#StackBounty: #networking #vpn #ipv6 Site-to-site VPN with CGNAT

Bounty: 50

Sorry if I posted this in the wrong place. Let me know if I should move this to another SE site. On with the story…

My home ISP sometimes (but not consistently) forces us through a CGNAT; however, I need remote access to the local devices in a reliable fashion (as long as there is Internet connectivity in the first place; there is no way to avoid this requirement 🙂 ). Before switching ISPs (the old ISP always gave me the same public IPv4 address) I could just use OpenVPN and be done with it.

Now that CGNAT is a real possibility, OpenVPN is no longer a reliable way to connect to my LAN resources remotely. So I’m looking for another reliable enough solution (it will enable several things for me, some of them kinda required, like accessing security cameras remotely, and some useful, like a reverse SSH server to my workplace).

Now for the setup:

  • At home, I have a Raspberry Pi, Model 3 B+ if it matters (I’d be surprised, but I’m providing it for completeness). It’s behind a router of my own, which connects to the ISP over PPPoE. It has full access to LAN resources. It has a private, fixed IPv4 address (though now, with the CGNAT issue, I contemplate dropping the "fixed" requirement; it’s probably not as useful as before to have it fixed anyway) and an automatic (SLAAC, no privacy extensions) publicly routed IPv6 address. There are no guarantees that I will get the same /64 from reconnect to reconnect (and thus IP addresses will vary with time).
  • Off-site, I have an AWS EC2 host (the smallest one, which is "free" but I think won’t truly be free). I have an elastic IPv4 and IPv6 configured on the host, with proper gateway configuration (I wasted a lot of time but managed to do it in the end). So technically I could connect from there to the Pi via IPv6 (assuming there is a proper Dynamic DNS service the Pi can use for IPv6) or from the Pi to the AWS host over both IPv4 and IPv6.
  • At work, I have a highly guarded network, for which I only want to do reverse SSH. I can probably just use the AWS instance as a jump host and resolve it very quickly. I mean, I can run the SSH server on the AWS instance on port 443 anyway. So it’s no real issue (port 22 is blocked by work firewall 🙁 )

What I need help with is twofold:

  1. First, how to set up the direct connection from my Raspberry Pi to the AWS host so that the AWS host has direct access to all my LAN resources (eventually customizable by my firewall rules on the Raspberry Pi)
  2. Second, how to ensure this support will automatically start every time the Pi is restarted (I tend to reboot it often enough, and power outages will cause unintended reboots as well).

Note that I do have a workaround but it genuinely sucks. It involves restarting my router through the TP-Link cloud service several times every time I get a CGNAT IP address until I get a public one. Then my ISP is helpful enough to provide a proper Dynamic DNS service so I can resolve to my public address (OR my private address, if I do get CGNAT; that’s not that helpful though). I want to be able to forget about such workarounds, really.
