Beating CGNAT with reverse SSH tunnels

Because of my current internet provider which refuse to give me a public IP (providing me with only CGNAT), I can no longer access my stuff at home as I wish. This post describes my workaround for the problem.

External access server

Used to connect the tunnel from the inside to, and to connect to from the outside. I use a Oracle Free tier WM for this.

On the access server, I have set up a (normal) user account for the tunnel, then created a private key using Puttygen and added the public key to the .ssh/authorized_keys file for the user.
/etc/ssh/sshd_config needs to be modified by adding the line
GatewayPorts clientspecified
Do not forget to check that you are able to login to the server using the user set up for this purpose (set private key login in Putty, or use ssh -i with that key)

Firewall on the access server
If the access server is behind other firewalls, you need to open the port(s) you want to connect to.
For the Oracle VMs, this is done via the web UI:
Virtual Cloud Networks, click the VCN name, click the subnet name, click the security list (“Default security list” unless you have done it the recommended way to create separate security lists). Then (at last), “Add Ingress Rules”:
Source CIDR: (unless you want to limit, but just for testing this will allow everyone to connect)
Source port: blank
Destination port: the port you want to connect to. An unprivileged user (the SSH user account) can only use ports 1025 and up.

The same port(s) also need to be opened on the access server itself.
I prefer using firewalld for this:
# firewall-cmd –zone=public –permanent –add-port={your-port-number-here}/tcp
# firewall-cmd –reload

GUI for plink (from Putty) to keep a reverse SSH tunnel open
Download the file (myentunnel_setup-3.6.1.exe), install it and then replace the included plink.exe with the current version included by the Putty installation.
Putty location: C:\Program Files\PuTTY
myEntunnel location: C:\Program Files\MyEnTunnel
Files used for the default profile: localports.txt (blank), remoteports.txt, keyfile.ppk (used for connecting to the server)

MyEntunnel configuration

Settings tab:
The obvious section, server (name or IP) and username, I suppose you know what to fill in there 🙂
No passphrase is needed, since we’re connecting with a private key only (this is also required by Oracle VMs)

As I forgot to note down the default settings, I just provide a snapshot of the settings I have in use (most are default values):

Tunnels tab:
Only the remote side needs to be filled in, syntax as the description below the input fields (per tunnel to create):
Where listen-IP is the LOCAL ip of the access server (a private IP address if behind NAT as with the Oracle WMs, which are usually by default on the 10.x.x.x network)
listen-port is the port opened in the inside and outside firewalls (the port on which you will access the inside stuff on)
host is the inside host, can be localhost for the computer running MyEntunnel, or any other host reachable from that computer.
port is the port on the inside host
A complete line could look like this:
(will access port 80 on the inside host IP, when going through the access server at port 18180)

OpenWrt on Raspberry Pi 4

Installation and configuration notes

Stuff used
Raspberry Pi 4 Compute Module (CM4, 4GB)
Waveshare Dual Gigabit Ethernet Base Board (with case)

OpenWrt Wiki
OpenWrt Firmware for Raspberry Pi 4

(Very thin documentation on the CM4 baseboard used, nothing about the USB3 network port, but some info on the RTC, fan control and display and camera interfaces)

Internet of Things – a techie’s viewpoint
(I used mainly the beginning of chapter 36 for the first good enough solution I found on how to switch the interfaces so that eth0 will be used for WAN and eth1 for LAN)


Get the latest (stable) version of OpenWrt (I use “Factory (EXT4)”), write it to a MicroSD-card the usual way, insert into slot on CM4 board and boot up.

Note: Before booting the SD-card, you might want to resize the Linux partition and file system on it. Do this with another Linux-based system:
Insert the SD-card into a reader/card slot and check end of ‘dmesg’ output which device was assigned the card:

root@DS1517:~# dmesg |tail
[13376.702534] sd 10:0:0:1: [sdr] 61849600 512-byte logical blocks: (31.6 GB/29.4 GiB)
[13376.714483]  sdr: sdr1 sdr2

In this case (on my Synology NAS), the card readers’ slot was assigned ‘sdr’.

Resize the partition with ‘parted’:

root@DS1517:~# parted /dev/sdr
GNU Parted 3.2
Using /dev/sdr
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p
Model: TS-RDF8 SD Transcend (scsi)
Disk /dev/sdr: 31.7GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
 1      4194kB  71.3MB  67.1MB  primary               boot, lba
 2      75.5MB   173MB   104MB  primary

(parted) resizepart 2 -1
(parted) q

Resize the file system with ‘resize2fs /dev/sdr2’

The default is to use eth0 for LAN, which I didn’t like (with the possibility that the other USB3-based interface might be less stable, and is using kernel drivers for the incorrect model).
To fix this I used the guide mentioned above, the beginning of chapter 36, with some modifications to fit my network.

(section 36.4 in IoT guide)
The later distributions of OpenWrt starts up as logged in as root on the console, which makes it easier to do the initial adjustments to the network settings. As the guide mentions, if your home network is on the subnet, you can access the shell by SSH (root without password) to do the modifications.
Change the lan section of /etc/config/network to:

config interface 'lan'
    option ifname 'eth0'
    option proto 'dhcp'

Reboot the Pi, and you will get IP by DHCP (handed out by your old router). Either find that IP in the old router or just do a “ifconfig” command on the console.

Installing the kernel module for the USB3 network port

(section 36.5 in IoT guide)
To get the second network port working, you need to install the correct kernel module for the chipset it is using. In the case of the CM4 base board, the chip is rtl8153. Unfortenately there is no exact match or that chip (yet/ever ?), but rtl8152 will work fine. Use ‘opkg’ to install the module:

opkg update
opkg install usbutils
opkg install kmod-usb-net-rtl8152

For further configuration, I also add a more user-friendly text editor than ‘vi’:

opkg install nano

Verify by ‘ifconfig eth1’ that the second network adapter shows up.

Switching the eth0 / eth1 interfaces to have eth0 for WAN

Now that we have both interfaces visible, we can switch their usage as described in the IoT guide. For my network (LAN side) I use a network mask of /16, so I cannot be on that same IP range for the network on the inside of the CM4 router.
For the inside, I choose (from the private IP-series), and will give my CM4 router the IP address

Change the old ‘lan’ section to ‘wan’ and add a new “lan” section in /etc/config/network:

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'lan'
	option proto 'static'
	option ifname 'eth1'
	option ipaddr ''
	option netmask ''
        option gateway ''
        option type 'bridge'

(I don’t think the “gateway” config is needed in ‘lan’, but have to check that)

Configure DHCP on the LAN interface
Add a “dhcp” section for eth1 in /etc/config/dhcp:

config dhcp 'eth1'
	option start '100'
	option leasetime '12h'
	option limit '150'
        option interface 'eth1'

Reboot the CM4 router, connect your uplink cable to eth0 and a computer to eth1. When the CM4 router has started, and if everything works well, and the computer should get an IP address on the 172.16.3 network (in the range from .100 to .250).

LuCI confusion by manual configuration

Access the web interface on, set a password for the web interface.
When you first access the web interface for your manually configured CM4 router, LuCI will ask to update the configuration to the new format (for using ‘br-lan’ instead of “option type ‘bridge'”) and using the ‘br-lan’ device instead of the manually entered ‘ifname’ in the lan section. Allow these changes, and the GUI is ready for use.


The first step is to go to System/Software in the menu and click the “Update lists” button to refresh/create the list of available plugins for OpenWrt. Then use the many OpenWrt guides online for additional configuration ideas.

If you during setup have your CM4 router behind another router on the local network, change the firewall setting for WAN to allow inbound access (unless you’re happy with accessing it from a computer on that routers’ LAN interface).
You find that setting under “Network/Firewall”:

You can after this change access the web interface and SSH over the WAN side IP. Do not forget to change back if this router is put on a public network!

That’s it for the basics and getting started with OpenWrt on a Pi4 with dual ethernet interfaces (either with the used CM4 baseboard or a separate USB3 dongle). I have probably missed some of my steps as this guide was written some time after I completed the setup.


Add and configure (accept default settings) the package named ‘luci-app-statistics’ to get graphs for CPU usage and network traffic.
Add the module ‘collectd-mod-thermal’ to get graph for CPU temperature.

Ivacy VPN settings

Get the file from here:
or (any of the non-Mac and non-Windows files) here:

Follow the guide

Ivacy-VPN related content in /etc/config/openvpn (as created by LuCI)
For easier configuration, skip the steps in the guide which explains how to configure the VPN connection using LuCI, just add the connection and then hit “Save & Apply” on the basic settings page, then edit the /etc/config/openvpn file directly:

config openvpn 'Ivacy'
        option dev 'tun'
        option nobind '1'
        option comp_lzo 'yes'
        option verb '1'
        option persist_tun '1'
        option client '1'
        option auth_user_pass '/etc/openvpn/userpass.txt'
        option resolv_retry 'infinite'
        option auth 'SHA1'
        option cipher 'AES-256-CBC'
        option mute_replay_warnings '1'
        option tls_client '1'
        option ca '/etc/openvpn/ca.crt'
        option tls_auth '/etc/openvpn/tls-auth.key'
        option auth_nocache '1'
        option remote_cert_tls 'server'
        option key_direction '1'
        option proto 'udp'
        option port '53'
        list remote ''
        option enabled '1'

Server list

Other carrier boards with dual ethernet ports

Seeed Studio Dual Gigabit Ethernet NICs Carrier Board
Product page
Getting Started with Dual Gigabit Ethernet Carrier Board for Raspberry Pi Compute Module 4 (hardware info)
The latest version of the pre-installed image (2022-07-18, as checked today, 8 Jan 2023) is linked from their Getting Started with OpenWrt guide.

I recently did the same installation on the carrier board from Seeed Studio, with a 8GB/8GB eMMC CM4 on it.
At the time I wrote this guide, the official CM4/Pi4 OpenWrt image did not contain the needed driver for the network adapter on the USB-bus, which lead me into using the bloated image from Seeed Studio.
For the new installation attempt, I found out which driver was used, and was prepared to install it manually.
The driver needed for this board is ‘kmod-usb-net-lan78xx’, but as it’s now included in the official image, no additional steps (except for configuring) eth1 is needed.
Resizing the OpenWrt root partition is done the same way as described above, except the extra steps needed if using a CM4 with eMMC (as described in the “Getting Started” above (follow the instructions for Mac/Linux for installing “usbboot”).

Seeed Studio CM4 Router Board
Another board from Seeed Studio. This one uses a real NIC controller chip (RTL8111E) for the second port to provide better stability and speed:
CM4 Router Board product page

Cisco ASA5505


Mappa extern IP-adress till intern
Port forwarding (närmast rätt)
Cisco ASA CLI/ASDM for Dummies

När saker inte fungerar

När det inte går spara konfigurationen (full flashdisk):
Om det finns någon gammal version av ASA eller ASDM, så går den plocka bort med “delete”-kommandot
show disk
delete disk0:/asa-gammal-fil.bin

Byta version på adsm eller asa som laddas:
conf t
asdm image disk0:/asdm-792-152.bin
boot system disk0:/asa924-33-k8.bin
write memory

Laga trasig ASDM-inloggning
To enable ASDM on Cisco ASA, the HTTPS server needs to be enabled, and allow HTTPS connections to the ASA.
To configure ASDM (HTTP) access to Cisco ASA on particular interfaces, where core and management are the nameifs use following commands:

ASA(config)#aaa authentication http console LOCAL
ASA(config)#http server enable
ASA(config)#http inside

Remember to create username, password to be able to authenticate to asdm:

ASA(config)#username admin password secretpassword


(låst) ASDM och ASA

Cisco ASDM
Cisco ASDM 7.12.2
Cisco Software Download – ASDM bra att kolla vilken version som ska letas

Cisco ASA 9.12.2
Cisco Software Download – ASA 5505 – kolla version här

Video Tutorials

Cisco ASA 5500 Password Reset Recovery

Cisco 5505 Factory Restore

Cisco ASA Training 101: ASA 5505 Firewall Initial Setup

Cisco ASA5505 firewall teardown an detailed overview for CCNA security lab and repair

dd-wrt for Linksys wrt3200acm

Check here if your router is supported (wrt3200acm is)

Installing and upgrading

Firmware FAQ
Download locations: