Hi,

I have been successfully running VPN for many many years.

However, I recently suffered an outage on my broadband line and after a bit of re-wiring got the network to run over a mobile network.

This gave me the idea of using the Draytek failover option by implementing a mobile network backup line to the primary "wired" broadband connection.

I went out an purchased a 4g/LTE modem (A Netgear LB2120), purchased an EE PAYG mobile data sim and then implemented it, I also took out a DDNS address with No-Ip and put that into the VPN addresses of the remote devices.

When I pull the wired link, it successfully fails over to the mobile link and MOST things work.

But one persistent thing does not work. VPN.

I have three inbound VPN links that are happy when I am on the "wire" broadband, but refuse to work when the network switches over to the mobile network. The DDNS address is updating successfully, so it is not that.

I have done a trace route that just stops when it gets to IP 195.66.239.158 (6 hops), a company called Linx.

Can anyone share any insight into what is going on here and how I may be able to fix it so inbound VPN's work when my infrastructure switches over to the mobile network?

Linx is an internet exchange and most likely you are getting onto the mobile carrier and they are using (CG)Nat and giving your external interface a 10.x or other private non routable address. You may have to look at outbound VPN or maybe Drayteks VPN matching service.

Interesting. You are right about the 10. address, I had noticed this but did not realise it was not routable.

May be time to upgrade the equipment at the remote end then because I currently use 2760's which don't accept inbound VPN and also don't have VPN matching...

That said I have had them a long time so perhaps an upgrade is due.

if it is site to site then can you turn the inbound and outbound direction around? if the vpn call comes from the mobile network interface it will work Also if it is site to site and you upgrade then vpn loadbalancing may be worth looking at.

Hi Des,
Interesting thought and I'm going to try it by replacing one of the remote routers.

It's not a perfect solution as the remote sites do not have a fixed ip addresses and one is a travel set up that will always be using a mobile network,, but it's a step forward.

What I am at a lot to explain is why the mobile networks block this kind of activity, it seems so unnecessary.

mobile connection and changing IP can be helped with Dynamic DNS which the routers can do for free for you.

As to why the mobile networks use CGNAT and private IP addresses it is just pure Math and lack of available routable IP4 addresses for all the devices now clamouring to get onto the internet. IP6 will help but that's still coming and then the transition from CGnat to IP6 is at the discretion of the mobile networks and whether it is worth it. Some business mobile ISPs will offer routable IPs but ££