Intranet Access Season 3: Under the Carrier’s CGNAT Network

/ 贺叶霜的树

Original link: https://blog.heysh.xyz/2023/05/10/through-nat/

ping1.png

Yep, after this and this , now that I’m bored in the hotel, I’m back to VPN.

Yes, there are still no IPv6 addresses in hotels.

Why

As mentioned above , no matter it is Tailscale/Headscale, Nebula or Netmaker, the principles are similar. They are all based on Wireguard, use STUN-like protocol to traverse NAT, or use TURN (DERP) server for forwarding. In the domestic home broadband network environment, there are generally triple NAT firewalls of routers, optical modems, and operators. STUN needs to overcome multiple obstacles, and the hope of automatic traversal is slim; Cloud prices are also unattainable, and self-built services are not an economical choice.

However, triple NAT is not impenetrable. At the first level of optical modem, as long as it is changed to bridging, it can be easily solved; at the first level of routing, it can be bypassed through port mapping; and at the carrier level, most of them are NAT1, and through Natter or natmap , the effect similar to the public network can be obtained. In this way, using pure Wireguard can also directly return to the inside of the home network, eliminating the trouble of transit abroad.

From Guangdong Unicom to Beijing Unicom.

From Guangdong Unicom to Beijing Unicom.

From Guangdong Unicom via Beijing Unicom to Gansu Mobile. Personally, I feel that it is no longer important to pursue Full Mesh under such a delay.

From Guangdong Unicom via Beijing Unicom to Gansu Mobile. Personally, I feel that it is no longer important to pursue Full Mesh under such a delay.

How to do it

Before starting, first check that the following requirements are met:

  1. A device that is turned on for a long time.

    Since there is a requirement for remote access, it is natural to have a server in the distance.

  2. The optical modem is in bridge state.
  3. The main router is OpenWRT, or there is a DMZ host in the intranet.

    Or, if you are an expert in port forwarding, you can forward all the way from the outside of the optical modem to the innermost part.

  4. There is no public network IPv4, but the test NAT type at the router is NAT1.

    Here you can use the functions that come with Natter to test. If you have public IPv4, just open the port, and I will envy you.

  5. An own domain name, preferably hosted on Cloudflare.

    The DDNS function is required to update the domain name in real time. If there is no domain name, some other means may be needed to obtain the port in real time.

The specific configuration part has been written in great detail. First set the point-to-site connection according to the WireGuard Point to Site Configuration , and then set the NATMap according to the natmap Wiki . Note that when operating on the router, you must remember to open the corresponding port in the firewall.

After completing the above steps, you should be able to access the Wireguard Peer of the intranet from the mobile network.

little problem

Since the carrier gateway is not under our control, the IP and port numbers of the external network are randomly assigned. Whenever the address changes, NATMap will execute a custom script. In the Wiki above, the IPv4 address and port are encoded into the IPv6 AAAA record using DDNS. This is not a standard technique, but since 2001:: is for teredo , it doesn’t matter if you use it here.

For the Wireguard client under Windows, I (with ChatGPT) wrote a PowerShell script that can automatically modify Endpoint of the configuration file and call wireguard.exe to connect.

Instructions:

  1. Install wireguard-windows and test successfully with the client connection.
  2. Create wg.ps1 and nat.conf under the folder C:\example , and paste the Gist content.
  3. Modify nat.conf according to the actual situation, and the $Hostname part in wg.ps1 . Endpoint does not need to be modified.
  4. Run PowerShell as administrator
  5. Set ps1 script execution permissions: Set-ExecutionPolicy RemoteSigned (or Unrestricted)
  6. Start and restart Wireguard: C:\example\wg.ps1 -up
  7. Stop Wireguard: C:\example\wg.ps1 -down

On Windows 11, Powershell 5.1.22621.963 has passed the test, and it can also be used with sudo under Windows.

In addition, under Android, you can also use termux to run nm-echo.sh to obtain the IP address, and manually modify the IP in the official Wireguard client.

The last port I allocated here lasted for 18 days, so it should not be necessary to refresh frequently.

The last port I allocated here lasted for 18 days, so it should not be necessary to refresh frequently.

If you need more stable access, you can refer to reresolve-dns.ps1 , this script can refresh DNS when the last handshake time is too long, but it is a bit too complicated because of the need to add scheduled tasks.

Bonus

Another usage of Natmap is to map BitTorrent clients, so that external connections can actively initiate connections and obtain the so-called High ID . See wits-fe/bittorrent-NAT-hole-punching . Should be useful when seeding at PT stations.

It’s hard to imagine that I have spent so much energy on such a simple need to access the intranet. However, this time it should be regarded as a relatively satisfactory plan at present, and it should be able to persist until the next Mercury retrograde begins.

This article is transferred from: https://blog.heysh.xyz/2023/05/10/through-nat/
This site is only for collection, and the copyright belongs to the original author.