Is possible to route all Softether Traffic by ip route and iptable command?

mjthelearner
Posts: 28
Joined: Fri Nov 25, 2022 6:08 am

Is possible to route all Softether Traffic by ip route and iptable command?

Post by mjthelearner » Fri Nov 25, 2022 10:53 am

Hi dear guys

I'm running Ubuntu and have a question about routing the SoftEther traffic to another gateway on the running OS.

Reachable OpenVPN client interface on the running server:
Interface name= tun0
gw=10.8.0.1
Local IP=10.8.0.120

Can I route all SoftEther server traffic through this connection using ip rule and iptables commands?


I have not seen any interface created by SoftEther Server in the ifconfig -a output.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by solo » Sat Nov 26, 2022 1:01 am

In other words you'd like to "Route all traffic from softether VPN server to Softether Client".

As you've already implemented the multi-hop VPN solution, let's modify it for the new task.

In the blocked country, set up the SE Server with a vHUB as follows:
- yes bridge to SoftEther's own soft tap_tap
- no SecureNAT
- no L3
- no VPN Azure
- yes IPsec/L2TP
- yes OpenVPN/MS-SSTP
- add VPN users

Connect your OpenVPN client on tun0 (gw=10.8.0.1, IP=10.8.0.120).
Next, the Linux/Ubuntu setup on the same PC/VM:

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

net.ipv4.ip_forward = 1

/lib/systemd/system/vpnserver.service
...
ExecStartPost=/sbin/ip addr add 192.168.9.1/24 brd + dev tap_tap
...

/etc/dnsmasq.conf
interface=tap_tap
dhcp-range=192.168.9.99,192.168.9.199,12h
dhcp-option=3,192.168.9.1
dhcp-option=6,1.1.1.1

iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o tun0 -j SNAT --to-source 10.8.0.120

apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4

Finally, something for the ultra-paranoid I mentioned before - SoftEther server in a blocked country may be indirectly detected unless the following vpn_server.config mod is applied:

	declare DDnsClient
	{
		bool Disabled true

	declare ServerConfiguration
	{
		bool DisableNatTraversal true

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by solo » Wed Nov 30, 2022 2:24 am

mjthelearner wrote:
Fri Nov 25, 2022 10:53 am
I'm running Ubuntu and have a question about routing the SoftEther traffic to another gateway on the running OS.
Any progress?

An addendum to the above setup. Instead of...
iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o tun0 -j SNAT --to-source 10.8.0.120
...in the context of a VPN Gate interconnection, it is easier to use...
iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o vpn_vpn -j MASQUERADE

                        SOFTETHER VPN SERVER AND CLIENT              
                               +-----+                    
                        +--<<<-| PC1 |<<<--+---------+---------+
                        |      +-----+     |         |         |
                        |                  |         |         |
                        |                  |         |         |
                ~ ~ ~ I ~ N ~ T ~ E ~ R ~ N ~ E ~ T ~ ~ ~ ~ ~ ~ ~ ~ ~
                        |                  |         |         |
                        |                  |         |         |
                        |                  |         |         |
                        |                  |         |         |
                        |                  |         |         |
                     +-----+            +-----+   +-----+   +-----+
                     | PC0 |            | PC2 |   | PC3 |   | PC4 |
                     +-----+            +-----+   +-----+   +-----+
PC0 - VPN Gate Server
PC1 - SoftEther VPN Server and Client on Ubuntu Server in a FIREWALLED/BLOCKED country
PC2 - OpenVPN test client
PC3/PC4/PCx/Android/iPhone/Mac - SoftEther, OpenVPN, MS-SSTP and IPsec/L2TP clients

PC1 log

netstat -tapn
...
tcp        0      0 10.0.2.15:33248         219.100.37.193:443      ESTABLISHED 
...

route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.245.254.254  0.0.0.0         UG    0      0        0 vpn_vpn
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s3
10.245.0.0      0.0.0.0         255.255.0.0     U     0      0        0 vpn_vpn
192.168.9.0     0.0.0.0         255.255.255.0   U     0      0        0 tap_tap
219.100.37.193  10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  10.245.254.254 (10.245.254.254)  269.346 ms  271.233 ms  275.009 ms
 2  gw2.vpngate.v4.open.ad.jp (219.100.37.253)  275.002 ms  274.985 ms  274.968 ms
 3  igp1.green.v4.open.ad.jp (202.222.12.190)  278.554 ms  278.548 ms  278.532 ms
 4  bgp4.openospf2.v4.open.ad.jp (202.222.12.41)  274.866 
 5  150.99.184.33 (150.99.184.33)  274.782 ms  285.923 ms  285.910 ms
 6  150.99.21.21 (150.99.21.21)  330.771 ms  428.453 ms  288.348 ms
 7  as13335.ix.jpix.ad.jp (210.171.224.134)  263.637 ms  263.496 ms  263.675 ms
 8  103.22.201.36 (103.22.201.36)  262.009 ms 172.68.116.2 (172.68.116.2)  266.443 ms  266.471 ms
 9  one.one.one.one (1.1.1.1)  266.304 ms  274.849 ms  279.456 ms

PC2 log

[OpenVPN connection]
PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.9.105 192.168.9.106,dhcp-option DNS 1.1.1.1,route-gateway 192.168.9.106,redirect-gateway def1'

C:\>tracert 1.1.1.1
Tracing route to one.one.one.one [1.1.1.1] over a maximum of 30 hops:
  1    10 ms    21 ms    10 ms  192.168.9.1
  2   274 ms   261 ms   258 ms  10.245.254.254
  3   279 ms   268 ms   258 ms  gw2.vpngate.v4.open.ad.jp [219.100.37.253]
  4   279 ms   263 ms   279 ms  igp1.green.v4.open.ad.jp [202.222.12.190]
  5   300 ms   333 ms   268 ms  bgp3.openospf1.v4.open.ad.jp [202.222.12.33]
  6   297 ms   283 ms   269 ms  150.99.184.33
  7   295 ms   311 ms   257 ms  150.99.21.21
  8   472 ms   300 ms   290 ms  as13335.ix.jpix.ad.jp [210.171.224.134]
  9   292 ms   271 ms   279 ms  103.22.201.36
 10   268 ms   268 ms   257 ms  one.one.one.one [1.1.1.1]
Trace complete.

mjthelearner
Posts: 28
Joined: Fri Nov 25, 2022 6:08 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by mjthelearner » Thu Dec 01, 2022 4:12 am

It doesn't work for me; I had to set up a new iptables configuration and route traffic through that. I'll update the instructions.

Because of my lack of networking knowledge, I have to sort the commands, then post them here.
I'll update this post with what I've done.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by solo » Thu Dec 15, 2022 10:42 pm

Update on the setup. Note that VPN Gate is the default gateway on the server which may or may not be desired so here is a policy-based routing variant:

/usr/local/vpnclient/vpncmd /CLIENT localhost /CMD AccountConnect public-vpn-185
dhclient vpn_vpn
ip route add default via 10.245.254.254 dev vpn_vpn table 99
ip rule add iif tap_tap table 99
iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o vpn_vpn -j MASQUERADE

PC1 log

ip route
default via 10.0.2.2 dev enp0s3
10.0.2.0/24 dev enp0s3  proto kernel  scope link  src 10.0.2.15
10.245.0.0/16 dev vpn_vpn  proto kernel  scope link  src 10.245.74.108
192.168.9.0/24 dev tap_tap  proto kernel  scope link  src 192.168.9.1

ip rule
0:      from all lookup local
32765:  from all iif tap_tap lookup 99
32766:  from all lookup main
32767:  from all lookup default

ip route show table 99
default via 10.245.254.254 dev vpn_vpn

PC2 log [Windows OpenVPN client to Linux SoftEther server connection]

C:\>tracert 8.8.8.8
Tracing route to dns.google [8.8.8.8] over a maximum of 30 hops:
  1    10 ms    11 ms    10 ms  192.168.9.1
  2   268 ms   257 ms   300 ms  10.245.254.254
  3   289 ms   300 ms   311 ms  gw2.vpngate.v4.open.ad.jp [219.100.37.253]
  4   301 ms   257 ms   269 ms  igp1.green.v4.open.ad.jp [202.222.12.190]
  5   282 ms   365 ms   451 ms  bgp3.openospf1.v4.open.ad.jp [202.222.12.33]
  6   528 ms   459 ms   300 ms  150.99.184.33
  7   644 ms   376 ms   323 ms  150.99.21.21
  8   333 ms   258 ms   261 ms  101.203.88.173
  9   279 ms   268 ms   268 ms  108.170.242.161
 10   546 ms   583 ms   566 ms  74.125.251.235
 11   297 ms   279 ms   268 ms  dns.google [8.8.8.8]
Trace complete.
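The two setups solo describes above (SNAT out of the OpenVPN interface in the first reply, and the table 99 policy-routing variant in the Dec 15 update) as one idempotent POSIX shell script. This is an added example, not code from the thread or from SoftEther; the interface names, gateway and subnet are the thread's sample values and are assumptions to override through the environment, and the check functions parse the same `ip rule`, `ip route show table` and `iptables -t nat -S` output shown in the logs so that re-running the script does not stack duplicate rules.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent policy-based routing for a
# SoftEther tap bridge, following the "table 99" variant above. Interface
# names, gateway and subnet are the thread's sample values (assumptions);
# override them via the environment. DRY_RUN=1 (default) only prints the
# commands it would run, so the changes can be reviewed before applying.
TAP_IF=${TAP_IF:-tap_tap}            # SE local bridge interface
OUT_IF=${OUT_IF:-vpn_vpn}            # upstream VPN client interface (or tun0)
OUT_GW=${OUT_GW:-10.245.254.254}     # gateway reachable via OUT_IF
VPN_NET=${VPN_NET:-192.168.9.0/24}   # subnet handed out on TAP_IF
TABLE=${TABLE:-99}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# has_iif_rule RULES IFACE TABLE -> 0 if `ip rule` output already contains
# "iif IFACE lookup TABLE" (so a re-run does not stack duplicate rules).
has_iif_rule() {
    printf '%s\n' "$1" |
        grep -Eq "iif[[:space:]]+$2[[:space:]]+lookup[[:space:]]+$3\$"
}

# has_default_via ROUTES GW IFACE -> 0 if `ip route show table N` output
# already has "default via GW dev IFACE".
has_default_via() {
    printf '%s\n' "$1" |
        grep -Eq "^default[[:space:]]+via[[:space:]]+$2[[:space:]]+dev[[:space:]]+$3"
}

# has_masq NAT NET IFACE -> 0 if `iptables -t nat -S POSTROUTING` output
# already holds the MASQUERADE rule for NET leaving through IFACE.
has_masq() {
    printf '%s\n' "$1" | grep -Fq -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# Apply only what is missing: forwarding, the per-table default route, the
# iif rule that sends tap traffic to that table, and the NAT rule.
apply_pbr() {
    rules=$(ip rule show 2>/dev/null || true)
    routes=$(ip route show table "$TABLE" 2>/dev/null || true)
    nat=$(iptables -t nat -S POSTROUTING 2>/dev/null || true)
    run sysctl -w net.ipv4.ip_forward=1
    has_default_via "$routes" "$OUT_GW" "$OUT_IF" ||
        run ip route add default via "$OUT_GW" dev "$OUT_IF" table "$TABLE"
    has_iif_rule "$rules" "$TAP_IF" "$TABLE" ||
        run ip rule add iif "$TAP_IF" table "$TABLE"
    has_masq "$nat" "$VPN_NET" "$OUT_IF" ||
        run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$OUT_IF" -j MASQUERADE
}

case "${1:-}" in apply) apply_pbr ;; esac
```

Run `DRY_RUN=1 sh pbr.sh apply` first to see the commands, then `DRY_RUN=0 sh pbr.sh apply` as root; with OUT_IF=tun0, OUT_GW=10.8.0.1 it reproduces the first reply's OpenVPN-hop layout instead.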

fa1rid
Posts: 8
Joined: Tue Feb 07, 2023 10:59 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by fa1rid » Tue Feb 07, 2023 11:02 am

Can I use the same method but with keeping SecureNAT?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by solo » Tue Feb 07, 2023 11:09 am

You can keep vDHCP but not vNAT.

fa1rid
Posts: 8
Joined: Tue Feb 07, 2023 10:59 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by fa1rid » Tue Feb 07, 2023 1:09 pm

I'm facing some issues and I need support please:

My setup is Debian with the following 3 items:

1- Docker container assigned ip 172.25.0.2 bridged with the host (172.25.0.1/16). Inside the container I have a Generic VPN Client connected and set as a default route. (ip forwarding and masquerade all, is already setup inside the container)

2- OpenConnect (ocserv) VPN Server (10.5.5.0/24) (clients routed through the docker container)
-ip rule add from 10.5.5.0/24 table vpn
-ip route add default via 172.25.0.2 proto static table vpn

This setup works perfectly for ocserv!

3- SE Server (trying to configure clients to be routed through the docker container, similar to how I did with ocserv)

I tried the following for SE server:

First attempt (partially failed):
- I disabled Virt.NAT and bridged the SE server directly with the docker container interface, and it was lagging a lot (even the internet inside the container became irregular). IP for the Virtual Hub: 172.25.0.1/16 (same as the docker host) and default gateway: 172.25.0.2 (docker container).

Second Attempt (failed):
- I created a tap device (tun_vpn) and disabled Virt.NAT, then added: "ip rule add from 192.168.30.0/24 table vpn"
I am able to ping 192.168.30.1 from the SE client but no reply from python http server listening on 0.0.0.0:8000
Internet is not working from clients.

What is the optimal solution in this case? To bridge SE directly with docker or to create Tun and then route it to docker, or any other method?

Thank you!

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by solo » Tue Feb 07, 2023 2:17 pm

fa1rid wrote:
Tue Feb 07, 2023 1:09 pm
Second Attempt (failed):
- I created a tap device (tun_vpn) and disabled Virt.NAT, then added: "ip rule add from 192.168.30.0/24 table vpn"
I am able to ping 192.168.30.1 from the SE client but no reply from...
Third Attempt (?)
...as above +

ExecStartPost=/bin/sleep 3
ExecStartPost=/sbin/ip addr add 192.168.30.2/24 brd + dev tun_vpn

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by shakibamoshiri » Tue Feb 07, 2023 2:45 pm

fa1rid wrote:
Tue Feb 07, 2023 11:02 am
Can I use the same method but with keeping SecureNAT?
What is your scenario?
Do you have a double-vpn and you have issue on hop-1 while using both
- ocserv
- SE server
inside a single docker container?

As @solo pointed out, if you use a "Local Bridge" you have two options:
1. vDHCP + local bridge
2. local bridge + dnsmasq as DHCP

and you assign an IP to your local bridge

ip addr add x.x.x.x/24 brd + dev tap_xxx

where
- x.x.x.x is an IP in your DHCP range (not used by users)
- tap_xxx is the soft interface created

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by shakibamoshiri » Tue Feb 07, 2023 2:56 pm

solo wrote:
Tue Feb 07, 2023 2:17 pm

Third Attempt (?)
...as above +

ExecStartPost=/bin/sleep 3
ExecStartPost=/sbin/ip addr add 192.168.30.2/24 brd + dev tun_vpn

I noticed that this will be confusing later:

192.168.30.2/24

To keep it simple, disabling vNAT but enabling vDHCP, I changed the vDHCP IP to 192.168.30.2 and the gateway to 192.168.30.1, then used

ip addr add 192.168.30.1/24 brd + dev tun_vpn

Usually gateways are selected from the first or last number.
If I am wrong please correct me.

fa1rid
Posts: 8
Joined: Tue Feb 07, 2023 10:59 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by fa1rid » Tue Feb 07, 2023 9:24 pm

Thank you so much guys, I realized that I was putting the same IP for Virtual Host in SecureNat and the tun device. It was 192.168.30.1 for both. I changed one of them to be …30.2 and now it works. Can you please clarify why they can't be the same?

So both methods now work (tun or direct bridge), but which one is better?
Two advantages of bridging directly to docker is that firstly I don't need to assign an IP (as I do to the tun device) every time I restart the vpn server. And secondly I don't need routing rules.

And regarding the DNS, how is it handled? Is it fine if I use the same gateway ip as DNS?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by solo » Tue Feb 07, 2023 9:28 pm

shakibamoshiri wrote:
Tue Feb 07, 2023 2:56 pm
I noticed that this will be confusing later
...
Usually gateways are selected from first or last number.
Yes, but by not altering the SecNAT defaults my replies are shorter ;-)

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by solo » Tue Feb 07, 2023 9:42 pm

fa1rid wrote:
Tue Feb 07, 2023 9:24 pm
...
Can you please clarify why they can't be the same?
...
So both methods now work (tun or direct bridge), but which one is better?
...
Is it fine if I use the same gateway ip as DNS?
- Layer 2 essential requirement
- tap allows server access via VPN
- yes

fa1rid
Posts: 8
Joined: Tue Feb 07, 2023 10:59 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by fa1rid » Wed Feb 08, 2023 5:02 pm

Regarding the DNS, I tried to set it the same as the gateway IP, but the internet didn't work.
I think I need to forward DNS traffic to the actual DNS set inside /etc/resolv.conf.
How do I do that dynamically, even if the DNS changes on the server while the client is connected?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by solo » Wed Feb 08, 2023 10:51 pm

fa1rid wrote:
Wed Feb 08, 2023 5:02 pm
How do I do that dynamically, even if the DNS changes on the server while the client is connected?
Off-topic here. Do the opposite of this request or just give them 1.1.1.1 and/or 8.8.8.8

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by a.saneie » Mon Feb 13, 2023 4:59 pm

solo wrote:
Thu Dec 15, 2022 10:42 pm
Update on the setup. Note that VPN Gate is the default gateway on the server which may or may not be desired so here is a policy-based routing variant:

/usr/local/vpnclient/vpncmd /CLIENT localhost /CMD AccountConnect public-vpn-185
dhclient vpn_vpn
ip route add default via 10.245.254.254 dev vpn_vpn table 99
ip rule add iif tap_tap table 99
iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o vpn_vpn -j MASQUERADE
I don't understand this part: where did vpn_vpn come from? And what do you mean by "/usr/local/vpnclient/vpncmd /CLIENT localhost /CMD AccountConnect public-vpn-185"? What should we do about it?

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by shakibamoshiri » Mon Feb 13, 2023 6:50 pm

a.saneie wrote:
Mon Feb 13, 2023 4:59 pm
I don't understand this part: where did vpn_vpn come from? And what do you mean by "/usr/local/vpnclient/vpncmd /CLIENT localhost /CMD AccountConnect public-vpn-185"? What should we do about it?
Please ask a new question and do not continue on this topic and provide enough details to discuss your issue
Thanks

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by a.saneie » Mon Feb 13, 2023 9:04 pm

shakibamoshiri wrote:
Mon Feb 13, 2023 6:50 pm
Please ask a new question and do not continue on this topic and provide enough details to discuss your issue
Thanks
I asked for clarification over the provided answer on the same topic that it was given.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Is possible to route all Softether Traffic by ip route and iptable command?

Post by solo » Mon Feb 13, 2023 10:12 pm

a.saneie wrote:
Mon Feb 13, 2023 4:59 pm
where did vpn_vpn come from?

and what do you mean by "/usr/local/vpnclient/vpncmd /CLIENT localhost /CMD AccountConnect public-vpn-185"

what should we do about it?
- from a connection of SE vpnclient
- a VPN Gate server account
- you replace these with your OVPN client connection
