Port Forwarding with Verizon Wireless NAT

I thought I’d do a followup to my last post, because this is another issue with Verizon Wireless.  Sometimes you need to be able to forward ports to devices on your LAN and this is impossible to do when you’re behind a Verizon Wireless NAT.

But, it is possible to create a port forward by using ssh to create a reverse tunnel from a remote server back to your house.  You can do this easily with a $5/month VPS.

verizon_nat_gw_ports

Signup for a cheap cloud server / VPS (Virtual Private Server).  What you want to look for is a VPS near the location to where your Verizon connection routes out.  You can figure this out by using mtr.  E.g.

mtr_out

As you can see from the trace route my Verizon Wireless connection usually routes out through Seattle.   Vultr has quite a few locations, including a location in Seattle so I setup a VPS.  You should look at the best VPS provider for your location, but if you decide to use Vultr use this link to sign up and I’ll get $10 (two months of free port forwarding).

The OS/Distro doesn’t matter too much, I’ve done it with FreeBSD and Ubuntu.

Login to your VPS server, edit /etc/ssh/sshd_config and enable GatewayPorts…

Restart ssh

Now, you need a Linux/FreeBSD server on your LAN.  I’ve got an Ubuntu VM under VMware named “wormhole” for this purpose.  On wormhole generate some ssh keys.

Then copy /root/.ssh/id_rsa.pub on wormhole to the /root/.ssh/authorized_keys on your VPS.  At this point you should be able to ssh into your VPS from your wormhole VM without using a password.  You’ll need to do it once to get the key fingerprint.

On “wormhole”, make sure autossh is installed (apt-get install autossh) and create a file called /etc/cron.d/autossh

Here’s a quick example to forward two ports.  The first line forwards the Minecraft port and the second line will forward port 8443 on the VPS to port 443 to a server on your network.

After saving the file give it executable permissions…

Then reboot to make sure the connections establish.  Now you should be able to connect a Minecraft client to your VPS server and have the port connect to your LAN.  If you can’t, check the cron logs, and also check root’s mail for any errors.  Also run ps aux to make sure autossh is running.

Autossh is pretty resilient, it will automatically reconnect after connection drops and such.  I don’t think I’ve ever had to restart autossh manually.

As a bonus, you could install SoftEther VPN on your VPS and use it to compress your connection to save on bandwidth/increase speed.

5 thoughts on “Port Forwarding with Verizon Wireless NAT”

  1. Hi Ben,

    Tom again. Thanks for the write ups. I currently have a VPS that runs several websites. Is there any danger in running SoftEther and using this port forwarding setup on the VPS, to enter my internal network at home?

    1. Well, there’s always a danger with port forwards or VPN access onto your network. … your security is only as good as SoftEther’s and the rest of your internal network. My guess is that open source solutions like SoftEther VPN and OpenVPN are going to be more secure than most VPNs built into consumer routers because when security vulnerabilities are found it’s easier to patch them.

  2. Thanks again for posting this, Ben. I had to tweak a couple of steps, but these instructions definitely got me headed in the right direction. For those having troubles, perhaps because they’re running Ubuntu 15.04:

    1) I looked at the man page for cron and apparently, the ‘/etc/cron.d/autossh’ file needs to be A) owned by root and B) not be group or other writable. It also states that the files saved under cron.d do not need to be executable. Upon reading this, I set the file permissions to ‘600’ instead of the recommended ‘755’.

    2) I also had to modify the commands suggested for the ‘/etc/cron.d/autossh’ file itself. I didn’t understand the ‘&’ symbols you put at the end of each line, so I looked them up. Upon discovering that they simply instruct your command to run in the background, I replaced them with the ‘-f’ flag for the the autossh command. This provides the same function as the ‘&’ is supposed to, but for some reason this works for me while the ‘&’ did not. So instead of ‘@reboot root autossh -nNR 8443:10.4.0.11:443 root@vpsservers_ip &’, I used ‘@reboot root autossh -fnNR 8443:10.4.0.11:443 root@vpsservers_ip’

    Everything’s working great now and I couldn’t be happier. Now that I can reach my server from outside of my local network, I feel like I finally have proper internet connectivity – even out here in the boonies! Now time to shop for some ip cameras…

  3. Hi Ben,

    Stumbled onto your site looking for a solution regarding using VZW UDP as my primary internet source…surprised I didn’t see this sooner!

    DISCLAIMER: I have practically zero experience with Linux based systems and basic/a bit intermediate understanding of network configurations.

    I read this and your other post about your Verizon rural internet setup and wanted to seek your help in accessing my IP cameras and other PCs on my network. I was previously using a traditional ISP, and was able to forward ports on my router (an ASUS RT-AC68U) to my cameras and access them with no issues via DDNS. Obviously, when trying to do the same from VZW I couldn’t. I am currently using a Novatel T1114 router (going to change it to a UML295/Cradlepoint though, as I’ve heard Verizon is blocking people with this device now).

    Three of my cameras are Android phones running an app called IP Webcam. I’m also using an Amcrest IP cam that I got off of Amazon. At the very least, I’d like to be able to view these cameras on my phone, using an app called tinyCam monitor. How I was doing it before, was (through the app) typing in my DDNS address in the host name with the associated port, entering in the login credentials, and boom I can view the live stream.

    Can you help me achieve this through the Verizon network? I also have a Raspberry Pi 3 at my disposal that I was thinking to use as my local server at home, and was hoping not to spend anymore money, but if I have to I’ll pony up for a VPS.

    Sorry this is a bit long-winded. If you’d rather communicate through e-mail rather than clogging up your site, I’d be cool with that too. Thanks in advance, and hope to hear from you soon!

Leave a Reply