accessing BI through VPN hosted on VPS

tv1

n3wb
Joined
Sep 23, 2019
Messages
5
Reaction score
0
Location
California
Was wondering if anyone could give me some guidance on accessing my BI server through a VPS. Recently switched to T-Mobile home ISP and they are double-NATed. I have my server connected to the VPN hosted on DigitalOcean. I have my phone connected to the VPN hosted on DigitalOcean. I can remote into the server but I'm not sure what settings to use so I can use the BI app while I'm on the VPN. Hope that makes sense in what I'm trying to accomplish.
 

Jay Roman

Getting the hang of it
Joined
Mar 18, 2021
Messages
103
Reaction score
38
Location
USA
I just did this, happy to help.

For me, the first thing I needed to do was to get my ISP-assigned router into bridge mode. (You need to get rid of that double NAT situation you have going on.)

What type of personal router are you using? OpenVPN?

Once you get that double NAT situation fixed, we can proceed to the next step.
 

tv1

n3wb
Joined
Sep 23, 2019
Messages
5
Reaction score
0
Location
California
Unfortunately I can't get rid of the ISP double NAT or else I would have gone that route. They use a Nokia modem/router combo for the T-Mobile home internet that has ZERO admin features. It's the only modem they provide that has 5G and I've searched high and low for a fix to that. No one has anything. I can use either OpenVPN or WireGuard (I set up both to test and it didn't work with either). I was happy I was finally able to VPN into a server I have with the VPS/VPN solution. I'm just lost on what settings to use for the webserver on BI so that I can view it in the browser or in the mobile app once I'm connected to the VPN. I've tried using the VPN's assigned IPs but that didn't work.
 

Jay Roman

Getting the hang of it
Joined
Mar 18, 2021
Messages
103
Reaction score
38
Location
USA
Hmmm, if you can VPN into the server, I guess you're good.

Have you set up your webcams yet?

Gave them a static IP that is not the default IP address?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
So to summarize your use case @tv1: your BI server is throwing an outbound VPN connection to your VPS. That seems to work, right? What IPs are you getting (local, VPN-internal etc.)?
Secondly, you throw out an outbound VPN connection from your mobile to your VPS. That seems to work too, right? What IPs are you getting (local, VPN-internal etc.)?

Now, the question you need to ask yourself: HOW are you actually connecting to your BI server?
  • can you ping (from your mobile) the IP of your BI PC? I guess not
  • if you blocked outside-LAN access in BI: it will be blocked on BI, so it won't work

I did a similar setup years ago, and what I finally messed up is to let the Mobile VPN client connect to (not BI) application on the 10.0.0.2 (internal VPN ip address of the LAN PC).

And that worked like a charm. Only thing you need to make sure is that the VPN server does not alter (DHCP-wise) that 10.0.0.X range.

Good luck!
CC
 

tv1

n3wb
Joined
Sep 23, 2019
Messages
5
Reaction score
0
Location
California
@catcamstar that's exactly my scenario. Not sure how to ping from an Android phone but I can look it up. What I really want to accomplish is to be able to see the cameras from the web or from the app (both fully set up and working while on the same network).

My VPS/VPN are 10.6.0.X range. They are static IPs for each device.
Location A 192.168.86.X
Location B 192.168.87.X (behind double NAT) (BI Server)

I'll try to ping later today after work.

Side note, I can remote into my server with full tunnel but I lose the ability to access other webpages. Weird double NAT thing I haven't figured out yet. If I do split tunnel, I can still remote in and have full access to webpages.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Don't have Android (anymore), but ain't there a "terminal" app in the OS itself where you can simply execute a "ping"?

I now re-read your opening post: so if you'd open the VPN from your android to the VPS, do you call this "split tunnel"? And you are able to access BI webpage? But the BI app does not work?

Or do I misinterpret your problem statement?
 

Jay Roman

Getting the hang of it
Joined
Mar 18, 2021
Messages
103
Reaction score
38
Location
USA
If you are using OpenVPN, follow this guide.


Also download OpenVPN on your Android phone.
 

tv1

n3wb
Joined
Sep 23, 2019
Messages
5
Reaction score
0
Location
California
@catcamstar split tunnel means that you can access internal networks of a VPN but your IP isn't masked by it. Saves you bandwidth and speeds things up. I can access the webpage of BI on neither full tunnel nor split tunnel. On the internal network, BI is on 192.168.87.100 and on the VPN it's on 10.6.0.2. I can access it locally fine on 192.168.87.100. I turn on the VPN and I change BI's webserver to use the VPN ethernet adapter and change its IP to 10.6.0.2 for the webserver, but once I'm on the VPN, I can't access the page in a browser or the BI app. I've tried leaving it as 192.168.87.100 and leaving the ethernet adapter the same as well.

@Jay Roman thanks for the link but that's not the setup I'm looking to achieve, as I still need a VPN on my VPS to get out of the double NAT. I know because I have 2 other VPNs in Location A (OpenVPN on Synology and WireGuard on my Pi Zero) and have had no success in getting past Location B's double NAT. It'll connect for maybe 2-3 seconds and drop.

I might have to do something similar to what Jay posted and just put the whole network as a VPN client on the router. That way I can see all devices. Prefer not to go that route so hopefully I can figure it out.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,672
Reaction score
14,015
Location
USA
Jay Roman doesn't seem to understand what you are trying to accomplish here.

Side note, I can remote into my server with full tunnel but I lose the ability to access other webpages. Weird double NAT thing I haven't figured out yet. If I do split tunnel, I can still remote in and have full access to webpages.
That would have nothing to do with double NAT. I'm guessing maybe your VPN server configuration includes a line like push "redirect-gateway def1" but also is not actually configured to route traffic to VPN clients. See if that line is in your openvpn configuration and if it is there, remove it. Alternatively you could instruct your client configuration to ignore it.

As for getting your VPN clients to talk to each other, I am not sure exactly what to do, but likely it does require specific VPN configuration. It may be helpful if you learn how to view and understand the routing table on your Windows machine and on your phone. I can point you in the right direction for Windows: Open a command prompt and enter the command route print. It will show you the routing table. You'll want to see your VPN subnet in the routing table, pointing at the correct interface.

As an example, in this routing table, the line reading 10.8.0.0 255.255.255.0 On-link 10.8.0.2 259 says that to access anything on the 10.8.0.0/24 subnet, the traffic must use the interface with IP address 10.8.0.2, which in this case is a VPN connection. So if I had Blue Iris running on 10.8.0.3 and I tried to connect to it, this line would be matched in the routing table and the traffic would go out the VPN interface.

[screenshot: route print output showing the routing table described above]

Your phone and Blue Iris server PC should have similar routes defined for the VPN. They probably already have this actually.

Your VPN server will also need to be configured to allow clients to communicate with each other. I haven't tried this before but it looks pretty straightforward.
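As an added example (not bp2008's code, nor anything from the thread or from Blue Iris), the script below applies the routing-table lookup described above to a constructed `route print` table: it parses the IPv4 "Active Routes" rows, picks the route a destination would use (longest prefix first, lowest metric on a tie), and reports whether a given VPN subnet actually leaves through the VPN interface. It generalises the single line quoted above to any destination, and the final check shows what a missing route for a subnet such as tv1's 10.6.0.0/24 looks like. The sample table, addresses and the VPN subnets are constructed for the demonstration.

```python
"""Resolve which route a destination takes, from Windows `route print` output."""
import ipaddress
from dataclasses import dataclass

# Constructed sample of the IPv4 section of `route print` (not a real machine's table).
SAMPLE_ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.1    192.168.1.50     25
         10.8.0.0    255.255.255.0         On-link        10.8.0.2    259
         10.8.0.2  255.255.255.255         On-link        10.8.0.2    259
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
===========================================================================
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # "On-link" when the destination is directly reachable
    interface: str    # IP of the local interface that carries the traffic
    metric: int


def parse_route_print(text: str) -> list:
    """Keep only rows of the form: destination netmask gateway interface metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # headers, separators and IPv6 rows have a different shape
        dest, mask, gateway, iface, metric = fields
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            ipaddress.IPv4Address(iface)      # validates the interface column
            metric_value = int(metric)
        except ValueError:
            continue
        routes.append(Route(network, gateway, iface, metric_value))
    return routes


def best_route(routes, address: str):
    """Longest-prefix match; lower metric wins among equal-length prefixes."""
    addr = ipaddress.IPv4Address(address)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def vpn_subnet_routed_via(routes, subnet: str, interface_ip: str) -> bool:
    """True if `subnet` has a route whose interface is the VPN adapter's address."""
    net = ipaddress.IPv4Network(subnet)
    return any(r.network == net and r.interface == interface_ip for r in routes)


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for dest in ("10.8.0.3", "203.0.113.10"):
        r = best_route(table, dest)
        print(f"{dest:>14} -> {r.network} via {r.gateway} on {r.interface}")
    # A VPN peer is only reachable if its subnet is routed out of the VPN interface.
    print("10.8.0.0/24 via VPN:", vpn_subnet_routed_via(table, "10.8.0.0/24", "10.8.0.2"))
    print("10.6.0.0/24 via VPN:", vpn_subnet_routed_via(table, "10.6.0.0/24", "10.6.0.2"))
```

On a real machine, paste the output of `route print` in place of the constructed sample; a VPN peer whose subnet resolves to the default gateway rather than the VPN interface is exactly the symptom the post describes.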
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,672
Reaction score
14,015
Location
USA
One more thing. Your needs would probably be met with much less complex configuration just by running ZeroTier on your BI server and on your phone. This does all the hard work of VPN configuration and connection tunneling for you and you don't even need to run your own server -- their free tier will probably be more than adequate.
 

tv1

n3wb
Joined
Sep 23, 2019
Messages
5
Reaction score
0
Location
California
@bp2008 thanks! I'll check out ZeroTier tonight. Yeah, I'm too much of a newb to figure out routing tables and how to get clients to talk to each other. More research in getting that set up tonight along with ZeroTier. Appreciate the help and guidance everyone has provided so far.
 