Site to Site VPN with NAT for site's systems

Stefan A.
Posts: 2
Joined: Thu Oct 10, 2019 10:29 am


Post by Stefan A. » Thu Oct 10, 2019 11:13 am

I love this project and it's flexibility. Thank You!

But I'm new to SoftEther and currently using OpenVPN with SOCAT, which drives me crazy...


I have a system at a central location which must communicate with systems at several remote locations... bidirectionally.
My remote locations are behind ISPs' NAT routers and my central system has a public IP address.
Remote locations must not communicate with each other.
The central system is Linux based, the remote locations' systems are Linux too, but the remote's SE client may be Windows or Linux.

I think I could get this running by following the tutorials.
... but:

Challenge A) Systems at different remote locations have similar IP address spaces.
Challenge B) Systems at remote locations are only allowed to communicate with IP addresses assigned by the remote site's local admin. Luckily, this admin is friendly and will configure the routing for these particular addresses to the remote's SE client's internal IP address.


My envisioned setup for discussion:

Thesis:
Central site must address all remote systems using virtual IP addresses to overcome the duplicates among the remote locations.

IPs Central site:
Public IP e.g. 166.12.1.100
Internal IP address, where the packets will be sent from: 10.255.1.10

IPs Remote A:
System_1: 10.1.1.20 (virtual 2.0.0.2)
System_2: 10.1.1.30 (virtual 2.0.0.3)
SE Client: 10.1.1.10
Central System's virtual IP 144.17.1.22
Host routing on System_1 and _2: "144.17.1.22 mask 255.255.255.255 gateway 10.1.1.10"

IPs Remote B:
System_1: 10.1.1.20 (virtual 3.0.0.2)
System_2: 10.1.1.30 (virtual 3.0.0.3)
SE Client: 10.1.1.10
Central System's virtual IP 14.45.65.3
Host routing on System_1 and _2: "14.45.65.3 mask 255.255.255.255 gateway 10.1.1.10"
[Attachment: ActiveProbeNAT01.png]
I'm building a static pool of mappings from the remote systems' real addresses to virtual addresses.
I think I need to NAT on the SE client to allow virtual IP addresses for their related remote systems, as well as to allow the remote systems to address the central system using a locally defined (virtual) IP address.


The NAT process must act like this:
Packets from central to remote
--> SRC 10.255.1.10 DST 2.0.0.2
--> Routing: packet to be forwarded to the SE client on Remote A (host routing to the remote system's virtual IP address)
--> on the SE client at Remote A: NAT SRC 10.255.1.10 DST 2.0.0.2 into SRC 144.17.1.22 DST 10.1.1.20
Packets from remote to central
<-- SRC 10.1.1.20 DST 144.17.1.22
<-- NAT SRC 10.1.1.20 DST 144.17.1.22 into SRC 2.0.0.2 DST 10.255.1.10
<-- Packet to be forwarded to the SE server on the central site
<-- send packet to 10.255.1.10 (SRC 2.0.0.2 DST 10.255.1.10)


How can I do this with SoftEther?

Thanks
Best
Stefan
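The bidirectional 1:1 translation described in the post (central's packets to a virtual address rewritten to the real LAN host with the central system's locally defined address as source, and new connections from the LAN host rewritten the other way) is exactly what the Linux kernel's NAT plus connection tracking does on the remote SE client, independently of SoftEther itself. The script below is an added example written for this thread, not code from the post or from the SoftEther project: it generates (and with `apply` loads) an nftables ruleset for one remote site from the static real-to-virtual mapping the post lists for Remote A. The interface names `vpn_se` (the SE client's virtual adapter) and `eth0` (the site LAN), and the route from the SE client to 10.255.1.10 over `vpn_se`, are assumptions that are not in the post.

```shell
#!/bin/sh
# Added example (not from the post or SoftEther): 1:1 bidirectional NAT on a
# Linux SE client so the central system addresses local hosts by virtual IPs
# and local hosts address the central system by a locally defined virtual IP.
# Assumed interface names: VPN side "vpn_se", LAN side "eth0" (override via env).
VPN_IF="${VPN_IF:-vpn_se}"
LAN_IF="${LAN_IF:-eth0}"
CENTRAL_REAL="10.255.1.10"       # central system's real address, from the post

# Static pool for this site (Remote A from the post): "real_ip virtual_ip" per line.
SITE_MAP="10.1.1.20 2.0.0.2
10.1.1.30 2.0.0.3"
CENTRAL_VIRTUAL="144.17.1.22"    # what local hosts use to reach the central system

# gen_nat_rules MAP CENTRAL_VIRTUAL  -> prints an nft ruleset on stdout
gen_nat_rules() {
  map="$1"; cvirt="$2"
  printf 'table ip sevpn_nat {\n'
  printf '  chain prerouting {\n'
  printf '    type nat hook prerouting priority dstnat; policy accept;\n'
  printf '    # central -> remote: virtual destination becomes the real LAN host\n'
  echo "$map" | while read -r real virt; do
    [ -n "$real" ] || continue
    printf '    iifname "%s" ip saddr %s ip daddr %s dnat to %s\n' \
      "$VPN_IF" "$CENTRAL_REAL" "$virt" "$real"
  done
  printf '    # remote -> central: locally defined virtual address of the central system\n'
  printf '    iifname "%s" ip daddr %s dnat to %s\n' "$LAN_IF" "$cvirt" "$CENTRAL_REAL"
  printf '  }\n'
  printf '  chain postrouting {\n'
  printf '    type nat hook postrouting priority srcnat; policy accept;\n'
  printf '    # central -> remote: LAN host sees the central system as its virtual IP\n'
  printf '    oifname "%s" ip saddr %s snat to %s\n' "$LAN_IF" "$CENTRAL_REAL" "$cvirt"
  printf '    # remote -> central: central sees each LAN host as its virtual IP\n'
  echo "$map" | while read -r real virt; do
    [ -n "$real" ] || continue
    printf '    oifname "%s" ip saddr %s snat to %s\n' "$VPN_IF" "$real" "$virt"
  done
  printf '  }\n'
  printf '  chain forward {\n'
  printf '    # forward hook runs after DNAT and before SNAT, so real addresses are seen\n'
  printf '    type filter hook forward priority filter; policy drop;\n'
  printf '    ct state established,related accept\n'
  echo "$map" | while read -r real virt; do
    [ -n "$real" ] || continue
    printf '    iifname "%s" oifname "%s" ip saddr %s ip daddr %s accept\n' \
      "$VPN_IF" "$LAN_IF" "$CENTRAL_REAL" "$real"
    printf '    iifname "%s" oifname "%s" ip saddr %s ip daddr %s accept\n' \
      "$LAN_IF" "$VPN_IF" "$real" "$CENTRAL_REAL"
  done
  printf '  }\n'
  printf '}\n'
}

# apply_nat_rules: enable forwarding and load the generated ruleset (needs root)
apply_nat_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gen_nat_rules "$SITE_MAP" "$CENTRAL_VIRTUAL" | nft -f -
}

case "${1:-}" in
  apply) apply_nat_rules ;;
  *)     gen_nat_rules "$SITE_MAP" "$CENTRAL_VIRTUAL" ;;   # default: just print
esac
```

Only the first packet of a connection traverses the nat chains; replies are reversed by conntrack, so a flow started by either side gets both rewrites without extra rules. For this to work the SE client needs a route to 10.255.1.10 via `vpn_se`, the central site needs routes for each site's virtual range (2.0.0.0/24, 3.0.0.0/24) pointing at the respective client, and the LAN hosts need the host routes the post already lists. The `forward` chain's drop policy enforces the remote admin's requirement that local hosts only talk to the assigned addresses, and the `ip saddr 10.255.1.10` match on the DNAT rules keeps anything other than the central system from reaching the LAN through the virtual addresses; keeping remote sites from reaching each other still has to be done at the central side. One caveat on the addresses themselves: 2.0.0.0/8, 144.17.0.0/16 and 14.45.0.0/16 are publicly routed ranges, so these rules would hijack real Internet destinations on the hosts that carry them; RFC 1918 space or the RFC 6598 shared range 100.64.0.0/10 avoids that.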
