Howto - free/cheap VPN port forwarding for Starlink type systems (

How to:
okay for those who may want cheap or free port forwarding for starlink types systems where port forwarding is blocked or not possible
for this example it will interface with your openwrt router:

signup for a free single port forward at or sign up for a premium account if you want more ports
when you create your mapping rule choose http or https depending on what your openwrt interface is using
download your ovpn file from

install openvpn and it luci counterpart

go to VPN > openvpn > "OVPN configuration file upload" and up load the file calling it "portmap"

if the openvpn version is lower then 2.5 you will need to modify the ovpn to a legacy version
basically it breaks at data-ciphers and if </cert> <ca> are together on the same line
modifications are:

cipher bf-cbc
ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM

simply modify your ovpn file to look like this:


dev tun
key-direction 1
remote-cert-tls server
#data-ciphers AES-256-GCM:AES-256-CBC:AES-128-CBC:BF-CBC  <----- comment out
cipher bf-cbc   <-----  modification
remote 1194 udp

and at the end

key-direction 1
ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM  <--------add this

you can test for errors in ssh terminal window by running openvpn --config /etc/opnvpn/portmap.ovpn ( or whatever you called it)

if everthing looks good start portrmap in openvpn

now create interface
for ease nano /etc/config/network

add this:

config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

now save
and nano /etc/config/firewall
add this:

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'vpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'

then add in your traffic rule --- I open all ports for ease on the vpn

config rule
        option target 'ACCEPT'
        list proto 'all'
        option name 'vpn_portmap'
        option src 'vpn'

now the port forwarding rule from the VPN to the local lan

config redirect
        option dest_port '80'
        option src 'vpn'
        option name 'port'
        option src_dport '80'
        option target 'DNAT'
        option dest_ip '' <------or whatever your router ip is
        option dest 'lan'

save and restart the router
now when you click on your mapping link


it will open your openwrt router login page

good luck have fun


yes i did a how to for purevpn a while back -- i have no complaint it was for a company that had moved to starlink connection . and no longer had access to their internal network devices.. this is for a FREE connection or $30 per year for 100 connections .. purevpn cost is around $120 per year.. - I also have a list of free sstp servers that use you can get a list of them from IPSpeed

hi there - complete newbie here - is there any way to use portmap io to setup port fowarding to specific devices using their local IP and port?
i have 5 devices that send information, and with starlink they don't work
thanks in advance

The free level of portmap only allows one port meaning you can only run one service on one server. Though you can have multiple external devices connecting to that port.

This overall concept works with any ISP that (as many do) uses CGNAT or blocks incoming connections. It's not specific to Starlink.

you can get the paid version of ( ~30.00 per year) for 100 ports or you can use the config page to switch ports manually as you need them . and port forwarding on openwrt to push it the secondary devices

sounds great - but I understood nothing :upside_down_face: thanks for trying though

from this section above basically just change it to point the ip of the device and what ports you are targeting
and if you setup a premium account then you just make multiple for each port and internal ip of the device you want to connect to

config redirect
        option dest_port '8080'
        option src 'vpn'
        option name 'port'
        option src_dport '8080'
        option target 'DNAT'
        option dest_ip '' <------or whatever your device ip is
        option dest 'lan'