* [Starlink] VPN woes, recommendations?
@ 2023-02-17 16:30 Adam Thompson
2023-02-17 16:34 ` Dave Taht
` (3 more replies)
0 siblings, 4 replies; 11+ messages in thread
From: Adam Thompson @ 2023-02-17 16:30 UTC (permalink / raw)
To: starlink
Hi, all.
We've been trying to develop a plug-and-play L2 VPN over Starlink, using Aruba Hospitality-series Remote APs like their RAP-505H.
It's not going great, and I'm wondering about several Starlink-specific issues.
First, having multiple devices in serial is generally not a great idea for reliability. Can we realistically plug our remote AP directly into the dish, still? (This is using Starlink Business, FWIW.) I know we lose access to the Starlink app, but we also lose a NATing router and an unwanted wifi AP, so that's probably a net zero. I just don't know what other dangers/problems that topology might cause.
Secondly, we're only able to push about 30Mbps through the (magical Aruba-proprietary GRE+IPsec) tunnel. The bandwidth-delay equations suggest we should be seeing around 100Mbps, not 30. (The Aruba devices are rated for ~2Gbps encrypted at the site end, and ~7Gbps at the head end, so presumably that's not the bottleneck.)
So:
* does anyone have corroborating *or* contradicting evidence of VPN performance over Starlink's particular flavor of Long Fat Pipe, and
* does anyone have any positive (or negative, I guess!) recommendations for cloud-managed VPN devices that can do at least 100M and magically work from behind double-NAT/CGNAT like we see with Starlink? Bonus points if it does L2 tunnels or can run a dynamic routing protocol.
* Other comments or suggestions welcome, too.
Thanks,
-Adam
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Starlink] VPN woes, recommendations?
2023-02-17 16:30 [Starlink] VPN woes, recommendations? Adam Thompson
@ 2023-02-17 16:34 ` Dave Taht
2023-02-17 16:36 ` Daniel C. Eckert
` (2 subsequent siblings)
3 siblings, 0 replies; 11+ messages in thread
From: Dave Taht @ 2023-02-17 16:34 UTC (permalink / raw)
To: Adam Thompson; +Cc: starlink
The big winners over Starlink have been WireGuard and ZeroTier.
+ https://github.com/lynxthecat/cake-autorate#cake-with-adaptive-bandwidth---autorate
finally hit the big 2.0 mark a few days ago.
On Fri, Feb 17, 2023 at 8:30 AM Adam Thompson via Starlink
<starlink@lists.bufferbloat.net> wrote:
>
> Hi, all.
> We've been trying to develop a plug-and-play L2 VPN over Starlink, using Aruba Hospitality-series Remote APs like their RAP-505H.
> It's not going great, and I'm wondering about several Starlink-specific issues.
>
> First, having multiple devices in serial is generally not a great idea for reliability. Can we realistically plug our remote AP directly into the dish, still? (This is using Starlink Business, FWIW.). I know we lose access to the Starlink app, but we also lose a NATing router and an unwanted wifi AP, so that's probably a net zero. I just don't know what other dangers/problems that topology might cause.
>
> Secondly, we're only able to push about 30Mbps through the (magical Aruba-proprietary GRE+IPsec) tunnel. The bandwidth-delay equations suggest we should be seeing around 100Mbps, not 30. (The Aruba devices are rated for ~2Gbps encrypted at the site end, and ~7Gbps at the head end, so presumably that's not the bottleneck.)
>
> So:
> * does anyone have corroborating *or* contradicting evidence of VPN performance over Starlink's particular flavor of Long Fat Pipe, and
> * does anyone have any positive (or negative, I guess!) recommendations for cloud-managed VPN devices that can do at least 100M and magically work from behind double-NAT/CGNAT like we see with Starlink? Bonus points if it does L2 tunnels or can run a dynamic routing protocol.
> * Other comments or suggestions welcome, too.
>
> Thanks,
> -Adam
>
> Get Outlook for Android
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink
--
Surveillance Capitalism? Or DIY? Choose:
https://blog.cerowrt.org/post/an_upgrade_in_place/
Dave Täht CEO, TekLibre, LLC
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Starlink] VPN woes, recommendations?
2023-02-17 16:30 [Starlink] VPN woes, recommendations? Adam Thompson
2023-02-17 16:34 ` Dave Taht
@ 2023-02-17 16:36 ` Daniel C. Eckert
2023-02-17 16:38 ` Adam Thompson
2023-02-17 16:39 ` Adam Thompson
2023-02-17 18:29 ` Michael Richardson
2023-02-17 21:01 ` David Lang
3 siblings, 2 replies; 11+ messages in thread
From: Daniel C. Eckert @ 2023-02-17 16:36 UTC (permalink / raw)
To: Adam Thompson; +Cc: starlink
Interesting scenario. This reply only addresses a small part of your
message: While I see you've done the math and checked the specs for the
Aruba devices -- have you already conducted a few non-VPN tests between
direct-wire-connected laptops/devices at those two locations to know what
"baseline" bandwidth you're starting from when considering the max
potential bandwidth for the encrypted traffic? For example, since you're
on a business plan, you should have a direct public IP to target with iperf
traffic from either end, even if not encrypted.
Dan
On Fri, Feb 17, 2023 at 11:30 AM Adam Thompson via Starlink <
starlink@lists.bufferbloat.net> wrote:
> Hi, all.
> We've been trying to develop a plug-and-play L2 VPN over Starlink, using
> Aruba Hospitality-series Remote APs like their RAP-505H.
> It's not going great, and I'm wondering about several Starlink-specific
> issues.
>
> First, having multiple devices in serial is generally not a great idea for
> reliability. Can we realistically plug our remote AP directly into the
> dish, still? (This is using Starlink Business, FWIW.). I know we lose
> access to the Starlink app, but we also lose a NATing router and an
> unwanted wifi AP, so that's probably a net zero. I just don't know what
> other dangers/problems that topology might cause.
>
> Secondly, we're only able to push about 30Mbps through the (magical
> Aruba-proprietary GRE+IPsec) tunnel. The bandwidth-delay equations suggest
> we should be seeing around 100Mbps, not 30. (The Aruba devices are rated
> for ~2Gbps encrypted at the site end, and ~7Gbps at the head end, so
> presumably that's not the bottleneck.)
>
> So:
> * does anyone have corroborating *or* contradicting evidence of VPN
> performance over Starlink's particular flavor of Long Fat Pipe, and
> * does anyone have any positive (or negative, I guess!) recommendations
> for cloud-managed VPN devices that can do at least 100M and magically work
> from behind double-NAT/CGNAT like we see with Starlink? Bonus points if it
> does L2 tunnels or can run a dynamic routing protocol.
> * Other comments or suggestions welcome, too.
>
> Thanks,
> -Adam
>
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Starlink] VPN woes, recommendations?
2023-02-17 16:36 ` Daniel C. Eckert
@ 2023-02-17 16:38 ` Adam Thompson
2023-02-17 16:39 ` Adam Thompson
1 sibling, 0 replies; 11+ messages in thread
From: Adam Thompson @ 2023-02-17 16:38 UTC (permalink / raw)
To: Daniel C. Eckert; +Cc: starlink
Business plans include static IPs?!?!?!?
Ok, yeah, that radically changes the situation. Also, we're not getting static or predictable IPs. I can follow that up, anyway, thanks!
-Adam
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Starlink] VPN woes, recommendations?
2023-02-17 16:36 ` Daniel C. Eckert
2023-02-17 16:38 ` Adam Thompson
@ 2023-02-17 16:39 ` Adam Thompson
2023-02-17 16:45 ` Dave Taht
2023-02-17 16:47 ` Nathan Owens
1 sibling, 2 replies; 11+ messages in thread
From: Adam Thompson @ 2023-02-17 16:39 UTC (permalink / raw)
To: Daniel C. Eckert; +Cc: starlink
Sorry, forgot to answer the first part: yes, absent the tunnel, we get ~200/8 consistently, occasionally bursting higher.
-Adam
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Starlink] VPN woes, recommendations?
2023-02-17 16:39 ` Adam Thompson
@ 2023-02-17 16:45 ` Dave Taht
2023-02-17 17:38 ` Adam Thompson
2023-02-17 16:47 ` Nathan Owens
1 sibling, 1 reply; 11+ messages in thread
From: Dave Taht @ 2023-02-17 16:45 UTC (permalink / raw)
To: Adam Thompson; +Cc: Daniel C. Eckert, starlink
On Fri, Feb 17, 2023 at 8:39 AM Adam Thompson via Starlink <
starlink@lists.bufferbloat.net> wrote:
> Sorry, forgot to answer the first part: yes, absent the tunnel, we get
> ~200/8 consistently, occasionally bursting higher.
>
You really should test more deeply, and for longer periods than 15 seconds.
I keep hoping someone with business class service will repeat these 2-year-old
benchmarks.
https://docs.google.com/document/d/1puRjUVxJ6cCv-rgQ_zn-jWZU9ae0jZbFATLf4PQKblM/edit#heading=h.fwv7fw3aeaz
> -Adam
>
>
> Get Outlook for Android <https://aka.ms/AAb9ysg>
> ------------------------------
> *From:* Daniel C. Eckert <eckertd@gmail.com>
> *Sent:* Friday, February 17, 2023 10:36:24 AM
> *To:* Adam Thompson <athompson@merlin.mb.ca>
> *Cc:* starlink@lists.bufferbloat.net <starlink@lists.bufferbloat.net>
> *Subject:* Re: [Starlink] VPN woes, recommendations?
>
> Interesting scenario. This reply only addresses a small part of your
> message: While I see you've done the math and checked the specs for the
> Aruba devices -- have you already conducted a few non-VPN tests between
> direct-wire-connected laptops/devices at those two locations to know what
> "baseline" bandwidth you're starting from when considering the max
> potential bandwidth for the encrypted traffic? For example, since you're
> on a business plan, you should have a direct public IP to target with iperf
> traffic from either end, even if not encrypted.
>
> Dan
>
> On Fri, Feb 17, 2023 at 11:30 AM Adam Thompson via Starlink <
> starlink@lists.bufferbloat.net> wrote:
>
> Hi, all.
> We've been trying to develop a plug-and-play L2 VPN over Starlink, using
> Aruba Hospitality-series Remote APs like their RAP-505H.
> It's not going great, and I'm wondering about several Starlink-specific
> issues.
>
> First, having multiple devices in serial is generally not a great idea for
> reliability. Can we realistically plug our remote AP directly into the
> dish, still? (This is using Starlink Business, FWIW.). I know we lose
> access to the Starlink app, but we also lose a NATing router and an
> unwanted wifi AP, so that's probably a net zero. I just don't know what
> other dangers/problems that topology might cause.
>
> Secondly, we're only able to push about 30Mbps through the (magical
> Aruba-proprietary GRE+IPsec) tunnel. The bandwidth-delay equations suggest
> we should be seeing around 100Mbps, not 30. (The Aruba devices are rated
> for ~2Gbps encrypted at the site end, and ~7Gbps at the head end, so
> presumably that's not the bottleneck.)
>
> So:
> * does anyone have corroborating *or* contradicting evidence of VPN
> performance over Starlink's particular flavor of Long Fat Pipe, and
> * does anyone have any positive (or negative, I guess!) recommendations
> for cloud-managed VPN devices that can do at least 100M and magically work
> from behind double-NAT/CGNAT like we see with Starlink? Bonus points if it
> does L2 tunnels or can run a dynamic routing protocol.
> * Other comments or suggestions welcome, too.
>
> Thanks,
> -Adam
>
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink
>
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink
>
--
Surveillance Capitalism? Or DIY? Choose:
https://blog.cerowrt.org/post/an_upgrade_in_place/
Dave Täht CEO, TekLibre, LLC
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Starlink] VPN woes, recommendations?
2023-02-17 16:39 ` Adam Thompson
2023-02-17 16:45 ` Dave Taht
@ 2023-02-17 16:47 ` Nathan Owens
1 sibling, 0 replies; 11+ messages in thread
From: Nathan Owens @ 2023-02-17 16:47 UTC (permalink / raw)
To: Adam Thompson; +Cc: Daniel C. Eckert, starlink
Yes, you can run a business (HP) dish without the router, it comes with an
Ethernet cable. You can put a static route to 192.168.100.1 and still get
the stats/app.
You can also request a static IP.
On Fri, Feb 17, 2023 at 8:39 AM Adam Thompson via Starlink <
starlink@lists.bufferbloat.net> wrote:
> Sorry, forgot to answer the first part: yes, absent the tunnel, we get
> ~200/8 consistently, occasionally bursting higher.
> -Adam
>
>
> Get Outlook for Android <https://aka.ms/AAb9ysg>
> ------------------------------
> *From:* Daniel C. Eckert <eckertd@gmail.com>
> *Sent:* Friday, February 17, 2023 10:36:24 AM
> *To:* Adam Thompson <athompson@merlin.mb.ca>
> *Cc:* starlink@lists.bufferbloat.net <starlink@lists.bufferbloat.net>
> *Subject:* Re: [Starlink] VPN woes, recommendations?
>
> Interesting scenario. This reply only addresses a small part of your
> message: While I see you've done the math and checked the specs for the
> Aruba devices -- have you already conducted a few non-VPN tests between
> direct-wire-connected laptops/devices at those two locations to know what
> "baseline" bandwidth you're starting from when considering the max
> potential bandwidth for the encrypted traffic? For example, since you're
> on a business plan, you should have a direct public IP to target with iperf
> traffic from either end, even if not encrypted.
>
> Dan
>
> On Fri, Feb 17, 2023 at 11:30 AM Adam Thompson via Starlink <
> starlink@lists.bufferbloat.net> wrote:
>
> Hi, all.
> We've been trying to develop a plug-and-play L2 VPN over Starlink, using
> Aruba Hospitality-series Remote APs like their RAP-505H.
> It's not going great, and I'm wondering about several Starlink-specific
> issues.
>
> First, having multiple devices in serial is generally not a great idea for
> reliability. Can we realistically plug our remote AP directly into the
> dish, still? (This is using Starlink Business, FWIW.). I know we lose
> access to the Starlink app, but we also lose a NATing router and an
> unwanted wifi AP, so that's probably a net zero. I just don't know what
> other dangers/problems that topology might cause.
>
> Secondly, we're only able to push about 30Mbps through the (magical
> Aruba-proprietary GRE+IPsec) tunnel. The bandwidth-delay equations suggest
> we should be seeing around 100Mbps, not 30. (The Aruba devices are rated
> for ~2Gbps encrypted at the site end, and ~7Gbps at the head end, so
> presumably that's not the bottleneck.)
>
> So:
> * does anyone have corroborating *or* contradicting evidence of VPN
> performance over Starlink's particular flavor of Long Fat Pipe, and
> * does anyone have any positive (or negative, I guess!) recommendations
> for cloud-managed VPN devices that can do at least 100M and magically work
> from behind double-NAT/CGNAT like we see with Starlink? Bonus points if it
> does L2 tunnels or can run a dynamic routing protocol.
> * Other comments or suggestions welcome, too.
>
> Thanks,
> -Adam
>
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink
>
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Starlink] VPN woes, recommendations?
2023-02-17 16:45 ` Dave Taht
@ 2023-02-17 17:38 ` Adam Thompson
2023-02-17 17:40 ` Dave Taht
0 siblings, 1 reply; 11+ messages in thread
From: Adam Thompson @ 2023-02-17 17:38 UTC (permalink / raw)
To: Dave Taht; +Cc: Daniel C. Eckert, starlink
I may be able to repeat your benchmarks, if you have something that shows the methodology, tools, parameters, etc. that were used. (The linked document does not have that level of detail.)
-Adam
Adam Thompson
Consultant, Infrastructure Services
[MERLIN]
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
https://www.merlin.mb.ca<https://www.merlin.mb.ca/>
Chat with me on Teams <https://teams.microsoft.com/l/chat/0/0?users=athompson@merlin.mb.ca>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Starlink] VPN woes, recommendations?
2023-02-17 17:38 ` Adam Thompson
@ 2023-02-17 17:40 ` Dave Taht
0 siblings, 0 replies; 11+ messages in thread
From: Dave Taht @ 2023-02-17 17:40 UTC (permalink / raw)
To: Adam Thompson; +Cc: Daniel C. Eckert, starlink
A simple script is in this blog entry here:
https://blog.cerowrt.org/post/flaws_in_flent/
In your case you would want to vary it between tunnel and non-tunnel.
On Fri, Feb 17, 2023 at 9:38 AM Adam Thompson <athompson@merlin.mb.ca>
wrote:
> I *may* be able to repeat your benchmarks, if you have something that
> shows the methodology, tools, parameters, etc. that were used. (The linked
> document does not have that level of detail.)
>
> -Adam
>
>
>
> *Adam Thompson*
>
> Consultant, Infrastructure Services
>
> [image: MERLIN]
>
> 100 - 135 Innovation Drive
>
> Winnipeg, MB R3T 6A8
>
> (204) 977-6824 or 1-800-430-6404 (MB only)
>
> https://www.merlin.mb.ca
>
> Chat with me on Teams
> <https://teams.microsoft.com/l/chat/0/0?users=athompson@merlin.mb.ca>
>
>
>
> *From:* Dave Taht <dave.taht@gmail.com>
> *Sent:* February 17, 2023 10:45 AM
> *To:* Adam Thompson <athompson@merlin.mb.ca>
> *Cc:* Daniel C. Eckert <eckertd@gmail.com>; starlink@lists.bufferbloat.net
> *Subject:* Re: [Starlink] VPN woes, recommendations?
>
>
>
>
>
>
>
> On Fri, Feb 17, 2023 at 8:39 AM Adam Thompson via Starlink <
> starlink@lists.bufferbloat.net> wrote:
>
> Sorry, forgot to answer the first part: yes, absent the tunnel, we get
> ~200/8 consistently, occasionally bursting higher.
>
>
>
> you really should test more deeply, and for longer periods than 15 seconds.
>
>
>
> I keep hoping someone with business class service will repeat these 2 year
> old benchmarks.
>
>
>
>
> https://docs.google.com/document/d/1puRjUVxJ6cCv-rgQ_zn-jWZU9ae0jZbFATLf4PQKblM/edit#heading=h.fwv7fw3aeaz
>
>
>
> -Adam
>
>
>
>
>
> Get Outlook for Android <https://aka.ms/AAb9ysg>
> ------------------------------
>
> *From:* Daniel C. Eckert <eckertd@gmail.com>
> *Sent:* Friday, February 17, 2023 10:36:24 AM
> *To:* Adam Thompson <athompson@merlin.mb.ca>
> *Cc:* starlink@lists.bufferbloat.net <starlink@lists.bufferbloat.net>
> *Subject:* Re: [Starlink] VPN woes, recommendations?
>
>
>
> Interesting scenario. This reply only addresses a small part of your
> message: While I see you've done the math and checked the specs for the
> Aruba devices -- have you already conducted a few non-VPN tests between
> direct-wire-connected laptops/devices at those two locations to know what
> "baseline" bandwidth you're starting from when considering the max
> potential bandwidth for the encrypted traffic? For example, since you're
> on a business plan, you should have a direct public IP to target with iperf
> traffic from either end, even if not encrypted.
>
>
>
> Dan
>
>
>
> On Fri, Feb 17, 2023 at 11:30 AM Adam Thompson via Starlink <
> starlink@lists.bufferbloat.net> wrote:
>
> Hi, all.
>
> We've been trying to develop a plug-and-play L2 VPN over Starlink, using
> Aruba Hospitality-series Remote APs like their RAP-505H.
>
> It's not going great, and I'm wondering about several Starlink-specific
> issues.
>
>
>
> First, having multiple devices in serial is generally not a great idea for
> reliability. Can we realistically plug our remote AP directly into the
> dish, still? (This is using Starlink Business, FWIW.). I know we lose
> access to the Starlink app, but we also lose a NATing router and an
> unwanted wifi AP, so that's probably a net zero. I just don't know what
> other dangers/problems that topology might cause.
>
>
>
> Secondly, we're only able to push about 30Mbps through the (magical
> Aruba-proprietary GRE+IPsec) tunnel. The bandwidth-delay equations suggest
> we should be seeing around 100Mbps, not 30. (The Aruba devices are rated
> for ~2Gbps encrypted at the site end, and ~7Gbps at the head end, so
> presumably that's not the bottleneck.)
>
>
>
> So:
>
> * does anyone have corroborating *or* contradicting evidence of VPN
> performance over Starlink's particular flavor of Long Fat Pipe, and
>
> * does anyone have any positive (or negative, I guess!) recommendations
> for cloud-managed VPN devices that can do at least 100M and magically work
> from behind double-NAT/CGNAT like we see with Starlink? Bonus points if it
> does L2 tunnels or can run a dynamic routing protocol.
>
> * Other comments or suggestions welcome, too.
>
>
>
> Thanks,
>
> -Adam
>
>
>
>
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink
>
>
>
>
>
> --
>
> Surveillance Capitalism? Or DIY? Choose:
> https://blog.cerowrt.org/post/an_upgrade_in_place/
>
> Dave Täht CEO, TekLibre, LLC
>
--
Surveillance Capitalism? Or DIY? Choose:
https://blog.cerowrt.org/post/an_upgrade_in_place/
Dave Täht CEO, TekLibre, LLC
[-- Attachment #1.2: Type: text/html, Size: 13689 bytes --]
[-- Attachment #2: image001.png --]
[-- Type: image/png, Size: 13827 bytes --]
[-- Attachment #3: image002.png --]
[-- Type: image/png, Size: 359 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Starlink] VPN woes, recommendations?
2023-02-17 16:30 [Starlink] VPN woes, recommendations? Adam Thompson
2023-02-17 16:34 ` Dave Taht
2023-02-17 16:36 ` Daniel C. Eckert
@ 2023-02-17 18:29 ` Michael Richardson
2023-02-17 21:01 ` David Lang
3 siblings, 0 replies; 11+ messages in thread
From: Michael Richardson @ 2023-02-17 18:29 UTC (permalink / raw)
To: Adam Thompson, starlink
[-- Attachment #1: Type: text/plain, Size: 209 bytes --]
Do we know for sure that the Starlink terminals don't do any kind of TCP
performance enhancing proxy? (TCP ACK spoofing)
VPNs hide that info.
I believe that the Flent tests would also ignore such things.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 511 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Starlink] VPN woes, recommendations?
2023-02-17 16:30 [Starlink] VPN woes, recommendations? Adam Thompson
` (2 preceding siblings ...)
2023-02-17 18:29 ` Michael Richardson
@ 2023-02-17 21:01 ` David Lang
3 siblings, 0 replies; 11+ messages in thread
From: David Lang @ 2023-02-17 21:01 UTC (permalink / raw)
To: Adam Thompson; +Cc: starlink
[-- Attachment #1: Type: text/plain, Size: 929 bytes --]
On Fri, 17 Feb 2023, Adam Thompson via Starlink wrote:
> First, having multiple devices in serial is generally not a great idea for reliability. Can we realistically plug our remote AP directly into the dish, still? (This is using Starlink Business, FWIW.). I know we lose access to the Starlink app, but we also lose a NATing router and an unwanted wifi AP, so that's probably a net zero. I just don't know what other dangers/problems that topology might cause.
Look at YouTube for people running their Starlink on 12V; it requires cutting
the cable and putting normal ends on it, but once you do that (and have a PoE
power injector) you can connect a normal router to a Starlink dish.
I haven't heard of anyone doing this for the larger dish, but for the standard
one it's quite common.
The dish then gives you a 192.168.1 IP address (and only one, so you still have
your router NAT and dish NAT involved).
David Lang
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2023-02-17 21:01 UTC | newest]
Thread overview: 11+ messages
2023-02-17 16:30 [Starlink] VPN woes, recommendations? Adam Thompson
2023-02-17 16:34 ` Dave Taht
2023-02-17 16:36 ` Daniel C. Eckert
2023-02-17 16:38 ` Adam Thompson
2023-02-17 16:39 ` Adam Thompson
2023-02-17 16:45 ` Dave Taht
2023-02-17 17:38 ` Adam Thompson
2023-02-17 17:40 ` Dave Taht
2023-02-17 16:47 ` Nathan Owens
2023-02-17 18:29 ` Michael Richardson
2023-02-17 21:01 ` David Lang