Networking Gurus - getting around a lack of a VPN

CCTVCam (Known around here) - Sep 25, 2017
I changed a while ago to Fibre to the Premises due to a deal that made it cheaper than my regular Broadband.

However, I have to use the ISP's router as they won't offer any tech support to anyone using their own router. The trouble is, as with all ISPs, they're cut down even by basic standards as they don't have a VPN built in. (Probably none of them will if Govn gets its way as it's already banned the other type of VPN in the UK).

The question is therefore how do I connect safely out to the web.

I thought I'd attach a line from my ISP's router to my BI room then put another router or switch in there that has a VPN and use that in a daisy-chained formation. However, thinking about this, wouldn't I then have to open a port on my ISP router to let the VPN router hear the traffic requests from outside, thus exposing my entire network of other devices (e.g. TV, phone, etc.) to the net?

Any solutions? Is there a way to split the signal to go to 2 routers at the point of entry?
 
Yeah, you can use their ISP router direct to your VPN router. I was doing this for a while when I got fiber. I don't know about the issue with ports.
But since I am a fossil, this VPN shit makes me confused.
So I'm using the "Tailscale VPN" on my phones and my PC with Blue Iris.
So I have the ISP modem direct to an ASUS RT-AX55 router, and have unplugged their crippled router. But I lived with it for a few months before I got the nerve to remove theirs from the man in the middle.
 
Thanks, and sorry for this question as there's a lot to try and read on Tailscale's web page.

Is this a VPN using an external server and VPN network? The client sits on the PC, communicates with a VPN server which then helps encrypt the traffic and route it?

If so, it's probably illegal in the UK as the UK just banned ALL VPNs on child safety grounds, as the Govn now requires age proof checks on ALL porn and banned internet-type VPNs to prevent circumvention.

The only type that's legal (for now) in the UK is the type that sits solely on your PC or router.
 
VPNs aren't banned in the UK, yet.

When age verification was introduced for adult sites being accessed from the UK, VPNs were used to get around this. There are thoughts around this age verification process and whether it should be implemented on VPNs, which would be quite difficult to enforce as not all VPN providers run their services exclusively from the UK.

I use Tailscale to access BI remotely, have to use it as my broadband provider uses CGNAT so I don't have a public facing IPv4 address so can't port forward. I created a Tailscale account, run the client on my BI PC and then have it installed on my laptop and phones when I need access. Yes it does use their services but you can run Tailscale with your own server if you want to set that all up. Not that familiar with how you would do this to be honest but Tailscale just works for me and is wife friendly as she has never complained about it. Only issue I've ever noticed is that I use the feature of when accessing a .ts URL it enables the Tailscale VPN but then keeps the VPN connected even after you stop accessing the .ts site.
 
Maybe try:

cheap man's vpn using ssh

A cheap man's VPN using SSH can be set up by creating an SSH tunnel that acts as a SOCKS proxy. You can do this with the command ssh -D 1080 user@remote-server.com, and then configure your browser to use localhost:1080 as a SOCKS proxy.

Setting Up a Cheap Man's VPN Using SSH

Creating a low-cost VPN alternative with SSH involves setting up an SSH tunnel that functions as a SOCKS proxy. This method is straightforward and requires minimal configuration.

Steps to Create an SSH Tunnel

  1. Open Terminal or Command Prompt
    Use the terminal on your local machine.
  2. Run the SSH Command
    Execute the following command to create the SSH tunnel:
      ssh -D 1080 user@remote-server.com
  3. Configure Your Browser
    After establishing the SSH tunnel, configure your browser to use the SOCKS proxy:
    • For Firefox:
      • Go to Preferences.
      • Click on "Settings..." next to Connection.
      • Select "Manual proxy configuration."
      • Enter localhost in the "SOCKS Host" field and 1080 in the Port field.
      • Choose "SOCKS v5" as the proxy type.
    • For Chrome:
 
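A small companion to the SSH SOCKS recipe above. This is an added example, not code from the post or from OpenSSH: it builds the ssh argument list with the listener pinned to loopback plus two safety options, and checks that a SOCKS5 listener is actually answering on the port before you point a browser at it. The remote `user@remote-server.com` is the placeholder from the post; `start_fake_socks5_listener` is a constructed stand-in for the ssh listener so the check can run offline.

```python
import socket
import threading


def ssh_socks_argv(remote: str, port: int = 1080, bind_addr: str = "127.0.0.1") -> list:
    """Argument vector for the tunnel. Differences from a bare `ssh -D 1080 host`:
    -N opens no remote shell, the listener is pinned to loopback so other hosts on
    the LAN cannot use the proxy, and ExitOnForwardFailure makes ssh exit instead of
    silently staying connected with no proxy if the local port is already taken."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes",
            "-D", f"{bind_addr}:{port}", remote]


def socks5_proxy_ready(host: str = "127.0.0.1", port: int = 1080, timeout: float = 2.0) -> bool:
    """SOCKS5 version/method negotiation (RFC 1928): offer 'no authentication' (0x00).
    A live proxy answers 0x05 0x00; anything else, or no listener, counts as not ready."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")   # version 5, one method offered, method 0x00
            reply = s.recv(2)
    except OSError:
        return False
    return reply == b"\x05\x00"


def start_fake_socks5_listener() -> int:
    """Constructed stand-in for the ssh -D listener (offline check only).
    Answers one greeting the way a SOCKS5 server would, then closes.
    Returns the ephemeral loopback port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            greeting = conn.recv(64)
            # version byte 0x05, then nmethods, then the method list; accept 'no auth'
            ok = (len(greeting) >= 3 and greeting[0] == 0x05
                  and 0x00 in greeting[2:2 + greeting[1]])
            conn.sendall(b"\x05\x00" if ok else b"\x05\xff")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    argv = ssh_socks_argv("user@remote-server.com")   # placeholder host from the post
    print("tunnel command:", " ".join(argv))
    port = start_fake_socks5_listener()
    print("fake listener answered SOCKS5 greeting:", socks5_proxy_ready(port=port))
```

Run the printed command in a terminal (or pass the list to subprocess), then call socks5_proxy_ready() before changing browser settings. One caveat the recipe leaves out: with a plain SOCKS v5 proxy the browser still resolves hostnames locally, so DNS queries go out over the ISP link even though page traffic goes through the tunnel. In Firefox tick "Proxy DNS when using SOCKS v5" alongside the settings listed above; with curl use --socks5-hostname rather than --socks5.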
Thanks I'll make a note of that.

I thought VPNs were banned in the UK, but apparently the ban hasn't gone through yet and is being altered all the time.

I couldn't understand how Tailscale was going to get through my hardware router's firewall, being sat behind it, and I didn't want it opening a port forward to do this as it then leaves the other devices on my network vulnerable. However, according to this it uses its own trick to allow itself through without port forwarding.

This was the Google AI answer, so beware inaccuracies. I'm sure hackers already have this info and probably can't manipulate firewalls the same way, otherwise Tailscale wouldn't work. I'm guessing the install client side is vital and what prevents it, but it's a guess as I'm no techie. Either way, this is AI's answer for anyone interested as to how this apparently works:

Tailscale gets through firewalls by establishing direct peer-to-peer connections using NAT traversal (specifically, UDP hole punching). When direct connections are blocked by strict firewalls, it securely relays traffic through encrypted cloud servers (DERP) without requiring you to manually open ports. [1, 2, 3]
Tailscale manages this process through three main methods:

1. UDP Hole Punching (Direct Connections)
Most consumer and business routers block incoming connections by default but allow outgoing traffic. [1, 2, 3]
  • Tailscale uses STUN (via port 3478) to discover your device's public IP address.
  • Both client devices then reach out to each other simultaneously, "punching a hole" in the firewall so the traffic can bypass the standard block.
  • Once the connection is established, traffic communicates via UDP (default port 41641). [1, 2, 3]

2. DERP Relays (The Fallback)
If you are behind a particularly strict symmetric NAT, a corporate firewall, or a strict hotel Wi-Fi that actively blocks P2P traffic, UDP hole punching will fail. [1, 2]
  • Tailscale falls back to its global network of DERP (Designated Encrypted Relay for Packets) servers.
  • The relay server simply passes the encrypted traffic between the two devices.
  • Because DERP runs over HTTPS (TCP port 443), it works on almost any network that allows general web browsing, though you may experience slightly higher latency. [1, 2, 3]

3. Automatic UPnP/NAT-PMP
For home and small office routers, Tailscale will actively attempt to manipulate your router using UPnP or NAT-PMP protocols. If supported by the router, Tailscale automatically requests temporary, predictable ports to be mapped externally, making direct connections much easier to establish. [1, 2]
For detailed technical reading about how the traversal engine handles different network topologies, you can review the Tailscale NAT traversal blog. [1]
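The STUN step and the hole-punching versus relay decision from the AI answer above, worked through as an added example. This is not Tailscale's code and not from the post: it builds an RFC 5389 Binding Request, parses the XOR-MAPPED-ADDRESS a STUN server reflects back (which is how a client behind NAT learns its public IP:port), and compares the reflection obtained from two different servers to tell an endpoint-independent NAT (hole punching can work) from a symmetric one (the DERP-relay case). The STUN hostnames in the main block are placeholders, and build_binding_response is a constructed server reply so the parser can be checked without any network.

```python
import os
import socket
import struct

# RFC 5389 STUN constants (protocol values)
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header for a Binding Request carrying no attributes."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def parse_binding_response(data: bytes, txid: bytes):
    """Return the (ip, port) the STUN server saw our datagram arrive from.

    IPv4 only. XOR-MAPPED-ADDRESS is un-XORed with the magic cookie, MAPPED-ADDRESS
    is taken as-is. Raises ValueError for anything that is not a success response
    to our own transaction id, so a stray or spoofed datagram cannot feed us a
    bogus reflexive address."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a response to our request")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("binding failed, message type 0x%04x" % msg_type)
    body = data[20:20 + length]
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + (alen + 3) // 4 * 4            # attributes are padded to 32 bits
        if atype not in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS):
            continue
        if len(value) < 8 or value[1] != 0x01:    # family 0x01 = IPv4
            continue
        port, addr = struct.unpack("!HI", value[2:8])
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            addr ^= MAGIC_COOKIE
        return socket.inet_ntoa(struct.pack("!I", addr)), port
    return None


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Constructed success response, i.e. what a STUN server would send back.
    Present only so the parser can be exercised offline."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, x_port, x_addr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def nat_mapping_behaviour(reflected_a, reflected_b) -> str:
    """Compare what two different STUN servers reflected for the same local socket.
    Same external ip:port both times => the NAT mapping is endpoint-independent and
    two peers can punch through to each other. Different port => symmetric NAT, the
    case where the post says hole punching fails and a relay is needed."""
    return "endpoint-independent" if reflected_a == reflected_b else "endpoint-dependent"


def discover_public_endpoint(sock: socket.socket, server: str, port: int = 3478,
                             timeout: float = 3.0):
    """Send one Binding Request from an already-bound UDP socket and wait for the
    matching reply. Network-dependent; `server` is whatever STUN host you choose."""
    txid = os.urandom(12)
    sock.settimeout(timeout)
    sock.sendto(build_binding_request(txid), (server, port))
    while True:                                    # socket.timeout ends the loop
        data, _ = sock.recvfrom(2048)
        try:
            return parse_binding_response(data, txid)
        except ValueError:
            continue                               # unrelated datagram, keep waiting


if __name__ == "__main__":
    # One local socket probed against two servers (placeholder hostnames).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", 0))
        a = discover_public_endpoint(s, "stun-a.example.invalid")
        b = discover_public_endpoint(s, "stun-b.example.invalid")
        print(a, b, nat_mapping_behaviour(a, b))
```

The important detail for the firewall worry earlier in the thread is that nothing here opens an inbound port: the router only sees an outbound UDP datagram from the local socket, and the reply is allowed back because it matches that outbound flow. Hole punching relies on both peers sending outbound at the same time so that each side's NAT already has a matching entry when the other's packet arrives; a symmetric NAT defeats that by picking a fresh external port per destination, which is exactly what the two-server comparison detects.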