Site-to-site with CGNAT

dmerickson54
Posts: 3
Joined: Tue Aug 02, 2022 12:23 pm

Site-to-site with CGNAT

Post by dmerickson54 » Wed Aug 03, 2022 8:15 pm

Hoping someone can help me with newbie questions. I had a Ubiquiti UniFi VPN link between 2 home sites, both with dynamic public IPv4 addresses. Recently, I changed out one end (my current site) to StarLink (CGNAT). The UniFi products cannot negotiate the CGNAT end with their current software. I am trying to configure SoftEther to recover the VPN connection, hopefully using the NAT traversal function on the StarLink end. StarLink doesn't allow port forwarding or IPv4/IPv6 assignments. TeamViewer is being used to make adjustments to the distant from me. The 2 sites (Windows 10/11) have separate subnets (192.168.222.0, 192.168.1.0) so I added a layer 3 switch; switches on each end are "running." I installed standalone servers on both ends. There is activity with the virtual hubs on each side; see attached file. The various devices on each end were populated into the hub's routing table. Both sides have unique DDNS hostnames. Ping times out when I try to ping the opposing sites: the IPs from within the opposing local LANs, the opposing DDNS hostnames, or the unique IP range assigned by SoftEther (in the range 192.168.30.0). On the two UniFi firewalls, I have opened up unique port 5566 (on both ends) to incoming packets.

Questions: how are the unique LAN addresses assigned by SoftEther (in the 192.168.30.0) used? Do I need to enter the DDNS hostname somewhere specific on the computers opposite one another to get the 2 sites to see each other? Do I need to set up a cascading variable to connect the 2 sites? As I am not an expert in these areas (I'm a newbie), I am hoping someone out there can help me with what I am hoping to be a simple solution so I can again map drives on the opposing computers.

Thanks!
--Doug

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Site-to-site with CGNAT

Post by solo » Fri Aug 05, 2022 9:43 am

So one site changed to StarLink but you should be able to initiate Unifi VPN from it to the other one. Why not?
Whatever the reason you can't do it with Unifi VPN, it will also apply to your SoftEther NAT-T attempts.

VPN Azure will work for sure though:

[non-StarLink site with SoftEther Server] LAN-bridge-HUB1---> L3 switch <--HUB2--->
...VPN Azure...
<---BRIDGE-LAN [StarLink site with SoftEther Bridge]

// add static routes for the LANs' subnets
// SecureNAT disabled
// VPN Azure is slow and with high latency

dmerickson54
Posts: 3
Joined: Tue Aug 02, 2022 12:23 pm

Re: Site-to-site with CGNAT

Post by dmerickson54 » Fri Aug 05, 2022 7:05 pm

Thanks for your reply! With the UniFi equipment and the StarLink, I can map a drive from the StarLink site to the other ("traditional") site with the usual dynamic IPv4 address. I, however, need to map a drive from the traditional site to the StarLink site... thus, the reason for trying to traverse the NAT. As I am trying to control some radio equipment at the StarLink site, latency with Azure would be problematic. I am thinking that instead of trying to duplicate the site-to-site system I had before StarLink, I may try installing the server on the StarLink side and connect to it with clients on the other side. I am thinking this would be easier to configure, but limit me in some ways (mapping drives). Maybe one day I'll be able to get fiber here and eliminate the CGNAT. I suppose I could use TeamViewer to download files when I need them. Any thoughts on this?

--Doug

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Site-to-site with CGNAT

Post by solo » Fri Aug 05, 2022 10:08 pm

In that case, here is a revised VPN:

[non-StarLink site with SoftEther Server] LAN-bridge-HUB1---> L3 switch <--HUB2--->
...SoftEther DDNS...
<---BRIDGE-LAN [StarLink site with SoftEther Bridge]

// add static routes for the LANs' subnets
// SecureNAT disabled

Note, SE Server must be on the non-StarLink site, where the router IP-forwards a SE port. It has no impact, or limitation, on drive to/from mapping at all.

dmerickson54
Posts: 3
Joined: Tue Aug 02, 2022 12:23 pm

Re: Site-to-site with CGNAT

Post by dmerickson54 » Sun Aug 07, 2022 3:48 pm

Thank you. I'll be on a business trip this week but will give it a try when I get back home.
--Doug
