The way I am thinking of implementing this is to assign port 443 on eth0 to a reverse proxy and have it forward to the web server or the SoftEther Server based on the host name, using SNI.
The flow is as follows.
Note that the SoftEther Server is assigned port 5555.
Without reverse proxy
(SoftEther Client) --[internet]-- eth0:5555(SoftEther Server)
With reverse proxy
(SoftEther Client) --[internet]-- eth0:443(Reverse Proxy) --[localhost]-- lo:5555(SoftEther Server)
Now, when the reverse proxy is not used the connection succeeds, but when connecting through the reverse proxy, the connection initially succeeds, then an error occurs before the DHCP assignment and the connection is dropped.
The environment is as follows.
Client
- SoftEther VPN4.0 (Ver 4.34, Build 9745)
- Windows 10 Pro
Server
- SoftEther VPN Server (64 bit) Version 4.34 Build 9745
- CentOS7
- sslh (reverse proxy; the same symptom occurs with nginx's TCP proxy)
As for the errors that are output, on the client side it is error 13:
エラー13: VPN セッションの通信がタイムアウトしました。クライアントから VPN Server への接続が切断された可能性があります。
terminated by the cause "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected." (code 11).
terminated by the cause "Time-out occurred during VPN session communication. It is possible the connection from the client to the VPN Server has been disconnected." (code 13).
Running tcpdump on the server and inspecting the packets, I confirmed that a [FIN, ACK] TCP packet is sent from the SoftEther Server towards the reverse proxy.
This [FIN, ACK] TCP packet did not occur when connecting without the reverse proxy.
I also tried the following measures, but there was no change in the situation.
- Server: disabled firewalld
- Server: disabled SELinux
- SoftEther Client: disabled SSL encryption
- SoftEther Server: disabled SecureNAT
- SoftEther Server: disabled the virtual DHCP server
- Reverse proxy: forward all packets to the SoftEther Server without SNI host-name matching
The server log is as follows.
Note that host names, IP addresses, etc. have been partially altered.
With reverse proxy
2021-03-07 05:11:34.118 On the TCP Listener (Port 5555), a Client (IP address 127.0.0.1, Host name "localhost", Port number 58788) has connected.
2021-03-07 05:11:34.118 For the client (IP address: 127.0.0.1, host name: "localhost", port number: 58788), connection "CID-2262" has been created.
2021-03-07 05:11:34.210 SSL communication for connection "CID-2262" has been started. The encryption algorithm name is "TLS_AES_256_GCM_SHA384".
2021-03-07 05:11:34.311 [HUB "VPN"] The connection "CID-2262" (IP address: 127.0.0.1, Host name: localhost, Port number: 58788, Client name: "SoftEther VPN Client", Version: 4.34, Build: 9745) is attempting to connect to the Virtual Hub. The auth type provided is "Password authentication" and the user name is "hoge".
2021-03-07 05:11:34.311 [HUB "VPN"] Connection "CID-2262": Successfully authenticated as user "hoge".
2021-03-07 05:11:34.311 [HUB "VPN"] Connection "CID-2262": The new session "SID-HOGE-73" has been created. (IP address: 127.0.0.1, Port number: 58788, Physical underlying protocol: "Standard TCP/IP (IPv4)")
2021-03-07 05:11:34.311 [HUB "VPN"] Session "SID-HOGE-73": The parameter has been set. Max number of TCP connections: 2, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
2021-03-07 05:11:34.311 [HUB "VPN"] Session "SID-HOGE-73": VPN Client details: (Client product name: "SoftEther VPN Client", Client version: 434, Client build number: 9745, Server product name: "SoftEther VPN Server (64 bit)", Server version: 434, Server build number: 9745, Client OS name: "Windows 10", Client OS version: "Build 19042, Multiprocessor Free (19041.vb_release.191206-1406)", Client product ID: "--", Client host name: "fuga", Client IP address: "192.168.0.1", Client port number: 57485, Server host name: "server.example.com", Server IP address: "200.0.0.1", Server port number: 443, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "VPN", Client unique ID: "CCA8662036FAEA684BA8E93D408684C8")
2021-03-07 05:11:34.563 [HUB "VPN"] Session "SID-HOGE-73": The session has been terminated. The statistical information is as follows: Total outgoing data size: 149 bytes, Total incoming data size: 1774 bytes.
2021-03-07 05:11:34.593 Connection "CID-2262" terminated by the cause "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected." (code 11).
2021-03-07 05:11:34.593 Connection "CID-2262" has been terminated.
2021-03-07 05:11:34.593 The connection with the client (IP address 127.0.0.1, Port number 58788) has been disconnected.
2021-03-07 05:11:35.773 On the TCP Listener (Port 5555), a Client (IP address 127.0.0.1, Host name "localhost", Port number 58790) has connected.
2021-03-07 05:11:35.773 For the client (IP address: 127.0.0.1, host name: "localhost", port number: 58790), connection "CID-2263" has been created.
2021-03-07 05:11:35.853 SSL communication for connection "CID-2263" has been started. The encryption algorithm name is "TLS_AES_256_GCM_SHA384".
2021-03-07 05:11:36.004 Connection "CID-2263" terminated by the cause "Time-out occurred during VPN session communication. It is possible the connection from the client to the VPN Server has been disconnected." (code 13).
2021-03-07 05:11:36.004 Connection "CID-2263" has been terminated.
2021-03-07 05:11:36.004 The connection with the client (IP address 127.0.0.1, Port number 58790) has been disconnected.
Without reverse proxy
2021-03-07 05:15:34.122 On the TCP Listener (Port 5555), a Client (IP address 100.0.0.1, Host name "client.example.com", Port number 25143) has connected.
2021-03-07 05:15:34.122 For the client (IP address: 100.0.0.1, host name: "client.example.com", port number: 25143), connection "CID-2264" has been created.
2021-03-07 05:15:34.172 SSL communication for connection "CID-2264" has been started. The encryption algorithm name is "TLS_AES_256_GCM_SHA384".
2021-03-07 05:15:34.253 [HUB "VPN"] The connection "CID-2264" (IP address: 100.0.0.1, Host name: client.example.com, Port number: 25143, Client name: "SoftEther VPN Client", Version: 4.34, Build: 9745) is attempting to connect to the Virtual Hub. The auth type provided is "Password authentication" and the user name is "hoge".
2021-03-07 05:15:34.253 [HUB "VPN"] Connection "CID-2264": Successfully authenticated as user "hoge".
2021-03-07 05:15:34.253 [HUB "VPN"] Connection "CID-2264": The new session "SID-HOGE-74" has been created. (IP address: 100.0.0.1, Port number: 25143, Physical underlying protocol: "Standard TCP/IP (IPv4)")
2021-03-07 05:15:34.253 [HUB "VPN"] Session "SID-HOGE-74": The parameter has been set. Max number of TCP connections: 2, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
2021-03-07 05:15:34.253 [HUB "VPN"] Session "SID-HOGE-74": VPN Client details: (Client product name: "SoftEther VPN Client", Client version: 434, Client build number: 9745, Server product name: "SoftEther VPN Server (64 bit)", Server version: 434, Server build number: 9745, Client OS name: "Windows 10", Client OS version: "Build 19042, Multiprocessor Free (19041.vb_release.191206-1406)", Client product ID: "--", Client host name: "fuga", Client IP address: "192.168.0.1", Client port number: 58971, Server host name: "server.example.com", Server IP address: "200.0.0.1", Server port number: 5555, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "VPN", Client unique ID: "CCA8662036FAEA684BA8E93D408684C8")
2021-03-07 05:15:34.515 [HUB "VPN"] SecureNAT: The DHCP entry 11 has been created. MAC address: 5E-48-67-62-84-48, IP address: 172.20.1.1, host name: fuga, expiration span: 7200 seconds
2021-03-07 05:15:34.515 [HUB "VPN"] Session "SID-SECURENAT-33": The DHCP server of host "5E-AC-7F-23-9F-89" (172.20.0.1) on this session allocated, for host "SID-HOGE-74" on another session "5E-48-67-62-84-48", the new IP address 172.20.1.1.
2021-03-07 05:15:34.636 [HUB "VPN"] SecureNAT: The UDP session 697 has been created. Connection source 172.20.1.1:58419, Connection destination 172.20.0.1:53
2021-03-07 05:15:35.513 On the TCP Listener (Port 5555), a Client (IP address 100.0.0.1, Host name "client.example.com", Port number 24886) has connected.
2021-03-07 05:15:35.513 For the client (IP address: 100.0.0.1, host name: "client.example.com", port number: 24886), connection "CID-2265" has been created.
2021-03-07 05:15:35.554 SSL communication for connection "CID-2265" has been started. The encryption algorithm name is "TLS_AES_256_GCM_SHA384".
2021-03-07 05:15:35.584 Connection "CID-2265" has been terminated.
2021-03-07 05:16:04.520 [HUB "VPN"] Session "SID-HOGE-74": The session has been terminated. The statistical information is as follows: Total outgoing data size: 67399 bytes, Total incoming data size: 103401 bytes.
2021-03-07 05:16:04.550 Connection "CID-2264" terminated by the cause "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected." (code 11).
2021-03-07 05:16:04.550 Connection "CID-2264" has been terminated.
2021-03-07 05:16:04.550 The connection with the client (IP address 100.0.0.1, Port number 25143) has been disconnected.
If any information is missing, please let me know.
Thank you very much in advance for your help.
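The two server logs above differ in one measurable way: in the proxied case the session is torn down a fraction of a second after creation and before any virtual-DHCP lease is logged, while in the direct case a lease is allocated and the session lives on. The following added example (not from the post or from SoftEther) parses the server log format quoted above and flags sessions that ended without a lease, so the symptom can be spotted across a large log rather than by eye; the sample lines are copied from the post, with its already-masked CID/SID/host values.

```python
import re
from datetime import datetime

# Sample input: lines taken from the server log quoted in the post (values already masked by the poster).
SAMPLE_LOG = """\
2021-03-07 05:11:34.311 [HUB "VPN"] Connection "CID-2262": The new session "SID-HOGE-73" has been created. (IP address: 127.0.0.1, Port number: 58788, Physical underlying protocol: "Standard TCP/IP (IPv4)")
2021-03-07 05:11:34.563 [HUB "VPN"] Session "SID-HOGE-73": The session has been terminated. The statistical information is as follows: Total outgoing data size: 149 bytes, Total incoming data size: 1774 bytes.
2021-03-07 05:11:34.593 Connection "CID-2262" terminated by the cause "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected." (code 11).
2021-03-07 05:15:34.253 [HUB "VPN"] Connection "CID-2264": The new session "SID-HOGE-74" has been created. (IP address: 100.0.0.1, Port number: 25143, Physical underlying protocol: "Standard TCP/IP (IPv4)")
2021-03-07 05:15:34.515 [HUB "VPN"] Session "SID-SECURENAT-33": The DHCP server of host "5E-AC-7F-23-9F-89" (172.20.0.1) on this session allocated, for host "SID-HOGE-74" on another session "5E-48-67-62-84-48", the new IP address 172.20.1.1.
2021-03-07 05:16:04.520 [HUB "VPN"] Session "SID-HOGE-74": The session has been terminated. The statistical information is as follows: Total outgoing data size: 67399 bytes, Total incoming data size: 103401 bytes.
2021-03-07 05:16:04.550 Connection "CID-2264" terminated by the cause "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected." (code 11).
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
CREATED_RE = re.compile(r'Connection "(CID-\d+)": The new session "(SID-[^"]+)" has been created')
DHCP_RE = re.compile(r'for host "(SID-[^"]+)" on another session .* the new IP address (\d+\.\d+\.\d+\.\d+)')
SESS_END_RE = re.compile(r'Session "(SID-[^"]+)": The session has been terminated')
CONN_END_RE = re.compile(r'Connection "(CID-\d+)" terminated by the cause .* \(code (\d+)\)')


def analyze(log_text):
    """Return {SID: {cid, created, terminated, lifetime_s, dhcp_ip, code}} built from the log lines."""
    sessions, cid_to_sid = {}, {}
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(2)
        if (c := CREATED_RE.search(msg)):
            cid, sid = c.groups()
            cid_to_sid[cid] = sid  # the connection that carries this session
            sessions[sid] = {"cid": cid, "created": ts, "terminated": None,
                             "lifetime_s": None, "dhcp_ip": None, "code": None}
        elif (d := DHCP_RE.search(msg)) and d.group(1) in sessions:
            sessions[d.group(1)]["dhcp_ip"] = d.group(2)  # virtual-DHCP lease reached the session
        elif (e := SESS_END_RE.search(msg)) and e.group(1) in sessions:
            s = sessions[e.group(1)]
            s["terminated"] = ts
            s["lifetime_s"] = (ts - s["created"]).total_seconds()
        elif (k := CONN_END_RE.search(msg)) and k.group(1) in cid_to_sid:
            sessions[cid_to_sid[k.group(1)]]["code"] = int(k.group(2))  # termination cause code
    return sessions


def sessions_dropped_before_dhcp(sessions, max_lifetime_s=5.0):
    """SIDs that ended within max_lifetime_s and never received a lease: the symptom described in the post."""
    return sorted(sid for sid, s in sessions.items()
                  if s["terminated"] is not None and s["dhcp_ip"] is None
                  and s["lifetime_s"] < max_lifetime_s)
```

Run against the full server log, the flagged list should contain only sessions that arrived through the proxy (source 127.0.0.1) if the problem is specific to the proxied path.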