I was planning on providing OPNsense firewalls to my parents house across the pond. I am setting up the mini-pc’s up with Opnsense and will deploy the unit when I visit them next. So I thought it’d be great to connect both our firewalls using Site-2-Site VPN. Unfortunately, all ISPs that provide internet to my parent’s house use CGNAT.
What are my options to enable connectivity between the 2 houses? I have done some research but the 2 options that I found have some drawbacks.
ZeroTier – I have seen @LTS_Tom 's video (ZeroTier VS VPN and A Look At The Data Stream With Wireshark - YouTube) but I am a bit concerned about my data passing through 3rd party servers. Secondly, if I use the ZeroTier plugin on Opnsense – will all the devices behind these firewalls be able to talk to each other?
VPS serving OpenVPN – additional cost of VPS and having to monitor the bandwidth etc.
Are there any other options in the CGNAT scenario? My preference would be to self host a VPN (Site-2-Site or Road-Warrior style) but I am not sure if that is even possible.
If you setup a RAS on your side and a client at your parents you have a tunnel. You now need to tweak the setting on the server for it to now act like a site-to-site (not quite sure which but must be possible - on my to do list as this is what I have instead of site-to-site using this approach as a fallback if something goes wrong).
Additionally if I recall correctly from ages ago, QNAP had some kinda hole-punching VPN approach. They have/had a service allowing access to a QNAP and/or between QNAP devices, basically it must be some kinda solution whereby they host the VPN server and route the traffic between devices. Don’t fully recall but you might want to investigate as it might work out cheaper than a VPS service.
Thanks @LTS_Tom – I have a dynamic IP – but that can be handled by DDNS (which I already have setup).
Are you saying that a Road warrior VPN would just work or were you talking about a Site-2-Site VPN? Is there any way to have an “always-on” kind of connection — that would be easier for my totally non-tech parents. But if that is not possible, then maybe I can make it as easy as possible for them to initiate the connection.
As Tom said but just use a site to site. in OpenVPN a site to site still has a “server” and a “client” so just set your place up as the server and them as the client.
Just out of interest, “other side of the pond” I am guessing you mean the Atlantic pond, which side are you on? I’m in the UK and there are plenty of ISP’s here that do none CGNAT and static IP addressing.
ps. First hand experience, one of my office locations is on a 4g router with cgnat and it connects back to base absolutely fine. I even filter the inbound connection based on IP using Dynamic DNS through a free cloudflare account
Might be handy to have a raspberry pi set up as a second client at your parents, small, cheap and decent backup to the backup. A flight won’t be cheaper.
Should both the connections Server–Client1 and Server–Client2 be on separate Tunnel networks or can I use the same Tunnel network? What are the repercussions of either option?
Should I be using a /30 Tunnel network instead of a /24 as there would only be the Server and Client --especially if I am using separate Tunnel networks for each client
In the Concurrent Connections option – say if I set this to 2 (does it mean 2 client sites can connect or does it mean only 2 client machines can connect? eg. if 2 computers from client1 connect, no computers from client2 can connect until a connection is released?
If both clients connect to the server, will traffic be routable directly between the 2 clients as well, if I push the appropriate remote networks in the Server configuration?
I’ll ask the ISP if they provide IPv6. But that would mean that I would have to switch over to IPv6 too which would be a hassle as I have set up everything on my network to only use IPv4.
@LTS_Tom mentioned earlier that OpenVPN would work in a CGNAT scenario if the client sites would call the Server as long as the Server had a public IP. Will IPSec work across CGNAT too?
Once the VPN connection in initiated, all devices should be pingable from server to client and client to server, correct?
In my case on the internal network I use only IPV4, but for VPN I prefer to make a direct connection, no third-party software as this can greatly reduce the VPN bandwidth and complicate troubleshooting.
About the exchange of DNS, nothing simpler than DDNS, in the same way that I always worked with VPN IPV4
