How to reach a router behind a CGNAT?

I have a user that will use a residential StarLink on location, and that thing is behind a CGNAT.

How to punch through to make a WireGuard work for remote access / admin?

The BTH function is made exactly for such cases.

Thank you very much! :sunglasses:

But don’t do it in prod.

It’s only for HO.

Why? It is WireGuard, with a specific client in it. Should be quite safe. Or? What am I missing?

(I have done some tests today, but nothing much. Didn’t work out of the box, need some tweaking.)

It’s working today, but maybe not tomorrow.
Take a look at this answer from Mikrotik’s own support technician:
http://forum.mikrotik.com/t/new-feature-back-to-home-vpn/168434/409

A bit over the top, but it should not be used by a business entity, as on occasion (not very frequently) the Mikrotik servers have gone offline. A couple of times a year is probably a safe bet.
Nothing for you to worry about unless you’re a hospital, a bank or any business requiring 24/7 VPN uptime.
If that is a concern, then rent a server in the cloud for, like, $7 a month, put a CHR on it and use that as the WireGuard server.

Exactly my point. If a client is not willing to shell out for a business connection with a fixed IP, then I don’t really see them being willing to finance the configuration and maintenance of a CHR instance.

As for the price of the cloud server: the issue is not the few bucks needed to make it work, but the time to do so. All these costs need to be passed on to the client, and it adds up. It is simply more cost-effective to have business-class internet access.

Also, 24/7 is overrated for most use cases.

(Also, I haven’t forgotten about that EAP I promised you, but I have so much work to do that I couldn’t yet muster the time for a write-up.)

Why is a CHR necessary just for a WireGuard peer? It can be set up on Linux running on a cloud server and save some money on the CHR licence. Once the Linux setup is created, an image can be made of it for reuse.
Initially some time will be spent creating the setup, but later it should be much faster, and one can charge more for know-how than for time spent, and profit from such clients.

So we must clarify what business use means. If BTH is used for occasional management access by a support company, then a support intervention is not possible while the BTH infrastructure is unavailable. That’s definitely unpleasant, but it is not the same as if BTH were hypothetically used to provide a service to end customers, because support interventions are only required at random times and the BTH infrastructure becomes unavailable at other random times, so the probability that these two events coincide is not that high.

But looking at it from the other side: if I provide support, it should not be a big deal for me to have a public (or global) IP address and let these customers actively connect to it, so that I could reach their router for support interventions?

Concur with Sindy: if you are providing a paid service, then having your own cloud WireGuard to support all your clients (shared cost) is the smart way to go.
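The cloud hub the posts above describe (a cheap VPS running CHR or plain Linux) works because the MikroTik behind Starlink’s CGNAT is the side that dials out, while the hub only listens and follows whichever source address the carrier NAT presents. The script below is an added example for this thread, not MikroTik’s code and not any poster’s config. It renders the three pieces: the Linux hub’s wg-quick `wg0.conf`, the RouterOS 7 commands for the spoke behind CGNAT (including the input-chain rule that restricts admin access to tunnel addresses), and the support laptop’s config. `vpn.example.net`, `10.66.0.0/24`, `192.168.88.0/24`, the interface name `wg-hub` and the key names are assumptions. Keys are derived in-script with a minimal RFC 7748 X25519 ladder only so the block runs offline with valid keys; on a real hub use `wg genkey | tee private | wg pubkey`, and RouterOS generates its own pair when the interface is created.

```python
"""Hub-and-spoke WireGuard for a MikroTik behind Starlink's CGNAT (added example).
The CGNAT peer must initiate and keep the carrier's UDP mapping alive; the hub only
listens. Names/addresses are assumptions; X25519 is inlined only to run offline."""
import base64
import os
from dataclasses import dataclass

P = 2**255 - 19
HUB_ENDPOINT = "vpn.example.net"   # assumed DNS name of the fixed-IP VPS
HUB_PORT = 51820
TUNNEL_NET = "10.66.0.0/24"        # assumed tunnel subnet; the hub is .1

def x25519(k: bytes, u: int = 9) -> bytes:
    """X25519(k, u) per RFC 7748 sec. 5; u = 9 (base point) yields the public key."""
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64                 # clamp the scalar
    kk = int.from_bytes(kb, "little")
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):                                # Montgomery ladder
        kt = (kk >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def keypair() -> tuple[str, str]:
    """Fresh (private, public) pair in the base64 form wg and RouterOS expect."""
    priv = os.urandom(32)
    return b64(priv), b64(x25519(priv))

@dataclass
class Peer:
    name: str
    tunnel_ip: str        # this peer's /32 inside the tunnel
    pub: str
    lan: str = ""         # LAN behind the peer that the hub may route to

def hub_conf(hub_priv: str, peers: list[Peer]) -> str:
    """wg-quick /etc/wireguard/wg0.conf for the Linux hub."""
    out = ["[Interface]", "Address = 10.66.0.1/24", f"ListenPort = {HUB_PORT}",
           f"PrivateKey = {hub_priv}",
           "PostUp = sysctl -w net.ipv4.ip_forward=1"]        # hub routes peer<->peer
    for p in peers:
        allowed = f"{p.tunnel_ip}/32" + (f", {p.lan}" if p.lan else "")
        # No Endpoint and no keepalive on purpose: the hub cannot reach a CGNAT peer
        # by itself; it accepts the spoke's handshake and roams with the source
        # address/port the carrier NAT presents.
        out += ["", f"# {p.name}", "[Peer]", f"PublicKey = {p.pub}",
                f"AllowedIPs = {allowed}"]
    return "\n".join(out) + "\n"

def routeros_spoke(spoke_priv: str, spoke_ip: str, hub_pub: str) -> str:
    """RouterOS 7 CLI for the MikroTik behind CGNAT (interface name assumed)."""
    return "\n".join([
        f'/interface/wireguard add name=wg-hub listen-port=13231 private-key="{spoke_priv}"',
        f'/ip/address add address={spoke_ip}/24 interface=wg-hub',
        # The spoke dials out (endpoint-*) and re-sends every 25 s so the CGNAT's UDP
        # mapping never expires; without the keepalive the hub loses the spoke a few
        # minutes after the last real packet and nobody can dial back in.
        '/interface/wireguard/peers add interface=wg-hub '
        f'public-key="{hub_pub}" endpoint-address={HUB_ENDPOINT} '
        f'endpoint-port={HUB_PORT} allowed-address={TUNNEL_NET} '
        'persistent-keepalive=25s',
        # Admin access only from tunnel addresses, placed above the default
        # "drop everything not from LAN" input rule.
        '/ip/firewall/filter add chain=input in-interface=wg-hub '
        f'src-address={TUNNEL_NET} protocol=tcp dst-port=22,8291 '
        'action=accept comment="admin over WireGuard" place-before=0',
    ]) + "\n"

def admin_conf(admin_priv: str, hub_pub: str, spoke: Peer) -> str:
    """wg-quick config for the support laptop, itself behind a home NAT."""
    return "\n".join([
        "[Interface]", "Address = 10.66.0.10/32", f"PrivateKey = {admin_priv}",
        "", "[Peer]", f"PublicKey = {hub_pub}",
        f"Endpoint = {HUB_ENDPOINT}:{HUB_PORT}",
        f"AllowedIPs = {TUNNEL_NET}, {spoke.lan}",   # spoke's LAN is reached via the hub
        "PersistentKeepalive = 25"]) + "\n"

def build_site(spoke_lan: str = "192.168.88.0/24") -> dict[str, str]:
    """One hub, one CGNAT spoke, one admin laptop: all three configs."""
    hub_priv, hub_pub = keypair()
    spoke_priv, spoke_pub = keypair()
    admin_priv, admin_pub = keypair()
    spoke = Peer("starlink-site", "10.66.0.2", spoke_pub, spoke_lan)
    admin = Peer("support-laptop", "10.66.0.10", admin_pub)
    return {"hub": hub_conf(hub_priv, [spoke, admin]),
            "spoke": routeros_spoke(spoke_priv, spoke.tunnel_ip, hub_pub),
            "admin": admin_conf(admin_priv, hub_pub, spoke),
            "spoke_pub": spoke_pub}

if __name__ == "__main__":
    for section, text in build_site().items():
        print(f"===== {section} =====\n{text}")
```

The spoke needs nothing from Starlink beyond outbound UDP to the hub: no port forwarding, no fixed IP, no business plan. The hub’s `AllowedIPs` for the spoke lists both its tunnel /32 and its LAN prefix, which is what lets the laptop reach `192.168.88.0/24` through the hub; the firewall rule is the part that turns a working tunnel into a safe management path, since without it the tunnel interface falls through to the default input chain.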

Just to chip in and send a Christmas thumbs up to anav and sindy. :sunglasses: All the best, guys.

All the best to you and your loved ones in 2025 there AtomD.

This is a mikrotik forum, and I have no clue how to use linux LOL.

Why don’t you use IPv6? The router should be reachable.

Interesting proposition. But I think that local providers still use IPv4 here. Not sure about StarLink?

Would check, as this actually could be useful in practice.

Starlink indeed gives you a /56 global subnet, but only in “bypass” mode (or whatever they call the bridge mode of their router), or if you connect your own router directly to the dishy, bypassing their router that way. So along with a Hurricane Electric tunnel, which allows you to get a global subnet using your IPv4-only uplink, this is the budget way to get there.

We have an end-user Starlink terminal; its configuration is more or less devoid of any options. Currently I have enabled the BTH option and that one works flawlessly. However, I haven’t yet configured the firewall properly, so there is that… I configured BTH on site 2 days ago. I was surprised how easy it was… Probably the easiest setup for anything Mikrotik ever.

As for StarLink, I presume bypass works only for business models, or?

As for the antenna, it draws a lot of power. From what I understand, the Ethernet cable they provide is out of standard, as is the power delivery, as it needs to supply up to 100W+ to the antenna itself? Meaning I can’t really bypass the SL router itself.

It works also for the consumer grade service.


3rd-party solutions are available that allow you to exclude the indoor router from the scheme completely and provide the non-standard power supply via the non-standard connector to the dish, with the data lines on a standard RJ-45 socket. But the “bypass mode” is actually a setting of the “router”, which then becomes a bridge (for some models you need a separate Ethernet adaptor; for others the router has the Ethernet port directly).

This was most informative. Their “bypass mode” is a bit convoluted, though. Do I understand correctly that when I enable bypass mode, what happens is that the router itself is in bridge mode and “dead”, but I will still get a DHCP IP from the antenna itself? It is like both the antenna and the router are kind of redundant? The router then just feeds the antenna and uses it as an internal interface.