Posted: Mon Mar 22, 2021 23:09 Post subject: StarLink help with Static IP or DDNS
I've got a Netgear R7000 running v3.0-r45192 std. I recently installed StarLink internet and I'm experiencing 3x (sometimes 4x) my original speeds. (100-150 down and 20-50 up). Now comes the problem:
StarLink uses a CGNat and does not offer a static IP. I have web cameras, remote PC, Plex, and a few web applications hosted from my home. I also have a OpenVPN Server setup through the router for safer browsing in public places. Obviously my DDNS no longer works. I've been searching for "easy" ways to do this and it seems I'm outside my expertise.
I use PIA (SOCKS5) strictly for downloads but found that I can't get enough speed to make it useful for an OpenVPN implementation.
I've seen mention of ngrok but I can't get enough information to make it work for my needs.
It seems I just need a way to connect to my VPN Server when I'm away from home and I can then manage everything from there. Can anyone give me an "idiots guide" to making this happen?
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Tue Mar 23, 2021 10:04 Post subject:
I will transfer your question to the Advanced Networking forum.
There are several possibilities @eibgrad has listed the most but his thread is MIA, I hope he will chime in.
I used port forwarding via the VPN client, I even used PIA for that with scripts form @eibgrad but PIA has changed the way port forwarding is working so I do not think the original scripts are working any more.
The classic solution is to use a VPS and create your own remote OpenVPN server. Then connect your local OpenVPN client to that server and route yourself back in from the internet (i.e., site-to-site), either via port forwarding over the VPS, or as another OpenVPN client on the internet to that same server.
To that end, I do have some scripts designed for these purposes, using either a P2P (point to point) or P2MP (point to multipoint) configuration. And to prevent wasting the one and only OpenVPN client in the GUI, it's managed separately from the CLI. I've been meaning to post them w/ the rest of my scripts on PasteBin, but just never got around to it (they need to be documented, they're just raw scripts at the moment). But they're free for the asking if someone wants them.
So it can be done, is often done this way, and I certainly have a working and tested implementation (w/ DigitalOcean if that matters). However, whether someone else would consider it *easy* is subjective. And there's the monthly cost of the VPS ($5/month). For that money, you could probably get a different OpenVPN provider that offers port forwarding, thus killing two birds w/ one stone, and having them manage the server.
One of the problems w/ PIA port forwarding is that (imo) it's one of the most complex and restrictive available. It requires an API which determines your port forward at runtime, thus the need for a script. You're only allowed one port forward, and it's only available from a small subset of specific servers. It's just a royal pain to work with. And as @egc knows, I tried to support it previously, which was a major hassle, but at least we had something working, and then PIA changed the API yet again!
There are just better and easier port forwarding options from other OpenVPN providers that use simple, static port forwarding, usually through a "Client Area" on their website where you configure your external port(s). A good example is AirVPN.
And then there's ngrok, which essentially provides port forwarding, but they maintain the server. Although I've never used it, it probably is the easiest and cheapest solution if you don't want to change VPN providers. But I can't speak to its performance or other limitations. Last I heard it's free for light usage, but these kinds of things can change over time. But it's an interesting option as long as you're willing to trust them in supporting an inbound tunnel to your network (same goes for any OpenVPN or VPS provider, frankly).
So I'm learning/teaching myself as I go, so please forgive my lack of knowledge.
It seems that the VPN slows down my entire network when implemented on the router. So I'd like to only expose certain ports to the world but keep all other outbound traffic routed through the standard routes.
So say my remote VNC machine port is 1234. I route only 1234 to something (??) public and it holds that connection open for whenever I want to connect to the machine. (VNC Viewer)
Is this something that exists? If I knew what I was looking for, I could not waste a ton of time going in the wrong direction.
Because you have a *private* IP (CGNAT), you need a means to create a *public* IP that can then be routed back into your home network. And one way to do that is to establish a tunnel between your home network and a VPS, since the VPS has a public IP. Once the tunnel is established, you can route from the VPS's public IP, back over other that tunnel, and into your home network, thus accessing anything you want remotely.
Now *how* you decide to establish that tunnel is the question.
The most common solution is to use a VPN, specifically an OpenVPN client on your home network and out to an OpenVPN server on the VPS. And yes, performance issues w/ OpenVPN (or PPTP) are a problem sometimes w/ the router, esp. for older, less powerful ones (although you could host the OpenVPN client elsewhere, like a PC, where performance is less of an issue). Or perhaps Wireguard is the solution to that issue, but I don't use it personally. Another solution would involve SSH reverse port forwarding. Or else have some other third-party manage the tunnel for you, such as ngrok or an OpenVPN provider who offers port forwarding.
I feel like I'm super close. I now have communication setup between the OVPN server with a public static IP and my OVPN client behind the cgnat.
When I connect to my server, I do have internet and my Public IP does show the static IP of the server. I'm pretty sure that I'm missing a port forwarding route from the server to the client but I can't seem to figure out the commands to do this. Here's what I have so far.
Static IP - 76.x.x.x
Ovpn Server - 10.1.1.0
Server Router - 192.168.2.0
Remote Ovpn Client - 10.1.1.2
Remote Network - 192.168.1.0
Remote VNC IP - 192.168.1.25
Remote VNC Port - 1234
A few things that I understand from just standard port forwarding (could be wrong here). I need to forward port 1234 from the static IP all the way to the Remote VNC IP. I'm not sure how to force the OVPN Server to give me a static IP or if that matters.
I'm thinking I'll need to set up a firewall rule using iptables but I've tried a few different things and failed.
The OVPN server is in a physical location that I can't just reset. If I mess up the server side, I'll be taking an expensive plane ride to fix it.
If you're setting up site-to-site, you don't need port forwarding over the tunnel. You just need to disable the "Inbound Firewall on TUN" option on the OpenVPN client and directly access your network.
