wan ip changed to private, can't access cameras remotely

[sparky9]

As the heading suggests, my internet provider changed my ip address from public to private... now start with 100. What are my options to now access my cameras remotely as openvpn does not seem to work with private ip addresses., (besides paying extra for a public ip address)?

My system had been set up since late 2020 early 2021 from information on this site. I have a dual nic system and was using openvpn client on my asus router. Everything was setup, and ran fine, until 2 months ago when internet provider changed my ip address from public to private.

 

[wittaj]

OpenVPN doesn't care whether it is public or private. The issue is it sounds like your IP address changed.

When the IP address changed, if you are not using DDNS, then you would need to create a new certificate and put that on your devices being used to view remotely.

Best solution is to use a DDNS and then create the new certificate and place on your devices, that way it can find it regardless of when the WAN IP address changes.

 

[sparky9]

OpenVPN doesn't care whether it is public or private. The issue is it sounds like your IP address changed.

When the IP address changed, if you are not using DDNS, then you would need to create a new certificate and put that on your devices being used to view remotely.

Best solution is to use a DDNS and then create the new certificate and place on your devices, that way it can find it regardless of when the WAN IP address changes.

I am using a ddns. I did not create a new certificate tho. I will try that and post back, be a couple hours tho.

This is the message router gives me. "The wireless router currently uses a private WAN IP address (192.168.x.x, 10.x.x.x or 172.16.x.x). Please refer to the FAQ and set up the port forwarding". The wan ip starts 100.xx.xx.xxx.

 

[wittaj]

Who is the ISP and are you using a combo modem/router that they provided or do you have an ISP provided modem and you are providing the router?

 

[bigredfish]

I'm no networking expert but I think they changed his WAN IP and he was port forwarding to it, I dont get the whole Public vs Private IP thing, thats not something an ISP does is it?

Private IP simply refers to your Internal LAN address in one of those 3 ranges typcially

 

[sparky9]

Who is the ISP and are you using a combo modem/router that they provided or do you have an ISP provided modem and you are providing the router?

was sumofiber and it was a public wan ip address, they switched it to infinity who then assigned it a private ip address. It is fiber, it comes into their device (combination fiber access and modem then my routers) had sumo setup and running for a year like that, then when it switched to infinity it no longer works. Had the ddns all setup

some info from blueiris remote access wizard
internet status ok........wininet web request ok
port tcp :443 listening ok green check
router add 192.xxx.xx.x and internet wan 104.xxx.xx.xxx:443 green check
final test wan address 104.xx.xx.xxx: matches
BUT verified ip and verified server timeout

 

[Mike A.]

104.x.x.x looks to be your WAN/Internet IP. That's not in "private" address space. What does your router show as its external/WAN IP?

 

[bigredfish]

router add 192.xxx.xx.x and internet wan 104.xxx.xx.xxx:443 green check

 

[sparky9]

external wan ip is 104.xx.xx.xxx home lan is 192.xx.xx.xxx

104.x.x.x looks to be your WAN/Internet IP. That's not in "private" address space. What does your router show as its external/WAN IP?

 

[wittaj]

Did you home IP LAN subnet change? In other words has it always been 192.xx.xx.xxx - I am guessing so since you said you own the routers and you haven't switched them.

The only other thing I can think of is the new device is a modem/router and you have a weird double NAT situation or something going on.

In that case, you would need to have them put the modem/router in bridge mode.

 

[bigredfish]

^^^^^
This

Was my thought as well.
Gets new modem/router combo from ISP. It uses a diff LAN network range, his equipment is on the old LAN network

 

[sparky9]

Did you home IP LAN subnet change? In other words has it always been 192.xx.xx.xxx - I am guessing so since you said you own the routers and you haven't switched them.

The only other thing I can think of is the new device is a modem/router and you have a weird double NAT situation or something going on.

In that case, you would need to have them put the modem/router in bridge mode.

My stuff hasnt changed... the only thing that has is my provider changed from sumofiber and a public wan to infinty and private ip....something about a double nat...

 

[sparky9]

^^^^^
This

Was my thought as well.
Gets new modem/router combo from ISP. It uses a diff LAN network range, his equipment is on the old LAN network

Company changed...same eqiptment

 

[wittaj]

Company changed...same eqiptment

The ISP changed and the modem didn't?

 

[Mike A.]

My stuff hasnt changed... the only thing that has is my provider changed from sumofiber and a public wan to infinty and private ip....something about a double nat...

If your external WAN address is 104.x.x.x, then you don't have a "private" IP. That is in public address space, not in one of the reserved "private" IP address spaces. May well be something else going on beyond that.

If you know how to do it you could try to quickly set up a temporary port forward to your BI machine (or other simple web service inside of your network) on whatever port and then try to access it from outside of your network by that IP address. If you can get there, then it's something with your ddns, OpenVPN, etc. If you are double-natted then you'd need to do something different vs what you had as far as a VPN (ZeroTier, etc.).

ETA: Obviously, the forward just as a test. You don't want to leave it up and open like that.

 

[sparky9]

The ISP changed and the modem didn't?

Correct

 

[sparky9]

If your external WAN address is 104.x.x.x, then you don't have a "private" IP. That is in public address space, not in one of the reserved "private" IP address spaces. May well be something else going on beyond that.

If you know how to do it you could try to quickly set up a temporary port forward to your BI machine (or other simple web service inside of your network) on whatever port and then try to access it from outside of your network by that IP address. If you can get there, then it's something with your ddns, OpenVPN, etc. If you are double-natted then you'd need to do something different vs what you had as far as a VPN (ZeroTier, etc.).

ETA: Obviously, the forward just as a test. You don't want to leave it up and open like that.

Ok, i will try that, router said to port forward, but this site warns against so i was hesitant....i think double natted....dont know why....havent looked into this since oct...may be a couple days before i get this figured out... will post back after i try these possibly learn zerotier

 

[Mike A.]

I'd warn against it too. Definitely don't want to run or leave it up long that way. Test it, take the forward down.

I'm assuming so, but just to be clear, you can get to your BI server from another machine on you local network?

Also, in a command window run tracert 8.8.8.8 and post what that shows. Redact the last two places of the IP for your external IP. The rest doesn't matter.

 

[sparky9]

while doing some changes/testing I noticed my router has an wan ip address of 100.xx.xx.xxx....however after making new certificates, trying a few things and watching the openvpn log, I noticed it was trying to connect to 104.xx.xx.xxx. Searching show I may be behind a cg nat?
heres the tracert someone requested . i blocked out a few extra numbers as nothing actually matched up to anything except lan ip.

I typed in "tracert 8.8.8.8" into a cmd window

1 2 ms 1 ms 2 ms 192.168.45.1]
2 6 ms 3 ms 2 ms 100.73.xx.x
3 15 ms 13 ms 5 ms 38.95.xx.x
4 * * * Request timed out.
5 8 ms 7 ms 5 ms 104.234.xx.x
6 * * * Request timed out.
7 9 ms 10 ms 6 ms te0-3-1-5.rcr21.tpa01.atlas.cogentco.com [154.24.32.129]
8 11 ms 11 ms 11 ms be2261.ccr21.mia01.atlas.cogentco.com [154.54.5.81]
9 16 ms 14 ms 13 ms be8079.ccr82.mia03.atlas.cogentco.com [154.54.170.94]
10 10 ms 11 ms 11 ms be2258.ccr41.mia03.atlas.cogentco.com [154.54.168.85]
11 13 ms 11 ms 12 ms 154.54.12.250
12 15 ms 15 ms 14 ms 173.194.121.154
13 16 ms 10 ms 11 ms 142.251.239.73
14 11 ms 11 ms 10 ms 108.170.232.201
15 15 ms 11 ms 10 ms dns.google [8.8.8.8]

 

[Mike A.]

Looks like you are behind CGNAT. 100.73.x.x is within that reserved space. The 38.95.x.x likely is an internal address used by your provider. The 104.234.x.x likely is the outside-facing address for your provider's network. If you search the full IPs you should find the host names/networks in one of the reverse whois sites. The rest is just going out wherever over the Internet and not of any interest.

So, yeah, you'll probably need to do something differently since you can't get to your OpenVPN host directly. Take a look at zerotier or tailscale.