Hi guys! IN a bit of a rush, I installed a server on a place where I knew I’d have trouble reaching, as their router is behind CGNAT. I want now to start installing some VMs etc. At the moment all I have is a VM running Windows running Teamviewer for remote access (I know, I know). I have most of my services hosted on a local home server that runs rather well and has plenty of bandwidth. Among these, there’s a PiVPN running on my home server that works rather well. Is there a way I could make that remote CGNAT server connect to my VPN and be reachable/pingable/show webpages locally?
Thanks!
you could use tailscale for that, it should be able to punch through the CGNAT
As someone else who uses Tailscale behind a CGNAT, this indeed works. I use it for accessing my home server from the office for a year now. You can’t quite self host anything public facing but anything on your tailnet can talk to it just fine.
Theoretically a VPS proxy into the server over the VPN could work for devices not capable of running tailscale but your mileage may vary.
WireGuard as well.
Cloudflare tunnels can punch a hole through that. Get a reverse proxy setup for your apps and VMs, then create a cloudflare tunnel and you’re off to the races.
Cloudflare tunnels would be the easiest/cheapest way to go about it. But always be mindful that if you violate their terms and conditions, you could find yourself with a high bandwidth bill.
Sorry, but I’m a bit lost with these specifics. I currently have a reverse proxy (nginx) publishing some of my apps running locally on my home server. Where should I put the reverse proxy? On the remote unreachable server, or? And how would the tunnel go?
On the server that’s behind CGNAT, install Cloudflare tunnel. The tunnel will create an out going connection to Cloudflare, with an open socket; when you try to hit your specified subdomain, Cloudflare will receive your request, send it through the tunnel, and thus allow you to connect to your service.
Yes, you can connect the device behind CGNAT to your existing VPN as a client. Then, from inside the VPN, you would use the its virtual address to connect to it. You can use a systemd service or similar to have the VPN connect at boot.
Oh wow, I’ll have to try this! Can then the virtual IPs be pinged in Wireguard VPNs? (I mean, PiVPN is simplifying Wireguard anyway).
Yes. All devices connected to the VPN will have a private IP inside the virtual network. You can use these to communicate as though they were public IPs, except that they can’t be used from outside the VPN.
That would be my problem right? In my understanding, if I get some remote device to dial into my home network through a PiVPN running in my home network, i believe the remote devices can access and ping home devices, but no home device other than the PiVPN can ping them back? Right?
You would need to set up routes on these other devices to tell them that VPN devices can be reached through the Pi. It’s possible, but I’ve never done it myself, so I don’t have any useful pointers.
Do you have IPv6? That usually isn’t behind any kind of NAT and you can just let machines through the firewall.