From: Adam Thompson
To: "starlink@lists.bufferbloat.net"
Date: Fri, 17 Feb 2023 16:30:22 +0000
Subject: [Starlink] VPN woes, recommendations?

Hi, all.
We've been trying to develop a plug-and-play L2 VPN over Starlink, using Aruba Hospitality-series Remote APs like their RAP-505H.
It's not going great, and I'm wondering about several Starlink-specific issues.

First, having multiple devices in serial is generally not a great idea for reliability. Can we realistically plug our remote AP directly into the dish, still? (This is using Starlink Business, FWIW.) I know we lose access to the Starlink app, but we also lose a NATing router and an unwanted wifi AP, so that's probably a net zero. I just don't know what other dangers/problems that topology might cause.

Secondly, we're only able to push about 30Mbps through the (magical Aruba-proprietary GRE+IPsec) tunnel. The bandwidth-delay equations suggest we should be seeing around 100Mbps, not 30. (The Aruba devices are rated for ~2Gbps encrypted at the site end, and ~7Gbps at the head end, so presumably that's not the bottleneck.)

So:
* does anyone have corroborating *or* contradicting evidence of VPN performance over Starlink's particular flavor of Long Fat Pipe, and
* does anyone have any positive (or negative, I guess!) recommendations for cloud-managed VPN devices that can do at least 100M and magically work from behind double-NAT/CGNAT like we see with Starlink? Bonus points if it does L2 tunnels or can run a dynamic routing protocol.
* Other comments or suggestions welcome, too.

Thanks,
-Adam
