Memory shards


Nowadays, with the exhaustion of IPv4 addresses, more and more ISPs use Carrier-grade NAT. What’s the main issue for customers? Well, they can’t forward their ports which could be an issue if they wanted to host a website, a video game server or any kind of peer-to-peer application.

To get around this, you can set up your own VPN on a cheap VPS. After setting it up, configuring SSH settings and firewall rules, you can run this OpenVPN installation script. Then, allow incoming traffic through ufw on your OpenVPN port and on the port you want to forward, so that ufw status shows:

22                                   ALLOW IN    Anywhere                  
[PORT_TO_FORWARD]/tcp                ALLOW IN    Anywhere                  
[PORT_TO_FORWARD]/udp                ALLOW IN    Anywhere                  
[OPENVPN_PORT]/udp                   ALLOW IN    Anywhere                  
22 (v6)                              ALLOW IN    Anywhere (v6)             
[PORT_TO_FORWARD]/tcp (v6)           ALLOW IN    Anywhere (v6)             
[PORT_TO_FORWARD]/udp (v6)           ALLOW IN    Anywhere (v6)             
[OPENVPN_PORT]/udp (v6)              ALLOW IN    Anywhere (v6)

You also have to change DEFAULT_FORWARD_POLICY to ACCEPT inside /etc/default/ufw. The next step is to configure our local client IP address so it stays the same across connections. To do that, add ifconfig-pool-persist ipp.txt 0 to /etc/openvpn/server.conf (the trailing 0 makes OpenVPN treat the file as read-only instead of rewriting it) and client_name,[LOCAL_CLIENT_IP_ADDRESS] to /etc/openvpn/ipp.txt. To disable logs, you can also add the following lines to /etc/openvpn/server.conf:

log /dev/null
status /dev/null
verb 0

You obviously need to change [LOCAL_CLIENT_IP_ADDRESS] to a valid IPv4 address inside the OpenVPN server subnet (given by the server line in /etc/openvpn/server.conf). Then, copy the following lines to /etc/ufw/before.rules, before the last “COMMIT” line.

# Commits changes made to another table
COMMIT

# NAT rules for OpenVPN
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport [PORT_TO_FORWARD] -j DNAT --to-destination [LOCAL_CLIENT_IP_ADDRESS]:[PORT_TO_FORWARD]
-A PREROUTING -i eth0 -p udp --dport [PORT_TO_FORWARD] -j DNAT --to-destination [LOCAL_CLIENT_IP_ADDRESS]:[PORT_TO_FORWARD]
-A POSTROUTING -o eth0 -j MASQUERADE
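The server-side steps above are easy to get subtly wrong: a client address outside the tunnel subnet, a forward policy left at DROP, or a typo in the DNAT line silently breaks forwarding. The script below is an added example (not part of the original post) that checks those points before the live files are touched: it reads the server subnet from a server.conf, verifies the chosen client address belongs to it and is not the network or the server's own address, checks DEFAULT_FORWARD_POLICY in a ufw defaults file, and renders the ipp.txt line and the before.rules NAT fragment from variables. The file paths, the interface name eth0 and every address and port are placeholders you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the OpenVPN port-forwarding setup.
# All paths, the WAN interface name and the addresses are placeholders supplied as arguments.

# Print a dotted-quad IPv4 address ($1) as a 32-bit integer. Returns 1 on malformed input
# (wrong shape, octet above 255, or leading zeros that the shell would read as octal).
ip_to_int() {
    echo "$1" | grep -Eq '^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$' || return 1
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside network $2 with netmask $3.
in_subnet() {
    _a=$(ip_to_int "$1") || return 1
    _n=$(ip_to_int "$2") || return 1
    _m=$(ip_to_int "$3") || return 1
    [ $(( $_a & $_m )) -eq $(( $_n & $_m )) ]
}

# Read the "server <network> <netmask>" directive from an OpenVPN server.conf ($1) and check
# that the client address ($2) is inside that subnet, and is neither the network address
# nor the first host, which the server takes for itself.
client_ip_ok() {
    _net=$(awk '$1 == "server" { print $2; exit }' "$1")
    _mask=$(awk '$1 == "server" { print $3; exit }' "$1")
    [ -n "$_net" ] && [ -n "$_mask" ] || return 1
    in_subnet "$2" "$_net" "$_mask" || return 1
    _c=$(ip_to_int "$2") || return 1
    _n=$(ip_to_int "$_net") || return 1
    [ "$_c" -ne "$_n" ] && [ "$_c" -ne $(( $_n + 1 )) ]
}

# Return 0 if DEFAULT_FORWARD_POLICY in a ufw defaults file ($1, normally /etc/default/ufw) is ACCEPT.
forward_policy_ok() {
    grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$1"
}

# Print the ipp.txt line that pins client name $1 to tunnel address $2.
ipp_entry() { printf '%s,%s\n' "$1" "$2"; }

# Print the nat-table fragment for /etc/ufw/before.rules.
# $1 = WAN interface, $2 = port to forward, $3 = client tunnel address.
nat_fragment() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || return 1
    ip_to_int "$3" >/dev/null || return 1
    cat <<EOF
# Commits changes made to another table
COMMIT

# NAT rules for OpenVPN
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $1 -p tcp --dport $2 -j DNAT --to-destination $3:$2
-A PREROUTING -i $1 -p udp --dport $2 -j DNAT --to-destination $3:$2
-A POSTROUTING -o $1 -j MASQUERADE
EOF
}

# Usage: sh check.sh <server.conf> <ufw defaults file> <client address> <wan iface> <port>
# Prints the ipp.txt line and the before.rules fragment if the checks pass.
if [ "$#" -eq 5 ]; then
    client_ip_ok "$1" "$3" || { echo "client address $3 is not usable with $1" >&2; exit 1; }
    forward_policy_ok "$2" || { echo "DEFAULT_FORWARD_POLICY is not ACCEPT in $2" >&2; exit 1; }
    ipp_entry "${CLIENT_NAME:-client}" "$3"
    nat_fragment "$4" "$5" "$3"
fi
```

The WAN interface is whatever carries the VPS's public address (ip route show default tells you), not necessarily eth0. DNAT also needs kernel forwarding turned on; sysctl net.ipv4.ip_forward should report 1, which the installer script is assumed to have set.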

Finally, copy the OpenVPN client configuration generated earlier to your local machine with scp and allow incoming traffic on your local OpenVPN port through ufw:

[OPENVPN_PORT]/udp                  ALLOW IN    Anywhere                  
[OPENVPN_PORT]/udp (v6)             ALLOW IN    Anywhere (v6)

If you only want to use your VPN with one application, you can install and run vopono.

yay -S vopono-git
vopono -v exec --custom ./custom_openvpn.ovpn --protocol openvpn "your_application"

I hope this tutorial has been helpful. See you again, have a nice day!