Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Point to Point VPN on a NAT environment?
New on LowEndTalk? Please Register and read our Community Rules.

Point to Point VPN on a NAT environment?

sanvitsanvit Member

Hi everyone!

I was wondering, is there any way to make a point-to-point VPN connection between 2 NAT connection? One would be my LTE and another will be my friend's dormitory internet, which I obviously don't have access to the router's settings. Having a kind of authentication server is fine as long as the actual traffic doesn't pass through it. Does anyone know any solution to this?

Thanks in advance!

Comments

  • Try zerotier or wireguard. Both can do point to point VPN over NAT and are easy to configure. Zerotier has a centralized authentication server and relays if direct connection between two nodes is not feasible.

    Thanked by 1sanvit
  • sanvitsanvit Member
    edited July 2019

    @terrorgen said:
    Try zerotier or wireguard. Both can do point to point VPN over NAT and are easy to configure. Zerotier has a centralized authentication server and relays if direct connection between two nodes is not feasible.

    I'll have a look at Zerotier. iirc wireguard requires requires port forwarding, or if only one node has public access, other nodes connected to it can communicate together under NAT?

    Thanks :)

  • edfoxedfox Member

    @sanvit said:
    I'll have a look at Zerotier. iirc wireguard requires requires port forwarding, or if only one node has public access, other nodes connected to it can communicate together under NAT?

    Wireguard requires port forwarding only on one of the two nodes. As long as the two can estabilish a connection (both ways are alright), wireguard will update the endpoint ip of both clients.

    https://www.wireguard.com/#built-in-roaming

    Also: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence

    Thanked by 1sanvit
  • sanvitsanvit Member

    @edfox said:

    @sanvit said:
    I'll have a look at Zerotier. iirc wireguard requires requires port forwarding, or if only one node has public access, other nodes connected to it can communicate together under NAT?

    Wireguard requires port forwarding only on one of the two nodes. As long as the two can estabilish a connection (both ways are alright), wireguard will update the endpoint ip of both clients.

    https://www.wireguard.com/#built-in-roaming

    Also: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence

    I thought you can connect multiple nodes on a single wireguard connection? Since I don't have access to port forwarding in both nodes so I was thinking if putting 3 nodes (2 nodes that I want to directly connect which I don't have access to port forward setting and 1 of my idling VPS that will some how relay authentication/connection) if wireguard supports such thing

  • edfoxedfox Member

    @sanvit said:
    I thought you can connect multiple nodes on a single wireguard connection? Since I don't have access to port forwarding in both nodes so I was thinking if putting 3 nodes (2 nodes that I want to directly connect which I don't have access to port forward setting and 1 of my idling VPS that will some how relay authentication/connection) if wireguard supports such thing

    Yes, you can. If you enable packet forwarding on the node that will act as a "server", you can set "10.0.0.1/24" in the "AllowedIPs" of that peer and you will automatically get access to the entire subnet of the NAT (even peers to which you are not connected directly) via the server.

    Thanked by 1sanvit
  • sanvitsanvit Member

    @edfox said:

    @sanvit said:
    I thought you can connect multiple nodes on a single wireguard connection? Since I don't have access to port forwarding in both nodes so I was thinking if putting 3 nodes (2 nodes that I want to directly connect which I don't have access to port forward setting and 1 of my idling VPS that will some how relay authentication/connection) if wireguard supports such thing

    Yes, you can. If you enable packet forwarding on the node that will act as a "server", you can set "10.0.0.1/24" in the "AllowedIPs" of that peer and you will automatically get access to the entire subnet of the NAT (even peers to which you are not connected directly) via the server.

    To be clear, in that case, the open server will relay the connection, correct?

  • edfoxedfox Member

    @sanvit said:

    To be clear, in that case, the open server will relay the connection, correct?

    Yes. The "AcceptedIPs" option means "peer might access these addresses from this interface"

    Thanked by 1sanvit
  • sanvitsanvit Member

    @edfox said:

    @sanvit said:

    To be clear, in that case, the open server will relay the connection, correct?

    Yes. The "AcceptedIPs" option means "peer might access these addresses from this interface"

    Oh, I see. I should look into zerotier for now. Thanks :)

  • Or an open source and selfhosted zerotier-like solution: tinc

    Thanked by 1sanvit
  • I am still waiting for a 3rd party zerotier-one fork. Surprised nobody has done it already.

    Thanked by 1sanvit
  • take a look at https://samy.pl/pwnat/

    Thanked by 1sanvit
  • vitexvitex Member

    I have found Wireguard VPNs easy to configure and use. The best documentation that I have found is The Unofficial Wireguard Documentation.

    I use the TunSafe implementation of the Wireguard protocol. Since TunSafe runs in user mode, it requires neither a special version of the Linux kernel nor a kernel module, and it is possible to relay VPN connections through an inexpensive NAT VPS.

    If a VPN uses a VPS to relay connections, each connection from a client to the VPS is outgoing, so NAT hole punching is not needed for a client to connect from behind a NAT firewall. A point-to-point connection between clients behind NAT firewalls usually works if both clients have static IP addresses.

  • sanvitsanvit Member

    @Kousaka said:
    Or an open source and selfhosted zerotier-like solution: tinc

    seems like tinc is similar to wireguard with NAT hole punching ability? Looks really great. Thanks ;)

    @terrorgen said:
    I am still waiting for a 3rd party zerotier-one fork. Surprised nobody has done it already.

    ZertoTier seems easier to set up. I'd also really like to see a fork where you can setup your own roots :)

    @user54321 said:
    take a look at https://samy.pl/pwnat/

    That's actually pretty smart and seems to be a really simple solution. Thanks :)

    @vitex said:
    I have found Wireguard VPNs easy to configure and use. The best documentation that I have found is The Unofficial Wireguard Documentation.

    I use the TunSafe implementation of the Wireguard protocol. Since TunSafe runs in user mode, it requires neither a special version of the Linux kernel nor a kernel module, and it is possible to relay VPN connections through an inexpensive NAT VPS.

    If a VPN uses a VPS to relay connections, each connection from a client to the VPS is outgoing, so NAT hole punching is not needed for a client to connect from behind a NAT firewall. A point-to-point connection between clients behind NAT firewalls usually works if both clients have static IP addresses.

    Last time I've setup wireguard, for some reason I cannot connect my device. I'll see how TunSafe works. Thanks :)

  • rm_rm_ Member, IPv6 Advocate

    sanvit said: Does anyone know any solution to this?

    IPv6.

  • sanvitsanvit Member

    @rm_ said:

    sanvit said: Does anyone know any solution to this?

    IPv6.

    The last time I contacted my ISP about public availability of IPv6 for their Internet, I was told around 2020 or later :(

  • @sanvit said:

    @rm_ said:

    sanvit said: Does anyone know any solution to this?

    IPv6.

    The last time I contacted my ISP about public availability of IPv6 for their Internet, I was told around 2020 or later :(

    Get a hurricane electric tunnel then :)

  • sanvitsanvit Member

    @terrorgen said:

    @sanvit said:

    @rm_ said:

    sanvit said: Does anyone know any solution to this?

    IPv6.

    The last time I contacted my ISP about public availability of IPv6 for their Internet, I was told around 2020 or later :(

    Get a hurricane electric tunnel then :)

    Lol the closest available is HK which will add another 100ms of latency, never mind the horrible bandwidth :(

  • rm_rm_ Member, IPv6 Advocate

    terrorgen said: Get a hurricane electric tunnel then

    Tunnel will not work if you only have a NATed IPv4 from your ISP.

    sanvit said: The last time I contacted my ISP about public availability of IPv6 for their Internet, I was told around 2020 or later

    Anyway it is great that you kept that option in mind and also asked the ISP for it.

    Thanked by 1sanvit
  • sanvitsanvit Member

    @rm_ said:

    terrorgen said: Get a hurricane electric tunnel then

    Tunnel will not work if you only have a NATed IPv4 from your ISP.

    sanvit said: The last time I contacted my ISP about public availability of IPv6 for their Internet, I was told around 2020 or later

    Anyway it is great that you kept that option in mind and also asked the ISP for it.

    At leaset some ISPs give IPv6 to their mobile customers (LTE) :(

Sign In or Register to comment.