Homelabing - Local to online setup suppressing CGNAT

Source: Dev.to

In the journey of creating a Hub, before we start programming or building a website, let's set up the Pi in a way where we can reach it over mobile internet. For that we could use Cloudflare Tunnel or Tailscale, but both are overpowered for this setup. I don't want Cloudflare sitting between me and my data; I can't trust any 3rd party, so I'm not going to use that. I'm also not going to use Tailscale. Some of its features are awesome, but to use it I need to create an account, and every new person who joins the network needs to create a Tailscale account too, and I don't think I will create an account on a 3rd party just to access my self-hosted server.

So this leads to setting up my own VPN on the Pi and connecting to it from my devices when I'm on the mobile network. For that, I'm going to use WireGuard. Why? Because it is open-source, light and free.

Let's set it up. Install WireGuard on the Pi:

```bash
sudo apt update
sudo apt install wireguard -y
```

And verify by printing its version:

```bash
wg --version
```

Now, for this to work, we need to create the Pi's private and public keys. To create them, run:

```bash
sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard
sudo wg genkey | sudo tee /etc/wireguard/server_private.key | sudo wg pubkey | sudo tee /etc/wireguard/server_public.key
```

Check that both files are inside /etc/wireguard; if not, regenerate the keys. For me, it worked:

```text
-rw------- 1 root root 45 server_private.key
-rw------- 1 root root 45 server_public.key
```

Now let's add some config:

```bash
sudo nano /etc/wireguard/wg0.conf
```

```ini
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <PASTE server_private.key CONTENT>
SaveConfig = true
```

I am using 10.10.0.1/24 as the subnet, as it is easy for me to remember and will not conflict with anything.

Now I will enable IP forwarding by adding net.ipv4.ip_forward=1 inside /etc/sysctl.conf and apply the change with:

```bash
sudo sysctl -p
```

It should print the setting back with the value 1.

Now, let's enable WireGuard:

```bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```

and verify with sudo wg. Now it is time to install the official WireGuard Android app on the mobile and add it as a peer. In the app, create a new tunnel and generate its public and private keys. Then on the Pi, in /etc/wireguard/wg0.conf, add the peer at the bottom:

```ini
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.10.0.2/32
```

and restart the interface:

```bash
sudo wg-quick down wg0
sudo wg-quick up wg0
```

One gotcha here: with SaveConfig = true, wg-quick writes the running configuration back to wg0.conf when the interface goes down, so a [Peer] added to the file while wg0 is up gets overwritten by the down step. Bring wg0 down first, then edit the file, then bring it up.

Finally, on the mobile, in the WireGuard app, fill in the interface:

```ini
Address = 10.10.0.2/32
DNS = 192.168.1.1 # your gateway IP
```

and add a peer over there:

```ini
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <YOUR_PUBLIC_IP>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Now, at this point I don't have a static public IP, as my ISP doesn't know I'm doing homelabbing. If you are able to get a static IP then use it; otherwise there is one workaround.

I will use DuckDNS, which makes my dynamic IP look static. On top of that, it is free, lightweight and has no vendor lock-in; it is not a proxy, just a DNS record. To hook it up, go to https://www.duckdns.org, create an account and add a domain. Name it whatever you want; it is not a public address, just a link to your public IP. Use that subdomain as the Endpoint above. We need a cron job to push the latest IP to DDNS. For that, on the Pi, create a script:

```bash
sudo apt install curl -y
mkdir -p ~/duckdns
nano ~/duckdns/update.sh
```

Replace YOUR_TOKEN with your DuckDNS token and YOUR_SUBDOMAIN with your own subdomain:

```bash
#!/bin/bash
# -k disables TLS certificate verification; it can be dropped on a Pi with a current CA bundle
echo url="https://www.duckdns.org/update?domains={YOUR_SUBDOMAIN}&token={YOUR_TOKEN}&ip=" | curl -k -o ~/duckdns/duck.log -K -
```

Now give it execute permission and test it:

```bash
chmod +x ~/duckdns/update.sh
~/duckdns/update.sh
cat ~/duckdns/duck.log
```

It should say OK, not KO. If it says KO then you are KO: the setup failed, check your token and subdomain.

Now let's add a cron job:

```bash
crontab -e
```

and add this line to run it every 5 minutes:

```text
*/5 * * * * ~/duckdns/update.sh >/dev/null 2>&1
```

Now, let's try to connect. Turn the VPN on on the mobile; it should connect, and by running

```bash
sudo wg
```

you will see the device connected, saying latest handshake: X seconds ago.

If not, then hello my friend, me too. Our ISP uses CGNAT (Carrier-Grade Network Address Translation), so the public address sits on their router, not mine, and as a user we cannot forward any port on IPv4. Then, what to do??

You know what, after hours of research, I found that I cannot forward a port by any means, so the last option is to use Tailscale, and with that one of the requirements broke. But it is not my mistake; I cannot control my ISP's behaviour, so I have to use Tailscale. So we don't need DuckDNS now; let's remove the cron job and WireGuard:

```bash
crontab -e   # delete the duckdns line
rm -rf ~/duckdns
sudo systemctl stop wg-quick@wg0
sudo systemctl disable wg-quick@wg0
sudo apt purge wireguard wireguard-tools -y
sudo apt autoremove -y
sudo rm -rf /etc/wireguard
```

If you followed along, then you now know what wasting time feels like. Then remove the net.ipv4.ip_forward=1 line from /etc/sysctl.conf with sudo nano /etc/sysctl.conf.

Now, create an account at https://login.tailscale.com, then add the devices and install it on the Pi:

```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```

and it's online. You can check it on the Tailscale dashboard. Now we can focus on building: the Pi is reachable both locally and online. Just run a server and you're good to go.
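The peer step above, as an added example that is not part of the original post: a script that adds a phone peer to the running wg0 interface with `wg set` and persists it with `wg-quick save`, so the SaveConfig = true behaviour cannot discard it. It assumes the post's interface name (wg0), subnet (10.10.0.0/24, server at .1) and key file paths; the helper names are mine.

```shell
#!/bin/sh
# Added example (not the post's code). With SaveConfig = true, wg-quick rewrites
# wg0.conf from the live interface on "down", so a [Peer] pasted into the file while
# wg0 is up is lost. Changing the live interface and then saving keeps both in sync.
# Assumed: interface wg0, subnet 10.10.0.0/24, server 10.10.0.1 (as in the post).
set -u

# Print the next free host address in 10.10.0.0/24 by scanning AllowedIPs /32 entries
# in the config text given on stdin. The server's .1 is reserved, so peers start at .2.
next_peer_ip() {
  grep -oE '10\.10\.0\.[0-9]+/32' |
    awk -F'[./]' 'BEGIN{max=1} $4+0>max{max=$4+0}
                  END{n=max+1; if (n>254) exit 1; print "10.10.0." n}'
}

# Print the phone-side config (the fields the post fills in by hand in the app).
# Args: client private key, client IP, server public key, endpoint host:port, DNS.
client_conf() {
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\nDNS = %s\n\n' "$1" "$2" "$5"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n' "$3" "$4"
}

# Live part, run on the Pi. Args: endpoint host (DuckDNS name or static IP), optional DNS.
add_peer() {
  conf=/etc/wireguard/wg0.conf
  ip=$(sudo cat "$conf" | next_peer_ip) || { echo "subnet full" >&2; return 1; }
  priv=$(wg genkey)                                   # generated here, never stored on the Pi
  pub=$(printf '%s\n' "$priv" | wg pubkey)
  sudo wg set wg0 peer "$pub" allowed-ips "$ip/32"    # /32: this key may only source one address
  sudo wg-quick save wg0                              # write live state to wg0.conf (drops hand-written comments)
  client_conf "$priv" "$ip" "$(sudo cat /etc/wireguard/server_public.key)" "$1:51820" "${2:-192.168.1.1}"
}
```

Run `add_peer your-name.duckdns.org` and paste the printed config into the app, then clear the terminal since it contains the phone's private key.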
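The DuckDNS updater above, in a hardened form as an added example (not the post's script): the token lives in a 600-permission file instead of the script, TLS verification stays on, the update is only sent when the public IP actually changed, and a KO reply returns non-zero so cron reports it. The file paths, the `DUCKDNS_SUBDOMAIN` variable and the use of api.ipify.org as the IP echo service are my assumptions.

```shell
#!/bin/sh
# Added example (not the post's script): hardened DuckDNS updater for cron.
# Assumed files: ~/duckdns/token (YOUR_TOKEN on one line, chmod 600), ~/duckdns/last_ip.
set -u
DIR="$HOME/duckdns"
SUBDOMAIN="${DUCKDNS_SUBDOMAIN:-YOUR_SUBDOMAIN}"   # placeholder, as in the post

# Accept only a dotted quad with every octet in 0-255, so a broken or spoofed reply
# from the IP echo service never ends up inside the DuckDNS request.
valid_ipv4() {
  [ -n "$1" ] || return 1
  printf '%s' "$1" | awk -F. 'NF!=4{exit 1} {for(i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i+0>255) exit 1}'
}

# Return 0 when the address differs from the cached one (or no cache exists yet).
ip_changed() {
  [ -f "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
  return 0
}

run_update() {
  token=$(cat "$DIR/token") || { echo "no token file" >&2; return 2; }
  ip=$(curl -fsS https://api.ipify.org) || return 2        # assumption: any plain-text IP echo service
  valid_ipv4 "$ip" || { echo "unexpected IP reply: $ip" >&2; return 2; }
  ip_changed "$ip" "$DIR/last_ip" || return 0              # unchanged: send nothing, expose the token less
  # no -k: certificate verification stays on for the request that carries the token
  body=$(curl -fsS "https://www.duckdns.org/update?domains=$SUBDOMAIN&token=$token&ip=$ip") || return 2
  [ "$body" = "OK" ] || { echo "DuckDNS said: $body" >&2; return 1; }
  printf '%s\n' "$ip" > "$DIR/last_ip"
  echo "$(date -u +%FT%TZ) updated $SUBDOMAIN -> $ip" >> "$DIR/duck.log"
}
```

Call `run_update` from the cron line and drop the `>/dev/null 2>&1` redirect so a failing run shows up in cron's mail or journal.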
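The CGNAT discovery above, as an added check that is not part of the original post: RFC 6598 reserves 100.64.0.0/10 as the shared address space carriers put on the WAN side of customer routers, so comparing the router's WAN address with the address the internet sees tells you up front whether IPv4 port forwarding can work. The router's WAN address is assumed to be read from its status page and passed in by hand; api.ipify.org as the outside view is my assumption.

```shell
#!/bin/sh
# Added example (not from the post): classify the WAN situation before trying
# to forward UDP 51820. Assumed: WAN address supplied by hand, outside view from
# an IP echo service.
set -u

# Return 0 if the address is inside 100.64.0.0/10 (100.64.0.0 - 100.127.255.255).
in_cgnat_range() {
  printf '%s' "$1" | awk -F. '$1==100 && $2>=64 && $2<=127 {ok=1} END{exit !ok}'
}

# Return 0 if the address is RFC 1918 private (10/8, 172.16/12, 192.168/16).
in_private_range() {
  printf '%s' "$1" | awk -F. '$1==10 {ok=1} $1==172 && $2>=16 && $2<=31 {ok=1}
                              $1==192 && $2==168 {ok=1} END{exit !ok}'
}

# Args: router WAN address, address seen from outside. Prints one word:
#   cgnat        WAN is in 100.64/10, the ISP owns the public address, no inbound port
#   upstream-nat WAN is private or differs from the outside view: another NAT in front
#                of the router (a second box, or CGNAT that uses other addressing)
#   public       WAN equals the outside view, port forwarding on the router can work
classify_wan() {
  if in_cgnat_range "$1"; then echo cgnat
  elif in_private_range "$1" || [ "$1" != "$2" ]; then echo upstream-nat
  else echo public
  fi
}

# Live part: check_cgnat <router-WAN-address>
check_cgnat() {
  outside=$(curl -fsS https://api.ipify.org) || return 2   # assumption: any plain-text IP echo service
  classify_wan "$1" "$outside"
}
```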