OpenVPN can route whatever size subnet you want ;)
But you will also need a subnet for the OpenVPN clients. That subnet can be RFC 1918, but I would advise against that.
Ruben - ON3RVH
On 21 Sep 2018, at 22:00, Steve L <kb9mwr(a)gmail.com> wrote:
On Fri, Sep 21, 2018 at 2:20 PM <secret.memail.com(a)gmail.com> wrote:
It is certainly true that many home users are now behind firewalls and “NAT” devices
that cause issues with many tunneling protocols such as IPIP. It’s worthwhile to mention
that for a majority of these people it is possible to fix this issue with a third party
device such as Ubiquiti’s Edgerouter X. I have seen a number of threads about this so it
is clear that a majority of the participants in this mailing list are aware of this
solution.
The issue is with those who utilize an ISP that uses “Carrier Grade NAT” (often just
“CGNAT”). In this situation, the user will often have no control over the firewall or
“NAT” appliance and therefore no way to allow IPIP (or otherwise) traffic to travel to
their 44net router.
I am surprised that there have not been a significant number of threads about this
issue before especially as there appears to be no good solution (not to say that there are
not any solutions).
Bryce Wilson, AS202313
Note about NAT and NAT related terms being in quotation marks: I have been informed
several times that the version of NAT found on most consumer hardware is in fact not NAT
(Network Address Translation) but Stateful PAT (Port Address Translation). I use NAT above
because that is the term that the majority of people would be familiar with. I aim not to
use terms that are technically correct but not understood by the reader.
I often wonder how many people outside of mobile providers are behind
carrier grade NAT. At some point I suppose it's inevitable for IPv4.
I am hoping if providers implement that, they are at least offering
IPv6 too.
As for our purposes behind carrier NAT, John K9VE proposed a solution.
And it's to buy a cheap VPS (virtual host) and have a 44net subnet
brought to it by BGP. From there you could use OpenVPN which is
stateless (continuous handshaking to keep the outside connection open)
so you don't need to worry about protocol/port forwarding from your
home connection to the VPS.
I don't think you are able to bring in more than one IP address (per
connection) with OpenVPN though. Where with IPIP you can specify
something other than a /32 to tunnel to you. I am sure there are
other open source stateless VPN packages that I don't know about
though.
The other thing is BGP requires nothing less than a /24 so you might
end up with an allocation to your VPS that is bigger than you really
need. So a group approach might be best.
https://groups.io/g/net-44-vpn/wiki/home
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
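
A sketch of the two-subnet layout Ruben describes, added here as an illustration and not taken from any message in the thread. Assumptions: 198.51.100.0/24 (a documentation range) stands in for the /24 announced to the VPS, the client certificate name home-router and all file paths are hypothetical, and OpenVPN 2.4 or later is in use.

```conf
# --- /etc/openvpn/server.conf on the VPS (path assumed) ---
port 1194
proto udp
dev tun
topology subnet

# TLS material; placeholder paths. "dh none" relies on ECDH (OpenVPN 2.4+).
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   none

# Subnet for the OpenVPN clients themselves (tunnel endpoints).
# Carved out of the announced /24 here instead of using RFC 1918 space.
server 198.51.100.0 255.255.255.240

# Subnet to be routed to one client. "route" installs the kernel route
# that sends 198.51.100.16/28 into the tunnel interface ...
route 198.51.100.16 255.255.255.240
# ... and the per-client file below tells OpenVPN which client owns it.
client-config-dir /etc/openvpn/ccd

# The client connects outbound and these pings keep the NAT mapping alive,
# so nothing has to be forwarded on the home or carrier side.
keepalive 10 60
persist-key
persist-tun

# The VPS and the client router must both have IPv4 forwarding enabled
# (net.ipv4.ip_forward=1) for the routed subnet to pass traffic.

# --- /etc/openvpn/ccd/home-router (file name = client certificate CN) ---
# OpenVPN-internal route: hand 198.51.100.16/28 to this client.
# Any prefix length works here, not only a /32.
iroute 198.51.100.16 255.255.255.240
```

Both the `route` line and the matching `iroute` line are needed: the first gets packets from the kernel into the OpenVPN process, the second selects the client inside it.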