Hey everyone,
I'm trying to set up a VPN tunnel for a client whose equipment is located on a vessel using Starlink for internet. The challenge is that Starlink provides a dynamic public IP via DHCP to the main business firewall, and there's a second firewall on a separate subnet managing the internal network.
I'm looking to transmit data from the vessel to our site, but the dynamic public IP and unreliable DDNS due to Starlink's behavior make things tricky. I want to know if it's feasible to set up a VPN tunnel without relying on a public IP or DDNS from the vessel side.
My initial thought was to install a VPN client on the data server behind the firewall to initiate an outbound connection to the destination VPN server. Before I go down that path, I'd like to know if there's a more reliable way to implement this with IPsec or a better method for NATed connections like Starlink. Has anyone faced a similar situation or have any ideas? Thanks!
5 Answers
True about CGNAT! It’s just one more reason we need a transition to IPv6 to solve these connection headaches. Insisting on dynamic IPs with routing issues can be such a pain!
Keep in mind that if you’re on a 'Home' or 'Maritime' Starlink plan, most VPNs are blocked due to their internal network routing. You'd need to switch to a business plan for more reliable VPN use. Hardware peer-to-peer VPN connections struggle under CGNAT, which is what affects the Home and Maritime plans.
Just so you know, the public IP for Starlink maritime service is pretty much static. They tend to assign the same IP every time you connect. Plus, if you're concerned about DDNS, keep the TTL low and it should handle dynamic IPs just fine.
You can actually have the dynamic side initiate the tunnel. On FortiGate firewalls, this is referred to as a 'dial-up' tunnel. Also, Starlink does offer a static IP option if your situation allows for it. But I think a better solution might be to use Tailscale with a subnet router at each end for ease of use.
If I understand correctly, you need a tunnel between the vessel and your site. Since the vessel is on Starlink behind NAT, I’d suggest having the Starlink side initiate the tunnel towards your end while using a dynamic DNS for your end's IP address. Any modern VPN-capable firewall or router should work well for this.
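The pattern the question and the last two answers describe (the NATed vessel initiates outbound toward a fixed end that is reachable by a DDNS name, and DDNS must be re-checked when the fixed end's address changes) can be shown end to end with WireGuard, which is what Tailscale is built on and which behaves like an IPsec dial-up tunnel in this respect. The script below is an added example and is not from the original thread; it is a small watchdog meant to run on the vessel side that re-resolves the site's DDNS name only when the WireGuard handshake has gone stale and then re-points the peer's endpoint. The interface name wg0, the peer key placeholder, the hostname site.example.net, the port 51820 and the 180-second staleness threshold are all assumptions chosen for illustration, and the wg output it parses is constructed sample data.

```python
# Added example, not code from the original thread: a watchdog for the NATed (vessel)
# side that re-resolves the DDNS name of the fixed site whenever the WireGuard
# handshake goes stale. Interface name, peer key, hostname, port and the staleness
# threshold are assumptions chosen for illustration.
import socket
import subprocess
import time
from typing import Callable, Dict, List, Optional

IFACE = "wg0"                        # assumed WireGuard interface on the vessel
PEER_KEY = "SITE_PEER_PUBLIC_KEY="   # placeholder: the site's WireGuard public key
DDNS_NAME = "site.example.net"       # placeholder: DDNS name of the fixed end
PORT = 51820                         # assumed listen port on the fixed end
STALE_AFTER = 180                    # assumed: no handshake for 3 min means the tunnel is dead


def parse_endpoints(wg_output: str) -> Dict[str, Optional[str]]:
    """Parse `wg show IFACE endpoints` (one 'pubkey<TAB>host:port' per line; '(none)' if unset)."""
    endpoints: Dict[str, Optional[str]] = {}
    for line in wg_output.splitlines():
        if not line.strip():
            continue
        key, _, endpoint = line.partition("\t")
        endpoints[key] = None if endpoint == "(none)" else endpoint
    return endpoints


def parse_handshakes(wg_output: str) -> Dict[str, int]:
    """Parse `wg show IFACE latest-handshakes` (one 'pubkey<TAB>unix_time' per line; 0 = never)."""
    handshakes: Dict[str, int] = {}
    for line in wg_output.splitlines():
        if not line.strip():
            continue
        key, _, ts = line.partition("\t")
        handshakes[key] = int(ts)
    return handshakes


def is_stale(last_handshake: int, now: int, threshold: int = STALE_AFTER) -> bool:
    """True if the peer never completed a handshake or the last one is older than threshold."""
    return last_handshake == 0 or now - last_handshake > threshold


def resolve_ipv4(name: str, resolver: Optional[Callable[[str], str]] = None) -> str:
    """Resolve the DDNS name to an IPv4 address; a resolver can be injected for offline use."""
    if resolver is not None:
        return resolver(name)
    # AF_INET only: the vessel's Starlink side is NATed IPv4, so the tunnel is IPv4 (assumption).
    info = socket.getaddrinfo(name, PORT, socket.AF_INET, socket.SOCK_DGRAM)
    return info[0][4][0]


def plan_update(endpoints_out: str, handshakes_out: str, resolved_ip: str, now: int) -> Optional[List[str]]:
    """Decide whether to re-point the peer. Returns the `wg set` argv, or None if nothing to do."""
    last = parse_handshakes(handshakes_out).get(PEER_KEY, 0)
    if not is_stale(last, now):
        return None                  # tunnel is alive; never churn the endpoint while it works
    wanted = f"{resolved_ip}:{PORT}"
    current = parse_endpoints(endpoints_out).get(PEER_KEY)
    if current == wanted:
        return None                  # DNS still agrees with the live endpoint, so DNS is not the problem
    return ["wg", "set", IFACE, "peer", PEER_KEY, "endpoint", wanted]


# Constructed sample `wg show` output: the site moved from 203.0.113.5 to 198.51.100.9
# and the vessel has not seen a handshake for ten minutes.
SAMPLE_ENDPOINTS = f"{PEER_KEY}\t203.0.113.5:51820\n"
SAMPLE_HANDSHAKES = f"{PEER_KEY}\t{1_700_000_000 - 600}\n"


def demo() -> Optional[List[str]]:
    """Run the decision logic offline against the constructed sample and a fake resolver."""
    ip = resolve_ipv4(DDNS_NAME, resolver=lambda _name: "198.51.100.9")
    return plan_update(SAMPLE_ENDPOINTS, SAMPLE_HANDSHAKES, ip, now=1_700_000_000)


def watch(interval: int = 30) -> None:
    """Live loop for a host that actually runs WireGuard: poll, re-resolve, re-point when stale."""
    while True:
        eps = subprocess.run(["wg", "show", IFACE, "endpoints"], capture_output=True, text=True, check=True).stdout
        hs = subprocess.run(["wg", "show", IFACE, "latest-handshakes"], capture_output=True, text=True, check=True).stdout
        cmd = plan_update(eps, hs, resolve_ipv4(DDNS_NAME), int(time.time()))
        if cmd:
            subprocess.run(cmd, check=True)
        time.sleep(interval)


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the thread. The vessel side carries the Endpoint and a PersistentKeepalive (25 seconds is the usual value) so the CGNAT UDP mapping never expires, while the site side configures no Endpoint at all and simply listens; WireGuard's built-in roaming then lets the site learn the vessel's new source address from the next authenticated packet whenever the Starlink mapping changes. The re-resolve above only covers the opposite direction, the site's own address changing, and it deliberately does nothing while handshakes are fresh, so a low DDNS TTL (as one answer suggests) matters only at the moment the tunnel actually breaks.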