The usual method of implementing a connection to a remote router and to devices on the LAN behind the router is to use port forwarding and/or a VPN.
Both of these techniques are initiated by the local device (eg router, PC or laptop) and require that the remote router has a public IP address that is static or can be accessed using a dynamic DNS service.
However, this method is not possible with most 4G (and 5G) connections as these use a technology called CGNAT (Carrier Grade Network Address Translation) which allocates dynamic private IP addresses to 4G connections.
The 4G router is therefore hidden and can’t be accessed remotely by the usual methods.
The solution to this problem is to implement a VPN tunnel between the routers in which the remote 4G router is configured as the VPN client and the local router as the VPN server.
In other words, it is the remote 4G router that initiates the VPN connection rather than the local router.
A pre-requisite for this solution is that the local router must have a static public IP address.
The diagram above shows how this solution would be implemented.
The key points to note are:
- the local router has a static public WAN IP address;
- the remote 4G router is assigned a CGNAT private WAN IP address;
- the LAN IP subnet of the local and the remote router are different;
- the local router is configured as the VPN server and the remote router the VPN client; and
- each end of the VPN tunnel is assigned a private IP address which must not be in the same subnet as the local and remote LAN IP addresses.
Our step-by-step instruction guide shows you clearly how to implement this solution using Mikrotik routers.
For this solution to work it is also necessary to configure static routes in both the local and remote router which enable devices on the local LAN to connect to devices on the remote LAN across the VPN tunnel and vice versa.
To access the router configuration pages it may also be necessary to open the appropriate ports on the remote router to allow access over the VPN.
It is also necessary to open one or more ports on the local router to enable the VPN connection. The ports that need to be open depend on the type of VPN used.
Unless you plan on having the VPN tunnel permanently open, it is relatively safe to use a simple PPTP VPN.
Typically, PPTP VPNs are not recommended because of security concerns. However, security concerns can be mitigated by disabling the local VPN server and enabling it only when remote access is required.
The remote 4G router will continually be trying to activate the VPN connection and will only be successful when the local VPN server is enabled.
Another benefit of this approach is that it minimises the use of 4G data.
If continuous remote monitoring of (say) CCTV cameras is required then it makes sense to use a more secure VPN protocol such as L2TP or OpenVPN.
It is possible to extend the solution described above to provide remote access to multiple 4G routers and their associated LANs.
This would require each additional remote 4G router to have a LAN subnet that is not used by any of the other remote 4G routers. For the solution described above 192.168.101.1/24, 192.168.102.1/24, 192.168.103.1/24 etc etc would be valid subnet choices for each additional remote router.
It would also be necessary to configure a separate VPN tunnel for each additional remote 4G router. The remote IP address for the VPN tunnel should not be the same as that used by any of the other remote 4G routers.
For the solution described above VPN tunnels with a remote IP addresses of 172.16.0.101, 192.168.0.102, 172.16.0.103 etc etc for each additional VPN would be valid choices. The local VPN tunnel IP address would remain as 172.16.0.1 for each additional VPN tunnel.