Servers behind CGNAT

geffers
Posts: 80
Joined: Sat Feb 12, 2022 2:01 am

Servers behind CGNAT

#1 Post by geffers »

System:    Kernel: 5.10.0-32-amd64 [5.10.223-1] x86_64 bits: 64 compiler: gcc v: 10.2.1 
           parameters: BOOT_IMAGE=/boot/vmlinuz-5.10.0-32-amd64 root=UUID=<filter> ro splash quiet 
           init=/lib/systemd/systemd 
           Desktop: KDE Plasma 5.20.5 wm: kwin_x11 vt: 7 dm: SDDM 
           Distro: MX-21.3_KDE_x64 Wildflower September 18  2022 
           base: Debian GNU/Linux 11 (bullseye) 
Machine:   Type: Laptop System: TOSHIBA product: SATELLITE C55D-C v: PSCQEE-03C00TEN 
           serial: <filter> 
           Mobo: FF50 model: 06F7 serial: <filter> UEFI: Insyde v: 5.20 date: 10/02/2015 
Battery:   ID-1: BAT1 charge: 8.2 Wh (32.4%) condition: 25.3/31.7 Wh (79.9%) volts: 15.5 min: 14.4 
           model: Panasonic PA5185U-1BRS type: Li-ion serial: N/A status: Charging cycles: 259 
CPU:       Info: Quad Core model: AMD A8-7410 APU with AMD Radeon R5 Graphics bits: 64 type: MCP 
           arch: Puma family: 16 (22) model-id: 30 (48) stepping: 1 microcode: 7030105 cache: 
           L2: 2 MiB 
           flags: avx lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 17567 
           Speed: 1339 MHz min/max: 1000/2200 MHz boost: enabled Core speeds (MHz): 1: 1339 
           2: 1235 3: 1224 4: 1339 
           Vulnerabilities: Type: gather_data_sampling status: Not affected 
           Type: itlb_multihit status: Not affected 
           Type: l1tf status: Not affected 
           Type: mds status: Not affected 
           Type: meltdown status: Not affected 
           Type: mmio_stale_data status: Not affected 
           Type: reg_file_data_sampling status: Not affected 
           Type: retbleed mitigation: untrained return thunk; SMT disabled 
           Type: spec_rstack_overflow status: Not affected 
           Type: spec_store_bypass 
           mitigation: Speculative Store Bypass disabled via prctl and seccomp 
           Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization 
           Type: spectre_v2 
           mitigation: Retpolines, STIBP: disabled, RSB filling, PBRSB-eIBRS: Not affected 
           Type: srbds status: Not affected 
           Type: tsx_async_abort status: Not affected 
Graphics:  Device-1: AMD Mullins [Radeon R4/R5 Graphics] vendor: Toshiba driver: radeon v: kernel 
           alternate: amdgpu bus-ID: 00:01.0 chip-ID: 1002:9851 class-ID: 0300 
           Device-2: IMC Networks TOSHIBA Web Camera - HD type: USB driver: uvcvideo 
           bus-ID: 2-1.1:3 chip-ID: 13d3:5652 class-ID: 0e02 serial: <filter> 
           Display: x11 server: X.Org 1.20.14 compositor: kwin_x11 driver: loaded: ati,radeon 
           unloaded: fbdev,modesetting,vesa display-ID: :0 screens: 1 
           Screen-1: 0 s-res: 1366x768 s-dpi: 96 s-size: 361x203mm (14.2x8.0") 
           s-diag: 414mm (16.3") 
           Monitor-1: eDP res: 1366x768 hz: 60 dpi: 101 size: 344x194mm (13.5x7.6") 
           diag: 395mm (15.5") 
           OpenGL: renderer: AMD KABINI (LLVM 14.0.5 DRM 2.50 5.10.0-32-amd64) v: 4.5 Mesa 22.0.5 
           direct render: Yes 
Audio:     Device-1: AMD Kabini HDMI/DP Audio vendor: Toshiba driver: snd_hda_intel v: kernel 
           bus-ID: 00:01.1 chip-ID: 1002:9840 class-ID: 0403 
           Device-2: AMD FCH Azalia vendor: Toshiba driver: snd_hda_intel v: kernel 
           bus-ID: 00:14.2 chip-ID: 1022:780d class-ID: 0403 
           Sound Server-1: ALSA v: k5.10.0-32-amd64 running: yes 
           Sound Server-2: PulseAudio v: 14.2 running: yes 
Network:   Device-1: Realtek RTL810xE PCI Express Fast Ethernet vendor: Toshiba driver: r8169 
           v: kernel port: 3000 bus-ID: 01:00.0 chip-ID: 10ec:8136 class-ID: 0200 
           IF: eth0 state: down mac: <filter> 
           Device-2: Realtek RTL8821AE 802.11ac PCIe Wireless Network Adapter driver: rtl8821ae 
           v: kernel modules: wl port: 2000 bus-ID: 02:00.0 chip-ID: 10ec:8821 class-ID: 0280 
           IF: wlan0 state: up mac: <filter> 
Bluetooth: Device-1: Toshiba Bluetooth Radio type: USB driver: btusb v: 0.8 bus-ID: 2-1.2:4 
           chip-ID: 0930:022f class-ID: e001 serial: <filter> 
           Report: hciconfig ID: hci0 rfk-id: 2 state: up address: <filter> bt-v: 2.1 lmp-v: 4.0 
           sub-v: 8821 hci-v: 4.0 rev: a 
           Info: acl-mtu: 820:8 sco-mtu: 255:16 link-policy: rswitch hold sniff park 
           link-mode: slave accept service-classes: rendering, capturing, object transfer, audio 
Drives:    Local Storage: total: 465.76 GiB used: 41.21 GiB (8.8%) 
           SMART Message: Unable to run smartctl. Root privileges required. 
           ID-1: /dev/sda maj-min: 8:0 vendor: Crucial model: CT500MX500SSD1 size: 465.76 GiB 
           block-size: physical: 4096 B logical: 512 B speed: 6.0 Gb/s type: SSD serial: <filter> 
           rev: 043 scheme: GPT 
Partition: ID-1: / raw-size: 48.83 GiB size: 47.76 GiB (97.81%) used: 41.08 GiB (86.0%) fs: ext4 
           dev: /dev/sda5 maj-min: 8:5 
           ID-2: /boot/efi raw-size: 260 MiB size: 256 MiB (98.46%) used: 127.1 MiB (49.7%) 
           fs: vfat dev: /dev/sda1 maj-min: 8:1 
Swap:      Alert: No swap data was found. 
Sensors:   System Temperatures: cpu: 58.8 C mobo: N/A gpu: radeon temp: 53.0 C 
           Fan Speeds (RPM): N/A 
Repos:     Packages: note: see --pkg apt: 2747 lib: 1514 flatpak: 0 
           No active apt repos in: /etc/apt/sources.list 
           Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list 
           1: deb http://deb.debian.org/debian bullseye-updates main contrib non-free
           Active apt repos in: /etc/apt/sources.list.d/debian.list 
           1: deb http://deb.debian.org/debian bullseye main contrib non-free
           2: deb http://security.debian.org/debian-security bullseye-security main contrib non-free
           Active apt repos in: /etc/apt/sources.list.d/mkusb.list 
           1: deb http://ppa.launchpad.net/mkusb/ppa/ubuntu bionic main
           Active apt repos in: /etc/apt/sources.list.d/mx.list 
           1: deb http://mxlinux.mirrors.uk2.net/packages/mx/repo/ bullseye main non-free
           2: deb http://mxlinux.mirrors.uk2.net/packages/mx/repo/ bullseye ahs
           Active apt repos in: /etc/apt/sources.list.d/signal-xenial.list 
           1: deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main
Info:      Processes: 236 Uptime: 2h 33m wakeups: 1 Memory: 10.66 GiB used: 2.51 GiB (23.5%) 
           Init: systemd v: 247 runlevel: 5 default: 5 tool: systemctl Compilers: gcc: 10.2.1 
           alt: 10 Client: shell wrapper v: 5.1.4-release inxi: 3.3.06 
Boot Mode: UEFI

Folks,

For a good few years I've used port redirection to run a number of servers on my home network and to make some of them available from outside. I recently changed Internet provider and have now discovered the delights (aka problems) of CGNAT. I used to run a personal VPN on a Raspberry Pi, and connecting to it gave me access to all my servers without the need to open ports on my router (I did open 80 and 443 for obvious reasons). Now with CGNAT I am unable to access my personal VPN.

I understand NAT but was oblivious to CGNAT so am now finding out the complications of trying to run servers behind such a system.

Any suggestions appreciated. I have a domain name I use which is now useless (for the moment); I've read a wee bit about Cloudflare tunnels and ngrok, but initially am wondering about a reverse proxy with SSH.

Geffers
Last edited by geffers on Sat Sep 21, 2024 12:41 pm, edited 1 time in total.

CharlesV
Administrator
Posts: 8066
Joined: Sun Jul 07, 2019 5:11 pm

Re: Servers behind CHNAT

#2 Post by CharlesV »

I think I would start by figuring out what the new ISP is doing.

If they broke your NAT, then the question is what is different. The obvious answer is that *their* external ip changed.

But what happened to YOUR external IP? Is it still an external (i.e. public) IP, or did it change to a Class C (i.e. private) IP?

And if it went private inside your ISP (i.e. YOUR external IP is a private IP), then do they even allow forwarding and such?
(Some / many ISPs don't allow internal routing if they have private IPs. The last two places I lived are like this.)
*QSI = Quick System Info from menu (Copy for Forum)
*MXPI = MX Package Installer
*Please check the solved checkbox on the post that solved it.
*Linux -This is the way!

geffers
Posts: 80
Joined: Sat Feb 12, 2022 2:01 am

Re: Servers behind CHNAT

#3 Post by geffers »

Seems I had a typo in the title, should have read CGNAT not CHNAT

It's a change of internet supplier, and the new supplier uses CGNAT; they haven't broken anything. CGNAT is NAT on the WAN side as opposed to NAT on the LAN side; as a result, I get no public-facing IP address.

Geffers
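
Added here as an illustration, not code from the thread: a small Python check for the question the last two posts turn on, namely whether the address on the router's WAN side is public, RFC 1918 private, or in the RFC 6598 shared space 100.64.0.0/10 that CGNAT deployments use, and whether it matches the address an outside host reports. All sample addresses are constructed; IPv6 handling goes beyond the thread and is included because CGNAT is an IPv4 mechanism.

```python
import ipaddress

# Blocks a router's WAN address may fall into. Sample addresses used below
# are constructed for illustration, not taken from the thread.
RFC1918_PRIVATE = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space


def classify(addr: str) -> str:
    """Label one address: 'public', 'private' (RFC 1918), 'cgnat' (RFC 6598)
    or 'other' (loopback, link-local, ULA, documentation ranges, ...)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        # CGNAT is an IPv4 mechanism; a global IPv6 address is reachable as-is.
        return "public" if ip.is_global else "other"
    if ip in CGNAT_SHARED:
        return "cgnat"
    if any(ip in net for net in RFC1918_PRIVATE):
        return "private"
    return "public" if ip.is_global else "other"


def diagnose(router_wan: str, seen_from_internet: str) -> str:
    """Compare the WAN address shown on the router's status page with the
    address an outside host reports for you. Inbound port forwarding can only
    work when the router itself holds the public address the Internet sees."""
    kind = classify(router_wan)
    if kind == "cgnat":
        return ("cgnat: WAN address is in 100.64.0.0/10, so the ISP translates "
                "you again upstream; no inbound port can be forwarded to you")
    if kind == "private":
        return "upstream-nat: WAN address is RFC 1918; another NAT sits in front of you"
    if kind == "public":
        if ipaddress.ip_address(router_wan) == ipaddress.ip_address(seen_from_internet):
            return "direct: router holds the public address; port forwarding can work"
        return ("upstream-nat: WAN address looks public but differs from what the "
                "Internet sees, so it is still being translated upstream")
    return "unknown: WAN address is not a routable unicast address"


if __name__ == "__main__":
    # Constructed sample: router shows a shared-space address while an outside
    # host reports 8.8.8.8 (a well-known public address used as a stand-in).
    print(diagnose("100.72.3.9", "8.8.8.8"))
```

In practice the first argument comes from the router's WAN status page and the second from any "what is my IP" service queried from inside the LAN.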

CharlesV
Administrator
Posts: 8066
Joined: Sun Jul 07, 2019 5:11 pm

Re: Servers behind CGNAT

#4 Post by CharlesV »

Ah I see. So your new ISP has CGNAT and your VPN server cannot receive connections?

You might try moving to a new VPN. I have found both VPN.com and ZeroTier VPNs work through just about all ISP 'tweakage'.

Otherwise... You're probably going to have to work with your ISP to route that port back to you.

geffers
Posts: 80
Joined: Sat Feb 12, 2022 2:01 am

Re: Servers behind CGNAT

#5 Post by geffers »

CharlesV wrote: Sat Sep 21, 2024 9:56 pm
Ah I see. So your new ISP has CGNAT and your VPN server cannot receive connections?

You might try moving to a new VPN. I have found both VPN.com and ZeroTier VPNs work through just about all ISP 'tweakage'.

Otherwise... You're probably going to have to work with your ISP to route that port back to you.

It is a personal VPN on my own network (https://www.pivpn.io/). It is a fully functional VPN and, being on my own network, once connected my network is then available without opening any ports. That is one of the main purposes of it, but when accessed from a remote location all traffic appears as though you are at home.

Geffers

CharlesV
Administrator
Posts: 8066
Joined: Sun Jul 07, 2019 5:11 pm

Re: Servers behind CGNAT

#6 Post by CharlesV »

Right, that is what both VPN.com and ZeroTier are.

timkb4cq
Developer
Posts: 3626
Joined: Wed Jul 12, 2006 4:05 pm

Re: Servers behind CGNAT

#7 Post by timkb4cq »

CGNAT usually only applies to IPv4 addresses. Have you tried using an IPv6 address for your VPN?
HP Pavilion TP01, AMD Ryzen 3 5300G (quad core), Crucial 500GB SSD, Toshiba 6TB 7200rpm
Dell Inspiron 15, AMD Ryzen 7 2700u (quad core), Sabrent 500GB NVMe, Seagate 1TB
