Saturday, May 3, 2025

2025-05-03 - Setting up my VPN again after a move

What a nightmare that was. It worked fine with the exact same settings before the move; post-move, same internet service provider (ISP), it simply wouldn't work. This time the roommate who has dominion over the router settings is a nice guy who is hardly ever available, except for a brief window at night after he comes home from what I assume is work, having been gone for nearly 12 hours, after he takes his shower and before he goes to bed. I texted him and he said he'd be home at 11 PM, and I got there 45 minutes late. He had already taken his shower and I just managed to catch him ten minutes before he was going to bed.
When I was looking for a place to move, I was under the gun. I had a place lined up and it fell through two days before I was supposed to move, and I needed a place with a number of particular things according to my needs, but the one that pertains to the VPN is that the internet had to be Google Fiber (GF), not because VPNs require GF, but because I know that if it is GF, and not Xfinity, which I have heard mixed things about, but regardless of this, the thing that really matters to me is that the ISP does not use CGNAT. I can't tell where Xfinity uses CGNAT, but I do know that they do use it. I tried to figure some things out on my mom's laptop so she could access my VPN. Now CGNAT doesn't stop you from accessing a VPN based on a connection that doesn't use CGNAT, but the VPN cannot be on an ISP's lines through CGNAT.
My understanding about CGNAT is this: when I was setting up my VPN with my instructor, Doug, I was also learning about NAT, Network Address Translation. In a router, this separates public IP addresses from private IP addresses and, consequently, translates between them. So I have a computer on my own network with an IP of 192.168.50.153, for instance; I google something, and that query will go to my router, or up the chain in my private network to my router, which is the gateway to the internet, which is why they call it a Default Gateway address. It is the inner private network address of the router, and will usually be 192.168.0.0 or something like that, depending on circumstances. I have a double NAT because I have a router plugged into another router. All this means is that the first router, which belongs to my roommate, will give a portion of its subnet over to my router, but it'll be a small portion; in my case the third octet is .50, and I get all 255 of those addresses, but my roommate's router will keep the rest of the subnet for itself. Anyway, so the google query will go to the default gateway IP address, which is my router, get translated through NAT to the addressing scheme of the network that router is inside of, so it'll leave the .50 subnet of my network and enter the broader private network, and then it'll go to the default gateway address of his router, go through NAT, the firewall, all of that stuff, and get translated into whatever my public IP address that faces the internet is, and then it'll traverse the public network from one router to another until it reaches the server that has the desired information. Then that information will be used to create a new set of IP packets which will carry all the data back to the place that my query packets said they came from, which is where the new packets will be mailed to.
They will make their way back to my roommate's router through the public IP address, a temporary port in the firewall opens to let them back in, they will get translated by NAT back into a private IP address that the network my roommate's router knows and then sent to my router at .50.0, and then through NAT in my router and the firewall, and get translated back into .50.153 to the device that requested the data. Now if the ISP had a CGNAT, which is a Carrier-Grade NAT, what that means is some ISPs will save money purchasing public IP addresses; there are, after all, only so many public IP addresses, especially IPv4 addresses, which are still being used because IPv6 is harder to use, long story short. CGNAT is the ISP's own NAT, where they buy just a few public IPs instead of thousands or millions of them like GF, and then they will convert public IPs into their own pool of public IPs through their industrial-grade NAT, and if you have Xfinity, then you will get one of their CGNAT-based public IP addresses. This causes a problem for someone like me. If I want to have a VPN, my server cannot be behind a carrier's CGNAT. CGNAT, to my understanding, has a firewall attached to it, and only one service can usually be assigned to a port in a firewall. And so if a few thousand of Xfinity's customers had VPNs, only one of them would be granted the port-forward. If you can only do one and thousands on an ISP's service want to do it, there's a problem.
Okay, but before you call me out, I will admit that yes, you can do a VPN behind an ISP's CGNAT. I don't know how to do it, but so far, when I was trying to set my mom's laptop up so I could access it remotely and it wouldn't let me do an AnyDesk remote connection, I found out this was because of the CGNAT. Now I don't know if maybe, had I just activated a full tunnel on my VPN and then done it, it would have worked fine, but a whole host of problems could happen that would render the VPN ineffective, and that is why I set up AnyDesk. So AnyDesk needs to function regardless of the VPN, and it wouldn't. It turned out my mom had a number of problems while on Xfinity, a lot of them being because she was sold a whole package for Xfinity with her apartment lease, so she got phone and cable and all sorts of stuff, and she had a variety of problems that may or may not have had to do with Xfinity and the way they do things, which is different from ISP to ISP in many cases. So when she switched back to GF, the problem went away. I can't remember how I concluded it, but I somehow deduced or did research or something and found that CGNAT was likely responsible or something.
Okay, so the reason why wherever I go, they must have GF, is not necessarily because I can't make this work without GF, but because I know it works with GF. And there are a lot of things I don't want to change. For instance, I know there are other ways to access my internal network and file server and all that other than through a VPN. But the VPN is the way everything is set up; it would require a whole overhaul to do something else, such as the method being used and what can be accessed. I am comfortable with my current setup, I have reasonable expectations for it, and even when I have requirements that go beyond those expectations, I am often pleased with the results, and I know what these reasonable expectations and limits are most of the time. I would essentially be throwing away everything I already know and have established and have to use new methods with unknown limits, and still have my expectations, and they may not be reached if I use other methods. I would expect that if you had an organization that was used to using VPNs and they seemed to work great most of the time, and then you decided to go with an all-new method no one knows how to use, that can't be expected to do everything, and even what it can still do may require new methods on top of the new access method just to get the same results, the company would sort of be in chaos and day-to-day function would be severely inhibited. I have the advantage of being one person, but VPNs are not exactly uncommon; they are used everywhere and have many functions. It would serve me to continue to use it. I have often thought that my VPN may be the thing that gets me hired somewhere because of the amount of crap I have had to go through whenever something went wrong.
So I had to set up the port-forwarding on my new roommate's router. I went to the router after asking his permission and assuring him this wouldn't affect anyone else, assuming no one else has a VPN at this place of residence, and when I looked on the bottom of the router, there was no admin password credential thing. He told me he had not changed the credentials; he barely knew what I was talking about. So when I found nothing on the router, and then went to my browser and typed in the typical IP address for the router's web interface to access settings, I got error web pages. I asked ChatGPT how you access the web interface on a GF router and it said that it most likely uses an app or website attached to the account that pays for the GF service. I asked the roommate if he had an app or a website he has access to for his GF account and he did; he went to it, and it was the web interface I was looking for.
Unfortunately I didn't get to write down the steps we did to find the port-forward settings, but the best I can ascertain is that once logged in, we saw a screen that looked like this:

After that I believe we went into the internet or router options. I think we selected something on the next page like Edit Network:

And then saw a screen that I believe said Advanced Network Settings > Ports:

Once I clicked on Ports, I believe we found a button that said ADD RULE, and then saw what I was looking for:

Once I found my .50.0 router's MAC address on this page, and confirmed with my roommate that it was the same MAC address, I saw a page similar to this:

The Device at the top was my router's MAC address; the service I selected was single custom port, because I am only doing 51820 and not a range. I selected TCP & UDP despite ChatGPT insisting WireGuard only uses UDP, so I think I will go in and change it to just UDP, since I believe this does open me up to potential hacking. I put 51820 in both of the ports below that said external port and internal port, and had my roommate save it. He then asked again what this does, because he wanted to be sure this wouldn't affect anyone adversely since he's responsible for it, and I explained that I have a file server. I asked if he knew what servers were and he said yes, and I explained that to access my file server remotely, I needed to open a port that would let me send stuff through my VPN, both inwards and outwards, and that is what we just enabled.
Now that was the easy part. I told him I had to test the connection to make sure it worked and went straightaway to do so. But then I turned on my half tunnel as usual and it was receiving no packets, as usual when there was a problem. I rolled my eyes. What now! After a few minutes: oh, I hadn't changed the settings in WireGuard on any peer (remote) devices such as my phone and laptop and my mom's laptop. So I went on my laptop, into the tunnel settings, after looking up what my public IP address now was. I entered:

    curl -4 ifconfig.me

I put the address it returned in the endpoint address under peer settings in WireGuard on my laptop and did the same for both the half tunnel and the full tunnel, then changed it on my mom's laptop remotely through AnyDesk, then on my phone.
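Two of the checks done by hand above, as an added example that is not the author's own code: classifying the router's WAN address (100.64.0.0/10 is the RFC 6598 shared space carriers use for CGNAT, and an RFC 1918 address means another router sits upstream, the double NAT described earlier), and rewriting the Endpoint line of each client-side WireGuard config after the home public address changes, as was done for the laptop, the phone and the mom's laptop. The file names, sample addresses and function names are constructed; only client configs carry an Endpoint line, so the server's wg0.conf is not touched.

```shell
#!/bin/sh
# Added example, not code from the post.  Assumes IPv4 dotted-quad input and
# WireGuard client configs with a line of the form "Endpoint = host:port".

# Classify an IPv4 address: RFC 1918 private, RFC 6598 shared address space
# (100.64.0.0/10, the range ISPs use for carrier-grade NAT), or public.
ip_scope() {
    o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
    if [ "$o1" -eq 10 ]; then echo private
    elif [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; then echo private
    elif [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then echo private
    elif [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then echo cgnat
    else echo public
    fi
}

# What the router's own WAN address (from its status page) means for an
# inbound port forward such as the UDP 51820 rule set up above.
forward_verdict() {
    case "$(ip_scope "$1")" in
        cgnat)   echo "cgnat: ISP NAT sits in front of the router; a forward on it cannot reach in" ;;
        private) echo "double-nat: forward the port on the upstream router too" ;;
        *)       echo "public: one forward on this router is enough" ;;
    esac
}

# Rewrite the Endpoint host in a client conf, keeping the port, and refuse
# (return 2) if the new address is not public, e.g. a CGNAT address pasted by
# mistake.  Real use: set_endpoint /etc/wireguard/half.conf "$(curl -4 ifconfig.me)"
set_endpoint() {
    conf=$1; newip=$2
    [ "$(ip_scope "$newip")" = public ] || return 2
    sed "s/^Endpoint = .*:\([0-9][0-9]*\)$/Endpoint = $newip:\1/" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Constructed demo (no network, throwaway file): the old home address
# 203.0.113.7 is replaced by 198.51.100.9 in a half-tunnel style config.
demo=$(mktemp)
printf '[Peer]\nAllowedIPs = 192.168.50.0/24\nEndpoint = 203.0.113.7:51820\n' > "$demo"
set_endpoint "$demo" 198.51.100.9 && grep '^Endpoint' "$demo"
forward_verdict 100.72.3.9
rm -f "$demo"
```

Run set_endpoint once per client config (half and full tunnel files alike); the half and full tunnels differ only in their AllowedIPs line, which the function leaves untouched.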
Then I tested it again and it didn't work. No packets received. I verified that the server was running properly; I went locally and accessed the file server through SMB, and the file server is the same device running the VPN server. I started trying to troubleshoot the issue and didn't seem to solve it.
The next day I continued researching and looking things up. I had verified everything I could think of: the port forward was done under my supervision and I confirmed the MAC address of my router, I had then also asked my roommate to send me a screenshot of the configuration, which, as you can see above, he did, and I confirmed the MAC address again. I asked ChatGPT if setting it to both TCP and UDP would cause this problem and ChatGPT thought it might, but I said it worked perfectly like this before I moved, and then it said, well, it most likely won't cause problems, but it is insecure. I checked the settings on my router, I made sure all my IP addresses were the same, the file server was obviously serving files so anything server related that was on my separate Proxmox server had the proper reserved IP, I can't think what else I had checked, but I had checked everything I could think of. Oh, I also went into the wg0.conf file on the VPN server and checked to see if there were any public IP addresses that needed to be changed; I didn't find any. ChatGPT thought this was strange and then admitted that, the way I was using it, having endpoints on the server side was unnecessary, and then I asked Grok 3 and it said yes, that's normal. I then switched to Grok 3 because it troubleshoots better than ChatGPT. I only prefer ChatGPT because despite the 4.0 lite query limits on ChatGPT, it switches automatically to 3.5 and keeps letting me ask questions, and I don't see much of a difference in the way I use it. But Grok seems to have a hard limit for several hours that absolutely stops me in my tracks, and it doesn't even revert to a lower model, so any progress I had made absolutely stops. I can't abide that. And I will not be nickeled and dimed out of my entire paycheck. So despite Grok 3 being the better choice for me, ChatGPT doesn't set the hard limit and so it gets all my use.
The next day I decided that since the last time I had VPN issues, the thing that fixed it was rebooting the router, letting the power drain from the capacitors first, I would do the same on both my router and my roommate's router. But I asked him if he could do it at a time that affects everyone the least, and he just hadn't even gotten around to it when I happened to check my VPN randomly and suddenly it worked. He told me he hadn't done anything, and I hadn't rebooted my router yet either, so I really don't know how it got fixed. The only thing I can think of, which I then asked Grok 3 about, was whether it is a thing for routers to only update the port forward settings at the start of a new day or something. It said at first that whatever words I used for this scenario sounded very unusual for networking, but then said that it is common for routers to update all the settings after a few hours. I know I checked right away after setting it up and it didn't work, and I can't recall if I checked the next morning. I might have and it still didn't work, but I don't remember. So whatever the problem was, it works now. And I had insisted many times to both ChatGPT and Grok that my VPN worked fine before the move, same ISP, right down to the way the port forward was established; it looked the exact same as it did a year and a half ago when Robert, my former roommate, did it for me back in October or November 2023. So they admitted that then it should be working. I went through everything I had confirmed and everything checked out. Everything! But then it started working fine the next day.
There is one caveat: I can no longer just leave the half tunnel activated on the laptop. It simply won't work at all if I am at home, on my network, plugged in or on WiFi, and either tunnel is activated. I didn't have this problem before.

This has been Truncat3d 00000000111100010100110______________end of line
