VPN and Remote Access - non-static IP


Peter Blanchard

Active Member
Jun 30, 2022
I have two sites. A flat and house.

House has ADSL; the IP, whilst not static, doesn't change very often.

Flat situation somewhat different. 4G mobile broadband x 2 - one through modem, other tethering to phone. Both are limited to 20GB a month. Very slow and flaky but unlimited public wifi is available. IP address can and does change.

I'm going to have a TrueNAS box at each site. Windows and Linux machines as well.
I've an old wi-fi router from the ISP on which I will install OpenWRT. Plan is to use it to connect to the public wifi (BT-Wifi) and hopefully it'll have a more stable wifi connection.

What I'm a bit confused about is how to deal with dynamic IP.
With VPN, do you need static IP at both ends?

You get the idea.

Any suggestions?
 

elvisimprsntr

Active Member
May 9, 2021
Florida
1. For ADSL, set up a DynDNS service updater with any number of free providers, then you can access via a hostname. Ideally set it up on your router, but TrueNAS also has one.
2. For 4G, the IP address assigned by your carrier is normally not a public IP address unless you pay extra for a public/static IP address.
 

Peter Blanchard

Active Member
Jun 30, 2022
There are a lot of things I don't quite understand.

eg.
2. For 4G, the IP address assigned by your carrier is normally not a public IP address unless you pay extra for a public/static IP address.
But, you know, there are a ton of VPN products aimed at mobile devices. Vaguely understand tunnel. There are also fail-over products from ISPs that do wired broadband to 4/5G stuff. I'm based in the UK and I'm probably signed up to a service that might do it but probably in a very opaque way.
 

elvisimprsntr

Active Member
May 9, 2021
Florida
But, you know, there are a ton of VPN products aimed at mobile devices. Vaguely understand tunnel. There are also fail-over products from ISPs that do wired broadband to 4/5G stuff. I'm based in the UK and I'm probably signed up to a service that might do it but probably in a very opaque way.
Yes, there are many outbound, so called privacy, VPN services that allow you to disguise your location and encrypt traffic up to the exit node of the VPN.

In the US, most carriers assign a dynamic private IP address for cellular broadband. So even if you set up DynDNS over a mobile broadband connection, you will not be able to connect to the private IP address remotely.

For your situation, you might want to consider using Tailscale to set up a virtual VPN network for all your sites, which will traverse NAT performed by any of your providers and does not require one to open ports on any of your firewalls. Works on any client and mobile devices. They have a free tier.

If you already use pfSense for your firewall, pfSense already has an add-on package for Tailscale.

 

reasonsandreasons

Active Member
May 16, 2022
Building off of what @elvisimprsntr said, some ISPs and all mobile phone operators use carrier-grade NAT (sometimes abbreviated cgNAT) to provide IP addresses. Basically, your phone isn't provisioned an IP address on the public internet, but instead is provisioned one on an internal network and a centralized service routes traffic to and from the phone.

In those circumstances, something like a dynamic DNS service isn't useful because those services provide a static name for a non-fixed endpoint on the public internet. This is usually done with a small program on your router that pings a server every once in a while to say "hey, here's my public IP address." The server then just updates the redirect and moves on. If your router's IP address isn't accessible from the public internet, as it is in a cgNAT situation, you haven't really solved that problem.

Tailscale is a solution to this problem, as it serves as a relay on the public internet both sides can reach. You tunnel into Tailscale at both ends and they take care of the routing between the tunnels. It would be useful to hear a bit more about what your router situation is at the flat; if you're just using the old ISP router as a bridge between public WiFi and a wired network, you'll likely want to configure Tailscale there as well as on the devices that are wirelessly connected to the 4G hotspots (provided access to the virtual network from those devices is a requirement). That will likely be easier than figuring out how to jack a router into a 4G connection and manage two LANs at the flat.

(If you're averse to Tailscale there are ways to host your own relay box with a cloud instance, but that might be a bit of a pain.)
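As an added example (not code from the thread or from any of the posters), the two points made about dynamic DNS, that the updater simply tells a server its current public address every so often (the ADSL suggestion earlier in the thread) and that this is pointless behind carrier-grade NAT, in a small Python script. It classifies the address a router holds on its WAN side, compares it with the address an outside observer reports, and only publishes when the two agree on a routable address. It also covers the double-NAT case of tethering to a phone and the IPv6 unique-local and link-local ranges, which the posts do not mention. All addresses, hostnames and the `send` callback are constructed placeholders; the real update call is whatever your DDNS provider documents.

```python
# Added example, not code from the thread or from any poster.
# Dynamic DNS only helps when the address it publishes is reachable from the
# public internet. A router behind carrier-grade NAT (RFC 6598 shared space,
# 100.64.0.0/10) or behind another NAT device (tethering to a phone, double
# NAT) would publish an address that nobody outside can connect to.
import ipaddress

# Address ranges a DDNS record must never point at (they do not overlap).
NON_ROUTABLE = [
    (ipaddress.ip_network("100.64.0.0/10"), "cgnat"),      # RFC 6598 carrier-grade NAT
    (ipaddress.ip_network("10.0.0.0/8"), "private"),       # RFC 1918
    (ipaddress.ip_network("172.16.0.0/12"), "private"),    # RFC 1918
    (ipaddress.ip_network("192.168.0.0/16"), "private"),   # RFC 1918
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("fc00::/7"), "private"),         # IPv6 unique local addresses
    (ipaddress.ip_network("fe80::/10"), "link-local"),
    (ipaddress.ip_network("::1/128"), "loopback"),
]


def classify_wan_ip(addr: str) -> str:
    """Label the address the router holds on its WAN interface.

    Returns 'public' when no non-routable range matches. Documentation ranges
    such as 203.0.113.0/24 count as public here so they can stand in for real
    addresses in the constructed samples below.
    """
    ip = ipaddress.ip_address(addr)
    for net, label in NON_ROUTABLE:
        if ip in net:  # membership is False on a v4/v6 version mismatch
            return label
    return "public"


def ddns_diagnosis(wan_ip: str, observed_ip: str) -> dict:
    """Compare the router's WAN address with what an external 'what is my IP'
    style service reports. Only when both are the same public address can an
    inbound connection to the published name reach this router."""
    kind = classify_wan_ip(wan_ip)
    if kind == "public" and wan_ip == observed_ip:
        return {"reachable": True, "publish": wan_ip,
                "reason": "router holds the public address; DDNS will work"}
    if kind == "cgnat":
        reason = ("WAN address is in RFC 6598 shared space: carrier-grade NAT, "
                  "inbound connections cannot reach this router")
    elif kind != "public":
        reason = (f"WAN address is {kind}: an upstream device performs NAT "
                  "(double NAT), the published address would be the upstream one")
    else:
        reason = "router has a public address but the internet sees a different one"
    return {"reachable": False, "publish": None, "reason": reason}


def ddns_update_if_needed(state: dict, hostname: str, wan_ip: str,
                          observed_ip: str, send) -> bool:
    """One tick of a DDNS updater loop.

    `state` remembers the address last published per hostname so the provider
    is only contacted on a change; `send(hostname, ip)` is a hypothetical
    callback standing in for the provider's update API. Returns True when an
    update was sent.
    """
    diag = ddns_diagnosis(wan_ip, observed_ip)
    if not diag["reachable"]:
        return False  # publishing an unreachable address helps nobody
    if state.get(hostname) == diag["publish"]:
        return False  # unchanged: do not hammer the provider
    send(hostname, diag["publish"])
    state[hostname] = diag["publish"]
    return True


if __name__ == "__main__":
    # Constructed samples: (site, hostname, router WAN address, address seen from outside).
    # Documentation ranges stand in for real public addresses.
    samples = [
        ("house ADSL", "house.example.invalid", "203.0.113.45", "203.0.113.45"),
        ("flat 4G modem", "flat.example.invalid", "100.72.3.9", "198.51.100.7"),
        ("flat phone tethering", "flat2.example.invalid", "192.168.43.12", "198.51.100.7"),
    ]
    published = {}
    for site, host, wan, seen in samples:
        diag = ddns_diagnosis(wan, seen)
        sent = ddns_update_if_needed(published, host, wan, seen,
                                     lambda h, ip: print(f"  update {h} -> {ip}"))
        print(f"{site:21s} wan={wan:14s} seen={seen:14s} sent={sent!s:5s} {diag['reason']}")
```

Run the script once to see the three constructed cases side by side; in a real updater you would feed `ddns_update_if_needed` the router's WAN address and the result of an external IP lookup on each timer tick, keeping `state` between ticks.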
 

oneplane

Well-Known Member
Jul 23, 2021
Besides Tailscale (and Teleport) you can also use STUN and TURN etc. for NAT traversal.

As for what a true solution in this case is: don't use low bandwidth or data-capped locations for mass storage. You can store it elsewhere and use remote access to the storage instead, that way data changes are limited to the WAN speed anyway and thus no high-load reconciliation is needed.
 

elvisimprsntr

Active Member
May 9, 2021
Florida
I just configured Tailscale between two pfSense sites in less than 30 minutes. One is behind double NAT. I just watched the video from the pfSense blog post while following along.

 

Samir

Post Liker and Deal Hunter Extraordinaire!
Jul 21, 2017
HSV and SFO
I actually run ipsec tunnels over dynamic IP. Every few years the tunnels break because of an IP change, but most of the time a tunnel breaks because an isp has an issue and then the tunnel comes back up.

If you are using cellular, you will need to see if you have a true public IP that can be hit. Otherwise the tunnel may need to be initiated client-server vs peer-to-peer.
 

Peter Blanchard

Active Member
Jun 30, 2022
I'll investigate the options that people have mentioned.

I am in the process of building the two TrueNAS boxes so there's no urgency (lots to learn before full deployment). I don't have to replicate all the data I have onto both boxes, only some. I can bring them together at some point, attach them to the same physical network.

Because the sites are within 10 minutes' walk of each other, sneakernet is a good option. How that works with TrueNAS, I dunno.
 

Peter Blanchard

Active Member
Jun 30, 2022
That's a very good question I'd not considered before.

No, no clear line of sight but close. In theory could put up a mast at home. I need to understand UK planning laws in terms of what antenna are permitted.
 

Samir

Post Liker and Deal Hunter Extraordinaire!
Jul 21, 2017
HSV and SFO
That's a very good question I'd not considered before.

No, no clear line of sight but close. In theory could put up a mast at home. I need to understand UK planning laws in terms of what antenna are permitted.
Would probably be cheaper to get some sort of wired internet connection at each site than dealing with a point-to-point setup with masts and antennas.
 

Samir

Post Liker and Deal Hunter Extraordinaire!
Jul 21, 2017
HSV and SFO
The problem is that flat is only temporary. UK broadband providers want to lock you into long contracts.
Ah, I see. They want to do the same here in the US, but you can always ask what the 'non-contract' price is and it's usually only 5-10 more. I usually opt for that anyways just to cut some of the strings between an isp and myself--they always want to get their bloody hooks in my wallet!!
 

Peter Blanchard

Active Member
Jun 30, 2022
After long conversations with customer service, favoured ISPs don't offer the rolling one month contract. Flat infrastructure is copper managed by Openreach. No fibre optic possible.
 

TheUnknownThing

New Member
Aug 4, 2021
If you only want to access your TrueNAS box over the public network, there is no need to set up a VPN; you could use Dynamic DNS and register a domain.
If you want more secure access (only between your houses), you could consider using ZeroTier or Cloudflare Tunnel. The former can establish a direct P2P connection if your firewall policy allows it, to ensure better access speed. The latter will proxy your bandwidth through Cloudflare’s server, but it is fast enough to satisfy everyday usage.
 

Peter Blanchard

Active Member
Jun 30, 2022
If you only want to access your TrueNAS box over the public network, there is no need to set up a VPN; you could use Dynamic DNS and register a domain.
If you want more secure access (only between your houses), you could consider using ZeroTier or Cloudflare Tunnel. The former can establish a direct P2P connection if your firewall policy allows it, to ensure better access speed. The latter will proxy your bandwidth through Cloudflare’s server, but it is fast enough to satisfy everyday usage.
Good points. Caused me to reflect on requirements.

My wife is a management consultant. Her employers are rubbish at IT. A lot of her data is confidential and commercially sensitive. Sure, the business stores data "in the cloud" but harsh experience is that if employer supplied laptop is rendered non-functional for whatever reason, I'll be asked to fix it. It doesn't help that they purchase pretty consumer laptops rather than rugged tanks. You know, the type with soldered RAM and SSD.

A large external HDD should take care of her needs. Assuming her employer will cough up a decent backup solution.

Which makes things a lot simpler for me re data security. I've very little data that is confidential or subject to data protection.
 