VPN client acquires incorrect subnet mask

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
dmare
Posts: 2
Joined: Sat Apr 18, 2015 1:43 am

VPN client acquires incorrect subnet mask

Post by dmare » Sat Apr 18, 2015 1:55 am

I'm using this IP block on my LAN: 10.10.8.0/22, i.e. my subnet mask is 255.255.252.0
DHCP server hands out 10.10.10.xx IP addresses on the LAN and the correct /22 subnet mask above. It definitely works on the LAN.

SoftEther is set up to offer L2TP / IPSec VPN services. It resides at 10.10.8.10.

My VPN client (Mac OS X 10.8.5. built in), acquires a 10.10.10.xx IP address as expected, however, routing tables look like this:
10.10.10/24 ppp0 # i.e. incorrect /24 subnet mask.

I have read this page of manual: https://www.softether.org/index.php?tit ... d-in_Users

The above page says:
An IP address will be leased from the DHCP server, and the IP address will be assigned on the L2TP VPN client session. Default gateway, subnet mask, DNS address and WINS address will be also applied on the L2TP VPN client. So if no DHCP server, no login successes.

Therefore I expect /22 to be applied to VPN client route.

Is this a bug or incorrect setup? Has anyone seen this as well? Does anyone have advice about how to fix?

I guess I can probably fix via SecureNAT implementation, but is this the only way? I would like to keep setup as simple as possible and prefer a single network over a separate subnet for VPN clients, which I would end up with if I used SecureNAT.

Any feedback appreciated!

dmare
Posts: 2
Joined: Sat Apr 18, 2015 1:43 am

Re: VPN client acquires incorrect subnet mask

Post by dmare » Sun Apr 19, 2015 1:52 pm

No replies yet, but maybe I didn't include enough info initially.

Basically, when I connect to other VPNs from the Mac OS X L2TP client, traffic destined for private networks goes over the VPN link, but normal internet traffic goes through the normal link, unless I tick the "Send all traffic over VPN" tickbox. I've tested Windows and the default is to simply send all traffic over VPN, which obviously works, as it does in OS X when the tickbox is ticked, but if what I'm reading in that manual page is correct, I would expect the route added to the client to be a /22 route instead of /24. Bug possibly?

Other info:

1. Operating system name and the type of CPU-bits
Latest Debian 7 Wheezy:
root@vpn1:~# cat /proc/version
Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.65-1+deb7u2


2. The result of "ifconfig -a" (UNIX) or "ipconfig /all" (Windows)
(note that MAC address values changed)
root@vpn1:~# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:0c:19:ab:36:c3
inet addr:10.10.8.33 Bcast:10.10.11.255 Mask:255.255.252.0
inet6 addr: fe80::20c:19ff:fbbb:36c3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:150227 errors:0 dropped:2874 overruns:0 frame:0
TX packets:181624 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21926119 (20.9 MiB) TX bytes:21494057 (20.4 MiB)

eth1 Link encap:Ethernet HWaddr 00:0c:13:eb:26:cd
inet addr:10.10.10.6 Bcast:10.10.11.255 Mask:255.255.252.0
inet6 addr: fe80::20c:29aa:fssb:36cd/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1986 Metric:1
RX packets:1003777 errors:0 dropped:0 overruns:0 frame:0
TX packets:506530 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:154117887 (146.9 MiB) TX bytes:31890051 (30.4 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:41428 errors:0 dropped:0 overruns:0 frame:0
TX packets:41428 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4324849 (4.1 MiB) TX bytes:4324849 (4.1 MiB)



3. The result of "uname -a" (UNIX) or "systeminfo" (Windows)
Linux vpn1 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u2 x86_64 GNU/Linux


4. The build number of SoftEther VPN
Version 4.15 Build 9539 Compiled 2015/04/04 00:39:39 by yagi at pc25


5. Which SoftEther VPN component are you using?
VPN Server


6. Whether or not there is a NAT or Firewall between your VPN server and the Internet.
Yes, UDP ports 500 and 4500 port forwarded to VPN server.


7. Are you using SecureNAT?
No, but seems I might have to, to get custom route working.


8. Your current vpn_server.config or vpn_bridge.config file should be attached on the post.
First attached. I see no vpn_bridge.config, but my local bridge is between eth1 and the default hub.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: VPN client acquires incorrect subnet mask

Post by thisjun » Thu Apr 30, 2015 8:14 am

It's by design.
A PPP-based protocol (e.g. L2TP) session isn't notified of the real subnet mask.
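
Added example, not part of any post in this thread: a short Python check of which parts of the 10.10.8.0/22 LAN the client's `10.10.10/24 ppp0` route leaves outside the tunnel when "Send all traffic over VPN" is not ticked. The function names are hypothetical, the host list is taken from the addresses quoted in the thread, and the parser assumes the netstat destination always carries an explicit prefix length.

```python
import ipaddress


def parse_bsd_dest(dest):
    """Expand an abbreviated BSD/macOS route destination, e.g. '10.10.10/24'."""
    addr, sep, plen = dest.partition("/")
    if not sep:
        # Assumption of this example: the prefix length is always shown.
        raise ValueError("expected an explicit prefix length: %r" % dest)
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError("not an IPv4 destination: %r" % dest)
    octets += ["0"] * (4 - len(octets))  # pad the omitted trailing octets
    return ipaddress.ip_network(".".join(octets) + "/" + plen)


def uncovered(lan, route):
    """Return the parts of the LAN block that the client route does not match."""
    if not route.subnet_of(lan):
        raise ValueError("route %s is not inside %s" % (route, lan))
    return sorted(lan.address_exclude(route))


def via_tunnel(hosts, route):
    """Map each host to True if the ppp0 route matches it, else False."""
    return {h: ipaddress.ip_address(h) in route for h in hosts}


# Values quoted in the thread: the LAN block, the route seen on the client,
# the SoftEther address and the server's eth0 / eth1 addresses.
LAN = ipaddress.ip_network("10.10.8.0/22")
ROUTE = parse_bsd_dest("10.10.10/24")
HOSTS = ["10.10.8.10", "10.10.8.33", "10.10.10.6"]

if __name__ == "__main__":
    print("client route :", ROUTE)
    print("not covered  :", ", ".join(str(n) for n in uncovered(LAN, ROUTE)))
    for host, tunnelled in via_tunnel(HOSTS, ROUTE).items():
        path = "ppp0" if tunnelled else "default route (outside the VPN)"
        print("%-12s -> %s" % (host, path))
```

With the values from the thread, 10.10.8.0/23 and 10.10.11.0/24 are not matched by the ppp0 route, so a LAN host such as 10.10.8.10 is reached through the tunnel only when all traffic is sent over the VPN.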

donaldii
Posts: 9
Joined: Tue Sep 11, 2018 5:46 pm

Re: VPN client acquires incorrect subnet mask

Post by donaldii » Sat Sep 22, 2018 7:16 pm

Hi @thisjun,

I am new to SoftEther but am determined to learn it seriously.

I have asked two questions on the forum but have heard nothing back. Could you please take a look at them?

Your input will be much appreciated!

viewtopic.php?f=7&t=4850#p12338

viewtopic.php?f=7&t=63326

fenice
Posts: 183
Joined: Sun Jul 19, 2015 4:23 pm

Re: VPN client acquires incorrect subnet mask

Post by fenice » Sat Sep 22, 2018 7:21 pm

donaldii wrote:
Sat Sep 22, 2018 7:16 pm
I have asked two questions on the forum but have heard nothing back. Could you please take a look at them?
You've only waited two hours since your first post and you do realise that the people that reply here do so in their spare time, don't you?

You should also not post the same information in three different posts, post it once and then wait for an answer.
Regards


Bill

donaldii
Posts: 9
Joined: Tue Sep 11, 2018 5:46 pm

Re: VPN client acquires incorrect subnet mask

Post by donaldii » Sat Sep 22, 2018 7:37 pm

Hi @fenice,

As much as I respect your time, I do respect all other people's time.

I do respect the forum's rules and hope to adhere to best practice at all times.

As you may also notice, most of the questions in the forum do not get an answer, including my first question. This is why I reluctantly stepped a bit over the line and posted my first question under two related discussions, and a second question (which is somewhat more straightforward) as a separate question.

Those questions I asked are impacting my users as I type these words, so I hope you can understand the anxiety in me to address them as quickly as possible.

Regards

itskv
Posts: 43
Joined: Thu Mar 22, 2018 11:56 am

Re: VPN client acquires incorrect subnet mask

Post by itskv » Mon Sep 24, 2018 6:05 am

dmare wrote:
Sat Apr 18, 2015 1:55 am
I'm using this IP block on my LAN: 10.10.8.0/22, i.e. my subnet mask is 255.255.252.0
DHCP server hands out 10.10.10.xx IP addresses on the LAN and the correct /22 subnet mask above. It definitely works on the LAN.

SoftEther is set up to offer L2TP / IPSec VPN services. It resides at 10.10.8.10.

My VPN client (Mac OS X 10.8.5. built in), acquires a 10.10.10.xx IP address as expected, however, routing tables look like this:
10.10.10/24 ppp0 # i.e. incorrect /24 subnet mask.

I have read this page of manual: https://www.softether.org/index.php?tit ... d-in_Users

The above page says:
An IP address will be leased from the DHCP server, and the IP address will be assigned on the L2TP VPN client session. Default gateway, subnet mask, DNS address and WINS address will be also applied on the L2TP VPN client. So if no DHCP server, no login successes.

Therefore I expect /22 to be applied to VPN client route.

Is this a bug or incorrect setup? Has anyone seen this as well? Does anyone have advice about how to fix?

I guess I can probably fix via SecureNAT implementation, but is this the only way? I would like to keep setup as simple as possible and prefer a single network over a separate subnet for VPN clients, which I would end up with if I used SecureNAT.

Any feedback appreciated!
Hello friend,

1. Have you verified the content of the Routing Table in the SoftEther server application?
2. I doubt, you have to use SecureNAT
