Tosibox over Starlink Considerations
Many customers who have Starlink do not realise its limitations when trying to implement VPN technology. Starlink uses CGNAT (carrier-grade network address translation). CGNAT does not support port forwarding to an internal service, such as a VPN, web servers, etc., nor does it allocate a routable static IP address. Outbound sessions operate just like any other internet service, allowing traffic to flow back and forth over an established session state.
The Tosibox architecture overcomes CGNAT limitations. The Tosibox server (lock) is situated on the LAN side of the Starlink connection (the inside of the network), and from there an outbound connection is established to a Tosibox connection broker. When a Tosibox client device (software key or hardware key) wants to connect to the server (lock), a connection is made from the Tosibox client to the connection broker; the broker then bridges the two connections, and a secure VPN tunnel is established. The Tosibox platform is simple to implement with Starlink; however, the devil is in the detail...
There are two connection methods: Wi-Fi and WAN.
1. Wi-Fi Client Method
This connection is the easiest to implement and requires no alteration to the standard Starlink package.
Additionally, this method is wireless and eliminates the need for cable runs. Keep in mind that distance and obstructions can lower Wi-Fi throughput, so consider where the Tosibox is placed. Any Tosibox lock that supports Wi-Fi client mode can connect to the Starlink Wi-Fi router. Simply place the Tosibox into Client Mode, set the SSID and password fields to those of the Starlink router, and set WPA2 as the authentication method.
DO NOT use 192.168.1.0/24 for the Tosibox LAN address, as this will conflict with the Starlink router.
With this method, you will have two networks: 192.168.1.0/24 – the Starlink Wi-Fi network, and the Tosibox LAN network – which must be set to anything other than 192.168.1.0/24.
![Starlink Tosibox Wi-Fi Method](https://ecsnz.com/perch/resources/starlink-tosibox-vpn-wifi-method-settings-w640.jpg)
2. Ethernet WAN Method with Starlink Bypass Mode
This method is written for Gen2 Starlink routers and requires additional hardware:
- Router/firewall - to act as your main internet gateway
- Wireless Access Point – if Wi-Fi is required
- Network switch – if necessary
- Or an all-in-one router, Wi-Fi and switch device
WAN Method
- Shut down Starlink and install the Ethernet dongle.
- Power on, login, and place the Starlink into Bypass mode.
- Starlink router will reboot.
- Plug the Ethernet dongle into your router's WAN port.
- A dynamic WAN IP address will be allocated to your router.
- Configure LAN IP address and DHCP range.
![TOSIBOX WAN method StarLink Router topology](https://ecsnz.com/perch/resources/posts/tosibox-wan-method-starlink-router-topology.jpg)
![TOSIBOX Wi-Fi Client method StarLink router topology](https://ecsnz.com/perch/resources/posts/tosibox-wi-fi-client-method-starlink-router-topology.jpg)
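An added example (not from ECS or Tosibox) that checks the two addressing points made above: whether a WAN address falls in the RFC 6598 shared address space reserved for CGNAT, and whether a planned Tosibox or router LAN overlaps the Starlink Wi-Fi network 192.168.1.0/24. The function names, the 192.168.0.0/16 candidate pool and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Starlink Wi-Fi network as stated on this page.
STARLINK_WIFI = ipaddress.ip_network("192.168.1.0/24")


def classify_wan(addr):
    """Return 'cgnat' or 'private' for those ranges, 'public' for anything else."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def lan_conflicts(lan, upstream=STARLINK_WIFI):
    """True if the planned LAN overlaps the upstream network in any way,
    including a wider prefix such as 192.168.0.0/16 that contains it."""
    return ipaddress.ip_network(lan, strict=False).overlaps(upstream)


def first_free_lan(upstreams, pool="192.168.0.0/16", prefix=24):
    """First subnet of the pool that overlaps none of the upstream networks."""
    taken = [ipaddress.ip_network(u, strict=False) for u in upstreams]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from a real installation.
    wan = "100.72.14.9"
    print(wan, "->", classify_wan(wan))
    for lan in ("192.168.1.0/24", "192.168.0.0/16", "192.168.50.0/24"):
        print(lan, "conflicts" if lan_conflicts(lan) else "ok")
    print("suggested LAN:", first_free_lan(["192.168.1.0/24", "192.168.0.0/24"]))
```

A `cgnat` or `private` result for the WAN address means inbound port forwarding will not reach the site, which is the case the broker-based tunnel is designed for.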
Related TOSIBOX Devices
![Image of TOSIBOX® Lock 600 Series](https://ecsnz.com/perch/resources/posts/675-with-antennas.jpg)
TOSIBOX® Lock 600 Series
Devices for all connectivity scenarios that meet the most demanding operating conditions, and can be used in power-hungry industrial applications where speed and robustness are at the heart of the solution.
![Image of TOSIBOX® 500 Series](https://ecsnz.com/perch/resources/posts/tosibox-500-series.jpg)
TOSIBOX® 500 Series
A high-end connectivity device bringing unprecedented possibilities for customers to manage their operations and to build new IoT solutions, compatible with all existing TOSIBOX® products.
![Image of TOSIBOX® Key](https://ecsnz.com/perch/resources/posts/tosibox-key.jpg)
TOSIBOX® Key
Intelligent cryptoprocessing device that enables a secure connection between your computer and one or more TOSIBOX® Nodes over an encrypted VPN tunnel.
![Tosibox VPN over Starlink Whitepaper](/images/uploaded/LAPPTosiboxWhitepaper.png)
The Tosibox VPN over Starlink Whitepaper
Many Starlink users face issues with VPNs due to CGNAT, which lacks port forwarding and static IPs. ECS solves this by establishing a secure Tosibox VPN tunnel through its connection broker, allowing seamless integration with Starlink. The setup is simple, though details matter for smooth operation. You can download the ECS whitepaper to learn how.