Netgate Discussion Forum

    OpenVPN server on pfSense behind Starlink router in bridge mode

• LawRi
  last edited by

  Hi,

  I have a problem with a client connecting to my OpenVPN server on pfSense after switching from a 4G modem (router in bridge mode) to a Starlink router (dishy v2) in bridge mode.
  I have dynamic DNS working and pfSense has the right public IP. When the client tries to connect to my network it doesn't work. I know Starlink has CGNAT and I see my WAN IP is a private address (different from what dynamic DNS shows).
  Is there something I could do to get it to work again?

  Thanks in advance
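The symptom described in the post above (a WAN address that differs from what dynamic DNS publishes) is the usual sign of an upstream carrier-grade NAT. The following script is an added example and not code from the thread or from Netgate: it classifies the address a firewall sees on its WAN against the RFC 6598 shared address space (100.64.0.0/10) and the RFC 1918 private ranges, compares it with the DDNS-published address, and reports whether an inbound OpenVPN port forward can work at all. The sample addresses in it are constructed for the demonstration.

```python
"""Added example (not from the forum thread): decide whether the address a
firewall holds on its WAN can accept inbound OpenVPN connections.

A WAN address inside the CGNAT shared address space (RFC 6598,
100.64.0.0/10) or an RFC 1918 range, especially one that differs from the
public address dynamic DNS publishes, means the ISP is translating
upstream and unsolicited inbound traffic never reaches the firewall.
All sample addresses below are constructed.
"""
import ipaddress

CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def classify(addr: str) -> str:
    """Return 'cgnat-shared', 'private', 'public' or 'other' for an IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    if ip in CGNAT_SHARED:
        return "cgnat-shared"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "other"
    return "public"


def inbound_reachable(wan_addr: str, ddns_addr: str) -> dict:
    """Combine the WAN address class with the address DDNS publishes.

    Inbound connections can only work when the firewall's own WAN address
    is public and identical to what the remote client resolves via DDNS.
    """
    kind = classify(wan_addr)
    upstream_nat = ipaddress.IPv4Address(wan_addr) != ipaddress.IPv4Address(ddns_addr)
    reachable = kind == "public" and not upstream_nat
    if reachable:
        advice = "WAN holds the public address; an inbound OpenVPN port forward can work."
    elif kind == "public":
        advice = ("WAN is public but differs from the DDNS record: the DDNS entry is "
                  "stale or points elsewhere; fix the record before redesigning the VPN.")
    elif kind == "cgnat-shared":
        advice = ("WAN is in CGNAT shared space: run the OpenVPN server on a host with a "
                  "public address (a VPS, or the other site if it has one) and let this "
                  "firewall connect outbound to it.")
    else:
        advice = ("WAN address is not the public one: an upstream router or ISP NAT is in "
                  "the path; inbound connections need an intermediary or a reversed tunnel.")
    return {"wan_class": kind, "upstream_nat": upstream_nat,
            "inbound_reachable": reachable, "advice": advice}


if __name__ == "__main__":
    # Constructed samples: first the situation the original poster described
    # (shared-space WAN while DDNS shows the ISP-side public address), then a
    # firewall that really holds its public address.
    for wan, ddns in [("100.72.13.9", "203.0.113.45"), ("203.0.113.45", "203.0.113.45")]:
        result = inbound_reachable(wan, ddns)
        print(f"WAN {wan} / DDNS {ddns}: {result['wan_class']}, "
              f"inbound_reachable={result['inbound_reachable']}")
        print("  " + result["advice"])
```

Run it with the WAN address from the pfSense dashboard and the address your DDNS hostname resolves to; a `cgnat-shared` result means port forwarding on the firewall cannot help and the server role or an intermediary host has to move to a side that holds a public address, as the replies below discuss.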
• rcoleman-netgate (Netgate) @LawRi
  last edited by

  @lawri Doesn't Starlink use CGNAT for its IP blocks? If so you will need a 3rd system to do your bridging -- basically you connect to the 3rd device that also gets connected to via OVPN by the pfSense behind dishy.

  Same design applies to having a home LTE internet service that uses a CGNAT for configurations -- you need something to play the intermediary.

  Ryan
  Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
  Requesting firmware for your Netgate device? https://go.netgate.com
  Switching: Mikrotik, Netgear, Extreme
  Wireless: Aruba, Ubiquiti
• chpalmer @LawRi
  last edited by

  @lawri

  Is the client behind CGNAT as well?

  Triggering snowflakes one by one..
  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
• LawRi @rcoleman-netgate
  last edited by

  @rcoleman-netgate thanks for the answer, I thought it might be something like that. I have to learn how to do that.

  @chpalmer no, the client is not behind CGNAT
• chpalmer @LawRi
  last edited by

  @lawri said in OpenVPN server on pfSense behind Starlink router in bridge mode:

    @chpalmer no client is not behind CGNAT

  Could you make the client side the server side instead? I don't know your particular circumstance there so just throwing the idea out there.
• rcoleman-netgate (Netgate) @chpalmer
  last edited by

  @chpalmer said in OpenVPN server on pfSense behind Starlink router in bridge mode:

    Could you make the client side the server side instead? I

  If the client is using something like TMO home internet the routed IP will change regularly. Had that trouble at a friend's business last week when his FTTP broke.

  Ryan
• chpalmer @rcoleman-netgate
  last edited by chpalmer

  @rcoleman-netgate Wouldn't dynamic DNS work for that?
• rcoleman-netgate (Netgate) @chpalmer
  last edited by

  @chpalmer No, because the routing IP on cellular networks almost never remains the same for more than a few seconds. If you think CGNAT is bad, this is 1000x worse. DynDNS might be one IP one moment and another the next.

  Ryan
• chpalmer @rcoleman-netgate
  last edited by

  I do know that a customer of (at least) Verizon can get a public IP address assigned to their number. This may now only be for commercial accounts, but this might be a solution available from any of the carriers.

  But according to LawRi: "no client is not behind CGNAT"

  Thus my comment that he could possibly put the server side on the "client" side, and make his side the "client" side of the connection. Not sure why that couldn't work for him, as I do it here for one of my radio sites.
• LawRi
  last edited by

  Thanks for all the answers, but I stopped using OpenVPN because of CGNAT.
  Now I made a Cloudflare tunnel so the client can connect directly to the services it needs.
  The client is me in the office, the server is me at home 🙂.
• wgstarks @LawRi
  last edited by

  @lawri said in OpenVPN server on pfSense behind Starlink router in bridge mode:

    Thanks for all answers but I stopped using OpenVPN cause CGNAT.
    Now I made cloudflare tunnel so client can connect directly to services it needs.
    Client is me in office, server is me at home 🙂 .

  I'm going to be relocating (soon) to an area with no cable and very spotty cell phone coverage and am planning to use Starlink for internet access, since it's really the only option and is expected to be available sometime this year. I use the OpenVPN server built in to pfSense a lot to connect my iPhone back to my home network when I'm at work. Could you describe how you set up the Cloudflare tunnel to access your network?

  Box: SG-4200
• LawRi @wgstarks
  last edited by LawRi

  @wgstarks I watched a few videos on YT and made a tunnel for myself. There is a free plan to sign up for. You need a domain; if you don't have one you can buy one from them ($10 a year). Then you make a new tunnel; you need a local machine that is always connected to the internet and install the client on it. As I understand it, that client connects the tunnel to Cloudflare. After that you expose some services to that tunnel, like NAT. You can protect your tunnel with a few options; I used mail protection on each service. I watched these two videos:
  NetworkChuck
  Lawrence Systems
• wgstarks @LawRi
  last edited by

  @lawri
  Thanks. I've seen that, but I really need something I can run Plex through. It's my understanding that the Cloudflare ToS doesn't allow streaming through the tunnel.

  Thanks for the video links though. I'm sure the process is basically the same for any endpoint.
• LawRi @wgstarks
  last edited by

  @wgstarks I don't use Plex for home streaming, and generally I didn't expose my home cinema server to the tunnel. I looked at the Cloudflare ToS but can't see where it says that streaming services are not allowed.
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.