Port Forwarding with Verizon Wireless NAT


I thought I’d do a follow-up to my last post, because this is another issue with Verizon Wireless. Sometimes you need to forward ports to devices on your LAN, and this is impossible to do directly when you’re behind a Verizon Wireless NAT.

But, it is possible to create a port forward by using ssh to create a reverse tunnel from a remote server back to your house.  You can do this easily with a $5/month VPS.


Sign up for a cheap cloud server / VPS (Virtual Private Server). What you want to look for is a VPS near where your Verizon connection routes out. You can figure this out by using mtr. E.g.

# mtr google.com

[Screenshot: mtr output]

As you can see from the traceroute, my Verizon Wireless connection usually routes out through Seattle. Vultr has quite a few locations, including one in Seattle, so I set up a VPS there. You should look for the best VPS provider for your location, but if you decide to use Vultr, use this link to sign up and I’ll get $10 (two months of free port forwarding).

The OS/Distro doesn’t matter too much, I’ve done it with FreeBSD and Ubuntu.

Log in to your VPS, edit /etc/ssh/sshd_config and enable GatewayPorts…

GatewayPorts yes

Restart ssh

# service sshd restart

Now, you need a Linux/FreeBSD server on your LAN.  I’ve got an Ubuntu VM under VMware named “wormhole” for this purpose.  On wormhole generate some ssh keys.

# ssh-keygen

Then copy /root/.ssh/id_rsa.pub on wormhole into /root/.ssh/authorized_keys on your VPS. At this point you should be able to ssh into your VPS from your wormhole VM without using a password. You’ll need to do it once to accept the VPS’s host key fingerprint.

On “wormhole”, make sure autossh is installed (apt-get install autossh) and create a file called /etc/cron.d/autossh

Here’s a quick example to forward two ports. The first line forwards the Minecraft port, and the second line forwards port 8443 on the VPS to port 443 on a server on your network.

@reboot root autossh -nNR 25565:10.4.0.40:25565 root@vps_ip &
@reboot root autossh -nNR 8443:10.4.0.11:443 root@vps_ip &

After saving the file give it executable permissions…

# chmod 755 autossh

Then reboot to make sure the connections establish.  Now you should be able to connect a Minecraft client to your VPS server and have the port connect to your LAN.  If you can’t, check the cron logs, and also check root’s mail for any errors.  Also run ps aux to make sure autossh is running.

Autossh is pretty resilient: it will automatically reconnect after connection drops and such. I don’t think I’ve ever had to restart autossh manually.
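The setup above turns on GatewayPorts for every account and gives wormhole's key a full root login on the VPS. As an added example (not part of the original post), this script derives a forwarding-only authorized_keys entry and a per-user sshd_config block from the same two -R specs. It assumes OpenSSH 7.8 or later on the VPS (for permitlisten/PermitListen), a hypothetical unprivileged account named "tunnel", and a constructed placeholder public key.

```shell
#!/bin/sh
# Added example, not from the original post. "tunnel" is a hypothetical
# unprivileged VPS account; the public key is a constructed placeholder.

# VPS-side listen port of an ssh -R spec: port:host:hostport or
# bind_address:port:host:hostport (IPv4/hostnames only, no [v6] brackets).
listen_port() {
    case "$1" in
        *:*:*:*) p=$(echo "$1" | cut -d: -f2) ;;
        *:*:*)   p=$(echo "$1" | cut -d: -f1) ;;
        *)       echo "bad -R spec: $1" >&2; return 1 ;;
    esac
    case "$p" in
        ''|*[!0-9]*) echo "bad port in: $1" >&2; return 1 ;;
    esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    echo "$p"
}

# authorized_keys line for the tunnel key: "restrict" turns off pty, agent,
# X11 and forwarding; forwarding is re-enabled only for the listed ports.
authkeys_line() {
    key=$1; shift
    opts='restrict,port-forwarding'
    for spec in "$@"; do
        port=$(listen_port "$spec") || return 1
        opts="$opts,permitlisten=\"$port\""
    done
    printf '%s %s\n' "$opts" "$key"
}

# sshd_config block: GatewayPorts only for this account, not globally.
sshd_match_block() {
    user=$1; shift
    ports=''
    for spec in "$@"; do
        port=$(listen_port "$spec") || return 1
        ports="$ports $port"
    done
    printf 'Match User %s\n    GatewayPorts yes\n' "$user"
    printf '    AllowTcpForwarding remote\n    PermitListen%s\n' "$ports"
    printf '    PermitTTY no\n    X11Forwarding no\n'
}

# The two forwards from the cron file above.
set -- 25565:10.4.0.40:25565 8443:10.4.0.11:443
authkeys_line 'ssh-ed25519 AAAA...constructed... root@wormhole' "$@"
sshd_match_block tunnel "$@"
```

With these in place, the global GatewayPorts line is no longer needed, and the cron entries would connect as tunnel@vps_ip rather than root.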

As a bonus, you could install SoftEther VPN on your VPS and use it to compress your connection to save on bandwidth/increase speed.