Documentation clarification

chaoscreater
Posts: 12
Joined: Fri Jun 30, 2017 12:32 am

Documentation clarification

Post by chaoscreater » Fri Jun 30, 2017 4:47 am

Hi all,

I'm trying to access work resources from my home network. Obviously, this involves setting up SoftEther VPN server on a computer at work, and installing SoftEther client on my home PC.

I can connect to the VPN server at work successfully by using example.vpnazure.net (either with 'Disable NAT-T' ticked or unticked). OK, that's good, but the encryption it's using is RC4 (which is weak), even though I've configured the encryption as DHE-RSA-AES256-SHA256. Furthermore, since the VPN connection goes through Azure as a relay, I fear that it'll be slower than a direct client-to-site VPN connection. So while this works, I'd like to leave it as a last resort.

The next thing I tried was connecting to the DDNS (example.softether.net) on port 443. I can connect to the VPN server via NAT-traversal (UDP hole punching). However, the performance is reduced using this method. What's also confusing about this method is that if you stop/delete all the ports (except for port 5555 for management) on the VPN server, I am still able to connect to the VPN. In fact, it doesn't matter if the VPN server is configured to listen on a specific port; you can specify e.g. port 9999 on the client and it will still connect. Why is that?

Anyway, the main issue as mentioned is the degraded performance with NAT-T. So then I've tried unticking 'Disable NAT-T' (not using UDP hole punching) and connecting on 443, but it fails to connect. That's understandable, as my VPN server is behind a company firewall/NAT and most of the ports are blocked (except for HTTPS/443). However, I thought the selling point of the SoftEther SSL-VPN protocol is that it uses HTTPS and can bypass firewalls?

OR, is that in terms of the SoftEther client perspective - where you're inside a restricted network but can still connect externally via 443? If this is the case, does that mean if I want to use the SSL-VPN protocol, I'll need to port forward 443 from the company's router to my VPN server and connect from the client without using NAT-T? This should then give me the best performance possible?


And finally, can someone please explain how VPN over DNS/ICMP works? I've enabled both on the VPN server, but I can't get my client to connect over either protocol. My understanding here is as follows:

- You cannot untick 'Disable NAT-T' on the client side.
- SoftEther will automatically pick the best protocol in some sort of order, e.g. (TCP, UDP, ICMP, DNS).

Since my home PC can connect to the VPN server via NAT-T, it's NOT going to use VPN over DNS/ICMP. So then I've tried creating an outbound rule under Windows Firewall that blocks ALL UDP ports and TCP ports. I can still ping example.softether.net (after flushing DNS), so that means DNS over ICMP should work, right? NOPE, it doesn't. And you can't port forward ICMP on a router as far as I know. OK, then I tried adding another outbound rule that allows port 53 on both TCP and UDP. I then ping google.com (after flushing DNS) and it works OK. All other ports are still blocked. Then I try to connect to the VPN server; it still fails.

Would I need to port forward port 53 on the company router to my VPN server to make this work then?

Most of the documentation is useless; it's written like sales ads. Most of it mentions how SSL-VPN (SoftEther's own protocol) is better than OpenVPN and is good in this and that. The only thing that works for me (in terms of connecting to a VPN server in a locked down company environment) is using NAT-T (which gives you crappy performance) and via example.vpnazure.net (again, crappy performance due to the relay).



TL;DR version:

1. VPN over DNS requires port forwarding from company router to VPN server?

2. VPN over ICMP does not work when all TCP & UDP ports are disabled on the client machine (but can still ping).

3. VPN over DNS/ICMP relies on NAT-T?

4. "SSL-VPN Tunneling on HTTPS to pass through NATs and firewalls" - only if you enable NAT-T, which slows down performance.

5. NAT-T does not require any ports on the VPN server to be listening. You can specify any port on the client side and it will still connect.

6. VpnAzure works as a relay for connecting a client to the VPN server behind a locked down company network, but performance will probably be poor due to data/traffic passing through Azure as a relay. Just to give you some perspective, the company's network without VPN is about 5 ms ping, 90 Mbps down and 91 Mbps up. With Azure VPN, it's about 448 ms, 1.47 Mbps down and 2.46 Mbps up. You might be asking, if you're using a VPN then won't you be connecting from the client side, i.e. from your home network (which may be crap)? True, but I'm actually connected to the VPN while I'm at the company. I'm on the same LAN/subnet as the server. I'm simply connecting to the server via VPN Azure, but ultimately I'm on the same network. NAT-T however is close to the speed of non-VPN, so avoid using Azure VPN unless necessary.

7. If you want to enjoy the full performance of SoftEther's proprietary SSL-VPN (HTTPS VPN), you'll need to port forward 443 to the VPN server?

chaoscreater
Posts: 12
Joined: Fri Jun 30, 2017 12:32 am

Re: Documentation clarification

Post by chaoscreater » Fri Jun 30, 2017 7:52 am

Just got home and did a test (I'm able to manage my own router and open ports and port forward them obviously).

I've set up a Windows Firewall outbound rule for both TCP and UDP that blocks the following -> 0-52,54-65535. This basically means any port between 0~65535 EXCEPT for port 53 is blocked.

Did a test with 'Disable NAT-t' ticked, test failed. Then I port forwarded 53 to my VPN server, did another test, still fails. Finally, did the test again but unticked 'Disable NAT-t' and this time it works. If I then remove the port forward and try again, the test fails. In other words, VPN over ICMP and DNS does rely on NAT-t and you have to set up a port forward for 53 to the VPN server to make this work. And to test it, simply block all ports (TCP & UDP) and leave 53 as the only port able to communicate from the client side.

The problem here though, is that while I was connected successfully, I did not get anything from my DHCP server (using the built-in DHCP that comes with SoftEther). I have already configured it properly, but it got a 169.x.x.x address. Tested several times and the result is the same. If I remove my Windows Firewall rules and connect again, I get a DHCP assignment no problem. So it seems to me that this is a buggy/beta feature. I'm not using L2 Bridging here, just using SecureNAT with the DHCP. I did test out bridging yesterday and got a DHCP assignment from my physical router at home so that works all good; maybe I should test that with VPN over DNS to see if I still get an IP assigned or not....

ICMP on the other hand just doesn't work. Tried using Windows Firewall to block ALL TCP and UDP ports and leave ICMP live (tested ping and works fine), but it just won't work. Many others mentioned the same issue as well. So conclusion here is, VPN over DNS/ICMP just sucks and it won't penetrate the firewall where the VPN server is sitting behind (as you need to port forward 53 to make it work). This will only be useful within your network (in this case my home network), where DNS is allowed and I can use it to connect to an external VPN that's listening on 53.

OpenVPN also requires port forwarding setup as you would with the standard official version. Once you've got it setup, you can see the connection status shows Legacy OpenVPN-L3.

SoftEther's proprietary SSL-VPN also requires port forwarding. NAT-t will work fine but like I said, performance will be degraded. If you have port forwarding setup, it talks to the VPN server directly and the connection will show something like 'Standard TCP/IP (IPv4)'.

Finally, I'd like to share some benchmark results that I found quite interesting. First of all, I'm on a fiber connection (200 Mbps down, 20 Mbps up). The VPN client is installed on a shitty old laptop. I'm just using WiFi here (yes I know it's not accurate blah blah), but if I keep all variables the same it should be somewhat OK. Without VPN connected, my laptop's WiFi gets an average (tested 3 times) of 41 Mbps down and 19 Mbps up. The WiFi signal strength is full and I'm about 5 m away from my router. The WiFi chip is crap so the max speed I can get on the laptop is 65 Mbps (as shown in the WiFi connection status).

Now, with VPN connected (not using NAT-t, just direct SSL-VPN connection), I get 115.56 Mbps down, 21.20 Mbps up. I've tested several times and the result is the same. I'm connected to the same Speedtest server prior to turning on VPN, and I'm testing all this within the same home network so the Speedtest server doesn't change anyway. The virtual NIC created by SoftEther is a 100 Megabit NIC. I haven't adjusted this at all.

I'm not good with networking, but my understanding is that the max speed I should be getting is 100 Mbps (theoretical), because that's what my virtual NIC is maxed at. How did I get 115.56? Also, the underlying physical NIC isn't even 100Mbps, so how was this even possible?

The WiFi NIC is a Qualcomm Atheros AR9285 and supports wireless-N. Max speed it can go up to (according to Google) is 150 Mbps. OK, but if I'm getting max signal strength 5m away from the router and connection stat shows 65 Mbps (even if I move right next to the router I still get 65 Mbps on the Wifi NIC) and Speedtest gives me 41 Mbps, then how am I suddenly getting 115.56 Mbps from the same spot with nothing else changed?

If I remove the port forward to the VPN server and use NAT-t, I get about 99 Mbps down and 19 Mbps up. If I use OpenVPN GUI to connect via port 1194, I get about 24 Mbps down and 19 Mbps up. So it looks like NAT-t performance isn't that far off from direct. I've made sure to check the connection status and can see one shows Standard TCP/IP and one shows VPN over UDP with NAT.

I'm using Windows 10 latest build, no modifications to the WiFi NIC (just defaults) and the driver is the latest from Windows Update. I did check the WiFi NIC settings and the mode is set to auto, full duplex etc. None of those really matter because I'm not changing any variables here. Just weird to see that a virtual NIC utilizing a physical NIC actually scored better.
Last edited by chaoscreater on Fri Jun 30, 2017 10:09 am, edited 3 times in total.
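The egress test described in the post above (block every outbound TCP and UDP port except 53, flush the DNS cache, then see what still gets out before trying the VPN client) is fiddly to do by hand in the Windows Firewall UI. The following PowerShell is an added example of scripting that test; it is not code from the post or from the SoftEther project. It assumes Windows 8 / Server 2012 or later with the built-in NetSecurity and DnsClient modules and an elevated session; the rule group name, the function names and the use of the post's example.softether.net hostname as a placeholder are my own choices.

```powershell
# Added example (not from the original post or SoftEther): reproduce the
# "only port 53 may leave this machine" test with Windows Firewall outbound
# rules, check what is still reachable, and always clean the rules up again.
# Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later.
# Port 0 is not a usable destination port, so the block range starts at 1
# (the post used 0-52); everything except TCP/UDP 53 is blocked either way.

$RuleGroup = 'SoftEther DNS-only egress test'   # lets us find and remove our rules later
$Blocked   = '1-52', '54-65535'                 # every port except 53
$VpnHost   = 'example.softether.net'            # placeholder DDNS name from the post

function Enable-DnsOnlyEgress {
    # One outbound BLOCK rule per protocol; ICMP is untouched, so ping still works,
    # which is exactly the condition the post tested VPN over ICMP under.
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "$RuleGroup ($proto)" -Group $RuleGroup `
            -Direction Outbound -Action Block -Protocol $proto -RemotePort $Blocked `
            -Profile Any | Out-Null
    }
}

function Disable-DnsOnlyEgress {
    # Remove only the rules we created, identified by their group name.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

function Test-Reachability {
    param([string]$HostName)
    Clear-DnsClientCache     # flush cached answers so the lookup really goes out over port 53
    [pscustomobject]@{
        Host     = $HostName
        Resolves = [bool](Resolve-DnsName $HostName -ErrorAction SilentlyContinue)   # UDP/TCP 53: allowed
        Ping     = Test-Connection $HostName -Count 2 -Quiet                          # ICMP echo: allowed
        Tcp443   = (Test-NetConnection $HostName -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded  # expected: False
        Tcp53    = (Test-NetConnection $HostName -Port 53  -WarningAction SilentlyContinue).TcpTestSucceeded  # True only if something listens on 53
    }
}

try {
    Enable-DnsOnlyEgress
    Test-Reachability -HostName $VpnHost | Format-List
    # With the rules active, start the SoftEther client connection by hand: the only
    # transports that can leave the machine now are DNS (port 53) and ICMP, so a
    # successful connection isolates those paths from plain TCP/NAT-T UDP.
    Read-Host 'Rules are active. Run your VPN connection test, then press Enter to restore egress'
} finally {
    Disable-DnsOnlyEgress    # restore normal egress even if a step above throws
}
```

Running Test-Reachability before enabling the rules and again afterwards gives a quick sanity check that the block is really in force (Tcp443 should flip from True to False while Resolves and Ping stay True), which removes the "is it the firewall or the VPN?" ambiguity the post runs into.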

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: Documentation clarification

Post by cedar » Fri Jun 30, 2017 9:35 am

> 1. VPN over DNS requires port forwarding from company router to VPN server?

Yes.

> 2. VPN over ICMP does not work when all TCP & UDP ports are disabled on
> the client machine (but can still ping).

Theoretically, it works.

> 3. VPN over DNS/ICMP relies on NAT-T ?

No.
However, if available, there is a possibility that the UDP acceleration function will make a NAT-T connection after connection.

> 4. "SSL-VPN Tunneling on HTTPS to pass through NATs and
> firewalls" - only if you enable NAT-T, which slows down performance.

Normally, performance will not degrade with NAT-T connection.
However, it seems that some routers sometimes cannot properly perform NAT processing on UDP packets.

> 5. NAT-T does not require any ports on the VPN server to be listening. You
> can specify any port on the client side and it will still connect.

Yes.
To be precise, the port used for UDP connections is an ephemeral port.
There is no way to specify the port number.

> 6. VpnAzure works as a relay for connecting a client to the VPN server ...

Since all users share one relay host, you should not expect much in terms of performance.
In order to reduce the load on the relay system, the encryption algorithm is limited.
The VPN Azure service is intended to be used when you want to place a server behind a carrier grade NAT or when you want users not familiar with certificate installation methods to use SSTP.

> 7. If you want to enjoy the full performance of SoftEther's proprietary
> SSL-VPN (HTTPS VPN), you'll need to port forward 443 to the VPN server ?

You should forward one of the TCP ports on which the server is listening.

chaoscreater
Posts: 12
Joined: Fri Jun 30, 2017 12:32 am

Re: Documentation clarification

Post by chaoscreater » Fri Jun 30, 2017 10:52 am

Thanks for the clarifications, that helps a lot.

Regarding #3, I couldn't get VPN over DNS working if I Disable NAT-t. If I enable NAT-t, I could at least connect to the server, just not have an IP assigned by DHCP (still unsure why).

According to the documentation, it looks like VPN over DNS won't work without NAT-t, as 'Disable NAT-t' is effectively the same as adding /tcp at the end of the hostname? Quote:

VPN over ICMP and VPN over DNS are implemented based on the ICMP and DNS protocol specifications. However, they sometimes behave irregularly. It might cause memory overflow or other problems on the "buggy routers" on the network. Some routers might reboot because of these problems. It might affect other users of Wi-Fi around you. In such an event, disable the VPN over ICMP and VPN over DNS functions by appending the "/tcp" suffix after the destination hostname.



As a side note, why isn't the forum using HTTPS?

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: Documentation clarification

Post by cedar » Fri Jun 30, 2017 11:02 am

"Disable NAT-T" is not an accurate expression.
This mode uses only TCP.

chaoscreater
Posts: 12
Joined: Fri Jun 30, 2017 12:32 am

Re: Documentation clarification

Post by chaoscreater » Sat Jul 01, 2017 12:03 am

Thanks, I'll experiment with this some more. I appreciate your help.

BTW I've done some testing and looks like SSL-VPN is indeed much faster than OpenVPN as per the documentation....just to share some stats. Since I can't access the work router/firewalls, I can't open ports or setup port forwarding. So the premise here is to test remote access from my work to my home, rather than the other way round.

I'm running SoftEther VPN server on my home PC, OpenVPN docker on my home PC and also OpenVPN on my ASUS AC-88u router running a custom Merlin firmware. This OpenVPN server is a stripped down version of the full version.

- openVPN client installed on work PC is the latest build.
- softether client installed on work PC is the latest build.
- virtual NICs (for both OpenVPN and SoftEther) on work PC are set to a metric of 1 (to avoid split tunneling / split DNS).
- virtual NIC on work PC is configured as 1Gigabit.
- OpenVPN server (latest build) on my router and on my docker (latest OpenVPN image) are both configured to redirect internet traffic for clients, i.e no split tunnelling. All traffic will be routed to my home.

Stats (Mbps):

Work internet speedtest - 93 down, 93 up
My home (fiber connection) speedtest - 200 down, 20 up

work pc connects to home via softether SSL-VPN - 116 down, 19 up
work pc connects to OpenVPN server running on router - 20 down, 18 up
work pc connects to OpenVPN docker - 44 down, 15 up

My router is running a stripped down version of the OpenVPN server, so it makes sense that it's not as optimized as Docker OpenVPN.....but the difference between SSL-VPN and OpenVPN is quite huge. I'm not sure why the download speed didn't go higher though (as the max is 200 down). Perhaps it's because my work's internet is limited to 93 down, so it can't get any higher (even though it did get up to 116 down...)?
