PepVPN w/ Carrier Grade NAT

In order to establish a PepVPN between a product like Balance One Core and FusionHub deployed in Azure or AWS, it is required that one of the two WANs has a Public IP address.

In my case, I have Starlink on WAN 1 and a AT&T LTE Modem (Nighthawk M1) on WAN 2. Starlink doesn’t offer Public IP addresses and is very limited in terms of being configured while AT&T uses Carrier Grade NAT (CGNAT) which also means no Public IP address.

The result is a newly created PepVPN connections hangs forever trying to connect. Argh!!

Is there really no work around for this? I’m a little confused why PepVPN requires on both end points whereas services like SpeedFusion Cloud, which I’m assuming is doing a very similiar VPN connection between the Balance One and their own instance running in their cloud, does not require knowledge of my WAN Public IPs. To be clear, SpeedFusion Cloud works fine in my situation, but I am after the throughput capability and configuration granularity of FusionHub in Azure.

Does any clever person here have a work around for customers like me with no Public IP address on either WAN port?

1 Like

Welcome to the forum!
I have the same deployment situation as you (Starlink and LTE) and can build a tunnel to a hosted
Fusionhub fine.

I suspect your AZURE network security settings are blocking TCP 32015 and UDP 4500 inbound. Suggest you start fault finding there.

For PepVPN /SpeedFusion to build between two endpoints only one needs a public routable IP for inbound traffic. I build PepVPN/Speedfusion tunnels many times a day from CNAT only WAN IPs to Hosted Fusionhubs with no issue.


Huge thanks, MartinLangmaid! You were correct. The root cause of the issue is I fat-fingered 32015 to be UDP instead of TCP. When I read that one of the WANs needed to be a Public IP I vectored off full steam in the wrong direction.

Thank you very much for the guidance, I really appreciate it! It’s all up and working now :slight_smile:

1 Like