Creating a VPN connection on Starlink (CGNAT) ISP

Great to hear!,
always make sure you use an IP range that is going to minimize the chances of an IP conflict. I tend to stay away from subnets such as 192.168.0.0/24, 192.168.2.0/24, 10.0.0.0/24 these are usually used by ISP's and most people tend to use these on their out of the box setups with their own routers. my next video will be explaining all of this and I'm looking to address adding access to an entire subnet.

On starlink it wouldn't work because your clients won't be able to route to the fortigate. You would need an intermediate machine that both source and destination can reach.

When I had initially spoken with starlink support VPNs were still not officially supported however the same rules still apply where the starlink client will need to connect into a VPN server. The starlink wan cannot accept connections due to it being a cgnat

That's right you can't use it directly on an starlink router. You can either use a VPN router or setup a device to act as a VPN gateway

Glad you enjoyed the explanation. If you look at the diagrams with a cgnat isp ypu can't open ports to the Internet which is where you need a 3rd machine in the middle to become the server. Both other wireguard networks connect into this wireguard server. You can see the difference between page 1 and page 2. If you have any further questions don't hesitate to reply. All the best.

@@aktuMedia Thanks for the answer. Just clarifying: Yes, I have a VPS with a fixed ip in Oracle Cloud being the VPN Server, and my Windows Server server behind Starlink and a link with a fixed ip, routed in a Mikrotik (starlink is a failover). When I connect to the VPN server using the fiber link, it works perfectly. When you enter Starlink it does not connect. I followed step by step but I believe something is still wrong because the connection between the Windows Server and the VPN Server on Oracle Cloud is not established via Starlink.Thanks again for support!

without seeing your network config and based on what you're saying the reason it's not working when you connect via Starlink would be because the VPS server is attempting to connect out to your Starlink connection, but if you look at the diagram that won't work because CGNAT won't route that traffic, so you may want to setup your server that is behind the CGNAT (As Secondary) to connect outbound only and not require an inbound connection. this way regardless on it being on your primary or failover it will be the one initiating the connection to your VPS and of course make sure the keep-alive is set to something small enough that it won't wait too long to re-initiate the connection.

we would be happy to discuss this with you, please reach out to info@aktuconsulting.ca and someone will work with you on this.

at a technical level there is no reason why not use an IPv6 that really comes down to ensuring the devices you use are configured to work with IPv6. Your device simply needs to be accessible from both ends to route the traffic.

@@aktuMedia thanks for the quick reply! I tested it out and everything worked out. For the record I completely agree with using IPv4 for the demo since more people understand it. Thanks again.

exactly glad it worked for you, honestly the biggest thing you need to worry when it comes to this design is to ensure your wireguard server has a static IP and not dynamic. I've had lots of people reach out about these setups and they look to set it up with DynDNS and that can work to a point but if the IP changes Wireguard won't always catch that on time and cause a disconnect. I'm always happy to hear how things work out let me know how your system works in the wild!

Hey There, yea I do'nt see any reason why this wouldn't work on windows. Sorry it's on my list of videos to put out. I've been slammed lately and i'm trying to put up one that has wireguard on a wireguard server, but I will add this to my list of videos. it isn't in line with my open source guides but it would be a matter of setting up wireguard as a service after you setup the config and then setting it up to start at boot.