About real virtual interfaces on a Debian with VPNServer

jerume
Posts: 11
Joined: Fri Dec 06, 2013 12:05 pm

About real virtual interfaces on a Debian with VPNServer

Post by jerume » Mon Dec 09, 2013 3:09 pm

Hello,

I have planned to switch from OpenVPN to SoftEther, on 2 Debian servers, in order to get better performance between a site in the USA and a site in the UK (1Gbit/s L3 fiber line). Thus I have successfully set up a LAN to LAN using L3 IP Routing. Thanks to the devs & to the open source world ;)

The VPN stream seems ok as a "cascade" has been successfully established. I can ping and access (via ssh for example) my client machines located in one site from the other, through the SoftEther VPN TCP stream.

But from the VPN server itself I can't ping the virtual interfaces of the virtual switch (located on its own). Is that normal? ( This is the question which has motivated this post ).

Note that I don't see these virtual switch interfaces with an "ifconfig" command, so I would like to say yes :) If yes, is there a way to bring up a "real" virtual interface on the Debian VPN Server? Could it be useful in some cases or did I miss something ?

Because in my case, I think it makes it impossible to set up a few special IP routes that I have on the Debians.
For example I can't reach from the USA another site in the UK through the VPN stream, even if I can reach this "other site in UK" from the VPN server itself :)

This other site in UK is :
-> On a different subnet than the main UK site which hosts the VPN server;
-> So on a different subnet than the virtual interface IP address related to the UK HUB on the virtual switch;
-> Well accessible by the Debian VPN server itself through the locally configured route for this special subnet.

I think that the Server "Debian SoftEther VPNServer", as it can't reach the virtual router IP interface related to UK HUB ( which doesn't exist as an ifconfig command shows ), can't route back the traffic which comes from a different subnet than its eth0 card and thus its virtual interface on its virtual switches (UK HUB).

Regards,

NB : I have deleted the last 2 posts on the same subject, as I have improved and thus reduced the explanations. I sincerely apologize if somebody started to read/answer them.

inten
Posts: 370
Joined: Fri Oct 18, 2013 8:15 am
Location: All around the world

Re: About real virtual interfaces on a Debian with VPNServer

Post by inten » Tue Dec 10, 2013 2:03 am

Hi.

As you may know there are two ways to connect networks:

1. L2 Bridge http://www.softether.org/4-docs/1-manua ... L2_Bridge)
2. L3 Routing http://www.softether.org/4-docs/1-manua ... P_Routing)

Why did you choose L3?

And, yes, it is normal that you do not see any virtual interfaces with L3. You can see a TAP interface if you switch to the L2 scheme.

Usually inaccessibility of several network segments is restricted to the routing process. Would you mind attaching a simple drawing to understand what exactly does not work in your case?
When you don't like the answer, change the question.
Cheers,
Team.

VPNHPanel.com
This account is not associated to SoftEther project.

jerume
Posts: 11
Joined: Fri Dec 06, 2013 12:05 pm

Re: About real virtual interfaces on a Debian with VPNServer

Post by jerume » Tue Dec 10, 2013 3:10 am

Hello,

Thank you for the answer. So this is normal :)

I may be wrong but I chose L3 because the site in the USA and the site in the UK don't share the same network subnet.

USA : 172.37.0.0/21
UK : 172.30.0.0/21
"UK other site" : 172.36.0.0/21


I am going to try another time, then upload a drawing in this post.

inten
Posts: 370
Joined: Fri Oct 18, 2013 8:15 am
Location: All around the world

Re: About real virtual interfaces on a Debian with VPNServer

Post by inten » Tue Dec 10, 2013 3:20 am

Good. Awaiting your logical scheme.
I would also suggest installing NTttcp http://blogs.technet.com/b/wincat/archi ... lable.aspx on both ends to test the performance after we finish with routing.

Clarify please

"UK other site" : 172.36.0.0/21 is being routed via UK : 172.30.0.0/21 ?

inten
Posts: 370
Joined: Fri Oct 18, 2013 8:15 am
Location: All around the world

Re: About real virtual interfaces on a Debian with VPNServer

Post by inten » Tue Dec 10, 2013 3:49 am

Wait!

RFC 1918 Address Allocation for Private Internets February 1996
3. Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

WHY do you use 172.36 and 37 networks as a private space?

jerume
Posts: 11
Joined: Fri Dec 06, 2013 12:05 pm

Re: About real virtual interfaces on a Debian with VPNServer

Post by jerume » Tue Dec 10, 2013 3:55 am

I am so sorry to waste your time, that was an example.
My real subnets are under 172.31.
;)

jerume
Posts: 11
Joined: Fri Dec 06, 2013 12:05 pm

Re: About real virtual interfaces on a Debian with VPNServer

Post by jerume » Tue Dec 10, 2013 6:27 am

Making the drawing is going to take time :) I will post it in a few hours.

Before, maybe a highlight about this main ( routing ? ) issue :

( NB : for security reasons and simplicity for me, let's say I have the « rights » to take 172.33.0.0/21, 172.30.0.0/21 and 172.37.0.0/21 as subnets ;) )

From a client machine, let's say IP 172.33.4.46/21 ( work46.uk.softetherrocks.com ), so which belongs to a different network subnet than the ones where the Virtual IP addresses are ( IP 172.37.7.254/21 && 172.30.7.254/21 ) and which are hosted by the virtual switch on the vpnserver ( physical IP 172.30.0.223/21 ), doing a simple ping in the direction of these Virtual IP addresses shows no ICMP REPLY with a tcpdump on the VPN server. I see the ICMP REQUEST ( so I may think that the route from the client machine to the VPN server is well defined everywhere) but I do not see any ICMP REPLY.

[1]6:43 support@VPNSERVER vpnserver # tcpdump host 172.33.4.46 and icmp -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:43:37.165596 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
work46.uk.softetherrocks.com > 172.30.7.254: ICMP echo request, id 16096, seq 42, length 64
06:43:38.174414 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
work46.uk.softetherrocks.com > 172.30.7.254: ICMP echo request, id 16096, seq 43, length 64


-Please note that I can ping the client machine from the vpnserver itself ( and vice-versa ) :

[0]6:52 support@VPNSERVER ~ # ping 172.33.4.46
PING 172.33.4.46 (172.33.4.46) 56(84) bytes of data.
64 bytes from 172.33.4.46: icmp_req=1 ttl=63 time=0.547 ms
64 bytes from 172.33.4.46: icmp_req=2 ttl=63 time=0.173 ms

and vice-versa :

7:16 root@work46 ~ # ping vpnserver [0]
PING vpnserver.uk.softetherrocks.com (172.30.0.223) 56(84) bytes of data.
64 bytes from vpnserver.uk.softetherrocks.com (172.30.0.223): icmp_req=1 ttl=63 time=0.201 ms

-Note as well that when I do the same test ( pinging in the direction of the virtual IP interfaces hosted by the virtual switch ) from a machine which belongs to the same subnet as one of the Virtual IP addresses, it works well, I see (on the vpnserver host ) and receive the reply ( on the client machine ) :

[0]6:47 support@VPNSERVER ~ # tcpdump host 172.30.0.11 and icmp -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:47:25.658449 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
admin1.uk.softetherrocks.com > 172.30.7.254: ICMP echo request, id 31818, seq 1, length 64
06:47:25.658579 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), length 84)
172.30.7.254 > admin1.uk.softetherrocks.com: ICMP echo reply, id 31818, seq 1, length 64
06:47:26.636836 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)


FYI
-> RouterIfList command - Get List of Interfaces Registered on the Virtual Layer 3 Switch
Name of Virtual Layer 3 Switch: UKvs

IP Address |Subnet Mask |Virtual Hub Name
------------+-------------+----------------
172.37.7.254|255.255.248.0|USA
172.30.7.254|255.255.248.0|UK

-> VPN Server>bridgelist
BridgeList command - Get List of Local Bridge Connection
Number|Virtual Hub Name|Network Adapter or Tap Device Name|Status
------+----------------+----------------------------------+---------
1 |UK |eth0 |Operating
The command completed successfully.
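
Added example (not part of the thread and not SoftEther code): a small Python check that pairs ICMP echo requests with echo replies in tcpdump -vv output of the kind shown in the post above, and lists the requests that never got a reply. The sample capture, host names and addresses are constructed; the function names are hypothetical.

```python
import re

# Detail line tcpdump -vv prints under each packet header, for example:
#   hostA > 192.0.2.254: ICMP echo request, id 16096, seq 42, length 64
ICMP_LINE = re.compile(
    r"^\s*(?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def unanswered_echo_requests(capture_text):
    """Return (src, dst, id, seq) for every echo request with no matching reply."""
    pending = {}  # insertion-ordered, so results keep capture order
    for line in capture_text.splitlines():
        m = ICMP_LINE.match(line)
        if not m:
            continue  # banner, packet header lines, truncated records
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], ident, seq)] = None
        else:
            # A reply travels dst -> src; swap endpoints to find its request.
            pending.pop((m["dst"], m["src"], ident, seq), None)
    return list(pending)

def unanswered_by_source(capture_text):
    """Count unanswered echo requests per requesting host."""
    counts = {}
    for src, _dst, _id, _seq in unanswered_echo_requests(capture_text):
        counts[src] = counts.get(src, 0) + 1
    return counts

# Constructed capture: one host gets no replies, the other gets one.
SAMPLE = """\
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:43:37.165596 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    offsubnet.example > 192.0.2.254: ICMP echo request, id 16096, seq 42, length 64
06:43:38.174414 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    offsubnet.example > 192.0.2.254: ICMP echo request, id 16096, seq 43, length 64
06:47:25.658449 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    onsubnet.example > 192.0.2.254: ICMP echo request, id 31818, seq 1, length 64
06:47:25.658579 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    192.0.2.254 > onsubnet.example: ICMP echo reply, id 31818, seq 1, length 64
"""

if __name__ == "__main__":
    for src, n in unanswered_by_source(SAMPLE).items():
        print(f"{src}: {n} echo request(s) without a reply")
```

A request reported here only means no reply was seen on the captured interface; a capture on another interface may still show one.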

inten
Posts: 370
Joined: Fri Oct 18, 2013 8:15 am
Location: All around the world

Re: About real virtual interfaces on a Debian with VPNServer

Post by inten » Tue Dec 10, 2013 11:07 am

Sorry, but need the drawing. From your explanation it is not clear what you have installed. To speed up the tshooting process you may skype me.

jerume
Posts: 11
Joined: Fri Dec 06, 2013 12:05 pm

Re: About real virtual interfaces on a Debian with VPNServer

Post by jerume » Tue Dec 10, 2013 4:12 pm

I try to do something like the attached drawing shows.

And the description of my problem :

( NB : for security reasons and simplicity for me, let's say I have the « rights » to take 172.33.0.0/21, 172.30.0.0/21 and 172.37.0.0/21 as subnets ;) )

-> A client machine in UK ( 172.33.4.46 ) can't reach USA.
-> A client machine in UK ( 172.30.4.2 ) can reach USA.
-> Physical IP of the vpnserver server : 172.30.0.223.

-> Please note that I can ping a client machine ( 172.33.4.46 ) from the vpnserver itself.

-> Please note as well that when I do a simple ping test from this client machine ( 172.33.4.46 ) in the direction of the Virtual IP addresses (hosted by the virtual L3 switch on the vpnserver), I do not see any ICMP REPLY with a tcpdump launched on the VPN server. I see the ICMP REQUEST ( so I may think that the route from the client machine to the VPN server is well defined everywhere), but no reply.

jerume
Posts: 11
Joined: Fri Dec 06, 2013 12:05 pm

Re: About real virtual interfaces on a Debian with VPNServer

Post by jerume » Tue Dec 10, 2013 4:13 pm

inten wrote:
> To speed up the tshooting process you may skype me.

May I ask you for your email address please?

inten
Posts: 370
Joined: Fri Oct 18, 2013 8:15 am
Location: All around the world

Re: About real virtual interfaces on a Debian with VPNServer

Post by inten » Thu Jan 02, 2014 5:21 pm

jerume wrote:

> May I ask you for your email address please?

http://www.vpnusers.com/memberlist.php? ... snm&u=5167

jerume
Posts: 11
Joined: Fri Dec 06, 2013 12:05 pm

Re: About real virtual interfaces on a Debian with VPNServer

Post by jerume » Thu Jan 02, 2014 5:23 pm

I can't find a way to delete this thread.

Any idea?
