VPN for Public IP

asintado08 (n00b, joined May 1, 2010, 22 messages)
I have this problem. My new ISP at my new place doesn't provide any public IP. I need to have a public IP for CCTV viewing, RDP, and Plex. I am thinking of renting a VPS with a public IP and creating an OpenVPN server with ubuntu 12.0.4. I will VPN to this server from my pfSense router. The pfSense router will do all the port forwarding.

Questions:

1. Is my plan going to work?
2. Do you have other suggestions?

Diagram:

VPN Server with Public IP > pfSense > gigabit switch and wireless AP > network.
 
Do you mean public or static?

A public IP is something you would NEED in order for your ISP to provide you with service.

A static IP is something that is desirable but not necessarily a requirement.

Depending on your ISP's policies it may or may not be necessary to have a static IP.

My ISP doesn't offer static IPs on their residential services, but I've had the same IP for a couple of years now.

The way my ISP works is that they give you a 24-hour lease on your "dynamic" IP, but if your CPE is powered up and connected to their network when the lease is due for renewal it will retain the same IP.

As I say, your ISP may work differently, but that's how mine does it.
 
If you don't have a public IP, you won't have much luck for an inbound tunnel, obviously.

If you could RDP to a jump box, from inside your network you could conceivably have a shot. The issue will be whether and what type of VPN your PAT'd home connection will allow outbound.

e.g. SSL VPN is an obvious one, but usually that's only for client VPN.

ESP / tunnel-based VPNs are less likely, but possible.

And then there's pure UDP transport, which would support NAT-T, required when your tunnel will run over a NAT / PAT type connection.
 
A setup along the lines of what you describe can be made to work, but it will require a good understanding of networking to pull off successfully.

Firstly, it's the VM that has the public IP. Therefore, unless the VPS provider gives you multiple public IPs, you have to do "Destination NAT" (what most router vendors call "port forwarding") on the VM. You can either do a second layer of NAT/port forwarding on the VPN client box or you can set up the VPN in such a way that it becomes part of your LAN.

The second problem is that the response traffic needs to go back to the VM so the NAT on the VM can correctly do the reverse translation and send the replies back out to the internet. If you send all traffic through the VPN that's easy, but if you don't want regular internet traffic from the devices that receive the port forwards to go through the VPN then it gets trickier.

One option is to have the VPS change both the source and destination of the packets (apply both SNAT and DNAT to the traffic) so that the packets appear to come from the VPN server's VPN IP. The upside of this approach is that the box on your LAN doesn't have to do anything special to make traffic go back to the VPN server. The downside is that you lose the ability to see where traffic on the forwards came from.

Another option, if forwarding a handful of ports and if the OS on the VPN client box can do it (I've no idea if pfSense can, I'm a Linux man myself), is to route traffic back to the VPN based on source port (remember a reply to an internet packet swaps source and destination IP/port information).
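As an added illustration of the VPS-side NAT this post describes (example code written for this page, not something anyone posted in the thread): a POSIX shell script that prints the iptables rules for both variants, DNAT only and SNAT plus DNAT. The interface names eth0 and tun0, the tunnel address 10.8.0.1, the OpenVPN port, the LAN hosts and the port list are all assumed values, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): print the iptables rules a Linux VPS
# needs to forward inbound public ports to hosts behind an OpenVPN
# site-to-site tunnel. Interface names, addresses and ports are assumptions.

WAN_IF="eth0"             # VPS interface that holds the public address
VPN_IF="tun0"             # OpenVPN server interface
VPN_SERVER_IP="10.8.0.1"  # VPS end of the tunnel, used as the SNAT source
OPENVPN_PORT="1194"       # assumed OpenVPN listening port (UDP)

# Forward list, one entry per line: proto public_port destination_ip destination_port
# Destinations may be LAN hosts (then the VPS needs a route to the LAN via the
# tunnel: a 'route' line in the server config plus 'iroute' in the client's ccd
# file) or the client router's tunnel address if that router does a second
# layer of port forwarding itself.
FORWARDS="
tcp 3389 192.168.1.10 3389
tcp 32400 192.168.1.20 32400
tcp 8000 192.168.1.30 80
"

# nat_rules MODE
#   dnat       DNAT only: the LAN side must route replies back into the tunnel
#   snat-dnat  DNAT plus SNAT: replies return to the VPS on their own, but the
#              LAN host sees every connection as coming from VPN_SERVER_IP
nat_rules() {
    mode="$1"
    case "$mode" in
        dnat|snat-dnat) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default-deny forwarding; only the explicit translations below pass
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p udp --dport $OPENVPN_PORT -j ACCEPT"
    printf '%s\n' "$FORWARDS" | while read -r proto pub dst dport; do
        [ -n "$proto" ] || continue
        # Rewrite the destination as the packet arrives on the public interface
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $pub -j DNAT --to-destination $dst:$dport"
        # Allow only the translated flow into the tunnel
        echo "iptables -A FORWARD -i $WAN_IF -o $VPN_IF -p $proto -d $dst --dport $dport -m conntrack --ctstate NEW -j ACCEPT"
        if [ "$mode" = "snat-dnat" ]; then
            # Rewrite the source too, so the LAN host's reply is addressed to the VPS
            echo "iptables -t nat -A POSTROUTING -o $VPN_IF -p $proto -d $dst --dport $dport -j SNAT --to-source $VPN_SERVER_IP"
        fi
    done
}

# Dry run: print the rule set. On the VPS, as root:  sh thisfile.sh snat-dnat | sh
nat_rules "${1:-dnat}"
```

The script only prints commands, so you can review the rule set before piping it into a shell as root. Note that with the default-deny FORWARD policy nothing but the listed ports can reach the LAN from the VPS's public side, which is the same exposure a normal port-forwarding router gives you.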
 
Get a cname from NO-IP.org and install their IP update utility on a computer that is always on, or if your router supports dynamic DNS you can do it there.

I do it that way and have had no issues.
 
> Do you mean public or static?
>
> A public IP is something you would NEED in order for your ISP to provide you with service.

I need a static and public IP. My previous ISP provided me with a public IP, so I used DynDNS. This allowed me to access my devices from outside my network.

> A setup along the lines of what you describe can be made to work, but it will require a good understanding of networking to pull off successfully.
>
> Firstly, it's the VM that has the public IP. Therefore, unless the VPS provider gives you multiple public IPs, you have to do "Destination NAT" (what most router vendors call "port forwarding") on the VM. You can either do a second layer of NAT/port forwarding on the VPN client box or you can set up the VPN in such a way that it becomes part of your LAN.
>
> The second problem is that the response traffic needs to go back to the VM so the NAT on the VM can correctly do the reverse translation and send the replies back out to the internet. If you send all traffic through the VPN that's easy, but if you don't want regular internet traffic from the devices that receive the port forwards to go through the VPN then it gets trickier.
>
> One option is to have the VPS change both the source and destination of the packets (apply both SNAT and DNAT to the traffic) so that the packets appear to come from the VPN server's VPN IP. The upside of this approach is that the box on your LAN doesn't have to do anything special to make traffic go back to the VPN server. The downside is that you lose the ability to see where traffic on the forwards came from.
>
> Another option, if forwarding a handful of ports and if the OS on the VPN client box can do it (I've no idea if pfSense can, I'm a Linux man myself), is to route traffic back to the VPN based on source port (remember a reply to an internet packet swaps source and destination IP/port information).

Ohhmygod!

It is more complicated than I thought. It will require additional work and research from me. I already have an OpenVPN server on Azure (MSDN credits). I'm pretty sure Azure can provide me with an additional IP. I will test the things that you told me.

Meanwhile, I will look for a VPN provider that will give me the service I need, to save me the trouble. If you guys know any provider that can provide the service that I need, please reply below.

Thanks.
 
If you have a modem in your place then 99% sure you have a public IP assigned to you.

Whatismyip.com

If you are just hooked up with an ethernet cord (apartments are starting to do this) to your devices to get internet access via their public IP, it may be more locked down.
 
It sounds like the OP is behind CGNAT. There are ISPs that do not give you a public IP and instead you're given an RFC 6598 address (or an RFC 1918 address if your ISP implements CGNAT poorly). The issue network-savvy customers run into is that they can no longer control DNAT, as they are effectively double NAT'd with the outer NAT not under their control.

If this is the case then you'll have to tunnel out to a provider who will give you a standard IP address. You can do this with a VPN as you were thinking.

If you have the technical know-how, you can sign up for a Hurricane Electric IPv6 tunnel broker, which will give you a routable IPv6 address block (a /48 I think). This is free.
 
If you are in fact behind carrier-grade NAT, most ISPs that implement it also support port forwarding through a web configuration interface.

Check with your ISP to see if they are running CGN.
 
> If you have a modem in your place then 99% sure you have a public IP assigned to you.
>
> Whatismyip.com
>
> If you are just hooked up with an ethernet cord (apartments are starting to do this) to your devices to get internet access via their public IP, it may be more locked down.

I do have a modem and I have an IP address that is assigned only to me. It is just that this particular ISP will not let you access that IP address from the outside.

> It sounds like the OP is behind CGNAT. There are ISPs that do not give you a public IP and instead you're given an RFC 6598 address (or an RFC 1918 address if your ISP implements CGNAT poorly). The issue network-savvy customers run into is that they can no longer control DNAT, as they are effectively double NAT'd with the outer NAT not under their control.
>
> If this is the case then you'll have to tunnel out to a provider who will give you a standard IP address. You can do this with a VPN as you were thinking.
>
> If you have the technical know-how, you can sign up for a Hurricane Electric IPv6 tunnel broker, which will give you a routable IPv6 address block (a /48 I think). This is free.

I will try your suggestion.
 
> It is just that this particular ISP will not let you access that IP address from the outside.

This statement needs to be clarified. Is the address an RFC 1918 or RFC 6598 address? (For reference, those networks are 100.64.0.0/10, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.)

What does "ISP will not let you access that IP address from the outside" actually mean? Your original form of this statement, "not a public IP", indicates CGNAT; the form you just gave indicates the ISP preventing inbound connections via a firewall.
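As an added example of the check this post is asking for (written for this page, not posted by anyone in the thread): a POSIX shell script that puts a WAN address into the RFC 6598, RFC 1918 or public bucket and combines that with the address an outside site reports, so the CGNAT case and the "ISP filters inbound" case come apart. Every address in it is constructed (documentation ranges), and the wording of the verdicts is mine.

```shell
#!/bin/sh
# Added example (not from the thread): classify the address on the WAN side
# of your router and compare it with the address the outside world sees, to
# tell CGNAT (RFC 6598 space) from an ISP that merely filters inbound
# connections. The sample addresses at the bottom are constructed.

# ip_to_int A.B.C.D -> 32-bit integer (runs in a subshell so IFS is untouched)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDR NETWORK PREFIXLEN -> true when ADDR lies inside NETWORK/PREFIXLEN
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# ip_class ADDR -> cgnat | rfc1918 | public
ip_class() {
    if in_cidr "$1" 100.64.0.0 10; then
        echo cgnat
    elif in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16; then
        echo rfc1918
    else
        echo public
    fi
}

# diagnose WAN_ADDR EXTERNAL_ADDR
#   WAN_ADDR      what the modem/router WAN interface was assigned
#   EXTERNAL_ADDR what a site such as whatismyip.com reports for you
diagnose() {
    case "$(ip_class "$1")" in
        cgnat)
            echo "CGNAT: WAN address is in 100.64.0.0/10; the ISP NAT is outside your control, tunnel out to a host with a public address" ;;
        rfc1918)
            echo "private WAN address: you are behind the ISP's NAT (double NAT), same remedy as for carrier-grade NAT" ;;
        public)
            if [ "$1" = "$2" ]; then
                echo "public WAN address and the outside sees the same one: inbound is being filtered upstream, not NATted"
            else
                echo "public WAN address but the outside sees $2: the ISP is still translating you (NAT with public-range internal addresses)"
            fi ;;
    esac
}

# Constructed sample: three possible WAN addresses, the outside always sees 203.0.113.9
for wan in 100.70.12.34 192.168.0.2 203.0.113.9; do
    echo "$wan -> $(diagnose "$wan" 203.0.113.9)"
done
```

Run it with the address your modem shows on its WAN status page and the address whatismyip.com reports; the two of them together answer the question this post raises, whereas either one alone does not.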
 
> This statement needs to be clarified. Is the address an RFC 1918 or RFC 6598 address? (For reference, those networks are 100.64.0.0/10, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.)
>
> What does "ISP will not let you access that IP address from the outside" actually mean? Your original form of this statement, "not a public IP", indicates CGNAT; the form you just gave indicates the ISP preventing inbound connections via a firewall.

It is not under 100.64.0.0/10, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. My IP address right now is 49.144.182.2xx.

Here is the story. I called my ISP since port forwarding is not working. They told me that they don't allow port forwarding since I am not using a "public IP". DynDNS is also not working. I asked them if they can allow me to do port forwarding for an additional cost; they said no.

Right now, I am thinking of a site-to-site VPN to a VPS server that has a public IP just to make this work.
 
You are using a public IP (owned by Philippine Long Distance Telephone Company) right now. Is that the IP address assigned to the modem or did you get it from something like whatismyipaddress.com?

Either way, you could set up an OpenVPN server on a VPS, then use an OpenVPN-capable router to establish a true site-to-site VPN. You would then have to route the internal traffic accordingly.
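To go with the "route the internal traffic accordingly" step here, and with the source-port routing idea raised earlier in the thread, an added example (written for this page, not posted by anyone in the thread) for a Linux box in the OpenVPN-client/router role: it prints the iptables mangle and ip rule commands that send replies from the forwarded LAN services back through the tunnel while ordinary traffic keeps using the ISP uplink. It offers both the per-source-port marking the thread describes and a CONNMARK variant that generalizes to any forwarded port without a port list. Interface names, addresses, ports, the routing table number and the mark value are assumptions; whether pfSense can do the equivalent is a separate question.

```shell
#!/bin/sh
# Added example (not from the thread) for the Linux box acting as OpenVPN
# client and LAN router. It makes replies from forwarded LAN services leave
# via the tunnel while everything else keeps using the normal ISP uplink.
# Interface names, addresses, ports, table number and mark are assumptions.

LAN_IF="eth1"          # interface facing the LAN
VPN_IF="tun0"          # OpenVPN client interface
VPN_GW="10.8.0.1"      # VPS end of the tunnel
TABLE=100              # dedicated routing table for tunnel-bound replies
MARK=0x1

# Forwarded services as the LAN sees them: proto lan_ip lan_port
SERVICES="
tcp 192.168.1.10 3389
tcp 192.168.1.20 32400
tcp 192.168.1.30 80
"

# return_routes MODE
#   sport  mark replies by (source IP, source port) of each listed service,
#          the option described in the thread; every new forward needs a rule,
#          and any reply from those ports, whoever the client is, takes the tunnel
#   conn   mark the connection when it enters from tun0 and copy that mark onto
#          its replies (CONNMARK); covers any forwarded port without a list
return_routes() {
    mode="$1"
    case "$mode" in
        sport|conn) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # Marked packets are routed via the tunnel; unmarked traffic is untouched
    echo "ip route replace default via $VPN_GW dev $VPN_IF table $TABLE"
    echo "ip rule add fwmark $MARK lookup $TABLE"
    case "$mode" in
        sport)
            printf '%s\n' "$SERVICES" | while read -r proto lan_ip lan_port; do
                [ -n "$proto" ] || continue
                echo "iptables -t mangle -A PREROUTING -i $LAN_IF -p $proto -s $lan_ip --sport $lan_port -j MARK --set-mark $MARK"
            done ;;
        conn)
            echo "iptables -t mangle -A PREROUTING -i $VPN_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK"
            echo "iptables -t mangle -A PREROUTING -i $LAN_IF -m connmark --mark $MARK -j CONNMARK --restore-mark"
            ;;
    esac
    # Strict reverse-path filtering would drop packets arriving on tun0 from
    # internet sources whose best route is the ISP uplink; loose mode keeps them
    echo "sysctl -w net.ipv4.conf.all.rp_filter=2"
    echo "sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2"
}

# Dry run: print the commands. On the router, as root:  sh thisfile.sh conn | sh
return_routes "${1:-conn}"
```

The CONNMARK variant is the one to prefer on a Linux router: it keys on the interface a connection entered through rather than on a port list, so a new forward on the VPS side needs no change here, and it never diverts a LAN host's own outbound sessions.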
 