PepVPN without opening special ports?

According to the description of PepVPN, it has the following features: “…tunnel over any WAN link… compatible with any dynamic IP environment and NAT, allowing you to establish a VPN behind a NAT gateway or firewall without worrying about static IP addresses…”

I take this to mean that I can plug the WAN port of two PepVPN enabled devices (in my case Balance 20 and a SOHO) into any network with internet access (single WAN IP, via a router with NAT of course) and if they are correctly configured, they will establish a connection.

So, having their WAN ports connected to the same network, I successfully “paired” them using InControl2, confirmed the VPN had connected in its most basic setup with two subnets that can ping each other, and thought I was all set - until I moved one of the devices to my office and plugged the WAN port in there. Both units still appears in InControl2 and I can manage their settings, but they say “Starting…” for PepVPN. In other words: They cannot really create the tunnel apparently.

After some googling, it turns out that I may need to open a TCP port and a UDP port on the router in one of the locations. Is that true or what is wrong here? If I need to configure ports on the routers on either network, I don’t think the claim about PepVPN conveys the correct idea anymore. In that case I need access to my IT guy to help with the router ports. Not what I wanted.

Hopefully I don’t need to do this. I just want two boxes to create a “virtual ethernet cable” over “any WAN connection” without having to think about anything between those two points. Can that be done and if so, what do I need to focus my attention to?


True - but a connection to a hub device that has a routeable public IP.

No, because both devices are behind NAT. You either need a hub device to act as a middle hop between them or one device needs inbound routing (Port forwarding if on NAT) setup.

Yes. You either need to open the PepVPN ports to one of the devices (it can be a dynamic IP) or you need to build a Fusionhub in the cloud. There is a free Fusionhub solo license but that only supports a single Peer (device) so you’ll need the Fusionhub Essential license (which supports up to 5 remote devices).

1 Like

Thank you Martin. This gives me two interesting things to pursue:

  • In the meantime I tried to open the UDP and TCP ports on my Ubiquity EdgeRouter (having an internet IP on the WAN port) and point them to the IP of the Balance 20 sitting behind NAT. This made no difference apparently. Do I need to do this in both ends? In any case, is there a way to analyse how far the signal gets after doing such an operation? Thing just look the same. “Starting…” like if it made no difference.

  • Using FusionHub sounds like what I’m after. I understand the point to have a middle man for what I want. It seems like it’s software I would need to download - can I rather purchase this as a cloud service? I don’t want to personally set up a server to run this for me, just want the service to route my traffic between my two behind-NAT PepVPN points.

No just one end. TCP/UDP 32015 and UDP 4500

Check that 32015 is open using something like Open Port Check Tool - Test Port Forwarding on Your Router

Did you configure this with InControl 2? If so, I suspect you set this up as point to point? Change it to star and set the device behind the edge router as the hub and see if that helps.

Sure. I (and others here) provide this as a service. I’ll send you a message.

1 Like