VPN Setup - Starlink & remote.it

Hello. I am having a difficult time finding a solution for this. My ISP is Starlink. I obviously have a public IP challenge with CGNAT and getting a VPN setup. I want a VPN so that I can have clients GET INTO their networks. The security is a benefit, but I want them to be on their own network, so that they can remotely access systems and hardware.

Additionally, I am looking for a hardware VPN solution. I don’t have a high-end processor router. I would love it if I can use remote.it to connect to an L2TP tunnel, set up in my router. I have one set up, but with Starlink I cannot connect to its server, with the lack of a public IP. I am able to get to my router when I use remote.it. I just don’t know how to get the L2TP tunnel to connect, thereafter.

Any ideas or tips? I am testing this on a Ubiquiti EdgeRouter.

Thank you.

Typically our users want to access specific services on the LAN or device rather than the whole network. This ensures greater security for the LAN and only allows access for users to the specific things that they want to access, such as a NAS, VNC/RDP to specific computers, IP cameras, etc. You do not need a VPN in these situations. You just need one device on the LAN which has Remote.It installed that will be on 24/7 to act as the access point. You can install Remote.It on each device and then set up the services which need access OR if you cannot install Remote.It on a device such as some routers or NVRs, you can use Jump Services. Network Services - Jump Box
General set up instructions can be found here. Getting Started - Connect to a physical device

Your router doesn’t need to be involved in this set up since we are not doing any port forwarding. However, as you can see from the Jump Services article, you can use a router to act as the device which has Remote.It installed. We have a blog post on Ubiquiti Router set up as well. Ubiquiti EdgeRouter support

Brenda, I appreciate and understand what you have mentioned. Fine. However, a few things…

1- I would prefer to have access to anything I want
2- I would prefer to have an encrypted tunnel, from wherever I am in the world, at that time
3- I do already have remote.it on my Ubiquiti router
I set up an http access to point to my NVR, but this is causing me a problem. I keep getting errors when I try to view files. I get a “Missing Plug-in” error. What plug-in? I’m using your app. Where would a plug-in go? This is just another reason that I want a given device, to be able to access my router, via an already-setup VPN, which is hardware based, on my router. I looked at remote.it because you can get me past my Starlink ISP CGNAT-IP issue. That is great. Now I just want to know how to leverage that to get my VPN server connected.

Thank you.

  1. You can still set up a VPN, but there are sometimes challenges with having the VPN on the device where remote.it is running. In this case, try a jump service to your VPN. However, often, you will find that you do not really need a VPN.
  2. With Remote.It, it is always an encrypted tunnel for all connections. We wrap the connection tunnel with encryption on top of the encryption provided by whatever protocol you are using. Unlike traditional port forwarding or open ports, you do not need an IP allow list or completely wide open allow list to connect from anywhere.

What type of NVR? The plugin is usually dealt with by the browser, but your NVR might only want things on port 80/443. Make sure you are using the same browser that you use when you are on the LAN since some NVR webpages require specific browsers and you may need to install the necessary plug-in yourself. This is a browser plugin and not something that Remote.It supplies. We only provide the tunnel and not the software to use the tunnel. I am not sure I can help with the NVR, but I might have had some experience with it. You may need to go to your particular NVR support channels.

I understand most of what you are saying. However, I am concerned with a few items…

  • remote.it limits the amount of devices that can be accessed, and I think you pay per device. If you want unlimited access to your network, that could grow to be quite an extravagant luxury. VPNs have no such restriction or cost, at all.
  • I don’t understand how remote.it works, then. When I open my remote.it app, on my iPad, I can connect. I can get to the login page of my NVR. This one is a test case, and is a Hikvision unit, and it’s on port 8000. There is no browser. I am connecting via the remote.it app. So where would the plugin be, go? I don’t understand.
  • Even if remote.it was free, and totally wide open. How do I utilize proprietary 3rd-party apps, on a phone or tablet, that require you to be on the same network? I connect to the router with remote.it, but how does my app see that I’m on the local network, for me to use that app?

Thank you, Brenda.

If you use one device with multiple jump targets, it counts as one device. A device is an endpoint where remote.it is installed and not the number of services. Which will hopefully ease your concern.
Now that I understand it is a HikVision system, then I understand a bit more. HikVision uses multiple ports for connections.
If you are not using Hik Connect, then we can support you. The Hik Connect app actually is using their cloud which is like a bridge between the site and the user’s Hik Connect app. This is problematic because the Hik Cloud cannot use the connection information from remote.it and requires a public IP and fixed ports. If we are not using Hik Connect then we can proceed with the following.

Set up your services:

Install remote it onto a device on the site where the camera system is installed. You will need a device that will be on 24/7 (in this case your Ubiquiti router). This will act as your jumpbox. Then you will add a service for each camera/port needed. See this article on Jump Services. Network Services - Jump Box
The Hik system requires 4 ports. I do not recall them all, however you typically see them in your Hik System configurations.

Set up your connection(s) (This will be the person and each device using the connections):

Install the Remote.It Desktop application (remote.it Desktop Applications for Windows, macOS, Raspberry Pi OS, Linux, Debian). You will not be able to do this on our web portal app.remote.it.

You will need to disable named connection for this to work:
Click on your avatar in the top left, and then Settings. On the page, toggle the Named Connections field.

For each site which would normally have a public IP address we are going to set up a unique localhost address (127.0.0.2, and so on).

  1. For each service at the site, click on the service, click on Connection Configuration.
  2. Click on Local Network Sharing.
  3. On the second screen, Enable LAN Sharing.
  4. In the Bind IP Address field put in 127.0.0.2 (you will increment this for each new site. i.e. 127.0.0.3, etc). Click Save.
  5. If you are on a Mac, then you will need to allow your Mac to bind on the 127.0.0.2 IP address. Open Terminal and run the following command: sudo ifconfig lo0 alias 127.0.0.2
  6. Then back on the Connection Configuration page, override the Local Port to match the port for the service (for instance if the service is on port 443, set it to 443). Click the check box to save.
  7. Make your connection

Repeat this for all of the services you need for a single site. Then in your application once you make your connections you will use the IP address 127.0.0.2.
Then you can repeat for each new site where you need a remote.it connection for access, only each site should have a new IP address such as 127.0.0.3, 127.0.0.4, etc. If you are using a Mac, you will need to add a binding for each new IP address using the command, for example:
sudo ifconfig lo0 alias 127.0.0.3

I have had several customers use our system successfully for this type of set up on Starlink networks.

In the worst case scenario, you could also Remote Desktop to a windows computer on the LAN where the camera system is located and just use that computer to view the cameras on that system. You can do this with the iPad and on tablets. You just would need a Remote Desktop application on the iPad, Tablet or PC/Laptop that you will be using to connect to the system.
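
Added example, not part of the original reply and not Remote.It tooling: a small shell check for the per-site bind address scheme described above (site 1 on 127.0.0.2, site 2 on 127.0.0.3, and so on). The function names and the sample `ifconfig lo0` output are constructed for illustration; it prints the alias commands still needed on a Mac for a given number of sites.

```shell
#!/bin/sh
# Added example: plan loopback aliases for the per-site bind addresses.
# Scheme from the post above: site 1 -> 127.0.0.2, site 2 -> 127.0.0.3, ...

# site_ip N: loopback bind address for the Nth site (1-based).
site_ip() {
    n=$1
    case $n in
        ''|0*|*[!0-9]*)
            echo "site number must be a positive integer" >&2; return 1 ;;
    esac
    # 127.0.0.1 is the default loopback; stay within the last octet (max .254).
    if [ "$n" -gt 253 ]; then
        echo "site number out of range (1-253)" >&2; return 1
    fi
    echo "127.0.0.$((n + 1))"
}

# missing_aliases COUNT: reads `ifconfig lo0` output on stdin and prints the
# alias command for every site address not yet present on the interface.
missing_aliases() {
    count=$1
    have=$(awk '$1 == "inet" { print $2 }')
    i=1
    while [ "$i" -le "$count" ]; do
        ip=$(site_ip "$i") || return 1
        if ! printf '%s\n' "$have" | grep -qxF "$ip"; then
            echo "sudo ifconfig lo0 alias $ip"
        fi
        i=$((i + 1))
    done
}

# Constructed sample of `ifconfig lo0` output where only site 1 is aliased.
SAMPLE_LO0='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet 127.0.0.2 netmask 0xff000000'

# On a Mac the real call would be: ifconfig lo0 | missing_aliases 3
printf '%s\n' "$SAMPLE_LO0" | missing_aliases 3
```

Aliases added with `ifconfig` do not survive a reboot, so the check is worth re-running before making connections. Keeping every bind address inside 127.0.0.0/8 also means the forwarded NVR ports are reachable only from the machine itself, not from other hosts on its network.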

Hi, Brenda. Okay. That makes sense to me. I realize what you are trying to do with the NVR.

What about my app question? How can I handle the apps, that are proprietary, on my remote phone or tablet, and need to function, while on the internal LAN? Is this possible without some crazy workaround?

Thank you.

When you are on the internal LAN, you should just be able to use their LAN IP addresses, if you are using a VPN or on the LAN via wifi at the actual location (the latter has nothing to do with Remote.It). If you set up each service as a jump service, then you can just use your phone and a browser to app.remote.it to get your url and port. This assumes that your proprietary app doesn’t need to connect to their cloud service to make the connection. Otherwise, it would be the same as using Hik Connect where their cloud server brokers the connection which would require their cloud server to have a Remote.It connection directly.