SoftEther Server Configuration Questions

[brlathanjr]

1. Operating system name and the type of CPU-bits

Raspbian


2. The result of "ifconfig –a" (UNIX) or "ipconfig /all" (Windows)

eth0 Link encap:Ethernet HWaddr b8:27:eb:49:a3:49
inet addr:192.168.0.250 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1725553 errors:0 dropped:853 overruns:0 frame:0
TX packets:598284 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:238154002 (227.1 MiB) TX bytes:84535232 (80.6 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:15 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1164 (1.1 KiB) TX bytes:1164 (1.1 KiB)


3. The result of "uname –a" (UNIX) or "systeminfo" (Windows)

Linux LOCALHOST 3.10.25+ #622 PREEMPT Fri Jan 3 18:41:00 GMT 2014 armv6l GNU/Linux



4. The build number of SoftEther VPN

SoftEther version 4.05 Build 9423



5. Which SoftEther VPN component are you using?

SoftEther Server
SoftEther Client

6. Whether or not there is a NAT or Firewall between your VPN server and the Internet.
(If there is a NAT or Firewall, you should open a TCP port for the VPN listener.)
Yes a router firewall and NAT are being use

Port 443, 500, 4500 are opened

7. Are you using SecureNAT?

No


Questions

1. I was setting up a Virtual Hub and I wanted to know what settings need to be configured to allow no network access and only Internet Access for certain clients? I was wondering if it was possible?

2. In certain cases, like when I am at work, I would like to have LAN and VPN would I have to bridge the adapter in that case? In other cases I would like to have no LAN access how would I do this?

3. Is there a way that the iPhone and iPad can connect using SSL-VPN?

4. Also I have some other services that are running on my VPN server. I want to see if there was a way to access the other services on the VPN Server, because notice I can access the server through SSH or VNC.

Any assistance would be greatly appreciate. Thanks SoftEther for making a wonderful VPN software package.

Sincerely,

brlathanjr

[mesa57]

If you need internet access only for you're clients you need to configure Securenat on you're hub.

By using 2 virtula hubs you can setup one with SecureNat and one with a Local bridge configuration. Depending on to which hub you connect you get LAN access or not.

Use L2TP for Phones.

For using services you need to connect to the local bridged hub.

[brlathanjr]

Thanks, mesa57, I have a virtual hub with SecureNAT when log in remotely I am not able to access the internet throught the VPN. I am wondering if there is additional settings I need to make?

Also I have another virtal hub that is using a local bridge, but when I connect at work. I lose local LAN connectivity at work. I would like to maintain local LAN connectivity at work and no local LAN when at places like Starbuck's. Do I need to make another Virtual Hub to bridge my remote LAN to the local LAN? If so how to do that if I only using a computer as a client?

Thanks,

brlathanjr

[mesa57]

For SecureNat let the ip address of the client be assigned by SecureNat dhcp and specify gateway and dns server addresses on the securenat configuration.

For connection to the local bridge hub, use a different vpn adapter and set the metric on in ipv4 stack on automatic. It should then route to you're local network first. Check the route table after connection.

[brlathanjr]

Thanks mesa57! I followed the settings for the SecureNAT, but it still allows me to access LAN resources on my smartphone as well as to the Internet. I have been unsuccessful at disable the LAN network access.

I will test out the other Virtual Hub when I am at work tomorrow to see if I can maintain local LAN connectivity.

[mesa57]

Maybe you should look at the vpngate solution if you only want to allow internet access.

[brlathanjr]

It is just certain users I would like to have only internet access, then other users partial or full network access. Thanks for the suggestion I will look into vpngate.

[mesa57]

On a user level you can define access list.
For instance you could allow access to port 80, but deny all others.

[brlathanjr]

I had looked at the user level settings and I did not see any port blocking capabilities. Also if I allow the web services then still user are able to access LAN web services which I do not want.

[mesa57]

I did some testing and can confirm you're observations.
I am not sure, but it looks like softether server behaves different in this on windows than in Linux.

[brlathanjr]

YES!!!! I got it mesa!!!

Actually I did it two different ways!

I was able to set up a Virtual Hub with Internet only.

Also I was able to have a Virtual Hub with multiple user and give internet access to some user and then give internet access and LAN to others.

With both cases I had to set up rules in the Manage Access List.

Then only allow traffic to route to and from the router. Then deny access to receiving from computers in the subnet.

Here are examples of what I did
[attachment=2]Access List.jpg[/attachment]

[attachment=1]Rule 1.jpg[/attachment]

[attachment=0]Rule 2.jpg[/attachment]

The main differences with the hubs I had to setup a user group to handle the multiple user types.

Thanks for you assistance, Mesa!

[mesa57]

Nice ! Thank you for posting the solution !

[brlathanjr]

No problem! I figured I would share with you since it was your idea to block all port except 80 that gave me the idea to block all subnet address except for the router. TEAM WORK! TEAM WORK! ... LOL