Windows - Disable SecureNAT but keep routing all traffic through server IP address

Post by zach.bussinger » Tue Jan 12, 2021 1:36 am

Hi everyone,
I am managing a VPN instance for my office and recently some people have been complaining of slow speeds, and we have had some connectivity issues when executing long-running SQL queries while on the VPN. I did some research and found that I should disable the SecureNAT settings to help with speed and stability issues.

Basically, the way we want to use the VPN is to have any client connecting route ALL traffic such that their IP address will masquerade as the public IP of the VPN server. We use this to get everyone on the same outbound public IP so we can set up IP whitelisting rules on the assets they are trying to access.

My problem is, if I turn off SecureNAT I get great speed (with it on, it cuts bandwidth in half or worse!) but I am getting the IP address that my ISP is assigning to me, not the IP of the VPN server anymore. As I understand it, this is a function of the NAT setup but I'm unsure how to replicate it in Windows without SecureNAT. I think this is called "masquerading"? Forgive me if my terminology is incorrect, I'm not very experienced in this realm. I would also like this to work with L2TP/IPSEC connections.

Our setup is:

Server
---------------
Windows Server 2016 on Azure
SoftEther VPN Server, v4.34 build 9745
Default settings mostly, except:
- Local bridge configured and pointing to the single "Ethernet" network adapter on the box
- SecureNAT currently enabled
- L2TP/IPSEC enabled to support mobile devices

Client
--------------
Same build as server
Direct TCP/IP connection
Disable NAT-T
Port 443
Advanced Settings:
8 TCP connections
Disable UDP Acceleration (this helped with performance, it was even slower with this off)


Any advice on how I can achieve IP "masquerading" in Windows without using SecureNAT so all outbound traffic has the public IP of the server? I see a lot of discussion on this topic but most are Linux examples and I'm not too familiar with how to translate some of those concepts to Windows! I think if I can solve this issue, SoftEther will be perfect for us.

Thanks in advance,
-Zach

Re: Windows - Disable SecureNAT but keep routing all traffic through server IP address

Post by zach.bussinger » Wed Jan 13, 2021 4:34 pm

I guess I am wondering if I'm just misunderstanding how this all works... please let me know if so.

End goal is that any client who is connecting to the VPN should have all outbound traffic coming from the same public IP as the VPN server.
I am running on Windows Server, hosted on a VM in Azure, single physical network adapter.

Local bridging is not enough - it works but the public IP address of the client doesn't change.

SecureNAT does what I want but it slows things down massively, a real problem for people with slower internet connections.

Is it possible to do this without SecureNAT? I see a lot of mentions about using a TAP adapter on Linux, and something called dnsmasq. But from what I am reading this setup is not possible on Windows. Does anyone know how I can achieve this on Windows? I was able to do it with OpenVPN but I did not like OpenVPN as much; we had some stability issues and it wasn't as easy to manage.
