How does SoftEther bypass iptables policy?

Post your questions about SoftEther VPN software here. Please answer questions if you can.
Limon
Posts: 3
Joined: Mon Apr 15, 2024 12:02 am

Post by Limon » Mon Apr 15, 2024 1:20 am

Greetings to all! 😀 I recently started learning Ubuntu v20.04 on a remote VPS, and the first thing I did was set up SoftEther VPN. Everything works, but there is one question left.

My iptables rules are configured so that access to the server is possible only from one IP address, my home PC; other packets are dropped (iptables -P INPUT DROP). However, when I connect from my home PC via a smartphone, with a different IP address, the connection to SoftEther VPN is established. 🐱‍👤 I came to the conclusion that SoftEther somehow bypasses the iptables -P INPUT DROP policy. The SecureNAT function is disabled.

Please explain how SoftEther bypasses iptables rules and what function is responsible for this?🧐

solo
Posts: 1288
Joined: Sun Feb 14, 2021 10:31 am

Re: How does SoftEther bypass iptables policy?

Post by solo » Mon Apr 15, 2024 1:59 am

Limon wrote:
Mon Apr 15, 2024 1:20 am
...The secure NAT function is disabled.
Please explain how SoftEther bypasses iptables rules and what function is responsible for this?🧐
Since SecureNAT's status is irrelevant to the issue at hand and SoftEther does not bypass iptables, it means your rules are incorrect. For Linux support go to https://ubuntuforums.org/.

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: How does SoftEther bypass iptables policy?

Post by shakibamoshiri » Wed Apr 17, 2024 3:05 pm

Please share your iptables rules. Run this on your server:

iptables-save

Copy all the output and paste it here as a code block.

Limon
Posts: 3
Joined: Mon Apr 15, 2024 12:02 am

Re: How does SoftEther bypass iptables policy?

Post by Limon » Wed Apr 17, 2024 6:23 pm

shakibamoshiri wrote:
Wed Apr 17, 2024 3:05 pm
Copy all the output and paste it here as a code block.
Here you are:

# Generated by iptables-save v1.8.4 on Wed Apr 17 19:12:10 2024
*mangle
:PREROUTING ACCEPT [1296897:193942728]
:INPUT ACCEPT [1218334:155848549]
:FORWARD ACCEPT [32261:30806755]
:OUTPUT ACCEPT [1064496:112904514]
:POSTROUTING ACCEPT [1096950:143725871]
COMMIT
# Completed on Wed Apr 17 19:12:10 2024
# Generated by iptables-save v1.8.4 on Wed Apr 17 19:12:10 2024
*filter
:INPUT DROP [158028:12856103]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1025004:108648745]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i tap_tap_virtual -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 81.13.109.166/32 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tap_tap_virtual -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Wed Apr 17 19:12:10 2024
# Generated by iptables-save v1.8.4 on Wed Apr 17 19:12:10 2024
*nat
:PREROUTING ACCEPT [210697:20675008]
:INPUT ACCEPT [407:25131]
:OUTPUT ACCEPT [998708:69056389]
:POSTROUTING ACCEPT [998708:69056389]
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Apr 17 19:12:10 2024

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: How does SoftEther bypass iptables policy?

Post by shakibamoshiri » Thu Apr 18, 2024 7:58 am

Your rules seem correct to me.

Drop by default:

:INPUT DROP [158028:12856103]

Allow only this source IP:

-A INPUT -s 81.13.109.166/32 -m conntrack --ctstate NEW -j ACCEPT

No other IPs should be able to connect. Please check the SE server log in the server_log/ directory to see from which IP the connection is made.

Limon
Posts: 3
Joined: Mon Apr 15, 2024 12:02 am

Re: How does SoftEther bypass iptables policy?

Post by Limon » Sun Apr 21, 2024 11:04 pm

shakibamoshiri wrote:
Thu Apr 18, 2024 7:58 am
No other IPs should be able to connect. Please check the SE server log in the server_log/ directory to see from which IP the connection is made.
This time a warning window appeared when I switched to a mobile connection: This VPN Client is connected to the VPN Server 'name' by using the NAT Traversal (UDP Hole Punching) technology.
Accordingly, the IP address of the mobile device was recorded in the logs.
SoftEther VPN turned out to be a very cool development. The issue was successfully resolved, thank you for your participation! ;)

solo
Posts: 1288
Joined: Sun Feb 14, 2021 10:31 am

Re: How does SoftEther bypass iptables policy?

Post by solo » Sun Apr 21, 2024 11:33 pm

Using NAT-T on a remote VPS is completely superfluous and unheard of. Disable it along with DDNS in vpn_server.config.

	declare DDnsClient
	{
		bool Disabled true

	declare ServerConfiguration
	{
		bool DisableNatTraversal true
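Neither post spells out the mechanism behind the "bypass", so here it is as an added model (not code from the thread, from the posters, or from SoftEther). UDP hole punching means the VPN Server itself sends the first UDP packet to the client's public address and port, an endpoint it learns through its own outbound session to the NAT traversal helper. The posted *filter OUTPUT chain is policy ACCEPT with no rules, so that packet leaves and conntrack records the flow. When the smartphone's packet then arrives, it is the reply direction of a flow the server originated, so it matches the second rule, `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, before the source-address whitelist is ever consulted. The INPUT policy was not bypassed; a locally originated flow was let back in, exactly as that rule intends. The Python below re-implements the posted INPUT chain together with a deliberately simplified conntrack (UDP only, no timeouts, no RELATED, entries committed only when the packet is accepted, as netfilter confirms entries at the end of the INPUT hook). Every address other than the poster's 81.13.109.166 and all port numbers are constructed.

```python
# Added example, not code from the thread or from SoftEther: a toy model of
# netfilter conntrack plus the poster's *filter INPUT chain, showing why a
# server-initiated UDP hole punch lets a non-whitelisted client in.
import ipaddress
from dataclasses import dataclass

HOME_PC = "81.13.109.166"   # whitelisted source, from the posted rules
SERVER = "203.0.113.5"      # constructed: the VPS's public address
PHONE = "198.51.100.7"      # constructed: the smartphone's public address
VPN_PORT = 5555             # constructed: SoftEther's UDP listener port
TAP_NET = ipaddress.ip_network("192.168.10.0/24")  # from the posted rules


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "eth0"   # interface the filter hook sees (UDP assumed throughout)


class Conntrack:
    """Minimal flow table in netfilter terms: a flow is NEW until a packet in
    the reply direction is seen; that packet and everything after it is
    ESTABLISHED. Entries are committed only when the packet is accepted."""

    def __init__(self):
        self.flows = {}  # key -> {"orig": (src, sport, dst, dport), "replied": bool}

    @staticmethod
    def _key(p):
        # direction-independent key: the two endpoints, sorted
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def lookup(self, p):
        """Return (ctstate, pending_update); the table itself is untouched."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        key = self._key(p)
        entry = self.flows.get(key)
        if entry is None:
            return "NEW", (key, {"orig": fwd, "replied": False})
        if entry["orig"] == fwd:
            return ("ESTABLISHED" if entry["replied"] else "NEW"), None
        return "ESTABLISHED", (key, {"orig": entry["orig"], "replied": True})

    def commit(self, pending):
        if pending is not None:
            key, entry = pending
            self.flows[key] = entry


def input_verdict(p, ct):
    """The posted *filter INPUT chain, rule by rule, policy DROP."""
    state, pending = ct.lookup(p)
    verdict = "DROP"
    if p.iface == "lo":
        verdict = "ACCEPT"                 # -i lo -j ACCEPT
    elif state == "ESTABLISHED":
        verdict = "ACCEPT"                 # -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    elif state == "NEW" and p.iface == "tap_tap_virtual" \
            and ipaddress.ip_address(p.src) in TAP_NET:
        verdict = "ACCEPT"                 # -s 192.168.10.0/24 -i tap_tap_virtual ... NEW
    elif state == "NEW" and p.src == HOME_PC:
        verdict = "ACCEPT"                 # -s 81.13.109.166/32 ... --ctstate NEW
    if verdict == "ACCEPT":
        ct.commit(pending)                 # dropped packets leave no flow behind
    return verdict, state


def output_verdict(p, ct):
    """*filter OUTPUT is policy ACCEPT with no rules: it leaves, and conntrack records it."""
    state, pending = ct.lookup(p)
    ct.commit(pending)
    return "ACCEPT", state


def phone_connect(nat_traversal):
    """The smartphone (not whitelisted) sends UDP to the VPN port. With NAT
    traversal on, the server has already sent UDP *out* to that endpoint."""
    ct = Conntrack()
    if nat_traversal:
        # the hole punch; the phone's public endpoint was learned through the
        # server's own outbound session to the NAT-T helper (not modelled)
        output_verdict(Packet(SERVER, VPN_PORT, PHONE, 40000), ct)
    return input_verdict(Packet(PHONE, 40000, SERVER, VPN_PORT), ct)


def home_pc_connect():
    """Contrast: the whitelisted PC is accepted as NEW, then as ESTABLISHED."""
    ct = Conntrack()
    first = input_verdict(Packet(HOME_PC, 40000, SERVER, VPN_PORT), ct)
    output_verdict(Packet(SERVER, VPN_PORT, HOME_PC, 40000), ct)  # server replies
    second = input_verdict(Packet(HOME_PC, 40000, SERVER, VPN_PORT), ct)
    return first, second


if __name__ == "__main__":
    print("phone, NAT-T off:", phone_connect(False))  # ('DROP', 'NEW')
    print("phone, NAT-T on: ", phone_connect(True))   # ('ACCEPT', 'ESTABLISHED')
```

The `nat_traversal=False` case is what `bool DisableNatTraversal true` produces: with no outbound punch there is no flow for the phone's packet to be a reply to, so it is NEW and falls through to the DROP policy. The iptables-side equivalent would be restricting what the server may originate in the OUTPUT chain, which the posted ruleset does not do at all; in general, a source whitelist on INPUT only constrains flows the server did not start, and any daemon that opens outbound UDP (or TCP) to a peer opens a return path through the RELATED,ESTABLISHED rule.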
