Using VPN or Cloud VM to bypass CGNAT.

achaudhary997 (Member, 310 messages, ISP: Excitel):
I was recently trying Assassin's Creed Unity (since they made it free to play :)) Co-Op but it warns me that I have a strict NAT. In order to bypass it, what I am currently doing is using DigitalOcean as an OpenVPN server and bridging the connection between the DigitalOcean droplet and my PC. So basically I have a gateway which has a public IP, which my PC is using to get an "Open" NAT type.
As of now it's working, but the setup is cumbersome. The DigitalOcean droplet is pretty economical as I only keep the droplet up for the time period during which I am running the game.

Anyone using PIA VPN can test if their port forward option works?
 

achaudhary997 (Member, 310 messages, ISP: Excitel):
Tbh the above script is what I used, but that will only give you a VPN and no port forwarding. So for that I added simple iptables rules (dumb ones) which just forward everything on the tun0 adapter by changing the src and dest IPs.

So the DO server is the gateway. Anything incoming on the gateway is being forwarded to my VPN IP, which was 10.4.0.20, so I added the following rules in iptables:

When a packet goes from DO ==> local PC:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport PORT -j DNAT --to-destination 10.4.0.20
sudo iptables -t nat -A POSTROUTING -o tun0 -p tcp -d 10.4.0.20 --dport PORT -j SNAT --to-source 10.4.0.1
(10.4.0.1 is the IP address of DO given by OpenVPN. -i is only accepted in PREROUTING and -o only in POSTROUTING, so each rule names just one interface.)

PORT is the port you want to forward; make sure it's not 22, else all SSH connections to your DO will be forwarded to the local PC.

Allow the new forwarded connection in, and allow established connections to transfer data:
iptables -A FORWARD -i eth0 -o tun0 -p tcp -d 10.4.0.20 --dport PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

For more details you can follow this link:
How To Forward Ports through a Linux Gateway with Iptables | DigitalOcean

Edit: Will add a more detailed thread later, because as of now it's not a thing which I'll recommend, as it's painful to set up and my config only supports ONE client. I am looking for a more automated way of doing things. Can also look at the SoftEther VPN Project; this is supposed to make life easier with port forwarding stuff.
 
Last edited:

varkey (Well-Known Member, 2,125 messages, Location: Bangalore | Ernakulam, ISP: Excitel | BSNL):
I know I recommend ZeroTier a lot, but it's almost zero conf, not even 5% of what OpenVPN requires.

You could use the DO user data script option to launch a droplet preconfigured, or could use an image also, I think.

Summarised steps would be

1. Install ZeroTier on DO and join your network.
2. Set up IP forwarding, add an iptables masquerade rule for anything going out of the main WAN interface of the droplet.
3. Add a default route on the ZeroTier console pointing to the DO droplet's ZeroTier IP address.
4. On your client side, enable default route (this basically enables routing traffic through the droplet)

At this point it should be able to traverse the NAT/PAT through the droplet I think. You can add more clients easily as required.
 
  • Like
Reactions: Smh
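The two approaches above (the OpenVPN DNAT/SNAT rules in the earlier post, and the ip_forward plus masquerade steps in the ZeroTier summary) are the same gateway recipe with different tunnel interfaces. The script below is an added example, not code from either poster: it generates the full iptables rule set for the droplet so it can be read (or piped to sh as root) without running anything. Interface names (eth0, tun0), the tunnel addresses 10.4.0.1/10.4.0.20 from the thread and the example port 3074 are assumptions; substitute the ZeroTier interface and addresses if that is the tunnel you use. It also refuses to forward 22/tcp, the lockout the earlier post warns about, and adds the SNAT hairpin so replies return through the tunnel even when the PC has no default route via the gateway.

```shell
#!/bin/sh
# Added example (not the forum posters' own script). Generates the iptables
# rules for a cloud VM that fronts a CGNAT'd PC over a tunnel interface
# (OpenVPN tun0 or a ZeroTier zt* interface). All interface names, addresses
# and ports are caller-supplied assumptions; nothing here needs root because
# the function only prints commands.
#
# usage: gen_rules WAN_IF TUN_IF GW_TUN_IP CLIENT_TUN_IP PORT/PROTO...
gen_rules() {
    wan=$1; tun=$2; gw_ip=$3; client=$4
    shift 4
    [ $# -gt 0 ] || { echo "gen_rules: no ports given" >&2; return 1; }

    # Validate every PORT/PROTO before emitting anything. DNAT on 22/tcp would
    # hand every admin SSH session to the PC and lock you out of the droplet.
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        case $proto in tcp|udp) ;; *) echo "gen_rules: bad proto in $spec" >&2; return 1;; esac
        case $port in ''|*[!0-9]*) echo "gen_rules: bad port in $spec" >&2; return 1;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "gen_rules: port out of range in $spec" >&2; return 1; }
        if [ "$port" -eq 22 ] && [ "$proto" = tcp ]; then
            echo "gen_rules: refusing to forward 22/tcp (SSH to the gateway itself)" >&2
            return 1
        fi
    done

    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Forwarded traffic is dropped unless a rule below opens the path.
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outbound: the PC reaches the internet with the VM's public IP
# (this is the masquerade step from the ZeroTier default-route setup).
iptables -A FORWARD -i $tun -o $wan -s $client -j ACCEPT
iptables -t nat -A POSTROUTING -s $client -o $wan -j MASQUERADE
EOF
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        cat <<EOF
# Inbound $spec: DNAT to the PC, accept the new flow, then SNAT to the VM's
# tunnel address so replies return via the tunnel even without a default route.
iptables -t nat -A PREROUTING -i $wan -p $proto --dport $port -j DNAT --to-destination $client
iptables -A FORWARD -i $wan -o $tun -p $proto -d $client --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $tun -p $proto -d $client --dport $port -j SNAT --to-source $gw_ip
EOF
    done
}

# Demo with the thread's addresses; 3074 is an assumed example port, not one
# the thread names. On the droplet you would run: gen_rules ... | sudo sh
gen_rules eth0 tun0 10.4.0.1 10.4.0.20 3074/udp 3074/tcp
```

The FORWARD policy is set to DROP deliberately: the DigitalOcean tutorial linked above works because the default policy is ACCEPT, which also forwards anything else that reaches the droplet. With DROP, only the listed ports plus the PC's own outbound traffic pass, which is what you want on a host with a public IP.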

achaudhary997 (Member, 310 messages, ISP: Excitel):
From what I understood, my machine still won't accept incoming connections, right? Unless I explicitly tell the DO droplet to forward everything to my local ZeroTier IP, which would again require iptables?
The problem I am facing with AC Unity is that external entities (Friends and UBI servers) which are on the public internet should be able to access my Local PC.

I am currently using zero-tier but only to access my desktop at home.

The following config should work.
WAN<========>DO Droplet <====> Zerotier <====> My local PC.
x.x.x.x .................. 10.0.0.20 ........................................................... 10.0.0.30

So in the droplet I just forward all incoming connections to 10.0.0.30 while adding src and dest NAT rules? Or do I need something else also?
 


Last edited:

varkey (Well-Known Member, 2,125 messages, Location: Bangalore | Ernakulam, ISP: Excitel | BSNL):
I meant to use ZeroTier instead of OpenVPN, you still need the DO droplet. So ZeroTier would do the job of OpenVPN in your current setup.

The rest of the pieces in your current setup would remain. You could perhaps add a UPnP daemon or NAT-PMP service on the droplet to manage explicit port forwards automatically, in case the game isn't able to traverse the NAT/PAT (on the droplet) automatically (like using UDP hole punching etc.).
 

achaudhary997 (Member, 310 messages, ISP: Excitel):
Hmm. Makes sense. This requires some more tinkering but if it works (which it should theoretically) would be great. Will try to implement this setup after my exams are over and create a post here if it works well.
 

varkey (Well-Known Member, 2,125 messages, Location: Bangalore | Ernakulam, ISP: Excitel | BSNL):
I have a couple of VMs running the config I mentioned (except for the UPnP or NAT-PMP daemon), so I can quickly test it for you if you want. Is there a utility or something that can be used to test this from a game perspective?

I use this setup as a personal VPN alternative to work around content restrictions etc. ;) VMs I pay for anyway for running websites etc. A Hetzner cloud VM costs only 2.49 EUR per month, and there are a few other similar cheap VMs 😁
 

achaudhary997 (Member, 310 messages, ISP: Excitel):
If you can test UPnP it would be great. The only two applications that I know which use UPnP are Plex and uTorrent. After setting up ports, you can go to Open Port Check Tool - Test Port Forwarding on Your Router and plug in the public IP and port of the cloud VM which is being used by the above two apps.

Also, if you know any other cloud VM (preferably located in India) which is relatively inexpensive, let me know. The reason I chose DO is because of low latency for low ping. :D