VPN to access router remotely over Starlink -- not working

lighting

Regular Contributor
I'm not a sophisticated networking type, but I manage an Internet connection for a tiny school on a remote island off Cape Cod. We've got an ASUS RT-AC86U router running latest rMerlin firmware. On our old setup with a microwave link I had OpenVPN working so I could remotely access the router via GUI and SSH. We installed a Starlink satellite Internet connection recently, which is a nice upgrade, but I can no longer get the VPN connection. I suspect the Starlink is giving the router a non-public IP address. (I think the old microwave setup had a static IP address.) The ASUS router is connected to the optional Ethernet adapter on the Starlink kit, and it's providing a nice, reliable Internet connection. I use Tunnelblick on a Mac in my shore-based office to (attempt to) connect.

Thank you for any advice!
 

eibgrad

Part of the Furniture
P.S. Assuming it is CGNAT, one way to get around the issue is to establish an OpenVPN client on the remote router to an OpenVPN server, then route from the server back into the remote network over that same tunnel. That could be a server established on your own home router, or perhaps a VPS, or more conveniently, a commercial OpenVPN provider that supports port forwarding on their end of the tunnel (AirVPN, Mullvad, etc.).
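Added example (not part of the thread or any poster's code): a way to check the "assuming it is CGNAT" premise before building the reverse tunnel, by classifying the address on the router's WAN interface. The function name `classify_wan`, the `observed_ip` parameter (the address a remote host sees for the connection) and all sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, which carriers use for CGNAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT router sits upstream.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, observed_ip=None):
    """Classify the router's WAN IPv4 address (hypothetical helper).

    wan_ip:      address shown on the router's WAN interface.
    observed_ip: address a remote host sees for this connection (optional).
    Returns (verdict, inbound_possible); inbound_possible is None when the
    address looks public but has not been confirmed from outside.
    """
    try:
        wan = ipaddress.IPv4Address(wan_ip.strip())
        seen = ipaddress.IPv4Address(observed_ip.strip()) if observed_ip else None
    except ValueError:
        return ("invalid", False)          # not an IPv4 address at all
    if wan.is_loopback or wan.is_link_local or wan.is_unspecified or wan.is_multicast:
        return ("invalid", False)          # never a usable WAN address
    if wan in CGNAT_NET:
        return ("cgnat", False)            # carrier NAT: no inbound port forwarding
    if any(wan in net for net in PRIVATE_NETS):
        return ("private", False)          # double NAT behind an upstream router
    if seen is None:
        return ("unverified", None)        # looks public, not confirmed from outside
    if seen != wan:
        return ("mismatch", False)         # some NAT still rewrites the address
    return ("public", True)                # an inbound VPN server can be reached


if __name__ == "__main__":
    # Constructed sample inputs: (WAN address on router, address seen from outside)
    samples = [("100.72.13.5", "198.51.100.7"),
               ("192.168.1.20", "198.51.100.7"),
               ("203.0.113.10", "203.0.113.10"),
               ("203.0.113.10", "198.51.100.7")]
    for wan, seen in samples:
        print(wan, seen, classify_wan(wan, seen))
```

Any verdict other than `public` means a VPN server on the remote router cannot accept inbound connections, which is the case the client-initiated tunnel described above works around.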
 

lighting

Regular Contributor
P.S. Assuming it is CGNAT, one way to get around the issue is to establish an OpenVPN client on the remote router to an OpenVPN server, then route from the server back into the remote network over that same tunnel. That could be a server established on your own home router, or perhaps a VPS, or more conveniently, a commercial OpenVPN provider that supports port forwarding on their end of the tunnel (AirVPN, Mullvad, etc.).
VERY helpful! I'll try that, using my home office router as the server. Think I even know how... Thank you!
 

eibgrad

Part of the Furniture
P.S. Technically, it could also be done using SSH and remote port forwarding. But it suffers from several issues, one of which is being able to maintain the SSH connection over time. Unlike a true VPN, ssh has no built-in mechanism to keep the connection alive should somewhere along the connection path some firewall sees a lack of activity as reason to drop it. So the autossh utility was created to mitigate that problem. But there's also the issue of SSH on the router only being a downsized version called dropbear. I don't know if I would trust it nearly as much as the full-fledged implementation (openssh).

I only mention it for reasons of completeness. It was actually a common thing many years ago for technically savvy users to punch a hole in the company firewall and make resources available via the tunnel from the server side. Compared to a VPN, setup was trivial, which made it appealing. But I'm sure it got more than a few of those ppl FIRED as a result. Regardless, as a technical solution, it may be viable in some limited circumstances, but I'd still prefer using an actual VPN for numerous reasons.
 

Yota

Very Senior Member
Yes, Starlink uses CGNAT. I heard they used to provide public IPv4 addresses in the early days, but they don't anymore. Also, I don't know when they will provide IPv6, but the best way to do it now is, as eibgrad said, to set up a reverse tunnel/VPN.

There are also methods out there, called firewall hole punching, which can establish a peer-to-peer connection on a network where both sides are CGNATs.
 

RMerlin

Asuswrt-Merlin dev
Yes, Starlink uses CGNAT. I heard they used to provide public IPv4 addresses in the early days, but they don't anymore. Also, I don't know when they will provide IPv6, but the best way to do it now is, as eibgrad said, to set up a reverse tunnel/VPN.
I'm surprised a brand new ISP that started offering services during the last 5 years hasn't launched with IPv6 right out of the gate. Sounds like poor/rushed planning to me.
 

Yota

Very Senior Member
I'm surprised a brand new ISP that started offering services during the last 5 years hasn't launched with IPv6 right out of the gate. Sounds like poor/rushed planning to me.
Not exactly, they don't officially support IPv6, but they've deployed IPv6 for experimentation in some regions, just /56, and it requires a lot of configuration. So for most users, there is no IPv6, but some can try the guide written by @Deekers to get Starlink's experimental IPv6 to work (or not, depending on the region they're experimenting with) on Asuswrt-Merlin.
 
