Overview

This setup requires 3-4 components which I outline below.

VPN Server

The VPN server will run on a device in your home network. The device should be permanently on and ideally connected to your router using Ethernet. You could use a Raspberry Pi, a mini-PC, another travel router or your existing server hardware.

If you have gigabit internet, ensure you’re not bottlenecking your speeds by using non-gigabit Ethernet ports on your router or device, or non-gigabit cables.

Tip: Check what category your Ethernet cable is by reading the marking on the cable (cat4, cat5, cat5e, etc.) and matching it against this table: https://tripplite.eaton.com/products/ethernet-cable-types

I host my VPN server on a GL.iNet Brume 2 since it has a gigabit Ethernet port and good WireGuard performance. I have it connected directly to my router using Ethernet.

If you have full access to your router and it supports hosting a WireGuard Server, use that.

Connectivity

You have a VPN server running on your home network, now what? To access it from the public internet and from abroad you’ll need IPv4 or IPv6 access. Due to IPv4 exhaustion your ISP (Internet Service Provider) has likely put you behind a CGNAT (carrier-grade NAT), a private network shared with other customers of your ISP. The problem with being behind a CGNAT is that you no longer have a “public” IPv4 address for your network and port forwarding won’t work.

Figure 1. Showing an attempt to make a connection from abroad to your home network using your home’s public IPv4 address. The public IPv4 address belongs to the ISP’s router, and past that the connection does not know where to go.


The solution for CGNAT? Either ask your ISP to give you a static IPv4 (you’ll probably have to pay extra) or screw that off and go down the IPv6 route.

The world is slowly but surely transitioning to IPv6. Every country is at a different stage of adoption, as you can see here: https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption. If your home country has low IPv6 adoption then you may struggle to get IPv6 for your home network. You may also struggle to connect to home, because for IPv6 to work all the network infrastructure from where you are abroad to back home has to support IPv6.

The perfect scenario is full end-to-end IPv6 support as you will connect directly to your home without worrying about a CGNAT or port forwarding. You can test your home IPv6 support here: https://www.test-ipv6.com

Figure 2. Showing good IPv6 adoption and an end-to-end IPv6 connection.


A less-than-ideal scenario is IPv4-only support, where you need a static IPv4 address at home to get around the CGNAT.

Figure 3. Showing poor/no IPv6 adoption and depending on a static IPv4 address at home.

I’m in a country with poor IPv6 adoption and I need to connect to my IPv6 home network using IPv4, what do I do?

This is where a relay comes in.

The relay will be the middleman that has a static IPv4 and IPv6, reachable from abroad and from home. CGNAT is only a problem in the IPv4 world so we can completely disregard that in our IPv6 connection between the relay and home.

Figure 4. Showing poor IPv6 adoption on the “Abroad” side and good IPv6 adoption on the “Home” side.


The relay introduces latency and should be thought of as a backup if you can’t establish an end-to-end IPv6 connection.

What if I need a pure IPv4 solution without a static IPv4 at home?

Check out this video guide on setting up WireGuard tunnels using IPv4 only behind CGNAT: https://www.youtube.com/watch?v=aAzdn9cqYRY&t=1672s

How do I know if my home network is behind a CGNAT?

Follow the steps outlined here: https://www.purevpn.com/uk/blog/how-to-check-whether-or-not-your-isp-performs-cgnat/#How_to_check_if_the_ISP_performs_CGNAT_in_the_UK

What if my home network is not behind a CGNAT?

If you’re not behind a CGNAT then set up DDNS (optional but convenient) from a device on your home network and set up port forwarding on your home router to open access to your VPN server. You’re then good to connect using IPv4 only.
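
The decision tree from this section, as an added example that is not part of the original post. It assumes one common CGNAT check (compare the WAN address shown in your router's admin page with the address an external "what is my IP" page reports, and look for the RFC 6598 range 100.64.0.0/10); the function names are hypothetical and the sample addresses used with it come from documentation ranges.

```python
import ipaddress

# RFC 6598 shared address space that ISPs use inside a CGNAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Global unicast IPv6. Link-local (fe80::) and ULA (fd00::) fall outside it.
GLOBAL_V6 = ipaddress.ip_network("2000::/3")


def ipv4_situation(router_wan_ip, public_ip):
    """Classify the home IPv4 connection.

    router_wan_ip: WAN address shown in the router's admin page.
    public_ip: address reported by an external "what is my IP" page.
    """
    wan = ipaddress.IPv4Address(router_wan_ip)
    pub = ipaddress.IPv4Address(public_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918) or wan != pub:
        return "nat-upstream"  # something in front of the router translates
    return "public"            # port forwarding can work


def has_global_ipv6(addr):
    """True if addr is a global unicast IPv6 address reachable from outside."""
    if not addr:
        return False
    # Drop a zone id such as "%eth0" before parsing.
    return ipaddress.IPv6Address(addr.split("%")[0]) in GLOBAL_V6


def choose_path(router_wan_ip, public_ip, home_ipv6, abroad_has_ipv6):
    """Map the checks onto the options described in this section."""
    if ipv4_situation(router_wan_ip, public_ip) == "public":
        return "ipv4-port-forward"
    if has_global_ipv6(home_ipv6):
        # Home is reachable over IPv6; the remote side decides the rest.
        return "ipv6-direct" if abroad_has_ipv6 else "relay"
    return "static-ipv4-or-ipv4-only-guide"


if __name__ == "__main__":
    # Constructed sample: CGNAT at home, IPv6 at home, IPv4-only hotel abroad.
    print(choose_path("100.72.14.9", "203.0.113.50", "2001:db8:1::10", False))
```
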

Home Router

If you go down the IPv6 route for your home network, you’ll need to create a firewall rule on your home router to allow inbound access to the device hosting your VPN on the protocol and port the VPN listens on. Ensure IPv6 is enabled on your router.

If you go down the static IPv4 route, you’ll need to set up port forwarding on your home router to the VPN server on that protocol and port.

Regardless of which route you go down, it’s recommended to set up a static IP for the device hosting your VPN server.

Relay (optional)

Your relay can be a VPS (Virtual Private Server) hosted in the cloud. You will need to have control over its firewall and be able to assign static IPv4 and IPv6 addresses, so check these when selecting your hosting provider.

IONOS has very affordable VPSs.

VPN Client

As mentioned in part 1, your VPN client will be a travel router that you will carry with you. Make sure it supports the VPN protocol you decide to use and has sufficient Ethernet ports.

I use a GL.iNet Slate Plus but look at their other products and make your own decision.

VPN Protocol

OpenVPN and WireGuard are the two main protocols. I use WireGuard as it’s faster.

For a detailed comparison, see here: https://protonvpn.com/blog/openvpn-vs-wireguard

Part 3

Part 3 on the details of my own setup coming soon!