A detailed question about routing domain within a os @cedar
-
oscar
- Posts: 142
- Joined: Tue Oct 21, 2025 1:34 am
How do I create a local bridge with local bridge attached to a local VPN Client VPN adapter NIC card?
http://www.packetix.net/en/vpn/help/site.aspx
The machine is connected to a VPN Server and working fine.
But how do I bridge this local VPN Client NIC card into the SoftEther server local bridge to my own virtual HUB?
The dropdown menu in local bridge does not show any NIC adapters that start with VPN Client.
So, inside the OS of my machine, if I do not want to touch the local Ethernet [public internet facing] default routing table, how can I transparently route the VPN Client NIC adapter into another adapter, a Microsoft loopback adapter? I know there's a way to create a Windows bridge simply with 2 clicks, however the VPN server forcefully uses DHCP and doing so will fail to get an IP address.
So I need other ways to transparently local bridge mirror the VPN Client NIC to another Microsoft loopback adapter right within Windows, without using the built-in Windows network MAC bridge?
-
oscar
- Posts: 142
- Joined: Tue Oct 21, 2025 1:34 am
Re: How do I create a local bridge with local bridge attached to a local VPN Client VPN adapter NIC card?
Or
netsh interface portproxy add v4tov4 listenport=5556 listenaddress=0.0.0.0 connectport=4000 connectaddress=10.236.12.85
might do the job?
-
oscar
- Posts: 142
- Joined: Tue Oct 21, 2025 1:34 am
How to let windows local bridge a non promiscuous mode compatible NIC to my own virtual HUB?
As a special usage method, it is going to be possible to bridge connection by layer 2 between VPN Client computer Virtual Network Adapter and existing physical network adapter connected to the computer. As for, the bridge function of the operating system is going to be use for this. With SoftEther 1.0, bridging between Virtual Hub and physical network adapter has been often accomplished by this method. With SoftEther VPN, however, because bridging could be accomplished easier and faster by local bridge connection function of VPN Server or VPN Bridge, this method ceased to be used frequently.
I have NICs in Windows, but they do not support promiscuous mode at all. How do I add a local bridge to the virtual HUB?
-
oscar
- Posts: 142
- Joined: Tue Oct 21, 2025 1:34 am
DHCP broadcast to SoftEther public servers is blocked when the VPN Client adapter is put in a Windows bridge
The VPN cannot get a DHCP IP address from the VPN Server, because the VPN Client adapter is in a device called Windows bridge. How to solve this problem? The policy is to forcefully get the IP address from the VPN virtual DHCP, and a manual IP address will be discarded
-
oscar
- Posts: 142
- Joined: Tue Oct 21, 2025 1:34 am
A last call for softether:People found ultimate way to bypass policy limit on router bridge mode
Punishing people by blocking their username on this board WILL NOT WORK AT ALL, even if you patch such a bug in the software people just find another BUG to achieve unblocking and jailbreaking limits
People will now start bridging www.vpngate.net into http://www.packetix.net/jp/vpn/help/
1. Install SoftEther VPN Server inside that 34.96.100.11 machine in system mode
2. Install https://r1ch.net/projects/forcebindip
3. https://download.vpngate.jp/common/cd.a ... 164560.zip
4. Config the VPN Client IPv4 properties with an interface metric set to a very large number, larger than that of the local NIC to the internet 34.96.100.11, for example 9999. In this way, even if the routing default gateway is modified by the SoftEther client, the OS will still not use this route as a primary default gateway route [important]
5. Connect 219.100.37.58:443 in SoftEther VPN Client, but keep the No adjustments of routing table box unchecked.
Because the interface metric is sky high the Windows OS does not change default routes and gateway to default internet gateway at all, 34.96.100.11 will remain accessible by SSH or RDP
6. Change the cmd working directory to the forcebindip64.exe install directory
ForceBindIP64.exe 10.236.25.51 C:\SE\So\vpnserver.exe /usermode
[10.236.25.51] is the VPN client internal IP address
7. At this point, any clients using VPNazure.net services into my 34.96.100.11 with virtual HUB [bridge] with vpnmymachine.vpnazure.net will get IP address 219.100.37.58. Note: they're not using any IP address in my 34.96.100.11 machine at all but still get 219.100.37.58; in this case the actual thing is ForceBindIP64.exe did the job, so it still bypasses the SoftEther limits.
8. And yes, the connection is working very fine, no need to modify anything, just forcefully make SoftEther server use 10.236.25.51 not 10.0.0.1, so it's not hard, and you can see my VPN Server program is forcefully using the 10.236.25.51 interface to make any outgoing connections to any SoftEther servers [including 130.158.6.51], so in such case 219.100.37.58 is still forcefully used [you can check whether it is with https://systeminformer.sourceforge.io/]
Look here, the VPN Server is forcefully running on local NIC 10.236.25.51, there's no reason for my server not to have a public IP 219.100.37.58
So I'm actually changing the SoftEther server in Windows to be allowed to use 10.236.25.51 only, not to use the 10.0.0.3 public internet NIC at all
How easy is this? Only 1 exe will do the job!
Look here, the client IP address [source host] is not my machine's local 10.0.0.1 public internet NAT NIC any more, instead it's the VPN Client NIC responsible for creating the connection!
And yes, all policy is bypassed now just with 2 clicks on a Windows machine, no high tech savvy things included at all, just forcefully make SoftEther use 10.236.25.51 and don't allow it to use 10.0.0.3 at all, this is all that's needed!
SID-VPN-6322 is a VPN Session created by the 219.100.37.58 session, not my machine, this is what I'm trying hard to trick SoftEther to do: Local MAC address spoofing, and it works safe and sound, everyone's happy now!
The SID-VPN-6322 is able to populate any MAC IP table entries it wants and MAC spoofing is so comfortable to achieve, and by the way your advice is very helpful for me, still, thank you, I should find more ways to trick SoftEther into working in such local spoofing modes
-
oscar
- Posts: 142
- Joined: Tue Oct 21, 2025 1:34 am
Re: A last call for softether:People found ultimate way to bypass policy limit on router bridge mode
Trust it or not? @solo
-
solo
- Posts: 1871
- Joined: Sun Feb 14, 2021 10:31 am
Re: A last call for softether:People found ultimate way to bypass policy limit on router bridge mode
No worries as long as you post your "successful reversals" only on this Idle Talk Board.
-
oscar
- Posts: 142
- Joined: Tue Oct 21, 2025 1:34 am
Re: A last call for softether:People found ultimate way to bypass policy limit on router bridge mode
solo wrote: ↑Mon Apr 27, 2026 10:32 am
No worries as long as you post your "successful reversals" only on this Idle Talk Board.
This thread is for plan A: Use local bridge with ICS mini virtual NAT in Windows
There's also plan B
// Examine a number of MAC addresses that are registered in this current session
for (i = 0;i < num_pp;i++)
{
	MAC_TABLE_ENTRY *e = pp[i];
	if (e->Session == s)
	{
		num_mac_for_me++;
	}
}
Free(pp);
limited_count = 0xffffffff;
if (s->Policy->NoBridge)
{
	limited_count = MIN(limited_count, MAC_MIN_LIMIT_COUNT);
}
if (s->Policy->MaxMac != 0)
{
	limited_count = MIN(limited_count, s->Policy->MaxMac);
}
limited_count = MAX(limited_count, MAC_MIN_LIMIT_COUNT);
if (num_mac_for_me >= limited_count)
{
	// Number of MAC addresses that are registered already exceeds the upper limit
	char mac_str[64];
	if (s != NULL)
	{
		MacToStr(mac_str, sizeof(mac_str), packet->MacAddressSrc);
		if (s->Policy->NoBridge)
		{
			if (no_heavy == false)
			{
				HLog(hub, "LH_BRIDGE_LIMIT", s->Name, mac_str, num_mac_for_me, limited_count);
			}
		}
		else
		{
			if (no_heavy == false)
			{
				HLog(hub, "LH_MAC_LIMIT", s->Name, mac_str, num_mac_for_me, limited_count);
			}
		}
	}
	goto DISCARD_PACKET; // Drop the packet
There's a thing called code analysis, people will eventually only modify SoftEther's side without touching their local OS system
When will that happen? On which day? One day you'll find the answer yourself @solo
-
oscar
- Posts: 142
- Joined: Tue Oct 21, 2025 1:34 am
Re: A last call for softether:People found ultimate way to bypass policy limit on router bridge mode
num_mac_for_me++; -> DELETE
if (s->Policy->NoBridge)
{
limited_count = MIN(limited_count, MAC_MIN_LIMIT_COUNT);
}
//limited_count = MIN(limited_count, MAC_MIN_LIMIT_COUNT); is commented out
if (s->Policy->MaxMac != 0)
{
//limited_count = MIN(limited_count, s->Policy->MaxMac);is commented out
}
limited_count = MAX(limited_count, MAC_MIN_LIMIT_COUNT);
goto DISCARD_PACKET; // This line is dropped
-
oscar
- Posts: 142
- Joined: Tue Oct 21, 2025 1:34 am
Re: A last call for softether:People found ultimate way to bypass policy limit on router bridge mode
solo wrote: ↑Mon Apr 27, 2026 10:32 am
No worries as long as you post your "successful reversals" only on this Idle Talk Board.
Do forget that commented out lines do not run at all, and if a code block or function or void() is omitted entirely, such a function disappears, and don't overthink softether is prone at anti code reversing and any software is potentially vulnerable to external modification, no bridge router policy can ALWAYS BE BYPASSED with very little effort and with relatively low tech involved.
-
oscar
- Posts: 142
- Joined: Tue Oct 21, 2025 1:34 am
A detailed question about routing domain within a os @cedar
Let's suppose an OS with the following configs in its NICs [network interface cards, NIC for short]:
Let's suppose it's running Windows.
NIC A: This is a NIC which has the following configs:
IP = 10.0.0.3, netmask = 255.255.255.0, gateway = 10.0.0.1, DNS = 8.8.8.8 [suppose it got a public IP address 1.1.1.1], and from the internet, allowed users can use the 1.1.1.1 IP for SSH RDP admin access via NIC A, with default routing table [target] 0.0.0.0 [netmask] 0.0.0.0 [interface] 10.0.0.1
NIC B: This is a VPN NIC which is connected to a VPN corp network
IP = 192.168.30.103, netmask = 255.255.255.0, gateway = 192.168.30.1, DNS = 8.8.8.8 [suppose it got a public IP address 2.2.2.2], and from the internet, users can access http frp via 2.2.2.2
The routing table on NIC B is as follows:
[target] 0.0.0.0 [netmask] 0.0.0.0 [interface] 192.168.30.1
NIC A is local bridged with the SoftEther server virtual HUB "MYHUB", the SecureNAT on this hub is the same as NIC A.
The problem is, if I want hosts within the 10.0.0.0/24 network segment [in this case users under HUB "MYHUB"] to directly like under the network segment 192.168.0.0/24 [in this case users under HUB "MYHUB" use the network resources in 192.168.30.103 or 192.168.0.0/24]
Without starting ICS or RRAS NAT service on NIC B, is it possible to achieve such a networking architecture that meets my requirements?
Or will route add 10.0.0.0/24 in Windows or a static route push under "MYHUB" SecureNAT configs do it?
Or must I use virtual NAT in Windows in some way? @cedar
-
cedar
- Site Admin
- Posts: 2373
- Joined: Sat Mar 09, 2013 5:37 am
Re: A detailed question about routing domain within a os @cedar
It is difficult to achieve this purely through configuration.
This is because the WAN side of SecureNAT is effectively fixed to the network that has the default gateway, due to hardcoded logic in the VPN Server.
Conversely, this implies that by hacking this logic, it may be possible to force the WAN side of the virtual NAT to use a specific virtual NIC.
However, in order for the machine to continue functioning as a VPN server, the default gateway must remain assigned to the physical NIC. Therefore, it is not possible to assign the default gateway to the virtual NIC.
It is also important that the virtual NIC does not have its own IP stack, and that SecureNAT operates in kernel-mode NAT.
https://ja.softether.org/4-docs/3-kb/VPNFAQ036
-
oscar
- Posts: 142
- Joined: Tue Oct 21, 2025 1:34 am
Re: A detailed question about routing domain within a os @cedar
cedar wrote: ↑Fri May 01, 2026 1:46 pm
It is difficult to achieve this purely through configuration.
This is because the WAN side of SecureNAT is effectively fixed to the network that has the default gateway, due to hardcoded logic in the VPN Server.
Conversely, this implies that by hacking this logic, it may be possible to force the WAN side of the virtual NAT to use a specific virtual NIC.
However, in order for the machine to continue functioning as a VPN server, the default gateway must remain assigned to the physical NIC. Therefore, it is not possible to assign the default gateway to the virtual NIC.
It is also important that the virtual NIC does not have its own IP stack, and that SecureNAT operates in kernel-mode NAT.
https://ja.softether.org/4-docs/3-kb/VPNFAQ036
Perhaps one day [which day? no one knows] SoftEther will finally allow the server program to prompt the user to choose which NIC on the host machine to use, because https://github.com/MisterCalvin/forcebindip-gui already did this, and having such a function is just a piece of cake.
due to hardcoded logic in the VPN Server.
Finally this problem is fixed with https://github.com/MisterCalvin/forcebi ... i/releases
It's totally possible without ANY difficulties, you can try it today right away, it'll use the NIC you select in the app to start vpnserver.exe
Also, it's possible to run 2 vpnserver.exe simultaneously inside the same Windows operating system: create 2 Windows users and vpnserver.exe /usermode will work, just change the vpn_config.json TCP listening ports so they do not conflict with each other, like tcp 443 in VPNserverA.exe, then tcp 444 in VPNserverB.exe
This means in the same Windows machine, vpnserver can act as 2 different servicing parts, one using IP address 10.236.25.6 while the other uses 10.0.0.3
Also there are many 3rd party apps & plugins already in https://github.com/pkts-rs/tappers
For Linux https://medium.com/@amazingandyyy/intro ... 4e0c02d084
Also, we're going in circles since public1.softether.com does not support IPv6 public access at all, nor do vpngate.net servers have a public IPv6 address, and in IPv4 a single plugin exe is enough for the needs, however in the future if only IPv6 access is allowed we absolutely need another approach.
About vpnserver.config files posted here
And this is another working approach in another online forum of mine
sc create sevpnserver2 binPath= "\"C:\SoftEther_Server2\vpnserver.exe\" /service" DisplayName= "SoftEther VPN Server 2" start= auto
You need to actually rename them BOTH to
vpn_server.config
with such a file appearing independently in 2 paths like
C:\Users\Administrator\Desktop\A\Server
C:\Users\Administrator\Desktop\B\Server
If you start vpnserver.exe without vpn_server.config existing from the beginning in the path
C:\Users\Administrator\Desktop\A\Server
C:\Users\Administrator\Desktop\B\Server
It'll create a default vpn_server.config with factory defaults [without the user's custom config lines]
# Software Configuration File
#
# You can edit this file when the program is not working.
#
declare root
{
	uint ConfigRevision 13
	bool IPsecMessageDisplayed true
	bool VgsMessageDisplayed false
	declare DDnsClient
	{
		bool Disabled false
		byte Key eTYZ5OyXI5Lf4j/CqWYjun9nPbc=
		string LocalHostname iZuac37u5ts2ykZ
		string ProxyHostName $
		uint ProxyPort 0
		uint ProxyType 0
		string ProxyUsername $
	}
	declare IPsec
	{
		bool EtherIP_IPsec true
		string IPsec_Secret vpn
		string L2TP_DefaultHub VPNA
		bool L2TP_IPsec true
		bool L2TP_Raw true
		declare EtherIP_IDSettingsList
		{
		}
	}
	declare ListenerList
	{
		declare Listener0
		{
			bool DisableDos false
			bool Enabled true
			uint Port 443
		}
		declare Listener1
		{
			bool DisableDos false
			bool Enabled true
			uint Port 992
		}
		declare Listener2
		{
			bool DisableDos false
			bool Enabled true
			uint Port 1194
		}
		declare Listener3
		{
			bool DisableDos false
			bool Enabled true
			uint Port 5555
		}
	}
	declare LocalBridgeList
	{
		bool EnableSoftEtherKernelModeDriver true
		bool ShowAllInterfaces true
		declare LocalBridge0
		{
			string DeviceName Red$20Hat$20(ID=1916811767)
			bool FullBroadcastMode false
			string HubName VPNA
			bool MonitorMode false
			bool NoPromiscuousMode false
		}
	}
# Software Configuration File
#
# You can edit this file when the program is not working.
#
declare root
{
	uint ConfigRevision 13
	bool IPsecMessageDisplayed true
	bool VgsMessageDisplayed false
	declare DDnsClient
	{
		bool Disabled false
		byte Key eTYZ5OyXI5Lf4j/CqWYjun9nPbc=
		string LocalHostname iZuac37u5ts2ykZ
		string ProxyHostName $
		uint ProxyPort 0
		uint ProxyType 0
		string ProxyUsername $
	}
	declare IPsec
	{
		bool EtherIP_IPsec true
		string IPsec_Secret vpn
		string L2TP_DefaultHub VPNA
		bool L2TP_IPsec true
		bool L2TP_Raw true
		declare EtherIP_IDSettingsList
		{
		}
	}
	declare ListenerList
	{
		declare Listener0
		{
			bool DisableDos false
			bool Enabled true
			uint Port 1443
		}
		declare Listener1
		{
			bool DisableDos false
			bool Enabled true
			uint Port 992
		}
		declare Listener2
		{
			bool DisableDos false
			bool Enabled true
			uint Port 1194
		}
		declare Listener3
		{
			bool DisableDos false
			bool Enabled true
			uint Port 5555
		}
	}
	declare LocalBridgeList
	{
		bool EnableSoftEtherKernelModeDriver true
		bool ShowAllInterfaces true
		declare LocalBridge0
		{
			string DeviceName Red$20Hat$20(ID=1916811767)
			bool FullBroadcastMode false
			string HubName VPNA
			bool MonitorMode false
			bool NoPromiscuousMode false
		}
	}
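An added example, not part of the post above and not SoftEther's own tooling: a small Python reviewer for two `vpn_server.config` files like the ones posted. It parses the `declare` block format, reports listener ports that both instances enable, and flags raw (unencrypted) L2TP and a short IPsec pre-shared key. The function names, the 16-character threshold and the assumption that both instances listen on the same addresses are mine, and the sample input is constructed from the posted values.

```python
def parse_config(text):
    """Parse 'declare NAME { ... }' blocks and 'type key value' lines into dicts.
    A block left open at end of input (a truncated excerpt) is tolerated."""
    root, pending = {}, None
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("declare "):
            pending = line.split(None, 1)[1]
        elif line == "{":
            if pending is None:
                raise ValueError("'{' without a preceding declare")
            stack.append(stack[-1].setdefault(pending, {}))
            pending = None
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            typ, key, *rest = line.split(None, 2)
            value = rest[0] if rest else ""
            if typ == "bool":
                value = value == "true"
            elif typ == "uint":
                value = int(value)
            stack[-1][key] = value
    return root

def listener_ports(cfg):
    """Ports of every listener whose Enabled flag is true."""
    listeners = cfg.get("root", {}).get("ListenerList", {})
    return {v["Port"] for v in listeners.values()
            if isinstance(v, dict) and v.get("Enabled") and "Port" in v}

def review(cfg_a, cfg_b, min_secret_len=16):  # threshold is an assumption
    """Return (finding, detail) tuples for two instances on one host."""
    findings = []
    shared = sorted(listener_ports(cfg_a) & listener_ports(cfg_b))
    if shared:  # assumes both instances bind the same addresses
        findings.append(("port-conflict", shared))
    for name, cfg in (("A", cfg_a), ("B", cfg_b)):
        ipsec = cfg.get("root", {}).get("IPsec", {})
        if ipsec.get("L2TP_Raw"):  # L2TP accepted without IPsec encryption
            findings.append(("raw-l2tp-enabled", name))
        uses_psk = ipsec.get("L2TP_IPsec") or ipsec.get("EtherIP_IPsec")
        if uses_psk and len(ipsec.get("IPsec_Secret", "")) < min_secret_len:
            findings.append(("short-ipsec-secret", name))
    return findings

def sample_config(ports):
    """Constructed sample: IPsec and listener values as in the posted files."""
    listeners = "".join(
        "declare Listener%d\n{\nbool DisableDos false\nbool Enabled true\n"
        "uint Port %d\n}\n" % (i, p) for i, p in enumerate(ports))
    return ("declare root\n{\ndeclare IPsec\n{\nbool EtherIP_IPsec true\n"
            "string IPsec_Secret vpn\nbool L2TP_IPsec true\nbool L2TP_Raw true\n}\n"
            "declare ListenerList\n{\n" + listeners + "}\n}\n")

if __name__ == "__main__":
    a = parse_config(sample_config([443, 992, 1194, 5555]))
    b = parse_config(sample_config([1443, 992, 1194, 5555]))
    for finding in review(a, b):
        print(finding)
```

With the posted values, only Listener0 differs between the two files, so ports 992, 1194 and 5555 are still enabled in both.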
