Problem to connect to the SoftEther VPN Server behind NAT

valgussev
Posts: 4
Joined: Fri Dec 05, 2014 2:04 pm

Problem to connect to the SoftEther VPN Server behind NAT

Post by valgussev » Fri Dec 05, 2014 2:40 pm

Hi, SoftEther,

I'm facing a connection problem with the SoftEther VPN Server behind NAT.
The SoftEther Version 4.12 Build 9514 is used.

Actually I have the following configuration:
1. macbook pro with SoftEther VPN Server behind NAT (Mac OS X 10.9)
2. digital ocean server with static IP with SoftEther VPN Client (CentOS 6.4 x64)
The configuration was made just for test purposes.

On the VPNserver side I've enabled VpnAzure:

```
VPN Server/VPN>VpnAzureGetStatus
VpnAzureGetStatus command - Show the current status of VPN Azure function
Item |Value
---------------------------------------------------+----------------------
VPN Azure Function is Enabled |Yes
Connection to VPN Azure Cloud Server is Established|Yes
Hostname of this VPN Server on VPN Azure Service |valgussev.vpnazure.net
The command completed successfully.

VPN Server/VPN>DynamicDnsGetStatus
DynamicDnsGetStatus command - Show the Current Status of Dynamic DNS Function
Item |Value
----------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------
Assigned Dynamic DNS Hostname (Full) |valgussev.softether.net
Assigned Dynamic DNS Hostname (Hostname)|valgussev
DNS Suffix |.softether.net
Global IPv4 Address |178.238.117.98
Global IPv6 Address |Connection to the server failed. Check network connection and make sure that address and port number of destination server are correct.
The command completed successfully.
```

On the VPNclient side I've connected to VPNserver:

```
VPN Client>AccountStatusGet myconnection
AccountStatusGet command - Get Current VPN Connection Setting Status
Item |Value
------------------------------------------+------------------------------------------
VPN Connection Setting Name |myconnection
Session Status |Connection Completed (Session Established)
VLAN ID |-
Server Name |valgussev.vpnazure.net
Port Number |TCP Port 443
Server Product Name |SoftEther VPN Server (64 bit)
Server Version |4.12
Server Build |Build 9514
Connection Started at |2014-12-05 (Fri) 08:53:27
First Session has been Established since |2014-12-05 (Fri) 08:53:33
Current Session has been Established since|2014-12-05 (Fri) 08:53:33
Number of Established Sessions |1 Times
Half Duplex TCP Connection Mode |No (Full Duplex Mode)
VoIP / QoS Function |Enabled
Number of TCP Connections |2
Maximum Number of TCP Connections |2
Encryption |Enabled (Algorithm: RC4-MD5)
Use of Compression |No (No Compression)
Physical Underlay Protocol |TCP/IP via VPN Azure (IPv4)
UDP Acceleration is Supported |Yes
UDP Acceleration is Active |Yes
Session Name |SID-TEST-2
Connection Name |CID-2
Session Key (160 bit) |1113E2059CE3FD650ABA5593EB3A3CEFC5C2F56F
Bridge / Router Mode |No
Monitoring Mode |No
Outgoing Data Size |14,206 bytes
Incoming Data Size |14,331 bytes
Outgoing Unicast Packets |50 packets
Outgoing Unicast Total Size |4,140 bytes
Outgoing Broadcast Packets |6 packets
Outgoing Broadcast Total Size |468 bytes
Incoming Unicast Packets |20 packets
Incoming Unicast Total Size |1,720 bytes
Incoming Broadcast Packets |42 packets
Incoming Broadcast Total Size |2,562 bytes
The command completed successfully.
```

SecureNAT is enabled.
Configuration files are attached.
Remote login is enabled on my Mac: `ssh valgussev@192.168.1.51`

Ping is OK:

```
[root@webtest ~]# ping valgussev.vpnazure.net
PING valgussev.vpnazure.net (130.158.6.125) 56(84) bytes of data.
64 bytes from 130.158.6.125: icmp_seq=1 ttl=49 time=291 ms
```

Telnet on 443 is OK:

```
[root@webtest ~]# telnet valgussev.vpnazure.net 443
Trying 130.158.6.125...
Connected to valgussev.vpnazure.net.
Escape character is '^]'.
```

So if the VPNclient is connected to VPNserver it should be possible to connect to my macbook pro from the digital ocean server using ssh valgussev@192.168.1.51, unfortunately this private IP is unreachable.

Could you please suggest what I am doing wrong?

valgussev
Posts: 4
Joined: Fri Dec 05, 2014 2:04 pm

Re: Problem to connect to the SoftEther VPN Server behind NA

Post by valgussev » Sun Dec 07, 2014 11:05 am

anybody?

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: Problem to connect to the SoftEther VPN Server behind NA

Post by dajhorn » Mon Dec 08, 2014 6:59 pm

> So if the VPNclient is connected to VPNserver it should be possible to connect to my macbook pro from the digital ocean server using ssh valgussev@192.168.1.51, unfortunately this private IP is unreachable.

Check whether the Linux computer has a tap interface with an IP address in 192.168.1.0/24 after it starts a SoftEther VPN session. Also run `route -n` or `ip route` and check that there is a line for 192.168.1.0/24.

If not, then the SoftEther virtual hub that backs the VPN session must be bridged into a new tap interface that is configured for DHCP.

Note that bridging eth0 in the virtual machine probably won't work. A separate tap device is often required in a VPS.

valgussev
Posts: 4
Joined: Fri Dec 05, 2014 2:04 pm

Re: Problem to connect to the SoftEther VPN Server behind NA

Post by valgussev » Mon Dec 08, 2014 7:12 pm

dajhorn wrote:
> Check whether the Linux computer has a tap interface with an IP address in
> 192.168.1.0/24 after it starts a SoftEther VPN session. Also run `route -n` or `ip
> route` and check that there is a line for 192.168.1.0/24.

`ifconfig -a` shows me the following:

```
vpn_myadapter Link encap:Ethernet HWaddr 00:AC:1B:3E:08:48
inet6 addr: fe80::2ac:1bff:fe3e:848/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
```

So you are right, there is no IP address.

> If not, then the SoftEther virtual hub that backs the VPN session must be bridged
> into a new tap interface that is configured for DHCP.
>
> Note that bridging eth0 in the virtual machine probably won't work. A separate tap
> device is often required in a VPS.

alright, I will try it

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: Problem to connect to the SoftEther VPN Server behind NA

Post by dajhorn » Mon Dec 08, 2014 7:23 pm

Is 192.168.1.51 on the Mac OS X server assigned statically or by DHCP?

SoftEther does not completely plumb the VPN interface on all Linux distributions. Depending on the server configuration, setting a static address or running `dhclient vpn_myadapter` might resolve the problem.

valgussev
Posts: 4
Joined: Fri Dec 05, 2014 2:04 pm

Re: Problem to connect to the SoftEther VPN Server behind NA

Post by valgussev » Tue Dec 09, 2014 9:45 am

dajhorn wrote:
> Is 192.168.1.51 on the Mac OS X server assigned statically or by DHCP?

This is my private network address and it changes on every start, so it is assigned by DHCP.

>
> SoftEther does not completely plumb the VPN interface on all Linux
> distributions. Depending on the server configuration, setting a static
> address or running `dhclient vpn_myadapter` might resolve the problem.

Running `dhclient vpn_myadapter` on the Digital Ocean VPS takes away SSH access to the server.

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: Problem to connect to the SoftEther VPN Server behind NA

Post by dajhorn » Tue Dec 09, 2014 4:07 pm

> Running `dhclient vpn_myadapter` on the Digital Ocean VPS takes away SSH access to the server.

This could be happening because `dhclient` is changing the default gateway. This also means that the SoftEther session is probably connected.

The next step is to create a permanent configuration for the `vpn_myadapter` interface. On most RPM systems, the configuration goes in /etc/sysconfig/network-scripts. On most DEB systems, the configuration goes in /etc/network/interfaces.

Set something like this with a metric higher than the default route:

```
# /etc/network/interfaces (DEB systems)
allow-hotplug vpn_myadapter
iface vpn_myadapter inet dhcp
    metric 400
```

Depending on your needs, a static IP address for vpn_myadapter would be just as good.
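
The checks suggested in this thread (an IPv4 address on `vpn_myadapter`, a route for 192.168.1.0/24, and a default route that has not moved onto the VPN adapter) can be scripted as follows. This is an added example, not part of the original posts or of SoftEther; the function names, verdict strings and all sample addresses are constructed for illustration.

```shell
# Added example: classify the VPN adapter state from `ip` output (names are hypothetical).
IFACE="vpn_myadapter"     # adapter name from the thread
LAN_NET="192.168.1.0/24"  # remote LAN from the thread
LAN_PREFIX="192.168.1."   # string prefix of LAN_NET, enough for a /24

# stdin: `ip -4 -o addr show`. True if IFACE holds an IPv4 address in the LAN.
has_lan_ipv4() {
    awk -v ifc="$IFACE" -v pfx="$LAN_PREFIX" \
        '$2 == ifc && $3 == "inet" && index($4, pfx) == 1 { ok = 1 } END { exit !ok }'
}
# stdin: `ip route`. True if LAN_NET is routed through IFACE.
has_lan_route() {
    awk -v ifc="$IFACE" -v net="$LAN_NET" '$1 == net {
        for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == ifc) ok = 1
    } END { exit !ok }'
}
# stdin: `ip route`. Prints the device of the lowest-metric default route.
preferred_default_dev() {
    awk '$1 == "default" {
        dev = ""; metric = 0
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if (!seen || metric < best) { seen = 1; best = metric; bestdev = dev }
    } END { print bestdev }'
}
# $1: `ip -4 -o addr show` text, $2: `ip route` text. Prints one verdict.
diagnose() {
    if ! printf '%s\n' "$1" | has_lan_ipv4; then echo "no-ipv4"; return 0; fi
    if ! printf '%s\n' "$2" | has_lan_route; then echo "no-route"; return 0; fi
    if [ "$(printf '%s\n' "$2" | preferred_default_dev)" = "$IFACE" ]; then
        echo "default-via-vpn"; return 0   # the state that cut off SSH
    fi
    echo "ok"
}

# Constructed samples (203.0.113.0/24 is a documentation range).
ADDR_NONE='2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0'
ADDR_VPN="$ADDR_NONE
3: vpn_myadapter    inet 192.168.1.77/24 brd 192.168.1.255 scope global vpn_myadapter"
ROUTE_NONE='default via 203.0.113.1 dev eth0'
ROUTE_HIJACKED='192.168.1.0/24 dev vpn_myadapter proto kernel scope link src 192.168.1.77
default via 192.168.1.1 dev vpn_myadapter'
ROUTE_METRIC="$ROUTE_NONE
192.168.1.0/24 dev vpn_myadapter proto kernel scope link src 192.168.1.77
default via 192.168.1.1 dev vpn_myadapter metric 400"
```

On a live host, feed it real output with `diagnose "$(ip -4 -o addr show)" "$(ip route)"`, ideally from a console session rather than over the SSH connection being tested.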
