Unable to get Remote VPN working

Radial
Radial Posts: 11  Freshman Member

Hi all.

I have a USG Flex 100 and I'm trying to get Remote access VPN working but am unable to.

I've set it up as follows.

I've validated that the dynamic-DNS-looking URL there (that I've blocked out) resolves back to the IP address that I am on, by looking up the DNS A record for it and doing a what's-my-IP. That IP is not a private IP like 192.168., 10.0. or 172.16.

I've checked and double checked passwords, secret keys and cloud auth users several times.

I'm trying to connect from my Mac laptop where I installed the downloaded configuration file from the VPN setup page.

I just get an error saying it can't connect, but I can't see any logs that suggest an authentication attempt is even made at the Firewall.

My fibre provider is Giganet. I don't have a static IP. The USG is connected directly to the Giganet modem.

All Replies

  • mMontana
    mMontana Posts: 1,421  Guru Member

    My fibre provider is Giganet. I don't have a static IP

    Does your provider deliver a public or a private IP address on the WAN interface? If the WAN address is among the private addresses, your ISP should forward several ports to your USG Flex 100.

  • Radial
    Radial Posts: 11  Freshman Member

    The IP that I get from whatsmyIP does not look like a private one, unless I am misunderstanding what to look for. I get an address that's 188.74.x.x.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,860  Zyxel Employee

    Hi @Radial,

    May I know your macOS version, and could you help to enable Zyxel support access so we can help to check?

    Zyxel Melen


  • Radial
    Radial Posts: 11  Freshman Member

    Support granted.

    Running Sonoma 14.7.1
    VPN settings like this ..

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,860  Zyxel Employee

    Hi @Radial,

    After checking, I found your firewall uses PPPoE to get a WAN IP address. But it seems like your ISP provided you with a carrier-grade NAT (CGNAT) IP address. Therefore, the public IP you see is not the same as the one on your WAN interface, and you cannot connect with the remote access VPN. You need to contact your ISP to see if they can provide you with a normal public IP.

    Zyxel Melen


  • Radial
    Radial Posts: 11  Freshman Member

    Checking with them now.

    For future people searching this thread, I am with Giganet in Dorset. My connection was installed in 2023 so it is not a VLAN tagged connection like some of their older ones. They confirmed they only block port 25 on CGNAT but everything else is open.

  • Radial
    Radial Posts: 11  Freshman Member

    Update here. Giganet have stopped offering static IPs, which is what I need to get around this (despite this page still being live at the time of writing: https://www.giganet.uk/faq/can-i-have-a-static-ip-address/ ). Apparently it's something to do with the merger with Cuckoo Fibre, and they don't offer static IPs anymore, so there is nothing I can do. This is currently the only way I can get FTTP in my area. :(

    Thanks for your help @Zyxel_Melen

  • mMontana
    mMontana Posts: 1,421  Guru Member

    I don't agree with

     so there is nothing I can do.

    unless your ISP does not put in writing the statement "you can't have a public IP", which is different from a static IP.

    Static IP should mean that your ISP will provide you, for the whole duration of the contract, the same public IP address for the network connection.

    Public IP means that directly (on the CPE/provider box at your site) or indirectly (through a network configuration done by your ISP) your connection will have access to the full TCP/IP stack (apart from port 25, all the TCP and UDP ports, plus some other IP protocols), and you need a port forwarding/NAT rule (IDK if made on the CPE or by the ISP) to your current firewall.

    Now.

    The IP that I get from whatsmyIP does not look like a private one, unless I am misunderstanding what to look for. I get an address that's 188.74.x.x.

    Access your firewall when you're at your site. Check on the firewall the IP address that the WAN interface has. Then compare it with the result of whatsmyIP. I bet they are different.
    If so, your ISP or you should configure a proper L2TP/IKE-compliant NAT/port forwarding rule to have your traffic delivered from the ISP to your Zyxel box.
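The WAN-versus-whatsmyIP comparison described in the replies above, as an added example that is not part of this thread and not Zyxel code. It classifies the address the firewall's WAN interface holds (RFC 1918 private, RFC 6598 CGNAT 100.64.0.0/10, or public) and compares it with the address an external what-is-my-IP service reports, returning a verdict on whether inbound VPN traffic can reach the firewall at all. The WAN and observed addresses in the `__main__` block are constructed sample values; the port list is the standard L2TP/IPsec requirement set, not anything specific to this ISP.

```python
import ipaddress

# RFC 6598 shared address space, used by ISPs that run carrier-grade NAT.
# Python's ipaddress module treats it as neither private nor global, so it is
# checked explicitly before the is_private/is_global tests.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# What an L2TP/IPsec (IKEv1) remote-access VPN needs delivered to the firewall.
L2TP_IPSEC_REQUIREMENTS = (
    "UDP 500 (IKE)",
    "UDP 4500 (IPsec NAT-Traversal)",
    "UDP 1701 (L2TP, carried inside the IPsec tunnel)",
    "IP protocol 50 (ESP, when NAT-T is not negotiated)",
)


def classify(addr: str) -> str:
    """Return 'public', 'private', 'cgnat', 'special' or 'ipv6' for an address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_private:          # RFC 1918 ranges, loopback, link-local, ...
        return "private"
    if ip.is_global:
        return "public"
    return "special"           # reserved / documentation / multicast ranges


def diagnose(wan_ip: str, observed_ip: str) -> tuple:
    """Compare the firewall's WAN address with the externally observed address.

    Returns (verdict, explanation). The verdict is what a practitioner acts on:
      direct-public : the firewall owns the public address; VPN traffic reaches it directly
      cgnat         : ISP-side NAT; only the ISP can forward traffic (or hand out a public IP)
      behind-nat    : a device at the site NATs the firewall; forward ports on that device
      mismatch      : public WAN address differs from what the outside sees; investigate routing/NAT
    """
    wan_class = classify(wan_ip)
    needed = ", ".join(L2TP_IPSEC_REQUIREMENTS)

    if wan_class == "public" and wan_ip == observed_ip:
        return ("direct-public",
                "Inbound VPN traffic reaches the firewall directly; look at the VPN policy, "
                "user authentication and the firewall logs next.")
    if wan_class == "cgnat":
        return ("cgnat",
                f"WAN address {wan_ip} is in 100.64.0.0/10 (CGNAT). The public address "
                f"{observed_ip} belongs to the ISP's NAT, so nothing the firewall does can "
                f"accept the connection. Ask the ISP for a public IP or to forward: {needed}.")
    if wan_class == "private":
        return ("behind-nat",
                f"WAN address {wan_ip} is private, so a device in front of the firewall "
                f"(modem/router) holds {observed_ip}. Forward {needed} on that device.")
    if wan_class == "public":
        return ("mismatch",
                f"WAN address {wan_ip} is public but the outside sees {observed_ip}; "
                "check for policy-based NAT or a second WAN path.")
    return ("unknown", f"WAN address {wan_ip} classified as {wan_class}; check the interface.")


if __name__ == "__main__":
    # Constructed sample values: a CGNAT WAN address versus a public address seen from outside.
    wan_on_firewall = "100.68.12.34"
    seen_by_whatsmyip = "188.74.0.1"
    verdict, why = diagnose(wan_on_firewall, seen_by_whatsmyip)
    print(verdict)
    print(why)
```

Paste the WAN interface address from the firewall's status page as `wan_on_firewall` and the address a what-is-my-IP site reports as `seen_by_whatsmyip`; a `cgnat` or `behind-nat` verdict means the failure is upstream of the firewall, which matches the observation in this thread that no authentication attempt ever shows up in its logs.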
