I need help for some cascade like connection[Solved]

Wubian
Posts: 12
Joined: Sat Feb 25, 2023 12:18 pm

I need help for some cascade like connection[Solved]

Post by Wubian » Sat Feb 25, 2023 1:00 pm

Hello

Sorry for my poor English.

I have a situation that I can't solve by myself. I would appreciate it in advance if you can help me with this situation.

Here in our country everything is blocked.

I used SoftEther with a cascading connection between a VPS in my country and Hetzner to access the free internet, and it worked pretty well.

The problem is that when I use the SoftEther client or the OpenVPN client, the national censorship firewall somehow detects it and lowers the connection speed so much that it is not usable any more.

I had an idea to find out what the problem is. Instead of making a cascading connection, I made a VPN server inside the blocked area and tested whether the problem is the cascading connection to Hetzner or not. It is not: the connection was reduced again, to about 100 KB/s.

I tested another VPN server and finally found out that ocserv will connect and the connection speed won't be reduced any more. I don't know why, but it worked.

Now here is the challenge: how can I connect my VPS to the Hetzner server in order to provide free internet access for ocserv?

I appreciate any help in advance.
Thank you
Last edited by Wubian on Fri Mar 10, 2023 9:03 am, edited 1 time in total.


Wubian
Posts: 12
Joined: Sat Feb 25, 2023 12:18 pm

Re: I need help for some cascade like connection

Post by Wubian » Sat Feb 25, 2023 2:08 pm

Dear solo

Thanks for your reply.

For me that code is something like a foreign language from another Earth. I can't understand it. Is there any step-by-step tutorial on this topic? Or can I ask you to make one?

Regards

solo
Posts: 1273
Joined: Sun Feb 14, 2021 10:31 am

Re: I need help for some cascade like connection

Post by solo » Sat Feb 25, 2023 2:18 pm

I am happy to resolve clearly defined VPN issues but writing tutorials is not my thing.
Let's hope that @shakibamoshiri can step in :-)

Wubian
Posts: 12
Joined: Sat Feb 25, 2023 12:18 pm

Re: I need help for some cascade like connection

Post by Wubian » Sat Feb 25, 2023 2:25 pm

Here is an exact solution for my situation, already solved in this forum. Can somebody make it simple for me to understand?

https://www.vpnusers.com/viewtopic.php?t=67958

Code:

old workflow
# open connect
client =======> server X (OC)

# SE
client =======> server A (SE) =======> server B (SE)

new workflow
client (open connect) =======> server A (SE + OC) =======> server B

Wubian
Posts: 12
Joined: Sat Feb 25, 2023 12:18 pm

Re: I need help for some cascade like connection

Post by Wubian » Sat Feb 25, 2023 2:39 pm

solo wrote:
Sat Feb 25, 2023 2:18 pm
I am happy to resolve clearly defined VPN issues but writing tutorials is not my thing.
Let's hope that @shakibamoshiri can step in :-)
I really thank you. I see your posts everywhere somebody needs help.

Thank you so much

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: I need help for some cascade like connection

Post by shakibamoshiri » Sat Feb 25, 2023 2:54 pm

Wubian wrote:
Sat Feb 25, 2023 1:00 pm
Now here is the challenge. how can I connect my VPS to hetzner server in order to provide free internet access for OCSERV?
Please let me know how you connect your domestic VPS (= hop-1) to the Hetzner VPS (= hop-2)?
In the case of setting up a double VPN using Linux (e.g. Debian 11) you have these options:
1. iptables PREROUTING = port forwarding
- simple to set up but does not work in all networks and data centers

2. running a VPN client on hop-1 to tunnel traffic to hop-2
- not easy to set up but works in any network (if the tunnel protocol to hop-2 has been blocked)
- you have two options here
2.1 full tunnel from hop-1 to hop-2
- not recommended, since all traffic is tunneled, so you will be forced to add "ip route" entries for your SSH, remote server, outbound traffic, etc.
2.2 split tunnel from hop-1 to hop-2
- recommended

Q1. Which one of the above layouts is your situation?

Q2. What will be used to tunnel from hop-1 to hop-2?
- Open Connect
- SoftEther
- or something else ?

Wubian
Posts: 12
Joined: Sat Feb 25, 2023 12:18 pm

Re: I need help for some cascade like connection

Post by Wubian » Sat Feb 25, 2023 3:49 pm

Hello dear Shakiba Moshiri

I really appreciate your help in advance.
shakibamoshiri wrote:
Sat Feb 25, 2023 2:54 pm
Please let me know how you connect your domestic VPS (= hop-1) to the Hetzner VPS (= hop-2)?
Q1: split tunnel from hop-1 to hop-2, as you recommended.

Q2: my Hetzner server is already configured to work with SoftEther. I already tested the cascading connection between hop 1 and hop 2 with SoftEther and it fully worked. The problem is that the censorship firewall reduced my connection from 30 Mbps to about 0.7 Mbps when I use SoftEther.

I tested ocserv on my domestic VPS and it seems it works better than SoftEther, because the connection speed didn't get reduced at all. But how should I connect my domestic VPS (with ocserv) to my Hetzner VPS? I have no idea.
So the answer to Q2 is: anything that does the job is great. But I think if I can configure ocserv to use the internet provided by the cascading SoftEther servers, it will do the job. Something like this:

Code:

client (open connect) =======> server A (OCSERV)  =======> Server A (cascading softether server) =======> server B (Softether server)

I can test every setting you may provide on these servers and rebuild them if needed, as I don't have any critical information on them.

Thank you in advance

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: I need help for some cascade like connection

Post by shakibamoshiri » Sat Feb 25, 2023 3:49 pm

Wubian wrote:
Sat Feb 25, 2023 1:00 pm

The problem is that when I use the SoftEther client or the OpenVPN client, the national censorship firewall somehow detects it and lowers the connection speed so much that it is not usable any more.
In data centers we have
- symmetrical traffic (1 to 1) => send and receive are equal
- asymmetrical traffic (10 to 1) -- from country to country it can be different -- send is 10x the receive
By the way
- "send" means your download from the VPS
- "receive" means your upload to the VPS

When you use a double VPN
- your client traffic is asymmetrical (10 to 1)
- your hop-1 traffic is symmetrical (1 to 1) -- hop-1 to hop-2 -- send and receive are equal
- your hop-2 traffic is asymmetrical (10 to 1)

Since symmetrical traffic is usually seen on routers, not VPSs, web hosting providers and data centers can simply and easily detect that a VPS behaves like a router, i.e. it does a sort of "traffic or port forwarding"; thus some/many of them disallow "traffic or port forwarding" and warn users about it when users buy a VPS from them.

Some hosters are smarter: they know users ignore this warning and buy a VPS, so they monitor the users' VPS traffic and when it becomes 1 to 1, they reduce the VPS's link to some lower speed, e.g. 10 Mbps or maybe 5 Mbps.

Conclusion
I guess the issue is not the software you use (ocserv, OpenVPN, SoftEther); it is the hosting company or data center. (I could be wrong, since I am not 100% sure.)

Wubian
Posts: 12
Joined: Sat Feb 25, 2023 12:18 pm

Re: I need help for some cascade like connection

Post by Wubian » Sat Feb 25, 2023 4:23 pm

shakibamoshiri wrote:
Sat Feb 25, 2023 3:49 pm
I guess the issue is not the software you use (ocserv, OpenVPN, SoftEther); it is the hosting company or data center. (I could be wrong, since I am not 100% sure.)
So could you please help me configure this scenario?

Code:

client (open connect) =======> server A (OCSERV)  =======> Server A (cascading softether server) =======> server B (Softether server)
Server B, which is located at Hetzner, is already configured by SoftEther to accept the cascading connection.
Server A has two parts, I think. Part A (ocserv) is configured and works well. Part B is the problem I have: how to force ocserv to use the internet coming from the SoftEther server?

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: I need help for some cascade like connection

Post by shakibamoshiri » Sat Feb 25, 2023 6:31 pm

Wubian wrote:
Sat Feb 25, 2023 3:49 pm

Code:

client (open connect) =======> server A (OCSERV)  =======> Server A (cascading softether server) =======> server B (Softether server)

Relatively easy to set up.

Let's go ahead first with OC on hop-1.
Assumptions
- OC server is up and running on hop-1
- IPv4 network is 192.168.200.0/24

then
ocserv.conf network settings

Code:

ipv4-network = 192.168.200.0
ipv4-netmask = 255.255.255.0
and an iptables rule has been added for this network

Code:

# NAT the ocserv client network out through hop-1's uplink
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -m comment --comment openconnect-nat-rule -j MASQUERADE
At this point, with your OC client on your PC or phone, you should be able to connect to hop-1.
If done, go to the next step.

Let's go ahead and configure the SE server on hop-1.
Assumptions
- SE server hop-2 IPv4 network is 192.168.30.0/24
- SE server hop-2 IPv4 range for DHCP is 192.168.30.10 - 192.168.30.200
- SE server hop-2 IPv4 gateway is 192.168.30.1

then
- go to SE Server Manager (for hop-1 = domestic VPS) or via "vpncmd" create a Local Bridge for that HUB (e.g. VPN, DEFAULT, etc.)
-- Local Bridge type is soft tap
-- link your HUB to the name you want to create
- using "ip address", add a static address to the tap device you created

Code:

# static address for the Local Bridge tap; .9 sits outside hop-2's DHCP range
ip addr add 192.168.30.9/24 brd + dev tap_xxx
- where "xxx" is the name you chose

At this point you should be able to ping the gateway of hop-2, which is 192.168.30.1

Code:

ping -c4 192.168.30.1
If done, go to the next step.

Now we need to route OC traffic (just OC) to the SE server-1 Local Bridge (e.g. tap_xxx).
For this we can use a custom routing table just for the tap_xxx we have. This is called Policy Based Routing (= PBR).

First add a table mapped to a name

Code:

# register routing table id 1000 under the name "vpn"
echo 1000 vpn >> /etc/iproute2/rt_tables
Or you can use "vim" to edit the file safely.

Now we have a custom table 1000 named "vpn"

Code:

# policy rule: packets sourced from the OC client network are looked up in table "vpn"
ip rule add from 192.168.200.0/24 lookup vpn
It tells the kernel to route 192.168.200.0/24 network traffic using table "vpn". So if you connect to the OC server, the OC traffic will be managed by vpn table 1000.

We are just left with adding a default route for our custom table 1000 (= vpn)

Code:

# default route of table "vpn": hop-2's gateway, reached through the Local Bridge tap
ip route add default via 192.168.30.1 dev tap_xxx proto static table vpn
Remember that "192.168.30.1" is the default gateway of SE server hop-2
and "tap_xxx" is the local bridge you created.

Recap
1. OC clients connect to the OC server on hop-1
2. OC traffic of 192.168.200.0/24 goes to custom table 1000
3. the default route for custom table 1000 is the default gateway of SE server hop-2 (192.168.30.1)
4. tap_xxx is a local bridge connected to your HUB of SE server hop-1, which is cascaded to SE server hop-2

That is it.
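As an added example that is not part of shakibamoshiri's post or of the SoftEther project: the same hop-1 steps collected into one POSIX shell script that can be re-run safely. The post's commands are fine once, but not twice: `echo >> rt_tables` appends a duplicate line on every run, and `ip addr add` / `ip route add` fail with "RTNETLINK answers: File exists" once the entry is there, which would abort a script. This version inspects the output of `ip rule show`, `ip route show table`, `ip -4 addr show` and rt_tables before adding anything. The addresses, the table id/name and the device name `tap_xxx` are the thread's placeholders; `DRY_RUN=1` is an assumed switch that only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent policy-based routing setup for hop-1.
# All values are placeholders copied from the thread's assumptions; adjust to your setup.
OC_NET="${OC_NET:-192.168.200.0/24}"       # ocserv client network on hop-1
TAP_DEV="${TAP_DEV:-tap_xxx}"              # SoftEther Local Bridge tap device
TAP_ADDR="${TAP_ADDR:-192.168.30.9/24}"    # static tap address, outside hop-2's DHCP range
SE_GW="${SE_GW:-192.168.30.1}"             # gateway of the hop-2 SoftEther network
TABLE_ID="${TABLE_ID:-1000}"
TABLE_NAME="${TABLE_NAME:-vpn}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# run CMD...: execute CMD, or only print it when DRY_RUN=1 (assumed switch)
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# has_line TEXT PATTERN: succeed if some line of TEXT contains PATTERN literally
has_line() {
    printf '%s\n' "$1" | grep -Fq -- "$2"
}

# table_registered CONTENT: succeed if "<id> <name>" is already in the rt_tables text
table_registered() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$TABLE_ID[[:space:]]+$TABLE_NAME([[:space:]]|\$)"
}

# ensure_table: register the table name only once (a blind "echo >>" appends every run)
ensure_table() {
    content=$(cat "$RT_TABLES" 2>/dev/null || true)
    if table_registered "$content"; then
        echo "table $TABLE_ID $TABLE_NAME already registered"
    else
        run sh -c "echo '$TABLE_ID $TABLE_NAME' >> '$RT_TABLES'"
    fi
}

# ensure_tap_addr ADDRS: ADDRS is the output of "ip -4 addr show dev $TAP_DEV"
ensure_tap_addr() {
    if has_line "$1" "inet $TAP_ADDR"; then
        echo "$TAP_DEV already has $TAP_ADDR"
    else
        run ip addr add "$TAP_ADDR" brd + dev "$TAP_DEV"
    fi
}

# ensure_rule RULES: RULES is the output of "ip rule show"
ensure_rule() {
    if has_line "$1" "from $OC_NET lookup $TABLE_NAME"; then
        echo "rule for $OC_NET already present"
    else
        run ip rule add from "$OC_NET" lookup "$TABLE_NAME"
    fi
}

# ensure_route ROUTES: ROUTES is the output of "ip route show table $TABLE_NAME"
ensure_route() {
    if has_line "$1" "default via $SE_GW dev $TAP_DEV"; then
        echo "default route in table $TABLE_NAME already present"
    else
        run ip route add default via "$SE_GW" dev "$TAP_DEV" proto static table "$TABLE_NAME"
    fi
}

# apply_pbr: the real run; needs root and the tap device already created by vpnserver
apply_pbr() {
    ensure_tap_addr "$(ip -4 addr show dev "$TAP_DEV" 2>/dev/null || true)"
    ensure_table
    ensure_rule "$(ip rule show 2>/dev/null || true)"
    ensure_route "$(ip route show table "$TABLE_NAME" 2>/dev/null || true)"
    # the same check the thread uses: hop-2's gateway must answer through the tap
    ping -c 4 "$SE_GW"
}

# Only act when explicitly asked, so sourcing or testing this file changes nothing.
if [ "${1:-}" = "apply" ]; then
    apply_pbr
fi
```

Run it as root on hop-1 with `sh setup-pbr.sh apply` once the Local Bridge tap exists; `DRY_RUN=1 sh setup-pbr.sh apply` shows what would be executed without touching the system. Each `ensure_*` function takes the command output as an argument rather than calling `ip` itself, which is what makes the decisions checkable without root.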

Wubian
Posts: 12
Joined: Sat Feb 25, 2023 12:18 pm

Re: I need help for some cascade like connection

Post by Wubian » Sun Feb 26, 2023 7:56 am

Dear Shakiba

I appreciate it so much.
I know you are so busy and still spend a huge amount of time helping people. I know this tutorial took a lot of your time.
Thank you so much. You are brilliant. I thank you so much.
shakibamoshiri wrote:
Sat Feb 25, 2023 6:31 pm
Relatively easy to set up.
You made it easy for me, because as an industrial designer, dealing with Linux code is exactly like talking to an alien creature!

And yes! It is working!!!
shakibamoshiri wrote:
Sat Feb 25, 2023 6:31 pm
Wubian wrote:
Sat Feb 25, 2023 3:49 pm

Code:

client (open connect) =======> server A (OCSERV)  =======> Server A (cascading softether server) =======> server B (Softether server)

Regards

Wubian
Posts: 12
Joined: Sat Feb 25, 2023 12:18 pm

Re: I need help for some cascade like connection

Post by Wubian » Sun Feb 26, 2023 8:26 pm

shakibamoshiri wrote:
Sat Feb 25, 2023 6:31 pm

Code:

ip addr add 192.168.30.9/24 brd + dev tap_xxx

Code:

ping -c4 192.168.30.1

Code:

echo 1000 vpn >> /etc/iproute2/rt_tables

Code:

ip rule add from 192.168.200.0/24 lookup vpn

Code:

ip route add default via 192.168.30.1 dev tap_xxx proto static table vpn
Hello

I am facing a little issue. Do you know why these commands seem to be gone after every reboot?

After every reboot I have to run all of them to get the system working properly.

Thank you very much


Wubian
Posts: 12
Joined: Sat Feb 25, 2023 12:18 pm

Re: I need help for some cascade like connection

Post by Wubian » Wed Mar 01, 2023 2:58 pm

Hello dear ShakibaMoshiri

I thank you so much for your help. Finally I could set up my server based on your help and guidance. The last part seemed to be the simplest part but took me 2 days to figure out. The problem was that Ubuntu doesn't use the interfaces file any more and uses netplan instead.

again I appreciate all your help.
Thank you so much
Regards

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: I need help for some cascade like connection

Post by shakibamoshiri » Wed Mar 01, 2023 10:16 pm

Good, no problem.
I forgot to tell you that you can use the cron-job @reboot keyword to set a one-time action after each reboot.
It could be more cross-platform if you need to have the settings on different distributions.
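As an added example (not part of the thread or of the SoftEther project), a way to install the `@reboot` entry that can be run repeatedly without stacking duplicate lines, plus the one caveat a reboot job needs here: cron runs `@reboot` jobs when the cron daemon starts, which can be before vpnserver has created the Local Bridge tap, so the job should wait for the interface instead of failing at once. The script path `/usr/local/sbin/setup-pbr.sh` and the device name `tap_xxx` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: persist the hop-1 routing setup via cron @reboot.
PBR_SCRIPT="${PBR_SCRIPT:-/usr/local/sbin/setup-pbr.sh}"   # assumed location of your setup script
TAP_DEV="${TAP_DEV:-tap_xxx}"                              # SoftEther Local Bridge tap (placeholder)
JOB_LINE="@reboot $PBR_SCRIPT apply"

# build_crontab CURRENT JOB: return CURRENT with JOB present exactly once at the end,
# so installing twice never produces two @reboot entries
build_crontab() {
    current=$1
    job=$2
    if [ -n "$current" ]; then
        # keep every existing line that is not already our job (-x: whole-line match)
        printf '%s\n' "$current" | grep -Fvx -- "$job" || true
    fi
    printf '%s\n' "$job"
}

# install_reboot_job: rewrite the invoking user's crontab; run as root, because the
# setup script itself needs root for "ip". "crontab -l" exits 1 when there is no
# crontab yet, hence the "|| true".
install_reboot_job() {
    existing=$(crontab -l 2>/dev/null || true)
    build_crontab "$existing" "$JOB_LINE" | crontab -
}

# wait_for_dev DEV SECONDS: poll until the interface exists or SECONDS have passed.
# Call this at the top of the setup script's apply path; at @reboot time vpnserver
# may not have created the tap yet.
wait_for_dev() {
    dev=$1
    tries=$2
    while [ "$tries" -gt 0 ]; do
        if [ -d "/sys/class/net/$dev" ]; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Only act when explicitly asked, so sourcing or testing this file changes nothing.
if [ "${1:-}" = "install" ]; then
    install_reboot_job
fi
```

Run `sh persist-pbr.sh install` as root on hop-1; afterwards `crontab -l` shows a single `@reboot /usr/local/sbin/setup-pbr.sh apply` line no matter how often the installer is run. In the setup script, calling `wait_for_dev "$TAP_DEV" 60` before `ip addr add` covers the window between cron starting and vpnserver bringing up the Local Bridge; if the device never appears the script exits non-zero and cron mails the failure instead of silently leaving hop-1 without the policy route.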

Wubian
Posts: 12
Joined: Sat Feb 25, 2023 12:18 pm

Re: I need help for some cascade like connection

Post by Wubian » Fri Mar 10, 2023 8:55 am

shakibamoshiri wrote:
Wed Mar 01, 2023 10:16 pm
Good, no problem.
I forgot to tell you that you can use the cron-job @reboot keyword to set a one-time action after each reboot.
It could be more cross-platform if you need to have the settings on different distributions.
Hi dear ShakibaMoshiri

Your cron-job suggestion is far better than directly editing the netplan configuration. Finally I learned how to use a cron job and used it for my case.
I have another question about IPv6, but since it is another issue I will create a new topic for that.

I thank you so much for all your help. Based on your help and information my server is fully working now.

I appreciate you
Regards.
