Starlink Site to Site VPN – How to Set Up – Common Issues

Starlink is not an ideal choice for networks that need to support site to site VPN connectivity. There are several important reasons that site to site VPN doesn’t work well with Starlink. There are also several solutions that can enable site to site VPN to work with Starlink if you absolutely need to use it.

  1. CGNAT IP address is provided to Starlink users rather than a publicly routable IP address
  2. Connection instability makes VPN connectivity less reliable than with traditional broadband
  3. Upload bandwidth is relatively low with Starlink
  4. Average latency (ping) of 65 – 90 ms is too high for many site to site VPN applications
  5. Starlink blocks certain ports that some VPN systems rely on for negotiation

By far, the biggest challenge to using site to site VPN with Starlink is the lack of a public routable IP address. Starlink provides users of their standard Residential Internet Service with CGNAT private IP addresses. CGNAT makes site to site VPN virtually impossible to set up in the traditional way.

Starlink Business customers have the option of getting a publicly routable IP address instead of a CGNAT IP address. However, it is important to note that the public IP address offered by Starlink for Business is a dynamic IP address rather than a static IP address that typically comes with a business-class internet connection. Based on my hands-on testing with Starlink Business, it would appear that your public IP changes quite frequently. In some cases, it was changing daily.

This means that you would definitely need to use dynamic DNS or some other technology designed to map a domain name to an ever-changing dynamic IP address.

The bigger challenge is using site to site VPN with regular Starlink Residential service. Most people are going to be using Starlink Residential, which currently costs either $90 or $120 per month, depending on your location.

Starlink Business costs between $250 and $500 per month, depending on your location. Starlink currently asks you to contact them for a Starlink Business quote rather than listing a definitive price.

Nonetheless, you will be paying a minimum of $250 per month for Starlink Business if you want a publicly routable IP address on Starlink. Keep in mind that this is a dynamic IP and changes frequently. Starlink does not offer fixed IP addresses, even with its business plan.

Connection Instability Issues

Starlink is generally reliable. However, it is not completely stable at this time. Even with thousands of low earth orbit (LEO) satellites in orbit, there are still lapses in coverage where you will experience a momentary drop in service. For general web browsing, this is generally not an issue. However, for VPN it is quite problematic and site to site VPN is no exception.

Generally, a drop as short as even 10 seconds can be enough to bring down even the most stable of VPN tunnels. Starlink drops of 10 – 20 seconds occur somewhat regularly and make stable VPN connectivity challenging.

The positioning of your Starlink dish is also critical in determining how many drops you will experience. Some people experience more drops in their service due to trees or other obstructions blocking their dish from having a clear view of the sky.

However, even with a properly placed Starlink dish and no obstruction, drops in signal will occur somewhat frequently. This makes site to site VPN connectivity challenging. Some VPN concentrators are more forgiving than others.

Based on my experience working as a system administrator, Meraki and Sophos VPN tend to be the most tolerant of some connection interruptions.

Other VPN concentrators, including those from Fortinet, Ubiquiti, Juniper Networks, and some older SonicWalls, tend to drop almost the moment that there is even a hint of an interruption in internet service.

One VPN connection that I could not get to work at all, even using Starlink Business, was using a pair of Unifi UDM Pros. No matter what I did, the tunnel would drop after just 30 – 40 seconds of connectivity. Previously I was using the Unifi UDM Pros with Comcast Business, and site to site VPN worked perfectly.

Using OpenVPN rather than IPsec can also help to improve site to site VPN stability on Starlink.

Starlink offers pings in the 65 ms – 90 ms range (on average) with some spikes of 300 ms or more during normal operation. This is significantly lower than with HughesNet, Viasat, and any other legacy satellite internet providers.

However, 65 ms – 90 ms is still significantly higher than that of a traditional fiber or coaxial cable (DOCSIS) based internet service. Many applications that people use site to site VPN for expect to see latency of 50 ms or less.

Generally, this is not an issue as most cable or fiber internet services can deliver latencies of 10 ms – 30 ms consistently. However, when you try to use applications and services that are designed around having a 30 ms or lower latency on a connection with 90 ms of latency, you will experience performance issues.

Upload Speed is Lower than Cable or Fiber

Starlink upload speeds of 10 Mbps or less also make site to site VPN less than ideal. Depending on what the VPN is being used for, 10 Mbps may be fine.

However, when compared to the 100+ Mbps that is typical with fiber, Starlink really shows its limitations. Depending on the type of traffic, the number of users, and the amount of total bandwidth, this may or may not matter to you. However, it is definitely something to be aware of if using VPN on Starlink.

Running a VPN server on a network exclusively connected to the internet via Starlink is not recommended. CGNAT makes connecting to the VPN server from the outside next to impossible without the use of an outside gateway solution.

If you do want to run a VPN server on a network served by Starlink Internet, you will need to get Starlink Business. With Starlink Business, you get a publicly routable IP address that can be used to enable connections from the outside.

You will still need to use dynamic DNS or similar technology, given that Starlink Business IPs are not static and change frequently.

The closest thing to a site to site VPN that you can set up using regular Starlink with CGNAT is a connection to a cloud-hosted VPN server. With this option, the cloud server has a public IP address and makes the connection between the two sites.

This option is a bit more complicated than setting up a traditional site to site VPN but is relatively straightforward for someone with a little bit of knowledge of Linux.

Cloud platforms such as Amazon Web Services (AWS), DigitalOcean, and Google Cloud make ideal choices for this. Generally, you can get away with using the smallest size server for running your VPN.

The nice thing about cloud servers is that you can easily scale them up and down as needed based on your particular needs at that time.

Enabling remote access to a device that is connected to the internet via Starlink is best done using an agent-based solution. Software such as LogMeIn, TeamViewer, and ConnectWise are all options that work better with Starlink than VPN.

Due to how these remote access applications work, they are not affected by CGNAT limitations. VPN is not the preferred solution for networks that are solely using Starlink for their WAN connection.

Using site to site VPN with regular Starlink Internet does not work. The CGNAT IP address doesn’t allow for outside connections.

There are a couple of solutions that can be used to get around the problem. The first one, and by far the easiest, is to upgrade to Starlink Business, which comes with a publicly routable IP address.

Another more complicated option that would work with standard Starlink service would be to put the VPN on a cloud server with a static IP address. It is possible to spin up a server using popular services such as Amazon Web Services (AWS), DigitalOcean, or Google Cloud and to route your VPN traffic through that.

This is not exactly a Starlink site to site VPN tunnel in the traditional sense, but it can replicate the functionality by allowing all traffic to flow through the central server located in the cloud.
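The choice between a direct tunnel and a cloud relay described above can be worked out from each site's WAN address, since CGNAT addresses come from the shared range 100.64.0.0/10 (RFC 6598). The following is an added example, not code from the original article; the site names and sample addresses are constructed, and `classify_wan` and `plan_tunnel` are hypothetical helper names.

```python
import ipaddress

# RFC 6598 shared address space, used by carrier-grade NAT (CGNAT).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges (seen when the firewall sits behind another router).
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(addr: str) -> str:
    """Return 'cgnat', 'private' or 'public' for an IPv4 WAN address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this example only handles IPv4 WAN addresses")
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved):
        raise ValueError(f"{addr} cannot be a WAN address")
    if ip in CGNAT_NET:
        return "cgnat"
    if any(ip in net for net in RFC1918_NETS):
        return "private"
    return "public"


def plan_tunnel(sites: dict) -> dict:
    """sites maps a site name to (wan_ip, ip_is_static) for exactly two sites."""
    if len(sites) != 2:
        raise ValueError("expected exactly two sites")
    public = [n for n, (ip, _) in sites.items() if classify_wan(ip) == "public"]
    if not public:
        # Neither side can accept inbound connections: both dial out to a
        # cloud-hosted VPN server that has a public address.
        return {"topology": "cloud-relay", "responder": None, "needs_ddns": False}
    # Prefer a responder whose address is static; otherwise any public one.
    public.sort(key=lambda n: not sites[n][1])
    responder = public[0]
    # A dynamic public address (as on Starlink Business) needs dynamic DNS.
    return {"topology": "direct", "responder": responder,
            "needs_ddns": not sites[responder][1]}


if __name__ == "__main__":
    # Constructed sample: two sites, both behind CGNAT.
    print(plan_tunnel({"cabin": ("100.72.13.5", False),
                       "office": ("100.101.4.9", False)}))
```

The WAN address to feed in is the one shown on the firewall's WAN interface, not the address reported by an external "what is my IP" service, which shows the provider's shared public address.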

IPv6 is also an option that could be used to create a site to site VPN tunnel now that it is officially supported on Starlink.