VPN, Dual Stack NAT, IPV6

[Senzelian]

Hi everyone,

 

I want to connect remotely to my home network using a VPN.

My router has a build in VPN-function which would make this incredibly easy, but there is, of course, a catch.

 

My ISP provides me with an IPv4 and IPv6 address, but only the IPv6 address is accessible because they're using a "Dual Stack NAT".

That means that my IPv4 address is not openly accessible, because my home is basically handled as part of their network and is routed through their gateways to the mighty internet.

 

The IPv6 address, on the other hand, is just an ordinary address, which of course changes every 24 hours, because ... uhm... reasons!

 

So, now the issue is that with my phone, with which I want to connect to the VPN, can only get an IPv4 address and therefore I'm not able to connect to the IPv6 address, which I actually thought was possible, but apparently it's not.

 

Are there any solutions with which I can connect with my phone (IPv4) to my VPN (IPv6) without having to pay 2€ a month to get a public IPv4 address?

[Alex Atkin UK]

Damn, that's an awful implementation they have there.  CGNAT is bad enough, but the whole point of IPv6 is there is no good reason to have your address EVER change, they should give you your own entire static IP range.  Its amazing how many ISPs seem to be going against the IPv6 specifications with half-assed solutions.

 

I believe in theory you should be able to connect over IPv6 and do some sort of IPv4 over 6 routing, but if your routers implementation can handle that is a different question.  Plus I have no idea how to do it myself, I had been considering looking into it myself but never gotten around to it.

[Senzelian]

2 minutes ago, Alex Atkin UK said:

Damn, that's an awful implementation they have there.  CGNAT is bad enough, but the whole point of IPv6 is there is no good reason to have your address EVER change, they should give you your own entire static IP range.  Its amazing how many ISPs seem to be going against the IPv6 specifications with half-assed solutions.

 

I believe in theory you should be able to connect over IPv6 and do some sort of IPv4 over 6 routing, but if your routers implementation can handle that is a different question.  Plus I have no idea how to do it myself, I had been considering looking into it myself but never gotten around to it.

Yeah I don't understand why they're changing my IPv6 address every 24 hours.
With IPv4 it at least made sense.

 

I just ordered a public IPv4 address now for 2€ a month. That should fix it.

[Alex Atkin UK]

18 minutes ago, Senzelian said:

Yeah I don't understand why they're changing my IPv6 address every 24 hours.
With IPv4 it at least made sense.

 

I just ordered a public IPv4 address now for 2€ a month. That should fix it.

At least its not too expensive.  CG-NAT is such a terrible idea when online gaming is so popular these days, its honestly the worst time to be using it.

I had IPv6 enabled for a while here but turned it off (its running on the router for DNS but not on the LAN) as I don't understand Microsofts implementation on Xbox One.  It would chang its ID every reboot causing it to get a new IP address, and some clients don't support DHCPv6 at all, so they get randomly assigned IPs.  Whoever thought having multiple ways to assign IP addresses was a good idea should be shot!

How on earth are you supposed to enable specific clients on the firewall for public incoming traffic if they do that?  No way I'm just blanket enabling incoming connections to the whole LAN, who knows what rogue ports are open on IoT, Smart devices or even a slight glitch in the Windows firewall leaving things wide open.  First line of defense IMO should be the router/firewall and IPv6 completely breaks that with its inconsistency in implementation on the clients.

[lal12]

One reason providers supply their own solution and not giving you a static IPv6 is too give you more anonymity.

[Senzelian]

4 minutes ago, lal12 said:

One reason providers supply their own solution and not giving you a static IPv6 is too give you more anonymity.

If that's the reason, I wish they would give me the option in my router settings instead.

[lal12]

Just now, Senzelian said:

If that's the reason, I wish they would give me the option in my router settings instead. 

Most people probably would not know about that or at all touch the setting, so the default has to be a changing IP. But I don't see any easy way to get this working like that with a router setting.

[schizznick]

The smallest network which should be used in IPv6 is a /64, which is 65535 IP's. The main reason for this is NAT does not exist in IPv6 and so IP's need to be adequate for every device in the home. Your router should get a single IPv6 IP and then route to a /64 of IP's in your home. Every single device in the house is reachable from the internet. If you go to an IPv6 IP lookup site (https://www.whatismyip.com/), every device should have a different IP. What may be happening is your lease for DHCPv6 or router advertisement is changing every 24 hours which causes the IP on the router to change. This would be unusual considering it would invoke network routing changes but it is not impossible. IPv6 is a whole new beast and many carriers are avoiding it or improperly implementing it because of the considerable changes in how you have to deal with it. Ultimately if you don't see the IPv6 IP of your PC when you go to https://www.whatismyip.com/ then your are not really using IPv6. 

[mtz_federico]

you could use zerotier to access your home devices.

zerotier is basically a vpn, it gives each device on your zerotier network an ip and you can access that device on other devices that are connected to the same zerotier network, the nice thing is that you don't need to port forward and it works on windows, mac, linux, android, ios.

 

here is a good video on zerotier if you are interested

 

[Donut417]

5 hours ago, Alex Atkin UK said:

Its amazing how many ISPs seem to be going against the IPv6 specifications with half-assed solutions

More like they are trying to catch up. I mean IPv6 has only been around for 20 or so years.......... Now they have ran out of IPv4 addresses they are trying to find a solution. So some ISP's it involves replacing equipment, which costs a chunk of change. Im lucky that Comcast has the foresight  to dual stack with both addresses being public.  To my understanding there are 3 ways ISP's implement IPv6. They basically need to standardize on 1 way. 

 

5 hours ago, Alex Atkin UK said:

CG-NAT is such a terrible idea when online gaming is so popular these days

I think part of the reason many ISP's do this, is its cheaper that upgrading and they dont want people running servers on their residential connections, so they make it so you cant. Keeping the public IP addresses for business customers. Because at the end of the day, they dont care about gaming, there is no money in it for them. 

[Alex Atkin UK]

Indeed, its similar to how in the early days you had to pay for a static IP but over time (at least in the UK) some of the better ISPs just give you one by default, or for a one-off charge to enable it.  As unlike the dialup days, almost all users will be "online" at all times, so dynamic isn't allowing you have a lower allocation of IP addresses than your total number of customers.

I guess as gamers (and I'm not an online gamer personally, only when I'm forced into it with things like The Crew 2 and Forza Horizon 4, I still treat them as single player) its easy to forget that the majority of users will indeed never know they are on CG-NAT as online gaming will still be a minority of all broadband connections and even less people running servers in the home.  But that can also be a problem in that when its causing them technical problems, they won't know why.

 

Its actually kinda sad as things like Skype moved from P2P where I could get a clean 1080p chat on a good day with correct port forwarding, to now it being server based (theoretically I'm guessing its for compatibility now more people are using phones/tablets that often use CG-NAT) where it runs like crap all the time.  In some ways were going backwards.