VPN to home behind CG-NAT with 2 GL-iNET routers

Hello all,

I own 2 GL routers:

1- GL-X3000 that connects to a 5G network behind CG-NAT
2- GL-MT3000 that goes with me on my travels

I want to be able to connect to my home network (GL-X3000) and use my home connection to access the internet.

What is the best way to achieve this?

My solution was:
1- create a zerotier ip on each router
2- setup a wireguard server on GL-X3000
3- setup a wireguard client on GL-MT3000 using the zerotier IP from GL-X3000.

It works but speeds are slow.
If I use a Raspberry Pi as the wireguard server speeds are higher.

Is this the best solution?
Are there other solutions to try?
Any setup that could improve the speeds?

Thanks a lot for your help.

Do you use zerotier with RPi?

Yes I do!

To bypass CG-NAT that was the best way.

Tailscale is easy to setup but has slow speeds.

And GL-X3000 doesn’t have the option to become an exit node.

I use a free Oracle cloud VPS to give me a public IP address, and have my AR300M router, which is behind a NAT, set up a Wireguard connection to the VPS when it boots. I then use iptables on the VPS to route the traffic from specific ports to my AR300M over the Wireguard link. The AR300M is set up with 3 VPN clients, OpenVPN, Wireguard and SoftEther, as some remote locations I use block one or more ports or VPN protocols. As the Oracle VPS can pass packets quickly, I get the full speed of the AR300M when using Wireguard. As I control the VPS, I have it do some pre-filtering of packets before it passes on the packets.

I originally set this up using GL iNet firmware on my AR300M, but I recently changed over to 23.05 OpenWrt as I don’t feel that GL iNet is going to support the AR300M firmware much longer, and I found it was easier to set up with the generic OpenWrt, as GL iNet does not support this type of setup. My main travel router is an AR750s.

This setup allows me to use a family member's home IP address while on travel, without them ever needing to do anything on their end, other than plug the AR300M into their home router with a short Ethernet cable.
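The VPS relay described in the post above, written out as an added example (this is not the poster's script, and it is not GL.iNet or OpenWrt code): a POSIX shell script that prints, or with --apply runs as root, the iptables rules a public VPS needs to publish a few inbound ports and hand them to the home router over the WireGuard tunnel, plus the sort of pre-filtering the post mentions. The interface names (ens3, wg0), the tunnel address 10.10.0.2, the relay's own listen port 51821 and the forwarded ports are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, GL.iNet or OpenWrt): iptables rules a
# public VPS uses to relay selected inbound ports over a WireGuard tunnel to a
# home router behind CG-NAT, plus some pre-filtering before handing packets on.
# Every interface name, address and port below is a constructed assumption.
# By default the script only prints the rules; pass --apply as root to run them.

WAN_IF="${WAN_IF:-ens3}"                    # VPS public interface (assumed)
WG_IF="${WG_IF:-wg0}"                       # WireGuard interface on the VPS
WG_PEER_IP="${WG_PEER_IP:-10.10.0.2}"       # home router's tunnel address
WG_LISTEN_PORT="${WG_LISTEN_PORT:-51821}"   # port the relay tunnel itself uses

# Rules needed once, however many ports are published:
#  1. drop packets conntrack cannot tie to a flow (scans, spoofed junk,
#     leftovers after the tunnel flaps);
#  2. cap new TCP connections per source address, since the home router is
#     the slow end of the link and a single host should not be able to flood it;
#  3. let replies from the home router travel back out to the Internet;
#  4. masquerade traffic entering the tunnel so the router answers via the VPS
#     and not via its own CG-NAT uplink, which would break the return path.
relay_base_rules() {
  cat <<EOF
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $WAN_IF -o $WG_IF -p tcp --syn -m hashlimit --hashlimit-name relay-syn --hashlimit-mode srcip --hashlimit-above 20/second -j DROP
iptables -A FORWARD -i $WG_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WG_IF -d $WG_PEER_IP -j MASQUERADE
EOF
}

# Publish one port: PROTO is tcp or udp, PORT is 1-65535 and must not be the
# relay tunnel's own listen port (forwarding that would cut the tunnel off).
# Prints a DNAT rule plus a FORWARD accept scoped to that one destination.
relay_port_rules() {
  rp_proto="$1"; rp_port="$2"
  case "$rp_proto" in tcp|udp) ;; *) echo "relay: bad protocol '$rp_proto'" >&2; return 1 ;; esac
  case "$rp_port" in ''|*[!0-9]*) echo "relay: bad port '$rp_port'" >&2; return 1 ;; esac
  if [ "$rp_port" -lt 1 ] || [ "$rp_port" -gt 65535 ]; then
    echo "relay: port out of range '$rp_port'" >&2; return 1
  fi
  if [ "$rp_port" -eq "$WG_LISTEN_PORT" ]; then
    echo "relay: refusing to forward the tunnel's own port $WG_LISTEN_PORT" >&2; return 1
  fi
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p $rp_proto --dport $rp_port -j DNAT --to-destination $WG_PEER_IP:$rp_port
iptables -A FORWARD -i $WAN_IF -o $WG_IF -p $rp_proto -d $WG_PEER_IP --dport $rp_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Whole ruleset for a list of PROTO:PORT specs, e.g. "udp:51820 tcp:1194".
# Returns non-zero on the first bad spec.
relay_ruleset() {
  relay_base_rules || return 1
  for rr_spec in "$@"; do
    relay_port_rules "${rr_spec%%:*}" "${rr_spec#*:}" || return 1
  done
}

# Print the rules, or apply them all only after every spec validated.
# Forwarding must also be enabled on the VPS: sysctl -w net.ipv4.ip_forward=1
apply_or_print() {
  if [ "$1" = "--apply" ]; then
    shift
    [ "$(id -u)" -eq 0 ] || { echo "relay: --apply needs root" >&2; return 1; }
    rr_rules=$(relay_ruleset "$@") || return 1
    printf '%s\n' "$rr_rules" | while IFS= read -r rr_cmd; do sh -c "$rr_cmd" || exit 1; done
  else
    relay_ruleset "$@"
  fi
}

# Example: publish the home router's WireGuard (udp/51820) and OpenVPN
# (tcp/1194) listeners; these are the protocols' default ports, assumed here.
# Uncomment to run as a script:
# apply_or_print "$@" udp:51820 tcp:1194
```

Only the published ports become reachable on the VPS's public address, so the VPS, not the home router, is the exposed surface, and the per-source SYN cap plus the INVALID drop are what the post's "pre-filtering" amounts to here. The home router's side of the relay tunnel should carry a PersistentKeepalive in its WireGuard peer section, since the router sits behind CG-NAT and initiates the tunnel at boot; without keepalives the carrier's NAT mapping times out and inbound forwards stop until the router sends traffic again.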

Could the slow speed be related to a bug in the Wireguard Server binary on GL? Can you try htop while testing the speed? I am suspecting that the CPU is the bottleneck!

I think it does support it, although I did not use TS:
https://openwrt.org/docs/guide-user/services/vpn/tailscale/start

Try to tune the performance as per this:

Why do you use WireGuard + ZeroTier?
It’s not needed since ZeroTier will encrypt the traffic as well.

I am just using ZeroTier between all my routers (even the CG-NAT ones) and it’s OK to use without the WireGuard overhead.

I had the same problem, since I wanted to be perceived “at home” while working my corporate job. The best answer I have found is Zerotier + Wireguard. ZeroTier is fine for getting past your ISP’s cgnat. However, you will want Wireguard layered on top specifically for its native IP protection capabilities. If your internet ever blips, you will NEED Wireguard’s native IP leakage protection to keep you from accidentally exposing your IP. I tried brewing up some scripts to accomplish the same thing using Zerotier only, but it was overly complicated. Basically, Zerotier will be needed to bypass cgnat, and Wireguard to ensure you don’t accidentally leak your IP. I didn’t notice any performance hit by layering the two technologies, and it is fully supported by the native Glinet OS. Once you set up your Wireguard connection, you just flip the switch in the Glinet OS to “Block Non-VPN traffic”. Badda bing badda boom, you are good to go!

@eric

I use a free Oracle cloud VPS to give me a public IP address, and have my AR300M router, which is behind a NAT, set up a Wireguard connection to the VPS when it boots. I then use iptables on the VPS to route the traffic from specific ports to my AR300M over the Wireguard link. The AR300M is set up with 3 VPN clients, OpenVPN, Wireguard and SoftEther, as some remote locations I use block one or more ports or VPN protocols. As the Oracle VPS can pass packets quickly, I get the full speed of the AR300M when using Wireguard. As I control the VPS, I have it do some pre-filtering of packets before it passes on the packets.

Is it possible to write a detailed setup tutorial for this VPS option to get a public IP and the correct setup of iptables, or point me to a nice tutorial for noobs? I am kind of new at this but would like to try this option and see if it makes a difference in performance.

@SpitzAX3000

Could the slow speed be related to a bug in the Wireguard Server binary on GL? Can you try htop while testing the speed? I am suspecting that the CPU is the bottleneck!

The CPU is not the bottleneck. Did a top on both and the load is ok in both routers.

I think it does support it, although I did not use TS:
[OpenWrt Wiki] Tailscale

Thanks, it works if you activate it through the terminal.
However speeds are terrible.
The zerotier / wireguard solution is still better.

Try to tune the performance as per this:

Would like to try:

sudo sysctl -w net.ipv4.tcp_congestion_control=bbr

but it looks like the kernel doesn't support it.

@admon

Zerotier is to get access to the wireguard server that is not accessible through a public IP.
Wireguard is to behave like I am doing everything from that network.
Like @goldsteinadj issue.

@goldsteinadj

Yes I have a working solution but expected better performance.
Thanks for the tip.

I travel full time and just don’t have the time to write-up my setup, especially as I do this with OpenWrt and not GL iNet firmware. As a starting point, you can look at:

Which uses similar ideas to how I implemented my setup. Also do a Google search for:

using a vps for cgnat

I understand why you use it, but it’s not necessary. You can simply rely on ZeroTier without wireguard.

@admon

I understand why you use it, but it’s not necessary. You can simply rely on ZeroTier without wireguard.

Can ZeroTier route all traffic through my home connection? How? Thanks.

It’s not totally easy but yes, you can: