Google Nest Wifi: A Speaker With Mesh Wifi

I got my pair of Google Nest Wifi before last Christmas. Just in time.

I have been using a NetGear Nighthawk R7000 for many years, time for an upgrade. The Google Nest Wifi is very easy to setup, only need to connect the Nest Wifi router to existing router/modem and the rest can be done on a phone with Google Home app.

Here are some good stuff I got from a pair of Google Nest Wifi( 1 router + 1 node ):

  • Better control with the Google Home app
  • Easy toggle on/off of guest network
  • Parental controls which allow I to turn on safe search for kids’ devices
  • and also set schedules to limit screen/internet time
  • The node is also a very good smart speaker, thinking something between the original Google Home and a Google Home Max
  • Automatic wifi mesh network, no setup required
  • Internet speed test now automated, and with history of speed of past days
  • Extendable mesh so I can buy another node later


5G + Public IP with OpenVPN

I’ve done a proof of concept with SSH tunneling to add a public IP to my 5G home broadband connection, it works for my garage-hosted blogs but it’s not a complete solution. Since I still have free credit in my personal Google Cloud account, I decided to make an improvement with OpenVPN. The diagram looks like:

       [iptables DNAT]
      [OpenVPN tunnel]
[local server tun0 interface:]

Following an outstanding tutorial on DigitalOcean I set up an OpenVPN server on Debian 10 running in a Google Cloud Compute instance. There’s a few more thing to do for my case.

First I needed to add port forwarding from the public interface of the OpenVPN server to home server’s tunnel interface. Here’s my ufw configuration file:

# this is /etc/ufw/before.rules
# NAT table rules
# port forwarding to home server
-A PREROUTING -i eth0 -p tcp -d <public ip> --dport 80 -j DNAT --to

# Allow traffic from OpenVPN client to eth0, ie. internet access

Make sure to restart ufw after this.

Then in my home server, the OpenVPN client can be configured to run as a service:

# this is /etc/systemd/system/vpnclient.service
Description=Setup an openvpn tunnel to kite server

ExecStart=/usr/sbin/openvpn --config /etc/openvpn/client1.conf


To enable it and start immediately:

sudo systemctl daemon-reload
sudo systemctl enable vpnclient
sudo systemctl start vpnclient

Also I need my home server to have a fixed IP for its tun0 network interface, so the nginx server can proxy traffic to this IP reliably. I followed this guide, except it suggested to do client-config-dir on both server and client sides but I only did on the server side and it worked for me:

# this is /etc/openvpn/server.conf
# uncomment the following line
client-config-dir ccd

# this is /etc/openvpn/ccd/client1

After this the OpenVPN server on the VM needs to be restarted:

sudo systemctl restart [email protected]

Reload the nginx server and it should be working. I tested it with curl -H "Host:" 35.197.x.x and the request hit my home server.


5G is Fast but There’s No Public IP

I’m super happy that I can finally have a broadband that does have a broad bandwidth. However like all other cellular services the 5G gateway has a private IP as its external IP, ie. everything I got is behind huge NAT servers of Optus and they will not open any port just for me.

The NBN wasn’t as fast but there was a public IP assigned to the router… Should I go back to use NBN because of this reason? I’ve done countless internet/cloud solutions, can I do one for myself? I remember when I worked on a private network behind NAT gateways I could do SSH tunneling and expose a port in the private network to outside for 3rd party partners. All I need is a virtual machine in the cloud that has a public IP. It will look like this:

       [SSH Tunnel]
[local server:192.168.1.x:80]

I need to create a SSH tunneling service between my home server and the cloud instance, then point CloudFlare DNS to the public IP of the cloud instance, that’s it! But hang on, I can’t bind to port 80 using a non-privileged user. So there’s a local port forwarding in the cloud instance to handle this:

        [SSH Tunnel]
[local server:192.168.1.x:80]

Ok let’s do it. First I created a cloud instance in Google Cloud, because it gave me $400 free credit last year and I haven’t used much yet. I opened port 80 for the instance, added my SSH public key and installed an nginx server forwarding traffic from port 80 to local port 8080. Here’s the simple nginx configuration:

# This file can be saved as /etc/nginx/site-enabled/proxy
# in the cloud instance
        listen 80;
	client_max_body_size 100M;

        location / {
		proxy_pass http://localhost:8080;
		proxy_set_header Host              $host;
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto https;
		proxy_set_header X-Forwarded-Host  $host;
		proxy_set_header X-Forwarded-Port  $server_port;

Don’t forget to reload nginx. Done! The next step is to create an SSH tunneling service in my home server. My home server is running Ubuntu so the service is defined with systemd syntax:

# The file can be saved as /etc/systemd/system/mytunnel.service
# in my home server
# replace the id_rsa with yours of course
Description=Setup a secure tunnel to kite server

ExecStart=/usr/bin/ssh -NT -i /home/ray/.ssh/id_rsa -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -R 8080:localhost:80 [email protected]

# Restart every >2 seconds to avoid StartLimitInterval failure


Then use the following commands to start and check the service:

$ systemctl daemon-reload
$ systemctl start mytunnel
$ systemctl status -l mytunnel

The status of the tunnel can also be verified in the cloud instance by:

$ sudo netstat -tlnp
tcp        0      0*               LISTEN      1460/sshd: ray      

By now all the dots have been connected. I can test the round trip on my laptop with:

$ curl http://35.197.x.x -H 'Host:'
# this should print out the HTML of my blog's homepage.

The last step is to update CloudFlare DNS to send traffic to the new cloud instance. Did it work? You’re looking at the result right now 🙂

5G Is Fast! Bye Bye NBN

A few months ago I knew Optus was rolling out the shiny 5G services but to my surprise it’s available in my suburb already. It took NBN years.

It’s a tough time at the moment as everyone is ordered to stay home, but it’s a perfect time to upgrade my home broadband and without paying more: The 5G plan costs $70/month and has unlimited data, same as my NBN50 price, but much faster. The deal is here.

I placed my order online on Sunday, it was processed on Monday and 3 days later I received the Nokia 5G gateway. It’s really big and heavy comparing to any DSL or Cable modem I’ve ever used.

Nokia FastMile 5G Gateway with plastic wraps

It’s much easier to install this thing, if this can be called an installation at all. Basically I only need to put it on a surface near a window and facing the 5G tower and power it on. It will compare signal strength among its 5 antennas and indicate the one it will use. (So why have 5 antennas in the first place?) For me I’m very lucky because I can see the telecomm tower through my window so I pointed the active antenna at the tower with laser precision then doing the speed test which I waited for too long.

Optus 5G Home Broadband Speed Test

It’s about 8 times faster than my NBN when downloading and 2.5 times faster when uploading. I used to prefer a wired connection, but not anymore.

There’s 1 issue though: there’s no public IP allocated to the gateway. I guess that makes sense as cellular devices never have a real IP anyway. This translates to that I can’t do either uPnP or port forwarding! How can I still host this little blog in a Raspberry Pi in garage then?

(the answer is in next blog) 🙂