I have a client with a Draytek 2865Lac and I am trying to setup VPN Matcher so I can connect to their router over the LTE connection.
Normally I use Three SIMs at customer sites because they are cost effective way to get a public IP.
Sadlly, this site has poor Three signal so I am investigating other low cost SIM options.
I had both a 1p SIM (EE) and GiffGaff (O2) SIM to hand but neither work, they fail the STUN detection.  
"Fail to get IP information from STUN Server, please check your network environment or contact your network administrator."

Has anyone got specific experience of 4G providers that are known to work?  

Thanks

Paul R
 

Probably not what you are going for, but do you have a VPN server (Such as another Draytek, a spare physical box, or even a VPS) which you could use for the clients to dial-in to, and then you can access their networks through this? Then you will only have outbound VPN connections occurring over the CGNAT LTE connection, which is usually successful. 

I can already VPN in if their VDSL is working, the aim is to be able to connect to their LTE if it is down.
As above, I usually achieve this with a Three SIM but the signal there is not good enough.
I was hoping someone may have had experience of using VPN Matcher with a UK mobile network and CGNAT.  

I have never used the VPN Matcher, so can't help you there.

I have had good success with client Draytek's dialing-out over LTE (With CGNAT) to my VPN server, which then of course allows me (also connected to the VPN server network, directly or via a tunnel) to access their equipment. This could be a method you could use?

m_d wrote:

I have never used the VPN Matcher, so can't help you there.

I have had good success with client Draytek's dialing-out over LTE (With CGNAT) to my VPN server, which then of course allows me (also connected to the VPN server network, directly or via a tunnel) to access their equipment. This could be a method you could use?

Hi. Yes I had setup an outbound VPN as a workaround but it isn't ideal as I had to setup a dedicated VLAN for their VPN as I did not want any risk devices on their LAN could access ours! I also don't like having custom solutions for customers, but that is probably my OCD!   
 

Paul wrote:

Hi. Yes I had setup an outbound VPN as a workaround but it isn't ideal as I had to setup a dedicated VLAN for their VPN as I did not want any risk devices on their LAN could access ours! I also don't like having custom solutions for customers, but that is probably my OCD!   
 

I quite understand that! 

If it helps, if you have 1 VLAN for 'customer VPN's' (if you ever have to do this for other customers), I think (although it would be worth double-checking) the firewall will be able to control access between the customers, even if they are on the same VLAN / subnet - this doesn't usually work in a traditional, physical LAN, because devices can communicate on layer 2, but in this case each VPN terminates at the Draytek, so I think you can implement firewall rules.

I have never found a way to limit access from a VPN to the Draytek's web interface itself though, none of the firewall rules seem to work for this. I don't feel it is too much of an issue though, considering many people expose their web interfaces to the whole internet. (I do not recommend!)