[Starlink] starlink and VPN

[Starlink] starlink and VPN

[David Lang]

has anyone done any work with openvpn over starlink (especially if they got the 
connectors to completely bypass the router)?

I've got the basic connectivity working, but am having problems trying to get 
openvpn to work (especially for traffic back through the cgnat to the router on 
the starlink side)

the logs on the client are reporting link local: (not bound) when trying UDP, 
when I try TCP (and clamp the mtu low) I can connect from the starlink side (st 
least sometimes) but cannot get the routing the other way to work

David Lang

Re: [Starlink] starlink and VPN

[David Collier-Brown]

[-- Attachment #1: Type: text/plain, Size: 1319 bytes --]

Not with openvpn, but there are discussions of using tailscale instead.  
A reddit thread is at

www.reddit.com

Reddit - Dive into anything <#>

🔗 
https://www.reddit.com/r/Tailscale/comments/1ekymc1/use_tailscale_with_starlink_internet/ 
<https://www.reddit.com/r/Tailscale/comments/1ekymc1/use_tailscale_with_starlink_internet/> 


  --dave

On 1/21/25 02:25, David Lang via Starlink wrote:
> has anyone done any work with openvpn over starlink (especially if 
> they got the connectors to completely bypass the router)?
>
> I've got the basic connectivity working, but am having problems trying 
> to get openvpn to work (especially for traffic back through the cgnat 
> to the router on the starlink side)
>
> the logs on the client are reporting link local: (not bound) when 
> trying UDP, when I try TCP (and clamp the mtu low) I can connect from 
> the starlink side (st least sometimes) but cannot get the routing the 
> other way to work
>
> David Lang
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink

-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb@spamcop.net           |              -- Mark Twain

[-- Attachment #2: Type: text/html, Size: 3064 bytes --]

Re: [Starlink] starlink and VPN

[b. angel]

[-- Attachment #1: Type: text/plain, Size: 953 bytes --]

David,

I gave up on open VPN and starlink a while ago. I've implemented wireguard
tunnels with success and reliability.

Keith

On Mon, Jan 20, 2025, 23:25 David Lang via Starlink <
starlink@lists.bufferbloat.net> wrote:

> has anyone done any work with openvpn over starlink (especially if they
> got the
> connectors to completely bypass the router)?
>
> I've got the basic connectivity working, but am having problems trying to
> get
> openvpn to work (especially for traffic back through the cgnat to the
> router on
> the starlink side)
>
> the logs on the client are reporting link local: (not bound) when trying
> UDP,
> when I try TCP (and clamp the mtu low) I can connect from the starlink
> side (st
> least sometimes) but cannot get the routing the other way to work
>
> David Lang
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink
>

[-- Attachment #2: Type: text/html, Size: 1583 bytes --]

Re: [Starlink] starlink and VPN

[David Lang]

b. angel wrote:

> David,
>
> I gave up on open VPN and starlink a while ago. I've implemented wireguard
> tunnels with success and reliability.

did you end up having to do anything with MTU? Did you use TCP or UDP for your 
transport?

David Lang

> Keith
>
> On Mon, Jan 20, 2025, 23:25 David Lang via Starlink <
> starlink@lists.bufferbloat.net> wrote:
>
>> has anyone done any work with openvpn over starlink (especially if they
>> got the
>> connectors to completely bypass the router)?
>>
>> I've got the basic connectivity working, but am having problems trying to
>> get
>> openvpn to work (especially for traffic back through the cgnat to the
>> router on
>> the starlink side)
>>
>> the logs on the client are reporting link local: (not bound) when trying
>> UDP,
>> when I try TCP (and clamp the mtu low) I can connect from the starlink
>> side (st
>> least sometimes) but cannot get the routing the other way to work
>>
>> David Lang
>> _______________________________________________
>> Starlink mailing list
>> Starlink@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/starlink
>>
>

Re: [Starlink] starlink and VPN

[Sebastian Moeller]

Hi David,

> On 21. Jan 2025, at 16:22, David Lang via Starlink <starlink@lists.bufferbloat.net> wrote:
> 
> b. angel wrote:
> 
>> David,
>> 
>> I gave up on open VPN and starlink a while ago. I've implemented wireguard
>> tunnels with success and reliability.
> 
> did you end up having to do anything with MTU? Did you use TCP or UDP for your transport?

Wireguard itself only allows UDP IIRC, you would need an additional outer TCP tunnel if you want/need TCP on the outside...

> 
> David Lang
> 
>> Keith
>> 
>> On Mon, Jan 20, 2025, 23:25 David Lang via Starlink <
>> starlink@lists.bufferbloat.net> wrote:
>> 
>>> has anyone done any work with openvpn over starlink (especially if they
>>> got the
>>> connectors to completely bypass the router)?
>>> 
>>> I've got the basic connectivity working, but am having problems trying to
>>> get
>>> openvpn to work (especially for traffic back through the cgnat to the
>>> router on
>>> the starlink side)
>>> 
>>> the logs on the client are reporting link local: (not bound) when trying
>>> UDP,
>>> when I try TCP (and clamp the mtu low) I can connect from the starlink
>>> side (st
>>> least sometimes) but cannot get the routing the other way to work
>>> 
>>> David Lang
>>> _______________________________________________
>>> Starlink mailing list
>>> Starlink@lists.bufferbloat.net
>>> https://lists.bufferbloat.net/listinfo/starlink
>>> 
>> 
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink

Re: [Starlink] starlink and VPN

[Nils Andreas Svee]

Correct, and by design I believe, as TCP-in-TCP isn't really ideal.
The documentation points to tools such as [1] or [2] if TCP transport is absolutely necessary.

[1]: https://github.com/wangyu-/udp2raw
[2]: https://github.com/rfc1036/udptunnel

Best Regards
Nils

On Tue, Jan 21, 2025, at 22:27, Sebastian Moeller via Starlink wrote:
> Hi David,
>
>> On 21. Jan 2025, at 16:22, David Lang via Starlink <starlink@lists.bufferbloat.net> wrote:
>> 
>> b. angel wrote:
>> 
>>> David,
>>> 
>>> I gave up on open VPN and starlink a while ago. I've implemented wireguard
>>> tunnels with success and reliability.
>> 
>> did you end up having to do anything with MTU? Did you use TCP or UDP for your transport?
>
> Wireguard itself only allows UDP IIRC, you would need an additional 
> outer TCP tunnel if you want/need TCP on the outside...
>
>> 
>> David Lang
>> 
>>> Keith
>>> 
>>> On Mon, Jan 20, 2025, 23:25 David Lang via Starlink <
>>> starlink@lists.bufferbloat.net> wrote:
>>> 
>>>> has anyone done any work with openvpn over starlink (especially if they
>>>> got the
>>>> connectors to completely bypass the router)?
>>>> 
>>>> I've got the basic connectivity working, but am having problems trying to
>>>> get
>>>> openvpn to work (especially for traffic back through the cgnat to the
>>>> router on
>>>> the starlink side)
>>>> 
>>>> the logs on the client are reporting link local: (not bound) when trying
>>>> UDP,
>>>> when I try TCP (and clamp the mtu low) I can connect from the starlink
>>>> side (st
>>>> least sometimes) but cannot get the routing the other way to work
>>>> 
>>>> David Lang
>>>> _______________________________________________
>>>> Starlink mailing list
>>>> Starlink@lists.bufferbloat.net
>>>> https://lists.bufferbloat.net/listinfo/starlink
>>>> 
>>> 
>> _______________________________________________
>> Starlink mailing list
>> Starlink@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/starlink
>
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink

Re: [Starlink] starlink and VPN

[David Lang]

Sebastian Moeller wrote:

> Hi David,
>
>> On 21. Jan 2025, at 16:22, David Lang via Starlink <starlink@lists.bufferbloat.net> wrote:
>>
>> b. angel wrote:
>>
>>> David,
>>>
>>> I gave up on open VPN and starlink a while ago. I've implemented wireguard
>>> tunnels with success and reliability.
>>
>> did you end up having to do anything with MTU? Did you use TCP or UDP for your transport?
>
> Wireguard itself only allows UDP IIRC, you would need an additional outer TCP tunnel if you want/need TCP on the outside...

I agree UDP is preferred, I'm just trying to figure out what has successfully 
worked. In my google searches yesterday I saw posts from Starlink saying that 
they don't block VPNs (but won't help troubleshoot) and a lot of people saying 
that they didn't work

David Lang


>>
>> David Lang
>>
>>> Keith
>>>
>>> On Mon, Jan 20, 2025, 23:25 David Lang via Starlink <
>>> starlink@lists.bufferbloat.net> wrote:
>>>
>>>> has anyone done any work with openvpn over starlink (especially if they
>>>> got the
>>>> connectors to completely bypass the router)?
>>>>
>>>> I've got the basic connectivity working, but am having problems trying to
>>>> get
>>>> openvpn to work (especially for traffic back through the cgnat to the
>>>> router on
>>>> the starlink side)
>>>>
>>>> the logs on the client are reporting link local: (not bound) when trying
>>>> UDP,
>>>> when I try TCP (and clamp the mtu low) I can connect from the starlink
>>>> side (st
>>>> least sometimes) but cannot get the routing the other way to work
>>>>
>>>> David Lang
>>>> _______________________________________________
>>>> Starlink mailing list
>>>> Starlink@lists.bufferbloat.net
>>>> https://lists.bufferbloat.net/listinfo/starlink
>>>>
>>>
>> _______________________________________________
>> Starlink mailing list
>> Starlink@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/starlink
>
>

Re: [Starlink] starlink and VPN

[Keith Simonsen]

On 1/21/2025 7:22 AM, David Lang wrote:
> b. angel wrote:
>
>> David,
>>
>> I gave up on open VPN and starlink a while ago. I've implemented 
>> wireguard
>> tunnels with success and reliability.
>
> did you end up having to do anything with MTU? Did you use TCP or UDP 
> for your transport?
It's UDP only. Standard wireguard config. I have links using PFSense to 
PFSense, Mikrotik to PFSense and Mikrotik Mikrotik all with good 
performance and months long reliability. Both permanent site-site 
circuits and "road warrior" style.

In PFSense when you set up a wireguard interface it sets the MTU to 1420 
and MSS to 1380. This depends on your WAN link of course.

If your clients are needing OpenVPN you can make a "jumpbox" to 
terminate the Starlink wireguard circuits and set up an OpenVPN server 
routing to them. I've implemented this setup for one location.

>
> David Lang
Keith
>
>> Keith
>>
>> On Mon, Jan 20, 2025, 23:25 David Lang via Starlink <
>> starlink@lists.bufferbloat.net> wrote:
>>
>>> has anyone done any work with openvpn over starlink (especially if they
>>> got the
>>> connectors to completely bypass the router)?
>>>
>>> I've got the basic connectivity working, but am having problems 
>>> trying to
>>> get
>>> openvpn to work (especially for traffic back through the cgnat to the
>>> router on
>>> the starlink side)
>>>
>>> the logs on the client are reporting link local: (not bound) when 
>>> trying
>>> UDP,
>>> when I try TCP (and clamp the mtu low) I can connect from the starlink
>>> side (st
>>> least sometimes) but cannot get the routing the other way to work
>>>
>>> David Lang
>>> _______________________________________________
>>> Starlink mailing list
>>> Starlink@lists.bufferbloat.net
>>> https://lists.bufferbloat.net/listinfo/starlink
>>>
>>

Re: [Starlink] starlink and VPN

[David Lang]

Keith Simonsen wrote:

> On 1/21/2025 7:22 AM, David Lang wrote:
>> b. angel wrote:
>> 
>>> David,
>>> 
>>> I gave up on open VPN and starlink a while ago. I've implemented wireguard
>>> tunnels with success and reliability.
>> 
>> did you end up having to do anything with MTU? Did you use TCP or UDP for 
>> your transport?
> It's UDP only. Standard wireguard config. I have links using PFSense to 
> PFSense, Mikrotik to PFSense and Mikrotik Mikrotik all with good performance 
> and months long reliability. Both permanent site-site circuits and "road 
> warrior" style.
>
> In PFSense when you set up a wireguard interface it sets the MTU to 1420 and 
> MSS to 1380. This depends on your WAN link of course.
>
> If your clients are needing OpenVPN you can make a "jumpbox" to terminate the 
> Starlink wireguard circuits and set up an OpenVPN server routing to them. 
> I've implemented this setup for one location.

my immediate use case is that I've got a friend who is retiring who will be 
traveling in his RV and as I'm his 'tech support' I need to set things up so 
that I can 'reach in' to maintain and fix things. I talked him through getting 
starlink up and running, his new laptop arrives today and I've setup various IoT 
devices that connect to wifi. He had a wndr3800 and Pi setup so that he could 
connect the Pi to campground wifi and have everything run through that (the 
starlink will greatly simplify that) and I'm giving him a newer router and 
updated pi.

David Lang

>> 
>> David Lang
> Keith
>> 
>>> Keith
>>> 
>>> On Mon, Jan 20, 2025, 23:25 David Lang via Starlink <
>>> starlink@lists.bufferbloat.net> wrote:
>>> 
>>>> has anyone done any work with openvpn over starlink (especially if they
>>>> got the
>>>> connectors to completely bypass the router)?
>>>> 
>>>> I've got the basic connectivity working, but am having problems trying to
>>>> get
>>>> openvpn to work (especially for traffic back through the cgnat to the
>>>> router on
>>>> the starlink side)
>>>> 
>>>> the logs on the client are reporting link local: (not bound) when trying
>>>> UDP,
>>>> when I try TCP (and clamp the mtu low) I can connect from the starlink
>>>> side (st
>>>> least sometimes) but cannot get the routing the other way to work
>>>> 
>>>> David Lang
>>>> _______________________________________________
>>>> Starlink mailing list
>>>> Starlink@lists.bufferbloat.net
>>>> https://lists.bufferbloat.net/listinfo/starlink
>>>> 
>>> 
>
>

Re: [Starlink] starlink and VPN

[Gert Doering]

Hi,

On Mon, Jan 20, 2025 at 11:25:04PM -0800, David Lang via Starlink wrote:
> the logs on the client are reporting link local: (not bound) when trying
> UDP, when I try TCP (and clamp the mtu low) I can connect from the starlink
> side (st least sometimes) but cannot get the routing the other way to work

If the VPN comes up (both sides declare TLS handshake success, you see
the PUSH_REPLY messages on both sides), with TCP, it "should just work"
- if not, it's not a starlink issue but something in the OpenVPN setup,
or just a plain "ipv4_forward=1" missing on the server side...

Feel free to unicast me your OpenVPN logs (verb 3) if needed.

With UDP, "it should also work just fine", but MTU might interfere - and
of course UDP rate limiting.  Try "openvpn --max-packet-size 1000" or 
even lower, if it's really MTU related (tcpdump on both ends on the outside
interface should show if packets are getting lost).

Gert Doering
        -- openvpn upstream
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Ingo Lalla,
                                           Karin Schuler, Sebastian Cler
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279

Re: [Starlink] starlink and VPN

[David Lang]

Gert Doering wrote:

> Hi,
>
> On Mon, Jan 20, 2025 at 11:25:04PM -0800, David Lang via Starlink wrote:
>> the logs on the client are reporting link local: (not bound) when trying
>> UDP, when I try TCP (and clamp the mtu low) I can connect from the starlink
>> side (st least sometimes) but cannot get the routing the other way to work
>
> If the VPN comes up (both sides declare TLS handshake success, you see
> the PUSH_REPLY messages on both sides), with TCP, it "should just work"
> - if not, it's not a starlink issue but something in the OpenVPN setup,
> or just a plain "ipv4_forward=1" missing on the server side...

I am expecting that it is something in my configs, but I think there is some 
interaction with Starlink as it did connect when I used my phone hotspot for my 
WAN (I didn't try connecting back)

> Feel free to unicast me your OpenVPN logs (verb 3) if needed.

I will probably take you up on that. I'm going to do a little more testing 
first.

> With UDP, "it should also work just fine", but MTU might interfere - and
> of course UDP rate limiting.  Try "openvpn --max-packet-size 1000" or
> even lower, if it's really MTU related (tcpdump on both ends on the outside
> interface should show if packets are getting lost).

that's more or less where I ended up that finally got it working in one 
direction. I was hoping that someone could say what MTU I needed to set it to 
rather than having to manually test. :-)

It may be that I missed a step in the client router and the tun interface is not 
in the correct firewalling to allow connections back

David Lang

> Gert Doering
>        -- openvpn upstream
>

Re: [Starlink] starlink and VPN

[Dino Farinacci]

I haven't tried openvpn but I have done a bunch of testing of LISP over Starlink. If anyone wants details I can point you to an Internet Draft and slides that have been presented a couple of times at IETF.

Dino

> On Jan 20, 2025, at 11:25 PM, David Lang via Starlink <starlink@lists.bufferbloat.net> wrote:
> 
> has anyone done any work with openvpn over starlink (especially if they got the connectors to completely bypass the router)?
> 
> I've got the basic connectivity working, but am having problems trying to get openvpn to work (especially for traffic back through the cgnat to the router on the starlink side)
> 
> the logs on the client are reporting link local: (not bound) when trying UDP, when I try TCP (and clamp the mtu low) I can connect from the starlink side (st least sometimes) but cannot get the routing the other way to work
> 
> David Lang
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink

Re: [Starlink] starlink and VPN

[Dave Taht]

How about openvpn over ipv6?

Or with a static ip assigned to the starlink?

Wireguard works for me....

On Tue, Jan 21, 2025 at 3:02 PM Dino Farinacci via Starlink
<starlink@lists.bufferbloat.net> wrote:
>
> I haven't tried openvpn but I have done a bunch of testing of LISP over Starlink. If anyone wants details I can point you to an Internet Draft and slides that have been presented a couple of times at IETF.
>
> Dino
>
> > On Jan 20, 2025, at 11:25 PM, David Lang via Starlink <starlink@lists.bufferbloat.net> wrote:
> >
> > has anyone done any work with openvpn over starlink (especially if they got the connectors to completely bypass the router)?
> >
> > I've got the basic connectivity working, but am having problems trying to get openvpn to work (especially for traffic back through the cgnat to the router on the starlink side)
> >
> > the logs on the client are reporting link local: (not bound) when trying UDP, when I try TCP (and clamp the mtu low) I can connect from the starlink side (st least sometimes) but cannot get the routing the other way to work
> >
> > David Lang
> > _______________________________________________
> > Starlink mailing list
> > Starlink@lists.bufferbloat.net
> > https://lists.bufferbloat.net/listinfo/starlink
>
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink



-- 
Dave Täht CSO, LibreQos

Re: [Starlink] starlink and VPN

[Dino Farinacci]

We did test this. IPv6 over LISP. Which means IPv6 EIDs used at transport layer over IPv4 encapsulation. But we did not run  over IPv6 locators.

So what I mean is we tested:

(1) IPv4 overlay on an IPv4 satellite underlay 
(2) IPv6 overlay on an IPv4 satellite underlay 

Dino

> On Jan 22, 2025, at 2:53 PM, Dave Taht <dave.taht@gmail.com> wrote:
> 
> How about openvpn over ipv6?
> 
> Or with a static ip assigned to the starlink?
> 
> Wireguard works for me....
> 
> On Tue, Jan 21, 2025 at 3:02 PM Dino Farinacci via Starlink
> <starlink@lists.bufferbloat.net> wrote:
>> 
>> I haven't tried openvpn but I have done a bunch of testing of LISP over Starlink. If anyone wants details I can point you to an Internet Draft and slides that have been presented a couple of times at IETF.
>> 
>> Dino
>> 
>>> On Jan 20, 2025, at 11:25 PM, David Lang via Starlink <starlink@lists.bufferbloat.net> wrote:
>>> 
>>> has anyone done any work with openvpn over starlink (especially if they got the connectors to completely bypass the router)?
>>> 
>>> I've got the basic connectivity working, but am having problems trying to get openvpn to work (especially for traffic back through the cgnat to the router on the starlink side)
>>> 
>>> the logs on the client are reporting link local: (not bound) when trying UDP, when I try TCP (and clamp the mtu low) I can connect from the starlink side (st least sometimes) but cannot get the routing the other way to work
>>> 
>>> David Lang
>>> _______________________________________________
>>> Starlink mailing list
>>> Starlink@lists.bufferbloat.net
>>> https://lists.bufferbloat.net/listinfo/starlink
>> 
>> _______________________________________________
>> Starlink mailing list
>> Starlink@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/starlink
> 
> 
> 
> -- 
> Dave Täht CSO, LibreQos

Re: [Starlink] starlink and VPN

[Darrell Budic]

I’ve run openvpn over starlink on v4 and v6, client on starlink, server in my DC. I have since switched to wireguard and haven’t had any troubles other than having to play some server side tricks to get wireguard to let me bring up more than one tunnel via the starlink CGN. I used some fixed ports and aliased a couple IP addresses and used some snat to force it to see things as different endpoints, otherwise wireguard can’t distinguish the end points on the server. I don’t think openvpn would have that problem.

  -Darrell

> On Jan 22, 2025, at 5:25 PM, Dino Farinacci via Starlink <starlink@lists.bufferbloat.net> wrote:
> 
> We did test this. IPv6 over LISP. Which means IPv6 EIDs used at transport layer over IPv4 encapsulation. But we did not run  over IPv6 locators.
> 
> So what I mean is we tested:
> 
> (1) IPv4 overlay on an IPv4 satellite underlay 
> (2) IPv6 overlay on an IPv4 satellite underlay 
> 
> Dino
> 
>> On Jan 22, 2025, at 2:53 PM, Dave Taht <dave.taht@gmail.com> wrote:
>> 
>> How about openvpn over ipv6?
>> 
>> Or with a static ip assigned to the starlink?
>> 
>> Wireguard works for me....
>> 
>> On Tue, Jan 21, 2025 at 3:02 PM Dino Farinacci via Starlink
>> <starlink@lists.bufferbloat.net> wrote:
>>> 
>>> I haven't tried openvpn but I have done a bunch of testing of LISP over Starlink. If anyone wants details I can point you to an Internet Draft and slides that have been presented a couple of times at IETF.
>>> 
>>> Dino
>>> 
>>>> On Jan 20, 2025, at 11:25 PM, David Lang via Starlink <starlink@lists.bufferbloat.net> wrote:
>>>> 
>>>> has anyone done any work with openvpn over starlink (especially if they got the connectors to completely bypass the router)?
>>>> 
>>>> I've got the basic connectivity working, but am having problems trying to get openvpn to work (especially for traffic back through the cgnat to the router on the starlink side)
>>>> 
>>>> the logs on the client are reporting link local: (not bound) when trying UDP, when I try TCP (and clamp the mtu low) I can connect from the starlink side (st least sometimes) but cannot get the routing the other way to work
>>>> 
>>>> David Lang
>>>> _______________________________________________
>>>> Starlink mailing list
>>>> Starlink@lists.bufferbloat.net
>>>> https://lists.bufferbloat.net/listinfo/starlink
>>> 
>>> _______________________________________________
>>> Starlink mailing list
>>> Starlink@lists.bufferbloat.net
>>> https://lists.bufferbloat.net/listinfo/starlink
>> 
>> 
>> 
>> -- 
>> Dave Täht CSO, LibreQos
> 
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink

Re: [Starlink] starlink and VPN

[Dino Farinacci]

[-- Attachment #1: Type: text/plain, Size: 736 bytes --]

What I was trying to test was the anticipation of ISLs so we could try house to house connectivity and measure latency. I had to implement a "decentralized NAT traversal" function inside the LISP module. We did ping, but at the time I think the packets went "up-down-up-down" rather than "up-over-down".

We also ran a IP multicast chat program over it so we were able to head-end-replicate from a starlink source to 2 starlink group members. See attached slide for the solution. 

Full sides at 

  https://www.dropbox.com/scl/fi/9iwsp7rlh3g9mrhbqqul2/ipv6-gaap-over-lisp-ietf-prague.pdf?rlkey=tzz1vwutq8d7vwm1tqzvnbpfv

GAAP was a dynmic decentralized group address alloation protocol that ran in the gaapchat app.

Dino


[-- Attachment #2: PastedGraphic-1.png --]
[-- Type: image/png, Size: 4247921 bytes --]

[-- Attachment #3: Type: text/plain, Size: 3108 bytes --]





> On Jan 22, 2025, at 3:29 PM, Darrell Budic via Starlink <starlink@lists.bufferbloat.net> wrote:
> 
> I’ve run openvpn over starlink on v4 and v6, client on starlink, server in my DC. I have since switched to wireguard and haven’t had any troubles other than having to play some server side tricks to get wireguard to let me bring up more than one tunnel via the starlink CGN. I used some fixed ports and aliased a couple IP addresses and used some snat to force it to see things as different endpoints, otherwise wireguard can’t distinguish the end points on the server. I don’t think openvpn would have that problem.
> 
>  -Darrell
> 
>> On Jan 22, 2025, at 5:25 PM, Dino Farinacci via Starlink <starlink@lists.bufferbloat.net> wrote:
>> 
>> We did test this. IPv6 over LISP. Which means IPv6 EIDs used at transport layer over IPv4 encapsulation. But we did not run  over IPv6 locators.
>> 
>> So what I mean is we tested:
>> 
>> (1) IPv4 overlay on an IPv4 satellite underlay 
>> (2) IPv6 overlay on an IPv4 satellite underlay 
>> 
>> Dino
>> 
>>> On Jan 22, 2025, at 2:53 PM, Dave Taht <dave.taht@gmail.com> wrote:
>>> 
>>> How about openvpn over ipv6?
>>> 
>>> Or with a static ip assigned to the starlink?
>>> 
>>> Wireguard works for me....
>>> 
>>> On Tue, Jan 21, 2025 at 3:02 PM Dino Farinacci via Starlink
>>> <starlink@lists.bufferbloat.net> wrote:
>>>> 
>>>> I haven't tried openvpn but I have done a bunch of testing of LISP over Starlink. If anyone wants details I can point you to an Internet Draft and slides that have been presented a couple of times at IETF.
>>>> 
>>>> Dino
>>>> 
>>>>> On Jan 20, 2025, at 11:25 PM, David Lang via Starlink <starlink@lists.bufferbloat.net> wrote:
>>>>> 
>>>>> has anyone done any work with openvpn over starlink (especially if they got the connectors to completely bypass the router)?
>>>>> 
>>>>> I've got the basic connectivity working, but am having problems trying to get openvpn to work (especially for traffic back through the cgnat to the router on the starlink side)
>>>>> 
>>>>> the logs on the client are reporting link local: (not bound) when trying UDP, when I try TCP (and clamp the mtu low) I can connect from the starlink side (st least sometimes) but cannot get the routing the other way to work
>>>>> 
>>>>> David Lang
>>>>> _______________________________________________
>>>>> Starlink mailing list
>>>>> Starlink@lists.bufferbloat.net
>>>>> https://lists.bufferbloat.net/listinfo/starlink
>>>> 
>>>> _______________________________________________
>>>> Starlink mailing list
>>>> Starlink@lists.bufferbloat.net
>>>> https://lists.bufferbloat.net/listinfo/starlink
>>> 
>>> 
>>> 
>>> -- 
>>> Dave Täht CSO, LibreQos
>> 
>> _______________________________________________
>> Starlink mailing list
>> Starlink@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/starlink
> 
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink

Re: [Starlink] starlink and VPN

[David Lang]

[-- Attachment #1: Type: text/plain, Size: 1602 bytes --]

Dave Taht wrote:

> How about openvpn over ipv6?

I don't have IPv6 at my house that it's connecting to.

> Or with a static ip assigned to the starlink?

that costs more (and much more than the 50g/m starlink mini plan)

David Lang

> Wireguard works for me....
>
> On Tue, Jan 21, 2025 at 3:02 PM Dino Farinacci via Starlink
> <starlink@lists.bufferbloat.net> wrote:
>>
>> I haven't tried openvpn but I have done a bunch of testing of LISP over Starlink. If anyone wants details I can point you to an Internet Draft and slides that have been presented a couple of times at IETF.
>>
>> Dino
>>
>>> On Jan 20, 2025, at 11:25 PM, David Lang via Starlink <starlink@lists.bufferbloat.net> wrote:
>>>
>>> has anyone done any work with openvpn over starlink (especially if they got the connectors to completely bypass the router)?
>>>
>>> I've got the basic connectivity working, but am having problems trying to get openvpn to work (especially for traffic back through the cgnat to the router on the starlink side)
>>>
>>> the logs on the client are reporting link local: (not bound) when trying UDP, when I try TCP (and clamp the mtu low) I can connect from the starlink side (st least sometimes) but cannot get the routing the other way to work
>>>
>>> David Lang
>>> _______________________________________________
>>> Starlink mailing list
>>> Starlink@lists.bufferbloat.net
>>> https://lists.bufferbloat.net/listinfo/starlink
>>
>> _______________________________________________
>> Starlink mailing list
>> Starlink@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/starlink
>
>
>
>

Re: [Starlink] starlink and VPN

[J Pan]

http://tailscale.com works well on starlink (zero configuration
powered by wireguard ;-)
--
J Pan, UVic CSc, ECS566, 250-472-5796 (NO VM), Pan@UVic.CA, Web.UVic.CA/~pan

On Wed, Jan 22, 2025 at 7:11 PM David Lang via Starlink
<starlink@lists.bufferbloat.net> wrote:
>
> Dave Taht wrote:
>
> > How about openvpn over ipv6?
>
> I don't have IPv6 at my house that it's connecting to.
>
> > Or with a static ip assigned to the starlink?
>
> that costs more (and much more than the 50g/m starlink mini plan)
>
> David Lang
>
> > Wireguard works for me....
> >
> > On Tue, Jan 21, 2025 at 3:02 PM Dino Farinacci via Starlink
> > <starlink@lists.bufferbloat.net> wrote:
> >>
> >> I haven't tried openvpn but I have done a bunch of testing of LISP over Starlink. If anyone wants details I can point you to an Internet Draft and slides that have been presented a couple of times at IETF.
> >>
> >> Dino
> >>
> >>> On Jan 20, 2025, at 11:25 PM, David Lang via Starlink <starlink@lists.bufferbloat.net> wrote:
> >>>
> >>> has anyone done any work with openvpn over starlink (especially if they got the connectors to completely bypass the router)?
> >>>
> >>> I've got the basic connectivity working, but am having problems trying to get openvpn to work (especially for traffic back through the cgnat to the router on the starlink side)
> >>>
> >>> the logs on the client are reporting link local: (not bound) when trying UDP, when I try TCP (and clamp the mtu low) I can connect from the starlink side (st least sometimes) but cannot get the routing the other way to work
> >>>
> >>> David Lang
> >>> _______________________________________________
> >>> Starlink mailing list
> >>> Starlink@lists.bufferbloat.net
> >>> https://lists.bufferbloat.net/listinfo/starlink
> >>
> >> _______________________________________________
> >> Starlink mailing list
> >> Starlink@lists.bufferbloat.net
> >> https://lists.bufferbloat.net/listinfo/starlink
> >
> >
> >
> >_______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink