Regarding Port Forwarding setting for my Router to the server machine

igodspeed
Posts: 4
Joined: Fri Nov 19, 2021 11:19 am

Post by igodspeed » Fri Nov 19, 2021 11:39 am

I have installed SoftEther VPN server on one of the desktops and am using the wireless card. But I am not able to connect to the server through another computer which is using the URL to log in. I am however able to use the server when I use the local IP address.
Untitled.png
I suspect the reason why I am not able to connect to the listening port on the server machine is port forwarding.
Here is a screenshot of what I have forwarded:
Untitled1.png
WAN 500 --> 5555 LAN on Local
WAN 4500 --> 5555 LAN on Local

I am not able to get a response and, as you can see, I am still getting connection error messages. Could you please advise what I could try next in order to resolve this issue?
Untitled2.png
In my last-ditch effort I even opened all the ports on WAN: 0 ~ 9999 --> LAN on local 5555. But I still got the same message. Clearly there is another issue. Any help you can provide, I would be grateful.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Regarding Port Forwarding setting for my Router to the server machine

Post by nobody12 » Fri Nov 19, 2021 7:11 pm

When you say:
"I have installed SoftEther VPN server on one of the desktops and am using the wireless card. But I am not able to connect to the server through another computer which is using the URL to log in. I am however able to use the server when I use the local IP address."

You mean: you cannot connect using the SoftEther VPN client to the VPN? But management of the VPN Server from inside the network is OK?

Network cards:
While a Wi-Fi connection should work, a connection with an Ethernet cable is more reliable, gives better performance, and has a lower latency. Try not to use Wi-Fi if you want to get the best performance possible. Still, Wi-Fi should work. But if the computer hosting the SE Server is multihomed (more than one network card), make sure outgoing traffic of the SE Server goes through the correct interface. It should even work if not, if Wi-Fi and Ethernet are connected to the same router, but then why use Wi-Fi anyway? To make the Wi-Fi interface the default: in the Windows network card's properties, open the IPv4 protocol, then Advanced. There is a box with a "metric" value. Uncheck the "automatic" checkbox. Manually input a value. The card which should be preferred should have a lower value than the other. So if, for example, you have a Wi-Fi card and an Ethernet card, but want to send packets by default using the Wi-Fi interface, set the Wi-Fi interface metric to 1 and set the Ethernet interface to 10.

Regarding port forwards:
For a first try, disable any firewall on the machine running SoftEther VPN Server (or better, add rules to allow incoming and outgoing traffic for all ports needed).
If you use only the SoftEther client, a single port will be sufficient: one of those which are listed under the Listener List. Of course, all of these are fine too.
If you want to use clients which use L2TP over IPsec, add the ports: UDP port 500 and 4500. On the NAT, UDP 500 and 4500 should be transferred to the VPN Server. If any packet filters or firewalls exist, open UDP 500 and 4500 (go to: https://www.softether.org/4-docs/2-howt ... VPN_Server and scroll to the bottom).
However, do not map (unless you know better) different external ports to different internal ports. Only use 1:1 mappings. So external port 443 has to be mapped to 443 on the VPN Server. The same for all other needed ports.

Now, if you create a new VPN connection with the VPN client, specify not only the FQDN of the VPN Server but also the correct port (one of those the SoftEther server is listening on).

If this still does not work, start by finding out if you really have a public IPv4 address on your router which connects your network to the Internet.

igodspeed
Posts: 4
Joined: Fri Nov 19, 2021 11:19 am

Re: Regarding Port Forwarding setting for my Router to the server machine

Post by igodspeed » Sat Nov 20, 2021 9:40 am

Thank you for your detailed response @nobody12. When I connect using 192.168.1.6/tcp I am able to connect from a different laptop on the local network; however, when I use the URL 234281.softether.net to connect I am only able to connect through the UDP protocol and not through TCP from a client computer. As you pointed out that a connection through Ethernet is more reliable, I have even tried to connect through Ethernet and turning off the Wi-Fi. I was still not able to connect using TCP; I had connected the laptop which is designated as the VPN server to the router, but the client laptop was on a different network. I had even tried to bridge the connection with the router to the server laptop, but got the same result. I did disable the Windows firewall on the server, but that did not change the results, although this was not done when I connected the Ethernet to the laptop.
A couple of questions:
"make sure outgoing traffic of the SE Server goes through the correct interface."
Since I am able to connect through UDP, I would imagine I do not need to make any changes to the interface?
"However, do not map (unless you know better) different external ports to different internal ports. Only use 1:1 mappings. So external port 443 has to be mapped to 443 on the VPN Server. The same for all other needed ports."
Untitled6.png
Do you mean this was not supposed to be done, where I had mapped ports 500 and 4500 to 5555? So 500 should be mapped to 500, and the same for 4500? Although port 5555 was mapped to 5555:
Untitled7.png
I added ports 1194, 443 and 992 with 1:1 mapping as you have suggested, while the firewall (Windows Defender) was turned off.

After making these changes I am still getting the same error:

Error (Error Code 1):
Connection to the server failed. Check network connection and make sure that address and port number of destination server are correct.

This would imply there is still an issue with port forwarding, right?

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Regarding Port Forwarding setting for my Router to the server machine

Post by nobody12 » Sat Nov 20, 2021 12:20 pm

There are still strange NAT mappings:
500 -> 5555
4500 -> 5555
and also those higher ports.
If 192.168.1.6 is the SE server IP, remove all of these; you only need exactly one port (unless you use L2TP).

Also check if your router needs firewall rules to allow traffic to a port in addition to the NAT mappings.
And then, if it still does not work, what kind of internet are you using?
Do you have a public IPv4 or not?

Also: do not try to connect from the internal network to the VPN. That might not work. Go to a location where you are outside, on the internet.
Which port do you try to connect to? You may try to use telnet and test if you can connect to this port.
(Activate the telnet client from Windows features, then start a cmd window.)
telnet hostname portnumber
What happens?

igodspeed
Posts: 4
Joined: Fri Nov 19, 2021 11:19 am

Re: Regarding Port Forwarding setting for my Router to the server machine

Post by igodspeed » Sun Nov 21, 2021 2:40 pm

As you have pointed out regarding the strange mappings, I have fixed them so 500 and 4500 are pointing to 500 and 4500. I also ran a service at https://www.canyouseeme.org/ to find open ports, but for some reason it is showing all ports as closed. Below I have attached a screenshot from nmap. This one below is for my router, which is 192.168.1.1. Although I had opened port 5555 as in my earlier screenshot, for some reason it is not being shown as open.
Image
The one below is from the laptop which is running as the server:
Image
"Do you have a public IPv4 or not?"
Yes, I can confirm I have a public IPv4.
"Also: do not try to connect from the internal network to the VPN. That might not work. Go to a location where you are outside, on the internet. Which port do you try to connect to?"
I have been using my mobile network internet to connect to the VPN server when using the web address to log in.
"telnet hostname portnumber"

Output:

telnet vpn881***781.softether.net 5555
Connecting To vpn881***781.softether.net...Could not open connection to the host, on port 5555: Connect failed

Although running tracert on that web address points to my external IP.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Regarding Port Forwarding setting for my Router to the server machine

Post by nobody12 » Sun Nov 21, 2021 6:16 pm

Well, I am not at your site, and I don't know the make and model of your router, and I don't know about your internet connection.
But assuming that your port forwardings are working (running a port scan from the internal network to the internal IP of your router most likely might not give correct results), but a port scan from the internet only shows closed ports, I would now check if your router needs more than just the entry of the port forward.
What router are you using?
Also, find out if you really have a public IPv4 address:
On your router, enable management access from the internet using http or https (check if the port used for management is not forwarded!). Assign a strong password for the router management.
Then go surfing somewhere else and try to access your router's Web-UI. If you cannot access it, chances are good you don't have a public IPv4, but are behind a provider NAT.
You also might get information about your IP address from inside the router's Web-UI.
What company are you using for internet access?

igodspeed
Posts: 4
Joined: Fri Nov 19, 2021 11:19 am

Re: Regarding Port Forwarding setting for my Router to the server machine

Post by igodspeed » Mon Nov 22, 2021 5:43 pm

Thanks for your help @nobody12. I have just discovered that I am behind a CGNAT, thus port forwarding has been disabled by the ISP. I guess that is the reason why the connection has been rejected. I am looking at ways of TCP punching.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Regarding Port Forwarding setting for my Router to the server machine

Post by nobody12 » Mon Nov 22, 2021 7:06 pm

OK, so I was right with my guess: no public IPv4 address.
My condolences on your situation.
I think if you buy "internet access" from someone, the provider must inform you, actively and before signing the contract, if you are located behind a NAT.
But most people's internet access needs are opening a browser and searching. And of course you pay 5 Euros less for a one-way connection. And then everybody only looks at the price 1st.
Maybe ask them if they offer an IPv4 for a moderate charge; much easier and also much better regarding quality and speed of the VPN.
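
The check this thread converges on, as an added example that is not part of any post: it classifies the router's WAN address (as read from the router's Web-UI) against the address an outside service reports, and flags forwards that break the 1:1 rule. The function names, the sample addresses and the protocol assigned to each sample forward are constructed assumptions.

```python
import ipaddress

# Ranges that can never receive an inbound connection from the internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 carrier-grade NAT
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918

def classify_wan(router_wan_ip, seen_from_internet):
    """Classify the router's WAN address against the address an outside service reports."""
    wan = ipaddress.ip_address(router_wan_ip)
    ext = ipaddress.ip_address(seen_from_internet)
    if wan in CGNAT:
        return "cgnat"            # ISP shared address space
    if any(wan in net for net in PRIVATE):
        return "private-wan"      # another NAT device sits upstream
    if wan != ext:
        return "upstream-nat"     # address is rewritten somewhere past the router
    return "public"

def audit_forwards(rules, wan_status):
    """Return findings for a list of (proto, wan_port, lan_ip, lan_port) forwards."""
    findings = []
    if wan_status != "public":
        findings.append(f"WAN is {wan_status}: no forward on this router "
                        "is reachable from the internet")
    for proto, wan_port, lan_ip, lan_port in rules:
        if wan_port != lan_port:
            findings.append(f"{proto}/{wan_port} -> {lan_ip}:{lan_port} is not a 1:1 mapping")
        if wan_port in (500, 4500) and proto != "udp":
            findings.append(f"{wan_port} must be forwarded as UDP for L2TP/IPsec, not {proto}")
    return findings

# Constructed sample: the port numbers from the first post; the protocol is assumed.
SAMPLE_RULES = [("tcp", 500, "192.168.1.6", 5555),
                ("tcp", 4500, "192.168.1.6", 5555),
                ("tcp", 5555, "192.168.1.6", 5555)]

if __name__ == "__main__":
    # Constructed addresses: a WAN address in the CGNAT range, a documentation-range external one.
    status = classify_wan("100.72.14.9", "203.0.113.45")
    print(status)
    for finding in audit_forwards(SAMPLE_RULES, status):
        print(" -", finding)
```

A "cgnat", "private-wan" or "upstream-nat" result means the router's port forwards cannot be reached from outside regardless of how they are configured, which matches the all-ports-closed result reported in the thread.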
