Cannot get NAT traversal to work
Posted: Fri Feb 04, 2022 1:42 am
by marktheman
If I'm understanding correctly, the only config required on the server is to enable the DDNS and point my client to that address. However I've tried it behind NAT routers on two different networks and neither one would work. I can open firewall ports but I really like the idea of not opening any firewall ports to reduce attack surface. I tried the Azure and that works but it's unusably slow because it's routing all the traffic through that service.
Am I missing something, or does the NAT traversal function just not work? Thanks.
Re: Cannot get NAT traversal to work
Posted: Fri Feb 04, 2022 2:01 am
by eddiewu
NAT traversal works as long as both ends have a NAT type that is not symmetric. That's something you can do nothing about.
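Before concluding that NAT traversal is broken, the check a practitioner would run is whether either end is actually behind a symmetric NAT. The script below is an added example, not part of this thread and not SoftEther's own NAT-T code (SoftEther NAT-T talks to its own nat-traversal servers rather than to STUN). It sends a generic STUN Binding Request (RFC 5389) from one local UDP socket to two different public servers and compares the mapped address each one reports back: if the two mappings differ, the NAT allocates a fresh mapping per destination, which is the symmetric behaviour that defeats UDP hole punching. The STUN server hostnames are an assumption; the sample response is constructed inline so the parsing and classification can be exercised offline.

```python
# Added example: generic STUN (RFC 5389) probe to tell whether this host is behind a
# symmetric NAT. Not SoftEther code; SoftEther NAT-T uses its own servers, not STUN.
import os
import socket
import struct

STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020

# Assumed public STUN servers; substitute any two you trust.
STUN_SERVERS = [("stun.l.google.com", 19302), ("stun1.l.google.com", 19302)]


def build_binding_request(txid):
    """20-byte STUN header: type, zero attribute length, magic cookie, 96-bit txid."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid


def build_success_response(txid, ip, port):
    """Constructed Binding Success Response carrying an IPv4 XOR-MAPPED-ADDRESS.
    Used here only to produce offline sample input; a real server sends this."""
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ STUN_MAGIC_COOKIE
    xport = port ^ (STUN_MAGIC_COOKIE >> 16)
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE) + txid + attr


def parse_mapped_address(resp, txid):
    """Return (ip, port) the server saw us as, or None if the reply is not ours.
    XOR-MAPPED-ADDRESS is preferred; plain MAPPED-ADDRESS is the fallback."""
    if len(resp) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", resp[:8])
    if mtype != BINDING_SUCCESS or cookie != STUN_MAGIC_COOKIE or resp[8:20] != txid:
        return None
    body = resp[20:20 + mlen]
    fallback = None
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            continue
        if len(val) != 8 or val[1] != 0x01:  # only IPv4 is handled here
            continue
        port, addr = struct.unpack("!HI", val[2:8])
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= STUN_MAGIC_COOKIE >> 16
            addr ^= STUN_MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        fallback = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    return fallback


def classify_nat(mappings):
    """Same local socket seen as the same (ip, port) by two servers means an
    endpoint-independent mapping, which UDP hole punching needs; different
    mappings mean a symmetric NAT."""
    seen = [m for m in mappings if m is not None]
    if len(seen) < 2:
        return "unknown"
    return "symmetric" if len(set(seen)) > 1 else "endpoint-independent"


def probe(servers=STUN_SERVERS, timeout=2.0):
    """Send one Binding Request per server from a single UDP socket (needs network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    results = []
    try:
        for host, port in servers:
            txid = os.urandom(12)
            try:
                sock.sendto(build_binding_request(txid), (host, port))
                data, _ = sock.recvfrom(2048)
                results.append(parse_mapped_address(data, txid))
            except (socket.timeout, OSError):
                results.append(None)
    finally:
        sock.close()
    return results


# Constructed sample response for the offline check (not captured from a real server).
SAMPLE_TXID = b"\x7a" * 12
SAMPLE_RESPONSE = build_success_response(SAMPLE_TXID, "203.0.113.7", 40000)

if __name__ == "__main__":
    seen = probe()
    print("mappings:", seen)
    print("NAT mapping:", classify_nat(seen))
```

Run it on both ends of the intended tunnel: a "symmetric" verdict on either side is definitive, since the NAT is handing out a different external port per destination and the peer cannot guess it. Two servers agreeing only shows endpoint-independent mapping, not the filtering behaviour (that needs the RFC 5780 extensions), so "endpoint-independent" is a necessary rather than sufficient condition for NAT-T to succeed.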
Re: Cannot get NAT traversal to work
Posted: Fri Feb 04, 2022 11:31 am
by solo
Re "not opening any firewall ports to reduce attack surface", yeah, wise policy in general, but if an attacker intends to probe SE weakness then simulating an SE client via NAT-T is really simple with the help of the source code...
// NAT Traversal Server Information
#define UDP_NAT_T_SERVER_TAG "x%c.x%c.servers.nat-traversal.softether-network.net."
#define UDP_NAT_T_SERVER_TAG_ALT "x%c.x%c.servers.nat-traversal.uxcom.jp."
#define UDP_NAT_T_PORT 5004
// Related to process to get the private IP address of itself with making a TCP connection to the NAT-T server
#define UDP_NAT_T_GET_PRIVATE_IP_TCP_SERVER "www.msftncsi.com."
#define UDP_NAT_T_PORT_FOR_TCP_1 80
#define UDP_NAT_T_PORT_FOR_TCP_2 443
Re: Cannot get NAT traversal to work
Posted: Fri Feb 04, 2022 7:57 pm
by marktheman
You're not wrong; however, that's also extra steps beyond what is usually done, that being a typical port scan or Shodan search for candidate targets. Conversely, it's easier to monitor a single open TCP port than to monitor a random UDP NAT tunnel.
Re: Cannot get NAT traversal to work
Posted: Fri Feb 04, 2022 10:35 pm
by solo
Re "I tried the Azure and that works but it's unusably slow" - there is an alternative. Cascade it to another SE server under your control which does not need to keep a low profile, while your low-profile site will need no NAT-T, port-FWD, or DDNS, and symmetric NAT or CGNAT are of no concern.
If you don't have another SE server, try a VHUB on http://www.packetix.net/en/vpn/ - perhaps it is faster than the Azure.