Is it possible to set up a point-to-point VPN without "opening" ports?
-
Hello colleagues,
You see, in a project I'm working on, I need a VPN that connects a PC (server) and an Android device (client) using the OpenVPN software/protocol. I have everything working, but I have a BIG handicap with opening the port on the PC (server), since things are getting more complicated with CG-NAT, corporate firewalls, etc.
Currently, the users of my system who for whatever reason couldn't open/redirect the port bought a USB 3G/4G modem and that was that, but lately not even that works, since the entire MasMovil network no longer gives a public IP for mobile connections, and some Vodafone SIMs are starting to do the same, despite having the APN properly configured.
A clear example: I have a 3G modem + Vodafone SIM + APN configuration that always gives me a PUBLIC IP, and instead I put in a user's Vodafone SIM and nothing, it's behind a NAT and there's no way to get a public IP. One crazy afternoon I felt like calling technical support, but well, you can already imagine: 1 hour lost trying to explain, and the only thing they said was to sell me the "fixed IP" package. In short, one solution would be to rent a VPS and make a triangular network, where the server is the VPS and the clients are the PC and the smartphone, but that involves major drawbacks:
- Higher cost (VPS rental + generated traffic)
- Lower speed and higher latency than point-to-point
- Changes in the system infrastructure
So I was wondering whether I'm missing some solution I haven't considered, whether there is ANY way to make a point-to-point VPN without needing to open/redirect ports.
So, without really knowing, I was thinking of something like this: the server sends a request to the client so that the NAT waits for the client's response (which obviously won't come, because the client won't receive the request), and then a server would give the client a nudge to try the connection at just that moment; since the NAT would be waiting for the response, it could receive it. Maybe what I'm saying is crazy, or maybe not, but I don't know what else to try and/or test.
Obviously if IPv6 were already well deployed, the problems would be over but as always, we're at the back of the technology line.
Best regards and sorry for the long text I left you here to reflect on.
-
It's not my area, but while looking for information I think the solution is something called hole punching, if you want to look into it further.
https://github.com/samyk/pwnat
Hole punching is a technique in computer networking for establishing a direct connection between two parties in which one or both are behind firewalls or behind routers that use network address translation (NAT). To punch a hole, each client connects to an unrestricted third-party server that temporarily stores external and internal address and port information for each client. The server then relays each client's information to the other, and using that information each client tries to establish direct connection; as a result of the connections using valid port numbers, restrictive firewalls or routers accept and forward the incoming packets on each side.
The only VPN I have set up is through the firewall itself (sonicwall) with its own application for Windows/Linux/Android clients.
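The exchange described in that definition, as an added example that is not part of the thread or of pwnat: an in-process model of two NATs, a rendezvous server and the hole-punching rounds, written in Python. The NAT model uses the RFC 4787 terms: "endpoint-independent" mapping keeps one public port per internal socket whatever the destination, while the alternative allocates a fresh random public port per destination (address-and-port-dependent mapping, usually called "symmetric" NAT). It assumes address-and-port-dependent filtering on both sides, no port prediction, and no mapping timeouts; all IP addresses are made-up documentation-range values. It goes one step beyond the quoted text by also showing what happens when one or both NATs are symmetric.

```python
"""Added example: in-process model of UDP hole punching through two NATs."""
from dataclasses import dataclass, field
import random


@dataclass
class Nat:
    public_ip: str
    endpoint_independent: bool   # True: one public port per internal socket
    rng: random.Random           # port allocator (seeded for reproducibility)
    mappings: dict = field(default_factory=dict)  # mapping key -> public port
    allowed: set = field(default_factory=set)     # (public port, remote endpoint)

    def outbound(self, src, dst):
        """A packet from internal endpoint `src` to `dst` leaves the NAT.
        Returns the source endpoint the outside world sees."""
        key = src if self.endpoint_independent else (src, dst)
        if key not in self.mappings:
            port = self.rng.randrange(1024, 65536)
            while port in self.mappings.values():  # never hand out a port twice
                port = self.rng.randrange(1024, 65536)
            self.mappings[key] = port
        pub_port = self.mappings[key]
        self.allowed.add((pub_port, dst))  # only `dst` may answer on this mapping
        return (self.public_ip, pub_port)

    def inbound(self, dst_port, src):
        """True if a packet from outside endpoint `src` to `dst_port` passes."""
        return (dst_port, src) in self.allowed


def punch(nat_a, a_src, nat_b, b_src, rendezvous=("203.0.113.10", 3478)):
    """Run the hole-punching exchange; report which directions got through."""
    # 1. Both peers send to the rendezvous server, which records the public
    #    source address it sees (the 'mapped address' a STUN server reports).
    a_pub = nat_a.outbound(a_src, rendezvous)
    b_pub = nat_b.outbound(b_src, rendezvous)
    # 2. The server relays a_pub to B and b_pub to A (here: plain variables).
    # 3. Each peer sends to the other's public address. Two rounds, so the side
    #    whose first packet was dropped gets through once the other NAT has
    #    opened its mapping towards it.
    delivered = {"a->b": False, "b->a": False}
    for _ in range(2):
        seen = nat_a.outbound(a_src, b_pub)                  # leaves NAT A ...
        delivered["a->b"] |= nat_b.inbound(b_pub[1], seen)  # ... arrives at NAT B
        seen = nat_b.outbound(b_src, a_pub)
        delivered["b->a"] |= nat_a.inbound(a_pub[1], seen)
    return delivered


def run_scenario(a_independent, b_independent, seed=7):
    """A = 'VPN server' PC on UDP 1194, B = Android client; made-up addresses."""
    rng = random.Random(seed)
    nat_a = Nat("198.51.100.1", a_independent, rng)
    nat_b = Nat("192.0.2.1", b_independent, rng)
    return punch(nat_a, ("10.0.0.2", 1194), nat_b, ("192.168.1.5", 40000))


if __name__ == "__main__":
    print("both endpoint-independent:", run_scenario(True, True))
    print("server side symmetric:    ", run_scenario(False, True))
    print("both symmetric:           ", run_scenario(False, False))
```

Two things the model makes visible: the public port the rendezvous server learned is only useful if the NAT reuses it for the peer, and a single symmetric NAT on either side is enough to break the exchange. Real mappings also expire after some seconds of silence, so the tunnel has to keep sending (OpenVPN's `keepalive` directive does that) or the hole closes again.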
-
@krampak said in Is it possible to set up a point-to-point VPN without "opening" ports?:
It's not my area, but while looking for information I think the solution is something called hole punching, if you want to look into it further.
https://github.com/samyk/pwnat
Hole punching is a technique in computer networking for establishing a direct connection between two parties in which one or both are behind firewalls or behind routers that use network address translation (NAT). To punch a hole, each client connects to an unrestricted third-party server that temporarily stores external and internal address and port information for each client. The server then relays each client's information to the other, and using that information each client tries to establish direct connection; as a result of the connections using valid port numbers, restrictive firewalls or routers accept and forward the incoming packets on each side.
The only VPN I have set up is through the firewall itself (sonicwall) with its own application for Windows/Linux/Android clients.
Indeed, I have also come across this technique; it turns out that this is what Teamviewer does, for example. I am already testing it, and whether it works or not I will keep you informed.
Best regards!
-
I'm going to update this topic with the "temporary" results obtained.
Indeed, thanks to the UDP HOLE PUNCHING technique I was able to connect a VPN server and client without needing to open ports, but there's a BUT.
As you may know, lately ISPs have started using CG-NAT, which is a HUGE SCAM, because the UDP HOLE PUNCHING technique doesn't work under CG-NAT: it does PORT RANDOMIZATION, so the source port of the VPN server changes with each connection it makes. For example:
If I have a PC with the VPN server on port 1194 UDP behind a CG-NAT, when it sends packets to another computer, that 1194 probably leaves the CG-NAT through another port, which WE DON'T KNOW because it applies PORT RANDOMIZATION, and maybe it ends up going out through 55123.
I've tried using a 3rd server to which the "VPN server" sends some packets in order to discover the SRC PORT behind the CG-NAT, but of course, that assignment waiting for a response is only for that 3rd server; when the client tries to connect through that hole, the CG-NAT blocks the connection since it wasn't the original recipient, which is what HOLE PUNCHING is about.
Do you have any idea or know of any procedure to "jump" over this barrier? I know it's possible to ask the company to take us out of CG-NAT, but that's not a valid option, because in the end the one who will run the VPN server may even be behind a shared mobile connection, where there's no way to open/redirect ports either.
I know what I'm asking for is quite complex, but you never know where one might find the solution!
Best regards.
P.S.: @krampak I mention you just in case.
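The "3rd server that discovers the source port" described in this post is what STUN (RFC 5389) does, and the check that tells you in advance whether punching can work at all is to query two different STUN servers from the same local socket: if both report the same public ip:port, the mapping is endpoint-independent and the port learned from the server is the one the peer can hit; if they report different ports, the mapping is per destination (symmetric, the behaviour described above) and no amount of probing will reveal the port that will be used for the peer. The following is an added example, not code from the thread or from any project named in it: a minimal STUN client that builds a Binding Request, parses XOR-MAPPED-ADDRESS from the reply, and compares the results. The server list is supplied by the caller; `build_binding_response` and the addresses in the offline check are constructed here to exercise the parser without a network. IPv4 only.

```python
"""Added example: STUN Binding Request/Response (RFC 5389) as a NAT mapping check."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid=None):
    """20-byte STUN header with no attributes. Returns (message, transaction id)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid, txid


def parse_binding_response(data, txid):
    """Return the public (ip, port) the server saw. XOR-MAPPED-ADDRESS is preferred
    (a NAT ALG cannot rewrite it); MAPPED-ADDRESS is accepted as a fallback."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not the Binding success response for this transaction")
    body, off, mapped = data[20:20 + length], 0, None
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)            # values are padded to 4 bytes
        if atype not in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS):
            continue
        if len(value) < 8 or value[1] != 0x01:  # family byte: 0x01 = IPv4
            continue
        port, addr = struct.unpack("!HI", value[2:8])
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16           # X-Port: XOR with top 16 cookie bits
            addr ^= MAGIC_COOKIE                 # X-Address: XOR with whole cookie
        mapped = (socket.inet_ntoa(struct.pack("!I", addr)), port)
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            break
    if mapped is None:
        raise ValueError("no mapped address in response")
    return mapped


def build_binding_response(txid, ip, port):
    """Constructed server reply carrying XOR-MAPPED-ADDRESS; only used to test
    the parser offline (a real STUN server produces the same bytes)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def mapped_addresses(servers, local_port=1194, timeout=2.0):
    """Query every (host, port) in `servers` from ONE local UDP socket bound to
    `local_port`. Use the port the VPN will bind: mappings belong to the local
    socket, so probing from another port says nothing about 1194. Needs network
    access; the offline check below does not call this."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", local_port))
        s.settimeout(timeout)
        for host, port in servers:
            req, txid = build_binding_request()
            s.sendto(req, (host, port))
            data, _ = s.recvfrom(1024)
            results.append(parse_binding_response(data, txid))
    return results


def mapping_is_endpoint_independent(mapped):
    """True when every server saw the same public ip:port (punching can work)."""
    return len(set(mapped)) == 1


if __name__ == "__main__":
    # Offline check with a constructed reply: the port 55123 from the post above.
    txid = bytes(range(12))
    reply = build_binding_response(txid, "203.0.113.7", 55123)
    print(parse_binding_response(reply, txid))
    # Live use (needs two public STUN servers, passed in by the operator):
    # print(mapping_is_endpoint_independent(mapped_addresses([(h1, 3478), (h2, 3478)])))
```

Run the live check on the connection that will host the VPN server and on the client's mobile connection, from the socket each side will actually use. Both must come back endpoint-independent for the rendezvous approach to work; if either side is symmetric, the remaining options are the relay (VPS) topology already mentioned in the thread or a provider that takes the line out of CG-NAT.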

-
Fassou locked this topic on