How does SoftEther bypass iptables policy?

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
Limon
Posts: 3
Joined: Mon Apr 15, 2024 12:02 am

How does SoftEther bypass iptables policy?

Post by Limon » Mon Apr 15, 2024 1:20 am

Greetings to all! 😀 I recently started learning Ubuntu v20.04 on a remote VPS and the first thing I did was set up SoftEther VPN. Everything works, but there is one question left.

My rules in iptables are configured so that access to the server is possible only from one IP address - my home PC, other packets are dropped (iptables -P INPUT DROP). However, when I connect from my home PC via a smartphone, with a different IP address, the connection to SoftEther VPN is established 🐱‍👤I came to the conclusion that SoftEther somehow bypasses the iptables -P INPUT DROP policy. The secure NAT function is disabled.

Please explain how SoftEther bypasses iptables rules and what function is responsible for this?🧐
You do not have the required permissions to view the files attached to this post.

solo
Posts: 1349
Joined: Sun Feb 14, 2021 10:31 am

Re: How does SoftEther bypass iptables policy?

Post by solo » Mon Apr 15, 2024 1:59 am

Limon wrote:
Mon Apr 15, 2024 1:20 am
...The secure NAT function is disabled.
Please explain how SoftEther bypasses iptables rules and what function is responsible for this?🧐
Since SecureNAT's status is irrelevant to the issue at hand and SoftEther does not bypass iptables, it means your rules are incorrect. For Linux support go to https://ubuntuforums.org/.

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: How does SoftEther bypass iptables policy?

Post by shakibamoshiri » Wed Apr 17, 2024 3:05 pm

please share your iptables rules,
run this on your server

Code: Select all

iptables-save
copy all the output and paste them here as code block

Limon
Posts: 3
Joined: Mon Apr 15, 2024 12:02 am

Re: How does SoftEther bypass iptables policy?

Post by Limon » Wed Apr 17, 2024 6:23 pm

shakibamoshiri wrote:
Wed Apr 17, 2024 3:05 pm
copy all the output and paste them here as code block
Here you are:

Code: Select all

# Generated by iptables-save v1.8.4 on Wed Apr 17 19:12:10 2024
*mangle
:PREROUTING ACCEPT [1296897:193942728]
:INPUT ACCEPT [1218334:155848549]
:FORWARD ACCEPT [32261:30806755]
:OUTPUT ACCEPT [1064496:112904514]
:POSTROUTING ACCEPT [1096950:143725871]
COMMIT
# Completed on Wed Apr 17 19:12:10 2024
# Generated by iptables-save v1.8.4 on Wed Apr 17 19:12:10 2024
*filter
:INPUT DROP [158028:12856103]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1025004:108648745]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i tap_tap_virtual -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 81.13.109.166/32 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tap_tap_virtual -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Wed Apr 17 19:12:10 2024
# Generated by iptables-save v1.8.4 on Wed Apr 17 19:12:10 2024
*nat
:PREROUTING ACCEPT [210697:20675008]
:INPUT ACCEPT [407:25131]
:OUTPUT ACCEPT [998708:69056389]
:POSTROUTING ACCEPT [998708:69056389]
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Apr 17 19:12:10 2024

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: How does SoftEther bypass iptables policy?

Post by shakibamoshiri » Thu Apr 18, 2024 7:58 am

your rules seem correct to me

drop by default

Code: Select all

:INPUT DROP [158028:12856103]
just allow this source IP

Code: Select all

-A INPUT -s 81.13.109.166/32 -m conntrack --ctstate NEW -j ACCEPT
no other IPs should be able to connect, please check SE server log at server_log/ directory to see from what IP the connection is made

Limon
Posts: 3
Joined: Mon Apr 15, 2024 12:02 am

Re: How does SoftEther bypass iptables policy?

Post by Limon » Sun Apr 21, 2024 11:04 pm

shakibamoshiri wrote:
Thu Apr 18, 2024 7:58 am
no other IPs should be able to connect, please check SE server log at server_log/ directory to see from what IP the connection is made
This time a warning window appeared when I switched to a mobile connection: This VPN Client is connected to the VPN Server 'name' by using the NAT Traversal (UDP Hole Punching) technology.
Accordingly, the IP address of the mobile device was recorded in the logs.
SoftEther VPN turned out to be a very cool development. The issue was successfully resolved, thank you for your participation! ;)

solo
Posts: 1349
Joined: Sun Feb 14, 2021 10:31 am

Re: How does SoftEther bypass iptables policy?

Post by solo » Sun Apr 21, 2024 11:33 pm

Using NAT-T on a remote VPS is completely superfluous and unheard of. Disable it along with DDNS in vpn_server.config.

Code: Select all

	declare DDnsClient
	{
		bool Disabled true

	declare ServerConfiguration
	{
		bool DisableNatTraversal true

Post Reply