Point to Point VPN on a NAT environment?
Hi everyone!
I was wondering, is there any way to make a point-to-point VPN connection between 2 NAT connections? One would be my LTE and the other would be my friend's dormitory internet, where I obviously don't have access to the router's settings. Having a kind of authentication server is fine as long as the actual traffic doesn't pass through it. Does anyone know any solution to this?
Thanks in advance!
Comments
Try zerotier or wireguard. Both can do point to point VPN over NAT and are easy to configure. Zerotier has a centralized authentication server and relays if direct connection between two nodes is not feasible.
I'll have a look at ZeroTier. IIRC WireGuard requires port forwarding, or if only one node has public access, can the other nodes connected to it communicate together under NAT?
Thanks
WireGuard requires port forwarding only on one of the two nodes. As long as the two can establish a connection (either direction is fine), WireGuard will update the endpoint IP of both clients.
https://www.wireguard.com/#built-in-roaming
Also: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
I thought you can connect multiple nodes on a single WireGuard connection? Since I don't have access to port forwarding on either node, I was wondering whether WireGuard supports putting 3 nodes together (the 2 nodes that I want to connect directly, where I don't have access to the port-forwarding settings, plus 1 of my idle VPSes that would somehow relay authentication/connection).
Yes, you can. If you enable packet forwarding on the node that will act as a "server", you can set "10.0.0.1/24" in the "AllowedIPs" of that peer and you will automatically get access to the entire subnet of the NAT (even peers to which you are not connected directly) via the server.
To be clear, in that case, the open server will relay the connection, correct?
Yes. The "AcceptedIPs" option means "peer might access these addresses from this interface"
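The hub-and-spoke setup described in the replies above, written out as an added example (not configuration posted by anyone in this thread). It assumes a VPS with a public IP reachable at the hypothetical hostname relay.example.net on UDP 51820, the tunnel subnet 10.0.0.0/24, and placeholder keys where `wg genkey` / `wg pubkey` output would go. On the relay each peer gets a /32 in AllowedIPs so cryptokey routing knows which peer owns which address; on the NAT'd peers AllowedIPs is the whole /24 so traffic for the other peer is sent through the relay, and PersistentKeepalive keeps the NAT mapping alive so the relay can reach them. Forwarding must be enabled on the relay (`sysctl -w net.ipv4.ip_forward=1`). One caveat the original poster should weigh: in this arrangement the relay terminates both tunnels, so it decrypts and re-encrypts every packet and can see the cleartext, unlike a pure authentication/rendezvous server.

```ini
# /etc/wireguard/wg0.conf on the relay VPS (public IP, UDP 51820 open)
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <relay private key>
# Enable forwarding so the relay routes between its two peers:
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# Laptop behind the LTE NAT
PublicKey = <peer A public key>
AllowedIPs = 10.0.0.2/32

[Peer]
# Friend's machine behind the dormitory NAT
PublicKey = <peer B public key>
AllowedIPs = 10.0.0.3/32

# /etc/wireguard/wg0.conf on peer A (behind LTE NAT, no port forwarding)
[Interface]
Address = 10.0.0.2/24
PrivateKey = <peer A private key>

[Peer]
PublicKey = <relay public key>
Endpoint = relay.example.net:51820
# Whole tunnel subnet via the relay, so 10.0.0.3 is reachable through it
AllowedIPs = 10.0.0.0/24
# Outgoing keepalive every 25 s holds the NAT mapping open
PersistentKeepalive = 25

# /etc/wireguard/wg0.conf on peer B (behind dormitory NAT) is identical
# except for Address = 10.0.0.3/24 and its own PrivateKey.
```

Bring each side up with `wg-quick up wg0` and check `wg show` on the relay: both peers should show a recent handshake and a current endpoint, after which peer A can ping 10.0.0.3 via the relay.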
Oh, I see. I should look into zerotier for now. Thanks
Or an open source and selfhosted zerotier-like solution: tinc
I am still waiting for a 3rd party zerotier-one fork. Surprised nobody has done it already.
take a look at https://samy.pl/pwnat/
I have found Wireguard VPNs easy to configure and use. The best documentation that I have found is The Unofficial Wireguard Documentation.
I use the TunSafe implementation of the Wireguard protocol. Since TunSafe runs in user mode, it requires neither a special version of the Linux kernel nor a kernel module, and it is possible to relay VPN connections through an inexpensive NAT VPS.
If a VPN uses a VPS to relay connections, each connection from a client to the VPS is outgoing, so NAT hole punching is not needed for a client to connect from behind a NAT firewall. A point-to-point connection between clients behind NAT firewalls usually works if both clients have static IP addresses.
seems like tinc is similar to wireguard with NAT hole punching ability? Looks really great. Thanks
ZeroTier seems easier to set up. I'd also really like to see a fork where you can set up your own roots
That's actually pretty smart and seems to be a really simple solution. Thanks
Last time I've setup wireguard, for some reason I cannot connect my device. I'll see how TunSafe works. Thanks
IPv6.
The last time I contacted my ISP about public availability of IPv6 for their Internet, I was told around 2020 or later
Get a hurricane electric tunnel then
Lol the closest available is HK which will add another 100ms of latency, never mind the horrible bandwidth
Tunnel will not work if you only have a NATed IPv4 from your ISP.
Anyway it is great that you kept that option in mind and also asked the ISP for it.
At least some ISPs give IPv6 to their mobile customers (LTE)