Remote Access ESP32 over CGNAT; Site to Site VPN Server/Client Advice

I could do with some advice from anyone who knows more than me - not hard in this scenario!

I will have three server boxes running concurrently at music festivals this year and need to access a webpage hosted by an ESP32 on the local network in the server box. The webpage will be used to change the LoRa settings (this bit I know about).

My networks:

I have a Unifi Dream Machine as my home router, and a linux server (or two) if that helps.

The server boxes each have USR GS808 4G fallback routers with the main internet connection via Starlink.
They also include a linux server, in case that helps.

The server boxes are always behind a CGNAT, so not easy to have the VPN server on the GS-808s.

The best plan seems to be to set up a VPN Server on my Dream Machine, my IP address is not fixed, but has not changed for 3 years. So I could use the IP address or I could add another subdomain on the wind website. Then if the IP address does change, I can amend the subdomain from anywhere and restore access.

It seems that WireGuard would be ideal, but the GS-808s don’t seem to support it. I have contacted their support to see if it can be added.

Failing that, both the Dream Machine and the GS-808s support OpenVPN and L2TP.

I’d rather not pay for OpenVPN, it seems that there is a cost for running 4 or 5 devices; is this correct?

That leaves L2TP, which I understand is old, slow and less secure than the others.

Does anyone have any comments?
All good advice is appreciated!
Thanks

USR-G808-usermanual-V1.0.6.pdf (4.1 MB)

I don’t have to use a VPN

There are also things like this:

or possibly cloudflare, either running locally on the linux box or something like this running on the ESP32:

Which looks like the simplest and easiest; I’ll have to see if it works!

Here’s another option

Tailscale?


Tailscale looks good.
I can run it on the linux box at the remote site and on a linux box at home.
Do you know if the linux box on the remote site will be able share the ESP32 webpage?
(sorry for being lazy, I’m still reading)

Tailscale doesn’t seem to meet my use case - or I’ve missed something.
It does look useful for my daughter in Germany to watch sky sports “in the UK”, the skygo app won’t work in Germany…

NGROK looks like it does everything I need, I can run it on the linux box at the remote site and forward the ESP32 IP address. It even has some security 🙂 I’m going to see if I can get it running on a remote server at home first.

Another approach is to use Firebase with free web hosting and sync with that.


that looks useful
Thank you

I think I’m going to go with NGROK for now.
I’m having slight stability issues with the ESP32 and this doesn’t interfere with the code stack that’s already running on it.

Thank you very much for your help


On your IP address not being fixed, you can use something like Duck DNS to keep the DNS record up to date just in case it changes.

A word of warning with Duck DNS though, some ISPs/network operators won’t resolve Duck DNS domains because it does get used by people maliciously. It’s easy to fix though with an Alias record from a domain you own.

I’m going to add another alias record on the domain.

But once I get the remote management working I’ll be able to update the IP address remotely.

NGROK seems to be working well so far.

But I also found this which might be useful

NGROK is okay, but the free plan is quite restrictive.

I did more research and discovered Tailscale Subnets. The documentation is designed for people who know more than me, but I seem to have got them working.


Hi Jem,
New here but I think I can help with this. (unless you figured it out already)
I am pretty sure tailscale is what you want, as long as I understand the situation correctly. Here is my understanding:

You have 3 “server boxes” that will be deployed “in the field”. Each server box contains:

  • ESP32 board
  • Linux server (I am guessing some kind of small pc like a thin client or NUC? maybe a raspberry pi?)
  • Starlink for WAN connectivity
  • 4g router for backup WAN connectivity

Would be good to know how all of these are connected, but you mentioned the ESP32 is on a local network in the box, so I am guessing you have some sort of router/switch in there that all of the devices are connected to.

What I would suggest is run tailscale on the linux server inside each server box. The tailscale free tier will be enough. Join them all to the same tailnet (I would suggest using preauth keys) and then launch them with the local subnet route exposed. So for example, if your local network inside the server box has everything on 192.168.1.0-255, then run the command:

tailscale up --advertise-routes 192.168.1.0/24

(CIDR notation for IP address ranges)

As you have 3 boxes, you’ll have to make sure the subnets don’t collide, meaning the ip address ranges are different. So you could have box 1 with LAN on 192.168.1.*, then box 2 with 192.168.2.*, and 3 with 192.168.3.*
That should be configurable in your router for the box.

Then you can expose all 3 subnets in your tailnet, and then log into the tailnet with any other device (your laptop, phone, linux server at home) and then access the ESP32 page, which can be accessed by going to its IP address on its own local network in your browser (include the port that the webserver is running on): 192.168.1.34:8080

Actually a small note, is that you also need to avoid subnet collisions with your home network or whatever network you are accessing the tailnet from. So you may be better off using class A address space, which is less commonly used for home networks (10.*.*.*)

Also good to note, tailscale is a VPN so it gives you much more security than exposing the webpage directly.
It also operates at the application level, so it does not require any special support in the 4g router etc.

Let me know if you want more info or if you got it working already 🙂

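An added example in POSIX shell (not from the thread or from Tailscale) of the subnet-collision check the post above asks for before running `tailscale up --advertise-routes` on each box. It assumes constructed values: a home LAN of 192.168.1.0/24 and box LANs of 10.10.1.0/24, 10.10.2.0/24 and 10.10.3.0/24, and only prints the per-box command when none of them overlap.

```shell
#!/bin/sh
# Added example, not from the thread: check that no server-box LAN overlaps
# another box or the home LAN before advertising it as a Tailscale subnet route.

# Dotted-quad IPv4 address -> 32-bit integer.
ip4_to_int() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( o1 * 16777216 + o2 * 65536 + o3 * 256 + o4 ))
}
# Prefix length -> netmask as an integer (24 -> 0xFFFFFF00).
prefix_to_mask() { echo $(( 4294967296 - (1 << (32 - $1)) )); }

# True (status 0) when two CIDR blocks share an address: they overlap
# exactly when both agree on the shorter of the two prefixes.
cidr_overlap() {
  p=${1#*/}; if [ "${2#*/}" -lt "$p" ]; then p=${2#*/}; fi
  m=$(prefix_to_mask "$p")
  [ $(( $(ip4_to_int "${1%/*}") & m )) -eq $(( $(ip4_to_int "${2%/*}") & m )) ]
}

# check_plan HOME_CIDR BOX_CIDR...: status 1 on any collision, otherwise prints
# the command to run on the Linux server inside each box (the route must still
# be approved in the Tailscale admin console, with IP forwarding enabled there).
check_plan() {
  home=$1; shift
  i=0
  for x in "$@"; do
    i=$((i + 1))
    if cidr_overlap "$home" "$x"; then
      echo "collision: box $i ($x) overlaps home LAN $home" >&2; return 1
    fi
    j=0
    for y in "$@"; do
      j=$((j + 1))
      if [ "$j" -gt "$i" ] && cidr_overlap "$x" "$y"; then
        echo "collision: box $i ($x) overlaps box $j ($y)" >&2; return 1
      fi
    done
  done
  n=0
  for x in "$@"; do
    n=$((n + 1)); echo "box $n: sudo tailscale up --advertise-routes=$x"
  done
}

# Constructed sample plan: home LAN 192.168.1.0/24, boxes on 10.10.{1,2,3}.0/24.
check_plan 192.168.1.0/24 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24
```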

Thank you very much for your help.

I do already have it working, almost exactly as you described.

Jem


Ah good to hear. Sounds like a cool project anyway, you are managing some distributed IoT devices at music festivals using LoRaWAN?

I measure wind speed and detect lightning and use a LoRa mesh network to get the data to the gateway.
