Port forward for VPN Server and softether VPN manual

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
gvilkas
Posts: 8
Joined: Fri Mar 28, 2014 8:28 pm

Port forward for VPN Server and softether VPN manual

Post by gvilkas » Sun Jan 17, 2016 4:55 pm

The Softether VPN Manual is a very good guide for setting up and using the software. Thank you to those that have worked so hard to create it.

There is one area that needs improvement, and that is the topic of port forwarding when the server is installed behind a NAT firewall. Section 11.2.6 explains clearly that you will need to forward ports on your firewall to the server. However, it does not explain which ports or how many ports need forwarding.

Upon installing the VPN server software one is shown "listener" ports on an administrator screen. Based on the description of their function I would conclude that these need to be port forwarded to function when behind a NAT firewall. However, that does not appear to be enough to get the VPN server able to accept connections from clients.

I have read pretty much the whole vpn server manual and I did not come across any specific reference to the ports that need opening in addition to the listener ports the default hub is configured with. These listener ports are defaulted to 443, 1194, 992, 5555. They could also be any ports you create as the administrator.

After using Google to search the topic I came across a number of posts that all recommend also port forwarding 500, 4500 and 1701. Another suggested 53. Unfortunately there is no explanation of their function in SoftEther VPN Server. Some experimentation shows that indeed forwarding these extra ports enables the server to successfully authenticate and connect VPN clients.

So the burning questions that remain are:
-What is the function of ports 53, 500, 4500 and 1701?
-What part of the VPN server manual can I read about their use? Or can someone describe where I find them on the server?
-Are there other ports I need to consider to ensure flawless server operations behind a NAT firewall?
-Should we forward both TCP and UDP or just one of them? If so, which?

Can someone provide some advice please? We all know that forwarding ports without understanding their function is not a wise idea. Many thanks to all.

eastavin
Posts: 42
Joined: Tue Jan 19, 2016 7:13 pm

Re: Port forward for VPN Server and softether VPN manual

Post by eastavin » Tue Jan 19, 2016 10:07 pm

Here are a few things that might help you omegagrant. The first question to ask yourself is: how am I conducting the test? Is my L2TP device local to the server or remote?

If it is remote then keep looking for port forwarding issues. The default listener ports plus ports 500 and 4500. Is your VPN server on a PC that has a static IP address or is it getting an IP address by DHCP? If you did not create a static IP address yourself then chances are almost 100% that the IP address is dynamic and changes any time your router reboots or your PC powers down beyond the lease expiry time. A dynamic address means your server may no longer be at the address the ports are forwarded to (something to remember to check). So either increase the lease time or switch to a static IP for the server.

If the L2TP device is local (on the same LAN and router), the issue here is that some routers have a security setting in the firewall section called "Filter WAN NAT Redirection". If this is checked it means that when you are trying to conduct a local test (you are instructing your L2TP device to exit onto the internet and loop back into your VPN Server) you are asking the router firewall to block your test. So either uncheck this and try again, or visit your local internet hotspot or your neighbour down the road and try from there.

Last, if still no success you might consider a simpler local test. In fact this should probably be the very first test. Try using the internal IP address of your VPN server in your L2TP device configuration in place of the external VPN Server IP or DDNS address, only when you are local. So replace that vpn1234456?.softether.net string with the actual internal IP address of the VPN Server. It may look something like 192.168.1.100, for example. You should be able to log in now as you no longer have any firewall or redirection issues. Congratulations, you have a VPN over your intranet/LAN.

If you succeed, now go back to testing with your external IP address or DDNS address in your L2TP device (and with Filter WAN NAT Redirection unchecked) and think about what is port forwarded and where. One thing I noticed was that when testing, attempting to connect at least 3 times is important to keep you from chasing your tail. I have often connected on the second or third attempt due to protocol errors in transmission after failing on the first 1 or 2.

When testing remotely your neighbour is probably the best option as their internet is unlikely to be blocking the ports you are trying to use. With internet hotspots, blocks are common so you often have to try 3 or 4 different establishments until you find one that is not blocking VPNs.

eastavin
Posts: 42
Joined: Tue Jan 19, 2016 7:13 pm

Re: Port forward for VPN Server and softether VPN manual

Post by eastavin » Fri Jan 22, 2016 4:04 am

Hi gvilkas.

You don't need to forward port 1701. The communication is done within the encrypted channel under IPsec on that channel. This is probably why it never really gets mentioned in the server manual. My users log in on L2TP/IPsec and OpenVPN OK and the port is not forwarded.

You also can choose whether or not to forward TCP 5555. As far as I can tell it only serves a purpose if you plan to log in to your VPN Server admin page remotely from outside your LAN. Opening it otherwise only lets the darkside hack your admin interface all day long from around the globe.

UDP 1194 is used for OpenVPN.

Ports 500 and 4500 only need UDP forwarded, for IPsec client sessions.

I have not been able to find out how TCP 992 is used yet. It gets mentioned in the documentation but I can't recall seeing it in the logs during a connection setup. I have been running for a week with it open but will test next week with it closed.

TCP 443 is used for SSTP. OpenVPN supposedly has the ability to use this port too, but as my experience with this software is still building I will say I have not yet seen a log file showing this has taken place. I wonder if the Android 5.1 client I am using has this feature operational?

VPN over DNS server uses port 53 UDP. I admit I am not overly familiar with this one and I keep it turned off.

So there you go, that is my list of what the ports get used for. Some day I might make a nice table. If anyone knows if the OpenVPN Connect client for Android can actually use TCP 443 I would appreciate a short note.

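An added example, not eastavin's or SoftEther's own code: a small Python script that turns the port list in this post into a forwarding checklist (TCP 5555 and UDP 53 are opt-in and UDP 1701 is left out, as the post states) and then checks the TCP listeners with a plain connect from whatever network you run it on, which is the "test from outside the LAN" step described earlier in the thread. The hostname vpn.example.invalid is a placeholder, and the port descriptions are a summary of the thread rather than an official SoftEther table. UDP listeners cannot be verified with a connect, so the audit reports TCP only.

```python
import socket
import sys
from typing import Dict, List, Tuple

# Ports as described in this thread (SoftEther default listeners plus what
# L2TP/IPsec and OpenVPN need). Assumed summary of the thread, not an
# official SoftEther table.
LISTENERS: Dict[Tuple[str, int], str] = {
    ("tcp", 443): "SSTP / HTTPS listener (OpenVPN over TCP can also use it)",
    ("tcp", 992): "default listener (role not established in the thread)",
    ("tcp", 1194): "default listener",
    ("udp", 1194): "OpenVPN over UDP",
    ("udp", 500): "IPsec IKE for L2TP/IPsec",
    ("udp", 4500): "IPsec NAT traversal for L2TP/IPsec",
    ("tcp", 5555): "VPN Server remote administration",
    ("udp", 53): "VPN over DNS",
}

# Opt-in entries: remote admin exposes the management interface to the
# internet, and VPN over DNS is off by default in the poster's setup.
OPT_IN = {("tcp", 5555), ("udp", 53)}


def required_forwards(remote_admin: bool = False,
                      vpn_over_dns: bool = False) -> List[Tuple[str, int]]:
    """Return the (proto, port) pairs to forward on the NAT device.

    UDP 1701 is deliberately absent: L2TP runs inside the IPsec tunnel,
    so only the IKE/NAT-T ports need to reach the server.
    """
    rules = [key for key in LISTENERS if key not in OPT_IN]
    if remote_admin:
        rules.append(("tcp", 5555))
    if vpn_over_dns:
        rules.append(("udp", 53))
    return sorted(rules)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_tcp(host: str, rules: List[Tuple[str, int]],
              timeout: float = 3.0) -> Dict[int, bool]:
    """Check every TCP rule from the current vantage point.

    Run this from OUTSIDE the LAN (a phone on LTE, a neighbour's
    connection) to confirm the forwards, or from inside with the
    server's LAN address to rule out the router entirely. UDP rules are
    skipped because a connect() says nothing about a UDP listener.
    """
    return {port: tcp_reachable(host, port, timeout)
            for proto, port in rules if proto == "tcp"}


if __name__ == "__main__":
    # Placeholder target; pass the real DDNS name or IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.invalid"
    for port, ok in audit_tcp(target, required_forwards()).items():
        label = LISTENERS[("tcp", port)]
        print(f"tcp/{port:<5} {'reachable' if ok else 'NOT reachable':14} {label}")
```

A port that is reachable from the LAN address but not from outside points at the router (forwarding rule, wrong target address after a DHCP lease change, or a NAT loopback filter), while a port that fails from both sides points at the server's own listener settings.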
eastavin
Posts: 42
Joined: Tue Jan 19, 2016 7:13 pm

Re: Port forward for VPN Server and softether VPN manual

Post by eastavin » Tue Jan 26, 2016 4:26 am

Hi gvilkas.
Since the last note I have discovered that the sample OpenVPN client config file generated by SoftEther VPN Server only sets up access to UDP 1194. If you have specified other UDP ports in the VPN Server setup screen, or want the client to attempt logins on the default TCP listener ports, you need to manually edit the sample OpenVPN client config file the server generates to add these ports.

It would have been nice if there was some documentation explaining the above. I had to learn it by trial and error.

If you need help editing the client I found the following web page helpful.
Openvpn23ManPage – OpenVPN Community
https://community.openvpn.net/openvpn/w ... n23ManPage
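An added example, not eastavin's or SoftEther's own code, of the edit this post describes: a Python helper that reads the `remote` directive from a generated client profile and appends extra `remote host port proto` lines for the other listener ports, so the client falls through from UDP 1194 to the TCP listeners. The per-remote `proto` argument (`udp` or `tcp-client`) overrides the profile's global `proto` line and is documented in the OpenVPN 2.3 man page linked above. The profile text embedded here is a constructed, abbreviated stand-in for SoftEther's generated file, and `vpn123456.softether.net` is a placeholder hostname.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of SoftEther's generated client profile
# (abbreviated; the certificate body is a placeholder, not real data).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn123456.softether.net 1194
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
</ca>
"""

# remote <host> [port] [proto]
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?(?:\s+(\S+))?\s*$")
PROTO_RE = re.compile(r"^\s*proto\s+(\S+)")
ALLOWED_PROTOS = ("udp", "tcp-client")


def parse_remotes(text: str) -> List[Tuple[str, int, str]]:
    """Return (host, port, proto) for every remote directive.

    A missing port defaults to 1194 and a missing proto inherits the
    global 'proto' line (udp if there is none), matching OpenVPN's rules.
    """
    global_proto = "udp"
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            global_proto = m.group(1)
    remotes = []
    for line in text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            host = m.group(1)
            port = int(m.group(2) or 1194)
            proto = m.group(3) or global_proto
            remotes.append((host, port, proto))
    return remotes


def add_remotes(text: str, extra: List[Tuple[int, str]]) -> str:
    """Append explicit 'remote host port proto' lines after the last remote.

    The host is taken from the existing remote, duplicates of what the
    profile already reaches are skipped, and only client-side protos are
    accepted. OpenVPN tries remotes in file order, so UDP 1194 stays first.
    """
    existing = parse_remotes(text)
    if not existing:
        raise ValueError("no remote directive found in profile")
    host = existing[0][0]
    known = {(port, proto) for _, port, proto in existing}
    lines = text.splitlines()
    last = max(i for i, line in enumerate(lines) if REMOTE_RE.match(line))
    additions = []
    for port, proto in extra:
        if proto not in ALLOWED_PROTOS:
            raise ValueError(f"proto must be one of {ALLOWED_PROTOS}, got {proto!r}")
        if (port, proto) in known:
            continue
        additions.append(f"remote {host} {port} {proto}")
        known.add((port, proto))
    lines[last + 1:last + 1] = additions
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Fall back to the default TCP listeners after UDP 1194; UDP 1194 is
    # already present and is skipped as a duplicate.
    updated = add_remotes(SAMPLE_OVPN,
                          [(1194, "udp"), (443, "tcp-client"), (992, "tcp-client")])
    print(updated)
```

Leave TCP 5555 out of the client profile unless you have chosen to forward it for remote administration; adding a remote for a port the router does not forward only lengthens the client's retry cycle before it reports a TLS key timeout.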

triwaves
Posts: 27
Joined: Mon May 16, 2016 3:11 pm

Re: Port forward for VPN Server and softether VPN manual

Post by triwaves » Thu Mar 16, 2017 4:35 am

Thanks for the great info in this thread, it was a good read - but unfortunately I still can't get an OpenVPN client (on android phone) to connect.

Thinking about the suggestions and ideas here I have the following info:
* ports forwarded as recommended here
* server management tool works (port 5555)
* Windows 10 PC with softether vpn client works
* Unable to connect with android openvpn client (or any other client for that matter)
* Thinking ports were the issue I put the server in a DMZ zone, but no change in behavior

When the openvpn client fails it fails with a TLS Key timeout (60 sec) and suggests I check network connectivity.

Trying to solve this issue I am concluding that the port forwarding and DDNS resolution is working and something else is my problem. Does this make sense?

If so - where do I look next?

I thought maybe authentication was suspect, but I tried connecting on my local network with the same client/setup and it connects quickly without error. As soon as I turn off wifi and let the phone switch to LTE the connection is broken. It's also broken on other wifi networks.

If anybody can suggest where to focus my efforts to get the handshake to work I would be grateful... running out of ideas, but feel like I eliminated a couple of things.

The server BTW is a Raspberry Pi with Raspbian running the server, SecureNAT enabled, a virtual NAT device and an ethernet port to the router.

Thanks!

EDIT: In the log, Channel 0 opens and then nothing happens. On a successful connection I see messages and such start exchanging.
Last edited by triwaves on Tue Apr 04, 2017 3:46 pm, edited 1 time in total.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Port forward for VPN Server and softether VPN manual

Post by thisjun » Thu Mar 23, 2017 7:47 am

Could you show the log of client?
Did you use .ovpn file generated from SoftEther VPN?

triwaves
Posts: 27
Joined: Mon May 16, 2016 3:11 pm

Re: Port forward for VPN Server and softether VPN manual

Post by triwaves » Tue Mar 28, 2017 2:48 am

I think I have figured out this portion of my problem - the router was not behaving as it should. Applying the port forward rules and rebooting the router was not taking effect properly until I reset the router and restored my config with the new forwarding rules. Now I can connect with Android OpenVPN client as well as the built in client in a Win 10 pc.

Thanks
