Starlink and Harware based VPNs

[RedneckRedcoat]

I’m an IT Consultant, and one of the companies that I work for has asked me to put a secondary VPN in for when I’m outside of US waters . Been using Starlink for over a year and are happy with it.

The company has a software VPN on the provided laptop and Laptop VM but they are asking that I get a U.S. based Ip address and look at putting a hardware VPN in line with my Starlink. I know that a lot of traffic goes though Stalinist Atlanta Hub but there is no actual VPN option with the Starlink router.

Can you use a VPN with Pepwave or Raymarine’s Yacht Link with a VPN provider ?

Anyone have any experience with this for those that still hold corporate jobs down and require VPN services ?

[wholybee]

You can put the Starlink router in Bypass and use any other router with it. VPN's supported in the router work fine.

What might not work is a VPN through a VPN. That is, if you have a VPN to a VPN provider via your router, and then you VPN to the company via the VPN on your laptop, that might be an issue.

Does the companies VPN require whitelisting an IP address, and is that why they want you to have a US IP address? Using a VPN provider isn't adding any security, and it throughs up all kinds of red flags to any good security team. Occasionally one of my users will check email from home while their 3rd party VPN is up, and their account is instantly locked out and an email sent to me to advise of the situation.

Check with Starlink about a business account. More money, but you can get a static IP address instead of a CGNAT address. That would be a much better solution. And after all, it does seem this is a business use.

[RedneckRedcoat]

Thanks for replying , yes they require that I maintain a U.S. IP address so that I’m not blocked

[svmobert]

You can use a Peplink router with SpeedFusion to route through a US endpoint or through your land home ISP connection depending on how you deploy it. I host dedicated SpeedFusion endpoints with static/public IP's for customers who neeed that, which would also allow vpn/port forwarding INTO the boat network if you wanted that. But if you just need a US IP address regardless of your location then a SpeedFusion cloud endpoint or a Home Relay would work.

Let me know if you want help setting up the Peplink for this.

Quote:

Originally Posted by RedneckRedcoat

Thanks for replying , yes they require that I maintain a U.S. IP address so that I’m not blocked

[RedneckRedcoat]

Quote:

Originally Posted by Sea-TechSystems

You can use a Peplink router with SpeedFusion to route through a US endpoint or through your land home ISP connection depending on how you deploy it. I host dedicated SpeedFusion endpoints with static/public IP's for customers who neeed that, which would also allow vpn/port forwarding INTO the boat network if you wanted that. But if you just need a US IP address regardless of your location then a SpeedFusion cloud endpoint or a Home Relay would work.

Let me know if you want help setting up the Peplink for this.

Do you have contact details ? I will have some other questions

[svmobert]

Hi,

You can send email to ahoy@sea-tech.com.

Quote:

Originally Posted by Sea-TechSystems

You can use a Peplink router with SpeedFusion to route through a US endpoint or through your land home ISP connection depending on how you deploy it. I host dedicated SpeedFusion endpoints with static/public IP's for customers who neeed that, which would also allow vpn/port forwarding INTO the boat network if you wanted that. But if you just need a US IP address regardless of your location then a SpeedFusion cloud endpoint or a Home Relay would work.

Let me know if you want help setting up the Peplink for this.

[s/v Jedi]

Quote:

Originally Posted by RedneckRedcoat

Thanks for replying , yes they require that I maintain a U.S. IP address so that I’m not blocked

Tell them that they are idiots. Every lunatic can get a free VPN with US IP address, it’s completely BS’ed illogical nonsense to use that kind of security!

[wholybee]

Quote:

Originally Posted by s/v Jedi

Tell them that they are idiots. Every lunatic can get a free VPN with US IP address, it’s completely BS’ed illogical nonsense to use that kind of security!

It really depends on the company. I did work for a company where the data i saw could not be legally seen by anyone outside the US. Didn't matter who they were, if not on US soil, they could not connect to the network.
I was required to have a US static IP address to be whitelisted, and they were able to detect if i was using a 3rd party VPN and would be locked out if i used one.
Regardless of that restriction, i would say any company with good security would block any connection from a free VPN service. No reason ever to allow that.

Anyway, the question i have for the OP. Are you being asked to stay in the US, and you intend not to, and want to hide your location? Because that really isn't ok. And if the company is aware of your intents, your IP address should not matter as long as you use the company's VPN.

[s/v Jedi]

Quote:

Originally Posted by wholybee

It really depends on the company. I did work for a company where the data i saw could not be legally seen by anyone outside the US. Didn't matter who they were, if not on US soil, they could not connect to the network.
I was required to have a US static IP address to be whitelisted, and they were able to detect if i was using a 3rd party VPN and would be locked out if i used one.
Regardless of that restriction, i would say any company with good security would block any connection from a free VPN service. No reason ever to allow that.

Anyway, the question i have for the OP. Are you being asked to stay in the US, and you intend not to, and want to hide your location? Because that really isn't ok. And if the company is aware of your intents, your IP address should not matter as long as you use the company's VPN.

Whitelisting a certain IP address is great and it also is completely different than requiring a US based IP address. Also, it is not true that users of US IP addresses are on US soil, so you simply can not block people who are not on US soil, it is impossible.

You also can’t block VPN IP addresses. You can block some, but you can never block all because you simply do not know all. Anyone can order a dedicated IP address which is completely undistinguishable from any other regular US based address… because it -is- a regular US based address.

Access security should be based on the person that is allowed in having a key to open the door.

[shimari]

"look at putting a hardware VPN in line with my Starlink"

Do they really mean a hardware? If so, you probably want to clarify what qualifies as a HW VPN. A peplink router may qualify as it can do PPTP with 256 bit AES. I think it can do IPsec as well, but I'm not sure.

I've a big fan of Tailscale, https://tailscale.com/security/, Their free tier includes most everything and allows three users and unlimited devices. Starlink uses carrier grade NAT (CGNAT) so you don't get a publicly addressable IP address as mentioned earlier. I've Raspberry Pi running SignalK on our boat along with Tailscale. I can connect remotely and stream data from the boat anywhere in the world securely.

I also use a Peplink router, but I've not played with their VPN/bonding solution much yet.

There's no need for you to get a biz starlink, and I'm not sure you can roam with it. If you get a Peplink, you can get a Google FI account and get a data SIM card that the Peplink will bond and allow you to prioritize Teams, Zoom etc. If Starlink drops (which it does sometimes), your stream is unaffected.

If your employer is paying, I'd go with Peplink via Doug Miller at Onboard Wireless, https://onboardwireless.com. He's incredibly helpful and knowledgeable. If you have to pay, I'd get a Raspberry Pi and install Tailscale. Then, open an account at Digital Ocean and spin up a Linux box as a Tailscale exit node in NYC or SFO. That's what I do when I'm traveling internationally.

Feel free to PM if you have any specific questions - happy to help.

[wholybee]

Quote:

Originally Posted by s/v Jedi

Whitelisting a certain IP address is great and it also is completely different than requiring a US based IP address. Also, it is not true that users of US IP addresses are on US soil, so you simply can not block people who are not on US soil, it is impossible.

You also can’t block VPN IP addresses. You can block some, but you can never block all because you simply do not know all. Anyone can order a dedicated IP address which is completely undistinguishable from any other regular US based address… because it -is- a regular US based address.

Access security should be based on the person that is allowed in having a key to open the door.

I will argue that most VPN IP addresses are known, and to the extent that they are not, it is only a matter of time. The whois database can be used not with 100% reliability, but if you are conservative you can block most VPNs, as well as some false positives, which are not really a problem. Just block any IP that has an incomplete or anonymous whois record.

Having a US IP address does not guarantee you are on US soil. But, combined with a whitelist, it does, because you can specifically verify that one IP address. It isn't difficult, for example an IP address that is part of a block that Comcast assigns in San Francisco, cannot be outside the US. Again, easy with whois.

And while I agree in concept that what matters is who you trust with the keys, in my case US Law did not allow the content I was viewing to be viewed outside the US. It didn't matter who had the keys. Many employers right now will allow someone to work from home, but probably don't want them cruising in Mexico. So wanting a static IP in the US is perfectly reasonable.

[SeaShred]

No offense but How are you an IT consultant and not know this? This is basic IP routing. Of course you can easily configure a VPN link to your home network, no need to pay anyone or use some third party app. Get two of your favorite VPNs set up one at home and one on the go.

Now you control the keys and your endpoints.

Any corporation worth anything is routed through security i.e. VPN, IDS, Packet Shapers etc this is very basic stuff.

No work will not know you left home. Unless they are trespassing on your home network. Which is very wrong and I would leave that company and sue the crap out of them if they did.

[ohgary]

While not specifically marine, I have a VPN server on my home internet connection so regardless of where I am locatedt It looks network wise like I am home. I use openwrt on an old router. The VPN router sets between my internet modem and my normal router.

I use this for both streaming and my stream appears from my home IP. I use it with a company laptop that has a VPN already on it so vpn over vpn.

Remote routers sets up a tunnel to the home router, anything remote is bounced through the home location. the company laptop goes over the tunnel then off to the work location.

[s/v Jedi]

Exactly, you can use any normal US based IP from anywhere on the Internet as your source address using VPN’s.