How to Bypass Mobile Hotspot Double NAT and Use Port Forwarding to Host Services on a Dedicated Public Static IP
If you are on mobile broadband, 4G, or 5G, you have likely run into the double NAT issue that makes your locally hosted services unreachable from the internet. Here is a simple and cost-effective workaround.
Create an Amazon Lightsail account https://lightsail.aws.amazon.com/
Select ‘Create instance’
Select OS Only & Choose Ubuntu or Debian
Choose a plan
The $5 a month plan offers plenty of compute and storage for most use cases.
Once the instance is created, go over to the Networking Tab and Create a static IP, then assign it to the instance
As always, I highly suggest running updates on the server before going any further.
Install OpenVPN Server
sudo su
wget https://git.io/vpn -O openvpn-install.sh
nano openvpn-install.sh
chmod +x openvpn-install.sh
bash openvpn-install.sh
Did you catch where the client configuration file was written to? If not, find it with:
find / -type f -name myvpn.ovpn
Move that client configuration file over to your client via method of choice.
Set Up Port Forwarding
Move back over to the OpenVPN server on the AWS instance and run the commands below to set up port forwarding.
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
Do the following for every port you want to forward.
Assuming eth0 is the LAN/WAN gateway interface and 10.8.0.2 is the VPN IP assigned to the client:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 10.8.0.2:8080
iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
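Typing that rule pair by hand for every port is error-prone (copying from a web page also tends to turn --dport into an en dash, which iptables rejects). The following script is an added example, not part of the original post: it renders the same PREROUTING DNAT and FORWARD ACCEPT pair for a list of ports, validates the port and protocol first, and only applies them when DRY_RUN=0. The interface name eth0 and client address 10.8.0.2 are the guide's assumed values and can be overridden via WAN_IF and VPN_CLIENT.

```shell
#!/bin/sh
# Added example (not from the original post): render, and optionally apply, the
# PREROUTING DNAT + FORWARD ACCEPT pair from this guide for several ports at once,
# validating the inputs first. Defaults assume the guide's values: public
# interface eth0 and OpenVPN client address 10.8.0.2.
set -eu

WAN_IF="${WAN_IF:-eth0}"               # public-facing interface on the Lightsail host
VPN_CLIENT="${VPN_CLIENT:-10.8.0.2}"   # address OpenVPN assigned to the home client
DRY_RUN="${DRY_RUN:-1}"                # 1 = only print the rules; 0 = run them (as root)

# Succeed only if $1 is a valid port number (1-65535).
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the two iptables commands that forward port $1 (protocol $2, tcp or udp,
# default tcp) from the public interface to the same port on the VPN client.
# Options are written with real double dashes; copying from a web page often
# turns "--dport" into an en dash, which iptables rejects.
render_forward_rules() {
  port="$1"; proto="${2:-tcp}"
  valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  case "$proto" in tcp|udp) ;; *) echo "invalid protocol: $proto" >&2; return 1 ;; esac
  printf 'iptables -t nat -A PREROUTING -p %s -i %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$proto" "$WAN_IF" "$port" "$VPN_CLIENT" "$port"
  printf 'iptables -A FORWARD -p %s -d %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
    "$proto" "$VPN_CLIENT" "$port"
}

# For each argument "port" or "port/proto", render the rule pair; with DRY_RUN=0
# each rendered line is executed, so only the ports you list are ever opened.
forward_ports() {
  for spec in "$@"; do
    port="${spec%%/*}"; proto="${spec#*/}"
    [ "$proto" = "$spec" ] && proto=tcp
    rules="$(render_forward_rules "$port" "$proto")" || return 1
    if [ "$DRY_RUN" = "0" ]; then
      printf '%s\n' "$rules" | while IFS= read -r line; do eval "$line"; done
    else
      printf '%s\n' "$rules"
    fi
  done
}

# Dry run for 8080/tcp and 5000/udp; set DRY_RUN=0 and run as root to apply.
forward_ports 8080 5000/udp
```

After applying, the persistence step below is still required or the rules vanish on reboot.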
Make the iptables changes persist across reboots
apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4
Note that iptables-save on its own only prints the current rules; redirecting them into /etc/iptables/rules.v4 is what iptables-persistent reloads at boot.
Restart the OpenVPN Service
systemctl restart openvpn-server@server.service
Back in the Amazon Lightsail instance manager Networking tab, open the firewall ports used for port forwarding and the UDP port used by OpenVPN.
Testing
Connect to the OpenVPN server
openvpn myvpn.ovpn
Check your public IP at https://ping.eu; it should be the OpenVPN server's public IP.
Run a netcat listener on a port that is set up to forward:
nc -lvnp 8080
From a device on a different network from your netcat listener, open a browser and navigate to http://YourOpenVPNPublicIP:8080
You should see the GET request headers in your netcat listener, indicating a successful setup.
Be sure to implement security controls: keep OpenVPN patched to the latest version, and keep your client configuration file protected.