
How does SoftEther bypass iptables policy?

Posted: Mon Apr 15, 2024 1:20 am
by Limon
Greetings to all! 😀 I recently started learning Ubuntu v20.04 on a remote VPS, and the first thing I did was set up SoftEther VPN. Everything works, but there is one question left.

My rules in iptables are configured so that access to the server is possible only from one IP address, my home PC; other packets are dropped (iptables -P INPUT DROP). However, when I connect from my home PC via a smartphone, with a different IP address, the connection to SoftEther VPN is established. 🐱‍👤 I came to the conclusion that SoftEther somehow bypasses the iptables -P INPUT DROP policy. The SecureNAT function is disabled.

Please explain how SoftEther bypasses iptables rules and what function is responsible for this?🧐

Re: How does SoftEther bypass iptables policy?

Posted: Mon Apr 15, 2024 1:59 am
by solo
Limon wrote:
Mon Apr 15, 2024 1:20 am
...The secure NAT function is disabled.
Please explain how SoftEther bypasses iptables rules and what function is responsible for this?🧐
Since SecureNAT's status is irrelevant to the issue at hand and SoftEther does not bypass iptables, it means your rules are incorrect. For Linux support go to https://ubuntuforums.org/.

Re: How does SoftEther bypass iptables policy?

Posted: Wed Apr 17, 2024 3:05 pm
by shakibamoshiri
Please share your iptables rules. Run this on your server:

Code:

iptables-save
Copy all the output and paste it here as a code block.

Re: How does SoftEther bypass iptables policy?

Posted: Wed Apr 17, 2024 6:23 pm
by Limon
shakibamoshiri wrote:
Wed Apr 17, 2024 3:05 pm
Copy all the output and paste it here as a code block.
Here you are:

Code:

# Generated by iptables-save v1.8.4 on Wed Apr 17 19:12:10 2024
*mangle
:PREROUTING ACCEPT [1296897:193942728]
:INPUT ACCEPT [1218334:155848549]
:FORWARD ACCEPT [32261:30806755]
:OUTPUT ACCEPT [1064496:112904514]
:POSTROUTING ACCEPT [1096950:143725871]
COMMIT
# Completed on Wed Apr 17 19:12:10 2024
# Generated by iptables-save v1.8.4 on Wed Apr 17 19:12:10 2024
*filter
:INPUT DROP [158028:12856103]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1025004:108648745]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i tap_tap_virtual -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 81.13.109.166/32 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tap_tap_virtual -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Wed Apr 17 19:12:10 2024
# Generated by iptables-save v1.8.4 on Wed Apr 17 19:12:10 2024
*nat
:PREROUTING ACCEPT [210697:20675008]
:INPUT ACCEPT [407:25131]
:OUTPUT ACCEPT [998708:69056389]
:POSTROUTING ACCEPT [998708:69056389]
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Apr 17 19:12:10 2024

Re: How does SoftEther bypass iptables policy?

Posted: Thu Apr 18, 2024 7:58 am
by shakibamoshiri
Your rules seem correct to me.

Drop by default:

Code:

:INPUT DROP [158028:12856103]
Just allow this source IP:

Code:

-A INPUT -s 81.13.109.166/32 -m conntrack --ctstate NEW -j ACCEPT
No other IPs should be able to connect. Please check the SE server log in the server_log/ directory to see from which IP the connection is made.

Re: How does SoftEther bypass iptables policy?

Posted: Sun Apr 21, 2024 11:04 pm
by Limon
shakibamoshiri wrote:
Thu Apr 18, 2024 7:58 am
No other IPs should be able to connect. Please check the SE server log in the server_log/ directory to see from which IP the connection is made.
This time a warning window appeared when I switched to a mobile connection: This VPN Client is connected to the VPN Server 'name' by using the NAT Traversal (UDP Hole Punching) technology.
Accordingly, the IP address of the mobile device was recorded in the logs.
SoftEther VPN turned out to be a very cool development. The issue was successfully resolved, thank you for your participation! ;)
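The thread settles on NAT Traversal (UDP hole punching) as the reason the phone got through. The example below is added here to show, in conntrack terms, why the posted ruleset allows that; it is not code from the forum posts or from SoftEther. With UDP hole punching the server itself sends the first UDP packet towards the client's public endpoint, which creates a conntrack entry; the client's inbound packet is then in the reply direction, is classified ESTABLISHED, and is accepted by the `RELATED,ESTABLISHED` rule before the source-IP rule is ever consulted. The ruleset is the INPUT chain from the dump above; the phone and VPS addresses (198.51.100.23, 203.0.113.10) are constructed documentation addresses, and the conntrack table is a deliberately minimal model of the real one.

```python
"""Model of the thread's INPUT chain evaluated against conntrack states.

Constructed example. Only the matchers present in the posted dump are
modelled (-i, -s, --ctstate, -j); the conntrack table is a toy that only
tracks which side sent the first packet of a UDP flow.
"""
import ipaddress
import re
from dataclasses import dataclass

# The filter table exactly as posted in the thread (FORWARD rules omitted
# because only INPUT matters for a connection to the VPS itself).
RULESET = """
*filter
:INPUT DROP [158028:12856103]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1025004:108648745]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i tap_tap_virtual -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 81.13.109.166/32 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""


@dataclass
class Packet:
    src: str
    iface: str
    ctstate: str  # NEW / ESTABLISHED / RELATED, as conntrack would label it


def parse_filter(text):
    """Return (chain policies, rule list) for an iptables-save filter table."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r":(\w+) (\w+)", line)
        if m:  # chain policy line, e.g. ":INPUT DROP [...]"
            policies[m.group(1)] = m.group(2)
            continue
        if not line.startswith("-A "):
            continue
        rule = {"chain": line.split()[1],
                "target": re.search(r"-j (\S+)", line).group(1)}
        for key, pattern in (("iface", r"-i (\S+)"), ("src", r"-s (\S+)"),
                             ("ctstate", r"--ctstate (\S+)")):
            found = re.search(pattern, line)
            rule[key] = found.group(1) if found else None
        rules.append(rule)
    return policies, rules


def matches(rule, pkt):
    """True if every matcher present on the rule matches the packet."""
    if rule["iface"] and rule["iface"] != pkt.iface:
        return False
    if rule["src"] and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src"]):
        return False
    if rule["ctstate"] and pkt.ctstate not in rule["ctstate"].split(","):
        return False
    return True


def input_verdict(pkt, ruleset=RULESET):
    """First matching INPUT rule wins; otherwise the chain policy applies."""
    policies, rules = parse_filter(ruleset)
    for rule in rules:
        if rule["chain"] == "INPUT" and matches(rule, pkt):
            return rule["target"]
    return policies["INPUT"]


class Conntrack:
    """Toy conntrack table: an outbound UDP packet creates a flow, and any
    later inbound packet on the reverse tuple is ESTABLISHED, not NEW."""

    def __init__(self):
        self.flows = set()

    def outbound(self, local, remote):
        self.flows.add((local, remote))

    def classify(self, src, dst):
        return "ESTABLISHED" if (dst, src) in self.flows else "NEW"


def scenarios():
    """Three inbound packets on eth0 and the verdict the chain gives each."""
    home = "81.13.109.166"     # the allowed address from the posted rules
    phone = "198.51.100.23"    # constructed: the phone's public address
    server = "203.0.113.10"    # constructed: the VPS's public address
    ct = Conntrack()
    results = {}
    # 1. Home PC opens a fresh connection: matched by the -s 81.13.109.166/32 rule.
    results["home_new"] = input_verdict(Packet(home, "eth0", ct.classify(home, server)))
    # 2. Phone connects directly: no rule matches a NEW packet from it -> policy DROP.
    results["phone_direct"] = input_verdict(Packet(phone, "eth0", ct.classify(phone, server)))
    # 3. NAT traversal: the server first sends UDP to the phone's endpoint
    #    (hole punching). That outbound packet (OUTPUT is ACCEPT) creates the
    #    conntrack entry, so the phone's next packet is a reply: ESTABLISHED.
    ct.outbound(server, phone)
    results["phone_after_hole_punch"] = input_verdict(Packet(phone, "eth0", ct.classify(phone, server)))
    return results


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

The point for a practitioner: `-P INPUT DROP` plus a source-IP allow list only restricts who may open connections; anything the server itself initiates outbound, including a hole-punch probe, comes back as ESTABLISHED and is accepted by the state rule. On the real box the UDP entries in the conntrack table (`conntrack -L -p udp`) show the VPS as the originating side of that flow. Closing it means either disabling NAT Traversal on the server, as the reply below suggests, or restricting the OUTPUT chain so the server cannot open arbitrary outbound UDP in the first place.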

Re: How does SoftEther bypass iptables policy?

Posted: Sun Apr 21, 2024 11:33 pm
by solo
Using NAT-T on a remote VPS is completely superfluous and unheard of. Disable it along with DDNS in vpn_server.config.

Code:

	declare DDnsClient
	{
		bool Disabled true

	declare ServerConfiguration
	{
		bool DisableNatTraversal true