Starlink and BOVPN

We have our main Firebox with a static Public IP in Arizona, and another Firebox on a Starlink connection in Colorado. I gathered that I can set up the Colorado Firebox on the Starlink network as a BOVPN over TLS client, and our main Arizona Firebox with the static IP as a BOVPN over TLS server, but that will only allow the users in Colorado to connect to Arizona. Unfortunately for admin support, we need to be able to VPN in from Arizona to Colorado. Any suggestions would be greatly appreciated.

Comments

  • There is a post here from Iain_G which said that there was a successful BOVPN setup from a WG firewall behind a Starlink to another not behind a Starlink.

    VPN : T35-R to T35-R with Starlink at BOTH ends
    https://community.watchguard.com/watchguard-community/discussion/2732/vpn-t35-r-to-t35-r-with-starlink-at-both-ends

    No success when both were behind a Starlink, presumably because of multiple Starlink devices using the same public IP addr.

    I would assume that the success requires the firewall behind the Starlink to be the initiator of the BOVPN connection.

  • james.carson Moderator, WatchGuard Representative

    Hi @Karim

    How does your traffic show up in traffic monitor when you attempt to do this?
    -If you see red Deny messages for your traffic trying to go across the VPN, ensure that there's a policy to allow that traffic out.
    -If you see green Allow messages, does the traffic show that it's going to the correct interface? If there's any kind of IP address overlap on the distant side, you may not be able to send traffic.

    -James Carson
    WatchGuard Customer Support

  • Thanks guys for your answers but unfortunately Starlink is a bit complicated. Starlink uses CGNAT and their IPs are not public IPs, so no DDNS, or any of that can be used. The BOVPN over TLS can work because the WatchGuard Firebox on the Starlink network is set as a client and initiates the connection like any personal VPN application, but this is a one-way street. I have not set up a BOVPN over TLS yet, so my assumption may be wrong in thinking that the tunnel will only go one way. So really my question is, once a tunnel is created through a BOVPN over TLS, is the tunnel a 2-way channel? Can anyone confirm? Thank you.

  • You can see the public IP addr that outgoing access from the Starlink firewall uses from whatismyipaddress.com
    That would be the public IP addr that you can use for the BOVPN setup.

    BOVPN over TLS is bi-directional.
    From the docs:

    • Devices on the local network behind Firebox A can connect to the local networks behind the Fireboxes (n).
    • Devices on the local networks behind Fireboxes (n) can connect to the local network behind Firebox A.

    About Branch Office VPN over TLS
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_tls_about_c.html

  • Bruce, the public IP you get on the Starlink network is not a routable IP since it is using CGNAT. It is the same principle as trying to reach a PC with a private IP behind a WatchGuard NAT. Actually, the WatchGuard public interface gets a dynamic IP which is a non-routable IP that is not the public IP you get from WhatIsMyIP; that is why the regular BOVPN cannot be set up.

    Hummm... I misread the manual info about the BOVPN over TLS. Indeed, it seems that it is a bidirectional tunnel. That is awesome. I need to have someone on location in Colorado to switch the Starlink modem into pass-through mode first. I will report back as soon as I have it done.

    Thank you Bruce!

  • Clearly the Starlink public IP is routable since you do get reply packets from the Internet back through the Starlink public IP addr to your local Starlink device to whatever is connected behind that.

    However I don't disagree that CGNAT seems to prevent incoming connections/sessions.

    Note my statement above which is what you will be doing with your BOVPN TLS connection - initiating the connection from behind the Starlink device.
    "I would assume that the success requires the firewall behind the Starlink to be the initiator of the BOVPN connection."

  • OK, finally I was able to sort out my VPN connection. So, on the Starlink side in Colorado, I set up my WatchGuard with a BOVPN over TLS Client, and in AZ my WatchGuard that has a static public IP, I set up a BOVPN over TLS Server. Works like a charm. I did not even have to set up the STARLINK modem/router in passthrough mode, change the STARLINK service to business (which still does not offer static IPs), or anything else. The only hurdle was to be able to connect to a PC on the remote STARLINK network for me to program my WatchGuard in Colorado. Of course, there are many ways to do that like any remote support programs, which I leave to your preference! I love my WatchGuards... they are so awesome... thank you for your support.
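To make the CGNAT point from the discussion above concrete, here is an added example (my own, not code from this thread or from WatchGuard) that classifies each Firebox's external address and decides which side can act as the BOVPN over TLS server, leaving the CGNAT side as the initiating client. `Site`, `nat_type` and `plan_bovpn_tls` are names I chose, and all addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

# RFC 6598 shared address space that carriers use for CGNAT (Starlink included).
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: a Firebox WAN address here means a NAT device sits in front of it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Site:
    name: str
    wan_ip: str       # address configured on the Firebox external interface
    observed_ip: str  # address an external "what is my IP" lookup reports
    static: bool      # ISP assigns this site a fixed public address


def nat_type(site: Site) -> str:
    """Heuristic: compare the WAN address with what the Internet sees."""
    wan = ipaddress.ip_address(site.wan_ip)
    if wan in CGNAT:
        return "cgnat"            # never reachable inbound; must be the TLS client
    if any(wan in net for net in RFC1918):
        return "private-nat"      # upstream NAT; needs port forwarding to listen
    if str(wan) == site.observed_ip:
        return "public"           # the Firebox itself holds the routable address
    return "translated"           # public-looking WAN, yet something upstream rewrites it


def can_listen(site: Site) -> bool:
    """Only a Firebox that owns a static, untranslated address can be the server."""
    return nat_type(site) == "public" and site.static


def plan_bovpn_tls(a: Site, b: Site):
    """Return (server_name, client_name), or None if neither side can accept inbound."""
    for server, client in ((a, b), (b, a)):
        if can_listen(server):
            return server.name, client.name
    return None  # e.g. both sites behind Starlink CGNAT: no direct BOVPN possible
```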

  • You can run WSM Policy Manager or the Web UI over a BOVPN.
    Just update the desired policies to allow this.
