DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 2865 on Starlink Dial-Out VPN for Draytek 3900 on Gigabit Fibre.

08 Aug 2024 17:34 - 08 Aug 2024 17:35 #1 by Austin
Hello all,

I have a remote location that's connected using Starlink and all the CG-NAT nonsense that implies.

We have a requirement to occasionally reach devices at the remote location, so we're looking at VPN options. The 2865 is using the latest 4.4.5.1_BT firmware; the (admittedly venerable) 3900 is also using the latest firmware, 1.5.1.5, although this dates back to 2023.

Because the 3900 doesn't have VPN Matcher as an option (the 2865 does), my only options are for the 2865 to dial out VPN using one of SSL VPN, OpenVPN or (eek) PPTP.  However, I can get none of these options to work.

I'm configuring a LAN to LAN profile on the 2865 in each case, set to be always on, dial-out with the correct username for each VPN type. I've used SSL VPN in this mode before without issue, so this was my first approach - no dice. Next I tried configuring OpenVPN on the 3900. I can successfully connect back to the 3900 using the OpenVPN Connect client and the exported .ovpn file from a computer behind the Starlink (so I know that isn't an issue) but can I get the 2865 to connect this way? Not a chance. In desperation I tried PPTP, but the same applies. I guess Starlink may block PPTP since it's ancient and insecure.

Does anyone have any ideas / pointers for me?  I'm confident that the 3900's config is good, since I have other SSL VPN connections working to it, plus the OpenVPN works with the client on a laptop as previously provided so I'm comfortable that the .ovpn file is good, and the user I've created etc.

Puzzling!
Last edit: 08 Aug 2024 17:35 by Austin.

15 Aug 2024 13:22 #2 by pharcyder
I can't answer your question directly but you do have a couple of options to make your remote site accessible behind a CGNAT:
  1. Use your 2865 to dial out to your 3900 using IPsec or WireGuard if the 3900 supports it.
  2. Deploy Tailscale on a device that sits behind your 2865 and on devices at your main site. It's almost zero config and will traverse networks even if all parties are behind a CGNAT. Free for personal use, cheap for SMEs. 


Moderators: ChrisSami