how to connect ocserv (OpenConnect) to softether double vpn [ solved ]

KatherineEddie
Posts: 25
Joined: Fri Nov 11, 2022 9:45 am

how to connect ocserv (OpenConnect) to softether double vpn [ solved ]

Post by KatherineEddie » Sun Dec 11, 2022 9:14 pm

Hi all
Separately I have two VPN servers:
1. is an ocserv (OpenConnect Linux server)
2. is a double VPN (cascading from server A to server B).
- server A (Linux): SecureNAT is disabled + cascade to server B + users have been added
- server B (Linux): SecureNAT is enabled + a single user for cascading from server A

Now I would like to merge these two servers (ocserv + server A) into one (Linux server) so users can connect (via the OpenConnect client) to server A (SE), and in server A the incoming traffic of ocserv should be (I do not know how)
- forwarded, or
- bridged, or
- routed
- etc.
to server B via the cascade connection that has been defined in the VPN virtual hub.

Code:

old workflow
# open connect
client =======> server X (OC)

# SE
client =======> server A (SE) =======> server B (SE)

new workflow 
client (SE or open connect) =======> server A (SE + OC) =======> server B
First question: is this possible?
Second question: if yes, how?
I was thinking of
- local bridge
- layer 3 switching
but was not sure how to use them exactly.

Regards
Last edited by KatherineEddie on Mon Dec 26, 2022 11:51 am, edited 1 time in total.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by solo » Sun Dec 11, 2022 10:35 pm

Go L2 if possible, otherwise adapt the Linux NAT method I described in context of interconnecting a VPN Gate client to SoftEther server - "Is possible to route all Softether Traffic by ip route and iptable command?" aka "Route all traffic from SoftEther VPN Server to Softether Client".

KatherineEddie
Posts: 25
Joined: Fri Nov 11, 2022 9:45 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by KatherineEddie » Mon Dec 12, 2022 7:02 am

solo wrote:
Sun Dec 11, 2022 10:35 pm
Go L2 if possible, otherwise adapt the Linux NAT method I described in context of interconnecting a VPN Gate client to SoftEther server - "Is possible to route all Softether Traffic by ip route and iptable command?" aka "Route all traffic from SoftEther VPN Server to Softether Client".
@solo

Yes, I would like to make it work with a Layer 2 local bridge. I do think it is possible, but not just via SE alone.
Second, I did not want to run a second VPN client on server A to have a full or split tunnel to server B, since there is already a cascade connection from server A to server B via SE on server A.
So this is not my case.
In other words you'd like to "Route all traffic from SoftEther VPN server to SoftEther Client".
What I have done so far:

server A
- SE server + cascade to server B + no NAT (NAT is from server B)
- WG server with 10.43.193.0/24
- OcServ with 10.10.10.0/24
server B
- SE server in unrestricted country

iptables for WG and ocserv on server A:

Code:

*nat
:PREROUTING ACCEPT [17:795]
:INPUT ACCEPT [9:401]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [1:76]
-A POSTROUTING -s 10.43.193.0/24 -o ens160 -m comment --comment wireguard-nat-rule -j MASQUERADE
-A POSTROUTING -s 10.10.10.0/24 -o ens160 -m comment --comment ocserv-nat-rule -j MASQUERADE
So WG/OC clients are connected to server A.

Adding two local bridges in SE server A

Code:

ip -br a
tap_vpns0        UNKNOWN        IP_V6/64 
tap_wg0          UNKNOWN        IP_V6/64
Allocating IP addresses for these two tap_* interfaces from server B via

Code:

dhclient -v tap_vpns0
dhclient -v tap_wg0
Result after allocation (IPv6 addresses have been deleted from the output)

Code:

ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128 
ens160           UP             x.x.x.x/24  # public IP
wg0              UNKNOWN        10.43.193.1/24 
tap_vpns0        UNKNOWN        10.10.3.3/24 
tap_wg0          UNKNOWN        10.10.3.2/24 
So I can ping the server B gateway, which is 10.10.3.1

Code:

ping 10.10.3.1 -c4
PING 10.10.3.1 (10.10.3.1) 56(84) bytes of data.
64 bytes from 10.10.3.1: icmp_seq=1 ttl=128 time=172 ms
64 bytes from 10.10.3.1: icmp_seq=2 ttl=128 time=172 ms
64 bytes from 10.10.3.1: icmp_seq=3 ttl=128 time=172 ms
64 bytes from 10.10.3.1: icmp_seq=4 ttl=128 time=171 ms

--- 10.10.3.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 171.460/171.753/172.257/0.313 ms
Now I should be able to forward (or route) WG/OC to the two SE local bridges, since tap_vpns0 and tap_wg0 have access to the server B gateway (10.10.3.1).
Question: how?

Regards

mjthelearner
Posts: 28
Joined: Fri Nov 25, 2022 6:08 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by mjthelearner » Mon Dec 12, 2022 11:32 am

##SERVER 1
OC_SERVER1= OpenConnect server with 15.0.0.1 gateway on VPS1
SE_SERVER1= SoftEther server on VPS1 [ this server is cascaded to SE_SERVER2, SecureNAT disabled ]

## SERVER 2
SE_SERVER2= SoftEther server on VPS2 [ tap_tap local bridge, dnsmasq ]

cat /etc/dnsmasq.conf

Code:

interface=tap_soft
dhcp-range=tap_soft,15.0.0.10,15.0.0.99,12h
dhcp-option=tap_soft,3,15.0.0.1
server=1.1.1.1
iptables-save -t nat

Code:

-A POSTROUTING -s 15.0.0.0/24 -j SNAT --to-source xxx.xxx.xxx.xxx
# xxx.xxx.xxx.xxx = my vps ip

How to do this, routing OpenConnect Users to Server2?

Clients --[ connecting to ] --> OC_SERVER1 ---> SE_SERVER1 -->[ CASCADED to ] --> SE_SERVER2

Normally I can route connections to each other when I have interfaces, but when cascading between 2 servers using SoftEther, I don't know what the GW and IP addresses are.

And another question:
SE_SERVER1 is connected to SE_SERVER2 using the CASCADE option in SoftEther Manager.

Clients can't connect to SE_SERVER1 when the firewall is enabled on SE_SERVER2. Which ports should be open and allowed on SE_SERVER2? [USING OPENVPN and L2TP on Server1]
Or do I have to disable the firewall on server2?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by solo » Mon Dec 12, 2022 12:35 pm

KatherineEddie wrote:
Mon Dec 12, 2022 7:02 am
I did not want to run second VPN client on server A to have a full or split tunnel to server B, since there is already a cascade connection from server A to server B via SE on server A.
So this is not my case.
But it is, only the perspective is slightly different:
- your SE tap (just one, delete the second) is equivalent to my VPN Gate vNIC
- my SE tap is equivalent to your WG/OC interfaces
All you need to do is NAT both WG/OC to the tap instead of ens160.

KatherineEddie
Posts: 25
Joined: Fri Nov 11, 2022 9:45 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by KatherineEddie » Mon Dec 12, 2022 2:41 pm

solo wrote:
Mon Dec 12, 2022 12:35 pm
KatherineEddie wrote:
Mon Dec 12, 2022 7:02 am
I did not want to run second VPN client on server A to have a full or split tunnel to server B, since there is already a cascade connection from server A to server B via SE on server A.
So this is not my case.
But it is, only the perspective is slightly different:
- your SE tap (just one, delete the second) is equivalent to my VPN Gate vNIC
- my SE tap is equivalent to your WG/OC interfaces
All you need to do is NAT both WG/OC to the tap instead of ens160.
Since I used
- dhclient tap_wg0
I thought it could be easy to just use iptables and forward the traffic, and you are saying
All you need to do is NAT both WG/OC to the tap instead of ens160.
is enough: something like

Code:

# example
iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o tun0 -j SNAT --to-source 10.8.0.120
but in your https://www.vpnusers.com/viewtopic.php? ... 926#p97433 post you said

Code:

...
ExecStartPost=/sbin/ip addr add 192.168.9.1/24 brd + dev tap_tap
...

/etc/dnsmasq.conf
interface=tap_tap
dhcp-range=192.168.9.99,192.168.9.199,12h
dhcp-option=3,192.168.9.1
dhcp-option=6,1.1.1.1

iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o tun0 -j SNAT --to-source 10.8.0.120
So I can ignore ip route add ..., right?
and just need iptables -t nat?

Code:

iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o tun0 -j SNAT --to-source 10.8.0.120

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by solo » Mon Dec 12, 2022 10:18 pm

KatherineEddie wrote:
Mon Dec 12, 2022 2:41 pm
is enough: something like
# example
iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o tun0 -j SNAT --to-source 10.8.0.120
Well, if you keep using dhclient, then better something like:

Code:

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tap_vpns0 -j MASQUERADE
So I can ignore ip route add ... , right?
Not at all, routing is critical and essential for the above POSTROUTING to function properly.

EDIT
ensure: net.ipv4.ip_forward = 1
BTW, @mjthelearner says "It doesn't work for me" because of messed up routing for sure.

mjthelearner
Posts: 28
Joined: Fri Nov 25, 2022 6:08 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by mjthelearner » Tue Dec 13, 2022 12:11 am

I had to create a table and it works.

Interface CLIENT: I'm using a PPP interface and connected to an external VPN server.

# ppp0 config and stats
pppstip=10.8.0.150 #static IP for ppp0
pppgw=10.8.0.1 #ppp server gateway
pppipr=10.8.0.0/24 # ppp IP pool range

Code:

ifconfig ppp0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.150  netmask 255.255.255.255  destination 10.8.0.1

The openVPN server is running with this config
#openvpn config and stats
opengw=10.10.10.1 #openvpn gateway
openipr=10.10.10.0/24 #openvpn IP range

Code:

ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.10.10.1  netmask 255.255.255.0  destination 10.10.10.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
Now this is what I have done to route openVPN server traffic through the ppp0 client.

Check for IPv4 forwarding, enable it:

Code:

sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -p
1: creating a new table [table name = 1000]

Code:

/usr/bin/systemctl start iptables
ip route add 10.10.10.0/24 dev tun0 table 1000
ip route add default via 10.8.0.150 dev ppp0 table 1000
ip route add 10.8.0.0/24 dev ppp0 table 1000
2: adding rules

Code:

ip rule add iif ppp0 lookup 1000
ip rule add iif tun0 lookup 1000
2-a: check if the table is defined correctly

Code:

/sbin/ip rule | grep 1000
# output must be like

Code:

/sbin/ip rule | grep 1000

218:    from all iif tun0 lookup 1000
219:    from all iif ppp0 lookup 1000
3: flushing NAT forwarding

Code:

/sbin/iptables -t nat -F
4: adding NAT forward

Code:

/sbin/iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o ppp0 -j MASQUERADE
4-a: I don't know if this is needed or not

Code:

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -j SNAT --to-source 10.8.0.150

Code:

/sbin/iptables-save -t nat
5: saving the current iptables

Code:

service netfilter-persistent save

Now every user that connects through the VPN server [tun0] will get the [ppp0] gateway and be directed to the external VPN server.

Sorry if I describe something wrong; I lack networking knowledge.

KatherineEddie
Posts: 25
Joined: Fri Nov 11, 2022 9:45 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by KatherineEddie » Wed Dec 14, 2022 5:54 pm

solo wrote:
Mon Dec 12, 2022 10:18 pm
KatherineEddie wrote:
Mon Dec 12, 2022 2:41 pm
is enough: something like
# example
iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o tun0 -j SNAT --to-source 10.8.0.120
Well, if you keep using dhclient, then better something like:

Code:

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tap_vpns0 -j MASQUERADE
So I can ignore ip route add ... , right?
Not at all, routing is critical and essential for the above POSTROUTING to function properly.

EDIT
ensure: net.ipv4.ip_forward = 1
BTW, @mjthelearner says "It doesn't work for me" because of messed up routing for sure.

Fortunately I could make it work and no iptables was needed at all :) with the help of @mjthelearner's answer.

Also I forgot to tell I was looking for partial routing, not full routing.
I already did full routing and it just needs adding a default route to the SE client and deleting the VM (public IP) default route.

KatherineEddie
Posts: 25
Joined: Fri Nov 11, 2022 9:45 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by KatherineEddie » Wed Dec 14, 2022 6:09 pm

mjthelearner wrote:
Tue Dec 13, 2022 12:11 am
I had to create a table and it works.

...

After more testing with your method, I finally could make it work, and fortunately no iptables was needed.

For WG it was pretty simple, since WG has a static (fixed) virtual interface (wg0), so we can add

Code:

# for access the server (not part of custom table)
ip route add 10.43.193.0/24 dev wg0 proto kernel scope link src 10.43.193.1

# a custom table for wg0
ip route add 10.43.193.0/24 dev wg0 table 1000

# select the incoming device to match
ip rule add iif wg0 lookup 1000
and for our tap which has been bridged

Code:

# add default to our custom table
ip route add default via 10.10.3.1 dev tap_tap table 1000

# select the incoming device to match
ip rule add iif tap_tap lookup 1000
So we made the wg0 interface be routed to tap_tap via the SE local bridge, which has a cascade connection to server B.
No iptables at all.

How about ocserv?
Well, it has a dynamic interface which is added on the fly. And fortunately ocserv has a user connected/disconnected functionality and can call "ip route" to add routes dynamically.

First

Code:

connect-script = /etc/ocserv/fw.sh
disconnect-script = /etc/ocserv/fw.sh
Second

Code:

#!/bin/bash
# /etc/ocserv/fw.sh - run by ocserv on both connect and disconnect.
# ocserv exports DEVICE (the client's tun interface) and IP_REMOTE (the
# client's VPN address) for both events; STATS_DURATION is set only on disconnect.
if [[ -n $STATS_DURATION ]]; then
    # delete - user has been disconnected (the /32 route goes away with the device)
    ip rule del iif "$DEVICE" lookup 1000
else
    # add - user has been connected
    ip route add "$IP_REMOTE/32" dev "$DEVICE" table 1000
    ip rule add iif "$DEVICE" lookup 1000
fi

Tested several times (nearly 2 days) on Ubuntu 20.04.1 LTS and had no issues, but I think more tests are needed.
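A check for the table-1000 setup in the post above (and for the mjthelearner/solo variants earlier in the thread), added here as an example; it is not code from anyone in this thread. It parses the text of `ip rule`, `ip route show table 1000` and `sysctl -n net.ipv4.ip_forward` and flags the failure modes raised in the thread: ip_forward off, a missing `iif ... lookup 1000` rule, a wrong default gateway in the table, and a rule left behind for a vanished ocserv device when the disconnect hook did not run `ip rule del`. The ocserv device names (vpns0, vpns2), the list of interfaces to expect, and the sample outputs are constructed assumptions.

```python
import re
import subprocess
from typing import Dict, List

# `ip rule` prints e.g. "218:\tfrom all iif tun0 lookup 1000"; when the
# interface no longer exists iproute2 marks the rule "iif vpns2 [detached]".
RULE_RE = re.compile(r"^\d+:\s+from all iif (\S+)( \[detached\])? lookup (\d+)")
DEFAULT_RE = re.compile(r"^default via (\S+) dev (\S+)", re.M)

def parse_rules(ip_rule_out: str) -> Dict[str, dict]:
    """Map incoming interface -> {table, detached} for every iif rule."""
    rules = {}
    for line in ip_rule_out.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[m.group(1)] = {"table": int(m.group(3)), "detached": bool(m.group(2))}
    return rules

def audit(ip_rule_out: str, table_out: str, ip_forward: str,
          wanted_ifaces: List[str], gateway: str, table: int = 1000) -> List[str]:
    """Return a list of findings; an empty list means the setup looks right."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("net.ipv4.ip_forward is not 1: forwarded VPN traffic is dropped")
    rules = parse_rules(ip_rule_out)
    for iface in wanted_ifaces:
        rule = rules.get(iface)
        if rule is None:
            findings.append(f"missing rule: ip rule add iif {iface} lookup {table}")
        elif rule["table"] != table:
            findings.append(f"iif {iface} looks up table {rule['table']}, expected {table}")
    for iface, rule in rules.items():
        if rule["detached"]:
            findings.append(f"stale rule for vanished interface {iface}: "
                            "the disconnect hook did not run 'ip rule del'")
    default = DEFAULT_RE.search(table_out)
    if default is None:
        findings.append(f"table {table} has no default route, so lookups fall through")
    elif default.group(1) != gateway:
        findings.append(f"table {table} default via {default.group(1)}, expected {gateway}")
    return findings

def audit_live(wanted_ifaces: List[str], gateway: str, table: int = 1000) -> List[str]:
    """Run the real commands on this host (iproute2; reading needs no root)."""
    def run(*argv: str) -> str:
        return subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return audit(run("ip", "rule"), run("ip", "route", "show", "table", str(table)),
                 run("sysctl", "-n", "net.ipv4.ip_forward"), wanted_ifaces, gateway, table)

# Constructed sample outputs: a healthy host and one with the thread's mistakes.
GOOD_RULES = "0:\tfrom all lookup local\n218:\tfrom all iif wg0 lookup 1000\n" \
             "219:\tfrom all iif vpns0 lookup 1000\n32766:\tfrom all lookup main\n"
BAD_RULES = "0:\tfrom all lookup local\n218:\tfrom all iif wg0 lookup 1000\n" \
            "220:\tfrom all iif vpns2 [detached] lookup 1000\n32766:\tfrom all lookup main\n"
TABLE_1000 = "default via 10.10.3.1 dev tap_tap\n10.43.193.0/24 dev wg0 scope link\n"

if __name__ == "__main__":
    for name, rules, fwd in (("good", GOOD_RULES, "1\n"), ("bad", BAD_RULES, "0\n")):
        print(name, audit(rules, TABLE_1000, fwd, ["wg0", "vpns0"], "10.10.3.1") or "OK")
```

On server A, run audit_live(["wg0"] + the currently connected ocserv devices, "10.10.3.1") after the hooks have fired to confirm nothing was left behind.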

mjthelearner
Posts: 28
Joined: Fri Nov 25, 2022 6:08 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by mjthelearner » Thu Dec 15, 2022 8:46 am

Glad to see it helps. BTW, is the last script to check for ocserv and delete disconnected user IPs from the table?

Also you could put the script in crontab for automation.
If your script is located on /root/myScript.sh

Code:

crontab -e
then add your script to run every 5 mins, like a scheduler.

Edit crontab and add to the end of the crontab file

Code:

*/5 * * * * sudo bash /root/myScript.sh
More info about crontab editing: https://crontab.guru/

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by solo » Thu Dec 15, 2022 10:53 pm

mjthelearner wrote:
Tue Dec 13, 2022 12:11 am
1: creating new table ... 2: adding rule ...
We can optimize the core setup to just 3 commands:
  1. ip route add default via 10.8.0.150 dev ppp0 table 1000
  2. ip rule add iif tun0 lookup 1000
  3. iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o ppp0 -j MASQUERADE
Proven to work.

KatherineEddie wrote:
Wed Dec 14, 2022 5:54 pm
Fortunately I could make it work and no iptables was needed at all :) with the help of @mjthelearner answer
Well, I had suggested to adapt, not adopt, the VPN Gate example.

But let's wait and see how's your VPN going because SecureNAT has performance, scalability and functionality limitations. You need a NAT somewhere, currently it is the SecureNAT's vNAT but depending on the size and traffic of your VPN you may have to scrap it and go with iptables+dnsmasq after all :)

Before you ask, one can not use VPN Gate's SecureNAT without iptables because they do not allow cascade/L2 connections and you get "the security policy for the connecting user forbids both bridge mode and router mode".

KatherineEddie
Posts: 25
Joined: Fri Nov 11, 2022 9:45 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by KatherineEddie » Fri Dec 16, 2022 7:10 am

But let's wait and see how's your VPN going because SecureNAT has performance, scalability and functionality limitations. You need a NAT somewhere, currently it is the SecureNAT's vNAT but depending on the size and traffic of your VPN you may have to scrap it and go with iptables+dnsmasq after all :)
Yes, sure.
This method is relatively new to me. I just wanted to keep it simple. And mostly it is for learning. Of course for a
- business
- large scale traffic
there should be some optimizations/limitations.
Before you ask, one can not use VPN Gate's SecureNAT without iptables because they do not allow cascade/L2 connections and you get "the security policy for the connecting user forbids both bridge mode and router mode".
Thank you

One thing I would like to mention is that SE deserves more attention, unfortunately SE is not as popular as it should be.
Finally I appreciate you @solo and @mjthelearner to share your knowledge/experience with me/others.

KatherineEddie
Posts: 25
Joined: Fri Nov 11, 2022 9:45 am

Re: how to connect ocserv (OpenConnect) to softether double vpn

Post by KatherineEddie » Fri Dec 16, 2022 7:15 am

mjthelearner wrote:
Thu Dec 15, 2022 8:46 am
Glad to see it helps. BTW, is the last script to check for ocserv and delete disconnected user IPs from the table?

Also you could put the script in crontab for automation.
If your script is located on /root/myScript.sh

Code:

crontab -e
then add your script to run every 5 mins, like a scheduler.

Edit crontab and add to the end of the crontab file

Code:

*/5 * * * * sudo bash /root/myScript.sh
More info about crontab editing: https://crontab.guru/
Thank you dear @mjthelearner
Yes, this is the way to automate the "ip route" command for each user, if OC did not have "hooks".
There are OC hooks:

Code:

# if a user connected, this script is executed
connect-script = /etc/ocserv/fw.sh

# if a user disconnected, this script is executed
disconnect-script = /etc/ocserv/fw.sh
It is reliable, and works fine.
