Saturday, 7 November 2015

Using a VPN for online gaming when behind NAT

When to use this guide:

This guide applies if you're unable to play online games, and are unfortunate enough to have an internet connection trapped behind a NAT layer. This frequently happens in apartment buildings and on university campuses.

In my case, I was trying to play Splatoon and Mario Kart 8 on the Wii U , but they raised the dreaded 118-0516 error when trying to find/join games.

The easiest way to check if you're behind a NAT layer is to go to your router's status page and look at your WAN IP address. If it is of any of the following formats, you're stuck behind NAT:
  • 192.168.X.X
  • 172.16.X.X to 172.31.X.X
  • 10.X.X.X
These are 'private' IP address ranges that are not accessible from the public internet.

Why does NAT break online games?

Many online games need to be able to accept incoming connections from the public internet (or route incoming UDP packets, which can only be routed to a public IP address). If you're behind NAT, then the IP address issued to your router is a private address, which cannot be accessed from the public internet.

What do I do if my IP address is not a private address?

Good news everyone! In that case, your router has been assigned a public IP address. You can simply setup port forwarding or UPnP on your router to forward the necessary ports from your router to your console. The ports that you will need to forward vary by game or console. The fewer ports you can forward, the better.

Unfortunately, Nintendo doesn't specify the precise ports to forward for Wii U games - you need to forward UDP ports 1 - 65535. Putting your console in your router's DMZ will also achieve the same result, but is not recommended as it will forward all TCP and UDP ports, which opens your console up to attacks from the public internet. Forwarding UDP ports is less risky than forwarding both TCP and UDP ports. For PC games, a quick web-search will often tell you which ports you should forward. I have provided instructions to setup port forwarding on a DD-WRT router in the next section.

So I have a public IP address and want to setup port forwarding. How?

In all cases, the first thing to do is setup port forwarding from your router to your console. I believe that there are some systems that implement UDP hole punching that can allow games to work (but I've never seen one). You'll need to setup port forwarding to your console/PC anyway, so you might as well give it a try, and if it works, great!

I have all UDP ports forwarded to my Wii U. In order to do this, I first setup my router to assign a static IP address to my Wii U that is outside of the range of addresses that my router's DHCP server assigns (which is to

Then I setup my router to forward the necessary ports to that IP address as shown.

At this point, try to connect to an online game. If it works, great! You're done! If it doesn't work, keep reading.

Using a VPN for Gaming.

If you've gotten to this point, your router is unfortunately not accessible from the public internet, so no games for you!

However, there is a way to get a public IP address for your router so that it can be accessed from the internet. That is to sign up with a VPN provider who offers dedicated IP addresses. I personally use PureVPN. Note that you need to ensure that you have a dedicated IP address assigned by your VPN provider, because otherwise your router will still not be addressable by the public internet.

You will need a router that supports connecting to a VPN service (i.e. has a VPN client); a lot of routers don't support this with the built in firmware. I was using a 3 year old Linksys e3200 which didn't support this (and whose 5GHz functionality is unsupported by DD-WRT and poorly supported by Tomato), so I bought a Netgear R7000 and installed DD-WRT on it.

Common VPN client types are PPTP and OpenVPN. PPTP is much easier to configure but less secure. I'm personally using PPTP because the traffic I care about is already encrypted, and it's more secure than my previous connection to my building's network anyway (if a nefarious person on my building network wanted to sniff my packets before, nothing was stopping them).

Any decent VPN provider has tutorials for configuring your router; once it's setup and connecting to a VPN with a dedicated IP address, then everything should just work.

Things that break with VPNs.

I've been using this for several weeks, working from home over it, and routing all my home network's traffic over it. Performance is indistinguishable from the old connection.

There is one thing that I've found that doesn't work, and that is Hulu Plus. That's because those goons are actively checking for connections from IP ranges known to be used by VPN providers, in order to prevent foreigners from daring to tunnel into the USA and pay them money for their service. Simple solution: go to the Hulu web-page, and shut down the account. I was giving them money, but not any more; how I configure my internet is none of their business, so good riddance.