Personal VPN setup - see attached topology

zerocool
Posts: 2
Joined: Wed Aug 06, 2014 9:08 am

Personal VPN setup - see attached topology

Post by zerocool » Wed Aug 06, 2014 4:18 pm

Hi everyone.

I recently rented a VPS server and set up SoftEther on it. I'm a Cisco Engineer, although I've only just started down this career, so my knowledge of VPNs is limited.

My purpose for this VPN is educational and I'll be using it for these reasons:

* To encrypt my internet traffic from home devices and when out - for example using public WiFi.
* To allow site to site connectivity between LAN devices in 'My House' and a 'Friends House'
* To connect to LAN devices in 'My House' and a 'Friends House' when in public wifi areas.

So the server is up and running. I have tested from my home network by applying VPN config to specific devices (phones, tablets etc.) on my home wifi. I can also connect from any other public location.

The next steps for me are to configure either a Cisco 1841 or ASA 5505 to have a permanent tunnel so I don't need to worry about securing each device in my home. I will look at doing this myself on the 1841 using tutorials on SoftEther site. Is it possible to do the same on a Cisco ASA? I would prefer this because of performance.

The reason for my post is for assistance in configuring the server.

1. Operating system name and the type of CPU-bits
14.04.1 LTS (GNU/Linux 3.13.0-24-generic x86_64)
1 Ghz CPU, 256 RAM on a VPS Server with 1 physical interface

2. The result of "ifconfig -a" (UNIX)
eth0 Link encap:Ethernet HWaddr 00:16:3e:75:8b:5a
inet addr:30.30.30.30 Bcast:<omitted> Mask:<omitted>
inet6 addr: <omitted> /64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:722074 errors:0 dropped:287 overruns:0 frame:0
TX packets:71727 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44304785 (44.3 MB) TX bytes:15515349 (15.5 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:53 errors:0 dropped:0 overruns:0 frame:0
TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:23730 (23.7 KB) TX bytes:23730 (23.7 KB)

3. The result of "uname -a" (UNIX)
root@shedether:~# uname -a
Linux shedether 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

4. The build number of SoftEther VPN
VPN Server/vpn>about
About command - Display the version information
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.08 Build 9449 (English)

5. Which SoftEther VPN component are you using?
VPNServer

6. Whether or not there is a NAT or Firewall between your VPN server and the Internet.
(If there is a NAT or Firewall, you should open a TCP port for the VPN listener.)
No NAT, no firewall

7. Are you using SecureNAT?
(If so, why don't you use the Local Bridge function instead?)
Can I use Local Bridge? There are no LAN resources I need to access on the Virtual Hub\SoftEther server network

8. Your current vpn_server.config or vpn_bridge.config file should be attached on the post.
Attached along with my network diagram.
Attachments: Visio SoftEther.PNG, 00000028_vpn_server.config.txt

So what I'm trying to achieve, looking at the diagram: I want to be able to access the media server at my friend's house and vice versa. I also want to be able to access either from public wifi spots, and also my IP camera.

While connected to the VPN all internet traffic should go via the Virtual Hub. (I'm looking at doing some Policy Based Routing on the 1841 to exclude certain types of traffic, but not asking for help on that)

Appreciate any and all replies, thanks.

qupfer
Posts: 202
Joined: Wed Jul 10, 2013 2:07 pm

Re: Personal VPN setup - see attached topology

Post by qupfer » Thu Aug 07, 2014 9:52 am

Hi,

I'm somewhat surprised about your IP. DoD? Seriously? ;-)

But as long as they are reachable from anywhere, why not.

Without reading the full text and only looking at your picture, I would recommend you do a local bridge to a tap device and do SNAT with iptables.

Good tutorials are:
07q.de/tut1 (basic SoftEther installation)
07q.de/tut2 (bridge and NAT)

With this "solution", all your clients will use the 30.30.30.30 IP and can reach all destinations which 30.30.30.30 can reach.
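The Linux side of the setup qupfer describes (local bridge to a tap device, then SNAT so every client leaves as 30.30.30.30), as an added example that is not from this thread or the linked tutorials. It assumes the tap device is named tap_soft, the client subnet 192.168.30.0/24 with the VPS at 192.168.30.1, that clients get addresses from a DHCP server on that subnet, and that "eth0" and 30.30.30.30 are taken from the original post; it prints the commands for review unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: emit (or, with APPLY=1 as root, run) the host-side commands
# for a SoftEther local bridge to a tap device plus iptables SNAT.
# Assumed SoftEther side, run in vpncmd beforehand (creates tap_soft):
#   Hub vpn
#   BridgeCreate vpn /DEVICE:soft /TAP:yes

# is_cidr: reject a malformed subnet before it reaches iptables
is_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# nat_rules TAP_IF WAN_IF VPN_NET TAP_ADDR WAN_ADDR
# Prints one command per line. Forwarding is default-deny: only traffic that
# really comes from the VPN subnet via the tap device may leave through the
# WAN interface, and only replies to it may come back.
nat_rules() {
    tap_if="$1"; wan_if="$2"; vpn_net="$3"; tap_addr="$4"; wan_addr="$5"
    is_cidr "$vpn_net" || { echo "bad VPN_NET: $vpn_net" >&2; return 1; }
    cat <<EOF
ip addr add $tap_addr dev $tap_if
ip link set $tap_if up
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $tap_if -o $wan_if -s $vpn_net -j ACCEPT
iptables -A FORWARD -i $wan_if -o $tap_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $vpn_net -o $wan_if -j SNAT --to-source $wan_addr
EOF
}

# run: dry-run by default; APPLY=1 executes each line (needs root)
run() {
    tap_if="${TAP_IF:-tap_soft}"; wan_if="${WAN_IF:-eth0}"
    vpn_net="${VPN_NET:-192.168.30.0/24}"
    tap_addr="${TAP_ADDR:-192.168.30.1/24}"; wan_addr="${WAN_ADDR:-30.30.30.30}"
    if [ "${APPLY:-0}" = "1" ]; then
        nat_rules "$tap_if" "$wan_if" "$vpn_net" "$tap_addr" "$wan_addr" |
            while IFS= read -r cmd; do $cmd || exit 1; done
    else
        nat_rules "$tap_if" "$wan_if" "$vpn_net" "$tap_addr" "$wan_addr"
    fi
}
```

Review the printed rules first, then apply; if a firewall already manages FORWARD, merge the three rules into it instead of setting the policy here.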

zerocool
Posts: 2
Joined: Wed Aug 06, 2014 9:08 am

Re: Personal VPN setup - see attached topology

Post by zerocool » Thu Aug 07, 2014 1:06 pm

qupfer, thanks for your reply. I will certainly have a go at this over the weekend. Long one for me as I have Friday and Monday off :D

BTW I changed the public IP to protect my VPS ;-) I'm not DOD. It does begin with a 3, but that's the only similarity. No issue with only having a single Ethernet adapter? I read in the guide that it is better to have two at the head end. Possibly I could have a word with my provider.

So I don't need to enable the virtual L3 switching?

Will post back with results. Thanks again.

qupfer
Posts: 202
Joined: Wed Jul 10, 2013 2:07 pm

Re: Personal VPN setup - see attached topology

Post by qupfer » Sat Aug 09, 2014 12:47 pm

zerocool wrote:
> I read in the guide that it is better to have two
> at the head end.

Better is relative ;)
If you only use your VPS as a "Gateway", a second ethernet adapter has no notable advantages. It's used to separate other services (like SAMBA) from the VPN traffic and make other services on the server available for VPN clients.
But because you are bridging to a (virtual) second adapter (the tap device), you can access other services hosted on the VPN server. So, in your case, a second adapter is useless.

> So I don't need to enable the virtual L3 switching?
I can't tell you, because I have no idea about your Cisco devices, but I would say no. But you may have to set some routes or re-assign your IPs for your local network. I think your "cisco-example" is a kind of LAN-to-LAN* and your Coffee Shop a Client-to-LAN*.
Maybe read this part of the manual too.
https://www.softether.org/4-docs/1-manu ... L2_Bridge)

*(your server side is a one-host-LAN)
