VPN lan to lan on same subnet

Jace-99
Posts: 11
Joined: Sat Sep 25, 2021 9:00 am

VPN lan to lan on same subnet

Post by Jace-99 » Sat Sep 25, 2021 9:28 am

Hi all. I am a complete noob who is trying to create a VPN lan to lan network. I have installed VPN Server on ‘Machine A’ (Win 10), and VPN Bridge on ‘Machine B’ (Win 10). I have managed to create a session and both server and bridge appear to be talking to each other. However, everything slows to a crawl.

I should point out that ‘Machine A’ and ‘Machine B’ are currently connected to the same network, i.e. both physically connected to the same switch and subnet behind my broadband router. This arrangement is for test purposes only. I plan to move the ‘Machine B’ off-site eventually.

Is it ok to try to test a setup this way or have I broken some cardinal rule? When the session is running it seems my broadband router is being flooded. Even my home WiFi slows to a halt. Cheers in advance.

solo
Posts: 95
Joined: Sun Feb 14, 2021 10:31 am

Re: VPN lan to lan on same subnet

Post by solo » Sun Sep 26, 2021 9:17 am

You created a network loop with broadcast storm which slows everything down.

Jace-99
Posts: 11
Joined: Sat Sep 25, 2021 9:00 am

Re: VPN lan to lan on same subnet

Post by Jace-99 » Mon Sep 27, 2021 7:38 am

That sounds about right. It is probably pointless in me testing this setup. Or perhaps that proves it works. I will be moving the bridge off-site soon. Cheers

Jace-99
Posts: 11
Joined: Sat Sep 25, 2021 9:00 am

Re: VPN lan to lan on same subnet

Post by Jace-99 » Tue Oct 12, 2021 4:40 pm

So I have finally got the VPN Server and Bridge set up on 2 isolated networks at separate sites. I am satisfied the remote bridge has established a connection to the server's virtual hub. This is about as far as I can go. I was hoping the local and remote LANs would be as one. I have tried to do a basic communications test like pinging or trying to access a shared folder from one site to the other but I have not had any success. Am I missing a step?

I have attached a screen grab of their Virtual Hub's session IP Table. It lists my local subnet (192.168.0.x) and the remote subnet (192.168.1.x). Do I need to 'bond/bridge' these LANs or set up NAT to establish routing?

Cheers

[Attachment: Capture.PNG]

solo
Posts: 95
Joined: Sun Feb 14, 2021 10:31 am

Re: VPN lan to lan on same subnet

Post by solo » Tue Oct 12, 2021 11:43 pm

Use Layer 3 switch and static routes as described here https://www.softether.org/4-docs/1-manu ... ork_Layout

Jace-99
Posts: 11
Joined: Sat Sep 25, 2021 9:00 am

Re: VPN lan to lan on same subnet

Post by Jace-99 » Wed Oct 13, 2021 12:22 pm

Thanks for that. It has put me on the right track but I have hit a stumbling block. I have created a Virtual L3 Switch. I have added 2 virtual interfaces in the switch configuration connecting to 2 virtual hubs respectively. But when I try to add a routing table entry, the 'OK' button is greyed out. Any ideas?
[Attachment: Capture.PNG]

solo
Posts: 95
Joined: Sun Feb 14, 2021 10:31 am

Re: VPN lan to lan on same subnet

Post by solo » Wed Oct 13, 2021 11:36 pm

You need to add static routes to the routers or PCs in the subnets.

Jace-99
Posts: 11
Joined: Sat Sep 25, 2021 9:00 am

Re: VPN lan to lan on same subnet

Post by Jace-99 » Wed Oct 13, 2021 11:38 pm

That is not the screenshot I meant to upload in my last post. I'll try again.
[Attachment: Capture.PNG]
The 'OK' button is still greyed out so I can't add a routing entry.

solo
Posts: 95
Joined: Sun Feb 14, 2021 10:31 am

Re: VPN lan to lan on same subnet

Post by solo » Thu Oct 14, 2021 8:33 am

No, you need to add static routes to the routers or PCs in the subnets.

Jace-99
Posts: 11
Joined: Sat Sep 25, 2021 9:00 am

Re: VPN lan to lan on same subnet

Post by Jace-99 » Fri Oct 15, 2021 12:16 pm

I'm confused here. The only PCs connected at the moment are the VPN Server (locally) and the VPN Bridge (remotely). The VPN bridge has a virtual hub set up that has established a connection with a virtual hub set up on the VPN Server. The VPN server has a second virtual hub setup that binds to its nic.
[Attachment: topology1.png]
The VPN Server is set up locally. It has 2 virtual hubs set up.
(1) Local-Virtual-hub. This is bound to the server nic and local ethernet infrastructure.
(2) Remote-Virtual-hub. This is set up to accept connection from a VPN bridge at the remote site.
(3) A Layer 3 switch attempt to route traffic between local LAN and remote LAN

VPN Bridge is set up at remote site.
(1) It has a single virtual hub which is bound to the nic and ethernet structure and establishes a cascade connection to the VPN server


The VPN Server Layer 3 switch has the following entries.
[Attachment: Capture2.PNG]
192.168.0.254 and 192.168.1.254 are previously non-assigned IP addresses and so are notional/virtual addresses assigned as gateways to the Layer-3 switch. I think this is what I'm supposed to do.

The next thing I would like to do now is establish a basic ping between 192.168.0.99 and 192.168.1.100 and access shared folders, before I even add more hardware. So do I still need to add static routes? The VPN server can see the local IP table and the remote IP table. Would it not have all it needs to now perform the routing between the 2 subnets, if the entries are added to the Layer-3 switch on the server?

solo
Posts: 95
Joined: Sun Feb 14, 2021 10:31 am

Re: VPN lan to lan on same subnet

Post by solo » Sat Oct 16, 2021 12:38 am

Ignore the SE "Add Routing Table Entry" option, it's useless in this particular context.

L3 switch is not a NAT and a ping across subnets will arrive OK but with an unroutable return address, resulting in the "unreachable" error.

Try out whatever you conceive but in the end you WILL...

...add static routes to the routers or PCs in the subnets.

Jace-99
Posts: 11
Joined: Sat Sep 25, 2021 9:00 am

Re: VPN lan to lan on same subnet

Post by Jace-99 » Sun Oct 17, 2021 3:32 pm

Ok Solo. I am more than willing to try this. But I don't think it is working for me or that I have done it correctly.

On the VPN Server (local) I have 2 virtual interfaces defined, 1 per virtual hub, as already stated. If I have done it correctly, I have assigned previously non-assigned IP addresses to be the virtual interface gateways, i.e. 192.168.0.254 for the local subnet, 192.168.1.254 for the remote subnet. Both subnets use 192.168.0.1 and 192.168.1.1 for the actual physical gateway, so these addresses are unavailable.

I have applied this static route to the server
route add -p 192.168.1.100 mask 255.255.255.0 192.168.0.254

and this route to the remote bridge
route add -p 192.168.0.99 mask 255.255.255.0 192.168.1.254

I don't think I have achieved much by doing this. Does this tally with what you were suggesting?

solo
Posts: 95
Joined: Sun Feb 14, 2021 10:31 am

Re: VPN lan to lan on same subnet

Post by solo » Sun Oct 17, 2021 10:23 pm

You need to add them to any unit involved in communication across the L3 switch. If all are involved, then the most efficient way is to only add them to the routers with default gateways, here...
"Both subnets use 192.168.0.1 and 192.168.1.1 for the actual physical gateway"

Jace-99
Posts: 11
Joined: Sat Sep 25, 2021 9:00 am

Re: VPN lan to lan on same subnet

Post by Jace-99 » Mon Oct 18, 2021 1:50 pm

Solo, it makes sense doing it at the router level as you have pointed out. I will eventually have a couple of non-windows, embedded devices that will need to communicate over IP and will not have a static route configuration exposed to me. In the meantime however, there are just two PCs connected, The Server and The Bridge. I only need to try it configured at the Windows level for proof of concept.

So I spotted what I was doing wrong. My static routes should have looked like this:

On the VPN Server PC
route add -p 192.168.1.0 mask 255.255.255.0 192.168.0.254

On the VPN Bridge
route add -p 192.168.0.0 mask 255.255.255.0 192.168.1.254

Earlier I was specifying a destination IP address as opposed to a destination subnet address. Now that I have made this change I can ping back and forth between the two. So first step achieved I think.

Cheers
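The correction in the post above, modelled as an added example that is not part of the original thread: it checks that a static route's destination is a network address for its mask, then traces next hops to show that a ping across the L3 switch only succeeds once both ends route the other subnet through the switch's virtual interfaces. `Host`, `parse_route`, `ping_works` and `demo` are hypothetical names; the addresses are the ones quoted in the thread.

```python
import ipaddress

def parse_route(dest, mask, gateway):
    # strict=True raises ValueError when dest has host bits set for the mask,
    # e.g. 192.168.1.100 with 255.255.255.0 (a host address, not a network).
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
    return net, ipaddress.ip_address(gateway)

class Host:
    def __init__(self, ip, mask, default_gw):
        self.ip = ipaddress.ip_address(ip)
        self.connected = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        self.default_gw = ipaddress.ip_address(default_gw)
        self.static = []  # (network, gateway) pairs

    def add_route(self, dest, mask, gateway):
        self.static.append(parse_route(dest, mask, gateway))

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        if dst in self.connected:
            return "on-link"
        hits = [r for r in self.static if dst in r[0]]
        if hits:  # longest prefix wins
            return str(max(hits, key=lambda r: r[0].prefixlen)[1])
        return str(self.default_gw)

def ping_works(a, b, l3_a, l3_b):
    # The request must leave a via the L3 switch and the reply must come back
    # from b via the L3 switch; the switch does no NAT to hide a's address.
    return a.next_hop(b.ip) == l3_a and b.next_hop(a.ip) == l3_b

def demo():
    mask = "255.255.255.0"
    server = Host("192.168.0.99", mask, "192.168.0.1")
    bridge = Host("192.168.1.100", mask, "192.168.1.1")
    l3 = ("192.168.0.254", "192.168.1.254")  # L3 switch virtual interfaces
    out = {"no_routes": ping_works(server, bridge, *l3)}
    server.add_route("192.168.1.0", mask, l3[0])
    out["server_only"] = ping_works(server, bridge, *l3)
    out["reply_next_hop"] = bridge.next_hop(server.ip)  # still default gateway
    bridge.add_route("192.168.0.0", mask, l3[1])
    out["both"] = ping_works(server, bridge, *l3)
    return out

if __name__ == "__main__":
    print(demo())
```

With only the server-side route in place, the reply's next hop is the remote site's physical gateway (192.168.1.1), which has no path back to 192.168.0.0/24.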

Jace-99
Posts: 11
Joined: Sat Sep 25, 2021 9:00 am

Re: VPN lan to lan on same subnet

Post by Jace-99 » Tue Oct 19, 2021 9:10 am

The saga continues .....

I am now trying to set up an embedded device on the Server subnet. The static route added to the server PC needed to route traffic to the remote PC, cannot be applied at the router level unfortunately. It is a limitation of this domestic router and ISP provider. This is a problem for said embedded device. I can't set a static route for it. And while I can set the device's IP address and subnet mask, there is no setting for a gateway. ?? So setting its IP to 192.168.0.xxx , and connecting it to the local switch is enough to communicate on the local lan, it can not talk to the remote lan.

I could set the device to use DHCP but I am not sure this will help in this situation.

solo
Posts: 95
Joined: Sun Feb 14, 2021 10:31 am

Re: VPN lan to lan on same subnet

Post by solo » Tue Oct 19, 2021 11:43 pm

Yes, try DHCP.

In the DHCP server set default gateway to the L3 switch address and use MAC-to-IP address reservation for the device to ensure static IP if required.

Jace-99
Posts: 11
Joined: Sat Sep 25, 2021 9:00 am

Re: VPN lan to lan on same subnet

Post by Jace-99 » Wed Nov 03, 2021 7:29 pm

My solution in the end was to avoid static routes altogether and layer 3 switching by installing a second NIC in each SoftEther PC. NIC 1 (192.168.1.xx) connects to the router and outside world at each end. NIC 2 (20.20.20.xx) connects to the local LAN switch at each end, which bridges to a virtual hub appearing as one subnet (20.20.20.xx).

What I'm not sure about though, is if I need to open up certain ports in SoftEther server, do I need to do likewise at the internet router?
