Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Can't connect to Wireguard on OPNSense from Visible LTE (poss. due to CGNAT?)
« previous
next »
Print
Pages: [
1
]
Author
Topic: Can't connect to Wireguard on OPNSense from Visible LTE (poss. due to CGNAT?) (Read 1200 times)
tgice
Newbie
Posts: 4
Karma: 0
Can't connect to Wireguard on OPNSense from Visible LTE (poss. due to CGNAT?)
«
on:
May 31, 2023, 01:55:05 am »
Hi,
I've been running OPNSense successfully for a few years and Wireguard on it for a year or two. It's worked great. It was pretty easy to setup and I like the speed and simplicity of it.
I previously had cellular service through Mint Mobile and I had my Pixel 6 configured to connect to my home OPNSense box on an Xfinity cable connection. This worked fine and was very reliable.
Then I switched phone service to Verizon's MVNO Visible. Now it does not work. At first I thought it might be something weird with UDP and started chasing that down but now based on some simple iperf3 tests I've done (running a server listening on a low port number on OPNSense and running an iperf3 client on another (non-cellular) machine outside of my network, I can always connect to the iperf3 server with either UDP or TCP at that port).
When I try the same iperf3 test from my Pixel 6 when only on the Visible LTE connection, I get nothing with either UDP or TCP. No indication it's getting through.
So now I'm wondering whether either:
a) Visible is for some reason blocking access to known home IP addresses (or specifically Xfinity home IP addresses) or
b) Xfinity is blocking access
from
Visible's blocks of IP addresses (though I've tried this in another city and had the same problem there)
Does anyone have any suggestions on where to look next, other diagnostics to try or whether I should approach Visible or Xfinity first on this?
I've not found many references to problems like this outside of some talk of needing to use IPv6 (which I have attempted to enable in my Wireguard client) or reduce the MTU size or something (also attempted this).
Any other ideas? I'm frustrated and at a loss. This VPN connection is rather important to me to be able to make work over LTE.
«
Last Edit: June 05, 2023, 06:38:36 pm by tgice
»
Logged
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Can't connect to Wireguard on OPNSense from new cellular network (Visible)
«
Reply #1 on:
May 31, 2023, 08:12:52 am »
Try Tailscale?
https://www.youtube.com/watch?v=Uzcs97XcxiE
If your provider blocks WireGuard then that will fail as well. If it is funky routing/CGNAT then Tailscale will fix it.
Logged
tgice
Newbie
Posts: 4
Karma: 0
Re: Can't connect to Wireguard on OPNSense from new cellular network (Visible)
«
Reply #2 on:
June 05, 2023, 06:38:05 pm »
@bartjsmit, awesome! Thanks for the lead on Tailscale, which I'd not even heard of yet.
It was very simple to setup and as they say it "just works". I do have reason to believe that my (Verizon-owned) Visible LTE connection may be using CGNAT (which I'd also never heard of ... I'm a little behind in my tech research I guess) based on doing a tracert to my LTE WAN IP from that IP and seeing multiple hops (one method I found of detecting you're on a CGNAT IP).
So the good news is Tailscale works around this and it looks like a great product and will probably work well for me, for now. However, assuming some day they may want to start charging for even light users like myself (or that I'm especially security paranoid and would rather have as few third parties involved in my private networks as possible), has anyone worked out a way around CGNAT-related problems as far as getting Wireguard to work natively on Android to a Wireguard host on OPNSense?
I wouldn't have any idea where to begin with that but will probably be interested in it in the future.
In the meantime thanks again for the suggestion, it's probably going to work great for me as a workaround at least.
Logged
tgice
Newbie
Posts: 4
Karma: 0
Re: Can't connect to Wireguard on OPNSense from Visible LTE (poss. due to CGNAT?)
«
Reply #3 on:
June 05, 2023, 06:41:17 pm »
Since my understanding of the reason behind CGNAT is the ever-shrinking pool of available IPv4 addresses, which of course IPv6 was designed to combat, wouldn't CGNAT on your LTE connection be avoidable as a problem as long as you could do a pure IPv6-to-IPv6 connection?
I'm reasonably sure my home cable connection has both IPv4 (not CGNAT, apparently)
and
IPv6 addresses. Not sure about the Visible LTE one yet though.
Logged
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Can't connect to Wireguard on OPNSense from Visible LTE (poss. due to CGNAT?)
«
Reply #4 on:
June 06, 2023, 07:44:57 am »
The Tailscale direction of travel seems to be in expanding mindshare for growth. They expanded the free tier from 20 to 100 devices. The biggest risk is with their longevity I reckon.
There is however a self hosted version
https://github.com/juanfont/headscale
which you could run on a VPS - search YouTube for 'oracle free tier'. This obviously shifts the risk to Oracle cutting the freebies, but hey, your ISP may have seen the light by then
Speaking of YouTube, Alex from selfhosted.show did a good video on running Tailscale on OPNsense (without a plugin for now)
https://www.youtube.com/watch?v=Uzcs97XcxiE
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Can't connect to Wireguard on OPNSense from Visible LTE (poss. due to CGNAT?)