Starlink and Tunnels

Has anyone established tunnels over SpaceX's Starlink Internet service?
I recently transitioned to Starlink and static IPs are not available.

Hank K1DOS
Tunnel client or server?
Are you intending to use a tunnel as the client end or the server end?  If client, should not be a problem - nothing magic to set up (related to having a DHCP address).  If you are going to operate as the server end, you will need a domain name and a Dynamic DNS provider (and its associated client).  You will also be dependent on StarLink allowing an inbound initial connection on port 5525.
Good luck and let us know how it works out.
I am not a networking guy.  I would like to host a server that I currently have but switched from a local WISP w/static IP to Starlink.  I found this post online but I don't understand all the terms.

"...DDNS does not work if you are connected with Starlink because Starlink uses CGNAT. To unravel the acronyms, the purpose of dynamic DNS is to provide a URL which will always map to your external IP address even if your ISP changes your IP address from time to time as most do. With CGNAT (Carrier Grade Network Address Translation), you never have a unique external IP address. Your network is inside a larger Starlink network which has an external IP address you share with others. Cell phones work much the same way for data. Anyway, when something shows up at the top router of the Starlink network which is NOT a response to something sent from inside the network, that router doesn't know whom it is for so just throws it away..."
Hi, Hank:

I think it is kinda like Starlink is akin to using your neighbor's Wi-Fi to access the internet.
You cannot configure your neighbor's router to port-forward 5525 to your tunnel server.
You cannot configure Starlink's router to port-forward port 5525 to your dynamic IP address.
Starlink will drop any packets addressed to you that were not 1st established as coming from your home-network.
You can request a web page from an external server:80 from your web browser:1025.
When the page returns, Starlink knows that the remote web server's returning packet to your web browser:1025
was already established and related.

Clear as mud, eh?

73, Chuck
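
The behaviour described in the post above, as an added example that is not part of the original thread: a WAN-address check plus a toy model of a carrier NAT that only admits traffic for flows opened from inside. All addresses and port numbers other than 80, 1025 and 5525 are constructed, and the class and function names are hypothetical.

```python
import ipaddress

# Ranges that are never reachable from the Internet: RFC 6598 shared space
# (reserved for carrier-grade NAT) and the RFC 1918 private ranges.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("100.64.0.0/10", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def wan_is_behind_nat(wan_ip):
    """True if the address on the router's WAN port is not a public one."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in NON_PUBLIC)

class CarrierNat:
    """Toy carrier NAT: a mapping exists only for flows opened from inside."""

    def __init__(self):
        self.next_port = 40000
        self.flows = {}  # (public_port, remote_ip, remote_port) -> inside host

    def outbound(self, inside_ip, inside_port, remote_ip, remote_port):
        """Inside host opens a connection; the NAT records it."""
        public_port = self.next_port
        self.next_port += 1
        self.flows[(public_port, remote_ip, remote_port)] = (inside_ip, inside_port)
        return public_port

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the inside host for an established flow, else None (dropped)."""
        return self.flows.get((public_port, remote_ip, remote_port))

def demo():
    nat = CarrierNat()
    home = "100.72.14.9"          # constructed CGNAT-side address
    # Browser:1025 fetches a page from a web server:80; the reply is let in.
    web = nat.outbound(home, 1025, "203.0.113.80", 80)
    reply = nat.inbound("203.0.113.80", 80, web)
    # A remote node tries to reach a tunnel server on 5525: no mapping, dropped.
    unsolicited = nat.inbound("198.51.100.22", 51000, 5525)
    # Tunnel client dials out to a server's 5525; return traffic is let in.
    tun = nat.outbound(home, 33000, "198.51.100.22", 5525)
    tunnel_reply = nat.inbound("198.51.100.22", 5525, tun)
    return reply, unsolicited, tunnel_reply

if __name__ == "__main__":
    print(wan_is_behind_nat("100.72.14.9"), demo())
```

If the router's WAN address falls in one of the listed ranges, a dynamic DNS name cannot make port 5525 reachable, while the client end of a tunnel still works because it opens the flow itself.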

I had heard that StarLink was using CGNAT - but not confirmed.  In that case you really only can run an AREDN tunnel as the client end without some magic.  The other option would be to establish a VPN tunnel from your StarLink based location to some other place that you can control.  Then have an AREDN tunnel client point to the external location that you control and that points to your StarLink location via the VPN tunnel.  There are some fairly inexpensive hosting locations - comes to mind (not a customer, but a friend uses them).  There are MANY others.
Starlink tunnel working with issues

I am using a tunnel over Starlink.  It sometimes works for several days, sometimes several hours.
Then it disconnects and will not reconnect.  Rebooting the tunnel client sometimes gets it working again,
mostly not.  I think perhaps when the tunnel server is rebooted then it comes back up.

Given that I've only had Starlink for a couple weeks, the causes are really not understood yet. I am
still troubleshooting.

I am running Tailscale in a docker container on a server attached to my network. That
seems to work fine and allows me to VPN into my home network through Starlink.  Tailscale is set up not
to advertise the 10.x.x.x/29 AREDN network to the VPN, just the network and  (the Starlink web interface).

In limited testing that container is the only thing I can find that might be killing the tunnel. When it is
not running the tunnel seems to be stable (or maybe more stable).

All three or four times the tunnel crashed the Tailscale docker container was running.  There's
not enough information yet to correlate this to the problem - it could be something else entirely.   The
next step will probably be to install 3.22.6 release once our local AREDN network does some testing
and see if tunnel stability improves.

-- Tom, N5EG


Starlink user for about 6 months. You will not be able to host a tunnel server on your terminal. Sorry, that's just not what Starlink is intended for natively... I do a tunnel client out with a hAP to a tunnel hub server that I run. As the user above has done, you can set up a few layers of VPN. 73, glad to see others have terminals. Kj6dzb cm87
We are also using Starlink soon.
There are a few of us here in Northern Virginia and Western Maryland that also have Starlink and will be wanting to do the same thing.

-Damon (K9CQB)
Update on Starlink tunnels

The advertisement of the client tunnel endpoint through the VPN was (manually) removed from the Tailscale configuration.
This seems to have stabilized the tunnel client through Starlink. It has been working for ~1 week without dropping (ver 3.22.1).
Then updating the node firmware to 3.22.6 it has been stable (about 5 days so far).
Thus, the tunnel client seems to work well through Starlink.

- Tom, N5EG

Good news. There may be another solution for server side.
Starlink also has a premium service called Starlink Business. The equipment is over $2K and it's $500/month. So this is very expensive, but it allows you to host a VPN server or pretty much anything that requires you to bypass CGNAT IP/Port controls. I know it's very expensive, but when your network is configured correctly on Starlink, you can theoretically stay connected without your traffic hitting a ground station or the Internet, especially now that the ver1.5 satellites are connecting to each other via ISL (laser link in space). 
So, you would need a very expensive Starlink Business terminal somewhere in your network, but it seems like a promising capability.
-Damon (K9CQB)
Starlink and Aredn ..updates?

Aredn offers many possibilities, but one of its potential fail points is in the tunneling of nodes using terrestrial based internet services. When the hurricanes, ice storms or tornados strike, the power and internet go out when the local terrestrial infrastructure becomes damaged. I know something about this, experiencing the 320 Kph Cat 5+ winds of Hurricane Patricia. A local hotel lost its roof...and my breezeway was in the neighbour's yard.

Starlink however, is 100% independent of the local terrestrial infrastructure. To that end, my Starlink now runs on Solar power, 12V DC 24/7. In this mode, the Ver2 (rectangular dish) with a third party TP Link router (Archer C80)  consumes only 35 watts, while delivering over 200 Mbps throughput.... what's not to like? There is plenty of info on the net on how to do the mod, some commercial kits are out, and it's neither difficult to do nor expensive. "Just follow the instructions".

In a sense this is a proof of concept project... 

So you can see where I am going with this, an Aredn node that is 100% independent of the local infrastructure that exists in a small Mexican pueblo, 225km south of Puerto Vallarta. I want to client tunnel via Starlink to a host near Nanaimo on Central Vancouver Island. 

The possibilities here are significant.  

I have a GL iNet 300M-Ext flashed with the latest Aredn firmware, and a modicum of networking experience, but if someone has done this successfully, in particular the process of interfacing the 300M to the net I would appreciate... step-by-step info would be helpful.. I have a third party configurable router.. by the way the Starlink router is useless, you can't do anything with it... and it now sits in a cupboard.

Edit: if anyone has managed to do a host/server using a Starlink... that information would be highly useful... eg, do you need a VPN, or what ports to forward..UDP..TCP?... and how do you manage DHCP and the CGNAT IPv4 that Starlink uses? Methinks they sure as heck are not going to be offering up static IPv4 addresses to the unwashed masses... s'pose maybe if you paid big bucks.

Richard VA7AA Jalisco Mexico

I have never tried it, but to run a tunnel as the client end over Starlink should be no different than any other internet service.
To run as the server end would be more involved - likely quite a bit since you don't get a real public IP.
Cloudflare tunnels!
Cloudflare tunnels may be a good resolution for this... looks like this describes how you can set up port forwarding for CCTV systems.. any other port/service should work just the same
Aredn Client Tunnel Starlink Problems...

.... most of the discussion on here has been about running an AREDN server on Starlink... that's not my problem, rather I am a wannabe client with a GL-iNet 300M-EXT, am located in Mexico, use Starlink and I want to tunnel to a host server in Canada... tried most tricks but so far...  no go. It appears port forwarding 5525 on Starlink's CGNAT IP addressing is the issue... any workarounds?

One person mentioned they kinda got things going... what was the magic? How would you implement Tailscale if that is one option.. you need something to put on a router or on the device itself.   


I have no problem connecting to my tunnel server from the hAP directly attached to the Starlink Ethernet adapter (SL router is in passthrough mode).
