Connecting remotely via OpenVPN

Have a MAX BR1 Pro 5G with multiple WAN inputs (cellular, Wi-Fi and Starlink via the WAN port). Also using SFC Protect. Have been unsuccessful in connecting via OpenVPN. As part of troubleshooting, have disabled all WAN inputs except one, reset OpenVPN settings to just the one active source and redownloaded the OpenVPN file from the status page. Unsuccessful in connecting to the system no matter which individual WAN input is active, nor when SFC Protect is disabled (redownloading the config file each time). Basically the OpenVPN client tries to log in (going to the correct IP address), then times out with a Transport Error, socket protect UDP.

I’m using the default UDP setting (1194) and have also set UDP 1194 and TCP 443 and 943 to be open from any to any in the firewall. From the log, it looks like the MAX BR1 is rejecting the connection for some reason.

Log file extract below, open to any ideas/suggestions on how to get this to work as the ability to remotely access the network was a big part of why I purchased the Peplink unit.

—Log file—

[May 4, 2023, 10:52:16] EVENT: RECONNECTING
[May 4, 2023, 10:52:16] EVENT: RESOLVE
[May 4, 2023, 10:52:16] Contacting 30.90.217.43:1194 via UDP
[May 4, 2023, 10:52:16] EVENT: WAIT
[May 4, 2023, 10:52:16] WinCommandAgent: transmitting bypass route to 30.90.217.43
{
"host" : "30.90.217.43",
"ipv6" : false
}

[May 4, 2023, 10:52:16] Transport Error: socket_protect error (UDP)
[May 4, 2023, 10:52:16] Client terminated, restarting in 2000 ms...
[May 4, 2023, 10:52:18] EVENT: RECONNECTING
[May 4, 2023, 10:52:18] EVENT: RESOLVE
[May 4, 2023, 10:52:18] Contacting 30.90.217.43:1194 via UDP
[May 4, 2023, 10:52:18] EVENT: WAIT
[May 4, 2023, 10:52:18] WinCommandAgent: transmitting bypass route to 30.90.217.43
{
"host" : "30.90.217.43",
"ipv6" : false
}
.
.
.
bottom of file after 40 seconds of repeated efforts to login
.
.
.

[May 4, 2023, 10:52:44] Transport Error: socket_protect error (UDP)
[May 4, 2023, 10:52:44] Client terminated, restarting in 2000 ms...
[May 4, 2023, 10:52:45] EVENT: CONNECTION_TIMEOUT SOCKET_PROTECT_ERROR : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 29
[May 4, 2023, 10:52:45] EVENT: DISCONNECTED

Hi Dave,

It sounds to me like the issue you are having is because all of your WAN connections are behind a NAT or CGNAT.

You can confirm this by going to ipchicken or whatsmyip and comparing the IP address against what the router is showing.
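The comparison Tim describes, written out as a small script. This is an added example, not part of the thread and not Peplink's own tooling: it classifies the address the router shows on its WAN status page (RFC 6598 100.64.0.0/10 is the carrier-grade NAT shared range that cellular carriers and Starlink commonly assign; RFC 1918 ranges mean a private upstream router) and compares it with the address an external "what is my IP" site reports over the same WAN. The addresses in SAMPLE_WAN_STATUS are constructed documentation addresses, not real ones; the function names are this example's own.

```python
import ipaddress

# Address space that the public internet cannot route to.
# RFC 6598 100.64.0.0/10 is the carrier-grade NAT "shared address space"
# that cellular carriers and Starlink commonly hand out to customer routers.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan_address(addr):
    """Return "cgnat", "private", "non-routable" or "public" for one WAN address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_NET:
        return "cgnat"
    if ip.version == 4 and any(ip in net for net in RFC1918_NETS):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return "non-routable"
    return "public"


def assess_inbound_reachability(router_wan_ip, observed_public_ip):
    """Compare the router's WAN address with the one an external site reports.

    Inbound OpenVPN can only reach the router when the WAN address is public
    and equals what the internet sees; anything else means an upstream NAT
    that the router does not control, so DDNS and port rules cannot help.
    """
    kind = classify_wan_address(router_wan_ip)
    if kind != "public":
        return {"kind": kind, "natted": True,
                "verdict": f"WAN address is {kind}: upstream NAT, inbound OpenVPN cannot reach the router"}
    if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(observed_public_ip):
        return {"kind": kind, "natted": True,
                "verdict": "WAN address is public but the internet sees a different one: upstream NAT"}
    return {"kind": kind, "natted": False,
            "verdict": "WAN address matches the public address; inbound works once the port is open"}


# Constructed sample (documentation addresses, not real): what each WAN's
# status page showed next to what an external IP-check site reported over it.
SAMPLE_WAN_STATUS = {
    "cellular": ("100.72.3.9", "198.51.100.7"),
    "starlink": ("100.80.14.2", "198.51.100.7"),
    "home-cable": ("203.0.113.25", "203.0.113.25"),
}


def check_all(wan_status=SAMPLE_WAN_STATUS):
    """Run the assessment over every WAN and return {name: verdict dict}."""
    return {name: assess_inbound_reachability(wan, seen)
            for name, (wan, seen) in wan_status.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:11s} {result['kind']:12s} {result['verdict']}")
```

Only the "home-cable" sample comes back as reachable; both 100.x addresses are flagged as CGNAT before the comparison is even needed, which is the situation the thread describes.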

Tim,

I am using DDNS to point to the current IP address. Is there something else I need to do?

Dave,

DDNS is only going to use the IP address that the router is getting and this is NAT’d in your case and will not work.

If you need to access devices on the LAN side of the BR1 then I recommend using the powerful InTouch feature on InControl. It doesn’t matter if you are behind a NAT and it works great!

Thanks. Actually I’m trying to VPN into the network remotely so I can not only access devices on the network but also so I can securely VPN in and then access the internet from that location (much like I VPN in to my home network and then access the internet from there). To be honest, I’m very surprised I can’t do this because I certainly have used OpenVPN to access my home network via both Starlink and cellular networks (but with an OpenVPN server on my home Synology). In this case I’m trying to use the MAX BR1 OpenVPN server and I can’t understand why it isn’t working.

Clearly others have gotten it to work and InTouch doesn’t let you do what I’m trying to do… it just appears to let you access a device which has a web server or responds to an https:// query (as far as I can tell).

Hi Dave,

The reason you can VPN into your home network is because your home internet connection has an IP address that accepts incoming connections. Your BR1 does not. The only way you will be able to VPN into the BR1 is if one of the WAN IPs can accept incoming connections. You can try to subscribe for a static IP from a cellular carrier or upgrade your Starlink plan to the premium/business plan but this will get spendy.

Another option for inbound access behind a NAT is to spin up a free FusionHub Solo on Vultr or similar for like $10/month. This will give you a static IP but you still need to port-forward in to the BR1.

At this point why not just use the InControl InTouch feature? It will allow you to connect to ANY device on the BR1 LAN via http/https/SSH/Telnet/RDP or VNC. Simple, reliable, and free as long as your device has an active Care plan.

Hope this helps.

Just to verify the problem, you can run nmap or an online port tester/probe on the public IP addresses that the MAX BR1 Pro is using. Steve Gibson’s Shields Up can test a single TCP port like this:

https://www.grc.com/x/portprobe=443

It does not do UDP.
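The same single-port TCP check, done from any host on the internet toward the router's public address, as an added example that is not part of this thread and not Peplink's or GRC's tooling. It separates a refused port (something at that address answered, so the address is reachable) from silence (nothing answered within the timeout, which is what a CGNAT address looks like from outside), and self_check() exercises it offline against a throwaway local listener. ROUTER_PUBLIC_IP is a placeholder and the function names are this example's own.

```python
import socket


def tcp_port_state(host, port, timeout=3.0):
    """Return "open", "closed" or "filtered" for one TCP port on host.

    "closed"   : the host answered with a reset, so the address is reachable
                 but nothing is listening on that port.
    "filtered" : no answer at all within the timeout; the SYN never reached a
                 host that would respond, which is what CGNAT looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (TimeoutError, OSError):
        # socket.timeout is an alias of TimeoutError on current Pythons;
        # other OSErrors (host/network unreachable) are reported as filtered.
        return "filtered"


def self_check():
    """Exercise the probe offline: first while a local listener is up, then after it closes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = tcp_port_state("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_port_state("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


# Placeholder: substitute the address the external IP-check site reported.
ROUTER_PUBLIC_IP = "203.0.113.25"
# The TCP ports opened in the firewall earlier in the thread.
OPENVPN_TCP_PORTS = (443, 943)

if __name__ == "__main__":
    print("self-check:", self_check())
    for port in OPENVPN_TCP_PORTS:
        print(f"{ROUTER_PUBLIC_IP}:{port} -> {tcp_port_state(ROUTER_PUBLIC_IP, port)}")
```

Run it from a machine that is not on the BR1's LAN, otherwise you are testing the LAN path rather than the inbound one. This check covers TCP only, for the same reason the Shields Up probe does: an OpenVPN server does not answer arbitrary UDP datagrams, so the absence of a UDP reply on 1194 tells you nothing about reachability.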

Thanks. Will use it when next at the site.