Netgate Discussion Forum

    OpenVPN client traffic to Starlink (CGNAT)

    • P
      peterthompson
      last edited by

      I have set up OpenVPN Server on an SG-3100 2.4.5-RELEASE-p1 and can reliably connect in via OpenVPN client from various devices. I have a Windows 7 system connected by ethernet to a 10/1 DSL at 192.168.1.200 and by USB WiFi to a Starlink dish at 192.168.1.222. Starlink does not currently allow any changes to their IP configuration during the beta cycle. I am currently unable to change the DSL router configuration due to Covid access restrictions- one configuration mistake and the DSL is down for all the devices there!

      Question- I have been able to use VNC to install OpenVPN at the client end, and using VNC over the DSL can activate the connection back to the Netgate reliably. The problem is that OpenVPN brings up its tunnel on the DSL connection, so I do not get the benefit of the much faster Starlink back to the Netgate. Since Starlink uses CGNAT, I have to first connect to VNC through DSL, then activate the OpenVPN connection.

      I have tried setting the METRIC for the DSL interface on the PC to be much higher than the Starlink, but OpenVPN always uses the DSL connection rather than the WiFi on IF 16.

      Is there a line I can add to the .OVPN client configuration file to tell it to connect using the USB WiFi adapter at IF 16 rather than the DSL?

      I also purchased an SG-2100 which I plan to ship up there pre-configured, but want to confirm that this setup works on a single client machine before attempting to set up the entire network on Starlink with DSL failover.

      Thanks

      • DaddyGoD
        DaddyGo @peterthompson
        last edited by

        @peterthompson said in OpenVPN client traffic to Starlink (CGNAT):

        Is there a line I can add to the .OVPN client configuration file to

        Hi,

        probably: push "route-metric X"

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        • P
          peterthompson @peterthompson
          last edited by

          @peterthompson I am considering trying to add a route on the client PC to direct traffic to the OpenVPN server to use the Starlink, but not sure how to do that with both the DSL and Starlink networks sitting at 192.168.1.1- something like this?

          route add 172.73.38.25 255.255.255.255 192.168.1.222 METRIC 2 IF 16

          But I think that would also make the DSL routing stop working as soon as the VPN link turned off?

          I have also tried:
          --local host
          Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.

          by adding at the top of the .OVPN configuration:

          dev tun
          persist-tun
          local 192.168.1.222
          persist-key
          ...

          without luck. The OpenVPN client log appears to indicate that this command is being ignored though:

          3/28/2021, 4:59:03 PM UNUSED OPTIONS
          1 [persist-tun]
          2 [local] [192.168.1.222]
          3 [persist-key]
          4 [data-ciphers] [AES-256-GCM:AES-128-GCM]
          5 [data-ciphers-fallback] [AES-128-CBC]
          7 [tls-client]
          9 [resolv-retry] [infinite]
          11 [lport] [0]
          12 [verify-x509-name] [VPNServer_Cert] [name]

          When I check the OpenVPN server log, I can see that the tunnel is connected from the DSL "real address", not Starlink.

          • JKnottJ
            JKnott @peterthompson
            last edited by

            @peterthompson said in OpenVPN client traffic to Starlink (CGNAT):

            route add 172.73.38.25 255.255.255.255 192.168.1.222 METRIC 2 IF 16
            But I think that would also make the DSL routing stop working as soon as the VPN link turned off?

            Think of the metric as cost. The traffic will go by the cheapest route. You set the preferred route with the lowest metric (cost) and it will be used when both paths are available. If only one of the two is available, it will be used. I have the same situation here with my ThinkPad running Linux. The metric for the Ethernet connection is lower than that for WiFi. So, if the Ethernet cable is connected, that is the path that will be used. Otherwise, WiFi. In this case, however, both interfaces are on the same subnet, which means I don't have to worry about gateways and such. With ADSL and Starlink, that info will change according to which method is used. This won't be an issue for new TCP connections or UDP, but existing TCP connections will fail. There might be issues with UDP if whatever is using UDP checks IP addresses. For example, OpenVPN has a setting Dynamic IP. If it's set, OpenVPN can switch between connections, but if it isn't, switching between ADSL and Starlink will cause the VPN to fail.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • P
              peterthompson
              last edited by peterthompson

              I finally took a chance and remotely changed the DSL to 192.168.5.0/24 so it would not conflict with the Starlink range. After a reboot, I was able to get OpenVPN to properly use the faster Starlink path. I "lost" an IoT device or two during the migration, but will eventually fix those.

              R 1 Reply Last reply Reply Quote 0
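
An added example, not part of any post in this thread: a simplified Python model of route selection (longest prefix first, then lowest metric) applied to the addresses discussed above, with a check that flags one gateway address claimed by two interfaces. The interface names, the metrics, the sample destination 203.0.113.10 and the DSL gateway 192.168.5.1 after renumbering are assumptions.

```python
import ipaddress
from collections import namedtuple

# Simplified model of IPv4 route selection: longest prefix wins, then lowest metric.
Route = namedtuple("Route", "network gateway ifname metric")

def route(net, gw, ifname, metric):
    return Route(ipaddress.ip_network(net), gw, ifname, metric)

def select_route(table, dst):
    """Return the route a host would use for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))

def ambiguous_gateways(table):
    """Gateway addresses reachable through more than one interface."""
    seen = {}
    for r in table:
        seen.setdefault(r.gateway, set()).add(r.ifname)
    return {gw: sorted(ifs) for gw, ifs in seen.items() if len(ifs) > 1}

VPN_SERVER = "172.73.38.25"   # server address quoted in the thread
OTHER_DST = "203.0.113.10"    # constructed sample destination (documentation range)

# Constructed routing tables; metrics and interface names are assumptions.
BEFORE = [
    route("0.0.0.0/0", "192.168.1.1", "DSL", 10),
    route("0.0.0.0/0", "192.168.1.1", "IF16-Starlink", 25),
]
# A /32 host route for the VPN server only, pinned to the Starlink interface.
WITH_HOST_ROUTE = BEFORE + [
    route(VPN_SERVER + "/32", "192.168.1.1", "IF16-Starlink", 2),
]
# DSL LAN moved to 192.168.5.0/24, so each gateway address is unique again.
AFTER_RENUMBER = [
    route("0.0.0.0/0", "192.168.5.1", "DSL", 25),
    route("0.0.0.0/0", "192.168.1.1", "IF16-Starlink", 10),
]

if __name__ == "__main__":
    for name, table in [("before", BEFORE), ("host route", WITH_HOST_ROUTE),
                        ("after renumber", AFTER_RENUMBER)]:
        print(name, select_route(table, VPN_SERVER).ifname,
              select_route(table, OTHER_DST).ifname, ambiguous_gateways(table))
```

The model only covers table lookup; it does not reproduce how a particular operating system resolves the same gateway address on two adapters, which is the condition `ambiguous_gateways` reports.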
              • R
                raider @peterthompson
                last edited by

                @peterthompson Hi

                I have the same problem. I am using Starlink and a router with OpenWRT and installed OpenVPN. On slow DSL it is working fine, but with the Starlink I can't connect VPN, it fails on TLS Handshake.
                Can you maybe give details on how you got OpenVPN and Starlink working? :)

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.