OpenVPN client traffic to Starlink (CGNAT)
-
I have set up OpenVPN Server on an SG-3100 2.4.5-RELEASE-p1 and can reliably connect in via OpenVPN client from various devices. I have a Windows 7 system connected by ethernet to a 10/1 DSL at 192.168.1.200 and by USB WiFi to a Starlink dish at 192.168.1.222. Starlink does not currently allow any changes to their IP configuration during the beta cycle. I am currently unable to change the DSL router configuration due to Covid access restrictions- one configuration mistake and the DSL is down for all the devices there!
Question- I have been able to use VNC to install OpenVPN at the client end, and using VNC over the DSL can activate the connection back to the Netgate reliably. The problem is that OpenVPN brings up its tunnel on the DSL connection, so I do not get the benefit of the much faster Starlink back to the Netgate. Since Starlink uses CGNAT, I have to first connect to VNC through DSL, then activate the OpenVPN connection.
I have tried setting the METRIC for the DSL interface on the PC to be much higher than the Starlink, but OpenVPN always uses the DSL connection rather than the WiFi on IF 16.
Is there a line I can add to the .OVPN client configuration file to tell it to connect using the USB WiFi adapter at IF 16 rather than the DSL?
I also purchased an SG-2100 which I plan to ship up there pre-configured, but want to confirm that this setup works on a single client machine before attempting to set up the entire network on Starlink with DSL failover.
Thanks
-
@peterthompson said in OpenVPN client traffic to Starlink (CGNAT):
Is there a line I can add to the .OVPN client configuration file to
Hi,
probably: push "route-metric X"
-
@peterthompson I am considering trying to add a route on the client PC to direct traffic to the OpenVPN server to use the Starlink, but not sure how to do that with both the DSL and Starlink networks sitting at 192.168.1.1- something like this?
route add 172.73.38.25 255.255.255.255 192.168.1.222 METRIC 2 IF 16
But I think that would also make the DSL routing stop working as soon as the VPN link turned off?
I have also tried:
--local host
Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.
by adding at the top of the .OVPN configuration:
dev tun
persist-tun
local 192.168.1.222
persist-key
...without luck. The OpenVPN client log appears to indicate that this command is being ignored though:
3/28/2021, 4:59:03 PM UNUSED OPTIONS
1 [persist-tun]
2 [local] [192.168.1.222]
3 [persist-key]
4 [data-ciphers] [AES-256-GCM:AES-128-GCM]
5 [data-ciphers-fallback] [AES-128-CBC]
7 [tls-client]
9 [resolv-retry] [infinite]
11 [lport] [0]
12 [verify-x509-name] [VPNServer_Cert] [name]
When I check the OpenVPN server log, I can see that the tunnel is connected from the DSL "real address", not Starlink.
-
@peterthompson said in OpenVPN client traffic to Starlink (CGNAT):
route add 172.73.38.25 255.255.255.255 192.168.1.222 METRIC 2 IF 16
But I think that would also make the DSL routing stop working as soon as the VPN link turned off?
Think of the metric as cost. The traffic will go by the cheapest route. You set the preferred route with the lowest metric (cost) and it will be used when both paths are available. If only one of the two is available, it will be used. I have the same situation here with my ThinkPad running Linux. The metric for the Ethernet connection is lower than that for WiFi. So, if the Ethernet cable is connected, that is the path that will be used. Otherwise, WiFi. In this case, however, both interfaces are on the same subnet, which means I don't have to worry about gateways and such. With ADSL and Starlink, that info will change according to which method is used. This won't be an issue for new TCP connections or UDP, but existing TCP connections will fail. There might be issues with UDP if whatever is using UDP checks IP addresses. For example, OpenVPN has a setting Dynamic IP. If it's set, OpenVPN can switch between connections, but if it isn't, switching between ADSL and Starlink will cause the VPN to fail.
-
I finally took a chance and remotely changed the DSL to 192.168.5.0/24 so it would not conflict with the Starlink range. After a reboot, I was able to get OpenVPN to properly use the faster Starlink path. I "lost" an IoT device or two during the migration, but will eventually fix those.
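
Added example, not part of the original posts: a small pre-flight check for a dual-uplink client like the one in this thread. It flags overlapping subnets and a gateway address reused on two interfaces, then models the "longest prefix, then lowest metric" selection described above. The interface names, the /24 masks on 192.168.1.x, the 192.168.5.x host and gateway addresses, the metrics and the 203.0.113.10 server address are all assumptions made up for illustration.

```python
import ipaddress

# Constructed sample data. The 192.168.1.x addresses come from the thread; the /24
# masks, the 192.168.5.x host/gateway addresses and all metrics are assumptions.
BEFORE = [("dsl-eth", "192.168.1.200/24", "192.168.1.1"),
          ("starlink-wifi", "192.168.1.222/24", "192.168.1.1")]
AFTER = [("dsl-eth", "192.168.5.200/24", "192.168.5.1"),
         ("starlink-wifi", "192.168.1.222/24", "192.168.1.1")]
VPN_SERVER = "203.0.113.10"  # documentation address standing in for the server

def conflicts(interfaces):
    """Report overlapping subnets and gateways reused on several interfaces."""
    found = []
    for i, (a, addr_a, gw_a) in enumerate(interfaces):
        for b, addr_b, gw_b in interfaces[i + 1:]:
            net_a = ipaddress.ip_interface(addr_a).network
            net_b = ipaddress.ip_interface(addr_b).network
            if net_a.overlaps(net_b):
                found.append(f"{a} and {b} overlap: {net_a} / {net_b}")
            if gw_a == gw_b:
                found.append(f"{a} and {b} share gateway {gw_a}")
    return found

def pick_route(routes, dest):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[3]))

def routes_for(interfaces, metrics, host_route_if=None):
    """Build one default route per interface, plus an optional /32 to the VPN server."""
    table = [("0.0.0.0/0", gw, name, metrics[name]) for name, _addr, gw in interfaces]
    for name, _addr, gw in interfaces:
        if name == host_route_if:
            table.append((VPN_SERVER + "/32", gw, name, 2))
    return table

if __name__ == "__main__":
    for label, ifs in (("before", BEFORE), ("after", AFTER)):
        print(label, conflicts(ifs) or "no conflicts")
    table = routes_for(AFTER, {"dsl-eth": 25, "starlink-wifi": 50}, "starlink-wifi")
    print("VPN server via", pick_route(table, VPN_SERVER)[2])
    print("other traffic via", pick_route(table, "198.51.100.7")[2])
```

The model only covers route selection once addressing is unambiguous; it does not reproduce how Windows behaves while both interfaces sit on the same subnet.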
-
I have the same problem. I am using Starlink and a router with OpenWRT and installed OpenVPN. On slow DSL it is working fine, but with the Starlink I can't connect VPN, it fails on TLS Handshake.
Can you maybe give details on how you got OpenVPN and Starlink working? :)