Xplornet double NAT: VPN edition

Previously, I wrote about using a reverse SSH tunnel to escape a double NAT (specifically, the one provided by Xplornet). Without looking into why (maybe poor, intermittent connection and particularly awful uplink), my previous solution was not stable. Even with autossh, the connection kept dropping and not picking back up. I’m exclusively accessing this remotely, so when I notice the service being down I’m in pretty much the worst position to fix it.

Grab a public server with a static IP – for example a 5$/month Linode or Droplet. I’ve seen reference to cheaper international products, but I have no experience with them.


If you’ve picked Linode:

  • deploy an Ubuntu image
  • boot it up
  • SSH to the machine
  • do regular server stuff – make sure it’s up to date, generally read over Digital Ocean’s guide here for inspiration

Set up OpenVPN server

On the public computer (OpenVPN server/cloud instance):

The first time I did this, I set up OpenVPN myself. It’s not awful, there are some pretty comprehensive guides (like this one), but it definitely sucks enough to look for an alternative. Googling around shows two compelling public scripts – Nyr’s openvpn-install and Angristan’s version based off Nyr’s. Looking over the two, I ended up picking Angristan’s version without all that much consideration.

SSH to the machine and execute the script on your pubic server to set up the certificates and keys for your client. The defaults for the script all seem sensible – you don’t have to feel bad if you just mash enter until the name prompt comes up, then give your client a reasonable name

$ wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
$ chmod +x openvpn-install.sh
$ ./openvpn-install.sh

You should notice at the end of the script execution a line that looks something like this:


Your client config is available at /root/unifi-video-server.ovpn
If you want to add more clients, you simply need to run this script another time!

Take note of the location of your .ovpn file, as you’ll need it for the next step.

Set up OpenVPN client

On the private computer (machine that’s behind the double NAT):

On your client machine, get the OVPN configuration file that was generated from the previous step. scp is likely the easiest way to do this. From the client machine, you can retrieve the file like:

scp {server user}@{server host}:{remote path to ovpn} {local path}

For example:

$ scp root@ .

This will copy the file to the current directory on the machine. An extremely quick sanity check to ensure you can connect:

sudo openvpn unifi-video-server.ovpn

You should see:

Initialization Sequence Completed

once you do, you can ctrl + c your way out. If this wasn’t successful… something has gone wrong and you should fix it.

To make sure your client connects on start up:

  • rename your .ovpn file to be a .conf file
  • move the .conf file to /etc/ovpn
  • Edit /etc/default/openvpn to ensure AUTOSTART is configured to start your connection

At this stage, you have an OpenVPN server set up and an OpenVPN client that automatically connects to the server. All that’s left is to do the internet part.

Set up server traffic forwarding to client

On the public computer (OpenVPN server/cloud instance):

What we want now is to forward traffic that hits a particular port on the public server to the private computer. Not only that, but you want the private computer to think the traffic is coming from the public server, so it doesn’t respond directly to whoever sent the internet request.

First things first, toggle the server to allow forwarding traffic (if you don’t do this, you’ll end up insanely frustrated and convinced iptables is the devil:

sysctl -w net.ipv4.ip_forward=1

We need two pieces of information:

  • the public WAN (internet) IP address of the server
  • the virtual address of the OpenVPN client

Finding the public address can be done with:

$ curl ipinfo.io/ip

The virtual address of the OpenVPN client can be found in the OpenVPN status log with the client connected (see above for how to set up the connection for now). The log seems like it’s either in either /etc/openvpn/openvpn-status.log or /etc/openvpn/openvpn.log

$ cat /etc/openvpn/openvpn.log
Updated,Sun Nov 5 01:37:33 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
unifi-video-server,,39837,52165,Sun Nov 5 01:02:05 2017
Virtual Address,Common Name,Real Address,Last Ref,unifi-video-server,,Sun Nov 5 01:36:54 2017
Max bcast/mcast queue length,1

Now we’ll need a source routing NAT rule and a destination routing NAT rule for every port that is going to be forwarded. They’ll look something like this:

iptables -t nat -A PREROUTING -d {server WAN IP} -p tcp --dport {port} -j DNAT --to-dest {client virtual address}:{port}
iptables -t nat -A POSTROUTING -d {client virtual address} -p tcp --dport {port} -j SNAT --to-source {server virtual address}

Practically speaking, with the following:

  • public server whose Internet accessible IP address is
  • public server whose OpenVPN virtual address is
  • private computer whose OpenVPN virtual address is
  • Forwarding port 7080 on the public server to port 7080 on the private computer

It’d look something like this:

iptables -t nat -A PREROUTING -d -p tcp --dport 7080 -j DNAT --to-dest
iptables -t nat -A POSTROUTING -d -p tcp --dport 7080 -j SNAT --to-source

Now the only thing left is to make sure the routing rules persist across reboots.

$ sudo apt install iptables-persistent
$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload

And that’s it. In my experience this seems to be both a more robust solution to the double NAT problem, and uses tools in a more conventional way. I visited, and (subject to the awful uplink speed from Xplornet), my page loaded!


24 thoughts on “Xplornet double NAT: VPN edition

  1. Alex H

    Hey there,

    This post and the last one made me laugh… not in a haha way, but in a sad way. I’ve been dealing with xplornet’s intolerable double NAT for a long time now trying to find workarounds to it. I do some setups for people that use IP cameras and want to be able to view them remotely. The cameras contact a mediator server to create a NAT tunnel association for the inbound, but they (xplornet) must have their timeout set to something incredibly aggressive as the cameras don’t stay visible from the outside for long. Probably because they have 700 people sharing a single static IP.

    I’ve been putting together a solution that puts a Mikrotik hex at the client end, and using L2TP/IPSec to get to a head end where I have a public subnet. Dispensing addresses and then allowing the client to reach their home over the public address. Everything working as planned in the lab, but I haven’t been out to a client site yet to test it out.

    Any idea if L2TP will play nicely with their setup? I could use OpenVPN, but I am trying to take advantage of the hardware encryption chip in the $80 hex to inexpensively solve the problem. If there was lots of money to throw around, it wouldn’t be a problem at all… Bell LTE hub with Static IP, Cisco DMVPN solution, etc etc etc but they are all more expensive than what I’m attempting.

    If they would just get IPv6 deployed already, at least I could tunnel over that in a reliable way but when you can stretch a /24 to serve 8,000 people there’s no hurry.

    Would love to hear your thoughts, feel free to email me with the address below.

    1. Genny

      Alex, I work for a company that is marketing monitoring and control solutions to agricultural customers. xplornet is the bane of our existence. We really need a solution to access cameras through a double NAT from Xplornet. I have one customer with a remote site with an internet connection, but no permanent computer on the site. Would like to deploy a solution through the router. If there is any help you or the author of this blog post could provide, it would be very much appreciated.!!! My networking knowledge is rudimentary, but increasing through necessity. A lot of these posts are difficult to understand at the moment.

    2. tobymurray Post author

      > the cameras don’t stay visible from the outside for long
      I’ve found that as soon as I started looking at my Internet connection it was even worse than I thought. On a daily basis my upstream will drop to single digit Kbps. Between that and reasonably regular outages, I wouldn’t be surprised if you were running into raw bandwidth issues.

      > Any idea if L2TP will play nicely with their setup?
      I haven’t tried – if it works for you, please write about it somewhere/comment here. I’d be interested in the “best” solution to this problem.

      > I could use OpenVPN, but I am trying to take advantage of the hardware encryption chip in the $80 hex to inexpensively solve the problem
      I’m not clear on what part of the problem you’re solving inexpensively there – is it that there is no existing hardware on the customers’ site that would be able to act as a VPN client? Or you don’t want to have to deal with whatever arbitrary equipment a customer has, aiming to drop a box, plug it in, and go?

      The good thing about ridiculously terrible upstream speeds is that virtually any device would be able to satisfy the performance needs. I don’t know much about the Mikrotik HEX, but nothing good is coming up on google in the area of ease of use or robustness around the problem you’re trying to solve. If there is already a router you can piggy back off, I’m sure you could find something super cheap to act as the client for a VPN? Raspberry Pi isn’t the best value, but still half the price of the hex.

  2. Jeff Lamer

    Thanks for the blog :). I’m stuck on the “Set up OpenVPN client” I followed your directions and have a server setup on a DigitalOcean Droplet. I am trying to get outside access to my raspberry pi webserver. I had issues with the scp command so I used winScp to copy the file. Now when I run sudo openvpn XplornetOpenVpn.ovpn I get sudo: openvpn: command not found.
    Do I need to install openvpn on the client ? I know I’m over my head a bit, but live and learn !

    1. tobymurray Post author

      > so I used winScp to copy the file

      Can you clarify where you used WinSCP? Did you install Windows on your Raspberry Pi? I’ve never done that – sounds interesting.

      > when I run sudo openvpn XplornetOpenVpn.ovpn I get sudo: openvpn: command not found.

      That comment is intended for a Linux environment. I have no experience with OpenVPN clients on Windows.

      > Do I need to install openvpn on the client ?
      Yes, you’ll need a VPN client for your Raspberry Pi. I imagine if it’s in Windows, you’ll launch your client and then load the configuration file somehow – all it’s trying to do is run the client with the configuration in the file.

  3. Jeff Lamer

    Hey Toby,
    Hoping to get some help, Was able to follow all instructions and still can’t access my local page on port 1880.

  4. Phil

    This has been extremely helpful to me as well. I too am trying to set up cameras via xplornet, though I am significantly downscaling the video quality on site before trying to send it out. I was able to get the ngrok solution working, but has the downfalls of if there’s a power bump, when things restart you have a different ngrok address, unless you’re paying for a link.

    I’ll have to try this particular VPN solution on another day, as my onsite staff had to fly out and we inevitably had issues with inverter faults.

    Just wanted to say thanks for some good explanation of the root cause, and some innovative solutions. Xplornet Jupiter systems don’t leave you much to work with.

    1. tobymurray Post author

      > I am significantly downscaling the video quality on site before trying to send it out
      Ugh, tell me about it. A reliable 1 Mbps up would be a welcome improvement over what I have now.

      Great to hear I’m not alone in struggling with Xplornet. I’ve had this running on and off for a while as projects fade in and out and it seems to consistently be the most robust solution. I tried a few other strategies, and when it comes down to it the power failure/Internet failure made everything else less robust – often for difficult to understand reasons. VPN client re-connection is bog standard and seems to not suffer the same issues if it isn’t immediately successful.

      Plus, 5$/month is basically free, and you could theoretically serve multiple customers via the same public facing machine. If you’re in the unenviable situation of having to solve this problem, this is the best solution I’ve come across. If you come up with anything different or notice anything to improve, please let me know!

  5. Clem Morton

    Hello everyone. I’m also struggling with xplornet’s double NAT. There are several things I’ve tried. I’m running an ubiquity edge router lite. With it I have been able to pull in and distribute to my network IPv6 addresses. So I have native IPv6 on my network. However the addresses are on a lease, and they change with regularity. Also, I randomly seem to loose IPv6 connectivity? Its not been stable. I have tried OpenVPN running on the edge router in client mode, yes. It does work, however the speeds are terrible. There is no offloading for it. If anyone has a guide on how to get LT2P and Ipsec working on one of these devices behind a double NAT with offloading. Please do a write up and share. I’ve been struggling on that for months now. I’m not even sure it will work.
    Other options I am looking at are the pfsense firewalls/routers, if one of those can’t do it, then nothing can.

    1. Clem Morton

      No, dns is simply a “phone book” for either ipv4 or IPv6 address to domain names.

      Given a domain name like example.com using the dns system, when “going to that website” it simply looks up and finds the IP address associated with it. Then initiates a IP to IP connection.

  6. marc arcand

    So can anyone explain whether a dns server might help? Im trying to make a wordpress page on godaddy and I’m having huge problems with seeing my page cache issues and more. I’m following this thread I wish after calling explornet 10 times at least and godaddy at minimum 40 times I had head of double Nat. I’m just really grateful I stumbled on this thread. Ty all!!

    1. tobymurray Post author

      Wow, I typed up a whole big response trying to explain with DNS servers are, what the double NAT issue is, and then I hit “reply” to submit it but because of stupid garbage modern web design it wasn’t clear to me that “cancel reply” was one button and I was actually discarding my comment. Instead, “send” is for submitting a comment – who “sends” comments?! UUUUGGGGHHHHHH.

      Short answer is that DNS servers will not help. They map between hostnames and IPs. There is no IP that leads to you, so there’s nothing to give a name to. If what you’re hosting is on your Xplornet provided Internet connection, you need to do something like what is described above for it to work. If you’re hosting externally (via some service, or on a VM somewhere), then likely all you do need to do is sort out the DNS (on your hostname provider’s website, most likely).

      1. tobymurray Post author

        Seems like a good idea, maybe something I’ll look at setting up. If it’s just for tunneling connections, then should be relatively low risk (I think…).

  7. marc arcand

    oh and by the way godaddy is fine I’m actually domains priced right wich is owned by godaddy. I know Go-daddy is newyork-california. However I am unclear as to the location of domains priced right. I empty my cash and their logo wont even appear properly next to my quick links like facebook, gmail, ect. WHY? I have no idea but because everyone thinks im crazy this post is my closest point of reference to reasons ect. I haven’t even tried to host my owncloud deployment on ubuntu server yet. I had a hard time even shaking hands with anything outside of my location. I did try google dns, cloudflair, and godaddy’s custom dns nameservers.I pointed the word at me with 3 no-ip hostnames. And again only to see my site in the realworld and to no avail. Seems my problems might be a little more complicated I am however fond of this thread and what it means. I will repost this @ amped.rocks when I recover my site from the nerf that resulted from this debacle.

    1. tobymurray Post author

      Make using a VPN more user friendly? I’m not aware of any. I think practically speaking the easiest thing to do would be to do up a script that helps configure the instances, but you’re still stuck with a VPN at the end of the day. If anything, my Xplornet connection has degraded as they continue to oversell their infrastructure. Around 7:00pm each evening I can go through periods of not even being able to load a web page.

      Is there anything specific you’re struggling with/would like to see become more user friendly? It looks like you have amped.rocks up and running again, so have you figured it out?

    2. tobymurray Post author

      Actually, your comment prompted me to take another look. It seems like OpenVPN Access Server might be an answer from a provider perspective, just to make things slightly easier.

      If you’re open to paying ~5$ a month, something like ngrok might work. You can try it out for free to make sure it works, then pay to get a consistent IP address. Would that work for what you’re trying?

  8. Hernan D. Corcoy

    There is little help or forums about xplorenet, so I am having a go in this forum so see if someone could give me a hand.
    A user in Canada (using xplorenet LTE) is trying to connect to our office in Europe using VPN, but it cannot connect, the error message says “the vpn connection between the computer and the vpn server could not be completed, probably because one internet device is not configured to allow GRE”

    This user had another 4G connection, and VPN worked okay, but as it was a metered connection (quite expensive) he moved to Xplornet.
    I have many other users, with many ISP accessing the VPN server, so I doubt that the problem is at our end.

    As I’ve been reading and searching the web, it seems is caused by Xplorenet and its double Nat.
    It’s been some time from the last post, I am just checking out if someone found a solution to this?

    Any sort of help would be very much appreciated.


    1. tobymurray Post author

      Hey Hernan, I’m on Xplornet’s LTE service as well and I readily use VPNs without issue. I have never knowingly tried using a GRE tunnel. Have you validated there are no firewall rules in place to block GRE tunnels (or that they do have a hole poked to allow GRE) on the client’s machine and router? If Xplornet itself is blocking the port that seems strange and I think you’ll have to call Xplornet support so see why/if it’s possible to not do that.

      Maybe worthwhile to set up a quick VPN that does not use a GRE tunnel to see if it’s specifically GRE traffic?

      1. Hernan D. Corcoy

        Hello Toby, many thanks for your fast reply.
        I’ve also never tried or heard about GRE, until I got the following message when the user tried to use the vpn for the first time:

        “The VPN connection between your computer and the VPN server could not be completed, The most common cause for this failure is that at least one internet device (for example, a firewall or a router) between your computer and the VPN server is not configured to allow Generic Routing Encapsulation (GRE) protocol packets.”

        I didn’t pay to much attention to the GRE as this is a windows message (I think) and I tried a few things before getting into that, such as:
        *Disable all firewalls (windows firewall, our Avast firewall and I disable the firewall from the xplornet modem) and still the same problem.
        *We use PPTP as type of vpn, I tried automatic and all the rest types but that doesn’t work, although the warning message changed.
        *I had a go trying al the different options in the xplornet modem web interface. There isn’t too much to try on, but all attempts were useless.

        I am asking the user not to use a router at the moment to get that out of the way. He still has the old 4G connection and with that, the vpn works just fine.

        Now that you tell me that you use VPN without a problem puzzles me and gives me some hope at the same time.
        So, you don’t think that the double nat has anything to do with this? Your vpn connection worked without any setting change in the xplornet modem?

        So far, I have considered that the problem is at the user end, not at our end (firewall and vpn server), could this be a wrong approach?

        Again, thank you for your help and attention. And sorry for any grammatical or orthographic errors.
        Kind Regards,

  9. Ellen

    I don’t know what double NAT is. I didn’t understand most of this post. I knew a few things from using a VPN, which has been moderately helpful until recently. Now nothing works. Their crap speeds are all consuming. I was at 2 Mbps for over an hour last night. There is actually something wrong with it… I think. I drop off the system for some reason.

    Anyway the point of this is, I would really like to understand the point of what I just read so I could potentially try what I just read. Would anyone be willing to help me?

    1. tobymurray Post author

      This is a follow on post to https://technicallyrural.ca/2017/02/15/xplornet-and-its-confounded-double-nat/ which goes into a bit more detail about what the situation is and how it comes about – maybe that can help build some context?

      The tl;dr is: single NAT is when one one device (typically your router) takes a single address and splits it up to your laptop, cell phone, etc, so everything you have is “translated” at the router. A double NAT is when your ISP _also_ has a router, so it goes through a translation at their router (which you don’t control) and then again at your own router. This means nothing you have in your house is “directly” connected to the Internet, it’s only connected to your ISP’s router.

      Feel free to ask questions, though note that I’m just some person on the Internet and by no means a pro.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s