I have Starlink Gen 2 in bypass mode.
The hAP ac lite (ROS 7.7) is connected to Starlink via adapter as external router.
Some PCs are connected to the Mikrotik and the Internet works well in this network.
But I need to connect remotely to my Mikrotik router from WAN.
As you know, Starlink uses CGNAT and we cannot access the router by external IP address.
People say that the solution is VPN tunnels. But I don’t know where I should start.
Making the Mikrotik router an OpenVPN server is not working because we cannot forward any traffic to the Mikrotik.
You would have to initiate the VPN from the MikroTik (run a VPN client) to a public VPN server.
Thank you for quick response.
May I ask you for more details:
- Which public VPN server is better to use for this purpose? Is there a free (without paid subscription) service?
- Could you recommend a modern (for ROS 7.7) manual for setting up the Mikrotik as an OVPN client?
To add to what erlinden has said, you first have a server that is publicly accessible. It could be a DigitalOcean droplet virtual server, a Linode instance, or even a RPi server running in a buddy’s rack. The point is that you have a server outside of the CGNAT environment. The MikroTik behind CGNAT initiates and maintains a VPN connection to this server under your control. You VPN to this server, there are rules and accessibility features in place, and thus you can VPN back to your MikroTik.
The only free option is if you have a friend who can run a wireguard server for you (assuming said friend has a publicly accessible WAN IP). Then your mikrotik as a client would connect to the wireguard server at your friend’s house. When away from home, you simply need to also wireguard remotely into the same server at your friend’s house and then you can connect to the Wireguard server.
Install TeamViewer on a PC if that PC belongs to you or is from your company?
When you take over the PC, you can Winbox straight to the Mikrotik.
If you are running RoS v7, ZeroTier would most likely solve your problems with cgnat. ZT is also very easy to administrate using their centralized web interface.
https://help.mikrotik.com/docs/display/ROS/ZeroTier
https://www.zerotier.com/2014/08/25/the-state-of-nat-traversal/
Yeah, TeamViewer is very good at nat traversal.
If it’s a company PC, do not install it without approval as it might be considered a serious security breach by some organisations.
Configure the standard installation using “Unattended Access” or just install the separate package called “TeamViewer Host”
https://www.teamviewer.com/en-us/unattended-access-security/
Also, ZeroTier works through a CGNAT and I know that it works with starlink. Just need an ARM device however.
I remembered that I have VPN paid account at SurfShark.
And I found a detailed tutorial on how to connect the router to the SurfShark VPN servers via IKEv2:
https://support.surfshark.com/hc/en-us/articles/360012906220-Mikrotik-router-tutorial-with-IKEv2
I made all steps successfully. The manual says that I should see the IP address of the selected country’s VPN server on a PC connected to the Mikrotik.
It should be some Poland Server.
But I still have Starlink external IP.
So something goes wrong…
Yeah, if it was an ARM device, ZeroTier would be a better choice as it is extremely good at NAT traversal (better than TeamViewer).
ZT is also very easy to administrate using their centralized web interface, much easier to set up than for example Wireguard.
https://help.mikrotik.com/docs/display/ROS/ZeroTier
https://www.zerotier.com/2014/08/25/the-state-of-nat-traversal/
Unfortunately my hAP ac lite router is not ARM but it is MIPSBE one.
Btw, surfshark won’t help you to enable incoming connections.
I’d install ZeroTier on the local PC and then enable LAN access, or optionally buy a cheap RPi and install it on that if you want ZT up and running 24/7.
Yeah sorry, I missed the “lite” part of hAP. I ran into the remote access to MIPSBE problem myself, which ZeroTier solves perfectly for ARM… It is annoying.
I believe starlink offers public IPs now, but only on the business plans, and those start at US$500/month.
But if you’re looking to access a few devices, you can just install ZeroTier directly on them, and they will be on the same network as the other ZeroTier “members”. You can then use some Remote Desktop (RDP, VNC, TeamViewer, whatever) to one of them over ZeroTier, and you can run winbox (or ssh etc.) on that PC/Mac to access the router.
Or optionally, install ZeroTier on just one of the devices and enable LAN access. Then you will be able to access the entire local network.
@Larsa, what do you mean by “enable LAN access”? I wasn’t aware that was an option in the desktop clients…
@Amm0, @Larsa and others -
Thank you very much for helping.
There are some special points about this router that I am configuring:
The router will be with Starlink in real field conditions. It will be very hard conditions, if you guess what I mean.
I don’t know which client devices will connect to the router. It will be some laptops or mobile phones.
So I can’t use TeamViewer or something else “at PC”.
I have to configure this system to have access to the router.
For now, this system is with me and I have only a few days before I should send it to the field.
Question: Is it 100% that Surfshark can’t help?
That’s the beauty of ZT, it works like any normal network with routing etc.
Let’s use 10.0.0.x as ZeroTier’s internal virtual network, with ZeroTier installed on three computers on three different local networks 192.168.10.x .. 192.168.30.x:

Node   ZT WAN       LAN
1      10.0.0.10    192.168.10.0/24
2      10.0.0.20    192.168.20.0/24
3      10.0.0.30    192.168.30.0/24

If you want to expose the LAN on node 1 (192.168.10.0/24), you only need to push the route using the ZeroTier web control center, menu Managed Routes: “192.168.10.0/23 via 10.0.0.10”.
Then of course you have to take into account the normal settings on the local network such as default gateways, masquerade, src-nat etc., just like any tunnel.
https://zerotier.atlassian.net/wiki/spaces/SD/pages/224395274/Route+between+ZeroTier+and+Physical+Networks
There is also an option to control packet flow and routing on an even more detailed level using “Flow Rules”:
https://docs.zerotier.com/zerotier/rules/
https://www.zerotier.com/2022/05/19/using-flow-rules-to-direct-users-to-services/
Larsa, the issue is that the MT on site is NOT ARM. Therefore it cannot host zerotier.
Point two, he does not control any of the devices connected to the router and thus ZeroTier is not practical.
Conclusion: Need Router connectivity via VPN, native to the router.
His best bet in this case is:
a. a friend who will host a wireguard server on the friend’s MT
b. OP puts an MT router at his own house to host wireguard
c. Business puts an MT router at work to host wireguard
You need an external host for wireguard. Then the MT on site will connect over starlink to that host, opening up two-way traffic.
Thus, the host can be set up to allow traffic from the host to the MT on site from the LAN, or from another wireguard tunnel coming in from a remote user such as yourself (admin).
As far as third-party VPNs go, I don’t think it will work. They are set up mainly for USERS to access the internet outside (and multiple accounts so as to be able to reach the internet through different geographic locations). Not for allowing multiple users to see each other.
I have my own RB3011 (ARM32). It has a static WAN address and it is working 24/7.
So how can this ARM router help for “starlink+hAP ac lite”? May I ask you for the further steps?
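As an added illustration of option (b) from the previous post, with the RB3011 playing the external WireGuard host and the hAP ac lite behind Starlink as the client that dials out: the RouterOS 7 commands below are example configuration written for this page, not from the thread or from MikroTik’s documentation. The tunnel subnet 10.99.0.0/24, the hub WAN address 203.0.113.10, the port 13231 and the `HAP_PUBLIC_KEY` / `HUB_PUBLIC_KEY` / `LAPTOP_PUBLIC_KEY` placeholders are all constructed; paste the real keys from `/interface/wireguard/print` on each router. The two things that make this work through CGNAT are that only the hAP ever initiates (it has an endpoint, the hub has none for it) and the keepalive, which keeps Starlink’s NAT mapping alive so the hub can send back through it.

```routeros
# ===== RB3011 (static WAN 203.0.113.10): WireGuard hub =====
# Private key is generated automatically; read the public key with /interface/wireguard/print
/interface/wireguard/add name=wg-hub listen-port=13231 comment="hub for remote management"
/ip/address/add address=10.99.0.1/24 interface=wg-hub

# Peer 1: the hAP behind Starlink. No endpoint here: the hAP always calls in.
/interface/wireguard/peers/add interface=wg-hub public-key="HAP_PUBLIC_KEY" \
    allowed-address=10.99.0.2/32 comment="hAP ac lite on Starlink"
# Peer 2: the admin laptop (any standard WireGuard client).
/interface/wireguard/peers/add interface=wg-hub public-key="LAPTOP_PUBLIC_KEY" \
    allowed-address=10.99.0.3/32 comment="admin laptop"

# Accept handshakes from the Internet, and let the two peers talk to each other
# through the hub. Both rules must sit above the default drop rules in their chains.
/ip/firewall/filter/add chain=input protocol=udp dst-port=13231 action=accept \
    comment="WireGuard handshakes"
/ip/firewall/filter/add chain=forward in-interface=wg-hub out-interface=wg-hub \
    action=accept comment="laptop <-> hAP via the tunnel"

# ===== hAP ac lite (behind Starlink CGNAT): WireGuard client =====
/interface/wireguard/add name=wg-out listen-port=13231 comment="tunnel out to the RB3011"
/ip/address/add address=10.99.0.2/24 interface=wg-out

# allowed-address covers the whole tunnel subnet so replies to the laptop (10.99.0.3)
# also go back through the hub. persistent-keepalive is what survives CGNAT.
/interface/wireguard/peers/add interface=wg-out public-key="HUB_PUBLIC_KEY" \
    endpoint-address=203.0.113.10 endpoint-port=13231 \
    allowed-address=10.99.0.0/24 persistent-keepalive=25s comment="RB3011 hub"

# Management is reachable only through the tunnel; nothing is opened on the Starlink side.
/ip/firewall/filter/add chain=input in-interface=wg-out protocol=tcp dst-port=8291,22 \
    action=accept comment="Winbox/SSH over WireGuard only"

# Laptop side (standard WireGuard client, for reference):
#   Endpoint = 203.0.113.10:13231, AllowedIPs = 10.99.0.0/24, Address = 10.99.0.3/24
```

To check it, run `/interface/wireguard/peers/print` on the RB3011: the hAP’s peer should show a recent last-handshake and a current endpoint (the Starlink CGNAT address and port). Then `/ping 10.99.0.2` from the hub, and from the laptop connect Winbox or SSH to 10.99.0.2. If the handshake never appears, the usual causes are the input rule on the hub being below a drop rule, or the hAP having no route to 203.0.113.10.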