Site to Site VPN, 2 HD MAX 2 routers both using cellular network with DDNS

Hi there,

I am facing difficulty setting up a site-to-site VPN. I am currently using 2 HD MAX2 routers, both with 3G/4G LTE cellular network. I have followed some of the site-to-site VPN discussions. Currently I have configured the routers in this format:

Router A
192.168.60.2 (Router IP)
Using DDNS function from noip on the Cellular 1 (details tab)
I set up my router VPN profile with the Router B Remote ID and left the Remote IP address slot blank.

Router B
192.168.50.1 (Router IP)
I did not activate the DDNS function from noip.com on the Cellular 1 (details tab)
I set up my router VPN profile with the Router A Remote ID and inserted the host name from Router A's noip DDNS in the Remote IP address slot.

However, I am unable to set up the VPN successfully. It stays stuck at "Starting Status" on the dashboard.

I have followed some videos from MartinLangmaid. However, I can't seem to connect no matter which variations I try. Please help.

Hi. If you look at the IP address assigned to the cellular connections on each HD2 I suspect you’ll see that they have a private IP address (eg in the 10.x.x.x range).

Mobile network operators tend to use carrier grade NAT to share a small allocation of public IP addresses with many hundreds of cellular devices connected to their network (there is effectively a NAT router between your cellular IP and the public internet). That NAT router is likely blocking inbound VPN requests to the HD2 devices, so the tunnel cannot start.

Here is an example, one of my customers in Portugal currently (screenshot omitted):

This BR1 has been allocated a private IP on the cellular WAN of 10.26.105.8, but InControl sees the management traffic coming from the public IP 85.255.232.114, which is the MNO NAT router's IP address. I cannot create a VPN tunnel to the public IP address shown, as the MNO filters inbound traffic.

You have three options:

  1. Buy SIMs / data contracts with public IP address allocations (only one HD2 device needs to have a public IP). If you do this, make sure your MNO provides firewall services on your behalf on this public IP, otherwise you might get a massive data bill.
  2. Use a third device as a VPN hub which has a public IP (like a hosted virtual FusionHub appliance or a physical Peplink Balance router) that the two HD2s connect to, so that they can then communicate.
  3. Test to see if you can route traffic on the private IP addressing provided by your mobile network operator. Sometimes (and it might take a call to get it turned on by the MNO) you can use the private IP allocated to you by the mobile network operator (ie the 10.x.x.x address) for direct device to device communication as the target for the inter device VPN.

Hi Martin,

Really appreciate your reply. Always felt that your videos and replies on other post are very informative and useful.

I am not really a network engineer by training, so I may not fully understand the underlying problem you have stated above.

Option 1 will be too costly for me (I have explored this option).
Option 2 will be difficult for me to implement as well (I have explored this option).
Option 3: I was able to implement the site-to-site VPN using the private IP address from the mobile network operator (i.e. the 10.x.x.x address). However, as you understand, the ISP will keep changing the IP address, so I won't have a stable site-to-site VPN connection whenever one of the cellular networks gets updated.

Pardon me for my lack of knowledge in this area. Based on what you have mentioned above, I understand that these are the factors affecting it and the approach I will try for troubleshooting.

Problem (Based on my understanding from what you shared above):
1) Current ISP NAT router is blocking the router VPN request.

Solution

  1. Try using SIM cards from another ISP.

I am also curious about using DDNS. I hope you can answer my doubt. When I implement DDNS on one of the Peplink routers:

The flow will be like this:
Peplink router (192.168.50.1) -> Cellular IP (10.XX.XX.XX) -> NAT router IP (85.X.X.X) -> DDNS hostname (119.x.x.x)

So effectively, if I may be so bold as to say it, if the ISP NAT router is not causing any problems, then no matter when the ISP assigns a new private IP to my cellular network, the DDNS will always take care of updating the new IP for me and the site-to-site VPN should be able to work.

If you can create a tunnel directly over the MNO's NAT network then you're sorted. Don't bother with Dynamic DNS or worry about IP address allocations changing; just use the VPN builder in IC2.
Create a Peer To Peer Network topology between the devices and hit save. IC2 knows what the WAN IPs are of both devices (the 10.x.x.x. IP’s) so if the MNO assigns a new IP IC2 will spot that and automatically build the VPN using the new addresses.

There is no Mobile Network Operator that I know of that doesn't use Carrier Grade NAT on dynamically assigned cellular IP addressing. Carrier grade NAT normally breaks VPN, unless you're lucky and inter-device routing is allowed (as is the case here). Of course, building a VPN between the private assigned WAN IPs will only work within the same ISP address space.
As you have likely found, the MNOs like to charge an arm and a leg for public IP addressing on a cellular data connection (many call this their M2M product offering and charge accordingly).

Normal dynamic dns sits on the internet and waits for registration requests. A registration comes from a device (typically behind NAT /Firewalls) that connects to the DynDNS service using a username and password and ID for authentication and identification purposes. When the DynDNS service receives the request it looks at the source IP of the request (which is the public IP of the NAT router) and updates its DNS record with that IP address (not the typically private IP that is on the WAN of the router).

Peplink includes a dynamic DNS service in IC2 called Find My Peplink (you can turn it on at the device settings level; screenshot omitted).


Hi MartinLangmaid,

Thanks for the advice above. Really appreciate it. Unfortunately my device is out of warranty and I will need to pay to subscribe to InControl, but I will consider it. Your information above is really useful and I will need some time to digest it. However, I discovered while using another ISP's SIM card that the IP address jumps between the ranges 14.x.x.x and 100.x.x.x, which is recorded on my router when I click the Cellular 1 details. From what I understand from searching the internet, these are considered public dynamic IP addresses, as the first octet does not start with 10.x.x.x or those in the picture below. Just to understand better: if my SIM card IP is 14.x.x.x or 100.x.x.x, does it mean I am still hiding behind a NAT router (I believe the answer is yes, but I just want to confirm it)? Will I still be able to use a dynamic domain name service if the SIM card IP address shown on my router is like those (14.x.x.x and 100.x.x.x)?

Thanks for your patience and understanding.


Yes, you're right that if the IP address directly assigned to the cellular WAN on your HD2 is not within the private class A/B/C subnets then it ought to be considered a public IP address.

Public IP address assignment on cellular WANs in that way is not something I typically see from mobile network providers unless you are paying for the privilege, and even then, when you do have a public IP, there is no guarantee that additional filtering / firewalling isn't in place.

One quick and dirty way to test if there is inbound filtering would be to temporarily enable device web admin on the cellular WAN (using HTTPS) in System > Admin Security (screenshot omitted).

Then, on another connected device (like a cellular-connected smartphone/tablet), try to connect to the https:// and see if you can access the web UI. If you can, then change the port from 443 to 445 and try again (https://:445) to confirm that it's not just standard web ports that have been allowed to pass.

When using Dynamic DNS, your DNS entry will get updated with the visible source public IP address seen in the network traffic that gets sent by your device via your ISP to the service. So if you did sign up to a dynamic dns service you would be able to compare the IP address it sees (by looking in your dynamic dns online control panel) with the IP address you see on the HD2 and confirm if they are the same or not.

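The two facts in the posts above (a 10.x.x.x cellular WAN address sitting behind a carrier NAT whose public address is what the outside world sees, and a dynamic DNS service recording the source IP of the update request rather than the address the router reports) can be checked mechanically. The following is an added example, not code from the thread or from Peplink: it labels the WAN address, simulates what a DynDNS-style service records, and gives a verdict. It also covers a point the thread does not, namely that 100.x.x.x is only "private" when it falls inside 100.64.0.0/10, the RFC 6598 shared address space carriers use for CGNAT. The addresses 10.26.105.8 and 85.255.232.114 come from the Portugal example; the hostname, token and other addresses are constructed.

```python
"""Added example, not code from the thread: decide what kind of address a
cellular WAN has been given and compare it with the address a dynamic-DNS
service would record.  The service sees only the source IP of the update
request, i.e. the carrier NAT's public address when one is in the path."""
import ipaddress

# RFC 1918 space, which the thread calls the private class A/B/C subnets.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, reserved for carrier-grade NAT.  A
# 100.x.x.x address is only "private" if it is inside this /10
# (100.64.0.0 to 100.127.255.255); other 100.x.x.x addresses are public.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Label an address as rfc1918-private, cgnat-shared, special or public."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    if ip in CGNAT_SHARED:
        return "cgnat-shared"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return "special"
    return "public"


class FakeDdnsService:
    """Stand-in for a DynDNS-style update endpoint.  Real services ignore the
    address the client believes it has and store the source IP of the
    request, so that is what this stand-in records."""

    def __init__(self):
        self.records = {}

    def update(self, hostname: str, token: str, source_ip: str) -> str:
        # Credentials only identify the record; the value is the address
        # the request arrived from.  The token is a constructed placeholder.
        if token != "example-token":
            raise PermissionError("bad credentials for %s" % hostname)
        self.records[hostname] = source_ip
        return source_ip


def nat_verdict(wan_ip: str, visible_ip: str) -> str:
    """Compare the router's own WAN address with what the DDNS service saw.

    behind-nat:        WAN address is RFC 1918 or CGNAT space; an inbound
                       tunnel request to the DDNS name reaches the carrier's
                       NAT, not the router.
    direct:            WAN address is public and equals the visible one, so
                       the DDNS name points at the router itself (inbound
                       filtering is still possible).
    translated-public: WAN address looks public but the service saw a
                       different one, so something upstream still rewrites
                       the source address.
    """
    if classify(wan_ip) in ("rfc1918-private", "cgnat-shared"):
        return "behind-nat"
    if wan_ip == visible_ip:
        return "direct"
    return "translated-public"


def demo() -> str:
    """Router A registers its hostname; the carrier NAT rewrites the source
    to 85.255.232.114 before the packet reaches the service."""
    svc = FakeDdnsService()
    seen = svc.update("router-a.example", "example-token", "85.255.232.114")
    return nat_verdict("10.26.105.8", seen)


if __name__ == "__main__":
    for ip in ("10.26.105.8", "100.100.1.1", "100.1.2.3", "14.1.2.3"):
        print(ip, classify(ip))
    print("verdict:", demo())
```

In practice the two inputs to `nat_verdict` are the address shown on the router's Cellular 1 details tab and the address shown in the dynamic DNS provider's control panel after an update; a "behind-nat" or "translated-public" result means a DDNS name will resolve to the carrier's NAT device, not to the router.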

Hi Martin,

I followed the instructions that you gave me. For the above, I can only connect to the router web admin GUI if the web admin port is 443. But when I set it to 445, I am unable to connect to the web admin GUI. If the above is true, does that mean that the dynamic DNS service will not work?
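The reachability test described a few posts up (expose web admin on the cellular WAN, connect from another network on 443, then on a second port) and the result reported here (443 answers, 445 does not) can be turned into a small probe with an explicit verdict. This is an added example, not code from the thread or from Peplink. The connector is injectable so the decision logic can be exercised offline; the hostname and the extra port 8443 are constructed assumptions.

```python
"""Added example, not from the thread: probe a router's exposed web admin
port from outside and classify what the carrier lets through."""
import socket
from typing import Callable, Dict, Iterable

# 443 is the normal HTTPS port and 445 is the second port suggested in the
# thread.  445 is also SMB, which many operators block on its own, so a
# third, less loaded port is probed as well to tell "only 443 allowed"
# apart from "445 specifically blocked".  8443 is an assumption.
DEFAULT_PORTS = (443, 445, 8443)


def tcp_connect(host: str, port: int, timeout: float = 5.0) -> bool:
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host: str, ports: Iterable[int] = DEFAULT_PORTS,
          connect: Callable[[str, int], bool] = tcp_connect) -> Dict[int, bool]:
    """Try each port once and record whether the connection was accepted."""
    return {port: connect(host, port) for port in ports}


def verdict(results: Dict[int, bool]) -> str:
    """Summarise probe results.

    inbound-open:    every port answered, nothing upstream is filtering.
    no-inbound:      nothing answered; filtered, or the address is not
                     really reachable from the internet.
    well-known-only: only 443 answered, which suggests the operator passes
                     standard web ports and drops the rest, so a VPN on a
                     non-web port would not get through either.
    port-filtered:   some non-443 ports answered, so only specific ports
                     are blocked.
    """
    open_ports = {port for port, ok in results.items() if ok}
    if not open_ports:
        return "no-inbound"
    if open_ports == set(results):
        return "inbound-open"
    if open_ports == {443}:
        return "well-known-only"
    return "port-filtered"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "router-a.example"
    results = probe(target)
    for port, ok in results.items():
        print(port, "open" if ok else "closed/filtered")
    print(verdict(results))
```

Run it from a device on a different network (the cellular-connected phone or tablet suggested in the thread), against the router's DDNS name or the WAN address from the details tab, and switch web admin on the WAN off again as soon as the test is done. A "well-known-only" result matches what was reported in this post.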

Hi Martin,

I was able to get the site-to-site VPN working using the dynamic DNS method. Thanks for your support all this while; I learned a lot from you. I have another problem now. I am hoping to use a notebook that has a cellular network adapter installed in it. I wish to connect the notebook directly to the Peplink router. I am wondering if you have any suggestion on how I should go about doing this?

Glad you got it working. Surprised you managed to use Dynamic DNS to do so. To connect your laptop as a remote client you need to look at the remote user settings on the Peplink device. You want to use PPTP over IPSEC.


Hi Martin,

I am pleasantly surprised as well. Thanks for all the help =)

Hi Martin,

I am facing another problem and am wondering if you are able to help. I connected my two HD routers and was able to create a VPN tunnel between both routers using 4G cellular network and DDNS. However, I am unable to communicate with my other devices that are connected via Ethernet to the router. Are you able to help?

Things to check are:

  1. Can you ping those LAN devices using the web UI ping tool of the HD4 they are connected to? (If so, neither the HD4 nor the LAN devices have rules blocking ping.)
  2. Can you ping the LAN IP of the HD4 those LAN devices are connected to from the web UI of the HD4 at the other end of the tunnel? (If so, then the PepVPN is up and traffic is passing.)
  3. Can that remote HD4 at the other end of the tunnel ping the LAN devices in question? (If so, then traffic is routing correctly across the tunnel and the issue is something local to you.)
  • If 1-3 are true then the device you are pinging from at the remote HD4 end isn’t using that HD4 as its default gateway.
  • If 1-2 are true then the LAN devices connected to the target HD4 are not using it as their default gateway.

Or it's something else entirely. Have a play and tell me at what stage things fail.


Thanks for the advice. I realized that it could work once I activated the NAT mode option checkbox on the PepVPN page in the settings on one of the routers (the one using DDNS, which was connected to all my devices); on the other router, which was connected to my laptop, I didn't activate the NAT mode option. I am not sure why it worked after I did that. I am wondering if you are able to enlighten me, Martin.

Hello Fun_Sherwin,
I now have the same problem. Please share how to set up the configuration.