Recently I tried to connect to my home using my trusted WireGuard solution, but it just did not work. Although the client claimed to be connected, I could not access anything on my Home Lab remotely. What is the issue? Why did this stop working? At the end of last year I replaced the router with an N100 CPU-based mini PC; could it be due to the migration of my config?

Time to investigate… And hopefully find a working solution.

Investigation

While investigating, I checked if the DNS entry was properly updated, which it was. Was the service running correctly? Yes, it was.

What is my public IP? And is this IP correctly updated to the DNS name? Yes, it is. Is that the same as the one assigned to my WAN network port? No, it was not and still is not.

  • What is wrong here?
  • How can I solve this?
  • Or is this something I cannot solve?

ISP

As most people in IT know, there is a big shortage of IPv4 addresses. As a “solution”, my ISP stopped assigning me the dynamically assigned IPv4 address I used to get and now assigns me a bogon IPv4 address instead, thus “breaking” my VPN access. What are bogon IPv4 addresses, you might wonder.

Bogon IP addresses are a set of IP addresses that are not assigned to any entity by the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIR).

This unallocated address space is called the bogus space. Bogons also include the reserved private address ranges and the link-local address ranges. In time IANA might assign bogon IP addresses to an entity or RIR.

Carrier Grade NAT

In other words, I am stuffed. My ISP is now using what is known as Carrier Grade NAT, so I will never be able to access my firewall directly anymore. My WAN port is no longer directly connected to the internet. No need to open ports or to try to get some direct access to my home lab network: any port I open is accessible from within the bogon network, never from the internet.
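The check from the investigation above, as an added example that is not part of the original post: it classifies the WAN address and compares it with the DNS record and the address seen from outside. The function names and sample addresses are constructed, and the 100.64.0.0/10 range is the shared address space reserved for carrier-grade NAT in RFC 6598, which the post does not name.

```python
import ipaddress

# IPv4 blocks that can never be reached directly from the internet.
# The ranges come from the RFCs named in the labels, not from the post.
NON_PUBLIC = [
    ("carrier-grade NAT shared space (RFC 6598)", "100.64.0.0/10"),
    ("private (RFC 1918)", "10.0.0.0/8"),
    ("private (RFC 1918)", "172.16.0.0/12"),
    ("private (RFC 1918)", "192.168.0.0/16"),
    ("link-local (RFC 3927)", "169.254.0.0/16"),
    ("loopback", "127.0.0.0/8"),
]


def classify(addr: str) -> str:
    """Return the label of the non-public block holding addr, else 'public'."""
    ip = ipaddress.IPv4Address(addr)
    for label, cidr in NON_PUBLIC:
        if ip in ipaddress.IPv4Network(cidr):
            return label
    return "public"


def diagnose(wan_ip: str, dns_ip: str, observed_ip: str):
    """Compare the three addresses checked in the investigation.

    wan_ip      -- address on the router's WAN port
    dns_ip      -- address the dynamic DNS name resolves to
    observed_ip -- address an outside service reports for this connection
    Returns (reachable, problems).
    """
    wan, dns, seen = (ipaddress.IPv4Address(a) for a in (wan_ip, dns_ip, observed_ip))
    problems = []
    kind = classify(wan_ip)
    if kind != "public":
        problems.append(f"WAN address {wan} is {kind}: opened ports stop at the ISP's NAT")
    elif wan != seen:
        problems.append(f"WAN address {wan} differs from outside view {seen}: another NAT is in the path")
    if dns != seen:
        problems.append(f"DNS record {dns} is stale, outside view is {seen}")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample matching the post: DNS is correct, the WAN port is not public.
    # 203.0.113.27 is a documentation placeholder standing in for a real public address.
    ok, problems = diagnose("100.72.13.5", "203.0.113.27", "203.0.113.27")
    print("inbound VPN possible:", ok)
    for p in problems:
        print(" -", p)
```
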

Solution

How to solve this? There should be a way to access services on my Home Lab without a direct VPN connection.

Costly solution

I could change my ISP subscription to one that provides a fixed IP. It is possible, albeit quite costly.

Alternative solution

Thanks to a YouTube video from NetworkChuck, who has a very funny way of explaining the more complex network issues one faces, I found the solution: Twingate. And the best part is, it is free for my use.

Implementing Twingate

Implementing Twingate is pretty straightforward. It just works, like magic. And now I am able to connect to services/devices back home without the need for a VPN. Pretty awesome! It is just a matter of creating “resources” in the Twingate account and assigning each resource to the remote network and, like magic, there is access to the server/device.

Result

It just works. I have set up those services I would like to access and, like magic, the services are available from most of my devices when on the road. There is only one device type that is not (yet) capable of accessing specific sets of data at home. These are a nice-to-have, and I am (still) convinced that it should be possible. But that is for some other time.

In the end I am very happy with this setup. It gives me access to home services. The only downside is missing my setup where I used the VPN to route my traffic via a VPN tunnel back home and then out to the internet. There are other solutions I can investigate. Also for a later time.