One employee needs access to the company VPN, but he is always in the middle of nowhere without a proper internet connection. He tries to connect his laptop to a cellphone hotspot but I can’t connect to the VPN.
After some research I found out that there is something called CGNAT that makes it impossible to do what he wants to do, but he really needs to connect to the VPN and he only has cellphone internet. Is there some workaround?
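A quick way to check the CGNAT suspicion the question raises is to compare the address the hotspot shows on its WAN side with the address an outside service sees. The following is an added example, not code from the thread; it uses the RFC 6598 shared address space (100.64.0.0/10) that carriers use for CGNAT and the RFC 1918 private ranges, and all sample addresses are constructed stand-ins.

```python
"""Classify a hotspot/router's WAN-side address and infer carrier NAT.

Added example (not from the thread). The sample addresses used in the
comments and tests are constructed stand-ins, not real infrastructure.
"""
import ipaddress

# RFC 6598 shared address space, reserved specifically for carrier-grade NAT.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges, typical of a home router or a phone's hotspot LAN.
PRIVATE_SPACES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan_address(addr: str) -> str:
    """Return one of: cgnat, private, public, ipv6-global, ipv6-non-global, other."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        # A globally routable IPv6 address on the client side means the
        # endpoint can be reached without any NAT traversal at all.
        return "ipv6-global" if ip.is_global else "ipv6-non-global"
    if ip in CGNAT_SPACE:          # checked first: Python treats this range
        return "cgnat"             # as neither private nor global
    if any(ip in net for net in PRIVATE_SPACES):
        return "private"
    if ip.is_global:
        return "public"
    return "other"                 # loopback, link-local, documentation, etc.


def nat_layers(wan_addr: str, observed_public_addr: str) -> dict:
    """Compare the WAN address the hotspot reports with the address an
    external service sees for the same client.

    carrier_nat is True when the WAN address is not public and differs from
    the externally observed one: the carrier is translating a second time.
    inbound_reachable is True only if the client could accept unsolicited
    inbound packets, which is what a VPN *server* behind CGNAT would need;
    a VPN *client* behind CGNAT only needs outbound UDP/TCP to work.
    """
    kind = classify_wan_address(wan_addr)
    carrier_nat = kind in ("cgnat", "private") and wan_addr != observed_public_addr
    return {
        "wan_kind": kind,
        "carrier_nat": carrier_nat,
        "inbound_reachable": kind in ("public", "ipv6-global"),
    }


if __name__ == "__main__":
    # Constructed example: hotspot WAN address in the CGNAT range, while a
    # "what is my IP" style service reports a different, carrier-owned address.
    print(nat_layers("100.72.3.9", "8.8.8.8"))
```

If `wan_kind` comes back as `cgnat` or `private` but the VPN client still cannot connect, the NAT itself is rarely the cause for an outbound client connection; the protocol choice and link quality are the next things to look at.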
You probably want to try a more modern protocol. Old protocols are ironically much “heavier”, so it’s harder to stay connected. I would try Bowtie, which uses WireGuard, and if there are connectivity problems they still let you choose the endpoint, so it can narrow down whether the user’s internet is truly too weak.
Can’t give you a solution for your specific case, but I’ve transitioned to WireGuard, which still stays connected even in areas with an unstable cellphone connection.
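The reason a UDP-based VPN such as WireGuard stays up behind a carrier NAT, as the two replies above describe, is that the NAT only keeps a UDP mapping alive while packets keep flowing through it. The following is an added example, not code from the thread or from the WireGuard project: it models a NAT binding table with an idle timeout (the 30 second value is constructed for illustration; real carrier timeouts vary) and shows whether a server-initiated packet still reaches the client after a quiet period with and without periodic keepalives. WireGuard exposes this as the real `PersistentKeepalive` peer setting, which the thread does not mention by name.

```python
"""Model of a CGNAT UDP binding table with an idle timeout.

Added example (not from the thread). Timeout and timings are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class NatBindingTable:
    idle_timeout: float                      # seconds an unused UDP mapping survives
    bindings: dict = field(default_factory=dict)  # (inside_ip, port) -> last_seen

    def outbound(self, inside: tuple, now: float) -> None:
        # Any outbound packet creates or refreshes the mapping for that flow.
        self.bindings[inside] = now

    def inbound_allowed(self, inside: tuple, now: float) -> bool:
        # Inbound packets are only delivered if a live mapping exists.
        last = self.bindings.get(inside)
        if last is None:
            return False
        if now - last > self.idle_timeout:
            del self.bindings[inside]        # NAT has forgotten the flow
            return False
        return True


def simulate(keepalive_interval: float, idle_timeout: float, server_push_at: float) -> bool:
    """Return True if a packet the VPN server sends at server_push_at is delivered.

    The client completes its handshake at t=0, then sends no user traffic.
    If keepalive_interval > 0 it sends an empty keepalive every that many
    seconds, which is exactly what WireGuard's PersistentKeepalive does.
    """
    nat = NatBindingTable(idle_timeout)
    client = ("10.0.0.2", 51820)             # constructed inside address/port
    nat.outbound(client, 0.0)                # handshake packet opens the mapping
    if keepalive_interval > 0:
        t = keepalive_interval
        while t < server_push_at:
            nat.outbound(client, t)          # keepalive refreshes the mapping
            t += keepalive_interval
    return nat.inbound_allowed(client, server_push_at)


def max_safe_keepalive(idle_timeout: float, margin: float = 5.0) -> float:
    """Largest keepalive interval that still refreshes the mapping before it
    expires, leaving a margin for jitter on a poor cellular link."""
    return max(idle_timeout - margin, 1.0)


if __name__ == "__main__":
    for interval in (0, 25, 60):
        print(f"keepalive={interval:>2}s delivered after 95s quiet: "
              f"{simulate(interval, 30, 95)}")
```

The simulation is the same mechanism that makes an always-on client behind CGNAT look "dead" to the server once the user stops generating traffic: the NAT silently drops the mapping, and any protocol whose re-establishment is slow or fragile on a lossy link (the older protocols the earlier reply calls "heavier") shows that as a dropped VPN.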
That’s not how CGNAT works. CGNAT does not prevent the establishment of a VPN connection. It’s likely that the hotspot is simply introducing too much latency/jitter into the equation to properly establish a connection.
Edit: Holy fuck man. PPTP in 2025? Aside from the fact that that is definitely the worst protocol to try and use remotely, it’s also insanely insecure. IPsec, SSL VPN, OpenVPN, WireGuard. Literally any of those would be infinitely better to implement nowadays.
The right answer here? Set up IPv6. You don’t need it inside your network, which is a lot more work. But an IPv6 tunnel endpoint makes these sorts of problems go poof.
I’ve had bullshit fuckery with CGNAT and both IPsec and Forti DTLS VPNs. Typically not “hard broken”, but intermittent problems, and breaking pure IPsec (without a TCP/UDP underlay) is most definitely a thing depending on implementation.
That said, I’m really sold that remote worker VPN endpoints should be offered in IPv6 now. Way easier than IPv6 for your internal nets (assuming you’re not running BGP uplinks), and solves a lot of dumb shit really easily.
Oh no! Stop everything and just Google whether PPTP is safe to use. This is the only research you need to do right now.
“The PPTP protocol itself is no longer considered secure as cracking the initial MS-CHAPv2 authentication can be reduced to the difficulty of cracking a single DES 56-bit key, which with current computers can be brute-forced in a very short time (making a strong password largely irrelevant to the security of PPTP as the entire 56-bit keyspace can be searched within practical time constraints).”
I’ve been having the same issues with users behind CGNAT or 6to4 NAT connecting to IKEv2 Always On VPN. Fixed it (/worked around it) for those users by switching the user tunnel to SSTP. The device tunnel remains broken though; can’t do SSTP on those.