Hi guys! IN a bit of a rush, I installed a server on a place where I knew I’d have trouble reaching, as their router is behind CGNAT. I want now to start installing some VMs etc. At the moment all I have is a VM running Windows running Teamviewer for remote access (I know, I know). I have most of my services hosted on a local home server that runs rather well and has plenty of bandwidth. Among these, there’s a PiVPN running on my home server that works rather well. Is there a way I could make that remote CGNAT server connect to my VPN and be reachable/pingable/show webpages locally?

Thanks!

  • Leafimo@feddit.de
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    1 year ago

    you could use tailscale for that, it should be able to punch through the CGNAT

    • Funwayguy@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      As someone else who uses Tailscale behind a CGNAT, this indeed works. I use it for accessing my home server from the office for a year now. You can’t quite self host anything public facing but anything on your tailnet can talk to it just fine.

      Theoretically a VPS proxy into the server over the VPN could work for devices not capable of running tailscale but your mileage may vary.

  • TwinTurbo@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    Yes, you can connect the device behind CGNAT to your existing VPN as a client. Then, from inside the VPN, you would use the its virtual address to connect to it. You can use a systemd service or similar to have the VPN connect at boot.

    • ibroughtashrubbery@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Oh wow, I’ll have to try this! Can then the virtual IPs be pinged in Wireguard VPNs? (I mean, PiVPN is simplifying Wireguard anyway).

      • TwinTurbo@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Yes. All devices connected to the VPN will have a private IP inside the virtual network. You can use these to communicate as though they were public IPs, except that they can’t be used from outside the VPN.

        • ibroughtashrubbery@lemmy.mlOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          That would be my problem right? In my understanding, if I get some remote device to dial into my home network through a PiVPN running in my home network, i believe the remote devices can access and ping home devices, but no home device other than the PiVPN can ping them back? Right?

          • TwinTurbo@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            You would need to set up routes on these other devices to tell them that VPN devices can be reached through the Pi. It’s possible, but I’ve never done it myself, so I don’t have any useful pointers.

  • chiisana@lemmy.chiisana.net
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    1 year ago

    Cloudflare tunnels can punch a hole through that. Get a reverse proxy setup for your apps and VMs, then create a cloudflare tunnel and you’re off to the races.

    • ibroughtashrubbery@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Sorry, but I’m a bit lost with these specifics. I currently have a reverse proxy (nginx) publishing some of my apps running locally on my home server. Where should I put the reverse proxy? On the remote unreachable server, or? And how would the tunnel go?

      • chiisana@lemmy.chiisana.net
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        On the server that’s behind CGNAT, install Cloudflare tunnel. The tunnel will create an out going connection to Cloudflare, with an open socket; when you try to hit your specified subdomain, Cloudflare will receive your request, send it through the tunnel, and thus allow you to connect to your service.

    • Meow.tar.gz@lemmy.goblackcat.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Cloudflare tunnels would be the easiest/cheapest way to go about it. But always be mindful that if you violate their terms and conditions, you could find yourself with a high bandwidth bill.

  • 2xsaiko@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    1 year ago

    Do you have IPv6? That usually isn’t behind any kind of NAT and you can just let machines through the firewall.