I just got TMO home service to use as a backup/secondary WAN on my network. I have things set to fail over (and back) and it works great, except that I can’t connect to my home VPN servers when it fails to TMO.
I get that this goes back to the whole IPv6/translation challenge, but I suspect the solution isn’t too difficult - however it’s outside of my experience.
My thinking is that if I enable IPv6 on my router (which has the embedded oVPN and Wireguard servers I use) and set up my DDNS to work with IPv6* I should be fine. My questions are, however:
- Since IPv6 addresses are all routable, would a connection request to the VPN server hit the router, or would it dead-end in the TMO device?
- What IPv6 setting do I need on my router? I have a ton of listed connection types which cascade into other settings, but am not sure what any of these are or how I should set things up. This one is kinda on me, but I welcome advice here.
- Is there something major I’m not thinking of?
*This makes me realize I have no idea if the DDNS updater on my router supports no-up IPv6, but at worst I could spin up a Raspberry Pi to run said updates on WAN IP change.
Tailscale all the way, I use it full time with TMHI and it works perfectly
Although IPv6 avoids CGNAT, incoming connections are still blocked by TMO’s firewall policy. Because of this, whatever VPN protocol is being used, the tunnel needs to be established from behind the TMHI connection in client mode, i.e. first packet going out to a non-Tmobile endpoint somewhere, preferably on a stable IP. A cheap virtual private server on cloud hosting may be worth considering. You can then port-forward services from the external VPS back toward servers at home, so long as the VPN client sends a keepalive often enough to keep T-mobile’s stateful connection-tracking entry from expiring.
The answer to question 2 is IPv6 Passthrough. For non-Merlin ASUS, go to Advanced Settings | IPv6 | Connection Type.
Tailscale and other proposed solutions work, and in layman’s terms they all end up being the same thing - you set up an OUTBOUND VPN (like WireGuard for example) from the device (firewall/Wifi router) NAT’ed behind the TMO modem to an accessible HUB. Since it’s outbound it won’t be blocked by the TMO modem. All devices that need access to this TMO device would need to VPN to the same HUB. Then through routing magic you have access to the device behind the TMO modem. Setting up WireGuard on a Wi-Fi router or firewall (like pfsense) behind the TMO modem is doable (Wi-Fi router depends if it supports WG) and not that hard, the hard part is finding a place for everyone to “HUB” into. That HUB would need to be fully accessible with a public IP address and not behind a similar NAT so everyone can just VPN into. Could be a family or friend’s home internet not using TMO home internet.
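The outbound-tunnel-to-a-hub setup described in the two replies above (router behind TMHI dials out to a VPS, VPS forwards a port back through the tunnel, keepalive holds T-Mobile's conntrack entry open), written out as a WireGuard config pair. This is an added illustration, not config from any poster here; the key placeholders, the 10.200.0.0/24 tunnel subnet, the hostname vps.example.net, the VPS WAN interface name eth0 and the forwarded port (UDP/1194 for a home OpenVPN server) are all assumptions.

```ini
# ---- VPS (hub), /etc/wireguard/wg0.conf ----
# Public, static IP; the only side that listens for incoming packets.
[Interface]
Address    = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>            ; placeholder
# Forward UDP/1194 arriving on the VPS's public IP to the home router
# via the tunnel. MASQUERADE on wg0 makes the router reply back through
# the tunnel instead of via its TMO default route (avoids asymmetric
# routing, at the cost of hiding the remote client's source IP).
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to-destination 10.200.0.2:1194
PostUp   = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp   = iptables -A FORWARD -i eth0 -o wg0 -p udp --dport 1194 -j ACCEPT
PostUp   = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to-destination 10.200.0.2:1194
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -p udp --dport 1194 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
# Home router behind TMHI. Deliberately no Endpoint: the hub never
# initiates, it learns the router's current public address from the
# router's own outbound handshake.
PublicKey  = <ROUTER_PUBLIC_KEY>          ; placeholder
AllowedIPs = 10.200.0.2/32

# ---- Home router behind TMHI, wg0.conf ----
[Interface]
Address    = 10.200.0.2/24
PrivateKey = <ROUTER_PRIVATE_KEY>         ; placeholder
# No ListenPort needed: nothing inbound ever reaches this side directly.

[Peer]
PublicKey  = <VPS_PUBLIC_KEY>             ; placeholder
Endpoint   = vps.example.net:51820        ; assumed hub hostname
AllowedIPs = 10.200.0.0/24
# Send a packet every 25 s so the CGNAT / stateful-firewall entry on
# T-Mobile's side never expires and the DNAT'd traffic has a path back.
PersistentKeepalive = 25
```

Remote clients then point their OpenVPN profile at vps.example.net:1194 rather than the home DDNS name; the home server sees every connection arrive from 10.200.0.1, so any per-client source-IP rules there need to move to the VPS.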
Starting to read and it seems like Tailscale uses the Wireguard protocol but eliminates the need/issue on NATing. No ASUS/Merlin support, but I suspect setting this up on a Pi would be reasonably simple.
Seems like a potential solution, though I was hoping to be able to leverage my existing VPN servers for a few reasons. Not requisite, I suppose.
While this adds a failure point it isn’t a bad idea. I have a VPS I could install this on, though I suspect it could be worth isolating it, plus, there’s probably a service that has this pretty turn-key compared to the disaster of me trying to do this from scratch.
I could establish the inbound (hub) in another house, but for the sake of speed and reliability, I’ll prob set up a VPN on a VPS and handle it that way. This will also make it so, since I may have multiple locations connected, there won’t be a single house’s connection acting as the bottleneck for all. I was comfortable with that single bottleneck being the location w TMO as backup, but the other locations don’t have setups as robust.
Yes it works perfectly on a pi
I run mine in an LXC container since I’m using Proxmox.
Interesting - so what are you going to use for your VPS (hub) for all connections if not another house? Are there “free” places to set up a free VPN concentrator for all clients to hub into? I know Tailscale is free for up to 3 users on the same share, but what if you need more… also a concern for privacy - if you use another’s service there is no stopping the provider of these services from accessing your shit as they are the hub.