Good Morning All,
Hope you are doing well.
I’m currently looking into providing an OpenVPN service so integrators can access their respective systems. We had an OpenVPN server running on a pfSense, which we still do, but due to our SpeedFusion setup, NAT is getting in the way of it. This is the current topology:
Starlink public IP (100.100.23.80 as an example) > Pepwave SDX 172.17.50.x/24 > pfSense (OpenVPN server) > VLANs.
I was wondering if there is a way to skip NAT for this particular service? I have 4 SDX uplink VLAN interfaces for this. I could use one specifically for this setup.
In order to “skip NAT” for this, you would need a /30 or larger to give you multiple IPs, and then provide one of them directly to your pfSense box (assuming you wanted to continue hosting on the pfSense box).
One additional note: you say “Starlink Public IP (100.100.23.80…)”, but that is not a public IP, that is a CGNAT address which is not publicly routable. In this case you would actually not be able to host OpenVPN at all with the SDX or pfSense acting as an OpenVPN server, because there is no publicly accessible IP for clients to reach.
There are a few ways to do this with FusionHub or a Peplink device as an appliance in a location with a public IP that is connected via SpeedFusion to your SDX.
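A quick way to check the point made in the reply above (whether a WAN address is even reachable from the internet) is to classify it against the IANA special-purpose blocks. The script below is an added example and not part of this thread; the CGNAT block 100.64.0.0/10 is RFC 6598 shared address space, the 100.100.23.80 address is the one quoted in the question, and the SDX LAN address 172.17.50.1 is assumed (the question only gives the /24).

```python
"""Classify IPv4 addresses and decide whether an inbound VPN server behind
that address could be reached from the public internet.

Added example for the thread above, not the poster's configuration.
The address blocks are the IANA special-purpose registry entries relevant
to a WAN-side check; the example hop addresses are constructed.
"""
import ipaddress

# Blocks that are never routed on the public internet. 100.64.0.0/10 is the
# RFC 6598 "shared address space" that ISPs use for carrier-grade NAT; a host
# with such an address sits behind the ISP's NAT, so nothing on the internet
# can open a connection to it.
NON_ROUTABLE = (
    ("cgnat", ipaddress.ip_network("100.64.0.0/10")),
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("this-network", ipaddress.ip_network("0.0.0.0/8")),
    ("documentation", ipaddress.ip_network("192.0.2.0/24")),
    ("documentation", ipaddress.ip_network("198.51.100.0/24")),
    ("documentation", ipaddress.ip_network("203.0.113.0/24")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
    ("reserved", ipaddress.ip_network("240.0.0.0/4")),
)


def classify(addr: str) -> str:
    """Return the kind of address: 'cgnat', 'private', ..., or 'public'."""
    ip = ipaddress.IPv4Address(addr)
    for label, net in NON_ROUTABLE:
        if ip in net:
            return label
    return "public"


def can_host_inbound_vpn(addr: str) -> bool:
    """An OpenVPN (or any) server is reachable from the internet only when
    the address clients would dial is publicly routable."""
    return classify(addr) == "public"


def check_topology(hops):
    """Classify every hop of a WAN -> LAN chain and report the first hop
    (outermost) whose address is not public, since that is where inbound
    connections from the internet stop."""
    report = [(name, addr, classify(addr)) for name, addr in hops]
    blocker = next((name for name, _, kind in report if kind != "public"), None)
    return report, blocker


# Constructed topology matching the thread: the quoted Starlink address and
# an assumed SDX LAN address inside the 172.17.50.x/24 given in the question.
EXAMPLE_HOPS = [
    ("Starlink WAN", "100.100.23.80"),
    ("Pepwave SDX LAN", "172.17.50.1"),
]

if __name__ == "__main__":
    report, blocker = check_topology(EXAMPLE_HOPS)
    for name, addr, kind in report:
        print(f"{name:16} {addr:16} {kind}")
    if blocker:
        print(f"inbound VPN not reachable: {blocker} has no public address")
```

The outermost hop decides the outcome: a CGNAT address on the Starlink side means no port forward on the SDX or pfSense can make the server reachable, which is what motivates terminating the tunnel on a box that does hold a public IP.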
So the Peplink SDX primary untagged LAN should be a /30 and have only two IPs?
No, don’t do this. The /30 was referring to your public block, but since you’re using Starlink you can’t get a /30; you essentially get a single static IP from a larger block and Starlink routes this for you.
Assuming you’re not running any additional VPNs on that network/Peplink, you could simply forward the OpenVPN ports to the pfSense box (insert normal warning for port forwarding, etc. here). This may be the easiest given your setup and having Starlink. If you do this, given that your Starlink IP will change, you can use FindMyPeplink as DDNS and use that in your OVPN config files.