How would you remotely administer a hub?

Yeah I tried that but have had no luck opening a port. I have an AT&T modem running in passthru mode with Deco M5 mesh routers so it should be easy but no love. The router even has option for DDNS so I don't need static IP.

I'm probably rehashing stuff you have already tried or know, but anyways, to try to help "the next person" I'll post it:

  • If your AT&T modem is indeed in passthrough/bridged mode, then it is completely out of play as a problem since it'll just be letting traffic in and out with zero restrictions. If it happens to be still dishing out internal IPs then this is a problem as your devices are "double NAT-ed", that creates all kinds of issues with things like port forwarding

  • I see in the documentation for the Deco 5 that it doesn't allow one to manually type an IP address to set up a port forwarding rule, the device has to be first connected to the network and then has to be selected during the rule setup. (Google WiFi is the same way)

Other than that small caveat about being hooked up first, there is absolutely zero reason why a mini VPN wouldn't work with your configuration.

I don't know much about networking but the modem assigned an IP to the Deco router in the 172.10.0.xx range and the Deco assigns IPs in the 192.168.68.xx range. No other device shows up in the modem's IP table other than the Deco router and all of my devices are in the 192.168.68.xx as expected. I think I followed correct instructions for AT&T modem found in YouTube.

I haven't invested to much time on it because the VPN is more of a curiosity than a necessity for me.

Arghhh more double-natting!!!!

The other thing is embrace the ISPs router's subnet and set the WiFi router to bridging/access point mode instead... A desperation trick if unable to change the mode that I've used in the past is configuring a WifI's IP "WAN" address on the router as the "DMZ" (or whatever they call it). On the plus side most devices like Google Wifi and Deco have their own firewall management so you are still protected.

Deco (check your model)
https://www.tp-link.com/us/support/faq/1842/

(Google WiFi only allows this with one Wifi device !@%#!@#$!@#!!)