Deco BE65-5G behind CGNAT as a client VPN for site-2-site connectivity ?

3 weeks ago - last edited 3 weeks ago
Tags: #VPN
Model: Deco BE65-5G  
Hardware Version: V1
Firmware Version: 1.0.5 build 20240904 Rel 22287

Hi,

I bought a Deco BE65-5G router for a remote site behind a CGNAT IP, a typical setup nowadays for a 5G connection.

On the central site I run a TP-Link MR600 with a public IP and DDNS and with the OpenVPN server enabled. How can I connect the client from the Deco BE65 to the MR600 server and enable site-to-site connectivity, i.e. remote and central subnets can talk to each other through the VPN, as shown by the blue arrows in the drawing below?

Note that I can connect from a PC or iPhone to the central site MR600 server through OpenVPN. It works pretty well; I can reach all devices on the central site LAN from my iPhone.

Feasible with OpenVPN? Then what do I miss?

Or any other type of VPN that could be used? PPTP? L2TP/IPsec?

Thanks,

Damien

#1
Re:Deco BE65-5G behind CGNAT as a client VPN for site-2-site connectivity ?
3 weeks ago

  @t0urista 

Hi, it is said that the Deco BE65-5G supports a VPN server/client.

I think you can try to set the Deco BE65-5G as an OpenVPN client to connect to the Archer MR600.

How to set up OpenVPN Client on Deco APP

Wait for your reply and best regards.

#2
Re:Deco BE65-5G behind CGNAT as a client VPN for site-2-site connectivity ?
3 weeks ago - last edited 3 weeks ago

  @t0urista

I tried this setup, strictly following the process, and it does not work.

The OpenVPN tunnel can be established, as shown on both the Deco (remote site, client) and the Archer MR600 (central site, server). I can even see that the Deco received the tunnel IP address 10.8.0.3.

  1. However, there is no communication at all between both routers: I cannot ping the tunnel endpoint IP 10.8.0.3 from a PC on the central site subnet with IP 192.168.0.100.
    BTW, when my iPhone is used as an OpenVPN client, it also receives a tunnel client IP from the range 10.8.0.x, but this one can be pinged from the same PC 192.168.0.100 on the central site, so there is definitely something wrong with the Deco OpenVPN client, which is the only difference between both setups.
  2. But then, even if tunnel IP addresses can be pinged, there is no route in the central site Archer routing table towards the remote site LAN subnet 196.168.68.0/24 that I want to reach from the central site (see table below), so the remote and local subnets will not be able to talk to each other!
  3. As shown in the last screenshot, I also tried a static route to the remote subnet 196.168.68.0/24 within the central router, but it did not change anything, so I disabled it.

What else can I do?

Txs

#3
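
Added example (not part of the thread, and not TP-Link code): in stock OpenVPN, a LAN behind a client becomes reachable from the server side only when the server config has a `route` for it and that client's `client-config-dir` file has a matching `iroute`. This Python sketch audits a server config for those pieces; the config text and the common name `deco-remote` are constructed, and the thread does not say whether the MR600 firmware exposes these directives.

```python
import ipaddress
import shlex

def directives(text):
    """Yield OpenVPN directives as token lists, skipping blanks and comments."""
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            yield tokens

def nets(text, keyword):
    """Networks from `keyword <net> [mask]` lines (OpenVPN route / iroute)."""
    found = []
    for tok in directives(text):
        if tok[0] == keyword and len(tok) >= 2:
            mask = tok[2] if len(tok) > 2 else "255.255.255.255"
            try:
                found.append(ipaddress.ip_network(f"{tok[1]}/{mask}", strict=False))
            except ValueError:
                pass  # hostname or keyword target, not a literal network
    return found

def audit(server_conf, ccd_files, client_cn, client_lan):
    """Return what is missing for the server to route client_lan via client_cn."""
    lan = ipaddress.ip_network(client_lan)
    missing = []
    if not any(t[0] == "client-config-dir" for t in directives(server_conf)):
        missing.append("server: no client-config-dir, so no per-client iroute is read")
    if not any(lan.subnet_of(n) for n in nets(server_conf, "route")):
        missing.append(f"server: no 'route' covering {lan} (kernel route into the tunnel)")
    if not any(lan.subnet_of(n) for n in nets(ccd_files.get(client_cn, ""), "iroute")):
        missing.append(f"ccd/{client_cn}: no 'iroute' covering {lan} (which client owns it)")
    return missing

# Constructed sample: road-warrior config of the kind that already serves a phone.
BEFORE = '''
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"   # central LAN pushed to clients
'''
# Same config plus site-to-site routing for the remote LAN as written in the thread.
AFTER = BEFORE + "client-config-dir ccd\nroute 196.168.68.0 255.255.255.0\n"
CCD = {"deco-remote": "iroute 196.168.68.0 255.255.255.0\n"}  # hypothetical CN

if __name__ == "__main__":
    for name, conf, ccd in (("before", BEFORE, {}), ("after", AFTER, CCD)):
        print(name, audit(conf, ccd, "deco-remote", "196.168.68.0/24") or "OK")
```

Passing this audit covers only the server side: the client router must also accept and forward traffic arriving from the tunnel.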
Re:Deco BE65-5G behind CGNAT as a client VPN for site-2-site connectivity ?
2 weeks ago

  @David-TP

No feedback on this request?

I tested the BE65-5G OpenVPN client with several OpenVPN servers (TP-Link MR600, Linux OpenVPN AS).

In any case, from my central site (for instance the TP-Link MR600) I'm not able to ping the OpenVPN tunnel IP assigned to the BE65-5G, and obviously I cannot reach any system connected to the BE65-5G, even if all devices are allowed to use the OpenVPN client.

Mitigation attempt:

I tried to bypass this issue by deploying an OpenVPN client on a Linux server on the remote site connected to the BE65-5G. The client can successfully connect to the central MR600 and I can ping its tunnel IP.

However, I cannot add any route on the BE65-5G pointing to the Linux OpenVPN client so that all traffic to the central site would be routed through the Linux OpenVPN client and tunnel, so I can only reach the OpenVPN client itself.

Since nowadays almost all 5G providers only assign CGNAT IPs, a decent dedicated 5G router should provide decent OpenVPN client connectivity, and at least offer static routing capabilities. Especially a router worth 500 EUR. Disappointing.

#4