Access Multiple Private Subnet

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
singhn
Posts: 9
Joined: Tue Jan 24, 2017 10:17 am

Access Multiple Private Subnet

Post by singhn » Tue Jan 24, 2017 10:21 am

Hi folks,

I am planning to deploy SoftEther as a VPN solution.

I have the following requirements.

- Required SSTP and L2TP VPN connectivity.
- Need to access resources in multiple network segments like /26, /24, /21 etc.
- Block users from routing internet traffic over the VPN.

Is there some specific configuration that I need to take care of to achieve the above setup? Any specific documentation that you folks can share?

I appreciate any help on this; I'm just trying to replace a nightmarish Windows VPN solution.

singhn
Posts: 9
Joined: Tue Jan 24, 2017 10:17 am

Re: Access Multiple Private Subnet

Post by singhn » Wed Jan 25, 2017 2:43 am

Any suggestions?

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Access Multiple Private Subnet

Post by moatazelmasry » Wed Jan 25, 2017 11:55 am

Assume that your network card eth0 is able to access those private subnets.

In this case you need to create a local bridge in SoftEther to eth0:
https://www.softether.org/4-docs/1-manu ... al_Bridges

Also have a look at the L2/L2 LAN-to-LAN bridge:
https://www.softether.org/4-docs/2-howt ... Bridge_VPN
https://www.softether.org/4-docs/1-manu ... L2_Bridge)


To prevent users from redirecting internet traffic through the VPN, distribute to them an OpenVPN client configuration that includes the following directive:
https://community.openvpn.net/openvpn/w ... ectGateway

Obviously, if a user mangles with his/her client configuration file, he will bypass that.

To really prevent users from accessing the internet, do the following:
- Create access lists that allow users access to your private subnets
- Block access to 0.0.0.0/0
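
An added example (not SoftEther code, and not something either poster ran) showing why the order of those two access-list entries matters. It models the evaluation assumed here, rules tried in ascending priority number with the first match deciding and unmatched traffic passing, over three policies: the one suggested above, no access list at all, and the same rules with the catch-all discard placed first. The 172.16.0.0/16 and 172.17.0.0/16 ranges are the ones discussed in the thread; the priority numbers, memos and the public probe address are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

PASS, DISCARD = "pass", "discard"


@dataclass(order=True)
class Rule:
    """One access-list entry; only the priority takes part in ordering."""
    priority: int                       # lower number is evaluated first
    action: str = field(compare=False)  # PASS or DISCARD
    dest: str = field(compare=False)    # destination network in CIDR form
    memo: str = field(compare=False, default="")


def evaluate(rules, dst_ip):
    """Return (action, matching rule) for a packet to dst_ip.

    Model assumed here: rules are tried in ascending priority, the first rule
    whose destination contains dst_ip decides, and a packet matching no rule
    passes (default-allow).
    """
    ip = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules):
        if ip in ipaddress.ip_network(rule.dest, strict=False):
            return rule.action, rule
    return PASS, None


def audit(rules):
    """Findings for two mistakes: leaving the default route reachable, and a
    catch-all discard that shadows the pass rules for the private subnets."""
    findings = []
    if evaluate(rules, "203.0.113.10")[0] == PASS:   # constructed public address
        findings.append("internet destination passes: add a discard rule for 0.0.0.0/0")
    for rule in rules:
        if rule.action != PASS:
            continue
        # Probe with the first address of the allowed network; if some other
        # rule claims it, this pass rule can never match anything.
        probe = ipaddress.ip_network(rule.dest, strict=False).network_address
        if evaluate(rules, str(probe))[1] is not rule:
            findings.append(f"pass rule for {rule.dest} is shadowed by a higher-priority rule")
    return findings


# Policy the post recommends: allow the private subnets, then discard everything else.
RECOMMENDED = [
    Rule(100, PASS, "172.16.0.0/16", "resource subnets (/26, /24, /21 carved out of this range)"),
    Rule(100, PASS, "172.17.0.0/16", "segment the VPN server sits in"),
    Rule(1000, DISCARD, "0.0.0.0/0", "no internet egress over the tunnel"),
]

# No access list at all: everything reachable from eth0 is reachable through the VPN.
OPEN = []

# Same rules with the catch-all discard given the best priority: nothing is reachable.
MISORDERED = [Rule(1, DISCARD, "0.0.0.0/0"), Rule(100, PASS, "172.16.0.0/16")]

if __name__ == "__main__":
    for name, policy in (("recommended", RECOMMENDED), ("open", OPEN), ("misordered", MISORDERED)):
        print(name,
              "172.16.8.10 ->", evaluate(policy, "172.16.8.10")[0],
              "| 203.0.113.10 ->", evaluate(policy, "203.0.113.10")[0],
              "| findings:", audit(policy))
```

The point the audit makes is the one the post makes in words: a client-side directive only asks the client not to route the internet through the tunnel, whereas a server-side discard for 0.0.0.0/0 behind the pass rules is enforced regardless of what the client configuration says.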

singhn
Posts: 9
Joined: Tue Jan 24, 2017 10:17 am

Re: Access Multiple Private Subnet

Post by singhn » Thu Jan 26, 2017 1:30 am

Thanks for the response, mate. Yes, the server (AWS EC2 instance in a VPC) has only 1 NIC/eth0, and from that NIC/subnet I can access the rest of the subnets.

I will create a test EC2 instance and try the suggestion and will let you know.

singhn
Posts: 9
Joined: Tue Jan 24, 2017 10:17 am

Re: Access Multiple Private Subnet

Post by singhn » Thu Jan 26, 2017 2:24 am

Just a quick question: do I need to push static routes on the end-user PC, or will SoftEther be able to handle that?

OR

Do I need to place a SoftEther VPN hub in each LAN and then bridge it with the main VPN server?

The local bridge page says:
the physical network adapter connected to that server computer on a layer 2 connection, thereby joining two segments which originally operated as separate Ethernet segments into one

In Server 2012 R2 VPN, I am using a static address pool from the same network segment; won't that help? I know it doesn't work when I try to access resources in other segments, and I have to add static routes on the client side.

Also, the default gateway remains blank for the VPN tunnel, which might be an issue when accessing resources in other network segments.

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Access Multiple Private Subnet

Post by moatazelmasry » Thu Jan 26, 2017 10:09 am

Usually SoftEther is able to handle that on its own. But indeed, sometimes static routes are needed.

I'd say just try it as it is for now and see if it works. If not, adding static routes inside SoftEther should suffice.

singhn
Posts: 9
Joined: Tue Jan 24, 2017 10:17 am

Re: Access Multiple Private Subnet

Post by singhn » Tue Jan 31, 2017 8:29 am

Seems like I have hit a roadblock.

I have downloaded and installed the stable release of SoftEther VPN:
SoftEther VPN Server and VPN Bridge (Ver 4.20, Build 9608, rtm)

However, I am facing a few issues before I can test the scenario.

1. I am not able to specify the username as * and use NT domain authentication. I receive a stop error stating that certificate and NT domain authentication aren't available in this build of SoftEther.
2. I tried to connect using password authentication.

On the Windows client I get an error at "Registering your computer on the network": Error 720.

I tried to find some step-by-step configuration guide for SoftEther VPN on Windows but couldn't find one either. I didn't find install-and-configure documentation with actual steps in the SoftEther documentation section.

singhn
Posts: 9
Joined: Tue Jan 24, 2017 10:17 am

Re: Access Multiple Private Subnet

Post by singhn » Tue Jan 31, 2017 9:05 am

OK, I had to enable SecureNAT in order to get connected.
However, I am not able to access any resources.

Is there a way to not use SecureNAT and specify a static DHCP address pool?

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Access Multiple Private Subnet

Post by moatazelmasry » Tue Jan 31, 2017 12:15 pm

Yes, you can disable SecureNAT. Use a local bridge. In this case the default gateway (eth0 for example) will be asked to provide an IP. The DHCP can then be configured at the OS level: local DHCP, forward the request somewhere else, etc.

Yes, for the sake of this experiment, do not use an external authentication method; you want to mitigate the error sources as much as possible.

If you get an error on the client side, it would be good to have a look at the server_log and, if it's not clear, post it here.

singhn
Posts: 9
Joined: Tue Jan 24, 2017 10:17 am

Re: Access Multiple Private Subnet

Post by singhn » Wed Feb 01, 2017 1:28 am

So basically, we can't use a static DHCP pool; either we need to use SecureNAT or a DHCP server. The challenge is that the VPN server is in AWS and we don't have a DHCP server there.

The current Server 2012 R2 VPN uses a static DHCP pool of IP addresses. The current config uses addresses from the same segment. I would like to replicate the same if possible.

I tried earlier with SecureNAT (with the default IP range 192.168.x.x), but I am not able to access any resources (172.17.0.0/16) while connected to it. There are multiple subnets created from the 172.16.0.0/16 CIDR where resources are located.

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Access Multiple Private Subnet

Post by moatazelmasry » Wed Feb 01, 2017 2:05 am

Hmm, according to this:
https://www.softether.org/index.php?tit ... CP_Servers

it is possible to use the virtual DHCP server functionality WITHOUT turning on SecureNAT:
"Of the SecureNAT functions, it is possible to enable only the DHCP server. In other words, it is possible to use only the DHCP server function operating within the Virtual Hub Ethernet segment. This allows VPN Clients and local bridge destination client computers remotely accessing the Virtual Hub to receive IP addresses assigned by the virtual DHCP server."

Do this, and create a local bridge to your eth0 or whatever your gateway is. This way you should be able to access the subnets that are usually accessible via eth0.

singhn
Posts: 9
Joined: Tue Jan 24, 2017 10:17 am

Re: Access Multiple Private Subnet

Post by singhn » Wed Feb 01, 2017 9:36 am

I have enabled SecureNAT and disabled the virtual NAT settings.
Updated the DHCP server settings to be the same as eth0 with a different IP range.
eth0 is 172.17.7.108/255.255.255.192 gateway 172.17.7.65

Virtual host network interface setting:
IP 172.17.7.100/255.255.255.192

DHCP server setting:
172.17.7.101 - 110 / 255.255.255.192
blank gateway
DNS IP from different lan segment

Created a local bridge attached to eth0.

I am able to connect to the VPN and access the VPN server (RDP); however, I am not able to access any resources in other network segments.

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Access Multiple Private Subnet

Post by moatazelmasry » Wed Feb 01, 2017 11:16 am

Although your settings are not wrong, for safety reasons do not give SE the same subnet as your eth0 and risk an IP clash.

So if your eth0 has:
eth0 is 172.17.7.108/255.255.255.192 gateway 172.17.7.65

Then in SE make the virtual host for example:
192.168.30.1
DHCP
192.168.30.10-192.168.30.254

I assume the following about your local bridge:
- It connects the correct HUB (in case you have multiple hubs) to eth0
- The local bridge status is "connected" and it is not showing errors

Maybe, as you mentioned, you should push the static routes of the other subnets. Here's a nice answer that might help:
http://forum.softether.org/viewtopic.ph ... 8590#p9900
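
Two checks for the numbers in this exchange, as an added example written for this thread (not SoftEther code, and not what either poster ran; it also covers the DHCP-only setup suggested two posts up). The first tests whether a virtual DHCP pool overlaps the physical interface's subnet, the IP-clash risk above, using the 172.17.7.x values singhn posted and the 192.168.30.x values suggested here. The second encodes a list of remote subnets as a DHCP classless static route option (RFC 3442, option 121; Windows clients read the same payload as Microsoft option 249), which is the standard way a DHCP server pushes routes to a client, and decodes it back. Whether this build's virtual DHCP server emits that option is not something the thread establishes; the subnet and gateway values are taken from the posts, and the remote subnet list is constructed.

```python
import ipaddress


def pool_overlaps_interface(pool_start, pool_end, iface_cidr):
    """True when the DHCP pool [pool_start, pool_end] intersects the subnet of
    the physical interface, given as address/prefix or address/netmask."""
    iface = ipaddress.ip_interface(iface_cidr).network
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if start > end:
        raise ValueError("pool start is after pool end")
    # Two address ranges intersect when the later start precedes the earlier end.
    return max(start, iface.network_address) <= min(end, iface.broadcast_address)


def classless_static_routes(routes, router):
    """Encode routes as the RFC 3442 classless static route option payload:
    per route, one byte of prefix length, only the destination octets the
    prefix covers, then the four-byte router address."""
    gateway = ipaddress.ip_address(router).packed
    payload = bytearray()
    for dest in routes:
        net = ipaddress.ip_network(dest, strict=True)   # reject host bits set in the prefix
        significant = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += gateway
    if len(payload) > 255:
        raise ValueError("payload exceeds the 255-byte limit of a single DHCP option")
    return bytes(payload)


def decode_classless_static_routes(payload):
    """Inverse of classless_static_routes; returns a list of (cidr, router) strings."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        significant = (width + 7) // 8
        dest = bytes(payload[i + 1:i + 1 + significant]).ljust(4, b"\x00")
        gw = bytes(payload[i + 1 + significant:i + 5 + significant])
        if len(dest) != 4 or len(gw) != 4:
            raise ValueError("truncated route entry")
        routes.append((f"{ipaddress.ip_address(dest)}/{width}", str(ipaddress.ip_address(gw))))
        i += 1 + significant + 4
    return routes


# Values from the thread.
ETH0 = "172.17.7.108/255.255.255.192"          # physical interface, gateway 172.17.7.65
POSTED_POOL = ("172.17.7.101", "172.17.7.110")   # singhn's DHCP range, same subnet as eth0
SUGGESTED_POOL = ("192.168.30.10", "192.168.30.254")  # moatazelmasry's separate range
VIRTUAL_HOST = "192.168.30.1"                    # suggested virtual host address
# Constructed: the resource range and eth0's own /26, to be reached via the virtual host.
REMOTE_SUBNETS = ["172.16.0.0/16", "172.17.7.64/26"]

if __name__ == "__main__":
    for label, pool in (("posted", POSTED_POOL), ("suggested", SUGGESTED_POOL)):
        print(f"{label} pool overlaps eth0 subnet:", pool_overlaps_interface(*pool, ETH0))
    option = classless_static_routes(REMOTE_SUBNETS, VIRTUAL_HOST)
    print("option 121 payload:", option.hex())
    print("decoded:", decode_classless_static_routes(option))
```

The overlap check says "yes" for the posted 172.17.7.101-110 pool and "no" for the suggested 192.168.30.x pool, which is the clash the post warns about. The encoder shows what a pushed route actually looks like on the wire: a /16 costs two destination octets and a /26 costs four, plus the router, per entry.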

singhn
Posts: 9
Joined: Tue Jan 24, 2017 10:17 am

Re: Access Multiple Private Subnet

Post by singhn » Thu Feb 02, 2017 2:16 am

If I use a different network on the VPN DHCP, I am not able to connect. I have tried the suggestion, but I am in a situation where I can't access the resources.

I believe we need some sort of routing between the different network segments.

I have added static routes, but I don't see them being pushed when I use the native Windows VPN client.

The machine is an AWS EC2 instance, and I don't think AWS would allow enabling promiscuous mode. I will check if that's causing the issue.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Access Multiple Private Subnet

Post by thisjun » Wed Feb 15, 2017 8:24 am

How did the VPN server connect to the target segment?

What OS does the server run on?
You wrote sometimes Linux, sometimes Windows.
