Using VPN or Cloud VM to bypass CGNAT.

achaudhary997

[OP]
Regulars
Apr 15, 2018
132
52
I was recently trying Assassin's Creed Unity (since they made it free to play :)) Co-Op but it warns me that I have a strict NAT. In order to bypass it what I am currently doing is using Digital Ocean as an OpenVPN Server and bridging the connection between the digital ocean droplet and my pc. So basically I have a gateway which has a Public IP which my PC is using to get an "Open" Nat type.
As of now, it's working but the setup is cumbersome and the digital ocean droplet is pretty economical as I only keep the droplet up for the time period which I am running the game.

Anyone using PIA Vpn can test if their port forward option works?
 

Smh

Regulars
Nov 7, 2016
925
149
Could you create a thread on how you set up Digital Ocean as an OpenVPN server?
 

achaudhary997

[OP]
Regulars
Apr 15, 2018
132
52
Tbh the above script is what I used, but that will only give you a VPN and no port forwarding. So for that I added simple iptables rules (dumb ones) which just forward everything on the tun0 adapter by changing the src and dest IPs.

So the DO server is the gateway. Anything incoming on the gateway is being forwarded to my VPN IP, which was 10.4.0.20, so I added the following rules in iptables:

When a packet goes from DO ==> Local PC
# the nat PREROUTING chain only accepts -i (input interface), not -o
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport * -j DNAT --to-destination 10.4.0.20
# the nat POSTROUTING chain only accepts -o (output interface), not -i
# 10.4.0.1 is the IP address of DO given by OpenVPN
sudo iptables -t nat -A POSTROUTING -o tun0 -p tcp --dport * -d 10.4.0.20 -j SNAT --to-source 10.4.0.1

* is the port you want to forward; make sure it's not 22, else all SSH connections to your DO will be forwarded to the local PC.

Allow established connections to transfer data
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# if the FORWARD chain's policy is DROP, a matching rule with --ctstate NEW -d 10.4.0.20 is also needed for the first packet of each forwarded connection

For more details you can follow this link:
How To Forward Ports through a Linux Gateway with Iptables | DigitalOcean

Edit: Will add a more detailed thread later, because as of now it's not a thing which I'll recommend, as it's painful to set up and my config only supports ONE client. I am looking for a more automated way of doing things. Can also look at SoftEther VPN Project. This is supposed to make life easier with port forwarding stuff.
 

varkey

Regulars
Jun 11, 2006
657
223
I know I recommend ZeroTier a lot, but it's almost zero conf, not even 5% of what OpenVPN requires.

You could use the DO user data script option to launch a droplet pre-configured, or could use an image also I think.

Summarised steps would be:

1. Install ZeroTier on DO and join your network.
2. Set up IP forwarding, add an iptables masquerade rule for anything going out of the main WAN interface of the droplet.
3. Add a default route on the ZeroTier console pointing to the DO droplet's ZeroTier IP address.
4. On your client side, enable default route (this basically enables routing traffic through the droplet)

At this point it should be able to traverse the NAT/PAT through the droplet I think. You can add more clients easily as required.
 
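The forwarding rules in the post above and the IP-forwarding/masquerade steps of this ZeroTier variant, as an added example that is not any poster's own script: a POSIX sh generator that prints the iptables commands (so they can be reviewed before being piped into sudo sh), handles udp as well as tcp, and refuses port 22 as the thread warns. Interface names and the 10.4.0.x addresses are assumptions taken from the thread; port 3074 in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): generates the iptables commands for the
# gateway setup described above, for OpenVPN or ZeroTier alike. Assumed values
# taken from the thread: eth0 = droplet WAN interface, tun0 = tunnel interface,
# 10.4.0.1 = droplet's tunnel address, 10.4.0.20 = the one client to forward to.
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
GW_VPN_IP="${GW_VPN_IP:-10.4.0.1}"
CLIENT_IP="${CLIENT_IP:-10.4.0.20}"

# Print the three rules that forward one port (tcp or udp) to the client.
# Refuses port 22 so the droplet's own SSH is never redirected; returns 1 on bad input.
gen_forward_rules() {
    port="$1"; proto="${2:-tcp}"
    case "$port" in ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;; esac
    if [ "$port" -eq 22 ] || [ "$port" -gt 65535 ]; then
        echo "refusing port $port (SSH or out of range)" >&2; return 1
    fi
    case "$proto" in tcp|udp) ;; *) echo "bad proto: '$proto'" >&2; return 1 ;; esac
    # nat PREROUTING takes only -i; nat POSTROUTING takes only -o.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $CLIENT_IP"
    # Needed when the FORWARD policy is DROP: let the first packet of a new flow through.
    echo "iptables -A FORWARD -i $WAN_IF -o $VPN_IF -p $proto --dport $port -d $CLIENT_IP -m conntrack --ctstate NEW -j ACCEPT"
    # SNAT to the gateway's tunnel IP so the client's replies come back through the tunnel.
    echo "iptables -t nat -A POSTROUTING -o $VPN_IF -p $proto --dport $port -d $CLIENT_IP -j SNAT --to-source $GW_VPN_IP"
}

# Rules needed once: enable forwarding, allow reply traffic both ways, and the
# MASQUERADE rule from the ZeroTier variant so the client's outbound traffic
# leaves with the droplet's public IP.
gen_base_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -A FORWARD -i $WAN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $VPN_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $VPN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Usage: sh gateway_rules.sh 3074 udp 3074 tcp | sudo sh   (3074 is a placeholder port)
main() {
    gen_base_rules
    while [ "$#" -ge 2 ]; do
        gen_forward_rules "$1" "$2" || exit 1
        shift 2
    done
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```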

achaudhary997

[OP]
Regulars
Apr 15, 2018
132
52
From what I understood, my machine still won't accept incoming connections, right? Unless I explicitly tell the DO droplet to forward everything to my local ZeroTier IP, which would again require iptables?
The problem I am facing with AC Unity is that external entities (Friends and UBI servers) which are on the public internet should be able to access my Local PC.

I am currently using ZeroTier but only to access my desktop at home.

The following config should work.
WAN <========> DO Droplet <====> ZeroTier <====> My local PC
x.x.x.x        10.0.0.20                         10.0.0.30

So in the droplet I just forward all incoming connections to 10.0.0.30 while adding src and dest NAT rules? Or do I need something else also?
 

varkey

Regulars
Jun 11, 2006
657
223
I meant to use ZeroTier instead of OpenVPN, you still need the DO droplet. So ZeroTier would do the job of OpenVPN in your current setup.

The rest of the pieces in your current setup would remain; you could perhaps add a UPnP daemon or NAT-PMP service on the droplet to manage explicit port forwards automatically, in case the game isn't able to traverse the NAT/PAT (on the droplet) automatically (like using UDP hole punching etc.).
 

achaudhary997

[OP]
Regulars
Apr 15, 2018
132
52
Hmm. Makes sense. This requires some more tinkering but if it works (which it should theoretically) would be great. Will try to implement this setup after my exams are over and create a post here if it works well.
 

varkey

Regulars
Jun 11, 2006
657
223
I have a couple of VMs running the config I mentioned (except for the UPnP or NAT-PMP daemon), so I can quickly test it for you if you want. Is there a utility or something that can be used to test this from a game perspective?

I use this setup as a personal VPN alternative to work around content restrictions etc. ;) VMs I pay for anyway for running websites etc. A Hetzner cloud VM costs only 2.49 EUR per month, and there are a few other similar cheap VMs 😁
 

achaudhary997

[OP]
Regulars
Apr 15, 2018
132
52
If you can test UPnP it would be great. The only two applications that I know which use UPnP are Plex and uTorrent. After setting up ports, you can go to Open Port Check Tool - Test Port Forwarding on Your Router and plug in the public IP and port of the cloud VM which is being used by the above two apps.

Also, if you know any other cloud VMs (preferably located in India) which are relatively inexpensive, let me know. The reason I chose DO is because of low latency for low ping. :D
 