Softether and Samba on the same machine, shares inaccessible
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
Re: Softether and Samba on the same machine, shares inaccesi
No way with a magic. This is by design. All concerns to the SE developer.
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Softether and Samba on the same machine, shares inaccesi
Please see Points to Note when Local Bridging in Linux http://www.softether.org/4-docs/1-manua ... r_Mac_OS_X
---------------------------------------------------------------------------------------------
Limitations within the Linux or UNIX operating system prevent communication with IP addresses assigned to the network adapter locally bridged from the VPN side (Virtual Hub side). The cause of this restriction lies with OS's internal kernel codes rather than with the SoftEther VPN. When wishing to communicate in any form with a UNIX computer used for local bridging from the VPN side (Virtual Hub side), (for instance, when running both the VPN Server / VPN Bridge service & the HTTP Server service and wishing to grant access to the server service from the VPN side as well), prepare and connect a local bridge network adapter and physically connect both it and the existing network adapter to the same segment (as explained in 3.6 Local Bridges, it is recommended to prepare a network adapter for exclusive use in local bridging for this and other situations).
---------------------------------------------------------------------------------------------
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
Re: Softether and Samba on the same machine, shares inaccesi
Looks like it doesn't matter what OS, the same problem is under Windows.
-
- Posts: 202
- Joined: Wed Jul 10, 2013 2:07 pm
Re: Softether and Samba on the same machine, shares inaccesi
what will work is to bridge the vpn-adapter to a virtual tap device and doing NAT or routing.
-
- Posts: 17
- Joined: Sun Jun 08, 2014 9:59 pm
Re: Softether and Samba on the same machine, shares inaccesi
It's necessary to add other ideology to SoftEther.
By the way, xl2tpd+open/Strongswan as Samba4 installed at the same machine works fine with accessing shares sited here.
But it works fine with engaging of proxyarp between local eth and ppp faces and with bcrelay.
I tried to use SoftEther tap and proxyarp but tap device doesn't have IP assigned.
So, please describe step-by-step, how can it work: "vpn-adapter to a virtual tap device and doing NAT or routing" ?
What vpn-adapter ?
SoftEther doesn't create any VPN faces, tap only.
-
- Posts: 202
- Joined: Wed Jul 10, 2013 2:07 pm
Re: Softether and Samba on the same machine, shares inaccesi
Oooo1 wrote:
> What vpn-adapter ?
Sorry, I mean the virtual hub.
Just follow these tutorials and ignore he speaks about VPS. Works also in homenetworks.
http://07q.de/tut1
http://07q.de/tut2
-
- Posts: 17
- Joined: Sun Jun 08, 2014 9:59 pm
Re: Softether and Samba on the same machine, shares inaccesi
I saw at http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/.
But in the described conf were you able to access Samba shares located at the same machine where SoftEther is ?
And is it possible to assign static internal IP for tap interface ?
I tried but failed.
What it is what I wrote about that such simple ideology is necessary to add to SoftEther as built-in feature.
Assignment of IP for Vpn server (which will be as server in connection properties) , assignment of IP for Vpn clients pool (as some mini Dhcp) , also some looks like proxyarp checkbox and bcrelay with interfaces choosing despite on of with or without using SecureNat.
-
- Posts: 230
- Joined: Tue Mar 05, 2013 10:04 am
Re: Softether and Samba on the same machine, shares inaccesi
This limitation is by the design of Linux network stack, not by SoftEther VPN Server.
You should:
1. Add a physical network adapter (PCI-e or USB) as a dedicated local-bridge interface. The local-bridge adapter and another adapter (which serves for Samba) should be connected to the single Ethernet segment via physical Ethernet switches.
or
2. Add a tap device on the configuration of the local-bridge function.
or
3. Use Windows. Local-bridge for Windows can communicate with the interface itself.
1 is the best way.
-
- Posts: 17
- Joined: Sun Jun 08, 2014 9:59 pm
Re: Softether and Samba on the same machine, shares inaccesi
You said - "This limitation is by the design of Linux network stack"
I don't agree with you.
Xl2tpd+StrongSwan+Samba4 at the same machine give accessing to Samba4 shares from as Lan as Remote area network.
As following it due to SoftEther limitations functionally.
As I posted earlier here (meaning in other topic but at this forum) there is no built-in ideological connection way what is used in pptpd/xl2tpd servers.
When there is no fully functional bridge and also no permanent tap iface.
But point-to-point iface is created on the fly after connection is established.
And proxyarping and bcrelaying are necessary to make some looks like the most bridge (from lan iface to ppp iface) functions.
And Vpn server IP as Vpn clients IPs are assigned to Vpn clients by Vpn server (not separate dhcp server) automatically but from specified by admin range.
As I saw there are released some of mentioned above functional at SoftEther, but it would be very good if author add some more.
I don't understand why I can't access Samba shares in the bridge mode.
But IP addresses assignment is made, in the SecureNat mode but made.
But I think there is a bug, even I specify server IP as 192.168.0.1 in SecureNat, I see 10.0.0.1 as server IP in a client connection properties.
So, I see that it is necessary to add: 3rd variant of iface - making on-the-fly ppp, then add correct IP assignment for server/clients (what is made partially) , then add manual IP assignment ability for tap face (of course with netmask, DNS IP) , and turn on IP Assignment for clients not only for SecureNat mode but simply mode (if there is no installed Dhcp) .
And add Wins providing also to SecureNat.
That is 3 modes:
- bridge mode;
- tap mode (permanent iface) ;
- ppp mode (on-the-fly iface) ;
Dhcp (meaning Vpn client IP assignment) :
- turned off;
- turned on without SecureNAT;
- turned on for SecureNAT only;
as for Vpn server IP assignment:
- turned off;
- got from Dhcp server (where SoftEther is installed) as for non SecureNAT mode as for SecureNAT mode;
- specifying manually (with netmask, DNS/Wins) as for non SecureNAT mode as for SecureNAT mode;
in the last case: Vpn server IP address (netmask, DNS/Wins) got from Dhcp or put manually will be used as for tap device (permanent iface) as for ppp device (appeared during connection process) ;
Also proxyarp between lan iface and tap or ppp ifaces can add to SoftEther functional as bcrelay (for local bridge of course do not) . At the moment proxyarp can be handled by OS (or by such separate soft) and bcrelay is by appropriate separate soft.
Also IPSec ikev2 and ikev1 without l2tp would be good to add as functional.
If you contact with developer or devteam you can resend it as request.
I can be as adviser/tester. I have Ubuntu 14.04 LTS server with Samba4 installed at it.
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
Re: Softether and Samba on the same machine, shares inaccesi
dnobori wrote:
> This limitation is by the design of Linux network stack, not by SoftEther
> VPN Server.
Could you please point out what exactly this limitation is and does?
-
- Posts: 230
- Joined: Tue Mar 05, 2013 10:04 am
Re: Softether and Samba on the same machine, shares inaccesi
To implement the local-bridge function, SoftEther VPN Server uses Packet Socket (SOL_PACKET) interface.
http://man7.org/linux/man-pages/man7/packet.7.html
The Packet Socket interface can interact with the Ethernet interface (e.g. eth0) on the Linux kernel. Using Packet Socket, the user-mode process, such as VPN Server, can send/receive any Ethernet frame with any Ethernet devices on the Ethernet segment.
However, by the limitation of Linux Kernel, the Packet Socket interface cannot exchange Ethernet packets with other protocol stacks (TCP/IP or UDP/IP stacks) in the same machine (same-kernel). It means that VPN Server can communicate to any Ethernet hosts EXCEPT the local machine. This is the reason why something to loop-back Ethernet packets to the local machine (two Ethernet interfaces with a physical bridge, or in-kernel tap device) is necessary.
Unlike SoftEther VPN Server, other layer-3 based (in other words, ppp interface-based) VPN servers can easily communicate with local machine TCP/UDP stacks, because the Linux kernel helps exchanging layer-3 packets between several L3 interfaces.
If you do not agree with my observation about the Packet Socket's limitation, please show me the proof.
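The behaviour described in the post above can be observed with a small probe. The following C program is an added example, not SoftEther code and not something posted in this thread: it sends an ARP who-has through a packet socket bound to one interface and reports whether a reply comes back. Per the explanation above, probing the machine's own address on its own interface should stay unanswered, while another host on the same segment answers. `PROBE_MAC` and the function names are made up for illustration.

```c
/* Added example, not SoftEther code. Needs CAP_NET_RAW (root) to run. */
#include <arpa/inet.h>
#include <linux/if_ether.h>  /* ETH_P_ARP */
#include <linux/if_packet.h> /* struct sockaddr_ll, struct packet_mreq */
#include <net/if.h>          /* if_nametoindex */
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define ARP_FRAME_LEN 42 /* 14-byte Ethernet header + 28-byte ARP body */
/* Constructed, locally administered MAC standing in for a VPN-side host. */
static const uint8_t PROBE_MAC[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};

/* Fill buf with a broadcast ARP who-has for target_ip (network byte order). */
size_t build_arp_probe(uint8_t *buf, const uint8_t *mac, uint32_t target_ip)
{
    static const uint8_t fixed[8] = {0, 1, 0x08, 0x00, 6, 4, 0, 1};
    memset(buf, 0, ARP_FRAME_LEN);
    memset(buf, 0xff, 6);            /* destination: broadcast */
    memcpy(buf + 6, mac, 6);         /* source MAC */
    buf[12] = 0x08; buf[13] = 0x06;  /* EtherType 0x0806 = ARP */
    memcpy(buf + 14, fixed, 8);      /* Ethernet, IPv4, opcode 1 = request */
    memcpy(buf + 22, mac, 6);        /* sender MAC; sender IP stays 0.0.0.0 */
    memcpy(buf + 38, &target_ip, 4); /* target IP */
    return ARP_FRAME_LEN;
}

/* 1 if frame is an ARP reply (opcode 2) whose sender IP is target_ip. */
int is_arp_reply_from(const uint8_t *frame, size_t len, uint32_t target_ip)
{
    return len >= ARP_FRAME_LEN && frame[12] == 0x08 && frame[13] == 0x06 &&
           frame[20] == 0 && frame[21] == 2 && !memcmp(frame + 28, &target_ip, 4);
}

/* Send one probe on ifname, then listen until 2 s pass without ARP traffic
 * or 50 frames were seen. 1 = answered, 0 = no answer, -1 = error. */
int probe(const char *ifname, uint32_t target_ip)
{
    uint8_t out[ARP_FRAME_LEN], in[1514];
    struct sockaddr_ll sll = {.sll_family = AF_PACKET};
    struct packet_mreq mr = {0};
    int answered = 0, fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ARP));
    if (fd < 0) return -1;
    sll.sll_protocol = htons(ETH_P_ARP);
    sll.sll_ifindex = mr.mr_ifindex = (int)if_nametoindex(ifname);
    mr.mr_type = PACKET_MR_PROMISC; /* the reply is addressed to PROBE_MAC */
    build_arp_probe(out, PROBE_MAC, target_ip);
    if (!sll.sll_ifindex || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0 ||
        send(fd, out, sizeof out, 0) < 0) {
        close(fd);
        return -1;
    }
    struct pollfd pfd = {.fd = fd, .events = POLLIN};
    for (int i = 0; i < 50 && !answered && poll(&pfd, 1, 2000) > 0; i++) {
        ssize_t n = recv(fd, in, sizeof in, 0);
        answered = n > 0 && is_arp_reply_from(in, (size_t)n, target_ip);
    }
    close(fd);
    return answered;
}

int main(int argc, char **argv)
{
    struct in_addr ip;
    if (argc != 3 || inet_pton(AF_INET, argv[2], &ip) != 1)
        return fprintf(stderr, "usage: %s <ifname> <ipv4>\n", argv[0]), 2;
    int r = probe(argv[1], ip.s_addr);
    puts(r > 0 ? "ARP reply" : r ? "error (not root?)" : "no reply");
    return r != 1;
}
```

Run it once with the interface and the machine's own address, then with the address of another host on the LAN, and compare the two results.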
-
- Posts: 17
- Joined: Sun Jun 08, 2014 9:59 pm
Re: Softether and Samba on the same machine, shares inaccesi
May be it is worth to add ppp interface additionally to existing ones ?
-
- Posts: 5
- Joined: Mon Oct 20, 2014 3:57 pm
Re: Softether and Samba on the same machine, shares inaccesi
Hello, this is my first post here, just registered.
I am using softether VPN server since May 2013, it is the best vpn solution by far, congrats. I have installed on my windows 8.1 x64 HOME machine which is running behind a router. Until yesterday I was using secureNAT but I've read over the forums here that is better to disable secureNAT and use Local bridge. I've made this modification yesterday and is working just fine. I am connecting daily from work to be able to access via windows file sharing my shared folders with documents, music and so on on the same computer running softether server (HOME computer a read about above).
I always set to keep my client IP. On secureNAT was very easy deleting the gateway and DNS from secureNAT configuration (options applied to clients (optional)) on the server side and then adding the desired route to the client side to be able to reach my home resources. I have succeeded doing the same thing using Local bridge on the server side by adding a high manual metric on the client side on the VPN client adapter (virtual NIC). Doing so, I don't get the server IP on the client side, it is exactly what I want. Normally you get the server's IP on the client side, but modifying the metric does the trick. I don't understand how it works but IT WORKS :)
Well, a friend of mine has a server with some content and I want to access the resources without copying it to my computer (pretty same procedure I am doing daily from my work computer to home computer). The server is running centos 6.5 x64 and is behind a TPLink router. The WAN connection on router it has public ip, ofc.
There are 4 forwarded ports from router to the private centos: 443 and 5555 TCP / 500 and 4500 UDP.
On this server there is a hard drive with some content on it and it has samba server installed also. In his LAN he can access the shared folders without any problems from windows clients (private IPs 100 and 101) just pointing to the \\172.16.0.102(centos private ip).
There is only a eth0 physical NIC and the server is not running virtualized.
ifconfig -a displays just eth0 and lo adapters.
uname -a displays something like: Linux censored.ro 2.6.32-358.23.2.el6.x86_64
We have installed the latest server Softether build.
The problem is once connected from a different network, you can NOT access shared folders from centos (samba) where softether server is running also but you can access other stations behind the router: \\172.16.0.100 and \\172.16.0.101 via file sharing. I've tried using secureNAT and then disabled and activated local bridge, the same result: you can access 100 and 101 but NOT 102. On linux at Local bridge section you can use the eth0 or a TAP adapter (this option is not available on windows server version). I've tried with eth0 not with tap......
From this point we are lost because we don't know what we have to do further, some additional settings on the server side or maybe some special settings on samba?
I've found some tutorials on the internet but doesn't sound to be too trustable. One example is how to set a centos server with softether using local bridge: https://www.scribd.com/doc/187770965/Lo ... -on-CENTOS
The problem is that I have to modify some system files like /etc/sysctl.conf and then adding an IPTABLES rule where I have to specify [YOUR VPS IP ADDRESS] ......we really are stuck at this point and no ideas left.....as long as this tutorial is NOT official we didn't try following the explanations.
Any explanation or advice will be VERY HIGH APPRECIATED. I just want to access the resources securely. Installing a pptp server on centos is a piece of cake but when it comes to security BIG SUCKS and that's why I want to use an IPSEC solution where Softether IS THE BEST.
I don't know if this post is well formulated and explained but I know that I am not off topic.
You can ask me anything and I will reply back
Thank you very much in advance!
sigma
-
- Posts: 5
- Joined: Mon Oct 20, 2014 3:57 pm
Re: Softether and Samba on the same machine, shares inaccesi
Like I said, any explanation or advice will be VERY HIGH APPRECIATED.
Thanks again.
-
- Posts: 5
- Joined: Mon Oct 20, 2014 3:57 pm
Re: Softether and Samba on the same machine, shares inaccesi
I succeeded to install and configure Softether vpn server using Allen's tutorial: http://wp.secretnest.info/archives/1529
Very nice explained, everything works like a charm.
All due respect but the support from your side here as official need A LOT of improvements....