Starlink and BOVPN

We have our main Firebox with a static Public IP in Arizona, and another Firebox on a Starlink connection in Colorado. I gathered that I can setup the Colorado Firebox on the Starlink network as a BOVPN over TLS client, and our main Arizona Firebox with the static IP as a BOVPN over TLS server, but that will only allow the users in Colorado to connect to Arizona. Unfortunately for admin support, we need to be able to VPN in from Arizona to Colorado. Any suggestions would be greatly appreciated.


  • Options

    There is a post here from Iain_G which said that there was a successful BOVPN setup from a WG firewall behind a Starlink to another not behind a Starlink.

    VPN : T35-R to T35-R with Starlink at BOTH ends

    No success when both were behind a Starlink, presumably because of multiple Starlink devices using the same public IP addr.

    I would assume that the success requires the firewall behind the Starlink to be the initiator of the BOVPN connection.

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Karim

    How does your traffic show up in traffic monitor when you attempt to do this?
    -If you see red Deny messages for your traffic trying to go across the VPN, ensure that there's a policy to allow that traffic out.
    -If you see green Allow messages, does the traffic show that it's going to the correct interface? If there's any kind of IP address overlap on the distant side, you may not be able to send traffic.

    -James Carson
    WatchGuard Customer Support

  • Options

    Thanks guys for your answers but unfortunately Starlink is a bit complicated. Starlink uses CGNAT and their IPs are not public IPs, so no DDNS, or any of that can be used. The BOVPN over TLS can work because the watchguard firebox on the Starlink network is set as a client and initiate the connection like any personal vpn application, but this is a one-way street. I have not setup a BOVPN over TLS yet, so my assumption may be wrong in thinking that the tunnel will only go one way. So really my question is, once a tunnel is created through a BOVPN over TLS is the tunnel a 2 way channel? Can anyone confirm? Thank you.

  • Options

    You can see the public IP addr that outgoing access from the Starlink firewall uses from whatismyipaddress.com
    That would be the public IP addr that you can use for the BOVPN setup.

    BOVPN over TLS is bi-directional.
    From the docs:

    . Devices on the local network behind Firebox A can connect to the local networks behind the Fireboxes (n).
    . Devices on the local networks behind Fireboxes (n) can connect to the local network behind Firebox A.

    About Branch Office VPN over TLS

  • Options

    Bruce, the public IP you get on the Starlink network is not a routable IP since it is using CGNAT. It is the same principle then trying to reach a PC with a private IP behind a watchguard NAT. Actually, the Watchguard public interface gets a dynamic IP which is a none routable IP that is not the public IP you get from WhatIsMyIP, that is why the regular BOVPN cannot be setup.

    Hummm... I misread the manual info about the BOVPN over TLS. Indeed, it seems that it is a bidirectional tunnel. That is awesome. I need to have someone on location in Colorado to switch the Starlink modem into pass-through mode first. I will report back as soon as I have it done.

    Thank you Bruce!

  • Options

    Clearly the Starlink public IP is routable since you do get reply packets from the Internet back though the Starlink public IP addr to your local Starlink device to whatever is connected behind that.

    However I don't disagree that CGNAT seems to prevent incoming connections/sessions.

    Note my statement above which is what you will be doing with your BOVPN TLS connection - initiating the connection from behind the Starlink device.
    "I would assume that the success requires the firewall behind the Starlink to be the initiator of the BOVPN connection."

Sign In to comment.