
Public IP using DIGITAL OCEAN Droplet

Posted: Tue Dec 06, 2022 3:10 pm
by C2OST
Hello,

Situation:
For a project we are trying to make a static IP using a 4G router work (anywhere in the world with 4G service). We have a (server/remote client) that we want to connect to our network using a 4G router. Sadly, we cannot list the reason why, but this is what we are trying to accomplish:

Network requirements
- MTU 1500
- UDP Ports 10301 - 13555
- ESP traffic
- Static public IP (No NAT)

What are we using

- 4g Connection using an ASUS 4g-RT86U router. (VPN Client)
- Digital ocean droplet (Static public IP) with openVPN Access server.
- regular laptop not in any domain (Testing purposes)

Best case would be if we could bridge the droplet public IP to the client behind the 4g-RT86U so it is reachable via public internet.

Since we can not really think of a way to do this we are trying the following:

digital ocean OVPN Access server (Public IP) -->
OVPN Client (4G-TR86U) --> Network on router interfaces: 192.168.50.0/30 ip pool 192.168.50.1 - 192.168.50.2 (This so we can simulate a Static IP, only 1 client will be behind this router and should get a static IP but using DHCP) -->
A Network device that needs to be accessible via public internet (Simulating for now with a laptop)

The VPN Connection on the router is working. All traffic is routed through the VPN.
We are trying to configure static routes to route the IP acquired via DHCP to the egress public IP (OVPN Access server).

Can anyone maybe tell if we're on the right track and how we could possibly test if the client is reachable through this public IP?
I can provide more information if needed!

C2OST.

Re: Public IP using DIGITAL OCEAN Droplet

Posted: Tue Dec 06, 2022 8:13 pm
by openvpn_inc
Hello,

I wouldn't say it is impossible, but it's also very difficult and requires cooperation from digitalocean or some other party to send public IP addresses through a router system you provide. It is far from trivial and you can't achieve it from just your end of things unless you want to run your own ISP.

What you can do that is relatively simple is to use Access Server to accept traffic on its public IP on certain ports or port ranges, and forward those internally to a particular connected VPN client. This is the DMZ functionality built into Access Server. See this page for more information: https://openvpn.net/vpn-server-resource ... ss-server/

If you need this access to be extended to a device on the network that the VPN client is on, you could use port forwarding on the VPN client. Linux for example can do this with iptables, to take packets coming in on a port on the VPN interface (forwarded there by the DMZ function on Access Server) and pass them on to another network device.

If you really insist on doing public IP addressing on the VPN clients directly then you might want to look at some provider like ExtraIP that can give you a public IP block and encapsulate that through GRE to a target router system that can then use that to assign devices those public IP addresses directly. Note that this will violate the MTU 1500 requirement as the encapsulation takes some bytes. I've set this up in the past, it's not magic.

Good luck,
Johan
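
The client-side port forwarding described in the reply above, as an added example that is not part of the original post or OpenVPN's own code. It assumes a Linux-based VPN client with iptables, a VPN interface named `tun0`, a LAN bridge named `br0`, and that the device holds 192.168.50.2 from the pool mentioned in the thread; it only prints the rules so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: prints iptables rules for review; it applies nothing itself.
# Assumed names (not from the thread): tun0 = VPN interface, br0 = LAN bridge.
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-br0}"

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    # Only digits and single dots, no leading or trailing dot
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_forward_rules DEST_IP FIRST_PORT LAST_PORT
gen_forward_rules() {
    dest=$1; lo=$2; hi=$3
    valid_ipv4 "$dest" || { echo "bad destination: $dest" >&2; return 1; }
    valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] ||
        { echo "bad port range: $lo-$hi" >&2; return 1; }
    cat <<EOF
iptables -t nat -A PREROUTING -i $VPN_IF -p udp --dport $lo:$hi -j DNAT --to-destination $dest
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -p udp -d $dest --dport $lo:$hi -j ACCEPT
iptables -A FORWARD -i $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -j DROP
EOF
}

# UDP range from the thread; 192.168.50.2 assumed to be the device's lease.
gen_forward_rules 192.168.50.2 10301 13555
```

The last two rules keep replies to LAN-initiated traffic flowing while dropping every other new connection arriving over the VPN, so only the listed UDP range reaches the device. ESP has no port numbers, so it is not covered by this port-based forward.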

Re: Public IP using DIGITAL OCEAN Droplet

Posted: Wed Dec 07, 2022 6:04 am
by C2OST
Morning Johan,

Thank you for the detailed response. Today we will be going over the ideas you have provided.
If we find a way I'll follow up this post.

If someone thinks of more options they are always welcome!

c2ost.

Re: Public IP using DIGITAL OCEAN Droplet

Posted: Thu Dec 08, 2022 2:39 pm
by C2OST
This is what we're trying and what is our situation, sadly ExtraIP is not possible because we can't use it outside the Netherlands.
(We need a static IP 'worldwide', that's why we want to use a VPN)

If there is a service or another way that could provide this anywhere in the world, please tell us.

Re: Public IP using DIGITAL OCEAN Droplet

Posted: Fri Dec 09, 2022 11:51 am
by openvpn_inc
Hello C2OST,

Sorry, I don't know all service providers out there - you might need to look around a bit.

Anyway, you present the situation as "we need a public static IP and it must be assigned to a machine on some private network that is connected through a VPN client system". That will be extremely difficult.

My suggestion is to go back to basics. What do you really need? You probably only just need a port on a public static IP that when accessed, it reaches a particular system on some private network that is connected through a VPN client system. For that, the suggestion I made with DMZ and port forwarding already suffices, and that is an 'easy' solution.

Kind regards,
Johan