client.astrorelay.com:10284
PersistentKeepalive = 25
PublicKey = *****

Then finally, when you get a good connection in TunSafe, you can go into Windows Explorer and mount a new network drive, and set it to the router Wireguard IP (not the LAN), so \\10.0.0.1\GL-Samba\sda1. For other IPs on the network you can use the local IP; it is just when accessing the router in some way that you need to use the Wireguard IP.

Ok, many thanks - I will try this. However, do I need to get another account with a VPN provider as well, e.g. azireVPN? Can I not just use the Wireguard server on the router itself? Because you mention the config file created by the Wireguard UI on the router - that is when you set up a Wireguard client that uses some external VPN provider? I am trying to do as much as I can on the router itself… In other words, avoid a third-party Wireguard. And if so, how do I get a config file… I suspect yours is particular to your config. Sorry if I am talking nonsense…

I mean in the GL UI, Wireguard Server page.

Ooohh… Ok.
Well, I created a client and copied the Interface and Peer sections into the TunSafe config file… By the way, every time you click on the configuration, the Wireguard client on the router seems to give a different listen port in the Interface section (?). Changed the Endpoint to the AstroRelay address:port in Peer. This was done with the Wireguard server stopped. Started the Wireguard server. Tried to connect with TunSafe, no joy… Trying handshakes forever.
In AstroRelay I have 192.168.8.1 and 51820. I must be really bad at this… Also I get the error UdpSocketWin32::Write error 0xC000023D in the log, but only the first time after TunSafe install… The plot thickens…

EDIT: tired of it, I installed the Win10 Wireguard client. I got an ‘object already exists’, Googled it, disabled the TunSafe TAP adapter, copied the config into the Win10 Wireguard client… and TA-DA! Connected! Why the TunSafe client does not want to work is beyond me, as it seems the settings are correct. Well, happy enough and I learned a bit about VPN. BTW I do use VPN on my Billion 7800 VDOX and setup was infinitely easier - but the Billion is not behind CGNAT… Will look at TunSafe again when I have time.

EDIT 2: Not sure how, but it seems I have used up 1GB of data in just a few minutes and my agent is down. Strange…

If you use vpn, all of your pc’s data goes via the vpn so 1GB is very possible.
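An added example, not written by any poster in this thread and not AstroRelay or GL.iNet code: a Python helper that performs the Endpoint swap described above on a router-generated client config and narrows `AllowedIPs`, since `0.0.0.0/0` sends all of the PC's IPv4 traffic through the relay. The function names, the placeholder keys and endpoint in the sample, and the `192.168.8.0/24` LAN mask are assumptions; `10.0.0.1` and `client.astrorelay.com:10284` are the values quoted in the thread.

```python
import ipaddress

# Constructed sample shaped like the client config quoted in the thread;
# the keys and the router-side endpoint are placeholders.
ROUTER_CONFIG = """\
[Interface]
Address = 10.0.0.2/32
PrivateKey = <client-private-key>

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = router.example.invalid:51820
PersistentKeepalive = 25
PublicKey = <router-public-key>
"""

def rewrite_for_relay(config, relay_endpoint, allowed_ips):
    """Return config with the [Peer] Endpoint and AllowedIPs replaced."""
    host, _, port = relay_endpoint.rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"endpoint must be host:port, got {relay_endpoint!r}")
    # strict=True rejects host bits (e.g. 192.168.8.1/24) so typos fail loudly.
    nets = [str(ipaddress.ip_network(n, strict=True)) for n in allowed_ips]
    if not nets:
        raise ValueError("at least one AllowedIPs network is required")
    section, out, seen = None, [], set()
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        key = stripped.partition("=")[0].strip().lower()
        if section == "peer" and "=" in stripped:
            if key == "endpoint":
                line = f"Endpoint = {relay_endpoint}"
                seen.add(key)
            elif key == "allowedips":
                line = f"AllowedIPs = {', '.join(nets)}"
                seen.add(key)
        out.append(line)
    if seen != {"endpoint", "allowedips"}:
        raise ValueError("config has no [Peer] Endpoint/AllowedIPs to replace")
    return "\n".join(out) + "\n"

def routes_everything(config):
    """True if any AllowedIPs entry is a default route (full tunnel)."""
    for line in config.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips" and any(
                ipaddress.ip_network(n.strip(), strict=False).prefixlen == 0
                for n in value.split(",")):
            return True
    return False
```

Calling `rewrite_for_relay(ROUTER_CONFIG, "client.astrorelay.com:10284", ["10.0.0.1/32", "192.168.8.0/24"])` keeps the share at `\\10.0.0.1\GL-Samba\sda1` reachable while ordinary browsing stays off the metered relay.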

Ok, I got caught I guess…
So I paid $USD6 for 5GB and monitored incoming / outgoing data using the Wireguard client. I have to say, the statistics on Astrorelay site are out by 100%. I.e. I used up 60MB data - uploaded some files and added transmitted and received data were 60MB in Wireguard client stats - but the Astrorelay graph shows 120MB, so double… Also it is very slow. I guess this is a solution just for emergencies, if you need some important file or two from a location behind a CGNAT. For everyday use, just SSH and router admin are worth it in my opinion. Perhaps free solutions such as Zerotier are better - will investigate later on. Thanks!

The solution I made uses my setup on the VPS: first I install an OpenVPN server on the cloud VPS and make the GL.iNet connect to it as an OpenVPN client. I made this OpenVPN server just to do port forwarding without changing the IP address on the GL.iNet. Then I set up a Wireguard server on the GL.iNet, and the Wireguard client connects to it through the tunnel of the VPS.