Documentation clarification
Posted: Fri Jun 30, 2017 4:47 am
Hi all,
I'm trying to access work resources from my home network. Obviously, this involves setting up SoftEther VPN server on a computer at work, and installing SoftEther client on my home PC.
I can connect to the VPN server at work successfully by using example.vpnazure.net (either with 'Disable NAT-T' ticked or unticked). OK, that's good, but the encryption it's using is RC4 (which is weak), despite the encryption I've configured as DHE-RSA-AES256-SHA256. Furthermore, since the VPN connection goes through Azure as a relay, I fear that it'll be slower than a direct client-to-site VPN connection. So while this works, I'd like to leave it as a last resort.
The next thing I tried was connecting to the DDNS name (example.softether.net) on port 443. I can connect to the VPN server via NAT traversal (UDP hole punching). However, the performance is reduced using this method. What's also confusing about this method is that if you stop/delete all the ports (except for port 5555 for management) on the VPN server, I am still able to connect to the VPN. In fact, it doesn't matter whether the VPN server is configured to listen on a specific port; you can specify e.g. port 9999 on the client and it will still connect. Why is that?
Anyway, the main issue as mentioned is the degraded performance with NAT-T. So then I've tried unticking 'Disable NAT-T' (not using UDP hole punching) and connecting on 443, but it fails to connect. That's understandable, as my VPN server is behind a company firewall/NAT and most of the ports are blocked (except for HTTPS/443). However, I thought the selling point of the SoftEther SSL-VPN protocol is that it uses HTTPS and can bypass firewalls?
OR, is that in terms of the SoftEther client perspective - where you're inside a restricted network but can still connect externally via 443? If this is the case, does that mean if I want to use the SSL-VPN protocol, I'll need to port forward 443 from the company's router to my VPN server and connect from the client without using NAT-T? This should then give me the best performance possible?
And finally, can someone please explain how VPN over DNS/ICMP works? I've enabled both on the VPN server, but I can't get my client to connect over either protocol. My understanding here is as follows:
- You cannot untick 'Disable NAT-T' on the client side.
- SoftEther will automatically pick the best protocol in some sort of order, e.g. (TCP, UDP, ICMP, DNS).
Since my home PC can connect to the VPN server via NAT-T, it's NOT going to use VPN over DNS/ICMP. So then I've tried creating an outbound rule under Windows Firewall that blocks ALL UDP and TCP ports. I can still ping example.softether.net (after flushing DNS), so that means DNS over ICMP should work, right? NOPE, it doesn't. And you can't port forward ICMP on a router as far as I know. OK, then I tried adding another outbound rule that allows port 53 on both TCP and UDP. I then ping google.com (after flushing DNS) and it works OK. All other ports are still blocked. Then I try to connect to the VPN server; it still fails.
Would I need to port forward port 53 on the company router to my VPN server to make this work then?
Most of the documentation is useless; it is written like sales ads. Most of it mentions how SSL-VPN (SoftEther's own protocol) is better than OpenVPN and is good at this and that. The only thing that works for me (in terms of connecting to a VPN server in a locked-down company environment) is using NAT-T (which gives you crappy performance) and via example.vpnazure.net (again, crappy performance due to the relay).
TL;DR version:
1. VPN over DNS requires port forwarding from company router to VPN server?
2. VPN over ICMP does not work when all TCP & UDP ports are disabled on the client machine (but can still ping).
3. VPN over DNS/ICMP relies on NAT-T?
4. "SSL-VPN Tunneling on HTTPS to pass through NATs and firewalls" - only if you enable NAT-T, which slows down performance.
5. NAT-T does not require any ports on the VPN server to be listening. You can specify any port on the client side and it will still connect.
6. VpnAzure works as a relay for connecting a client to the VPN server behind a locked-down company network, but performance will probably be poor due to data/traffic passing through Azure as a relay. Just to give you some perspective, the company's network without VPN is about 5 ms ping, 90 Mbps down and 91 Mbps up. With Azure VPN, it's about 448 ms, 1.47 Mbps down and 2.46 Mbps up. You might be asking, if you're using a VPN then won't you be connecting from the client side, i.e. from your home network (which may be crap)? True, but I'm actually connected to the VPN while I'm at the company. I'm on the same LAN/subnet as the server. I'm simply connecting to the server via VPN Azure, but ultimately I'm on the same network. NAT-T however is close to the speed of non-VPN, so avoid using Azure VPN unless necessary.
7. If you want to enjoy the full performance of SoftEther's proprietary SSL-VPN (HTTPS VPN), you'll need to port forward 443 to the VPN server?
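The "block all TCP/UDP, allow only DNS, check that ping still works" test described in the post is easy to get wrong on Windows, because Windows Defender Firewall evaluates explicit block rules ahead of allow rules, so an "allow port 53" rule added next to a "block all TCP/UDP" rule never matches. The script below is an added example, not code from the post or from the SoftEther project. It reproduces the same lab state with the profile's default outbound action instead of explicit block rules, allows DNS (53/TCP, 53/UDP) and ICMPv4 echo requests so that ping keeps working, then reports which transports are actually reachable before you try the VPN client, and finally restores the original firewall state. `example.softether.net` is the post's own placeholder hostname; run it in an elevated PowerShell on a test client only.

```powershell
# Added example: reproduce the post's "everything blocked except DNS and ping" client
# test on Windows and verify the resulting reachability. Not part of the original post.
$server = 'example.softether.net'   # placeholder hostname taken from the post

# 1. Snapshot the current outbound default per profile so it can be restored at the end.
$before = Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction

# 2. Block all outbound traffic by default. This replaces the explicit "block all TCP/UDP"
#    rules from the post: explicit block rules win over allow rules on Windows, so the
#    later "allow 53" rule would otherwise never take effect.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Re-open only what the test is meant to leave open: DNS over UDP and TCP, and
#    outbound ICMPv4 echo requests (type 8) so that ping still works.
New-NetFirewallRule -DisplayName 'Lab: allow DNS out (UDP)'  -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53
New-NetFirewallRule -DisplayName 'Lab: allow DNS out (TCP)'  -Direction Outbound -Action Allow -Protocol TCP -RemotePort 53
New-NetFirewallRule -DisplayName 'Lab: allow ICMPv4 echo out' -Direction Outbound -Action Allow -Protocol ICMPv4 -IcmpType 8

# 4. Verify the lab state, so a failed VPN attempt can be attributed correctly.
#    Flush the resolver cache first, as the post does, so DNS is really exercised.
Clear-DnsClientCache
$dns  = Resolve-DnsName $server -ErrorAction SilentlyContinue
$icmp = Test-Connection $server -Count 2 -Quiet -ErrorAction SilentlyContinue
$tcp  = (Test-NetConnection $server -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
[pscustomobject]@{
    DnsResolves = [bool]$dns   # expected: True  (53 is allowed)
    IcmpReply   = $icmp        # expected: True  (echo request is allowed)
    Tcp443Open  = $tcp         # expected: False (everything else is blocked)
}

# 5. Now run the SoftEther client with 'Disable NAT-T' set as you intend and observe
#    which transport it negotiates; then restore the original firewall configuration.
Get-NetFirewallRule -DisplayName 'Lab: *' | Remove-NetFirewallRule
foreach ($p in $before) {
    Set-NetFirewallProfile -Profile $p.Name -DefaultOutboundAction $p.DefaultOutboundAction
}
```

If `Tcp443Open` comes back `True` at step 4, some other allow rule on the machine is still matching and the test is not measuring what you think; fix that before drawing any conclusion about which transport the VPN client fell back to.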