looking for options for enabling remote access for CGNAT fiber connection

[JeffCharger]

Our area is moving to a fiber solution for internet. I was assisting my brother with his installation and we've run into a problem with remote access to cameras.

The problem seems to be due to the ISP is using CGNAT where you don't have a routable IP address (even with a DDNS provider).

Questions:
1) does running Zerotier resolve this? (I am currently doing this, so my implementation would work when I convert to the fiber solution next week)

2) my brother does not run Zerotier, are there other solutions to getting remove access with CGNAT? (e.g. OpenVPN, or others?)

Thanks for some help!

 

[bp2008]

There are several options.

I wrote a wiki page on this topic a while ago, specifically in the context of Blue Iris, but the same concepts apply to other software as well: Blue Iris Remote Access

 

[JeffCharger]

There are several options.

I wrote a wiki page on this topic a while ago, specifically in the context of Blue Iris, but the same concepts apply to other software as well: Blue Iris Remote Access

Thanks, I found this before posting my question here. It's provides great direction , and suggests that ZeroTier will resolve the issue when I migrate next week (thankfully). It doesn't seem to directly answer the question as to whether these solutions were specific to CGNAT based networks.

Does it help my brother's situation where he doesn't run a BlueIris solution, but has IP cameras that he uses port forwarding that work with his current ISP. (I know, we don't recommend this, but it's widely used). Are there other options?

 

[bp2008]

It doesn't seem to directly answer the question as to whether these solutions were specific to CGNAT based networks.

If your ISP uses CGNAT, it means you do not have a public IPv4 address. But you probably still get fully functional IPv6 so if you learn how IPv6 works you can use that.

Does it help my brother's situation where he doesn't run a BlueIris solution, but has IP cameras that he uses port forwarding that work with his current ISP. (I know, we don't recommend this, but it's widely used). Are there other options?

If all the camera remote access is done by connecting directly to cameras or directly to an NVR appliance, then Zerotier will be difficult to use. Because you can't install Zerotier on the cameras or NVR. You'd need a router that supports Zerotier (opnSense for example), and even then the routing could be tricky (I've never tried).

If you learn how IPv6 works, then you can probably use that for the remote access just like you were using IPv4 before. There are two main differences between IPv4 and IPv6: The addresses look very different when written out, and there is no shortage of IPv6 addresses. The idea behind IPv6 is that every internet subscriber gets at least 18,446,744,073,709,551,616 addresses (no exaggeration) to use as they see fit, all of them publicly routable. So you statically assign one of the addresses in your allotted range to whatever device you want, open port(s) in the router's firewall to allow the inbound connections you want to be allowed, and that is that. It is very similar to forwarding a port with IPv4, except you don't have to worry about a distinction between public and private addresses. At least that is how it is in theory. In practice, some routers have shitty IPv6 support. and some ISPs (particularly smaller ones) have shitty or non-existent IPv6 support. So you can run into obstacles.

If the router has VPN server capability, you could use that with the router's IPv6 address (which hopefully doesn't change). Then you connect to the VPN using IPv6, and once connected you can connect to the NVR or cameras using their IPv4 LAN addresses.

Or you could assign the NVR a static IPv6 address and open the necessary port(s) in the router's IPv6 firewall similar to how you port forwarded in the past using IPv4, and connect directly to the NVR using IPv6. You still take on the risk of the NVR's cybersecurity problems this way, but you also don't have to deal with a VPN connection so it is a tradeoff.

 

[JeffCharger]

If your ISP uses CGNAT, it means you do not have a public IPv4 address. But you probably still get fully functional IPv6 so if you learn how IPv6 works you can use that.



If all the camera remote access is done by connecting directly to cameras or directly to an NVR appliance, then Zerotier will be difficult to use. Because you can't install Zerotier on the cameras or NVR. You'd need a router that supports Zerotier (opnSense for example), and even then the routing could be tricky (I've never tried).

If you learn how IPv6 works, then you can probably use that for the remote access just like you were using IPv4 before. There are two main differences between IPv4 and IPv6: The addresses look very different when written out, and there is no shortage of IPv6 addresses. The idea behind IPv6 is that every internet subscriber gets at least 18,446,744,073,709,551,616 addresses (no exaggeration) to use as they see fit, all of them publicly routable. So you statically assign one of the addresses in your allotted range to whatever device you want, open port(s) in the router's firewall to allow the inbound connections you want to be allowed, and that is that. It is very similar to forwarding a port with IPv4, except you don't have to worry about a distinction between public and private addresses. At least that is how it is in theory. In practice, some routers have shitty IPv6 support. and some ISPs (particularly smaller ones) have shitty or non-existent IPv6 support. So you can run into obstacles.

If the router has VPN server capability, you could use that with the router's IPv6 address (which hopefully doesn't change). Then you connect to the VPN using IPv6, and once connected you can connect to the NVR or cameras using their IPv4 LAN addresses.

Or you could assign the NVR a static IPv6 address and open the necessary port(s) in the router's IPv6 firewall similar to how you port forwarded in the past using IPv4, and connect directly to the NVR using IPv6. You still take on the risk of the NVR's cybersecurity problems this way, but you also don't have to deal with a VPN connection so it is a tradeoff.

Many thanks for the suggestions and ideas. We will pursue these.

I don't believe that the ISP has IPV6 available. We will work with these suggestions and hopefully have some discussions with the tech support team at the vendor.

Many thanks!

 

[pyspilf]

You could also use a solution like ngrok... I have it installed on one of the servers in my LAN and start it when I need to access remotely...

 

[JeffCharger]

thanks for the ngrok suggestion. We are in the process of setting up a Zerotier solution. The site is remote, so we are only there sporadically to work on it!

 

[pyspilf]

Maybe a better idea. I only start ngrok when I am away and need to access (a bit of a convoluted way, but it works for me: I use Alexa on my phone to run a home automation event in Homeseer which starts ngrok), and usually stop if afterwards for security concerns... I have never tried running it long term, so I can't say how stable the connection would be, but I think it has the ability to reconnect. In any case, with your scenario, I would guess the more robust the solution, the better

 

[kd5mdk]

ZeroTier relies on the device you're accessing being online and running the ZeroTier software unless you're setting it up as a proxy. Do you have a plan for what to do if anything goes wrong with the ZeroTier host (like a failed update)? Would it be possible to configure ZeroTier on multiple local devices, or have a router or other reliable piece of equipment attempt at startup to make an outbound VPN connection to a VPN server you control?

 

[elvisimprsntr]

Look at Tailscale MESH VPN. I installed on my pfSense firewall so I can access my entire network. It will traverse multiple levels of NAT, including CGNAT.

Tailscale · Best VPN Service for Secure Networks

Tailscale is a zero config VPN for building secure networks. Install on any device in minutes. Remote access from any network or physical location.

tailscale.com

They have a free tier with up to 100 devices. Even a primate like me can set it up. Works automatically!

 

[ticotexas]

Thank you for mentioning Tailscale. I'm buried behind AT&T CGNAT on my rural hotspot. Just set up Tailscale and am thrilled to be able to see my cameras remotely finally!

 

[IReallyLikePizza2]

I really don't trust Tailscale personally

I just have a VPS with a site-to-site Wireguard VPN tunnel

I don't have CGNAT, but I have that setup to allow for my redundant WAN to be easier with remote access for LPR

 

[JeffCharger]

ZeroTier has worked very well for me. I’m personally not familiar with Tailscale, since my ZT setup has worked so well, but I believe that they are similar upon function.
ZT allows me to use windows Remote Desktop. The combination has worked very well.

 

[schaef350]

You could us a Mikrotik, pfSesne, etc and do a tunnel to something like Core Transit. They will lease you a single (or multiple) public IP's you can then just connect over the tunnel as you normally would with a static IP address.