Access to BtH devices without WireGuard

Hello.
How can I connect to my home network using BtH on my router, but without using the WireGuard client on the PC from which I can connect ?

WireGuard is blocked where I connect from, so no connections can be established.
I already have BtH set up and can connect to my home router/network from my mobile operator without any problems.
——–
For example, I have a VPS server with a public IP address of 78.54.125.25, on which a Wireguard server 20.20.0.0/24 is running.
A PC with the tunnel address 20.20.0.5 is connected to this WG.
To connect to the PC directly without installing the WG client, I configure iptables rules on the VPS server itself, where I forward the port from incoming connections to 78.54.125.25:3389 to the tunneled address 20.20.0.5:3389.

This way, I can connect to my home PC via RDP using only the public VPS address, without the WG client.
(The IP addresses in the example are fictitious.)

Can I do this in a similar way, but using BtH technology on a MikroTik router ?
My home router does not have a public IP address.

Not quite clear...........

  1. You currently either do not have a public IP at your MT router
    OR
    You have a public IP but your ISP blocks wireguard.

  2. Somehow you have wireguard BTH working on your MT router and can access the router and devices from remote locations ( assuming cellular on your phone ) or wifi anywhere else. Since it's still wireguard, being able to get this version past your ISP is the confusing part??

  3. You also use VPS in the sky, which runs an instance of Wireguard.
    A remote user via cellular or at any place with wifi, can access the VPS via wireguard.

For some reason your MT router cannot connect to the VPS over wireguard ????

There is conflicting, unclear information being presented.
++++++++++++++++++++++++++++++++++++++++

Please provide a network diagram or some clarity on what can and cannot be accomplished.
Saying the word PC without stating if it's behind the MT router or in a remote location is useless.

If your country blocks wireguard, how can you use BTH, how can you connect to the VPS over wireguard............

etc.......

What I wrote about the VPS was just an example of how it was done on my VPS.
Now I want to do something similar, but without a VPS.
Using only my MikroTik with BtH.
I apologize for any inaccuracies, I was trying to describe what I want.

I have a MikroTik connected to the provider, the provider gives it the address 78.55.12.6 (for example).
This is not a public IP, because I cannot access this IP from any other Internet provider.

But if I run BtH on this router, I can connect to it from any Internet provider.
I connect via the official Back To Home app, and the connection status says “via relay.”

How can I use BtH features to connect to the router/local network without the official Back To Home and Wireguard ?

BTH is wireguard, so the correct response is: yes, you have to use wireguard to access it.

Technically, if only the official client is blocked, you may be able to use an unofficial one...

The IP you provided sure looks like it's public though. Are you sure?

Yes, it looks like it's public, I'm not mistaken.
But I can't access it, I think it's blocked by the provider itself.

The idea is not to use any WG client at all.
Conditionally, so that I can specify the address in the RDP client and connect.

BTH is based on WireGuard. You can’t use anything else. However, you may configure a VPN server whose protocol is supported by MikroTik.

However, if WG is blocked then probably everything else supported by MikroTik is blocked too.

I don't fully understand how the connection to Mikrotik via BtH works if Mikrotik itself does not have a public address (no access).
I read that this happens somehow through a relay. Technically, if I could send a request to a selected port on the relay and receive a response from it to my Mikrotik via BtH, I would be able to gain access without using WG on the client side.

But I don't understand how this technology works...

The mikrotik server in the cloud acts as a relay between the wireguard settings on the remote client device and the BTH wireguard settings on the router.

Think of it as a VPS instance, but one that is not manageable by the user; it's just a 'dumb' link so to speak.
We are constrained by the available settings on the router.

It's quite unusual to block all external connections to public ips. So in your case I would verify this thoroughly. (It's not unusual for isps to block some ports for security.)

Does ping work?

If you enable ssh externally (with a rule like add chain=input action=accept protocol=tcp dst-port=22 placed before all other input rules) does that work?

EDIT: Wireguard has the ability to use an external (provided by Mikrotik) relay. Unfortunately the handshake with this relay relies on wireguard to work.

The common solution is to use Xray or Amnezia when WG is detected by firewalls. If you have BTH, then you likely have container support which can run one of the services. IDK which one is best (or others) but I've seen a few posts on the forum about Xray and Amnezia when the topic of WG being detected+blocked comes up.

I suspect it's a nationstate firewall, since at least one country purportedly detects standard WG on the wire.

Well, in that case it would have been nice to at least hint at the fact that the access is from "another" country.

As far as I know (which doesn't mean a whole lot) they don't block ssh. In that case tunneling through ssh is a simple/standard solution. But in order to know if this works it's important to know what exactly and by whom is blocked... That's what I'm trying to establish.

Thank you for sharing this information.
I was interested to learn how the relay works. I thought I could try sending something to the DDNS name assigned to my router during the BtH activation process, but it seems that this does not work and is strictly configured for BtH.
I still don't understand at what stage the relay is activated here. It's a pity that I couldn't find the BtH operating diagram.

I will check all the connections again to see what is blocked and how it works.
I will write about the results, as I may have missed something.

There is some discussion in NEW FEATURE: Back to Home VPN - #67 by Amm0 about internals in the 400+ posts.

It goes to relay, essentially, if detect-internet logic fails but it does not use detect-internet, rather BTH/DDNS uses the same function to determine WAN state. So I know you need UDP 30000 allowed to MikroTik subnets since that's how it detects if your WAN port is unencumbered (and thus can use direct mode). If that fails, it assumes a proxy is needed. And the "open WAN" decision manifests in the DDNS of sn*.vpn.mikrotik.com used by BTH resolving to either your IP (if direct) or MikroTik proxy IP (if port not openable).

Could be CGnatted? Check under ip/address, you should see either your public IP or an IP starting with 100.x.x.x. If it’s the latter, you have a CGnat connection. BTH will work with this, but just takes a bit longer to make the connection as opposed to a public IP. If you find you have a CGnat, most providers offer static IP addresses for IPv4 for an additional fee. This might be an option worth considering at some point.

I checked everything again, and the public address I have blocks any direct connections from outside.
I tried forwarding ports and adding rules, but when I tried to connect, nothing happened, and there were no connection attempts in the logs either (I set up logging on port 22).
I determined the public IP using the website myip.com.

Sometimes, at some point, this public address allows direct access and even ping starts to show that this address is available, but after a moment everything disappears and no longer works.

So I am sure that the direct connection problem is due to the provider's restrictions.

Services like myip.com always show a public IP regardless of whether CGNat is involved or not.

Try opening up a terminal (if using Linux) and type “traceroute 78.55.12.6”, minus the quotes, and hit enter. If only one line of info is output, then you have a pure public IP address. If you don’t use Linux, you’ll need to google to find the traceroute alternative for your OS.

If it tries several times without success, or has *** once or several times, your connection is CGnatted, meaning your public IP (the one you have) is shared with other users. See image below… Shows the connection I’m currently on is a pure public IP with no CGnatting.

[image: traceroute output]

It could be that some of your issues are related to CGNat, and if they are you’ll probably want to request a static public IP from your provider to get around that issue. I’m not saying that’s the solution in its entirety, but it may remove a significant headache.


Well... I found out something else interesting.
It turns out that my router is not connected directly to the provider, but to my neighbor's router, which is connected to the provider🤦🏻‍♂️

Here's my trace route:
tracert 78.55.12.6
1 <1ms <1ms <1ms 192.168.88.1
2 <1ms <1ms <1ms 192.168.0.1 - this is my neighbor's router
3 1ms 1ms 1ms 192.168.1.1
4 3ms 2ms 2ms bras-***-lo0-management.gnc [46.19.***.**]

Further from 5 to 30 hops, all ***

I tried calling the provider and explaining that I needed a static public address, but they decided to play dumb and said they didn't know what that was.
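As an added illustration (not code from any poster in this thread), here is a small Python script that applies the checks discussed in the two posts above: it parses tracert/traceroute output, labels each hop as RFC 1918 private, RFC 6598 shared address space (100.64.0.0/10, the CGNAT indicator mentioned earlier in the thread) or public, and counts the NAT boundaries before the first public hop. The sample output is constructed after the posted tracert, with the masked fourth-hop address replaced by a placeholder; `*` rows are reported as timeouts rather than taken as proof of CGNAT, since ICMP filtering on the path produces the same pattern.

```python
import ipaddress
import re

# Constructed sample after the tracert posted above (4th-hop IP is a placeholder).
SAMPLE_TRACERT = """\
tracert 78.55.12.6
  1    <1 ms    <1 ms    <1 ms  192.168.88.1
  2    <1 ms    <1 ms    <1 ms  192.168.0.1
  3     1 ms     1 ms     1 ms  192.168.1.1
  4     3 ms     2 ms     2 ms  bras-xx-lo0-management.gnc [46.19.0.1]
  5     *        *        *     Request timed out.
"""

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")       # rows that start with a hop number
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def classify(ip_str):
    """Label one address: cgnat, public, or private (RFC 1918 and other non-global)."""
    ip = ipaddress.ip_address(ip_str)
    if ip in CGNAT:
        return "cgnat"
    return "public" if ip.is_global else "private"

def parse_hops(text):
    """Return [(hop, ip_or_None, label)] from Windows tracert or Linux traceroute output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # command echo, header and blank lines
        hop, rest = int(m.group(1)), m.group(2)
        ips = IPV4_RE.findall(rest)
        if ips:
            hops.append((hop, ips[-1], classify(ips[-1])))  # last quad is the hop address
        else:
            hops.append((hop, None, "timeout"))  # a '*' row: unknown, not proof of CGNAT
    return hops

def nat_layers(hops):
    """Count NAT boundaries (private/CGNAT hops) before the first public hop."""
    layers, cgnat_seen = 0, False
    for _, _, label in hops:
        if label == "public":
            break
        layers += label in ("private", "cgnat")
        cgnat_seen |= label == "cgnat"
    return {"nat_layers": layers, "cgnat_seen": cgnat_seen}

if __name__ == "__main__":
    print(nat_layers(parse_hops(SAMPLE_TRACERT)))
```

On the posted trace this reports three NAT layers (own router, neighbour's router, 192.168.1.1) and no shared-address hop; `classify` can also be applied to the WAN address shown under ip/address, where a 100.64.0.0/10 result confirms CGNAT.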

Yup, now we’re cooking with gas!

Looks to me like you are double natted to your neighbour and Cgnatted to your ISP. No, wait a minute... You’ve also got another subnet in there too, 192.168.1.1. So 3 subnets (two external to you) before you even get to the outside world, which is CGnatted! That’s weird. What you are trying to achieve may be possible in a double nat situation, but someone with a bit more knowledge would be able to better advise on this.

However…

indicates your provider hasn’t issued you with a public IP after all. My recommendation would be, if your current provider doesn’t want to play nice with a static IP, go to one who will - or at least provide a true dynamic public IPv4 address. Word of caution though, especially if you live rural - approach only those who serve your specific location.

Many providers use IPv6 these days, that may also be an option because it removes the CGnat issue altogether. But going down that route may require a rewrite of your wireguard code, something again, a more knowledgeable mind than mine would know more about. Forget Starlink, they are strictly CGnat for residential clients, though they may offer an IPv6 solution.

You may also need to do some digging to find out why you are running off your neighbour's network, seems strange to me considering you know nothing of it and are paying your ISP directly(?).

Could be that if you are rural, your ISP has sought permission from your neighbour to install repeater gear using 192.168.0.1 or 192.168.1.1 as a gateway to service other homes in your area, including yours? Just a guess though.

I don’t pay the provider because this is a rented apartment, my neighbor pays. I also tried forwarding the port on neighbor’s router, but it didn’t help.

From what we already know, the provider is still imposing some restrictions.

I don’t know why my neighbor set up the connection this way, but I do know that it’s easier for him to pound screws with a hammer and twist nails with a screwdriver. 🙂

Might be worth considering a Chateau LTE6 or similar router for yourself and find a mobile ISP who doesn’t play the CGnat game, or at least offers static IPs? Cut out the middleman, um, men. lol.

At least that way you know you have an actual public IP to begin with and can work from there.