General Advice to Achieve Secure Internet Browsing on Client

triwaves
Posts: 27
Joined: Mon May 16, 2016 3:11 pm

General Advice to Achieve Secure Internet Browsing on Client

Post by triwaves » Mon May 16, 2016 3:35 pm

Hello,

New user of SoftEther VPN solution - haven't got it figured out yet but very impressed with the package so far! I'm sure the issue is a general configuration/capability - I'm looking for advice to point me in the right direction based on what I am trying to achieve in my network.

The tutorials didn't quite have the situation I was looking to set up but I tried to do it myself. I have gotten the server and one client installed - the client does connect to the server from a remote location so I thought that was a positive sign :)

Please see my attached Network layout.
Server is running on Linux Mint 17.3 (new install) and not in a VM, just on the box itself.

All I am trying to do to start is connect Client #1 to the server, and make the Internet browsing traffic from Client #1 go through the server. I do not want any local traffic from Client #1 to go through the local network, only the VPN. Step two will be to get Client #1 able to browse PC#1 ... but I'll tackle that later...

Client #1 is a Win 10 laptop ; it does connect to the server. When it connects the physical wlan network changes to connected (but no internet connection) and the VPN connection is added. I think the internet browsing is happening over the VPN but it doesn't really work.

It looks like the DNS is working - if I type something it tries to resolve it ; If I open a Google page it resolves it and displays it ; but anything else just times out. So perhaps the DNS servers are working but still something not correct on how I route general internet traffic over that VPN.

I would also like to mention that the server is connected to the router via WLAN (for convenience reasons) and I thought perhaps that is the issue, so I tried to temporarily use ETH1 instead to see if that fixed my issue but it was no change. If for debug reasons I can use Eth1 but ultimately I need the little server to sit in a room with WiFi only...

I have played with all sorts of things and I feel I'm missing something fundamental about the topology I am using. If anybody can give advice on how I should be setting up the system to get internet routing working I would appreciate it!

Thanks in advance. -W

triwaves
Posts: 27
Joined: Mon May 16, 2016 3:11 pm

Re: General Advice to Achieve Secure Internet Browsing on Cl

Post by triwaves » Thu May 19, 2016 3:10 am

Seems wired ethernet may be the key ... using Eth1 I can get a connection and browse the web. I can also verify through whatsmyip that the route to the internet is through the server.

Is there a way to make this work with the server on a wireless connection??

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: General Advice to Achieve Secure Internet Browsing on Cl

Post by thisjun » Fri May 27, 2016 8:38 am

Please try to use SecureNAT and disable local bridge.

triwaves
Posts: 27
Joined: Mon May 16, 2016 3:11 pm

Re: General Advice to Achieve Secure Internet Browsing on Cl

Post by triwaves » Fri May 27, 2016 3:04 pm

Ok I can do that easy enough but I thought you always need a local bridge, otherwise how is the virtual network getting connected to the real network ?

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: General Advice to Achieve Secure Internet Browsing on Cl

Post by thisjun » Mon Jun 06, 2016 4:19 am

Where is default gateway 192.168.30.1?

Client can connect to real network via SecureNAT also.
However, SecureNAT is NAT, so PC#1 or #2 can't connect to Client #1.

triwaves
Posts: 27
Joined: Mon May 16, 2016 3:11 pm

Re: General Advice to Achieve Secure Internet Browsing on Cl

Post by triwaves » Wed Jul 27, 2016 11:45 pm

Default gateway 192.168.30.1 is the address of the Secure NAT device

I now basically have this working, the clients can connect to the server, but one thing still puzzles me.

Using Secure NAT, the DHCP server and a local TUN interface (as the server is Linux) things are working. I removed a local bridge to either WLAN, ETH0 or ETH1 and the client can access everything on the server network.

Except using a linux client ...

The Linux VPN server also has a shared directory (/Public) -- I can see it and exchange files if I connect via Android, Win 10 built-in L2TP, or the SoftEther Client in Win 10.

I also have a Linux client and spent a lot of time figuring out how to do the manual routing changes to make it work - so now it connects, and I can browse the web via VPN (sending all traffic to the VPN) and access devices on the network. What I CANNOT see however is the (/Public) shared folder that the other clients access no problem on the server itself.

I have tried using a network browser in Linux and smbtree and just opening file manager pointing to the IP address of the server and run out of ideas.

Is this a limitation of the Linux Client or is there an additional configuration I need to make?

Thanks

triwaves
Posts: 27
Joined: Mon May 16, 2016 3:11 pm

Re: General Advice to Achieve Secure Internet Browsing on Cl

Post by triwaves » Mon Aug 15, 2016 2:13 pm

> The Linux VPN server also has a shared directory (/Public) -- I can see it
> and exchange files if I connect via Android, Win 10 built in L2TP , or the
> SoftEther Client in Win 10.
>
Actually I have another possibly related issue with this.

The LINUX server running SoftEther is not available from any client in its current configuration. I moved it from my home test/setup network (Cable Modem) to a vacation house. Now the internet access is via an LTE modem (Verizon Wireless) which is a private IP address. To overcome that I use the SecureNAT functions and it gets around that and is reachable.

But I cannot see, ping, SSH, VNC ... to the server itself ... only the other devices on the network.

In summary, the server running SoftEther is connecting to clients, and the clients can see the network except for the Linux server itself.

Any tips for how I get full network visibility including the server running SoftEther?

triwaves
Posts: 27
Joined: Mon May 16, 2016 3:11 pm

Re: General Advice to Achieve Secure Internet Browsing on Cl

Post by triwaves » Mon Aug 22, 2016 8:52 pm

triwaves wrote:

> But I cannot see, ping, SSH, VNC ... to the server itself ... only the other devices
> on the network.
>
Sorry for the continued posts, but I'm confused on what the setup options are for SecureNAT and the limitations. My understanding now is that there is a limitation with accessing services on the same machine as the Linux Host. Is this correct?

If so, is there a configuration I can employ to enable it? I want to SSH to my Linux machine hosting SoftEther VPN Server.

Can I take advantage of the fact that I have multiple NICs available? Currently I have ETH0 connected to the main WiFi router; ETH1 is unconnected and WLAN0 is unconnected. Only a tunnel is defined in the bridge setup.

Should I do something different to access the Linux server itself?

Tried to update my network diagram attached... Thanks in advance

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: General Advice to Achieve Secure Internet Browsing on Cl

Post by thisjun » Fri Sep 09, 2016 7:21 am

Please create localbridge to tap device.
Please don't set up default gateway on the tap.
