[BUG] DHCP lease time 300000000sec = 10days only

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

[BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Fri Feb 24, 2023 5:45 pm

I would like to set DHCP lease time of the Virtual NAT to infinite.
The setup does not allow to set it to 1 sec. (That would be the official "infinite")
DHCP setup.jpg
If I set it to 300-450M sec (= 10-15 years) :
- it is still expiring after ca. 10 days!
I've tested with 5.01 developer version too.
Result: The SAME :-(
DHCP expire.jpg

How do I set those IP addresses to be fixed forever?

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by shakibamoshiri » Fri Feb 24, 2023 7:29 pm

PizzaProgram wrote:
Fri Feb 24, 2023 5:45 pm
I would like to set DHCP lease time of the Virtual NAT to infinite.
The setup does not allow to set it to 1 sec. (That would be the official "infinite")

DHCP setup.jpg

If I set it to 300-450M sec (= 10-15 years) :
- it is still expiring after ca. 10 days!
I've tested with 5.01 developer version too.
Result: The SAME :-(
DHCP expire.jpg

How do I set those IP addresses to be fixed forever?
1. using MAC:se:00:00:00:00:00 in NOTE section + dnsmasq

Code:

# If you’d like to have dnsmasq assign static IPs to some clients, bind the LAN computers NIC MAC addresses:
# dhcp-host=ae:00:00:00:00:01,192.168.100.111
# dhcp-host=ae:00:00:00:00:02,192.168.100.112

2. statically being set by the client

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Fri Feb 24, 2023 10:30 pm

Thank you very much for the quick answer!

1.
using MAC:se:00:00:00:00:00 in NOTE section + dnsmasq
A NOTE section of what?
  • Somewhere in the server's config file?
Please tell me more about this.
I've found your prev. topic about DHCP speed measuring before, but it does not tell, where to put those lines.
https://www.vpnusers.com/viewtopic.php?t=68065

2.
statically being set by the client
You mean manually setting the VPN's adapter like any other adapter?


Doing this for 2-300 clients one by one is a huge extra work.
Isn't this a bug, that should be reported and fixed?
Why only 10 days?

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Fri Feb 24, 2023 10:40 pm

... and the other problem with these methods:
- How will the client get the "static routing table" pushed from the server ?

That built-in SecureNAT is working perfectly fine, if that "max 10 days" problem could be solved... ?

solo
Posts: 1265
Joined: Sun Feb 14, 2021 10:31 am

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by solo » Fri Feb 24, 2023 11:48 pm

The max is 6.9 days
The min is 0.69 days

If you don't like it, use an external DHCP server.
You could modify the source code, in TcpIp.c

Code:

		// Lease time
		a = GetDhcpOption(o, DHCP_ID_LEASE_TIME);
		if (a != NULL && a->Size == 4)
		{
			ret->LeaseTime = READ_UINT(a->Data);
		}

...remove the "if" line but it may have unintended consequences.

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Sat Feb 25, 2023 12:19 am

Recompiling the whole thing would be too difficult for me,
but Thank you (again) for the quick and detailed information! :-)

Another, completely different approach:
- Is it possible to add "names" to the PCs, so no matter what the current IP assigned by SecureNAT, it would "find" it ?
- what is the "domain" field good for at the SecureNAT edit config window?

SecureNAT is a DHCP server itself, so theoretically should we be able to resolve the IP by any name?

For example,
- if the HUB name is RobertoPizzaHUB
- and the PC name is DeliveryPC
then something like:
$> ping DeliveryPC.RobertoPizzaHUB.myServer.softether.org
should give back the current IP address of that PC that SecureNAT ?
... or maybe a MACaddress based name?
... or is there any other method to give a specific name to a user maybe? (I could create as many users, as many PCs there are...)

PS: can I donate you via PayPal? You have helped me a lot already!

solo
Posts: 1265
Joined: Sun Feb 14, 2021 10:31 am

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by solo » Sat Feb 25, 2023 12:34 am

PizzaProgram wrote:
Sat Feb 25, 2023 12:19 am
Recompiling the whole thing would be too difficult for me,
but Thank you (again) for the quick and detailed information! :-)
Another, completely different approach:...
Wait, what OS and SE version are you using? Instead of recompiling a binary patch is possible. I could look into it, no promises though.

(please donate to University of Tsukuba :-)

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Sat Feb 25, 2023 1:29 am

I will start renting the VPS probably tomorrow, but I'm still not 100% sure what OS should I choose.
I'm a bit lame with linux, but for stability for the next 10-20years it seems more logical to choose Debian,
unless You recommend me something else?
(Currently all my tests are temporarily running on my home server, which is Win7 32bit)

I will install a version, whatever you recommend. Probably latest would be best? 5.02
But this high-CPU Issue sounds bad: https://github.com/SoftEtherVPN/SoftEth ... sions/1774
Instead of recompiling a binary patch is possible. I could look into it, no promises though
IMHO a simple "hidden option" inside the server's .conf file would be the best approach, don't you think?

Code:

declare VirtualDhcpServer
{ 
	bool DhcpEnabled true
	uint DhcpExpireTimeSpan 300000000
...
	bool DhcpAllowExtendedTime false ## <<... could be set to true manually
...

OFF: That new API-development looks good at 5.02, maybe I can use that later to monitor ALL my clients over the whole country in a summarized view.
(Just like I'm doing it now, based on an OpenVPN server made by somebody else ... who is demanding now +70% money per month, which I cannot afford any more.)

I'm planning to set a regular donation per month for You, if everything goes well. (Sorry, I'm not a rich guy at all, living in the 2nd poorest country of Europe.)

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Sat Feb 25, 2023 1:47 am

I've found the official DHCP lease time criteria:

https://www.informit.com/articles/artic ... 4&seqNum=3

MAX = 2^32 - 2 ;
INFINITE = 2^32 ;

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by shakibamoshiri » Sat Feb 25, 2023 5:37 am

PizzaProgram wrote:
Fri Feb 24, 2023 10:30 pm
Thank you very much for the quick answer!

1.
using MAC:se:00:00:00:00:00 in NOTE section + dnsmasq
A NOTE section of what?
  • Somewhere in the server's config file?
Please tell me more about this.
I've found your prev. topic about DHCP speed measuring before, but it does not tell, where to put those lines.
https://www.vpnusers.com/viewtopic.php?t=68065

2.
statically being set by the client
You mean manually setting the VPN's adapter like any other adapter?


Doing this for 2-300 clients one by one is a huge extra work.
Isn't this a bug, that should be reported and fixed?
Why only 10 days?
1.
Virtual MAC address reservation
http://www.softether.org/5-download/history

2.
In dnsmasq.conf file

who said manually :)

Code:

#!/bin/bash

declare -ir min_ip_range=10;
declare -ir max_ip_range=200;

for (( index=$min_ip_range; index <= $max_ip_range; ++index )); do
    if (( index <= 99 )); then
        echo "dhcp-host=ae:00:00:00:00:${index},192.168.100.${index}"
    else
        echo "dhcp-host=ae:00:00:00:0${index%??}:${index#?},192.168.100.${index}"
    fi
done

Output:

dhcp-host=ae:00:00:00:00:10,192.168.100.10
dhcp-host=ae:00:00:00:00:11,192.168.100.11
dhcp-host=ae:00:00:00:00:12,192.168.100.12
dhcp-host=ae:00:00:00:00:13,192.168.100.13
dhcp-host=ae:00:00:00:00:14,192.168.100.14
dhcp-host=ae:00:00:00:00:15,192.168.100.15
dhcp-host=ae:00:00:00:00:16,192.168.100.16
dhcp-host=ae:00:00:00:00:17,192.168.100.17
dhcp-host=ae:00:00:00:00:18,192.168.100.18
dhcp-host=ae:00:00:00:00:19,192.168.100.19
dhcp-host=ae:00:00:00:00:20,192.168.100.20
...
...
dhcp-host=ae:00:00:00:01:92,192.168.100.192
dhcp-host=ae:00:00:00:01:93,192.168.100.193
dhcp-host=ae:00:00:00:01:94,192.168.100.194
dhcp-host=ae:00:00:00:01:95,192.168.100.195
dhcp-host=ae:00:00:00:01:96,192.168.100.196
dhcp-host=ae:00:00:00:01:97,192.168.100.197
dhcp-host=ae:00:00:00:01:98,192.168.100.198
dhcp-host=ae:00:00:00:01:99,192.168.100.199
dhcp-host=ae:00:00:00:02:00,192.168.100.200

Isn't this a bug, that should be reported and fixed?
I did not use/check this part, maybe.

solo
Posts: 1265
Joined: Sun Feb 14, 2021 10:31 am

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by solo » Sun Feb 26, 2023 1:50 am

PizzaProgram wrote:
Sat Feb 25, 2023 1:29 am
Currently all my tests are temporarily running on my home server, which is Win7 32bit
That's a fine choice.

I've created a binary patch to fix the lease issue but then discovered a BUG indeed in the code which can be exploited without any patching. Simply enter 4294967295 for lease time and you will get...

Code:

  op=BOOTREPLY chaddr=E8:F6:46:F6:25:CE hops=0 xid=DD59761C secs=0 flags=0000
  ciaddr=0.0.0.0 yiaddr=192.168.30.10 siaddr=192.168.30.1 giaddr=0.0.0.0 sname= file=
  6 options:
     53 (DHCP Message Type): offer
     54 (Server Identifier): 192.168.30.1
     51 (IP Address Lease Time): 4294967295 (7101 weeks, 3 days, 6 hours, 28 minutes, and 15 secs)
      1 (Subnet Mask): 255.255.255.0
      3 (Router Option): 192.168.30.1
      6 (Domain Name Server Option): 192.168.30.1


        Description . . . . . . . . . . . : VPN Client Adapter - VPN
        Physical Address. . . . . . . . . : 5E-68-60-B3-FD-02
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.30.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 192.168.30.1
        Lease Obtained. . . . . . . . . . : Sunday, 26 February 2023 12:37:56 PM
        Lease Expires . . . . . . . . . . : Tuesday, 19 January 2038 2:14:07 PM

This works with SE v4.38.0.9760
Not tested on other builds.

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Sun Feb 26, 2023 2:28 am

WOW! Thank you VERY MUCH, this sounds great !

... but I don't fully understand this:
I've created a binary patch ... This works with SE v4.38.0.9760
1. You mean, If I simply download and install 4.38 from the official download page, it will work now?
https://www.softether-download.com/en.a ... =softether

2. That version seems to be much older than the current ones. May I ask: Why didn't you patch the latest, to make a:
  • 4.42 or even better, a :
  • 5.03 based on the developer version?
https://www.softether.org/5-download/history

3. If yes : did you compile it for Win32 only?

The final VPS server will be probably Debian, because it's faster, cheaper, more stable. Even if I know windows better... Do You agree ?
4. ... or is the WIN64 version more stable than the linux one?

I will have to choose the server type until tomorrow.

solo
Posts: 1265
Joined: Sun Feb 14, 2021 10:31 am

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by solo » Sun Feb 26, 2023 2:36 am

4.38 is the latest, stable, RTM version you should use.
The bug may be exploitable in the betas and DE you mentioned.
Just enter 4294967295. Patching is not required.

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Sun Feb 26, 2023 3:07 am

... and which OS?

solo
Posts: 1265
Joined: Sun Feb 14, 2021 10:31 am

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by solo » Sun Feb 26, 2023 3:16 am

Any OS. Try it for now on your W7 on the version you already have.

Should the GUI reject 4294967295 then stop the service and enter it directly in vpn_server.config

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Mon Feb 27, 2023 9:13 pm

Some news about testing:
I was curious how the Development 5.01 version reacts to this high number:

1. The GUI accepted the 4294967295 seconds fine, saved it.
2. The client got the IP and the lease time was actually 130+ years :-)

3. But SE manager's "IP Lease table on virtual DHCP manager" windows shows:
Expires at 2023-07-17 19:31. :-(

That's = ca. 18 days + 17h + 50m = ca. 1619400 sec

So the problem remains:
- If the user turns off his spare-PC or Laptop for 3 weeks, the IP address will be lost, and I have to start to reconfigure everything again. (IP based database access, VNC, RDP, shared printers, etc...)
That's not very promising.

solo
Posts: 1265
Joined: Sun Feb 14, 2021 10:31 am

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by solo » Tue Feb 28, 2023 12:39 am

As you've cozied up with the devs, ask them to revise this "2000000000" constant in Virtual.c

Code:

		// Expiration date
		if (vo->DhcpExpireTimeSpan == 0 || vo->DhcpExpireTimeSpan == INFINITE)
		{
			v->DhcpExpire = INFINITE;
		}
		else
		{
			v->DhcpExpire = MAKESURE(DHCP_MIN_EXPIRE_TIMESPAN,
				MIN(vo->DhcpExpireTimeSpan * 1000, 2000000000),
				INFINITE);
		}

51 (IP Address Lease Time): 2000000 (3 weeks, 2 days, 3 hours, 33 minutes

Let us know the new github's issue # ;-)
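
The clamp quoted in the post above, modelled as an added example (not SoftEther's code and not written by anyone in this thread). It assumes UINT is a 32-bit unsigned type and INFINITE is 0xFFFFFFFF; MIN_EXPIRE_MS is a placeholder for DHCP_MIN_EXPIRE_TIMESPAN, whose value the thread does not give, and expire_ms_clamped_first is a hypothetical overflow-safe variant shown for comparison.

```c
#include <stdint.h>
#include <stdio.h>

#define INFINITE_MS   0xFFFFFFFFu  /* assumed value of INFINITE (4294967295) */
#define CAP_MS        2000000000u  /* the constant quoted from Virtual.c */
#define MIN_EXPIRE_MS 15000u       /* assumed placeholder for DHCP_MIN_EXPIRE_TIMESPAN */

/* Model of the quoted branch: seconds are multiplied to milliseconds in
 * 32-bit arithmetic first, then capped, then raised to the minimum.
 * MAKESURE is modelled here as a lower bound only (assumption). */
uint32_t expire_ms_as_quoted(uint32_t span_secs)
{
    if (span_secs == 0 || span_secs == INFINITE_MS)
        return INFINITE_MS;               /* sentinel bypasses the cap */
    uint32_t ms = span_secs * 1000u;      /* wraps modulo 2^32 */
    if (ms > CAP_MS)
        ms = CAP_MS;                      /* MIN(..., 2000000000) */
    if (ms < MIN_EXPIRE_MS)
        ms = MIN_EXPIRE_MS;
    return ms;
}

/* Hypothetical variant: cap in seconds before multiplying, so the
 * multiplication can never wrap. */
uint32_t expire_ms_clamped_first(uint32_t span_secs)
{
    if (span_secs == 0 || span_secs == INFINITE_MS)
        return INFINITE_MS;
    if (span_secs > CAP_MS / 1000u)
        return CAP_MS;
    uint32_t ms = span_secs * 1000u;
    return ms < MIN_EXPIRE_MS ? MIN_EXPIRE_MS : ms;
}

int main(void)
{
    /* Constructed sample inputs: values discussed in the thread plus one
     * chosen so that secs * 1000 wraps to a very small number. */
    const uint32_t samples[] = { 3600u, 2000000u, 300000000u,
                                 4294968u, 4294967295u };
    printf("%12s %14s %16s\n", "config secs", "as quoted ms", "clamp-first ms");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%12u %14u %16u\n",
               (unsigned)samples[i],
               (unsigned)expire_ms_as_quoted(samples[i]),
               (unsigned)expire_ms_clamped_first(samples[i]));
    }
    return 0;
}
```

Under these assumptions a configured 300000000 seconds ends up as 2000000000 ms, which matches the 2000000-second lease in the capture above, while 4294967295 skips the cap because it equals the sentinel.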

solo
Posts: 1265
Joined: Sun Feb 14, 2021 10:31 am

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by solo » Tue Feb 28, 2023 1:39 am

...that said, 4294967295 should work as expected because:
  • a DHCP client will not negotiate lease renewal before currently assigned expiration time which is stored locally in the registry and preserved after a reboot
  • SE server does indeed display shorter expiration but it is "ephemeral" and not stored anywhere
In any case, if SE vDHCP works like say dnsmasq, it'd ping a prospect IP to verify vacancy before re-assignment, so such expiration inconsistencies should not result in conflicts (hopefully, lol).

But as SE server does not store the lease table, if you reboot it, you'll end up with IP mess no matter what nominal lease expiration time.

In conclusion, let go of SecureNAT - it's meant for testing only, not for such large production environment. On both Linux and Windows there are decent DHCP servers available. Better yet, let go of DHCP too, as in your setup context, I'd rather opt for static VPN IP assignments.

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Wed Mar 01, 2023 9:33 pm

@shakibamoshiri
Virtual MAC address reservation http://www.softether.org/5-download/history
I've just tried the "Note" trick, you have recommended, by setting

Code:

MAC:ae:00:00:00:03:01
etc..

fixed-MAC.png
Restarted the server, but still got totally mixed up IPs :-(

Why can't SE simply save the DHCP list from memory to a .conf file
- every 5 min,
-- if it changed at all
-- and if the release time is over 5 min. ? (to exclude short-term IPs)
- and load back, when it starts.

Used latest 5.02 builds from both server + client.
2. In dnsmasq.conf file
Do I still have to edit that too ?

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by shakibamoshiri » Wed Mar 01, 2023 10:22 pm

Where did you add this part?

Code:

MAC:ae:00:00:00:03:01

It should be added to a DNS/DHCP server called "dnsmasq" which you should install on Debian/Ubuntu via "apt install dnsmasq".
Then add the desired MACs to the dnsmasq file called "dnsmasq.conf"
Do not forget to disable SE server SecureNAT.

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Thu Mar 02, 2023 10:36 am

Thank you VERY much for all your time!

Turning OFF SecureNAT is not an option for me. Sorry.
Rather I would like to see that function fixed!
Opened a GitHub issue https://github.com/SoftEtherVPN/SoftEth ... ssues/1792

(Also just made a one-time donation ahead (45.000HUF = ca. 116EUR).
Sorry, but that's the max I could give. I live in the 2nd poorest country in Europe.
Will set 25% of that amount as regular monthly donation, if this problem is getting solved and I can finally start using SE.)

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by shakibamoshiri » Thu Mar 02, 2023 11:17 am

PizzaProgram wrote:
Thu Mar 02, 2023 10:36 am
Thank you VERY much for all your time!

Turning OFF SecureNAT is not an option for me. Sorry.
Rather I would like to see that function fixed!
Opened a GitHub issue https://github.com/SoftEtherVPN/SoftEth ... ssues/1792

(Also just made a one-time donation ahead (45.000HUF = ca. 116EUR).
Sorry, but that's the max I could give. I live in the 2nd poorest country in Europe.
Will set 25% of that amount as regular monthly donation, if this problem is getting solved and I can finally start using SE.)
Basically for knowing about each client IP address you have these two choices
1. a DHCP server with "FOREVER" lease time (server side)
2. statically IP assignment to each user (user side)

Solution #1 using SE server DHCP seems buggy so you are left with other DHCPs like "dnsmasq" .
For any reason if you cannot use other DHCP servers, depending upon how much skills you have and your need, you can get to know each client IP address dynamically using SE server RPC-JSON API.
You can request (= send rpc) to SE server and get JSON reply which tells you who has what IP address.

Thank you for the donation. Any ways you contribute is appreciated

solo
Posts: 1265
Joined: Sun Feb 14, 2021 10:31 am

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by solo » Thu Mar 02, 2023 4:28 pm

Again - why don't you "...opt for static VPN IP assignments..."?

- no need for SecureNAT

- no need for a DHCP server

- no-brainer?

PizzaProgram
Posts: 43
Joined: Fri Aug 12, 2022 6:57 pm
Contact:

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by PizzaProgram » Thu Mar 02, 2023 7:50 pm

Dear @solo , Dear @shakibamoshiri, :-)

Believe me, I'm doing nothing else than thinking about your suggestions, while searching + learning.

1. My best hope is still: someone would fix/enhance the SecureNAT code in an hour, I'll upgrade the server in 5 min, and all my problems go away.

2. I've looked at debian's dnsmasq + DHCP_Server, but it's too complicated, too risky, too much trouble.
It drops up more questions than solutions. For example:
- What is the "interface" ? The SE? The VPS's ?
- How to prevent a DNS server to work as a DNS server ? (Because I do NOT want connected clients recognise it as one.)
(It's very easy to do it under SecureNAT -> simply by deleting DNS line)
- How to prevent users connected to the server could go out to the web through it?
(It's very easy to do it under SecureNAT -> simply by deleting GATEWAY line)

3. About manually configured fix IPs on client side...

- I'm still hoping to be able to set up 1 "superadmin-HUB" later somehow, to be able to reach ALL the other clients in All the other HUBs.
... with the right Layer 3 setup + DHCP route pushing https://www.vpnusers.com/viewtopic.php?f=7&t=68165

If the clients do not get the DHCP + route automatically, I won't be able to do it later without having to reconfigure each client one by one.
Last edited by PizzaProgram on Sat Mar 04, 2023 12:13 pm, edited 1 time in total.

solo
Posts: 1265
Joined: Sun Feb 14, 2021 10:31 am

Re: [BUG] DHCP lease time 300000000sec = 10days only

Post by solo » Thu Mar 02, 2023 10:48 pm

Alright, since you insist on DHCP and prefer Windows, you can replace SecureNAT with a combination of "Microsoft Loopback Adapter" and "Open DHCP Server" on your VPS and "all my problems go away".
