LAN-to-LAN VPN (L3) with single interface

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Dilbert92011
Posts: 3
Joined: Fri Jul 08, 2022 7:34 am

LAN-to-LAN VPN (L3) with single interface

Post by Dilbert92011 » Fri Jul 08, 2022 10:40 am

I am trying to build a LAN-to-LAN VPN (Using L3 IP Routing) between my home network and the home network of my friend.

At my home I compiled and started VPN Server on a Ubuntu 20.04 device.
At my friend's home I compiled and started VPN Bridge on a Debian 10 device.

Both devices have only one physical ethernet interface, and this is connected to the respective LAN. On each of these LANs there is also a router of the ISP.

This is my main question: Is it even possible to connect two distant LANs using SoftEther VPN on computers which are just normal participants of the LANs? Their connection to the LAN and to the internet is the same physical ethernet interface!

This is what I tried:

AT MY HOME SITE:
routing table:

default via 10.0.0.138 dev eno0 proto static 
10.0.0.0/24 dev eno0 proto kernel scope link src 10.0.0.5 

I started VPN Server and used vpncmd for configuration as follows:

HubCreate hublan /PASSWORD:hublan
BridgeCreate hublan /device:eno0
HubCreate hubremote /PASSWORD:hubremote
hub hubremote
UserCreate friend /GROUP:none /REALNAME:my_friend /NOTE:none
UserPasswordSet friend /PASSWORD:secret
RouterAdd myl3r
RouterIfAdd myl3r /HUB:hublan /IP:10.0.0.254/24
RouterIfAdd myl3r /HUB:hubremote /IP:192.168.101.254/24
RouterStart myl3r

AT MY FRIEND'S SITE:
routing table:

default via 192.168.101.100 dev eth1 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.101.0/24 dev eth1 proto kernel scope link src 192.168.101.102 

I started VPN Bridge and used vpncmd for configuration as follows:

BridgeCreate BRIDGE /device:eth1
hub BRIDGE
CascadeCreate tohome /SERVER:my.home.site:443 /HUB:hubremote /USERNAME:friend
CascadePasswordSet tohome /PASSWORD:secret /TYPE:standard
CascadeOnline tohome
CascadeList  --> shows "Online (Established)"

The `Online` status tells me that VPN Server and VPN Bridge have found each other and they can talk.
But I can not ping anything from the remote side.

Am I missing something or is my envisioned setup simply impossible?

Thanks in advance for any hints!

solo
Posts: 383
Joined: Sun Feb 14, 2021 10:31 am

Re: LAN-to-LAN VPN (L3) with single interface

Post by solo » Thu Jul 14, 2022 12:59 am

AT MY HOME SITE
ip route add 192.168.101.0/24 via 10.0.0.254

AT MY FRIENDS SITE
ip route add 10.0.0.0/24 via 192.168.101.254

Then you can cross-ping.

Dilbert92011
Posts: 3
Joined: Fri Jul 08, 2022 7:34 am

Re: LAN-to-LAN VPN (L3) with single interface

Post by Dilbert92011 » Fri Jul 22, 2022 12:31 pm

solo wrote:
Thu Jul 14, 2022 12:59 am
AT MY HOME SITE
ip route add 192.168.101.0/24 via 10.0.0.254

AT MY FRIENDS SITE
ip route add 10.0.0.0/24 via 192.168.101.254

Then you can cross-ping.

Thank you for your response, but adding those routes unfortunately didn't help.
Now AT MY HOME SITE:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 eno0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eno0
192.168.101.0   10.0.0.254      255.255.255.0   UG    0      0        0 eno0

Now AT MY FRIEND'S SITE:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.101.100 0.0.0.0         UG    0      0        0 eth1
10.0.0.0        192.168.101.254 255.255.255.0   UG    0      0        0 eth1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1

What I don't understand is how would the kernel know that a packet (destined for the other site) should be handed over to SoftEther?
My understanding of this particular route is that the packet shall be sent out eno0 (in case I ping from HOME to FRIEND).

When I ping from 10.0.0.5 (HOME) to 192.168.101.X (FRIEND), then tcpdump@HOME shows lots of ARP requests for 10.0.0.254 with replies like

13:32:18.976278 ARP, Request who-has 10.0.0.254 tell UbuntuHome, length 28
13:32:18.976769 ARP, Reply 10.0.0.254 is-at 5e:a3:22:88:c4:c9 (oui Unknown), length 28

I don't recognize this MAC address 5e:a3:22:88:c4:c9. Whose is it?
And ping tells me "Destination Host Unreachable".

Is it correct that the VPNserver(HOME) needs two hubs, one with a virtual bridge to my 'only' ethernet interface, and the VPNbridge(FRIEND) cascading to the 'other' hub?
Here is my topology:

HOME:
  VPNServer (@10.0.0.5) with:
    Hub "hublan" with:
      virtual bridge to device "eno0" # eno0 is connected to a LAN port on the ISP's box @HOME.
    Hub "hubremote" with:
      user "friend"
    Router with
      interface /HUB:hublan    /IP:10.0.0.254/24
      interface /HUB:hubremote /IP:192.168.101.254/24

FRIEND:
  VPNBridge (@192.168.101.102) with:
    Hub "BRIDGE" with:
      virtual bridge to device "eth1" # eth1 is connected to a LAN port on the ISP's box @FRIEND.
      cascade to /SERVER:my.home.site:443 /HUB:hubremote /USERNAME:friend

BTW: vpncmd@FRIEND can connect to my.home.site:443 and actually can manage VPNserver@HOME. This tells me that a connection is possible and port forwarding in ISPbox@HOME is set up correctly. IMHO
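The routing question raised in the post above (how the kernel "knows" a packet for the other site should end up in SoftEther) can be worked through on the two posted tables. The script below is an added example, not code from this thread or from the SoftEther project: it implements the kernel's longest-prefix-match lookup over the `ip route` lines quoted earlier plus the two routes solo suggested, and reports the output interface and the address the kernel will ARP for. On the home side a packet for 192.168.101.x matches 192.168.101.0/24 via 10.0.0.254 on eno0, so the kernel's part ends with an ARP for 10.0.0.254 on eno0 and a frame sent to whichever MAC answers. The virtual L3 switch interface on hublan, bridged to that same eno0, is what has to answer and pick the frame up; the reply seen in the tcpdump came from a locally administered MAC (first octet 0x5e has the locally administered bit set), which is what a virtual interface rather than a vendor NIC would use. The address 203.0.113.9 in the demo is a constructed external destination.

```python
import ipaddress

# Routing tables as posted in the thread: the `ip route` output from each
# site plus the two routes solo suggested adding.
HOME_ROUTES = """
default via 10.0.0.138 dev eno0 proto static
10.0.0.0/24 dev eno0 proto kernel scope link src 10.0.0.5
192.168.101.0/24 via 10.0.0.254 dev eno0
"""

FRIEND_ROUTES = """
default via 192.168.101.100 dev eth1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.101.0/24 dev eth1 proto kernel scope link src 192.168.101.102
10.0.0.0/24 via 192.168.101.254 dev eth1
"""


def parse_routes(text):
    """Parse `ip route` style lines into a list of route dicts."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append({
            "net": ipaddress.ip_network(prefix, strict=False),
            "via": fields[fields.index("via") + 1] if "via" in fields else None,
            "dev": fields[fields.index("dev") + 1] if "dev" in fields else None,
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does for a unicast destination.

    Returns the matching prefix, the output device, the next hop (None for a
    directly connected route) and the IP the kernel will ARP for on that device.
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r["net"].prefixlen)
    return {
        "prefix": str(best["net"]),
        "dev": best["dev"],
        "next_hop": best["via"],
        # Connected route: ARP for the destination itself; otherwise for the gateway.
        "arp_target": best["via"] or str(addr),
    }


def explain(routes, dst):
    """One-line description of how a packet to dst leaves this host."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route"
    hop = "directly connected" if r["next_hop"] is None else f"via {r['next_hop']}"
    return f"{dst}: matches {r['prefix']} {hop}, sent out {r['dev']}, ARP for {r['arp_target']}"


if __name__ == "__main__":
    home, friend = parse_routes(HOME_ROUTES), parse_routes(FRIEND_ROUTES)
    print("HOME:")
    # 203.0.113.9 is a constructed external address, not from the thread.
    for dst in ("192.168.101.102", "10.0.0.7", "203.0.113.9"):
        print("  " + explain(home, dst))
    print("FRIEND:")
    for dst in ("10.0.0.5", "172.17.0.5", "192.168.101.100"):
        print("  " + explain(friend, dst))
```

Note what the lookup does not show: nothing in the kernel's table names SoftEther. The route only says "send it to 10.0.0.254 on eno0". Whether that frame reaches the virtual router depends on the local bridge seeing it on the shared NIC, which is why the bridge side must be in promiscuous mode and why a "Destination Host Unreachable" after successful ARP points at the hop after the kernel, not at the routing table.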

solo
Posts: 383
Joined: Sun Feb 14, 2021 10:31 am

Re: LAN-to-LAN VPN (L3) with single interface

Post by solo » Fri Jul 22, 2022 1:21 pm

On both sides:
  • the NICs' ifconfig must confirm "PROMISC"
  • iptables do "ACCEPT"
  • ip_forward=1
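The three items in the post above can be checked mechanically before digging further. The script below is an added example, not code from this thread or from the SoftEther project: it parses the output of `ip -d link show` (or `ifconfig`), `sysctl net.ipv4.ip_forward` and `iptables -S FORWARD` and reports each item as OK or FAIL. The sample outputs embedded in it are constructed; the interface name eno0 is the home site's NIC from the thread, and on a live host the real name is passed as the first argument.

```python
import re
import subprocess

# Constructed sample command outputs, shaped like `ip -d link show`, `ifconfig`,
# `sysctl net.ipv4.ip_forward` and `iptables -S FORWARD` print on a host that
# passes (OK) or fails (BAD) solo's three checks. Not captured from the thread.
IP_LINK_OK = "2: eno0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000"
IP_LINK_BAD = "2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000"
IFCONFIG_OK = "eno0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500\n        inet 10.0.0.5  netmask 255.255.255.0  broadcast 10.0.0.255"
SYSCTL_OK = "net.ipv4.ip_forward = 1"
SYSCTL_BAD = "net.ipv4.ip_forward = 0"
IPTABLES_OK = "-P FORWARD ACCEPT\n"
IPTABLES_BAD = "-P FORWARD DROP\n-A FORWARD -i eno0 -o eno0 -j ACCEPT\n"


def nic_flags(output, ifname):
    """Return the set of link flags for ifname from `ip link` or `ifconfig` output."""
    for line in output.splitlines():
        if re.search(rf"(^|\s){re.escape(ifname)}:", line):
            m = re.search(r"<([A-Z_,-]+)>", line)
            if m:
                return set(m.group(1).split(","))
    return set()


def check_promisc(output, ifname):
    """Item 1: the bridged NIC must be in promiscuous mode."""
    return "PROMISC" in nic_flags(output, ifname)


def check_ip_forward(output):
    """Item 3: net.ipv4.ip_forward must be 1."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", output)
    return bool(m) and m.group(1) == "1"


def forward_policy(output):
    """Return the FORWARD chain's default policy from `iptables -S FORWARD`."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "-P" and fields[1] == "FORWARD":
            return fields[2]
    return None


def check_forward_accept(output):
    """Item 2: the FORWARD chain accepts by default."""
    return forward_policy(output) == "ACCEPT"


def run_checks(ifname, link_output, sysctl_output, iptables_output):
    """Evaluate all three items on already-captured command output."""
    return {
        "promisc": check_promisc(link_output, ifname),
        "ip_forward": check_ip_forward(sysctl_output),
        "forward_accept": check_forward_accept(iptables_output),
    }


def capture(cmd):
    """Run a command and return its stdout, or "" if the tool is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    import sys
    ifname = sys.argv[1] if len(sys.argv) > 1 else "eno0"
    results = run_checks(
        ifname,
        capture(["ip", "-d", "link", "show", ifname]),
        capture(["sysctl", "net.ipv4.ip_forward"]),
        capture(["iptables", "-S", "FORWARD"]),  # reading the ruleset needs root
    )
    for name, ok in results.items():
        print(f"{name:15s} {'OK' if ok else 'FAIL'}")
```

The firewall check is deliberately strict: a FORWARD chain with policy DROP and explicit ACCEPT rules for the bridged interface is reported as FAIL, and the rules then have to be read by hand. On hosts where `iptables` is absent (pure nftables), the third check also fails and `nft list ruleset` is the place to look.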
