Using a Flex Radio over CGNAT IP Connection Using ZeroTier


I run a remote station using 4G LTE internet at the remote end and wired internet at home. Typical of UK 4G networks, the remote router has a ‘Carrier Grade Network Address Translation’ (CGNAT) IP address. In other words, the carrier (EE) allocates a private IP address to my 4G router and uses port forwarding techniques to route traffic in and out of their network. Many other EE users potentially share the same IP address as me; the result is that I cannot access my remote site from elsewhere using an IP address.

To get around this, at the remote site I’ve employed a Draytek 4G router that ‘dials out’ i.e. creates a LAN to LAN VPN to my home IP address (which by necessity has a public address) where I have another Draytek router, configured to work over the VPN. Since around October last year I've been running a remote Elecraft K3 with Remote Rig RC-1258 Mk II units and everything has worked fine. Networked kit at the remote site is on LAN subnet 192.168.50.0/24 and my home is on subnet 192.168.0.0/24 – both subnets visible and accessible to/from each other. Thus, I can use my K3 and control the equipment at the remote site from home.

Figure 1 - Remote Site VPN Access

I recently picked up a Flex 6500 SDR transceiver to use at the remote site but found it wouldn’t work when I'm away from home because the radio was 'hidden' behind a private IP address which was inaccessible from the internet.

However, I've now come across a solution that makes the Flex Radio and my PC appear on the same network subnet - ZeroTier.

ZeroTier (ZT) is a cloud-based VPN; they describe themselves as a ‘global network switch’ to connect any number of devices. It will allow me to connect to the Flex Radio from anywhere in the world; in fact I was recently in Norway and did just that.

To use ZT, a user creates an account (free for up to 50 connected devices) and defines a VPN - as a minimum you give it a name and the IP address range you want it to use. It creates a unique Network ID and that’s you set up with a simple encrypted network which will seek out the fastest route between any two nodes when up and running – so this is ‘peer to peer’ rather than ‘LAN to LAN’. This is a differentiator from normal VPNs.

For this to work, both my PC (running the Flex SmartSDR software) and the Flex Radio need to connect to my new ZT network. The PC is easy – I just installed the ‘ZeroTierOne’ client software and pointed it to my Network ID; it’s a very lightweight and easy to use application. Of course, ZeroTierOne cannot be installed on a Flex Radio, though the radio does have an Ethernet connection to the remote site LAN. Therefore the technique I’ve employed is to bridge the Ethernet to the virtual ZeroTier network using a simple Network Bridge on a Raspberry Pi at the remote site. I cannot claim credit for discovering this and I’ve had wonderful help from several other hams along the way, for which I am very grateful.

The outcome of this is that with ZeroTierOne installed on my laptop, I can access the Flex Radio behind its 4G CGNAT IP address from anywhere in the world.

Figure 2 - Remote Site + ZeroTier Access

With this up and running, it crossed my mind that I could use the same approach to access my NAS drive, other networked kit and printer when away from home. I set up another ZeroTier network especially for home access, purchased another Raspberry Pi, installed ZeroTierOne and an Ethernet bridge, plugged it into my home router and bingo – I now have access to my home NAS drive while on the road. I suspect this technique could also be used to circumvent port forwarding issues.

I am no Linux or networking expert; all this has been a huge learning experience for me and without help received early on would have been impossible. However, I thought I’d share this to encourage others that might want to attempt a similar project.

For the time being I still have my K3 + RemoteRig units on the legacy VPN from home; unfortunately my broadband connection at home is too slow to support the Flex, so until I get FTTP broadband the Flex is strictly for when travelling.

References:

1. ZeroTier home page and download link: https://www.zerotier.com/

2. ZeroTier to Ethernet Bridge on a Raspberry Pi: https://zerotier.atlassian.net/wiki/spaces/SD/pages/193134593/Bridge+your+ZeroTier+and+local+network+with+a+RaspberryPi

PART II

The instructions for the Rasp Pi bridge contain a table of values used in the implementation. Here is a description of what those values are and where they are used.

Physical LAN Subnet

e.g. 192.168.192.0/24 - This is the LAN subnet that you have at the remote site. This is set in your router.


Physical LAN DHCP RANGE

e.g. 192.168.192.65 through 192.168.192.126 - This is the range of addresses on your LAN subnet that DHCP will allocate. This is set in your router.


ZeroTier Auto-Assign Range ($ZT_POOL)

e.g. 192.168.192.129 through 192.168.192.190 - You set this range of IP addresses in your ZT admin panel on the web. See screen-shot below - I have set the ZT auto-assign range to a set of values OUTSIDE the range that my physical LAN allocates via DHCP.


ZeroTier Managed Route ($ZT_ROUTE)

e.g. 192.168.192.0/23 - You set this range of IP addresses in your ZT admin panel on the web. See screen-shot below - note that I am using the same subnet for ZT and the physical LAN (though I am uncertain if they have to be on the same subnet).

Default Gateway IP Address ($GW_ADDR)

e.g. 192.168.192.1 - This IP address is substituted for $GW_ADDR in the network configuration file:


[Network]
Address=$BR_ADDR
Gateway=$GW_ADDR
DNS=1.1.1.1



Bridge IP Address ($BR_ADDR)

e.g. 192.168.192.2/24 - This IP address is substituted for $BR_ADDR in the network configuration file:


[Network]
Address=$BR_ADDR
Gateway=$GW_ADDR
DNS=1.1.1.1


ZeroTier Network ID ($NETWORK_ID)


e.g. d5e04297a19bbd70 - This value is derived from the ZeroTier admin panel on the web. When you define your ZT network you are allocated a Network ID. You substitute this value for $NETWORK_ID when you join your RPi onto the ZT network with the command:


sudo zerotier-cli join $NETWORK_ID


ZeroTier Network Interface Name ($ZT_IF)

e.g. zt3jnwghuq - After your RPi has joined the ZT network, you should issue the command:


sudo zerotier-cli listnetworks


This will list the ZT networks the RPi is a member of (it can be joined to more than one). The output from this command will show the ZT Network Interface Name for this particular RPi. It is a value that will be in the same format as the example.


Bridge Interface ($BR_IF)

Assume this to be "br0" (without the quotes). Substitute $BR_IF with br0 in the network configuration files.