CGNAT on both ends. Considering cloud VPN hosting as a go-between. One site has multiple fallback connections - can it stay connected? Is this setup practical?

I can only access a mobile connection at my farm, which appears to have multiple layers of CGNAT between network segments. Zero documentation available and most P2P services like online gaming don’t work at all. You can’t even ping another mobile device… usually.

I want to be able to remotely log in to my farm SCADA system from my wife’s place in the city. This location is also CGNAT but does allow some form of hole punching, as I can play games on my Switch (which is terrible at penetrating NAT of any sort).

I also want to be able to play games with my daughter who stays at my wife’s place most of the time. LAN Minecraft over a VPN would make my day.

So neither end can act as a server. I’m considering setting up a DigitalOcean droplet running OpenVPN (just because it’s a one-click setup) and logging in from both ends. These droplets appear to be fully exposed with a real IPv4 address. Or I could try the EC2 or GCP free tiers, but pricing is confusing on these; I’m an embedded, not cloud, guy…

The farm connection is a little complicated using a metered connection as fallback for an unmetered connection (phone hotspot). A Raspberry Pi acts as the gateway, responsible for detecting the phone hotspot and routing local traffic through it if available.

As I type this I am connected PC->Local net->Pi->Phone Hotspot->CGNAT

So… can I set up OpenVPN on the Pi so that it will maintain a connection to my cloud provider regardless of which connection is available? Or will it drop out every time the routing table changes? Any help appreciated.
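One way to lay out the hub-and-spoke setup described above, as an added example rather than configuration from this thread: the cloud host is the only side with a reachable address, and both CGNAT sites are spokes that only ever initiate. Everything here is assumed for illustration: hub public IP 203.0.113.10, tunnel subnet 10.8.0.0/24, farm LAN 192.168.10.0/24, city LAN 192.168.20.0/24, and the `<..._KEY>` placeholders stand in for real keys. The two points a practitioner cares about are that `AllowedIPs` is the access list (a decrypted packet whose source is outside the peer's `AllowedIPs` is dropped, so the city host cannot spoof farm addresses), and that `PersistentKeepalive` is what keeps the CGNAT mapping open and teaches the hub the Pi's new source address after an uplink switch.

```shell
#!/bin/bash
# Hub-and-spoke WireGuard layout for two CGNAT sites behind one cloud host.
# Keys are placeholders; generate real ones on each host with:
#   wg genkey | tee privatekey | wg pubkey > publickey
set -eu

HUB_PUBLIC_IP="203.0.113.10"   # assumed: the cloud host's public IPv4 (documentation range)
FARM_LAN="192.168.10.0/24"     # assumed: the LAN behind the Pi at the farm
CITY_LAN="192.168.20.0/24"     # assumed: the LAN at the city end (drop to 10.8.0.3/32 for a single PC)

gen_wg_configs() {  # <output-dir>
  local out="$1"
  mkdir -p "$out"

  # Hub. AllowedIPs is both the route and the ACL: a packet decrypted from a peer is dropped
  # unless its source address lies inside that peer's AllowedIPs. The hub forwards
  # wg0<->wg0 only and accepts nothing addressed to itself from inside the tunnel.
  cat > "$out/hub-wg0.conf" <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -I FORWARD -i wg0 -o wg0 -j ACCEPT; iptables -I INPUT -i wg0 -j DROP
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT; iptables -D INPUT -i wg0 -j DROP

[Peer]
# farm Pi: may source its tunnel address and the farm LAN, nothing else
PublicKey = <FARM_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32, ${FARM_LAN}

[Peer]
# city host
PublicKey = <CITY_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32, ${CITY_LAN}
EOF

  # Spokes: no ListenPort (nothing to open behind CGNAT) and the hub as the only Endpoint.
  # PersistentKeepalive keeps the NAT mapping alive and, after the Pi changes uplink, is the
  # packet that teaches the hub the new source address, so the tunnel survives the IP change.
  cat > "$out/farm-wg0.conf" <<EOF
[Interface]
Address = 10.8.0.2/24
PrivateKey = <FARM_PRIVATE_KEY>

[Peer]
PublicKey = <HUB_PUBLIC_KEY>
Endpoint = ${HUB_PUBLIC_IP}:51820
AllowedIPs = 10.8.0.0/24, ${CITY_LAN}
PersistentKeepalive = 25
EOF

  cat > "$out/city-wg0.conf" <<EOF
[Interface]
Address = 10.8.0.3/24
PrivateKey = <CITY_PRIVATE_KEY>

[Peer]
PublicKey = <HUB_PUBLIC_KEY>
Endpoint = ${HUB_PUBLIC_IP}:51820
AllowedIPs = 10.8.0.0/24, ${FARM_LAN}
PersistentKeepalive = 25
EOF
}

# Check before deploying: a prefix listed under two peers is silently handed to the peer
# loaded last, which would send one site's LAN to the wrong host. Prints exact duplicates.
hub_allowedips_duplicates() {  # <hub-conf>
  sed -n 's/^AllowedIPs *= *//p' "$1" | tr ',' '\n' | tr -d ' ' | sort | uniq -d
}

gen_wg_configs "${1:-./wg-out}"
hub_allowedips_duplicates "${1:-./wg-out}/hub-wg0.conf"
```

The `INPUT -i wg0 -j DROP` rule is a deliberate choice: the hub is managed over its public address, so nothing inside the tunnel needs to reach 10.8.0.1 itself, and a compromised spoke gains no foothold on the relay. The duplicate check only catches identical prefixes; overlapping prefixes (a /24 under one peer and a /32 inside it under another) are legal and resolve to the longest match.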

Makes sense, so I would have to rely on the client detecting a broken connection and reestablishing the link.

I’m looking into Wireguard instead of OpenVPN, which is supposed to offer better performance and seamless IP roaming; would this be a better solution? I’ve never used it but it actually looks way easier to set up.

The changing public IP and broken connections on switchover are among the issues I’m trying to solve with the VPN.

The metered connection (a hardwired 3G modem) is eligible for a static IP, but at $30 it is more than double the $20 that I pay for the 1GB of data. Massive overage charges, too. That’s why this connection is pretty much only used for telemetry, and when I’m at home the gateway switches everything over to use the phone.

The phone hotspot is an unlimited talk/text/data plan that is not really meant for the use I put it through, and as a consumer product has no option for a static IP.

Regardless, when switching between the two connections, the IP has to change. I’ve been experimenting with Wireguard today and it’s quite impressive with seamless roaming, it looks like what I want. It will maintain a robust link while switching between two public IPs.

Now the trick is figuring out what layer a Wireguard VPN actually is and how to route all WAN traffic into it, then route it over the available connection. This document appears to describe doing exactly that, but uses multiple routing tables and/or namespaces - which I have no experience with. Guess I have some learning to do!

However at least I now have a free GCP instance and a couple point to point tunnels that will let me access my systems securely. Wireguard is amazingly easy to set up!
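The "route all WAN traffic into the tunnel, then over whichever uplink is up" problem from the last post, and the "rely on the client detecting a broken connection" point from earlier, both come down to a few lines on the Pi. The script below is an added example, not something from this thread or from the WireGuard project; it assumes the interface is `wg0`, that the tunnel is normally brought up with `wg-quick` from `/etc/wireguard/wg0.conf`, and that `<HUB_PUBLIC_KEY>` and `203.0.113.10:51820` are placeholders for the hub. WireGuard is a layer-3 interface, so the trick is policy routing: payload takes a default route via `wg0`, while the encrypted UDP carries a firewall mark that sends it through the main table instead, where the Pi's existing hotspot-detection logic already maintains the default route. The watchdog uses the one piece of state WireGuard exposes, the last handshake time, since there is no "connection" to drop.

```shell
#!/bin/bash
# Pi side: tunnel as default route, WireGuard's own UDP following the current uplink,
# plus a handshake watchdog. Names and addresses are assumed placeholders.
set -eu

WG_IF="wg0"
HUB_PUBKEY="<HUB_PUBLIC_KEY>"        # assumed placeholder for the hub's public key
STALE_AFTER=180                      # seconds; WireGuard itself rejects a session older than 180 s

# What wg-quick does for AllowedIPs = 0.0.0.0/0 with Table = auto, spelled out so the
# moving parts are visible (only needed with a hand-built wg0, not with wg-quick):
#  - tunnel payload hits table 51820, whose only route is "default via wg0"
#  - WireGuard's encrypted UDP carries fwmark 51820, skips that table and uses main,
#    i.e. the uplink of the moment
#  - the suppress_prefixlength rule lets every non-default route in main (LAN, hotspot
#    subnet) win, while main's default route is ignored in favour of the tunnel
install_policy_routing() {
  wg set "$WG_IF" fwmark 51820
  ip -4 route add 0.0.0.0/0 dev "$WG_IF" table 51820
  ip -4 rule add not fwmark 51820 table 51820
  ip -4 rule add table main suppress_prefixlength 0
}

# Hook for the existing hotspot-detection logic: only main's default route changes; the
# tunnel and the rules above stay, so WireGuard simply roams to the new source address.
switch_uplink() {  # <iface> <gateway>
  ip -4 route replace default via "$2" dev "$1"
}

# Parse `wg show wg0 latest-handshakes` output ("<pubkey>\t<epoch>" per peer, 0 = never)
# and print the age in seconds of the hub's last handshake. Fails if the hub is not listed.
handshake_age() {  # <show-output> <pubkey> <now-epoch>
  local epoch
  epoch=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }')
  [ -n "$epoch" ] || return 1
  echo $(( $3 - epoch ))
}

# True (exit 0) when the tunnel is down: no handshake within STALE_AFTER, or hub peer missing.
tunnel_is_stale() {  # <show-output> <pubkey> <now-epoch>
  local age
  age=$(handshake_age "$1" "$2" "$3") || return 0
  [ "$age" -gt "$STALE_AFTER" ]
}

# Run from cron or a systemd timer. WireGuard retries handshakes on its own after an IP
# change; this covers the case where the old uplink died silently and the Pi still holds
# stale route state. Bouncing via wg-quick rebuilds the policy rules as well.
watchdog() {
  local out
  out=$(wg show "$WG_IF" latest-handshakes)
  if tunnel_is_stale "$out" "$HUB_PUBKEY" "$(date +%s)"; then
    logger -t wg-watchdog "no handshake with hub for >${STALE_AFTER}s, bouncing $WG_IF"
    wg-quick down "$WG_IF" || true
    wg-quick up "$WG_IF"
  fi
}

case "${1:-}" in
  install)  install_policy_routing ;;
  uplink)   switch_uplink "$2" "$3" ;;
  watchdog) watchdog ;;
esac
```

Usage on the Pi would be `./wg-pi.sh uplink usb0 192.168.43.1` from the hotspot-detection script and `./wg-pi.sh watchdog` from a timer (both interface and gateway are illustrative). With `PersistentKeepalive = 25` on the Pi's peer, a handshake happens at least every couple of minutes even with no user traffic, so an age above 180 seconds really does mean the hub has not been reachable. One caveat: once the default route goes into the tunnel, all farm internet traffic transits the hub too, so the hub needs NAT for that and the metered uplink sees the full volume; if only the site-to-site traffic should go through, keep `AllowedIPs` at the tunnel subnet and the other site's LAN instead of 0.0.0.0/0.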