Works perfectly after some changes in my case! Thanks. When I use a class A IP on the VPN with Starlink it does not work, but I changed the default port to another one and set a class C IP and it works like a charm... Thanks, thanks!!!
Great to hear! Always make sure you use an IP range that is going to minimize the chances of an IP conflict. I tend to stay away from subnets such as 192.168.0.0/24, 192.168.2.0/24, 10.0.0.0/24; these are usually used by ISPs, and most people tend to use these on their out-of-the-box setups with their own routers. My next video will be explaining all of this, and I'm looking to address adding access to an entire subnet.
Can I use a MikroTik on site A and a second MikroTik on site B as VPN gateways? Because MikroTik has WireGuard packaged.
There shouldn't be an issue with using those router types at either end; all that matters is how you configure the connection. Many times when you use a built-in WireGuard service it will provide the option to accept routes that are provided in the config, although there may be a requirement to add routes manually on your own.
Nice video! Planning to use my FortiGate firewall. Set the Starlink router in bypass mode and do all source NATing on my firewall. Plan to use DDNS to set up my SSL VPN on the FortiGate. What do you think about this approach please?
On Starlink it wouldn't work because your clients won't be able to route to the FortiGate. You would need an intermediate machine that both source and destination can reach.
Thanks for the explanation. I'm trying to connect my Starlink with a VPN tunnel on my WireGuard server but it does not work. With my normal internet provider it works... I see that you do not supply a listen port on the Starlink client. What port range do I need to release on the server? Because when I connect, a random listen port is opened on the client. I use the WireGuard client for Windows over Starlink. Thanks for the support.
Glad you enjoyed the explanation. If you look at the diagrams, with a CGNAT ISP you can't open ports to the Internet, which is where you need a 3rd machine in the middle to become the server. Both other WireGuard networks connect into this WireGuard server. You can see the difference between page 1 and page 2. If you have any further questions don't hesitate to reply. All the best.
@aktuMedia Thanks for the answer. Just clarifying: Yes, I have a VPS with a fixed IP in Oracle Cloud being the VPN server, and my Windows Server server behind Starlink and a link with a fixed IP, routed in a MikroTik (Starlink is a failover). When I connect to the VPN server using the fiber link, it works perfectly. When you enter Starlink it does not connect. I followed step by step but I believe something is still wrong because the connection between the Windows Server and the VPN server on Oracle Cloud is not established via Starlink. Thanks again for the support!
Without seeing your network config, and based on what you're saying, the reason it's not working when you connect via Starlink would be because the VPS server is attempting to connect out to your Starlink connection, but if you look at the diagram that won't work because CGNAT won't route that traffic. So you may want to set up your server that is behind the CGNAT (as secondary) to connect outbound only and not require an inbound connection. This way, regardless of it being on your primary or failover, it will be the one initiating the connection to your VPS. And of course make sure the keep-alive is set to something small enough that it won't wait too long to re-initiate the connection.
So I cannot install a VPN directly on my Starlink router? I need to use a personal router which supports VPN?
That's right, you can't use it directly on a Starlink router. You can either use a VPN router or set up a device to act as a VPN gateway.
Starlink supports VPNs that utilize TCP or UDP, for example SSL based VPNs, or, for example, VPN PPTP (Point-to-Point Tunneling Protocol). VPN IPSEC types are currently not compatible with Starlink.
When I had initially spoken with Starlink support, VPNs were still not officially supported; however, the same rules still apply where the Starlink client will need to connect into a VPN server. The Starlink WAN cannot accept connections due to it being a CGNAT.
I want to buy a Starlink server to build a VPN. Can you provide it?
We would be happy to discuss this with you; please reach out to info@aktuconsulting.ca and someone will work with you on this.
Any reason to not use an IPv6 VPN gateway? I am about to test my proof of concept idea before I go to my employer with the idea.
Edit: IPv6 of course so that you don't have to get a web server and you can just use a low powered device as your gateway as a one time cost (~$20)
Editx2: Other than IPv4 interop issues (I have that sorted out)
At a technical level there is no reason not to use IPv6; it really comes down to ensuring the devices you use are configured to work with IPv6. Your device simply needs to be accessible from both ends to route the traffic.
@aktuMedia thanks for the quick reply! I tested it out and everything worked out. For the record I completely agree with using IPv4 for the demo since more people understand it. Thanks again.
Exactly, glad it worked for you. Honestly, the biggest thing you need to worry about when it comes to this design is to ensure your WireGuard server has a static IP and not a dynamic one. I've had lots of people reach out about these setups and they look to set it up with DynDNS, and that can work to a point, but if the IP changes WireGuard won't always catch that in time, causing a disconnect. I'm always happy to hear how things work out, let me know how your system works in the wild!
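The three points made in the replies above (keep the tunnel subnet away from common LAN ranges, have the side behind CGNAT dial out with a short keep-alive, prefer a static server IP over DynDNS), written as a config check. This is an added example, not from the video or the commenters; the sample config, its hostname and the 25-second keep-alive threshold are assumptions.

```python
import ipaddress

# Ranges the replies above avoid: ISPs and out-of-the-box routers commonly use them.
COMMON_LANS = [ipaddress.ip_network(n)
               for n in ("192.168.0.0/24", "192.168.2.0/24", "10.0.0.0/24")]

# Constructed sample: wg-quick config for the peer behind CGNAT (placeholder values).
SAMPLE = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24
[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.0.0.0/24
"""

def parse(text):  # wg-quick style text -> [(section, {key: value})]
    sections = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            sections.append((line.strip("[]").lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def lint_cgnat_peer(text, max_keepalive=25):  # 25 s limit is an assumed threshold
    """Return warnings for a config that runs on the side behind CGNAT."""
    warnings = []
    for name, kv in parse(text):
        if name == "interface" and kv.get("address"):
            for addr in kv["address"].split(","):
                net = ipaddress.ip_interface(addr.strip()).network
                if any(net.version == c.version and net.overlaps(c) for c in COMMON_LANS):
                    warnings.append(f"tunnel subnet {net} overlaps a common LAN range")
        elif name == "peer":
            host = kv.get("endpoint", "").rsplit(":", 1)[0].strip("[]")
            if not host:
                warnings.append("no Endpoint: this side has to dial out to the server")
            elif ":" not in host and any(c.isalpha() for c in host):
                warnings.append(f"Endpoint {host} is a hostname, resolved only at load")
            keepalive = kv.get("persistentkeepalive", "")
            if not (keepalive.isdigit() and 0 < int(keepalive) <= max_keepalive):
                warnings.append("PersistentKeepalive missing or too long to hold the NAT mapping")
    return warnings

if __name__ == "__main__":
    print("\n".join(lint_cgnat_peer(SAMPLE)))
```

The sample trips all three checks; moving the tunnel to an uncommon subnet, pointing `Endpoint` at a fixed IP and adding `PersistentKeepalive = 25` clears them.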
Any chance of this working on windows?
Hey there, yeah, I don't see any reason why this wouldn't work on Windows. Sorry, it's on my list of videos to put out. I've been slammed lately and I'm trying to put up one that has WireGuard on a WireGuard server, but I will add this to my list of videos. It isn't in line with my open source guides, but it would be a matter of setting up WireGuard as a service after you set up the config and then setting it up to start at boot.