Using VPN or Cloud VM to bypass CGNAT.

a.c
I was recently trying Assassin's Creed Unity (since they made it free to play 🙂) Co-Op, but it warns me that I have a strict NAT. In order to bypass it, what I am currently doing is using DigitalOcean as an OpenVPN server and bridging the connection between the DigitalOcean droplet and my PC. So basically I have a gateway which has a public IP, which my PC is using to get an "Open" NAT type.
As of now it's working, but the setup is cumbersome. The DigitalOcean droplet is pretty economical as I only keep the droplet up for the time period during which I am running the game.

Anyone using PIA VPN can test if their port forward option works?
 
Could you create a thread on how you set up DigitalOcean as an open server?
 
Tbh the above script is what I used, but that will only give you a VPN and no port forwarding. So for that I added simple iptables rules (dumb ones) which just forward everything on the tun0 adapter by changing the src and dest IPs.

So the DO server is the gateway. Anything incoming on the gateway is forwarded to my VPN IP, which was 10.4.0.20, so I added the following rules to iptables:

When a packet goes from DO ==> Local PC
# DNAT happens in PREROUTING, which can only match the incoming interface (-i); it has no -o option
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport * -j DNAT --to-destination 10.4.0.20
# SNAT happens in POSTROUTING, which can only match the outgoing interface (-o); it has no -i option
sudo iptables -t nat -A POSTROUTING -o tun0 -p tcp --dport * -d 10.4.0.20 -j SNAT --to-source 10.4.0.1
(10.4.0.1 is the IP address of DO given by OpenVPN)

* is the port you want to forward; make sure it's not 22, else all SSH connections to your DO will be forwarded to the local PC.

Allow established connections to transfer data
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# If the FORWARD chain policy is DROP, the first packet of each inbound connection also needs accepting:
iptables -A FORWARD -i eth0 -o tun0 -p tcp -d 10.4.0.20 --dport * -m conntrack --ctstate NEW -j ACCEPT

For more details you can follow this link:
How To Forward Ports through a Linux Gateway with Iptables | DigitalOcean

Edit: Will add a more detailed thread later, because as of now it's not something I'd recommend, as it's painful to set up and my config only supports ONE client. I am looking for a more automated way of doing things. Can also look at SoftEther VPN Project. This is supposed to make life easier with port forwarding stuff.
 
I know I recommend ZeroTier a lot, but it's almost zero-conf, not even 5% of what OpenVPN requires.

You could use the DO user-data script option to launch a pre-configured droplet, or could use an image too, I think.

Summarised steps would be

1. Install ZeroTier on DO and join your network.
2. Set up IP forwarding, and add an iptables masquerade rule for anything going out of the main WAN interface of the droplet.
3. Add a default route on the ZeroTier console pointing to the DO droplet's ZeroTier IP address.
4. On your client side, enable the default route (this basically enables routing traffic through the droplet).

At this point it should be able to traverse the NAT/PAT through the droplet I think. You can add more clients easily as required.
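The two gateway pieces discussed in this thread, the masquerade rule for outbound tunnel traffic (step 2 above) and the DNAT/SNAT port forwards to a single tunnel client from the earlier OpenVPN post, as one added example script. This is not code from the thread or from DigitalOcean's guide; the interface names, addresses and sample ports are assumptions, and it runs in dry-run mode (printing the rules) unless DRY_RUN=0 is set on a root shell on the VM. Port 22 is refused so SSH to the VM itself is never forwarded away.

```sh
#!/bin/sh
# Added example: build (or apply) the iptables rules for a cloud VM acting as
# a public gateway in front of one tunnel client (OpenVPN tun0 or a ZeroTier
# interface). Names and addresses below are assumptions, not the thread's.

WAN_IF=${WAN_IF:-eth0}              # public interface of the droplet
TUN_IF=${TUN_IF:-tun0}              # tun0 for OpenVPN, zt* for ZeroTier
CLIENT_IP=${CLIENT_IP:-10.4.0.20}   # tunnel address of the gaming PC
GW_IP=${GW_IP:-10.4.0.1}            # droplet's own tunnel address
SSH_PORT=${SSH_PORT:-22}
DRY_RUN=${DRY_RUN:-1}               # 1 = print rules, 0 = apply them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a numeric port in 1..65535 that is not the SSH port.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$1" -ne "$SSH_PORT" ]
}

# Base rules: enable forwarding, allow reply traffic, let tunnel clients out
# and masquerade them behind the public IP (ZeroTier step 2).
enable_gateway() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Forward one proto/port from the public IP to the tunnel client.
# PREROUTING cannot match -o and POSTROUTING cannot match -i, so each rule
# matches only on the interface its chain can see.
forward_port() {
    proto=$1
    port=$2
    valid_port "$port" || { echo "refusing to forward port '$port'" >&2; return 1; }
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$CLIENT_IP:$port"
    # Needed when the FORWARD policy is DROP: admit the first packet explicitly.
    run iptables -A FORWARD -i "$WAN_IF" -o "$TUN_IF" -p "$proto" -d "$CLIENT_IP" \
        --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    # Rewrite the source so the client replies back through the tunnel even if
    # it does not route its default traffic via the droplet.
    run iptables -t nat -A POSTROUTING -o "$TUN_IF" -p "$proto" -d "$CLIENT_IP" \
        --dport "$port" -j SNAT --to-source "$GW_IP"
}

# Usage: setup_gateway tcp:3074 udp:3074   (port specs are constructed samples)
setup_gateway() {
    enable_gateway
    for spec in "$@"; do
        forward_port "${spec%%:*}" "${spec#*:}" || return 1
    done
}
```

Because SNAT rewrites the source, the game on the client sees every peer as 10.4.0.1 rather than its real address; that is the same trade-off as in the rules posted above, and it is what lets the setup work without pushing a default route to the client.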
 
From what I understood, my machine still won't accept incoming connections, right? Unless I explicitly tell the DO droplet to forward everything to my local ZeroTier IP, which would again require iptables?
The problem I am facing with AC Unity is that external entities (Friends and UBI servers) which are on the public internet should be able to access my Local PC.

I am currently using ZeroTier, but only to access my desktop at home.

The following config should work.
WAN <======> DO Droplet <======> ZeroTier <======> My local PC
x.x.x.x      10.0.0.20                              10.0.0.30

So in the droplet I just forward all incoming connections to 10.0.0.30 while adding src and dest NAT rules? Or do I need something else as well?
 


I meant to use ZeroTier instead of OpenVPN; you still need the DO droplet. So ZeroTier would do the job of OpenVPN in your current setup.

The rest of the pieces in your current setup would remain. You could perhaps add a UPnP daemon or NAT-PMP service on the droplet to manage explicit port forwards automatically, in case the game isn't able to traverse the NAT/PAT (on the droplet) automatically (e.g. using UDP hole punching).
 
Hmm. Makes sense. This requires some more tinkering, but if it works (which it should, theoretically) it would be great. Will try to implement this setup after my exams are over and create a post here if it works well.
 
I have a couple of VMs running the config I mentioned (except for the UPnP or NAT-PMP daemon), so I can quickly test it for you if you want. Is there a utility or something that can be used to test this from a game perspective?

I use this setup as a personal VPN alternative to work around content restrictions etc. 😉 VMs I pay for anyway for running websites etc. A Hetzner cloud VM costs only 2.49 EUR per month, and there are a few other similarly cheap VMs. 😁
 
If you can test UPnP it would be great. The only two applications that I know of which use UPnP are Plex and uTorrent. After setting up ports, you can go to Open Port Check Tool - Test Port Forwarding on Your Router and plug in the public IP and port of the cloud VM which is being used by the above two apps.

Also, if you know any other cloud VM (preferably located in India) which is relatively inexpensive, let me know. The reason I chose DO is the low latency for low ping. 😀
 
Only DO Bangalore seems to have low latency and high throughput in India. You can choose the Singapore server of Vultr. Hetzner has poor peering to India. I have never tested Linode's throughput though.
 
Sometimes I use SSH forwarding when I don't have time to set up OpenVPN. It is quick and easy. We can also forward ports using SSH tunnelling. There's an encrypted connection between the PC and the VM, and it acts as a VPN too.
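The SSH variant described in this post, as an added example that is not from the thread: an `ssh -R` remote forward exposes a port on the VM that tunnels back to a service on the local PC, but sshd binds such listeners to 127.0.0.1 on the VM unless its sshd_config sets `GatewayPorts yes` (or `clientspecified`), so the forward is invisible from the internet until that is changed. The host name, user and ports below are assumptions, and the sshd_config fragment is constructed.

```sh
#!/bin/sh
# Added example: build an SSH remote forward command and check the one sshd
# setting that decides whether the forwarded port is reachable publicly.

VM_USER=${VM_USER:-user}
VM_HOST=${VM_HOST:-vm.example.com}   # placeholder for the VM's public address

# Return 0 if the sshd_config at $1 allows public -R listeners.
# sshd uses the first value it reads for a keyword, so only the first
# GatewayPorts line counts; comments are skipped because $1 is then "#...".
gateway_ports_enabled() {
    awk 'tolower($1) == "gatewayports" && v == "" { v = tolower($2) }
         END { exit ((v == "yes" || v == "clientspecified") ? 0 : 1) }' "$1"
}

# Build the ssh command that exposes local LOCAL_PORT as REMOTE_PORT on the VM.
# -N runs no remote shell; ExitOnForwardFailure makes ssh fail loudly if the
# remote port is already taken instead of silently continuing without it.
ssh_forward_cmd() {
    remote_port=$1
    local_port=$2
    printf 'ssh -N -o ExitOnForwardFailure=yes -R 0.0.0.0:%s:127.0.0.1:%s %s@%s\n' \
        "$remote_port" "$local_port" "$VM_USER" "$VM_HOST"
}

# Constructed sample sshd_config fragment used to exercise the check.
sample_config() {
    printf '%s\n' '# comment' 'Port 22' 'GatewayPorts clientspecified' 'PermitRootLogin no'
}

# Typical use on the local PC (constructed port 3074 as the game port):
#   gateway_ports_enabled /path/to/copied/sshd_config && $(ssh_forward_cmd 3074 3074)
```

As the reply below notes, this is the easiest option to set up but adds TCP-in-TCP overhead, so it suits quick tests more than latency-sensitive play.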
 
@alphago True, DO seems the cheapest if you want good latency. AWS Mumbai is pretty good too; if you prepay or commit for a year you'd get a T3 Small for about 60 USD, but then bandwidth and storage would be extra. I tested the same the other day and I was getting great speeds, 200 Mbps+ over WiFi.

Also, Hetzner depends on the ISP: Airtel directly peers with Hetzner, and the direct hop out of Airtel is Hetzner.

@achaudhary997 Sure, will test today and let you know.
 
Sometimes I use SSH forwarding when I don't have time to set up OpenVPN. It is quick and easy. We can also forward ports using SSH tunnelling. There's an encrypted connection between the PC and the VM, and it acts as a VPN too.
I have used SSH tunnels, but it's not something you can try for gaming because of the overhead it has; it is pretty slow if low latency is required. Although this is the easiest to set up. 🙂

So from my calculations I am currently paying about 1k/month to get a public static IP with 50 Mbps of speed (until I get Excitel fiber) and 1 TB worth of data/month. I don't think there is any other ISP which will offer a better solution than this, considering my normal usage (without needing the public IP) is about 1.3-1.5 TB/month. This is the only reason stopping me from getting Airtel, as their unlimited plan is close to 2k/month.
 
Does anyone know a good VPS host in Delhi? I want to host a VPN server to avoid bad ISP routing. AWS, DO, Azure and Google Cloud don't have their main servers in Delhi. I want low latency.
 