VPN Issues with Possible Solution????

Davmacrat · ‎25-01-2022

Hi All, new to the EE Community and hoping some of you clever cookies can bring your experience to bear.

I entered in to contract with EE for 4G WiFi in March of last year. Explained to the nice lass at EE that I was looking for a solution that would support my works VPN and some gaming. Terrestrial providers could only offer 3Mbs^-1, which wasn't going to cut it with 4 of us working from home in our new intergenerational living situation due to CVOVID. No problems I was told and duly signed up for EE's Mobile WiFi solution using their Huawei CPE Pro H112-372.

I have had no problems, but others in the family have; where the VPN grinds to a halt when using Teams. With my background in datacomms (30 years ago X25 FFR etc.) suspected that we may not have the signal density to support the throughput demands, and after speaking to EE Aerials Team invested further on an external antenna. The signal was now banging through. But no better with regards to the issue.

Then spoke to EE Technical department today, only to be told that EE Mobile WiFi does not support VPN or Gaming! WOW! Really! Why was this not made clear at the time of sale, especially when I explained my requirements? Stunned silence. We had an extended conversation regarding why VPN was not supported, and it turns out it was due to EE's use of Dynamic IP addressing within the ISP network however, I felt that I was not being told something; so back to the drawing board.

So here we come to the crux

I then attempted to go into the CPE admin page, only to find that all the advanced settings were locked down due to the implementation of CLAT Mode..... Back to Mr Google! Right, this is where I need some help in verifying my findings and interpretation and a possible solution: I've dragged on enough so bullet points for clarity. Am I correct in saying:

CLAT mode is implemented when a Customer Side Network Address Translator is employed by the UE.
In the case of EE this is caused by EE's IPv4 -> IPv6 transitional arrangements.
EE has implemented IPv6 only with 464XLAT and a central CG-NAT64 to embed Native and DNS IPV4 addresses into an IPv6 HEX format.
Consequently, I can do nothing with the router.

So at the risk of throwing good money after bad, what I'm looking at is a pre-established Peer to Peer VPN tunnel using a second VPN router outside the EE deliverable, (Something like VPN Express), where the VPN router is set up on a separate subnet. We then should be able to run our corporate VPN connections on the proprietary VPN outside the EE network. The only thing I need from EE's CPE Pro is to "Pass Thru" the Proprietory VPN. Not sure if the CPE Pro will do this automatically or am I going to be stumped again by the CLAT shutting down the advanced settings.

If any of you clever cookies can come up with any alternate solutions, I'm all ears. All comments will be gratefully received. My only other option is to go elsewhere, and although I'm slightly bent out of shape for not being told about this issue before I handed over my hard-earned pennies, I really don't want to go anywhere else since the QoS is good, as is the Customer Services, and that is hard to find these days.

Thanks all in advance.

Kindest Regards

Dave.

James_B · ‎25-01-2022

Hi @Davmacrat,

Welcome to the EE Community. 🙂

You shouldn't have any issues using Teams or a VPN service over EE mobile data.

Does the VPN work as intended when not using Teams?

James

mikeliuk · ‎25-01-2022

Hi @Davmacrat ,

Does the router give you the option to add an APN configured for IPV4-only instead of IPV4V6 ?

Adding the below reference as the OP seems to be a very good summary. I've not fully checked the details but the bones of the description and overview appear to be there in the OP.

https://www.ipv6.org.uk/wp-content/uploads/2018/11/Nick-Heatley_BT_EE_464xlat_UKv6Council_20180925.p...

Davmacrat · ‎25-01-2022

Hi @James_B, Thanks for getting back. I agree, I wouldn't have thought I would have had any VPN issues. But, the fact remains that EE first-line technical, with the advice from 2nd Line, stated that EE does not support VPN over Mobile broadband. Having thought about this further, there are some possible reasons for this, but the one I was given is not one of them. The Dynamic IP "issue" should not be an issue for the VPN (This is Dynamic within the EE Network, not the DHCP service), since the VPN is a Peer-to-Peer service running between Hosts, hence is transparent to the EE network. (It's just Encrypted data).

Hence the only reason that I can see why EE does not support VPN is a political one. I.e., like most network operators, they like to have oversight of use cases. If I'm correct here then there is still a technical issue to be solved. Probably one outside the EE network.

To answer your question; Yes. It appears to. I am told that when Video is passed the link slows down dramatically and grinds to a halt. All other devices appear to handle the situation fine, i.e. Netfilx, and all the usual TV stuff.

The other issue though is the inability to support the gaming side of things. This (Within the Operator Industry) is a well-known issue since the Customer side Translator (CLAT) shuts down the ability for the user to port fwd etc. and imposes "Strick" NAT. My gripe here is that I was not told of these limitations at the point of sale, so nine months down the line and several hundred pounds later, I'm no further forward.

So I'm going to go back to a test setup and see what I can glean from the stats.

Thanks again James.

Dave.

Davmacrat · ‎25-01-2022

Hi @mikeliuk, Thanks for the reply. Yes, the router does give me access to add another APN. What are your thoughts going forward, since EE's CLAT workaround to accommodate IPv4 addressing across a single stack IPv6 network is the root of the problem?

Thanks for the URL. Yes, this makes perfect sense, and if I were in the chair I would have done the same thing. However, going down this route, and not being transparent about it to your customers is something else. i.e. the case in question. I note within the OP the inability to accommodate gaming is mentioned, however, there is nothing said about VPN compatibility, which tends to reinforce my conclusion regarding EE stance on not supporting VPN I made to @James_B.

Would be interested in your thinking RE: "Alternative APN" route.

Kindest Regards

Dave.

James_B · ‎25-01-2022

Hi @Davmacrat,

Just to confirm, EE doesn't block the use of VPN services over our fixed or mobile networks. If traffic flows through the VPN with no issues, other than when using Teams, it suggests the VPN connection isn't the issue.

Have the affected users reported the issue to their employer's IT team to see if they can identify the issue?

James

mikeliuk · ‎25-01-2022

Hi @Davmacrat ,

My understanding is that a significant impediment to moving away from IPv4 is that web developers may have hardcoded IPv4 literals (e.g. IPv4 DNS addresses) so graceful usage of IPv6 may not be possible when one of these hardcoded literals is hit.

Hardcoded IPv4 literals will definitely be a problem for dual-stack IPv4/IPv6. I don't recall if 464xlat will solve the problem of hardcoded IPv4 literals or might suffer other issues because of it.

My understanding was that it was mainly Android and Apple phones with reliable 464xlat implementations such that IPv6 has become mostly a non-issue on such handsets/devices.

I'm not aware of a router with good 464xlat support although something of this nature (e.g. CLAT) must be present if EE is making IPV4V6 the default APN configuration.

I have a Netgear MR1100 and its internal database defaults to using IPV4-only. When I manually select IPV4V6, I see that only an IPv6 address is assigned which surprises me a little as the naming suggests dual-stack IPv6 (so I would additionally expect an IPv4 address, naively).

From a practical point of view, you will see on these forums many examples where switching from IPV4V6 to IPV4-only solves a wide variety of problems, including incompatibility with VPNs. The root cause of the problems is unknown to me as I don't currently have a configuration which would allow me to reproduce the issues. I speculate the issue might be hardcoded IPv4 literals or lack of 464xlat support in EE-supplied routers configured for IPV4V6.

The upshot is that if a problem is hit, the knee jerk reaction is often to switch from IPV4V6 to IPV4-only, and once that works for a user, the motivation to track down the root cause is often lost, to the detriment of wider adoption of IPv6. 🤓

Davmacrat · ‎26-01-2022

Hi @mikeliuk,

I could not agree more. This is an industry issue, which needs to be solved by the industry, but nobody seems willing to take the lead. The main issue that I see is that the software developers are still writing apps that require IPv4 communication, with IPv6 on the fringes. Until this is driven towards IPv6, then the NetOps will have to continue responding. I really do not understand why there is such a lack of impetus from the SW bods when the complexity and the nature of the app community is that the apps require more and more comms over the net just to function. Consequently, why would they not want to speed this up? Beets me.

Thanks again for all your help.

Kindest Regards

Dave.

Davmacrat · ‎26-01-2022

Hi, @James_B,

Thanks for this, and I hear you. However, I have never said that EE blocks the use of VPN, what I did say was that EE does not support it. 2nd Line tech confirmed that it may work, but EE does not support it.

And remember, we are talking about 4G broadband here. EE said there is no problem with their terrestrial network supporting user VPN's, but not so over the 4G network. Why, I don't know, and when I asked, I was given a reason I know not to be the right one. If you are able to get a clearer answer to the question, then I am all ears.

Thanks for all your help, James. Much appreciated.

Kindest regards

Dave.

James_B · ‎27-01-2022

Hi @Davmacrat,

We've confirmed that the VPN isn't the root cause of the issue, as the problem is only seen when using Teams. Have the affected users reported the issue to their IT team at work?

James