PC-to-LAN connection ok, but can't ping VPN server

machiavellino
Posts: 5
Joined: Tue Apr 14, 2015 1:11 pm

PC-to-LAN connection ok, but can't ping VPN server

Post by machiavellino » Tue Apr 14, 2015 1:53 pm

Hello everyone, I have a problem I can't figure out.

I have a Lubuntu 12.04 32 bit server with this version
softether-vpnserver-v4.15-9546-beta-2015.04.05-linux-x86-32bit.tar.gz
of SoftEther installed, running as a service as root.
I have one private IP address assigned to the only network interface present (eth0: 192.168.2.45).
I have configured a single virtual hub, and via "Local Bridge settings" I created a bridge on that hub, selecting
the virtual hub, "Bridge with Physical Existing Network Adapter", and the eth0 network adapter.
There is a DHCP server on the 192.168.2.0 subnet that serves from 192.168.2.201 to .250.

When a client connects, it is assigned an IP address from the DHCP server; from the clients I can access almost all the 192.168.2.0 addresses and vice versa.
But I can't ping/access the VPN server IP (192.168.2.45), and I can't ping clients from the VPN server.

From the VPN server (192.168.2.45):
ping 192.168.2.240 (which is a connected client) returns

PING 192.168.2.240 (192.168.2.240) 56(84) bytes of data.
From 192.168.2.45 icmp_seq=3 Destination Host Unreachable


and from the client (192.168.2.240):
C:\Windows\system32>ping 192.168.2.45

Pinging 192.168.2.45 with 32 bytes of data:
Request timed out.
Request timed out.


Any other IP 192.168.2.x has no problems with clients, and the VPN server has a problem only when pinging clients; other IPs on the subnet
can ping the VPN server.



I don't know why.

Can someone help me?
I've attached the configuration file.

Thank you.

Linux wmware 3.2.0-80-generic #116-Ubuntu SMP Mon Mar 23 17:11:32 UTC 2015 i686 i686 i386 GNU/Linux

eth0 Link encap:Ethernet HWaddr 00:d0:b7:75:51:86
inet addr:192.168.2.45 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::2d0:b7ff:fe75:5186/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1755617 errors:0 dropped:0 overruns:0 frame:0
TX packets:1875849 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1095601272 (1.0 GB) TX bytes:737501151 (737.5 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6013 errors:0 dropped:0 overruns:0 frame:0
TX packets:6013 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:715164 (715.1 KB) TX bytes:715164 (715.1 KB)

ixlabs
Posts: 8
Joined: Thu Dec 04, 2014 11:43 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by ixlabs » Tue Apr 14, 2015 5:18 pm

A good way to debug the problem is:

Run traceroute and check if it follows the right path.
If yes, maybe the returning ACK is not well configured; in that case, try tcpdump on the side that is not receiving the ping, because it is possible the packet reaches the target but the ACK doesn't know how to come back to you.

This is a good starting point.

machiavellino
Posts: 5
Joined: Tue Apr 14, 2015 1:11 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by machiavellino » Tue Apr 14, 2015 5:55 pm

ixlabs wrote:
> A good way to debug the problem is:
>
> Run traceroute and check if it follows the right path.
> If yes, maybe the returning ACK is not well configured; in that case, try
> tcpdump on the side that is not receiving the ping, because it is possible
> the packet reaches the target but the ACK doesn't know how to come back to you.
>
> This is a good starting point.

Hello, and thank you for your answer. Unfortunately I've already tried this, but there is nothing to trace because there is no gateway involved, everything is on the same subnet.

Anyway, from vpn server (192.168.2.45) to client (192.168.2.240) the output is

traceroute to 192.168.2.240 (192.168.2.240), 30 hops max, 60 byte packets
1 192.168.2.45 (192.168.2.45) 2994.736 ms !H 2994.720 ms !H 2994.702 ms !H

From the Windows client to the server it is the same: the client replies saying it can't reach the VPN server IP address.
I can't understand why. It happens only between the VPN server address and the clients. Every other ping combination on the subnet works fine.. client to client, VPN server to other IPs (not clients) on the subnet, client to any IP different from the VPN server.. a mystery?

qupfer
Posts: 198
Joined: Wed Jul 10, 2013 2:07 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by qupfer » Wed Apr 15, 2015 5:25 pm

RTFM! (3.6.11)
https://www.softether.org/4-docs/1-manu ... al_Bridges


If you want to reach your "server" through the VPN, you need either two real network interfaces or you bridge to a virtual tap device.
If you are using a tap device, you need further steps to achieve connectivity between VPN clients and other local network devices. For example a second bridge between eth0 and tap0, or use a second subnet for VPN clients and route them, or use the NAT function of iptables.

machiavellino
Posts: 5
Joined: Tue Apr 14, 2015 1:11 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by machiavellino » Thu Apr 16, 2015 10:18 am

qupfer wrote:
> RTFM! (3.6.11)
>
> https://www.softether.org/4-docs/1-manu ... al_Bridges
>
>
> If you want to reach your "server" through the VPN, you need
> either two real network interfaces or you bridge to a virtual tap device.
> If you are using a tap device, you need further steps to achieve
> connectivity between VPN clients and other local network devices. For example
> a second bridge between eth0 and tap0, or use a second subnet for
> VPN clients and route them, or use the NAT function of iptables.

Thank you for your reply.
I used the "NAT" solution you describe (but using a Windows fake network adapter, not a tap device created by SoftEther) in another situation, where I have a Windows VPN server with SoftEther, a real device with a public IP, and I created a dummy device in Windows with a local address 192.168.3.1. I set up the Windows DHCP serving on 192.168.3.1 and installed the Windows NAT service, allowing clients on 192.168.3.x to use the VPN server's internet connection, and everything works fine.

But in the case I'm having problems with, I don't want NAT; I just want the client PCs to act as if they were physically connected to the same subnet 192.168.2.x. And they almost are (I do have a local bridge virtual hub - eth0). They can ping the other servers on the subnet, they can ping each other (ping client1 -> (vpnserver ->) client2 works), the server can ping other servers (not VPN-connected), but clients can't reach the VPN server (and vice versa), only the other servers and other clients (VPN-connected from other locations) on the subnet. This is what I can't understand. Why can a client ping everything on the network (other servers physically connected to the same switch the VPN server is attached to, clients), but not the VPN server itself? The server is on the same subnet, and in fact it can ping other servers that are reachable by the clients. No gateways involved in any way...
I guess I will have to create a new dummy interface 192.168.2.x and a bridge between the new dummy interface and the real eth0 as you said (or a new local bridge between the virtual hub and the dummy interface), but I still can't understand why I need two different IPs on the same server, and why one can't be reached from clients.

qupfer
Posts: 198
Joined: Wed Jul 10, 2013 2:07 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by qupfer » Thu Apr 16, 2015 5:59 pm

On Windows, you could "bridge" directly.

On Linux, you have no other choice than a "double" bridge if you want the same subnet.


SoftEther-Hub <-Bridge-> tap_soft <-Bridge-> eth0.

I would try it first "step by step".


Get a "life insurance", like
- shutdown -r +30
(reboot in 30 minutes.... just in case you destroy all connectivity incl. ssh)

"Delete" the bridge between SoftEther and eth0.
Use the SoftEther GUI (from a remote Windows) or vpncmd to create a bridge to a tap device (named "tap_soft")
(take a look at this "nat" tutorial: http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/)

Then install bridge-utils:
- sudo apt-get install bridge-utils

Create a "new" empty bridge:
- sudo brctl addbr br0

Add eth0 to the bridge:
- sudo brctl addif br0 eth0

Check that vpnserver is running and tap_soft exists:
- ip a

Add tap_soft to the bridge:
- sudo brctl addif br0 tap_soft

Let a client connect:
- it should get a DHCP lease from the local DHCP server


If working.... read more about Ubuntu network config and bridges to start them automatically. Many ways are possible.

machiavellino
Posts: 5
Joined: Tue Apr 14, 2015 1:11 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by machiavellino » Fri Apr 17, 2015 2:28 pm

qupfer wrote:
> On Windows, you could "bridge" directly.
>
> On Linux, you have no other choice than a "double" bridge if you want the
> same subnet.
>
>
> SoftEther-Hub <-Bridge-> tap_soft <-Bridge-> eth0.
>
> I would try it first "step by step".
>
>
> Get a "life insurance", like
> - shutdown -r +30
> (reboot in 30 minutes.... just in case you destroy all connectivity incl. ssh)
>
> "Delete" the bridge between SoftEther and eth0.
> Use the SoftEther GUI (from a remote Windows) or vpncmd to create a bridge to a
> tap device (named "tap_soft")
> (take a look at this "nat" tutorial:
> http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/)
>
> Then install bridge-utils:
> - sudo apt-get install bridge-utils
>
> Create a "new" empty bridge:
> - sudo brctl addbr br0
>
> Add eth0 to the bridge:
> - sudo brctl addif br0 eth0
>
> Check that vpnserver is running and tap_soft exists:
> - ip a
>
> Add tap_soft to the bridge:
> - sudo brctl addif br0 tap_soft
>
> Let a client connect:
> - it should get a DHCP lease from the local DHCP server
>
>
> If working.... read more about Ubuntu network config and bridges to start them
> automatically. Many ways are possible.

First of all, thank you for your replies.
Yesterday I tried your first solution: adding a tap device from SoftEther and a new local bridge.

With a tap device, two local bridges (virtual hub - eth0 and virtual hub - tap0), as soon as I set an IP for the tap0 interface I'm able to ping both the tap0 IP and the eth0 IP from clients, and everything seemed to work fine. From clients I can access all the network behind the VPN server and access the internet via the gateway on the 192.168.2.0 subnet.. but... the server (VPN server) is missing internet connectivity. This is something else I can't understand. In this configuration everything works as I wanted, but the VPN server can't reach the internet, while the clients connected to the VPN server CAN. The routing table is as simple as this (on the VPN server):

Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.2.251 0.0.0.0 UG 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 1 0 0 tap_tap0

I can ping the gateway .251, but a traceroute to http://www.google.it gets only as far as the default gateway, then nothing.. with this routing table I expected to reach the internet easily.

With this (giving a higher metric to tap0, or deleting the tap0 device route entry entirely) I can go on the internet (via the .251 gateway) from the VPN server AND clients, but I can't ping client-server or server-client as "usual" (as "usual", clients ping each other via the VPN server, and can ping any 192.168.2.0 server behind the VPN server, but NOT the VPN server itself):
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.2.251 0.0.0.0 UG 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 1 1 0 tap_tap0
192.168.2.0 * 255.255.255.0 U 0 1 0 eth0

Any idea why the VPN server can't use the gateway when the tap device is the "route" for the 192.168.2.0 subnet?
I'm trying your last solution as soon as I can, and I'll let you know.

thisjun
Posts: 2200
Joined: Mon Feb 24, 2014 11:03 am

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by thisjun » Thu Apr 30, 2015 7:59 am

You should read qupfer's answer again.

machiavellino
Posts: 5
Joined: Tue Apr 14, 2015 1:11 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by machiavellino » Wed May 06, 2015 11:39 am

thisjun wrote:
> You should read qupfer's answer again.
I did, that's why I wrote I was going to test his answer. Meanwhile I was asking myself why a simple route table such as the one I used wasn't working.

I realized that I had to use a tap device, but I don't understand why.

At the end, the working solution for me was:
In the interfaces file, adding the following lines (don't assign eth0 an IP address, assign it to br0):
auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
    bridge_ports eth0
    bridge_maxwait 0
    address 192.168.2.45
    gateway 192.168.2.251
    network 192.168.2.0
    netmask 255.255.255.0
    broadcast 192.168.2.255
    dns-nameservers 8.8.8.8

then starting the vpnserver service (in the vpnserver configuration, create a local bridge with a new tap device first),
and finally adding the tap device to the bridge containing eth0:
sudo brctl addif br0 tap_tap0

In this way, at boot I have a br0 interface with IP 192.168.2.45; then when needed (at boot, or manually) I run a script that starts the VPN server (and thus creates the tap device) and adds the tap device to br0.

In this way everything works.

Thanks everyone for the suggestions.
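The script the last post refers to, written out as an added example for this thread (it is not SoftEther's code nor the poster's own): it starts vpnserver, waits for the Local Bridge tap device to appear, attaches it to the br0 bridge that already carries eth0, and wraps the whole change in qupfer's timed-reboot "life insurance". It assumes br0 is defined in /etc/network/interfaces as above, the Local Bridge tap device is named "tap0" (so the kernel interface is tap_tap0), and vpnserver has an init script at /etc/init.d/vpnserver.

```shell
#!/bin/sh
# Added example for this thread (not SoftEther's or the poster's own code):
# start vpnserver and attach its tap device to the br0 bridge that already
# carries eth0, as in the final working configuration above. Assumes br0 is
# defined in /etc/network/interfaces, the Local Bridge tap is named "tap0"
# (kernel interface tap_tap0) and vpnserver has /etc/init.d/vpnserver.
# DRY_RUN=1 echoes the privileged commands instead of running them.
set -eu

BRIDGE="${BRIDGE:-br0}"
TAP="${TAP:-tap_tap0}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only echo it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# True when the kernel knows the interface; tap_tap0 exists only after
# vpnserver has brought up its Local Bridge.
iface_exists() { [ -d "/sys/class/net/$1" ]; }

# True when interface $1 is already a port of bridge $2, so re-running the
# script does not fail with "device is already a member of a bridge".
is_bridge_port() { [ -d "/sys/class/net/$2/brif/$1" ]; }

# Poll up to $2 seconds for interface $1 to appear.
wait_for_iface() {
    n=0
    while ! iface_exists "$1"; do
        n=$((n + 1)); [ "$n" -lt "$2" ] || return 1; sleep 1
    done
}

attach_tap() {
    run /etc/init.d/vpnserver start
    if [ "$DRY_RUN" != "1" ]; then
        wait_for_iface "$TAP" 30 || { echo "$TAP never appeared: Local Bridge configured?" >&2; return 1; }
        if is_bridge_port "$TAP" "$BRIDGE"; then echo "$TAP already on $BRIDGE"; return 0; fi
    fi
    run brctl addif "$BRIDGE" "$TAP"
    run brctl show "$BRIDGE"
}

# "Life insurance": the pending reboot is cancelled only if every step succeeded.
main() {
    run shutdown -r +30
    attach_tap
    run shutdown -c
}
case "${1:-}" in --run) main ;; esac
```

Run it as root with `--run` (e.g. from /etc/rc.local) to apply the change; `DRY_RUN=1 sh attach_tap.sh --run` only prints the commands that would be executed.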
