SoftEther VPN Client Linux issue

[raymi]

Hello,

I've configured a SoftEther VPN server that also uses IPSec/L2TP. On the Virtual Hub I configured the SecureNAT for accessing behind systems that are in a specific subnet (172.10.*.*).

Connecting from native operating system client (MacOSX, Windows, iOS, Android), everything is working properly. Not from Linux (CentOS).

So I installed SoftEther VPN Client. On Windows, I can connect the VPN server and access behind NAT systems by just activating SE VPN Client. On Linux, I can connect the VPN server (via vpncmd), the dedicated virtual interface is well receiving an IP address from the VPN server (192.168.*.*) and a static route is defined to route all NAT subnet (172.10.*.*) through this virtual interface. However I cannot access behind NAT systems.

I feel a bit lost as on Windows the SE client was very easy to install, configure and run without any problem. But on Linux, with which I normally feel more comfortable, I'm struggling.

Any help would be much appreciated. Did someone already succeeded to run the SE client for Linux with NAT?

Thanks in advance
Raymi

[thisjun]

Could you show routing table and ifconfig result and traceroute result of the Linux?

[raymi]

Connecting to the server:
-------------------------------
# /usr/local/vpnclient/vpncmd localhost /client /CMD accountconnect con-SoftEther
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.20 Build 9608 (English)
Compiled 2016/04/17 21:59:35 by yagi at pc30
Copyright (c) SoftEther VPN Project. All Rights Reserved.

Connected to VPN Client "localhost".

VPN Client>accountconnect con-SoftEther
AccountConnect command - Start Connection to VPN Server using VPN Connection Setting
The command completed successfully.

Route
-------
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.30.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn_softether
172.10.0.0 192.168.30.10 255.255.0.0 UG 0 0 0 vpn_softether
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1004 0 0 vpn_softether
0.0.0.0 10.10.1.1 0.0.0.0 UG 0 0 0 eth0

ifconfig
----------
# ifconfig vpn_softether
vpn_softether Link encap:Ethernet HWaddr 00:AC:1F:B1:51:6A
inet addr:192.168.30.10 Bcast:192.168.30.255 Mask:255.255.255.0
inet6 addr: fe80::2ac:1fff:feb1:516a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:163 errors:0 dropped:0 overruns:0 frame:0
TX packets:213 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:10410 (10.1 KiB) TX bytes:17358 (16.9 KiB)

traceroute
-------------
# traceroute 172.10.10.12
traceroute to 172.10.10.12 (172.10.10.12), 30 hops max, 60 byte packets
1 192.168.30.10 (192.168.30.10) 3000.483 ms !H 3000.481 ms !H 3000.476 ms !H

[cmd wh0ami]

#! /bin/sh
### BEGIN INIT INFO
# Provides: vpnclient
# Required-Start: $all
# Required-Stop: $network $local_fs $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# chkconfig: 345 44 56
# description: Start VPN Client at boot time.
# processname: vpnclient
### END INIT INFO

# /etc/init.d/vpnclient

case "$1" in
start)
echo "Starting VPN Client"
/usr/local/vpnclient/vpnclient start

sleep 1
if ifconfig -a | grep vpn_vpn >/dev/null
then
echo "Setting up vpn_vpn..."
else
sleep 1
ifdown vpn_vpn
sleep 1
ifup vpn_vpn
sleep 1
if ifconfig -a | grep vpn_vpn >/dev/null
then
echo "Setting up vpn_vpn..."
else
echo "Interface vpn_vpn not found" &1>2
exit 1
fi
route add -host 55.55.55.55 gw 192.168.0.1
#route del default
#route add default gw 192.168.30.1 dev vpn_vpn
#/usr/local/vpnclient/./vpncmd
;;

stop)
echo "Stopping VPN Client"
/usr/local/vpnclient/vpnclient stop
route del -host 55.55.55.55
route del default
route add default gw 192.168.0.1 dev wlan0


*)
echo "Usage: /etc/init.d/vpnclient {start|stop}"
exit 1
;;
esac

exit 0

[cmd wh0ami]

Im using a bash in /etc/init.d to set up routes with my server using NAT.

here is a link to my gist on Github. https://gist.github.com/cmdwhoami/77ebb ... d23baaeebe

[raymi]

Doubting it would solve my issue, I however adapted the proposed script to my IP addresses.

It does not solve the issue: ssh: connect to host port 22: No route to host

[cedar]

> # route -n
> Kernel IP routing table
> 172.10.0.0 192.168.30.10 255.255.0.0 UG 0 0 0 vpn_softether

In default setting, SecureNAT have IP address as 192.168.30.1.
This may be incorrect.

[raymi]

You are right, this was my before configuration. I changed the route to force going through the local VPN dedicated interface IP address, none of them do allow connecting the 172.x NAT.

Still not route to host.

[cedar]

Please show latest configuration and traceroute result.

[raymi]

VPN client config
---------------------
# Software Configuration File
# ---------------------------
#
# You may edit this file when the VPN Server / Client / Bridge program is not running.
#
# In prior to edit this file manually by your text editor,
# shutdown the VPN Server / Client / Bridge background service.
# Otherwise, all changes will be lost.
#
declare root
{
bool DisableRelayServer false
bool DontSavePassword false
bool EnableVPNGateService false
byte EncryptedPassword ************************
bool HideVPNGateServiceMessage false
bool PasswordRemoteOnly false
string UserAgent Mozilla/5.0$20(Windows$20NT$206.3;$20WOW64;$20rv:29.0)$20Gecko/20100101$20Firefox/29.0
uint UseSecureDeviceId 0

declare AccountDatabase
{
declare Account0
{
bool CheckServerCert false
uint64 CreateDateTime 1528344345662
uint64 LastConnectDateTime 1530576668295
string ShortcutKey D623AD9891814708DEC5378B607882E103449773
bool StartupAccount false
uint64 UpdateDateTime 1528346664357

declare ClientAuth
{
uint AuthType 1
byte HashedPassword ******************
string Username **************
}
declare ClientOption
{
string AccountName con-SoftEther
uint AdditionalConnectionInterval 1
uint ConnectionDisconnectSpan 0
string DeviceName SoftEther
bool DisableQoS false
bool HalfConnection false
bool HideNicInfoWindow false
bool HideStatusWindow false
string Hostname as-vpn.intern.net
string HubName VPN_Hub
uint MaxConnection 1
bool NoRoutingTracking false
bool NoTls1 false
bool NoUdpAcceleration false
uint NumRetry 4294967295
uint Port 443
uint PortUDP 0
string ProxyName $
byte ProxyPassword $
uint ProxyPort 0
uint ProxyType 0
string ProxyUsername $
bool RequireBridgeRoutingMode false
bool RequireMonitorMode false
uint RetryInterval 15
bool UseCompress false
bool UseEncrypt true
}
}
}
declare ClientManagerSetting
{
bool EasyMode false
bool LockMode false
}
declare CommonProxySetting
{
string ProxyHostName $
uint ProxyPort 0
uint ProxyType 0
string ProxyUsername $
}
declare Config
{
bool AllowRemoteConfig false
uint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
string KeepConnectHost keepalive.softether.org
uint KeepConnectInterval 50
uint KeepConnectPort 80
uint KeepConnectProtocol 1
bool NoChangeWcmNetworkSettingOnWindows8 false
bool UseKeepConnect false
}
declare RootCA
{
}
declare UnixVLan
{
declare SoftEther
{
bool Enabled true
string MacAddress 00-AC-1F-B1-51-6A
}
}
}

route -n result (After [vpnclient start] and [vpncmd localhost /client /CMD accountconnect con-SoftEther]
-----------------------------------------------------------------------------------------------------------------------------------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.30.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn_softether
172.10.0.0 192.168.30.1 255.255.0.0 UG 0 0 0 vpn_softether
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1006 0 0 vpn_softether
0.0.0.0 10.10.1.1 0.0.0.0 UG 0 0 0 eth0

traceroute result
---------------------
traceroute to 172.10.1.12 (172.10.1.12), 30 hops max, 60 byte packets
1 192.168.30.10 (192.168.30.10) 3000.178 ms !H 3000.143 ms !H 3000.135 ms !H

[cedar]

It seems SecureNAT is not responding.
Is SecureNAT working on 192.168.30.1 now?

[raymi]

Yes, connection through 443 from SoftEther client on a Windows platform is working properly. Using the MacOSX native VPN client is also working, but for this last it is not the same ports as it is using IPSec/L2TP.

[cedar]

ping 192.168.30.1 works?

[raymi]

No, but this is because the firewall will block icmp. But I don't see why 192.168.30.1 would not work since the VPN server is successfully connected from the Linux client, it is NAT behind that is not reachable. I attached a small diagram to ensure.

[attachment=0]SoftEtherDiagram.png[/attachment]

[cedar]

it's wrong understanding.

the client and securenat is on same segment virtually.
icmp is sent encupsulated.
firewall shouldn't recognize encrypted VPN payload.

[raymi]

Ok, I understand now. However, ping is not working...

# ping 192.168.30.1
PING 192.168.30.1 (192.168.30.1) 56(84) bytes of data.
From 192.168.30.10 icmp_seq=2 Destination Host Unreachable

192.168.30.10 is the address received from SoftEther VPN server DHCP.

[cedar]

I think 'Destination Host Unreachable' error is due to lack of ARP response.

Is there any 192.168.30.* entry in 'arp -a' result?

I suspect that instability of the VPN of communication might be the cause of the problem.

[raymi]

No there is no 192.168.30.* entry issuing "arp -a"...

Is there a way to workaround?

[raymi]

Adding manually and statically the arp entry does not solve the issue.

Weird.

[cedar]

is there any client entries in MAC table or IP table of the virtual hub?
it seems VPN doesn't work completely.

[raymi]

When connected, yes I can see the session and the machine's MAC in the SoftEther Admin console

[cedar]

Sometimes, communication by UDP is the cause of packet loss.
The symptom is that packets will not arrive after a few seconds from the start of connection.

Please try disabling NAT-T and UDP Acceleration.
To stop NAT-T, append '/tcp' to the connection destination host name.

[raymi]

Do you mean changing in the config file the line "string Hostname as-vpn.intern.net" by "string Hostname as-vpn.intern.net/tcp"?

[raymi]

ok, have added /tcp to the hostname. I suppose it is going better, however did not succeed to connect behind machine.

SoftEther client is connected to the server, however trying to pass thru to connect behind machine in ssh does not succeed: Connection timed out after 30 seconds

[raymi]

I obviously checked firewall settings to ensure ssh is allowed on behind machine.

[cedar]

please try disable udp acceleration.

[raymi]

Hostname as-vpn.intern.net/tcp
NoUdpAcceleration true

Doesn't work either.
Connection timeout

[cedar]

Timeout?
Is not your problem that a ping to SecureNAT does not reach?

[raymi]

No, I don't think so. The route looks to be correct now since I manually update both static route and ARP table.

Why is it that I'm able to connect behind machines though the same SoftEther server when connecting from SoftEther on Windows and not from SoftEther on Linux?

On Windows I did not remove any UDP config...

[cedar]

With the VPN connected, is the route to the VPN server on the tap device?
On the Windows version client, add a route to the VPN server at the time of VPN connection to prevent overwrite the route.

[raymi]

Looks that yes:

route -n before connecting
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

route -n after connecting
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.30.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn_softether
172.10.0.0 192.168.30.1 255.255.0.0 UG 0 0 0 vpn_softether

[cedar]

Is there no default gateway?
Is the VPN server on 10.10.1.* network?

[raymi]

No the VPN server is 192.168.30.1 which is defined through vpn_softether interface as default gateway

[thisjun]

Is there no default gateway?

[kawaGUCCi]

Ok I have the exact same issue, did anyone find the fix? It seems nattable is empty but it shouldnt be that way