how to turn softether vpn into a vpn router

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

how to turn softether vpn into a vpn router

Post by shakibamoshiri » Wed Mar 15, 2023 9:00 am

I have been holding this question in mind for the past few months.
It annoys me that each time I connect my phone to the home modem WiFi I have to turn on a VPN (on my phone) to reach sites/apps that have been blocked, or for privacy.
If we have a "raspberry pi box" we can connect to it via its network port, set up a VPN server on it, and share the Internet via the Pi's WiFi access point; the most convenient way of having Internet over a VPN which is up and running 24/7.
The funny part is that a pi here (Iran) is more expensive than a PC (e.g HP ProDesk G4 :| :| :| )
YouTube videos by Rob Braxman
How to Install a VPN Router
Why You Need a VPN Router



Long story short, my idea is using
- my PC (Windows or Linux)
- a SE server (not SE client)
- my modem (a home modem-router)
and when I connect my phone to the modem WiFi I should be connected to the remote VPN server.

Two scenarios to make this fun work
First
- two HUBs one for internal net and one for external net
- a cascade connection in second HUB #2 to a remote SE server
- a Bridge for HUB #1 in home SE server
- inter HUB communication with L3 switch

Second
- two HUBs one for internal net and one for external net
- two Local Bridges, one for each HUB: HUB #1 a network adapter, HUB #2 a tap device
- a cascade connection from HUB #2 to the remote SE server
- using IP route or maybe iproute PBR (Policy Based Routing)

I am still learning L2 switching, so I tried the second scenario.

some clarification
1. Why do I use a VM and not the home PC?
Because I needed to add a second network adapter; with the iproute2 tools it did not work.
2. How do I assign an IP address from SE server Hub #1 to my phone?
Using the network adapter connected to HUB #1 via bridging.

NOTE:
Even though I guessed that when connecting to the home WiFi directly, the modem would handle the traffic and not any of the PCs on the LAN, it was worth the try.
Let's go


########## configuration ##########

Home VPN server on a VM
Hubs:
- SW0
- SW1

SW0
- network: 192.168.30.0/24
- DHCP + DNS
- No NAT
- default gateway 192.168.30.1 over Local Bridge via a network adapter, not a tap device

NOTE:
I added a second network adapter to the VM in order to advertise IP addresses of SW0 (network 192.168.30.0/24).
So when my phone is connected to the home WiFi it gets an IP from the SW0 hub, not from the modem DHCP.

SW1
- no SecureNAT
- cascade connection to a remote server
- a tap device (tap_sw1) IP: 192.168.100.3 (part of remote SE server network)


Remote SE server
- network: 192.168.100.0/24
- DHCP + DNS
- No NAT
- default gateway 192.168.100.1 over Local Bridge via a tap device (tap_vpn)

my Phone connected to home WiFi
- no VPN client
- got IP and DNS server address from home SE server SW0 (network 192.168.30.0/24)
- phone IP: 192.168.30.10


home SE server ip route

ip route show
default via 192.168.1.1 dev ens192 onlink
192.168.1.0/24 dev ens192 proto kernel scope link src 192.168.1.32
192.168.30.0/24 dev ens224 proto kernel scope link src 192.168.30.1
192.168.100.0/24 dev tap_sw1 proto kernel scope link src 192.168.100.3
Two routes were added for:
- the VM network adapter 192.168.30.0/24
- tap_sw1 192.168.100.3/24

home SE server ip table

iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.30.0/24 ! -d 192.168.30.0/24 -o ens192 -j SNAT --to-source 192.168.1.32

remote SE server ip route

ip route show
default via aaa.bbb.ccc.1 dev ens192 onlink
192.168.30.0/24 via 192.168.100.3 dev tap_vpn
192.168.100.0/24 dev tap_vpn proto kernel scope link src 192.168.100.1
aaa.bbb.ccc.0/24 dev ens192 proto kernel scope link src aaa.bbb.ccc.ddd
- "aaa.bbb.ccc.ddd" is the remote SE server's public IP address, gateway, etc.
- "192.168.30.0/24 via 192.168.100.3 dev tap_vpn" is for reaching the gateway from the phone
- "192.168.100.0/24 dev tap_vpn" is for the Local Bridge tap device


remote SE server ip table

iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o ens192 -j SNAT --to-source aaa.bbb.ccc.ddd

my phone ip route

ip route show
103.11.119.148/30 dev rmnet_data5 proto kernel scope link src 103.11.119.150 
192.168.30.0/24 dev wlan0 proto kernel scope link src 192.168.30.10
my phone ip addr

ip -br a | tail -n 4
rmnet_data3@rmnet_ipa0 DOWN
wlan0            UP             192.168.30.10/24 fe80::2470:44ff:fe7c:dad0/64
swlan0           DOWN
p2p0             DOWN
wifi-aware0      DOWN
phone can ping home SE server gateway

ping -c4 192.168.30.1
PING 192.168.30.1 (192.168.30.1) 56(84) bytes of data.
64 bytes from 192.168.30.1: icmp_seq=1 ttl=64 time=17.0 ms
64 bytes from 192.168.30.1: icmp_seq=2 ttl=64 time=18.8 ms
64 bytes from 192.168.30.1: icmp_seq=3 ttl=64 time=18.1 ms
64 bytes from 192.168.30.1: icmp_seq=4 ttl=64 time=17.4 ms

phone can ping remote SE server gateway

ping -c4 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=63 time=141 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=63 time=184 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=63 time=85.7 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=63 time=127 ms
phone can ping the Internet

ping -c4 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=182 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=114 time=204 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=114 time=227 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=114 time=147 ms
Up to this point everything works fine :) but the phone's public IP address is my modem's public IP address :(
NOTE:
Even though I guessed that when connecting to the home WiFi directly, the modem would handle the traffic and not any of the PCs on the LAN, it was worth the try.

Q.1 Can we make this work?
Q.2 How?

Regards
Last edited by shakibamoshiri on Thu Mar 16, 2023 11:52 am, edited 1 time in total.

solo
Posts: 1486
Joined: Sun Feb 14, 2021 10:31 am

Re: how to turn softether vpn into a vpn router

Post by solo » Thu Mar 16, 2023 10:09 am

shakibamoshiri wrote:
Wed Mar 15, 2023 9:00 am
Even though I guessed that connecting to home WiFi directly , the modem will handle the traffic not any of PCs on the LAN but it was worth the try. Q.1 Can we make this work? Q.2 How?
Disable the modem's DHCP and connect to it with a static IP from the home server. Also, both home and remote servers use "ens192" device - is it a rare coincidence or an error?

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Thu Mar 16, 2023 12:50 pm

solo wrote:
Thu Mar 16, 2023 10:09 am
Disable the modem's DHCP and connect to it with a static IP from the home server. Also, both home and remote servers use "ens192" device - is it a rare coincidence or an error?
I thought there was no need to disable the home modem DHCP, since after turning on the phone WiFi it connects to the home SE server, whose network is 192.168.30.0/24; it does not connect to the home modem net 192.168.1.0/24.

To be sure I added it manually, so the phone IP is 192.168.30.10. But this does not solve the challenge, since the DHCP has changed but the default gateway of the phone still comes from the home modem.
- phone ip: 192.168.30.10/24
- phone gateway 192.168.1.1 (home modem)

here is a traceroute from the phone while connected to the WiFi

~ $ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  192.168.1.1 (192.168.1.1)  17.137 ms  16.444 ms  15.588 ms # the home modem gateway
 3  * * *  # my home modem public IP gateway 
 4  * * *
 5  * * *
 6  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
13  dns.google (8.8.8.8)  101.001 ms  98.141 ms  89.199 ms
Is it a rare coincidence or an error?
I did not get your question.
Maybe my objective was not clear enough or I could not express it clearly.
Once the phone connects to the WiFi, its traffic should originate from the remote SE server, not the local network.
Since I was not sure, I tested it, but I think it is not possible with this setup because the phone's gateway cannot be changed without a client installed on the phone.

Two solutions come to mind
1. if I root the phone, it may be possible using the "ip" command to create a custom table with a default gateway of 192.168.100.1
2. a PC with an SE server connected to another SE server via a cascade connection, sharing the PC's net over a WiFi hotspot

I tested method #2 on my laptop and it works perfectly. Windows 10 has a WiFi hotspot, and since the CC operates at L2, the traffic of any device connected to the laptop WiFi is routed to the remote SE server. So the laptop acts like a VPN router.

For Linux, which does not have a hotspot built in, one has to be installed.
The most convenient way is using the home modem, which seems not to work.

solo
Posts: 1486
Joined: Sun Feb 14, 2021 10:31 am

Re: how to turn softether vpn into a vpn router

Post by solo » Fri Mar 24, 2023 4:43 am

shakibamoshiri wrote:
Thu Mar 16, 2023 12:50 pm
I thought no need to disable the home modem DHCP,
...
I think it is not possible with this setup because the phone gateway cannot be change without a client installed on the phone.
...
The most convenient way is by using home modem which seems not to work
Everything works perfectly but the router's DHCP server has to be disabled. The following L2/L3 network topology addresses all your deliberations and overcomes any potential obstacles because the router transparently offers a VPN connection as if it was a normal ISP WAN NAT via LAN or WiFi. This method applies to any router with any firmware.

  WAN
+---------+               +---------+
|         |               |         |
| Router  |WiFi.......WiFi| PC2     |
|         |               |         |
+---------+               +---------+
  LAN
   |
   |
   |
   |    +---------+
   |    |         |
  LAN---| PC1     |
   |    |         |
   |    +---------+
   |    +---------+
  NIC1--|         |
   |    | VB      |
  NIC2--|         |
        +---------+
PREREQUISITES

- router's LAN subnet != dnsmasq's DHCP subnet
- router DHCP off
- PC1 host LAN on static IP
- VM on PC1
- VPN client preinstalled in VM (I connect to VPN Gate)

VM/VB 2x NICs:
NIC1 - enp0s3 - NAT on host's LAN
NIC2 - enp0s8 - bridged to host's LAN

VBoxManage showvminfo...
NIC 1: Attachment: NAT, Cable connected: on, Trace: off (file: none), Type: Am79C973, Reported speed: 0 Mbps, Boot priority: 0, Promisc Policy: allow-all, Bandwidth group: none
NIC 1 Rule(0):   name = SEclient, protocol = tcp, host ip = , host port = 9931, guest ip = , guest port = 9930
NIC 1 Rule(1):   name = SEserver, protocol = tcp, host ip = , host port = 443, guest ip = , guest port = 443
NIC 1 Rule(2):   name = ssh, protocol = tcp, host ip = , host port = 3022, guest ip = , guest port = 22
NIC 2: Attachment: Bridged Interface 'Intel(R) Ethernet Connection (2) I219-V', Cable connected: on, Trace: off (file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0, Promisc Policy: allow-all, Bandwidth group: none
BOOT VM AND...

ifconfig enp0s8 192.168.9.1 netmask 255.255.255.0 promisc arp up

/usr/local/vpnclient/vpncmd /CLIENT localhost /CMD AccountConnect public-vpn-185.opengw.net
dhclient vpn_vpn
ip route add default via 10.245.254.254 dev vpn_vpn table 99
ip rule add iif enp0s8 table 99
iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o vpn_vpn -j MASQUERADE

route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s3
10.245.0.0      0.0.0.0         255.255.0.0     U     0      0        0 vpn_vpn
192.168.9.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s8

nano /etc/dnsmasq.conf
interface=enp0s8
dhcp-range=192.168.9.99,192.168.9.199,12h
dhcp-option=3,192.168.9.1
dhcp-option=6,1.1.1.1

systemctl restart dnsmasq
Windows PC2 connected via WiFi to the above router

Ethernet adapter Wireless Network Connection:
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.9.121
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.9.1
        DHCP Server . . . . . . . . . . . : 192.168.9.1
        DNS Servers . . . . . . . . . . . : 1.1.1.1
        Lease Obtained. . . . . . . . . . : Friday, 24 March 2023 13:17:51
        Lease Expires . . . . . . . . . . : Saturday, 25 March 2023 01:17:51

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.9.1   192.168.9.121       9
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.9.0    255.255.255.0    192.168.9.121   192.168.9.121       9
    192.168.9.121  255.255.255.255        127.0.0.1       127.0.0.1       9
    192.168.9.255  255.255.255.255    192.168.9.121   192.168.9.121       9
        224.0.0.0        240.0.0.0    192.168.9.121   192.168.9.121       9
  255.255.255.255  255.255.255.255    192.168.9.121               2       1
  255.255.255.255  255.255.255.255    192.168.9.121           10007       1
  255.255.255.255  255.255.255.255    192.168.9.121               4       1
  255.255.255.255  255.255.255.255    192.168.9.121   192.168.9.121       1
  255.255.255.255  255.255.255.255    192.168.9.121               3       1
Default Gateway:       192.168.9.1

ping 192.168.9.1
Pinging 192.168.9.1 with 32 bytes of data:
Reply from 192.168.9.1: bytes=32 time=1ms TTL=64
Reply from 192.168.9.1: bytes=32 time=1ms TTL=64
Reply from 192.168.9.1: bytes=32 time=4ms TTL=64
Reply from 192.168.9.1: bytes=32 time=2ms TTL=64

ping 10.245.74.108
Pinging 10.245.74.108 with 32 bytes of data:
Reply from 10.245.74.108: bytes=32 time=1ms TTL=64
Reply from 10.245.74.108: bytes=32 time=1ms TTL=64
Reply from 10.245.74.108: bytes=32 time=1ms TTL=64
Reply from 10.245.74.108: bytes=32 time=1ms TTL=64

ping 10.245.254.254
Pinging 10.245.254.254 with 32 bytes of data:
Reply from 10.245.254.254: bytes=32 time=348ms TTL=63
Reply from 10.245.254.254: bytes=32 time=315ms TTL=63
Reply from 10.245.254.254: bytes=32 time=265ms TTL=63
Reply from 10.245.254.254: bytes=32 time=259ms TTL=63

tracert 9.9.9.9
Tracing route to dns9.quad9.net [9.9.9.9] over a maximum of 30 hops:
  1     1 ms     4 ms     1 ms  192.168.9.1
  2   271 ms   250 ms   248 ms  10.245.254.254
  3   497 ms   289 ms   271 ms  gw2.vpngate.v4.open.ad.jp [219.100.37.253]
  4   293 ms   252 ms   258 ms  igp1.green.v4.open.ad.jp [202.222.12.190]
  5   321 ms   258 ms   271 ms  bgp3.openospf1.v4.open.ad.jp [202.222.12.33]
  6   283 ms   290 ms   265 ms  150.99.184.33
  7   277 ms   283 ms   250 ms  150.99.21.21
  8     *        *        *     Request timed out.
  9   291 ms   247 ms   310 ms  p200.hnd.ty8-cr1.gslnetworks.com [103.137.13.9]
 10   285 ms   253 ms   254 ms  203.10.98.35
 11   295 ms   402 ms   440 ms  dns9.quad9.net [9.9.9.9]
Trace complete.
It works with any VPN client. One can use OpenVPN instead of SE, like in this example, just change interface names.

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Fri Mar 24, 2023 1:35 pm

solo wrote:
Fri Mar 24, 2023 4:43 am
It works with any VPN client. One can use OpenVPN instead of SE, like in this example, just change interface names.
I could make my setup work now. I use a CC on the VM and either of the settings below finalizes it:
- ip route add default
- ip rule add iif ... lookup N + ip route add .... table N

first fix
- home modem DHCP disabled

second fix
- POSTROUTING on remote VPN server added for 192.168.30.0/24

Even though it works now and was tested with several LAN and WiFi devices, I am not satisfied with it :| and would like to take it to a further level.
I had three cases in mind
1. SoftEther VPN router non-VM solution (tested on my laptop with a WiFi hotspot -- worked)
2. SoftEther VPN router VM solution (tested, you tested, worked)
3. SoftEther VPN router hardware solution (next test)

Why a VPN router on a physical machine?
1. less resource consumption -- my VMware host is an old HP with 64 RAM; it is not wise to run it just for one VM which is our VPN router
2. portability -- I can buy a relatively cheap HP mini PC and move it around + it can be up 24/7 with less power consumption
3. making profit -- we can pre-configure those HP mini PCs and sell them
4. promoting SoftEther -- selling a product whose core functionality is done by the SE server

For the #3 test (router hardware solution), since we do not have a VM we cannot add a NIC adapter as we did with VMware or VirtualBox.
So I went ahead and tested whether DHCP gets advertised using these devices:
- SE tap_xxx -- no, did not work
- SE tap_xxx + ip bridge -- no, did not work
- SE tap_xxx + ip bridge + ip dummy -- did not work
- SE Ethernet hooked to an ip "veth" Ethernet type -- no, did not work


In these three cases the DHCP is not advertised and devices on the LAN do not get an IP.
I feel we should install a tool to be able to create a NIC like "ens224" on our physical machine.

Do you know any tool or any workaround to create a NIC like "ens224"?
Last edited by shakibamoshiri on Sat Apr 01, 2023 10:14 am, edited 2 times in total.

solo
Posts: 1486
Joined: Sun Feb 14, 2021 10:31 am

Re: how to turn softether vpn into a vpn router

Post by solo » Mon Mar 27, 2023 10:21 am

shakibamoshiri wrote:
Fri Mar 24, 2023 1:35 pm
- SE tap_xxx -- no did not work
- SE tap_xxx + ip bridge -- no did not work
- SE tap_xxx + ip bridge + ip dummy -- did not work
- SE Ethernet hooked to ip "veth" Ethernet type -- no did not work
An alias IP works for me. No more VMs, only real PCs...

		Linux PC1

ifconfig enp2s0:0 192.168.9.1 netmask 255.255.255.0 promisc arp up

ifconfig
...
enp2s0    Link encap:Ethernet  HWaddr ac:22:0b:6f:31:4b
          inet addr:192.168.55.55  Bcast:192.168.55.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

enp2s0:0  Link encap:Ethernet  HWaddr ac:22:0b:6f:31:4b
          inet addr:192.168.9.1  Bcast:192.168.9.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
...

nano /etc/dnsmasq.conf

interface=enp2s0
dhcp-range=192.168.9.99,192.168.9.199,12h
dhcp-option=3,192.168.9.1
dhcp-option=6,1.1.1.1

systemctl restart dnsmasq


		Windows PC2

dhcptest --quiet --query --wait --tries 5 --timeout 10

  op=BOOTREPLY chaddr=DE:72:5C:E9:86:96 hops=0 xid=00750597 secs=0 flags=8000
  ciaddr=0.0.0.0 yiaddr=192.168.9.171 siaddr=192.168.9.1 giaddr=0.0.0.0 sname= file=  9 options:
     53 (DHCP Message Type): offer
     54 (Server Identifier): 192.168.9.1
     51 (IP Address Lease Time): 43200 (12 hours)
     58 (Renewal (T1) Time Value): 21600 (6 hours)
     59 (Rebinding (T2) Time Value): 37800 (10 hours and 30 minutes)
      1 (Subnet Mask): 255.255.255.0
     28 (Broadcast Address Option): 192.168.9.255
      6 (Domain Name Server Option): 1.1.1.1
      3 (Router Option): 192.168.9.1

route add 192.168.9.0 mask 255.255.255.0 192.168.55.55

ping 192.168.9.1
Pinging 192.168.9.1 with 32 bytes of data:
Reply from 192.168.9.1: bytes=32 time<1ms TTL=64
Reply from 192.168.9.1: bytes=32 time<1ms TTL=64
Reply from 192.168.9.1: bytes=32 time<1ms TTL=64
Reply from 192.168.9.1: bytes=32 time<1ms TTL=64

  WAN
+---------+               +---------+
|         |               |         |
| Router  |LAN---------LAN| PC2     |
|         |               |         |
+---------+               +---------+
  LAN 192.168.55.1        192.168.55.174
   |
   |
   |
   |    +---------+
   |    |         |
  LAN---| PC1     |
        |         |
        +---------+
        192.168.55.55
        192.168.9.1 (alias)

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Mon Mar 27, 2023 10:46 am

solo wrote:
Mon Mar 27, 2023 10:21 am
An alias IP works for me. No more VMs, only real PCs...
Good and thank you.

I thought of an "alias" but did not test it; I ran two other tests and they worked:
1. two IP/NET on a single interface, on the main one
2. iproute2 => macvlan

Both work, and yes, VMs are not needed, so I ordered an HP thin client for the final test.

solo
Posts: 1486
Joined: Sun Feb 14, 2021 10:31 am

Re: how to turn softether vpn into a vpn router

Post by solo » Mon Mar 27, 2023 1:13 pm

shakibamoshiri wrote:
Mon Mar 27, 2023 10:46 am
I ordered an HP thin client for final test.
Which model/version/specs? Can it beat a $20 GL.iNet GL-MT300N-V2 on OpenWrt firmware and all SoftEther packages ready for instant deployment? :-)

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Mon Mar 27, 2023 4:16 pm

solo wrote:
Mon Mar 27, 2023 1:13 pm
Which model/version/specs? Can it beat a $20 GL.iNet GL-MT300N-V2 on OpenWrt firmware and all SoftEther packages ready for instant deployment? :-)
I think not, because of the sanctions things are really expensive here (Iran).
Here is the model: HP t610 Flexible Series Thin Client
https://support.hp.com/us-en/document/c03235347

I thought of OpenWrt; I do not have a model to flash nor do I think it is available here to buy + building it from scratch is a whole different story.
Not to mention I can code the front end (HTML, CSS, JS) + a backend with Node.js as web server and create a web UI for it :).

I prefer to turn a learning process into a project, and this project is for learning "Linux Networking".
Also without your help it would not have been possible, thank you again.
Last edited by shakibamoshiri on Tue Mar 28, 2023 8:37 pm, edited 1 time in total.

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Mon Mar 27, 2023 4:39 pm

Oh it is available here to buy for $35
https://www.haio.ir/gl-mt300n-v2-mini-smart-router/

ha ha
Memory / Storage DDR2 128MB / FLASH 16MB

I prefer installing Debian and pre-configuring it. Lots of features can be added, e.g.
- DNS ad and malware blocker
- OpenConnect server as backup if SE fails
- Node.js and HTML to build a home page :) :) on 192.168.30.1 and add your own background image

Oh man, I can install Arch linux or even Alpine

solo
Posts: 1486
Joined: Sun Feb 14, 2021 10:31 am

Re: how to turn softether vpn into a vpn router

Post by solo » Tue Mar 28, 2023 2:02 am

The HP is OK for a VPN server.
The GL is ideal for a home VPN client.
Let us know about the progress of your projects.

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Fri Mar 31, 2023 11:42 am

solo wrote:
Tue Mar 28, 2023 2:02 am
The HP is OK for a VPN server.
The GL is ideal for a home VPN client.
Let us know about the progress of your projects.
Yesterday I got it and set it up.


Device
HP thin client with AMD CPU x86 supporting 64 bit data width (2 cores) and 2G RAM
16G Disk

OS
Debian server 11 standard x86_64

VPN server
- local: SE server stable with two hubs, one for vDHCP, the other one for the CC
- remote: SE server stable with one hub

DNS server (local)
- dnsmasq
- Ad + malware blocking https://github.com/StevenBlack/hosts

Route
- iproute2 => veth for the second hub, connected to the remote server via CC
- iproute2 => macvlan for the first hub, used for the vDHCP part (it is faster than dnsmasq)
- iproute2 => PBR on the macvlan interface for outbound connections

So far so good; everything is persistent and the server comes up after a reboot without any problem (just plug-and-play into the modem works fine).

First issue
Unfortunately the device (HP) is bigger and heavier than I thought. Before buying it seemed smaller and lighter :|
So I should look for something at least half the size and weight, but at this cost ($21).

Second issue -- DNS leak
The local DNS server (dnsmasq) listens on "192.168.40.1", which is the vDHCP gateway.

# To use this computer to listen on its LAN IP address for other computers on the network.
listen-address=::1,127.0.0.1,192.168.40.1

# Set the number of cached domain names
cache-size=1000

# Google's nameservers, for example
server=8.8.8.8
server=1.1.1.1

# Uncomment expand-hosts to add the custom domain to hosts entries:
expand-hosts
When a client is assigned an IP via vDHCP, if the vDHCP DNS is set to 192.168.40.1, DNS queries for blocked websites fail, since 192.168.40.1 is inside the server and the requests go to the default gateway of the modem, which is 192.168.1.1, so blocked websites cannot be opened.

solution 1) use any DNS server which is not located on the HP server, e.g. 8.8.8.8 (okay, but ads and malware are not blocked)
solution 2) run a dnsmasq DNS server (+ ad and malware blocking) on the remote SE server and set the vDHCP DNS to that, e.g. 192.168.100.1 (okay, ads and malware are blocked, but the query response is slower than a local DNS)
solution 3) set the VPN gateway as the default route inside the server (not a good idea)

@solo any other solution you have?

ip rule show 
0:	from all lookup local
32765:	from 192.168.40.0/24 iif macvlan0 lookup 1000
32766:	from all lookup main
32767:	from all lookup default
Based on the "ip rule" output it seemed to me that any request from 192.168.40.0/24 would go to PBR, but it did not, so the DNS server resolves blocked websites to a domestic IP, e.g. 10.10.34.35.

Third issue -- repetitive routes
On the remote SE server side, a route has to be added via the local server IP address set for the bridge, e.g.

# remote SE server
192.168.40.0/24 via 192.168.100.4 dev tap_vpn
This is okay, but a second route for the same network cannot be added, since one for 192.168.40.0/24 already exists. For example, if a second VPN router is set to 192.168.100.5 then

192.168.40.0/24 via 192.168.100.5 dev tap_vpn
fails.

solution 1) use a different network for vDHCP, e.g. 192.168.41.0/24
solution 2) I think, use the iproute => VRF (Virtual Routing and Forwarding) feature, which is used for VPNs when we have a routing conflict

@solo any other solution you know?

So the next phase is to find the best solution for issues #2 and #3.
Last edited by shakibamoshiri on Fri Mar 31, 2023 5:16 pm, edited 1 time in total.

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Fri Mar 31, 2023 4:24 pm

Second issue -- DNS leak
three adjustments seem to solve this issue (more testing is needed)

1.

root@debian:~# cat /etc/resolv.conf
nameserver ::1
nameserver 127.0.0.1
2.

1.1.1.1 via 192.168.100.1 dev gw4vpn 
8.8.8.8 via 192.168.100.1 dev gw4vpn
3.
Using the SE developer version on both sides and a cascade connection using an IP address, not a domain name.
Because if a domain name is used, the DNS servers are already set to route via 192.168.100.1, which (the connection) has not been started yet at boot time.

solo
Posts: 1486
Joined: Sun Feb 14, 2021 10:31 am

Re: how to turn softether vpn into a vpn router

Post by solo » Sat Apr 01, 2023 3:14 am

shakibamoshiri wrote:
Fri Mar 31, 2023 11:42 am
When a client is assigned and IP via vDHCP, if the vDHCP DNS be set to 192.168.40.1 , dns query for blocked websites fail since 192.168.40.1 is inside the server and requests go to default gateway of the modem which is 192.168.1.1
Unless you've changed your objectives, this can not possibly happen because a WiFi client knows nothing about the modem, except for WiFi login, exactly as in the original specification:
when I connect my phone to the modem WiFi I should have been connected to the remote VPN server

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Sat Apr 01, 2023 10:09 am

solo wrote:
Sat Apr 01, 2023 3:14 am
Unless you've changed your objectives, this can not possibly happen because a WiFi client knows nothing about the modem, except for WiFi login, exactly as in the original specification:
No objectives have changed.
It is possible since
- the server (VPN Router) default gateway is 192.168.1.1
- the VPN gateway is 192.168.100.1
- the vDHCP gateway is 192.168.40.1
- the vDHCP DNS server is 192.168.40.1
- and dnsmasq listens on 127.0.0.1, 192.168.40.1

vDHCP

Item                           |Value
-------------------------------+--------------
Use Virtual DHCP Function      |Yes
Start Distribution Address Band|192.168.40.10
End Distribution Address Band  |192.168.40.200
Subnet Mask                    |255.255.255.0
Lease Limit (Seconds)          |7200
Default Gateway Address        |192.168.40.1
DNS Server Address 1           |192.168.40.1
DNS Server Address 2           |None
Domain Name                    |
Save NAT and DHCP Operation Log|Yes
Static Routing Table to Push   |
The command completed successfully.
even though the ip rule is

ip rule show 
0:	from all lookup local
32765:	from 192.168.40.0/24 iif macvlan0 lookup 1000
32766:	from all lookup main
32767:	from all lookup default
and the default gateway for table 1000 is

ip route show table 1000
default via 192.168.100.1 dev gw4vpn onlink
yet the dnsmasq query goes out via 192.168.1.1

here is a phone connected to the modem using WiFi

~ $ ping youtube.com
PING youtube.com (10.10.34.35) 56(84) bytes of data.
^C
--- youtube.com ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7301ms

~ $ traceroute  youtube.com
traceroute to youtube.com (10.10.34.35), 30 hops max, 60 byte packets
 1  * * *
 2  192.168.100.1 (192.168.100.1)  199.598 ms  198.580 ms  197.227 ms
 3  a.b.c.d (a.b.c.d)  195.807 ms !N  194.275 ms !N  192.879 ms !N
"a.b.c.d" is the next hop of the SE remote server and traceroute fails at this point.

It is obvious here that the DNS query to resolve the youtube IP address won't go to the VPN gateway.
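As an added illustration (not code from the thread, SoftEther or iproute2), the following Python models the ip rule / ip route lookup the kernel performs, using the rules and tables posted above. It shows why a phone packet arriving on macvlan0 is routed by table 1000 while dnsmasq's own upstream query, which has no incoming interface and no source address yet, falls through to the main table and the modem, and how the /32 host routes for 8.8.8.8 and 1.1.1.1 from the later "Second issue" fix change that. The uplink interface name ens192 and its modem gateway 192.168.1.1 are assumed from the earlier VM post; the thin client's real names may differ.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class Route:
    dst: IPv4Net                  # "default" is 0.0.0.0/0
    dev: str
    via: Optional[str] = None     # next hop; None for a directly connected prefix


@dataclass
class Rule:
    table: str
    src: Optional[IPv4Net] = None  # "from X" selector; None means "from all"
    iif: Optional[str] = None      # "iif X" selector; None means no iif condition


def lookup_table(table: List[Route], dst: IPv4Addr) -> Optional[Route]:
    """Longest-prefix match inside a single routing table."""
    best = None
    for r in table:
        if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def route(rules: List[Rule], tables: Dict[str, List[Route]], dst: str,
          src: Optional[str] = None, iif: Optional[str] = None) -> Optional[Route]:
    """Walk the rules in priority order; the first matching rule whose table
    holds a route for dst decides, as the kernel's fib rule lookup does.
    src is None for a locally generated packet whose source address has not
    been chosen yet (dnsmasq sends upstream queries from an unbound socket),
    so a "from 192.168.40.0/24" rule cannot match it either."""
    dst_ip = IPv4Addr(dst)
    src_ip = IPv4Addr(src) if src else None
    for rule in rules:
        if rule.src is not None and (src_ip is None or src_ip not in rule.src):
            continue
        if rule.iif is not None and iif != rule.iif:
            continue
        hit = lookup_table(tables.get(rule.table, []), dst_ip)
        if hit is not None:
            return hit
    return None


def thread_setup(dns_host_routes: bool) -> Tuple[List[Rule], Dict[str, List[Route]]]:
    """Rules and tables as posted for the thin client VPN router (constructed
    from the thread; ens192/192.168.1.1 for the uplink are assumed). With
    dns_host_routes=True the /32 routes from the 'Second issue' fix are added."""
    main = [
        Route(IPv4Net("0.0.0.0/0"), "ens192", via="192.168.1.1"),   # modem uplink
        Route(IPv4Net("192.168.1.0/24"), "ens192"),
        Route(IPv4Net("192.168.40.0/24"), "macvlan0"),              # vDHCP LAN
        Route(IPv4Net("192.168.100.0/24"), "gw4vpn"),               # cascade bridge
    ]
    if dns_host_routes:
        main += [Route(IPv4Net("8.8.8.8/32"), "gw4vpn", via="192.168.100.1"),
                 Route(IPv4Net("1.1.1.1/32"), "gw4vpn", via="192.168.100.1")]
    tables = {"main": main,
              "1000": [Route(IPv4Net("0.0.0.0/0"), "gw4vpn", via="192.168.100.1")]}
    rules = [Rule("1000", src=IPv4Net("192.168.40.0/24"), iif="macvlan0"),  # prio 32765
             Rule("main")]                                                   # prio 32766
    return rules, tables


def egress_dev(dst: str, src: Optional[str] = None, iif: Optional[str] = None,
               dns_host_routes: bool = False) -> str:
    """Interface a packet to dst would leave on; 'unreachable' if no route."""
    rules, tables = thread_setup(dns_host_routes)
    hit = route(rules, tables, dst, src, iif)
    return hit.dev if hit else "unreachable"


if __name__ == "__main__":
    # Forwarded phone traffic matches the iif/src rule and leaves through the VPN.
    print("phone -> 8.8.8.8:", egress_dev("8.8.8.8", "192.168.40.12", "macvlan0"))
    # dnsmasq's own upstream query: no iif, no source yet -> main table -> modem (leak).
    print("dnsmasq -> 8.8.8.8:", egress_dev("8.8.8.8"))
    # Same query after adding the /32 host routes via the VPN gateway.
    print("dnsmasq -> 8.8.8.8 (fixed):", egress_dev("8.8.8.8", dns_host_routes=True))
```

Note that the host-route fix only covers the resolvers listed in the main table; any other locally originated traffic from the router itself (package updates, NTP) still leaves via the modem, which is what the thread's "solution 3" would change.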

solo
Posts: 1486
Joined: Sun Feb 14, 2021 10:31 am

Re: how to turn softether vpn into a vpn router

Post by solo » Sat Apr 01, 2023 10:38 am

shakibamoshiri wrote:
Sat Apr 01, 2023 10:09 am
here is a phone connected to the modem using WiFi
Well, then we need a "second opinion". Please connect your Windows laptop and post "netstat -r".

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Sat Apr 01, 2023 11:04 am

solo wrote:
Sat Apr 01, 2023 10:38 am
Well, then we need a "second opinion". Please connect your Windows laptop and post "netstat -r".

Please ignore the "persistent route for 192.168.100.1", which happens to be the same as the VPN router's default gateway.
It was for a test I did weeks ago and has nothing to do with the VPN Router.


ipconfig /all

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260
   Physical Address. . . . . . . . . : 34-F3-9A-6B-DC-21
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7477:b58a:ce06:fce1%27(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.40.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, April 1, 2023 3:11:46 PM
   Lease Expires . . . . . . . . . . : Saturday, April 1, 2023 5:11:46 PM
   Default Gateway . . . . . . . . . : 192.168.40.1
   DHCP Server . . . . . . . . . . . : 192.168.40.2
   DHCPv6 IAID . . . . . . . . . . . : 389346202
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-7A-D2-12-34-F3-9A-6B-DC-21
   DNS Servers . . . . . . . . . . . : 192.168.40.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

route print 0.0.0.0

===========================================================================
Interface List
 20...5e d4 f8 e0 4c ed ......VPN Client Adapter - VPN
  8...00 ff 41 ab c5 3b ......TAP-Windows Adapter V9 for OpenVPN Connect
 73...00 15 5d 83 2d 8d ......Hyper-V Virtual Ethernet Adapter
 37...34 f3 9a 6b dc 22 ......Microsoft Wi-Fi Direct Virtual Adapter
 23...36 f3 9a 6b dc 21 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 27...34 f3 9a 6b dc 21 ......Intel(R) Dual Band Wireless-AC 8260
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.40.1    192.168.40.12     50
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.100.1       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
  None
Persistent Routes:
  None

netstat -r

===========================================================================
Interface List
 20...5e d4 f8 e0 4c ed ......VPN Client Adapter - VPN
  8...00 ff 41 ab c5 3b ......TAP-Windows Adapter V9 for OpenVPN Connect
 73...00 15 5d 83 2d 8d ......Hyper-V Virtual Ethernet Adapter
 37...34 f3 9a 6b dc 22 ......Microsoft Wi-Fi Direct Virtual Adapter
 23...36 f3 9a 6b dc 21 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 27...34 f3 9a 6b dc 21 ......Intel(R) Dual Band Wireless-AC 8260
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.40.1    192.168.40.12     50
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     172.20.144.0    255.255.240.0         On-link      172.20.144.1    271
     172.20.144.1  255.255.255.255         On-link      172.20.144.1    271
   172.20.159.255  255.255.255.255         On-link      172.20.144.1    271
     192.168.40.0    255.255.255.0         On-link     192.168.40.12    306
    192.168.40.12  255.255.255.255         On-link     192.168.40.12    306
   192.168.40.255  255.255.255.255         On-link     192.168.40.12    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.40.12    306
        224.0.0.0        240.0.0.0         On-link      172.20.144.1    271
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.40.12    306
  255.255.255.255  255.255.255.255         On-link      172.20.144.1    271
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.100.1       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 27    306 fe80::/64                On-link
 73    271 fe80::/64                On-link
 73    271 fe80::4fc3:2aff:f09e:fef9/128
                                    On-link
 27    306 fe80::7477:b58a:ce06:fce1/128
                                    On-link
  1    331 ff00::/8                 On-link
 27    306 ff00::/8                 On-link
 73    271 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
Again, ping to youtube.com resolves to 10.10.34.35. Why? Because:
- vDHCP is 192.168.40.1
- dnsmasq listens on 192.168.40.1 and forwards queries to 8.8.8.8 or 1.1.1.1
- the default gateway of the VPN router is 192.168.1.1
- so youtube.com will be resolved to 10.10.34.45
But if
1. vDHCP is set to 8.8.8.8, or
2. vDHCP is set to 192.168.100.1, or
3. ip route add 8.8.8.8 via 192.168.100.1
then it works fine.
#1 works since clients (nameserver = 8.8.8.8) send queries to 8.8.8.8, which go to 192.168.40.1 and then to 192.168.100.1.
#2 works since clients (nameserver = 192.168.100.1) send queries that go to 192.168.40.1 and then to 192.168.100.1.
#3 works since clients (nameserver = 192.168.40.1) send queries to 192.168.40.1, then dnsmasq forwards to 8.8.8.8, but 8.8.8.8 goes via 192.168.100.1.

The main issue (DNS leak) happens because the dnsmasq forwarders, 8.8.8.8 or 1.1.1.1, will go to 192.168.1.1.

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Sat Apr 01, 2023 11:49 am

If no static route is added for the DNS forwarders (e.g. 8.8.8.8, 1.1.1.1):

tcpdump -nnel  -i enp3s0  dst port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:09:53.606176 c8:cb:b8:14:4f:2c > 50:46:5d:ad:c3:f4, ethertype IPv4 (0x0800), length 71: 192.168.1.40.60384 > 1.1.1.1.53: 51646+ AAAA? youtube.com. (29)
16:09:53.606216 c8:cb:b8:14:4f:2c > 50:46:5d:ad:c3:f4, ethertype IPv4 (0x0800), length 71: 192.168.1.40.60384 > 8.8.8.8.53: 51646+ AAAA? youtube.com. (29)
16:09:58.610464 c8:cb:b8:14:4f:2c > 50:46:5d:ad:c3:f4, ethertype IPv4 (0x0800), length 71: 192.168.1.40.60384 > 1.1.1.1.53: 51646+ AAAA? youtube.com. (29)
16:09:58.610500 c8:cb:b8:14:4f:2c > 50:46:5d:ad:c3:f4, ethertype IPv4 (0x0800), length 71: 192.168.1.40.60384 > 8.8.8.8.53: 51646+ AAAA? youtube.com. (29)
16:10:03.614890 c8:cb:b8:14:4f:2c > 50:46:5d:ad:c3:f4, ethertype IPv4 (0x0800), length 71: 192.168.1.40.60384 > 1.1.1.1.53: 51646+ AAAA? youtube.com. (29)
16:10:03.614927 c8:cb:b8:14:4f:2c > 50:46:5d:ad:c3:f4, ethertype IPv4 (0x0800), length 71: 192.168.1.40.60384 > 8.8.8.8.53: 51646+ AAAA? youtube.com. (29)
If a static route is added:

ip rule show 
0:	from all lookup local
32763:	from all to 1.1.1.1 lookup 1000
32764:	from all to 8.8.8.8 lookup 1000
32765:	from 192.168.40.0/24 iif macvlan0 lookup 1000
32766:	from all lookup main
32767:	from all lookup default

then

tcpdump -nnel  -i enp3s0  dst port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:18:31.116575 34:f3:9a:6b:dc:21 > e2:d2:b6:c4:cc:59, ethertype IPv4 (0x0800), length 71: 192.168.40.12.61524 > 192.168.40.1.53: 46452+ A? youtube.com. (29)
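
As an added example, not code from this thread or from SoftEther, the following POSIX shell script wraps the policy-routing fix shown above and adds the two checks a router operator would want afterwards: that every dnsmasq forwarder really has an `ip rule` sending it to the VPN table, and that a `tcpdump -nn` capture taken on the WAN interface contains no port-53 packets to those forwarders. The LAN range 192.168.40.0/24, `macvlan0`, table 1000 and the VPN gateway 192.168.100.1 are the thread's own values; `tap_cc` is an assumed name for the cascade tap device, and the sample capture at the bottom is constructed. With DRY_RUN=1 (the default) the script only prints the ip commands; set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example: policy-based routing for a split-tunnel VPN router that runs
# dnsmasq, plus two DNS-leak checks. Not code from the thread or SoftEther.
# Assumed names: tap_cc (cascade tap device), table 1000; the addresses are
# the ones used in the thread.

LAN_NET="${LAN_NET:-192.168.40.0/24}"   # vDHCP range handed to Wi-Fi clients
LAN_IF="${LAN_IF:-macvlan0}"            # interface facing the LAN clients
VPN_GW="${VPN_GW:-192.168.100.1}"       # gateway on the remote SE server side
VPN_IF="${VPN_IF:-tap_cc}"              # assumed name of the cascade tap device
TABLE="${TABLE:-1000}"                  # routing table whose default is the VPN
FORWARDERS="${FORWARDERS:-8.8.8.8 1.1.1.1}"  # dnsmasq server= entries
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = execute (root)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Install the VPN table and the rules that send LAN clients *and* the host's
# own queries to the forwarders through the VPN. Without the "to <forwarder>"
# rules, dnsmasq's upstream queries follow the main table (the ISP gateway).
apply_pbr() {
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    run ip rule add from "$LAN_NET" iif "$LAN_IF" lookup "$TABLE"
    for fwd in $FORWARDERS; do
        run ip rule add to "$fwd" lookup "$TABLE"
    done
}

# Read `ip rule show` output on stdin; succeed only if every forwarder has a
# "to <ip> lookup <table>" rule. Missing ones are listed on stderr.
forwarders_covered() {
    rules=$(cat)
    missing=""
    for fwd in $FORWARDERS; do
        printf '%s\n' "$rules" | grep -qF "to $fwd lookup $TABLE" \
            || missing="$missing $fwd"
    done
    [ -z "$missing" ] && return 0
    echo "forwarders without a VPN rule:$missing" >&2
    return 1
}

# Read `tcpdump -nn` output captured on the WAN interface on stdin and print
# how many packets were sent to port 53 of a forwarder. Any count above zero
# is a DNS leak: those queries bypassed the tunnel.
count_dns_leaks() {
    leaks=0
    while IFS= read -r line; do
        for fwd in $FORWARDERS; do
            case "$line" in
                *" > $fwd.53: "*) leaks=$((leaks + 1)); echo "LEAK: $line" >&2 ;;
            esac
        done
    done
    echo "$leaks"
}

# Constructed sample capture in tcpdump -nn format (WAN side): two leaked
# queries from the host's WAN address and one unrelated packet.
SAMPLE_WAN_CAPTURE='16:09:53.606176 IP 192.168.1.40.60384 > 1.1.1.1.53: 51646+ AAAA? youtube.com. (29)
16:09:53.606216 IP 192.168.1.40.60384 > 8.8.8.8.53: 51646+ AAAA? youtube.com. (29)
16:09:54.000000 IP 192.168.1.40.44321 > 203.0.113.10.443: Flags [S], seq 1, length 0'

if [ "${1-}" = "demo" ]; then
    apply_pbr                                   # prints the plan (DRY_RUN=1)
    printf '%s\n' "$SAMPLE_WAN_CAPTURE" | count_dns_leaks   # prints 2
fi
```

Run `sh script.sh demo` to see the planned commands and the leak count for the constructed capture; on the real router, `ip rule show | forwarders_covered` and `tcpdump -nn -i enp3s0 dst port 53 -c 20 | count_dns_leaks` (after sourcing the script) give the two checks. Note that the `to <forwarder>` rules only help while dnsmasq is the sole resolver on the box: the point of the check is to catch the case the thread hit, where the forwarders are reached via the main table.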

solo
Posts: 1486
Joined: Sun Feb 14, 2021 10:31 am

Re: how to turn softether vpn into a vpn router

Post by solo » Sat Apr 01, 2023 12:11 pm

Add/uncomment in dnsmasq.conf:
no-resolv
?

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Sat Apr 01, 2023 12:28 pm

solo wrote:
Sat Apr 01, 2023 12:11 pm
Add/uncomment in dnsmasq.conf:
no-resolv
?

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv
No, I did not add this option because "resolv.conf" contains 127.0.0.1. Here it is:

cat /etc/resolv.conf
nameserver ::1
nameserver 127.0.0.1
First it was 8.8.8.8 and 1.1.1.1, but I changed it to 127.0.0.1 for IPv4 and IPv6. I guessed that the issue could be "resolv.conf" configured with 8.8.8.8, so I updated it to 127.0.0.1, and yet that did not solve the issue.

I already posted dnsmasq.conf; here it is again:

cat /etc/dnsmasq.conf
# To use this computer to listen on its LAN IP address for other computers on the network.
listen-address=::1,127.0.0.1,192.168.40.1

# Set the number of cached domain names
cache-size=1000

# Google's nameservers, for example
server=8.8.8.8
server=1.1.1.1

# Uncomment expand-hosts to add the custom domain to hosts entries:
expand-hosts
To me the cause is this part, the forwarders:

# Google's nameservers, for example
server=8.8.8.8
server=1.1.1.1

solo
Posts: 1486
Joined: Sun Feb 14, 2021 10:31 am

Re: how to turn softether vpn into a vpn router

Post by solo » Sat Apr 01, 2023 12:58 pm

Just do it. Then check if youtube.com still resolves to 10.10.34.35.

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Sat Apr 01, 2023 1:11 pm

solo wrote:
Sat Apr 01, 2023 12:58 pm
Just do it. Then check if youtube.com still resolves to 10.10.34.35.
Added:

# To use this computer to listen on its LAN IP address for other computers on the network.
listen-address=::1,127.0.0.1,192.168.40.1

# Set the number of cached domain names
cache-size=1000

# Google's nameservers, for example
server=8.8.8.8
server=1.1.1.1

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
no-resolv

# Uncomment expand-hosts to add the custom domain to hosts entries:
expand-hosts
Yet:

ethertype IPv4 (0x0800), length 71: 192.168.40.12.53991 > 192.168.40.1.53: 49697+ A? youtube.com. (29)
ethertype IPv4 (0x0800), length 71: 192.168.1.40.42130 > 1.1.1.1.53: 48607+ A? youtube.com. (29)
ethertype IPv4 (0x0800), length 71: 192.168.1.40.42130 > 8.8.8.8.53: 48607+ A? youtube.com. (29)
client (192.168.40.12) > dnsmasq (192.168.40.1) > forwarder (1.1.1.1 or 8.8.8.8)
and youtube resolves to 10.10.34.35

solo
Posts: 1486
Joined: Sun Feb 14, 2021 10:31 am

Re: how to turn softether vpn into a vpn router

Post by solo » Sun Apr 02, 2023 5:32 am

shakibamoshiri wrote:
Sat Apr 01, 2023 1:11 pm
and youtube resolves to 10.10.34.35
A private IP range, interesting. I've recreated the setup to verify your observations using as usual a VPN Gate connection.

Linux SE server

/usr/local/vpnclient/vpncmd /CLIENT localhost /CMD AccountConnect public-vpn-185
dhclient vpn_vpn
ip route add default via 10.245.254.254 dev vpn_vpn table 99
ip rule add iif tap_tap table 99
ifconfig tap_tap 192.168.9.1 netmask 255.255.255.0 promisc arp up
iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o vpn_vpn -j MASQUERADE

nano /etc/dnsmasq.conf
interface=tap_tap
dhcp-range=192.168.9.99,192.168.9.199,12h
dhcp-option=3,192.168.9.1
dhcp-option=6,192.168.9.1
server=8.8.8.8
server=1.1.1.1
no-resolv

route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.111.1   0.0.0.0         UG    0      0        0 eno1
10.245.0.0      0.0.0.0         255.255.0.0     U     0      0        0 vpn_vpn
192.168.9.0     0.0.0.0         255.255.255.0   U     0      0        0 tap_tap
192.168.111.0   0.0.0.0         255.255.255.0   U     0      0        0 eno1


Windows SE client

Ethernet adapter VPN - VPN Client:
        Description . . . . . . . . . . . : VPN Client Adapter - VPN
        Physical Address. . . . . . . . . : 5E-72-5C-E8-94-33
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.9.172
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.9.1
        DHCP Server . . . . . . . . . . . : 192.168.9.1
        DNS Servers . . . . . . . . . . . : 192.168.9.1

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.9.1   192.168.9.172       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    130.158.6.115  255.255.255.255    192.168.111.1  192.168.111.116      9
      192.168.9.0    255.255.255.0    192.168.9.172   192.168.9.172       1
    192.168.9.172  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.9.255  255.255.255.255    192.168.9.172   192.168.9.172       1
    192.168.111.0    255.255.255.0  192.168.111.116  192.168.111.116      9
  192.168.111.116  255.255.255.255        127.0.0.1       127.0.0.1       9
  192.168.111.149  255.255.255.255  192.168.111.116  192.168.111.116      1
  192.168.111.255  255.255.255.255  192.168.111.116  192.168.111.116      9
...
Default Gateway:       192.168.9.1


tracert 9.9.9.9
Tracing route to dns9.quad9.net [9.9.9.9] over a maximum of 30 hops:
  1     1 ms     1 ms     1 ms  192.168.9.1
  2   297 ms   259 ms   339 ms  10.245.254.254
  3   393 ms   480 ms   378 ms  gw2.vpngate.v4.open.ad.jp [219.100.37.253]
  4   352 ms   360 ms   389 ms  igp1.green.v4.open.ad.jp [202.222.12.190]
  5   560 ms     *      567 ms  bgp3.openospf1.v4.open.ad.jp [202.222.12.33]
  6   280 ms   353 ms   259 ms  150.99.184.33
  7   338 ms   462 ms   327 ms  150.99.10.187
  8     *        *        *     Request timed out.
  9   496 ms   379 ms   582 ms  p200.hnd.ty8-cr1.gslnetworks.com [103.137.13.9]
 10   605 ms   409 ms   510 ms  203.10.98.35
 11   436 ms   431 ms   365 ms  dns9.quad9.net [9.9.9.9]


netsh interface ip show dns

Configuration for interface "VPN - VPN Client"
    DNS servers configured through DHCP:  192.168.9.1
    Register with which suffix:           Primary only
Configuration for interface "Wireless Network Connection"
    Statically Configured DNS Servers:    None
    Register with which suffix:           Primary only
Configuration for interface "Local Area Connection 2"
    DNS servers configured through DHCP:  None
    Register with which suffix:           Primary only


ipconfig /flushdns


nslookup -debug youtube.com 192.168.9.1
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        1.9.168.192.in-addr.arpa, type = PTR, class = IN
------------
*** Can't find server name for address 192.168.9.1: Non-existent domain
Server:  UnKnown
Address:  192.168.9.1
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        youtube.com, type = A, class = IN
    ANSWERS:
    ->  youtube.com
        internet address = 172.217.24.46
        ttl = 198 (3 mins 18 secs)
------------
Non-authoritative answer:
Name:    youtube.com
Address:  172.217.24.46


tracert youtube.com
Tracing route to youtube.com [172.217.24.46] over a maximum of 30 hops:
  1     1 ms     2 ms     1 ms  192.168.9.1
  2   336 ms   272 ms     *     10.245.254.254
  3   381 ms   476 ms   499 ms  gw2.vpngate.v4.open.ad.jp [219.100.37.253]
  4   392 ms   399 ms   289 ms  igp1.green.v4.open.ad.jp [202.222.12.190]
  5   555 ms   513 ms   567 ms  bgp4.openospf2.v4.open.ad.jp [202.222.12.41]
  6   822 ms   610 ms   799 ms  150.99.184.33
  7   747 ms   707 ms     *     150.99.10.187
  8   421 ms   458 ms   638 ms  as15169-2.ix.jpix.ad.jp [210.171.224.95]
  9   529 ms   555 ms   732 ms  108.170.242.146
 10     *      358 ms   639 ms  142.251.254.81
 11   669 ms   580 ms   538 ms  142.250.213.100
 12   705 ms   657 ms   720 ms  142.251.248.145
 13   703 ms   512 ms   518 ms  142.251.242.74
 14   508 ms   472 ms   470 ms  108.170.247.81
 15   449 ms   497 ms   499 ms  216.239.57.119
 16   809 ms   630 ms   809 ms  hkg07s23-in-f14.1e100.net [172.217.24.46]
Trace complete.


nslookup -debug youtube.com 1.1.1.1
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        1.1.1.1.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  1.1.1.1.in-addr.arpa
        name = one.one.one.one
        ttl = 525 (8 mins 45 secs)
------------
Server:  one.one.one.one
Address:  1.1.1.1
DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        youtube.com, type = A, class = IN
    ANSWERS:
    ->  youtube.com
        internet address = 142.251.222.14
        ttl = 43 (43 secs)
------------
Non-authoritative answer:
Name:    youtube.com
Address:  142.251.222.14


nslookup -debug youtube.com 8.8.8.8
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        8.8.8.8.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  8.8.8.8.in-addr.arpa
        name = dns.google
        ttl = 20364 (5 hours 39 mins 24 secs)
------------
Server:  dns.google
Address:  8.8.8.8
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        youtube.com, type = A, class = IN
    ANSWERS:
    ->  youtube.com
        internet address = 172.217.163.46
        ttl = 282 (4 mins 42 secs)
------------
Non-authoritative answer:
Name:    youtube.com
Address:  172.217.163.46
It works for me on an old Ubuntu server edition. Yes, there are shortcuts, but unless you can find something not essentially equivalent to your setup, then we must conclude that your Debian is messing it up. If I can't recreate the problem, I can't diagnose it.

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Sun Apr 02, 2023 6:46 pm

solo wrote:
Sun Apr 02, 2023 5:32 am
A private IP range, interesting. I've recreated the setup to verify your observations using as usual a VPN Gate connection.
10.10.34.35 is the Iranian domestic (and private) IP for domain names which have been blocked.
solo wrote:
Sun Apr 02, 2023 5:32 am
It works for me on an old Ubuntu server edition. Yes, there are shortcuts, but unless you can find something not essentially equivalent to your setup, then we must conclude that your Debian is messing it up. If I can't recreate the problem, I can't diagnose it.
Thank you for running a test.
I do not think the issue is Debian, but it is okay and I will check again:
First, using dnsmasq for both DNS and DHCP.
Second, using an Ubuntu server.

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Mon Apr 03, 2023 8:06 am

solo wrote:
Sun Apr 02, 2023 5:32 am
It works for me on an old Ubuntu server edition. Yes, there are shortcuts, but unless you can find something not essentially equivalent to your setup, then we must conclude that your Debian is messing it up. If I can't recreate the problem, I can't diagnose it.
First, I did not notice this part:

iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o vpn_vpn -j MASQUERADE
So you are using "vpn_vpn", which is a client with a full tunnel, but I am using a cascade connection with a split tunnel. The whole machine's traffic does not go to the remote SE server gateway; I aimed to send only the vDHCP range (= 192.168.40.0/24) to the remote SE server gateway. This is the reason yours works and mine has a DNS leak.

You may ask why I do not use a client connection in full-tunnel mode and prefer a CC in split mode. For two reasons:
- here most protocols have been blocked; OpenVPN, L2TP and SSTP work, but they are not as reliable as the SoftEther protocol
- working with a split tunnel is harder and trickier, but it gives a chance for a more flexible configuration

Also, it is easy to use a CC split tunnel as the default gateway for the host:
1. add a static route for the remote SE server via the host default gateway (so as not to block the remote SE server)
2. delete the host default gateway
3. add a default gateway via the remote SE server gateway
Then the whole machine's traffic goes to the remote SE server, there is no DNS leak, and it works fine.
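
The three-step swap above is easy to get wrong in a way that cuts the cascade itself off: if the old default gateway is deleted before the route to the remote SE server is pinned, the tunnel's own packets have no path out. As an added example, not code from this thread or from SoftEther, the following POSIX shell script performs the steps in the safe order, can revert them, and classifies a pasted `ip route` table as split, full-tunnel, unsafe, or none. SE_SERVER=203.0.113.10 is a placeholder (documentation address), `tap_cc` is an assumed name for the cascade tap device, and HOST_GW/VPN_GW use the thread's addresses. With DRY_RUN=1 (the default) the script only prints the commands.

```shell
#!/bin/sh
# Added example: switch a host from split tunnel (cascade carries only the
# vDHCP range) to full tunnel (cascade is the default gateway) and back,
# without cutting the cascade off. Not code from the thread or SoftEther.
# SE_SERVER is a placeholder; tap_cc is an assumed cascade tap name.

SE_SERVER="${SE_SERVER:-203.0.113.10}"  # remote SE server (placeholder)
HOST_GW="${HOST_GW:-192.168.1.1}"       # home router / ISP gateway
HOST_IF="${HOST_IF:-enp3s0}"            # interface towards the home router
VPN_GW="${VPN_GW:-192.168.100.1}"       # gateway on the remote SE server side
VPN_IF="${VPN_IF:-tap_cc}"              # assumed name of the cascade tap device
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = execute (root)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1 pins the SE server behind the home router; only then is (2) the old
# default removed and (3) the cascade made the default. In this order the
# encrypted packets to the SE server never lose their route.
enable_full_tunnel() {
    run ip route replace "$SE_SERVER/32" via "$HOST_GW" dev "$HOST_IF"
    run ip route del default via "$HOST_GW" dev "$HOST_IF"
    run ip route add default via "$VPN_GW" dev "$VPN_IF"
}

# Going back: one atomic replace swaps the default to the home router, so
# there is no moment without a default route. The /32 pin is harmless and
# may stay; it is what keeps the cascade reachable either way.
disable_full_tunnel() {
    run ip route replace default via "$HOST_GW" dev "$HOST_IF"
}

# Read `ip route` output on stdin and print one of:
#   split        default via the home router (cascade is not the default)
#   full-tunnel  default via the cascade AND the SE server pinned via the router
#   unsafe       default via the cascade but no pin: the tunnel has no exit
#   none         no default route at all
route_state() {
    table=$(cat)
    def=$(printf '%s\n' "$table" | grep '^default ' | head -n1)
    case "$def" in
        "") echo none; return 0 ;;
        *"via $VPN_GW "*)
            if printf '%s\n' "$table" | grep -qF "$SE_SERVER via $HOST_GW"; then
                echo full-tunnel
            else
                echo unsafe
            fi ;;
        *) echo split ;;
    esac
}

# Constructed sample of `ip route` after a careless swap (pin missing).
SAMPLE_ROUTES='default via 192.168.100.1 dev tap_cc
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.40
192.168.100.0/24 dev tap_cc proto kernel scope link src 192.168.100.2'

if [ "${1-}" = "demo" ]; then
    enable_full_tunnel                             # prints the three commands
    printf '%s\n' "$SAMPLE_ROUTES" | route_state   # prints "unsafe"
fi
```

On the real host, `ip route | route_state` (after sourcing the script) tells you which state you are in before and after the swap; "unsafe" means the cascade will drop as soon as its current session times out, and the fix is step 1 alone (`ip route replace <SE server>/32 via <home router>`).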

I can consider the "second issue -- DNS leak" solved, and would like to know your idea about "Third issue -- repetitive routes".
Do you have any experience with iproute2 VRF?
- https://baturin.org/docs/iproute2/#ip-vrf

I tested it; each VRF needs a default gateway, and it did not work after several tests. I think I was not able to do it correctly.

solo
Posts: 1486
Joined: Sun Feb 14, 2021 10:31 am

Re: how to turn softether vpn into a vpn router

Post by solo » Tue Apr 04, 2023 12:21 am

shakibamoshiri wrote:
Mon Apr 03, 2023 8:06 am
would like to know your idea about "Third issue -- repetitive routes"
Third issue --> solution 1, since it's for a second VPN router.

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Tue Apr 04, 2023 3:18 pm

solo wrote:
Tue Apr 04, 2023 12:21 am
Third issue --> solution 1, since it's for a second VPN router.
It works, of course, but I am looking for a scalable solution. In the software and IT world, things that cannot scale will not last.
Anyway, I will search and try to find at least one other solution for the "third issue" using VRF.

Also, what we did so far was making the LAN side work. Last night I was thinking of outside connections to the router, and today I tested it.
A perfect solution is using an L3 switch on a HUB that routes outside users to the remote SE server. Exactly what we solved here:
- how to route default hub to another hub with L3 switch
This works too.

The project is almost complete
- LAN clients can connect
- WAN clients can connect
- I learned more about Networking

                                |          |
                  +-----------> | <------> | =====> [ SE server ]
                  |             |          |
                  |             |          |
                  |             |          |
                  |         LAN | Firewall | Internet
                  |             |          |
                  |             |          |
                  |             |          |
[ VPN Router (SE server) ] <=== | <------> | <===== [ Clients ]
      ^                         |
      |                         |
      |                         |
      |                         |
      +--- [ LAN (users) ]      |          
                                |

It is time to optimize it.

shakibamoshiri
Posts: 289
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to turn softether vpn into a vpn router

Post by shakibamoshiri » Fri Jul 07, 2023 6:40 am

Update

Taking the thin client around for test purposes revealed it is a bit heavy :| and I was thinking of a much lighter system but could not find one.
Then the thought of a live USB VPN router appeared to be a good solution. Finally, after a few weeks of testing, yesterday I tested a live USB and it worked perfectly.
So we can turn an 8G USB stick into a VPN router for just $2 :)
