Setup Wifi VPN With Full LAN Connectivity?
Posted: Sun Aug 16, 2015 2:39 am
by YoungPhoenix09
I have a macbook pro that I am trying to set up SoftEther VPN on as a proof of concept. I'm planning to create a user interface for OS X and Linux if I can get this to work (just as a little side project). My macbook is connected to my internet router (my LAN) via wifi. My goal is to create a VPN where all connecting clients can communicate with any device connected to my LAN, and vice versa. I understand that local bridging is not exactly functional over wifi so I've experimented with SecureNAT as well to no avail. I've tried MANY configurations with both local bridging AND SecureNAT (I've been looking into this for months now), and the closest I've gotten is being able to connect to the VPN and ping the virtual host from the connecting device. When my macbook is connected via ethernet cable to the router and I fire up the vpn server, my client can connect and ping all LAN devices but none of the LAN devices can ping the client. What I've also noticed is that in either case, the mac address of the clients and the virtual host of the VPN hub show up in the list of connected devices on my router, so I feel as if I've been getting close! I just can't ping anything. Can anybody give me a walkthrough as to how I can make this configuration work where all devices, LAN and client, can see each other? I want to be able to make this work whether the VPN server is connected to a LAN via ethernet OR wifi. If I can't do both and still have full connectivity between all devices, I find it very limiting. Correct me if I'm wrong, but I don't think OpenVPN has that kind of limitation. I find this software much easier to configure, and OpenVPN much more cumbersome (still never got that setup to work properly), so I'd rather use this if the flexibility is there. Really appreciate anybody willing to help!
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Sun Aug 16, 2015 2:44 am
by kh_tsang
If the clients can ping the LAN devices, the local bridge is configured properly because traffic in both directions is working.
I think you can check the OS and firewall configurations. Some operating systems do not respond to ping by default, such as Fedora.
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Sun Aug 16, 2015 5:01 pm
by YoungPhoenix09
I greatly appreciate you replying. So what's happening is my clients can't ping the LAN devices. The server is able to see all the LAN devices, but any client that connects to the server can only ping the server's virtual host. Internet connectivity is also lost for the clients.
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Mon Aug 17, 2015 4:35 am
by kh_tsang
Local bridge on wireless LAN may not work.
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Mon Aug 17, 2015 4:56 am
by YoungPhoenix09
Right, I understand that. My question is whether or not it is possible to create a VPN using SecureNAT and still have full connectivity between the LAN and the clients. In any configuration I've created, the closest I came was the client being able to connect to LAN devices but the LAN devices could not connect to the client. If it's possible to make full connectivity between LAN and clients using SecureNAT, that is the understanding I am trying to get to.
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Mon Aug 17, 2015 8:50 am
by kh_tsang
Please do the routing with your own OS; there is no need for NAT.
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Mon Aug 17, 2015 1:17 pm
by YoungPhoenix09
Help me to understand please. As far as I know, to establish a connection from the client I have to use SecureNAT if not using local bridge (which doesn't work well with wifi), so are you saying not to use the NAT function and just use DHCP for the connection? Would I then need to route the LAN devices to the virtual hub's host for them to communicate with client connections?
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Mon Aug 17, 2015 4:57 pm
by kh_tsang
Yes, just use the DHCP. However, the routing is done by your own OS. Make sure you configure the static routes properly on your router as well.
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Mon Aug 17, 2015 5:49 pm
by YoungPhoenix09
Okay, so when setting up the routes what is supposed to be the gateway for the VPN network? Is it the IP of the virtual hub host or the IP of the server hosting SoftEther VPN? Do I need to push a route for the LAN to the clients as well?
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Thu Aug 20, 2015 3:57 pm
by YoungPhoenix09
Anybody have an answer?
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Fri Aug 21, 2015 1:49 am
by kh_tsang
The default route of the clients should be pointing at the VPN Server. The default route of the VPN Server should be pointing at the router. The router should have a static route pointing the subnet which is used in the virtual hub to the VPN Server.
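One way to lay out the three routes described in this reply for a Linux VPN server, as an added example that is not part of the thread: clients get their default route from the hub gateway, the server forwards and points its default route at the router, and the router carries one static route for the hub subnet. The addresses 10.5.23.0/24, 10.5.23.1 and 10.5.23.3 are from the thread; the hub subnet 10.5.24.0/24, its gateway 10.5.24.1 and the tap interface name tap_vpn are assumptions, chosen so the hub subnet does not overlap the LAN.

```shell
#!/bin/sh
# Added example, not from the thread. Plans the NAT-free routed layout:
# client default route -> hub gateway, server default route -> LAN router,
# router static route for the hub subnet -> server's LAN address.
# Thread values: LAN 10.5.23.0/24, router 10.5.23.1, server 10.5.23.3.
# Assumed: hub subnet 10.5.24.0/24, hub gateway 10.5.24.1 on a Linux tap
# interface named tap_vpn (a SoftEther tap bridge on the server).

ip2int() {  # dotted quad -> 32-bit integer
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_overlaps A/len B/len: succeeds when the two prefixes share any address.
net_overlaps() {
  a=$(ip2int "${1%/*}"); alen=${1#*/}
  b=$(ip2int "${2%/*}"); blen=${2#*/}
  len=$alen; [ "$blen" -lt "$len" ] && len=$blen
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# route_plan LAN_NET ROUTER SERVER_LAN_IP HUB_NET HUB_GW
# Prints the commands for each box; nothing is executed, so the plan can be
# reviewed before it is pasted into a root shell on each machine.
route_plan() {
  if net_overlaps "$1" "$4"; then
    echo "error: hub subnet $4 overlaps LAN $1; a static route needs distinct subnets" >&2
    return 1
  fi
  cat <<EOF
# VPN server (Linux): own an address on the hub subnet and forward packets
sysctl -w net.ipv4.ip_forward=1
ip addr add $5/${4#*/} dev tap_vpn
ip route replace default via $2
# LAN router: send the hub subnet to the VPN server's LAN address
ip route add $4 via $3
# clients: the virtual DHCP server hands out gateway $5
# (DhcpGatewayAddress $5, with NatEnabled false in the SecureNAT settings)
EOF
}

route_plan 10.5.23.0/24 10.5.23.1 10.5.23.3 10.5.24.0/24 10.5.24.1
```

Running the plan with a hub subnet taken from inside the LAN (for example 10.5.23.64/28) is rejected, since the router could not distinguish that range from directly connected LAN hosts.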
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Fri Aug 21, 2015 12:07 pm
by YoungPhoenix09
kh_tsang wrote:
> The default route of the clients should be pointing at the VPN Server.
I need clarification of terms. Which IP should the clients be looking at? The IP of the physical server hosting SoftEther VPN or the IP of the virtual host? And we are talking about STRICTLY private IP addresses right?
kh_tsang wrote:
> The default route of the VPN Server should be pointing at the router.
Again, are we talking about the physical server or the virtual host? As far as I know, there is no command for setting a gateway of the virtual host.
I decided to post my configuration file so you can see where I'm at and what I may need to change. My network router address is 10.5.23.1 and my server's address is 10.5.23.3, all with a 255.255.255.0 subnet mask. All ports for the VPN listeners are open. Please be very specific so I can understand exactly what you are suggesting and what addresses I should be pointing things to.
Thanks!
# Software Configuration File
# ---------------------------
#
# You may edit this file when the VPN Server / Client / Bridge program is not running.
#
# In prior to edit this file manually by your text editor,
# shutdown the VPN Server / Client / Bridge background service.
# Otherwise, all changes will be lost.
#
declare root
{
uint ConfigRevision 280
bool IPsecMessageDisplayed false
string Region US
bool VgsMessageDisplayed false
declare DDnsClient
{
bool Disabled false
byte Key 8LvKA3tbNSXr2YlwKu84h9cuYUg=
string LocalHostname jonathan-paynes-macbook-pro
string ProxyHostName $
uint ProxyPort 0
uint ProxyType 0
string ProxyUsername $
}
declare IPsec
{
bool EtherIP_IPsec true
string IPsec_Secret payne
string L2TP_DefaultHub ENTRY
bool L2TP_IPsec true
bool L2TP_Raw true
declare EtherIP_IDSettingsList
{
}
}
declare ListenerList
{
declare Listener0
{
bool DisableDos false
bool Enabled true
uint Port 443
}
declare Listener1
{
bool DisableDos false
bool Enabled true
uint Port 992
}
declare Listener2
{
bool DisableDos false
bool Enabled true
uint Port 1194
}
declare Listener3
{
bool DisableDos false
bool Enabled true
uint Port 5555
}
}
declare LocalBridgeList
{
}
declare ServerConfiguration
{
bool AcceptOnlyTls false
uint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
uint AutoDeleteCheckIntervalSecs 300
uint AutoSaveConfigSpan 300
bool BackupConfigOnlyWhenModified true
string CipherName RC4-MD5
uint CurrentBuild 9562
bool DisableCoreDumpOnUnix false
bool DisableDeadLockCheck false
bool DisableDosProction false
bool DisableGetHostNameWhenAcceptTcp false
bool DisableIntelAesAcceleration false
bool DisableIPv6Listener false
bool DisableNatTraversal false
bool DisableOpenVPNServer false
bool DisableSessionReconnect false
bool DisableSSTPServer false
bool DontBackupConfig false
bool EnableVpnAzure false
bool EnableVpnOverDns false
bool EnableVpnOverIcmp false
byte HashedPassword +WzqGYrR3VYXrAhKPZLGEHcIwO8=
string KeepConnectHost keepalive.softether.org
uint KeepConnectInterval 50
uint KeepConnectPort 80
uint KeepConnectProtocol 1
uint64 LoggerMaxLogSize 1073741823
uint MaxConcurrentDnsClientThreads 512
uint MaxConnectionsPerIP 256
uint MaxUnestablishedConnections 1000
bool NoHighPriorityProcess false
bool NoSendSignature false
string OpenVPNDefaultClientOption dev-type$20tun,link-mtu$201500,tun-mtu$201500,cipher$20AES-128-CBC,auth$20SHA1,keysize$20128,key-method$202,tls-client
string OpenVPN_UdpPortList 1194
bool SaveDebugLog false
uint ServerLogSwitchType 4
uint ServerType 0
bool UseKeepConnect true
bool UseWebTimePage false
bool UseWebUI false
declare GlobalParams
{
uint FIFO_BUDGET 10240000
uint HUB_ARP_SEND_INTERVAL 5000
uint IP_TABLE_EXPIRE_TIME 60000
uint IP_TABLE_EXPIRE_TIME_DHCP 300000
uint MAC_TABLE_EXPIRE_TIME 600000
uint MAX_BUFFERING_PACKET_SIZE 2560000
uint MAX_HUB_LINKS 1024
uint MAX_IP_TABLES 65536
uint MAX_MAC_TABLES 65536
uint MAX_SEND_SOCKET_QUEUE_NUM 128
uint MAX_SEND_SOCKET_QUEUE_SIZE 2560000
uint MAX_STORED_QUEUE_NUM 1024
uint MEM_FIFO_REALLOC_MEM_SIZE 655360
uint MIN_SEND_SOCKET_QUEUE_SIZE 320000
uint QUEUE_BUDGET 2048
uint SELECT_TIME 256
uint SELECT_TIME_FOR_NAT 30
uint STORM_CHECK_SPAN 500
uint STORM_DISCARD_VALUE_END 1024
uint STORM_DISCARD_VALUE_START 3
}
declare ServerTraffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 40303770791
uint64 BroadcastCount 138239443
uint64 UnicastBytes 32466297118
uint64 UnicastCount 51966880
}
declare SendTraffic
{
uint64 BroadcastBytes 47607988287
uint64 BroadcastCount 165018330
uint64 UnicastBytes 881718976
uint64 UnicastCount 7212825
}
}
declare SyslogSettings
{
string HostName $
uint Port 0
uint SaveType 0
}
}
declare VirtualHUB
{
declare ENTRY
{
uint64 CreatedTime 1439562511235
byte HashedPassword 53PBrUWUrGSQzU6jU7HyPpMlHNM=
uint64 LastCommTime 1440125739400
uint64 LastLoginTime 1440103141613
uint NumLogin 41
bool Online true
uint RadiusRetryInterval 0
uint RadiusServerPort 1812
string RadiusSuffixFilter $
byte SecurePassword Hz2Rr/B/LTCTzmUx74wsZtfZU5Y=
uint Type 0
declare AccessList
{
}
declare AdminOption
{
uint allow_hub_admin_change_option 0
uint deny_bridge 0
uint deny_change_user_password 0
uint deny_empty_password 0
uint deny_hub_admin_change_ext_option 0
uint deny_qos 0
uint deny_routing 0
uint max_accesslists 0
uint max_bitrates_download 0
uint max_bitrates_upload 0
uint max_groups 0
uint max_multilogins_per_user 0
uint max_sessions 0
uint max_sessions_bridge 0
uint max_sessions_client 0
uint max_sessions_client_bridge_apply 0
uint max_users 0
uint no_access_list_include_file 0
uint no_cascade 0
uint no_change_access_control_list 0
uint no_change_access_list 0
uint no_change_admin_password 0
uint no_change_cert_list 0
uint no_change_crl_list 0
uint no_change_groups 0
uint no_change_log_config 0
uint no_change_log_switch_type 0
uint no_change_msg 0
uint no_change_users 0
uint no_delay_jitter_packet_loss 0
uint no_delete_iptable 0
uint no_delete_mactable 0
uint no_disconnect_session 0
uint no_enum_session 0
uint no_offline 0
uint no_online 0
uint no_query_session 0
uint no_read_log_file 0
uint no_securenat 0
uint no_securenat_enabledhcp 0
uint no_securenat_enablenat 0
}
declare CascadeList
{
}
declare LogSetting
{
uint PacketLogSwitchType 4
uint PACKET_LOG_ARP 1
uint PACKET_LOG_DHCP 1
uint PACKET_LOG_ETHERNET 2
uint PACKET_LOG_ICMP 2
uint PACKET_LOG_IP 1
uint PACKET_LOG_TCP 1
uint PACKET_LOG_TCP_CONN 1
uint PACKET_LOG_UDP 0
bool SavePacketLog true
bool SaveSecurityLog true
uint SecurityLogSwitchType 4
}
declare Message
{
}
declare Option
{
uint AccessListIncludeFileCacheLifetime 30
uint AdjustTcpMssValue 0
bool ApplyIPv4AccessListOnArpPacket false
bool AssignVLanIdByRadiusAttribute false
bool BroadcastLimiterStrictMode false
uint BroadcastStormDetectionThreshold 0
uint ClientMinimumRequiredBuild 0
uint DetectDormantSessionInterval 0
bool DisableAdjustTcpMss false
bool DisableCheckMacOnLocalBridge false
bool DisableCorrectIpOffloadChecksum false
bool DisableHttpParsing false
bool DisableIPParsing false
bool DisableKernelModeSecureNAT false
bool DisableUdpAcceleration false
bool DisableUdpFilterForLocalBridgeNic false
bool DisableUserModeSecureNAT false
bool DoNotSaveHeavySecurityLogs false
bool DropArpInPrivacyFilterMode true
bool DropBroadcastsInPrivacyFilterMode true
bool FilterBPDU false
bool FilterIPv4 false
bool FilterIPv6 false
bool FilterNonIP false
bool FilterOSPF false
bool FilterPPPoE false
uint FloodingSendQueueBufferQuota 33554432
bool ManageOnlyLocalUnicastIPv6 true
bool ManageOnlyPrivateIP true
uint MaxLoggedPacketsPerMinute 0
uint MaxSession 0
bool NoArpPolling false
bool NoDhcpPacketLogOutsideHub true
bool NoEnum false
bool NoIpTable false
bool NoIPv4PacketLog false
bool NoIPv6AddrPolling false
bool NoIPv6DefaultRouterInRAWhenIPv6 true
bool NoIPv6PacketLog false
bool NoLookBPDUBridgeId false
bool NoMacAddressLog true
bool NoManageVlanId false
bool NoPhysicalIPOnPacketLog false
bool NoSpinLockForPacketDelay false
bool RemoveDefGwOnDhcpForLocalhost true
uint RequiredClientId 0
uint SecureNAT_MaxDnsSessionsPerIp 0
uint SecureNAT_MaxIcmpSessionsPerIp 0
uint SecureNAT_MaxTcpSessionsPerIp 0
uint SecureNAT_MaxTcpSynSentPerIp 0
uint SecureNAT_MaxUdpSessionsPerIp 0
bool SecureNAT_RandomizeAssignIp false
bool SuppressClientUpdateNotification false
string VlanTypeId 0x8100
bool YieldAfterStorePacket false
}
declare SecureNAT
{
bool Disabled false
bool SaveLog true
declare VirtualDhcpServer
{
string DhcpDnsServerAddress 10.5.23.50
string DhcpDnsServerAddress2 8.8.8.8
string DhcpDomainName $
bool DhcpEnabled true
uint DhcpExpireTimeSpan 7200
string DhcpGatewayAddress 10.5.23.50
string DhcpLeaseIPEnd 10.5.23.80
string DhcpLeaseIPStart 10.5.23.70
string DhcpPushRoutes $
string DhcpSubnetMask 255.255.255.0
}
declare VirtualHost
{
string VirtualHostIp 10.5.23.50
string VirtualHostIpSubnetMask 255.255.255.0
string VirtualHostMacAddress 00-AC-D5-D6-9E-5C
}
declare VirtualRouter
{
bool NatEnabled false
uint NatMtu 1500
uint NatTcpTimeout 1800
uint NatUdpTimeout 60
}
}
declare SecurityAccountDatabase
{
declare CertList
{
}
declare CrlList
{
}
declare GroupList
{
}
declare IPAccessControlList
{
}
declare UserList
{
declare jpayne
{
byte AuthNtLmSecureHash MhSkRCnRnN/dTQYHf02o4A==
byte AuthPassword Pgbx+fsfl148OL1R+bCW+yNK5VY=
uint AuthType 1
uint64 CreatedTime 1439562765495
uint64 ExpireTime 0
uint64 LastLoginTime 1440103141613
string Note $
uint NumLogin 41
string RealName Jonathan$20Payne
uint64 UpdatedTime 1439562778255
declare Traffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 5208127
uint64 BroadcastCount 29298
uint64 UnicastBytes 205065
uint64 UnicastCount 4136
}
declare SendTraffic
{
uint64 BroadcastBytes 92520
uint64 BroadcastCount 1302
uint64 UnicastBytes 1902109
uint64 UnicastCount 24659
}
}
}
}
}
declare Traffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 80357683
uint64 BroadcastCount 500763
uint64 UnicastBytes 4757189789
uint64 UnicastCount 6458401
}
declare SendTraffic
{
uint64 BroadcastBytes 78173476
uint64 BroadcastCount 415948
uint64 UnicastBytes 15303665
uint64 UnicastCount 312047
}
}
}
}
declare VirtualLayer3SwitchList
{
}
}
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Fri Aug 21, 2015 12:57 pm
by kh_tsang
I use Linux as an example.
Re: Setup Wifi VPN With Full LAN Connectivity?
Posted: Thu Sep 03, 2015 7:20 am
by thisjun
You can't create a local bridge to a tap device on Mac OS.
Promiscuous mode is not supported on WiFi.