You are here

Starlink and Tunnels

10 posts / 0 new
Last post
K1DOS
Starlink and Tunnels

Has anyone established tunnels over SpaceX's Starlink Internet service?
I recently transitioned to Starlink and static IPs are not availible.

Hank K1DOS
 

K6CCC
K6CCC's picture
Tunnel client or server?

Are you intending to use a tunnel as the client end or the server end?  If client, should not be a problem - nothing magic to set up (related to having a DHCP address).  If you are going to operate as the server end, you will need a domain name and a Dynamic DNS provider (and it's associated client).  You will also be dependent on StarLink allowing an inbound initial connection on port 5525.
Good luck and let us know how it works out.
 

K1DOS
Terms

I am not a networking guy.  I would like to host a server that I currently have but switched from a local WISP w/static IP to Starlink.  I found this post online but I don't understand all the terms.

"...DDNS does not work if you are connected with Starlink because Starlink uses CGNAT. To unravel the acronyms, the purpose of dynamic DNS is to provide a URL which will always map to your external IP address even if your ISP changes your IP address from time to time as most do. With CGNAT (Carrier Grade Network Address Translation), you never have a unique external IP address. Your network is inside a larger Starlink network which has an external IP address you share with others. Cell phones work much the same way for data. Anyway, when something shows up at the top router of the Starlink network which is NOT a response to something sent from inside the network, that router doesn't know whom it is for so just throws it away..."

nc8q
nc8q's picture
DDNS does not work if you are connected with Starlink because St

Hi, Hank:

I think it is kinda like starlink is akin to using your neighbor's Wi-Fi to access the internet.
You cannot configure your neighbors router to port-forward 5525 to your tunnel server.
You cannot configure Starlink's router to port-forward port 5525 to your dynamic IP address.
Starlink will drop any packets addressed to you that were not 1st established as coming from your home-network.
You can request a web page from an external server:80 from your web browser:1025
When the page returns, Starlink knows that the remote web servers returning packet to your web browser:1025
was already established and related.

Clear as mud, eh?

73, Chuck

 

K6CCC
K6CCC's picture
I had heard that StarLink was

I had heard that StarLink was using CGNAT - but not confirmed.  In that case you really only can run an AREDN tunnel as the client end without some magic.  The other option would be to establish a VPN tunnel from your StarLink based location to some other place that you can control.  Then have a AREDN tunnel client point to the external location that you control and that points to your StarLink location via the VPN tunnel.  There are some fairly inexpensive hosting locations - DigitalOcean.com comes to mind (not a customer, but a friend uses them).  There are MANY others.
 

N5EG
Starlink tunnel working with issues

I am using a tunnel over Starlink.  It sometimes works for several days, sometimes several hours.
Then it disconnects and will not reconnect.  Rebooting the tunnel client sometimes gets it working again,
mostly not.  I think perhaps when the tunnel server is rebooted then it comes back up.

Given that I've only had Starlink for a couple weeks, the causes are really not understood yet. I am
still troubleshooting.

I am running Tailscale in a docker container on a server attached to my 192.168.1.0/24 network. That
seems to work fine and allows me to VPN into my home network through Starlink.  Tailscale is setup not
to advertise the 10.x.x.x/29 AREDN network to the VPN, just the 192.168.1.0/24 network and
192.168.100.1/32  (the Starlink web interface).

In limited testing that container is the only thing I can find that might be killing the tunnel. When it is
not running the tunnel seems to be stable (or maybe more stable).

All three or four times the tunnel crashed the Tailscale docker container was running.  There's
not enough information yet to correlate this to the problem - it could be something else entirely.   The
next step will probably be to install 3.22.6 release once our local AREDN network does some testing
and see if tunnel stability improves.

-- Tom, N5EG

 

kj6dzb
kj6dzb's picture
Starlink user for about

Starlink user for about 6months.

You will not be able to host a tunnel server on your terminal. Sorry that's just not what starlink is intended for natively... I do a tunnel client out with a hap to a Tunnel hub server that I run. As the user above has done you can setup a few layers of VPN.

73 glad to others have terminals. Kj6dzb cm87

K9CQB
K9CQB's picture
We are also using Starlink soon.

Hank,
There are a few of us here in Northern Virginia and Western Maryland that also have Starlink and will be wanting to do the same thing.

-Damon (K9CQB)

N5EG
Update on Starlink tunnels

The advertisement of the client tunnel endpoint through the VPN was (manually) removed from the Tailscale configuration.
This seems to have stabilized the tunnel client through Starlink. It has been working for ~1 week without dropping (ver 3.22.1).
Then updating the node firmware to 3.22.6 it has been stable (about 5 days so far).
Thus, the tunnel client seems to work well through Starlink.

- Tom, N5EG
 

K9CQB
K9CQB's picture
Good news. There may be another solution for server side.

Starlink also has a premium service called Starlink Business. The equipment is over $2K and it's $500/month. So this is very expensive, but it allows you to host a VPN server or pretty much anything that requires you to bypass CGNAT IP/Port controls. I know it's very expensive, but when your network is configured correctly on Starlink, you can theoretically stay connected without your traffic hitting a ground station or the Internet, especially now that the ver1.5 satellites are connecting to each other via ISL (laser link in space). 
So, you would need a very expensive Starlink Business terminal somewhere in your network, but it seems like a promising capability.
-Damon (K9CQB)

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer