@DominikHoffmann said in OpenVPN with Netgate connected directly to Starlink dish.:

The only way to get around that would be to subscribe to a static IP address. How much does Starlink charge for that?

I don't think its even an option at any price.

But you can get a dynamic public IP

https://support.starlink.com/topic?category=10&category=46

How do I set my IP address to Public?

The ability to update the IP policy to a Public IP is only available with a Priority or Mobile Priority service plan:

Login to your account www.starlink.com/account Select "Manage" in the Your Starlinks section Select the "pencil" icon next to "IP Policy" Select "Public IP" from the drop down menu Save Reboot your Starlink

But you would need priority plan..

They are suppose to be rolling out IPv6 - if you have that you could use that for an unsolicited inbound connection for you vpn. Or there are other ways to work around the cgnat issue, with creating the outbound connection. Something like tailscale or wireguard could work.

https://www.starlink.com/service-plans/all

Wonder if have public inbound data is metered.. That can get pretty expensive.

publicip.jpg

Not exactly how those priority tiers work.. But 20$ more a month isn't horrible for a public IP. But 250 a month for 1TB seems a bit high!

@MoonKnight
Thanks for the feedback. I have since gotten rid of the destination rule inversion on the IPGROUP_ROUTE_VIA_EXPRESSVPN and set it to Any. This gives me better protection to make sure absolutely nothing goes out that is in that group if it does not go out the ExpressVPN gateway.

@viragomann Yes, I think I tracked it down to the VPN instances getting the same virtual IP in pfsense, which is making it conflict. And these are not changeable.... so.... currently looking at setting up a dedicated vpn connection on the linux box for the static route for the mailserver.

@DominikHoffmann Since you can reproduce it I'd create a bug report at redmine.pfsense.org.

edit:

Apr 26 11:17:34 openvpn 83673 do_ifconfig, ipv4=1, ipv6=0
Apr 26 11:17:34 openvpn 83673 /sbin/ifconfig ovpns4 172.16.10.1 172.16.10.2 mtu 1500 netmask 255.255.255.255 up
Apr 26 11:17:34 openvpn 83673 /usr/local/sbin/ovpn-linkup ovpns4 1500 0 172.16.10.1 172.16.10.2 init
Apr 26 11:17:34 openvpn 83673 /sbin/route add -net 10.4.0.0 172.16.10.2 255.255.0.0
Apr 26 11:17:34 openvpn 83673 /sbin/route add -net 172.16.20.0 172.16.10.2 255.255.255.0
Apr 26 11:17:34 openvpn 83673 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1800 tailroom:568 ET:32 ]
Apr 26 11:17:34 openvpn 83673 Socket Buffers: R=[42080->524288] S=[57344->524288]
Apr 26 11:17:34 openvpn 83673 UDPv4 link local (bound): [AF_INET]175.144.139.191:1120
Apr 26 11:17:34 openvpn 83673 UDPv4 link remote: [AF_UNSPEC]

This is log from Server.
Is there any indicator showing something wrong or its perfectly fine?

VPN has been down for awhile when using openvpn after update on pfsense.

anyone care to help?

@James92
It's pretty hard to tell you, what's wrong there, when only seeing two rows extracted from the log.

Clear the OpenVPN log. Go into the server settings and set the log verbosity level to 4. Then try to connect from a client.

Post the whole OpenVPN log after. You can obscure public IPs of course.

I want to force the client to use its own internet gateway. In my scenario, the client must definitely use its own internet. Some clients can send all traffic over VPN and the internet can be accessed through the VPN server's internet. I prevent this situation with security rules, but this time the internet cannot be accessed in any way. Even if routing is done to access the internet via VPN, my VPN server must not allow this and force it to use its own gateway. How do I do this?

@lifeboy Does the windows client machine have other network adapters such as vmware virtual adapters ?

@guillaume14
I made some tests with 2 pfsense box on the remote site:

the first one (192.168.10.254) is the default gateway for the remote site computers (192.168.10.0/24) the second one (192.168.10.129) has only one interface (WAN) with 192.168.10.254 as a the default gateway and the OpenVPN client instance to the OpenVPN HQ instance

If i add a route to the HQ site (192.168.14.0/24) on the first pfSense box using 192.168.10.129 as the gateway i cant access devices on the remote site (copier web interface for instance) from a computer in the HQ site but i can do a tracert to the same copier.

Any clue ?
Thanks

@JonathanLee

Thanks this fixed worked for me. My iPhone would not connect without it.

Thanks @viragomann that works perfect