Is there any kind of VPN that can be put on an ASUS Merlin router that will allow me to open ports and mess with firewall settings or something?
No.
No matter how many hardware devices you add behind the TMHI router, you are still behind cgNAT. There’s no way around that.
To do what you want (open ports to the outside world) you’ll need a non-cgNAT IP.
Example - I want to host SSH on port 22 on my desktop, which is behind a TMHI router. To do this, I have a cheap VPS box with Digital Ocean hosting OpenVPN. Using tools like netmaker, I can have the VPS act as a relay and provide this.
You’ll want to look into paid services like Tailscale if you want an easy solution; if you are a bit more technical with things, you can get a cheap VPS and host a relay.
That’s the only solution. You will never be able to directly expose a service to the internet while behind cgNAT - due to the nature of the tech. You don’t have an IP address that is unique to you, you share from a pool. A relay of some sort is required.
All firewall/port forwarding settings are done at the ISP level, not the user level.
Tailscale - paid solution, requires client to be running on all devices wanting to connect.
Netmaker - open source, requires you to have a server somewhere and configure it for relay.
playit.gg - paid solution, more focused on small home users - might be better for you.
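An added example, not part of any post in this thread: a quick way to confirm the situation described above is to compare the address on the router's WAN interface with the address an outside host sees. The address ranges come from RFC 6598, RFC 7335 and RFC 1918 rather than from the posts, the function names are hypothetical, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# IPv4 ranges that are never reachable from the internet as-is.
NON_PUBLIC_V4 = {
    "cgnat": ["100.64.0.0/10"],            # RFC 6598 shared address space
    "transition": ["192.0.0.0/29"],        # RFC 7335, DS-Lite / 464XLAT
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # RFC 1918
}
GLOBAL_V6 = ipaddress.ip_network("2000::/3")  # IPv6 global unicast


def address_kind(addr):
    """Classify one address string; anything unlisted counts as public IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6-global" if ip in GLOBAL_V6 else "ipv6-local"
    for kind, nets in NON_PUBLIC_V4.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return kind
    return "public"


def nat_verdict(wan_addr, seen_addr):
    """wan_addr: address on the router's WAN interface.
    seen_addr: address an outside host reports for your connection.
    Returns (needs_relay, reason)."""
    kind = address_kind(wan_addr)
    if kind == "ipv6-global":
        return False, "global IPv6, no NAT; inbound still depends on firewalls in the path"
    if kind != "public":
        return True, f"WAN address is {kind}, not internet-routable; a port forward on your own router is not enough"
    if ipaddress.ip_address(wan_addr) != ipaddress.ip_address(seen_addr):
        return True, "WAN looks public but outside hosts see another address"
    return False, "WAN address is the address the internet sees"


if __name__ == "__main__":
    # Constructed sample pairs (documentation ranges), not real measurements.
    for wan, seen in [("100.72.10.4", "203.0.113.7"),
                      ("192.0.0.2", "203.0.113.7"),
                      ("203.0.113.7", "203.0.113.7"),
                      ("2001:db8::10", "2001:db8::10")]:
        print(wan, seen, nat_verdict(wan, seen))
```
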
Yes, with a PAID external VPN you can certainly open up ports. For instance I use AirVPN. They allow port forwarding when you’re connected.
I haven’t used it on a router, but they do have a configuration generator you can use to import into your ASUS router’s VPN setup.
From their website you can enable the open ports and what they map to.
You’ll need to do some routing config on the ASUS to make sure the port goes to the correct device inside your network.
Tailscale works great for tmobileisp when it comes to remote access to a system running on a T-Mobile account. Free for 20 devices.
Since you are trying to port forward, I have been able to do this with a Pi to open up a port for a service. See the example here:
https://virtualprivatepi.com/diy/
Pretty much I have a VPS -- OpenVPN tunnel -- Pi -- some device that has a port open to the internet on T-Mobile.
There are some paid VPN services where you can do port forward and cut the middle man out of setting up a VPS instance. Google "port forward VPN" and some options should pop up.
Realize that this can cause latency and whatnot to whatever service you are trying to port forward.
This has been asked a bunch of times before; the answer is no, you can't edit any port information.
https://old.reddit.com/r/tmobileisp/comments/tire2z/successful_remote_access/
If you know someone with a publicly accessible IP address (Fios, Comcast, etc.) you can tunnel in through their connection. PITA setup and maintenance though.
Tailscale is free until you add 20 devices. And you only need one device on the network running Tailscale to access the entire network if you set it up correctly. I have one device with Tailscale on my TMHI network running on my 3D printer. From that one device I can access anything on the network and use the entire network as an exit node if needed.
Not quite. There are no NAT issues with IPv6…
ZeroTier is free for one admin + 50 active devices.
I’ve been considering using it - my issue is, let’s say I was hosting a Jellyfin server locally with my media, and wanted to allow a family member to remotely access that service - but said family member would be using a Firestick/Roku-like device, and have no ability to run a special client - would this still be functional?
Correct me if I am wrong, but IPv6 does not change anything. You’re still behind carrier-grade NAT, you still can’t open a port?
That would be a more elegant solution than using a relay, but I am totally unsure of how one would set that up.
Check this thread
There is definitely no NAT natively with IPv6 where you typically connect directly to other devices. There may be a software firewall on each device though that could need a rule added to allow a port through.
There are multiple types of IPv6 addresses though & usually your device's IP would change over time, so Dynamic DNS would help with that if you’re publicly hosting a service. With ZeroTier it usually doesn’t matter since it’ll adapt automatically like Tailscale.
Bit hacky but workable!
Was hoping for something like - map jellyfin.mydomain.com to my local service, that way the end user just has to know the server name and login/password, vs having to rely on external apps and dodgy config