I am trying to set up a VPN server that is hosted on an HA vSphere cluster. The cluster sits behind a NAT firewall. I can connect to the VPN server with the port forwards I have in place, but I can't get outside the virtual hub to the rest of the network. I have tried using a local bridge, but it seems like it does not work on a virtual NIC interface.
VM is Debian Wheezy 64bit
Lan network: 10.2.0.0/24
Nic on VPN VM Server: 10.2.0.7
IPs in Virtual Hub: 10.2.5.0/24, SecureNAT set up, with .1 being the virtual interface IP and the gateway sent to L2TP/IPsec clients.
I have routing in place on the 10.2.0.0 gateway that directs all of 10.2.5.0/24 to 10.2.0.7. I don't want to NAT the 10.2.5.0/24 IPs on the network. I was hoping to simply route from the 10.2.0.0 network to the 10.2.5.0 network. I don't really want to put an interface into promiscuous mode, as this network has a lot of data flowing across it. There should be a routed model that can handle this, right?
Wayne
Vpn Server behind Nat Firewall hosted on Vmware vSphere HA
Re: Vpn Server behind Nat Firewall hosted on Vmware vSphere H
Praetorian wrote:
> I have tried using a localbridge but it
> seems like it does not work on a virtual nic interface.
Right, L2 bridging is incompatible with VMware and most other virtual NIC implementations.
> I don't really want to put an interface into promiscuous mode as
> this network has a lot of data flowing across it.
SoftEther maintains a MAC table and only carries broadcast traffic and direct traffic across bridge sessions. SoftEther bridging is efficient even for large LANs with hundreds of active nodes.
Remember that a working promiscuous mode is strictly required for SoftEther bridging in any case.
> There should be a routed model that can handle this right?
The `ufw` and `dnsmasq` packages in Debian can both do what you want through a bridged TAP interface with just a few lines in the appropriate configuration file. Read the documentation and configure your favorite firewall package to route everything.
Re: Vpn Server behind Nat Firewall hosted on Vmware vSphere H
I got this working by doing the following.
Set up a TAP-type local bridge in SoftEther. Once the VPN server starts up with the TAP-type local bridge, a TAP device is created. So I added a `sleep 3` and `ifconfig tap_vpn xxx.xxx.xxx.xxx netmask 255.255.255.0` to the startup script for the vpnserver. That way my TAP interface has an IP in the server's kernel routing table. Then I installed udhcpd and configured it to handle DHCP for the VPN users on the 10.2.5.0 network on the tap_vpn interface only. I also added a line to the start script for the vpnserver to restart the udhcpd service when the vpnserver starts up, so that, just in case the tap_vpn interface was not there when it started, it will restart on that interface now that the interface should be there.
I used the following webpage for ideas on how to do this on Debian: http://wp.secretnest.info/archives/1529
Remember, I am not NATting the VPN users inside the network. I have an upstream firewall that handles all NATting to the internet. Once they VPN in, I can see their 10.2.5.0/24 address in all server logs and such. For my setup I wanted to be able to see the VPN users for troubleshooting issues.
Hope this helps someone else.
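Here is an added example of a startup wrapper that follows the steps in the post above (TAP local bridge, address the TAP device, serve DHCP on it only, restart udhcpd after the interface exists). It is not the poster's script or part of SoftEther; the interface name `tap_vpn`, the install path `/usr/local/vpnserver`, the DNS address 10.2.0.1 and the DHCP pool bounds are assumptions, and the fixed `sleep 3` is replaced by a poll for the device.

```shell
#!/bin/sh
# Added example (not from the thread): start SoftEther with a TAP local bridge on Debian,
# give the TAP device a routed (non-NAT) address and hand DHCP for VPN users to udhcpd.
TAP_IF="tap_vpn"                          # name given to the TAP local bridge in SoftEther
TAP_IP="10.2.5.1"                         # gateway handed to VPN clients, as in the thread
TAP_MASK="255.255.255.0"
VPN_BIN="/usr/local/vpnserver/vpnserver"  # assumed install path
UDHCPD_CONF="/etc/udhcpd.conf"

# Poll for the kernel interface SoftEther creates instead of a blind "sleep 3".
# $1 = interface name, $2 = max seconds to wait (default 10). Returns 1 on timeout.
wait_for_tap() {
    i=0
    while [ "$i" -lt "${2:-10}" ]; do
        [ -d "/sys/class/net/$1" ] && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Render a udhcpd config bound to the TAP interface only, so the LAN's own DHCP
# server on 10.2.0.0/24 is never answered from this host. Pool bounds are assumed.
udhcpd_conf() {
    cat <<EOF
interface $TAP_IF
start 10.2.5.10
end 10.2.5.200
option subnet $TAP_MASK
option router $TAP_IP
option dns 10.2.0.1
option lease 864000
lease_file /var/lib/misc/udhcpd.leases
EOF
}

main() {
    "$VPN_BIN" start
    wait_for_tap "$TAP_IF" 10 || { echo "$TAP_IF did not appear" >&2; exit 1; }
    # Address the TAP device so 10.2.5.0/24 is in the kernel routing table (no NAT here;
    # the LAN gateway routes 10.2.5.0/24 to this host, the upstream firewall NATs to the internet).
    ifconfig "$TAP_IF" "$TAP_IP" netmask "$TAP_MASK" up
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    udhcpd_conf > "$UDHCPD_CONF"
    service udhcpd restart      # re-bind now that tap_vpn exists
}

case "${1:-}" in start) main ;; esac
```

Run it as `sh vpn-start.sh start` from the vpnserver init script; the routed VPN addresses stay visible in server logs as the post describes.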