PC-to-LAN connection ok, but can't ping VPN server

machiavellino
Posts: 5
Joined: Tue Apr 14, 2015 1:11 pm

PC-to-LAN connection ok, but can't ping VPN server

Post by machiavellino » Tue Apr 14, 2015 1:53 pm

Hello everyone, I have a problem I can't figure out.

I have a Lubuntu 12.04 32 bit server with this version
softether-vpnserver-v4.15-9546-beta-2015.04.05-linux-x86-32bit.tar.gz
of SoftEther installed, running as a service as root.
I have one private IP address assigned to the only network interface present (eth0:192.168.2.45).
I have configured a single virtual hub, and via "Local Bridge settings" I created a bridge on that hub, selecting
the virtual hub, "Bridge with Physical Existing Network adapter", and the eth0 network adapter.
There is a dhcp server on the 192.168.2.0 subnet that serves from 192.168.2.201 to .250

When a client connects, it is assigned an IP address from the DHCP server; from the clients I can access almost all the 192.168.2.0 addresses and vice versa.
But I can't ping/access the VPN server IP (192.168.2.45), and I can't ping clients from the VPN server.

From the VPN server (192.168.2.45):
ping 192.168.2.240 (which is a connected client) returns

PING 192.168.2.240 (192.168.2.240) 56(84) bytes of data.
From 192.168.2.45 icmp_seq=3 Destination Host Unreachable


and from the client (192.168.2.240):
C:\Windows\system32>ping 192.168.2.45

Pinging 192.168.2.45 with 32 bytes of data:
Request timed out.
Request timed out.


Any other IP 192.168.2.x has no problems with clients, and the VPN server has problems only with pings to clients; other IPs on the subnet
can ping the VPN server.



I don't know why.

Can someone help me?
I've attached the configuration file.

Thank you.

Linux wmware 3.2.0-80-generic #116-Ubuntu SMP Mon Mar 23 17:11:32 UTC 2015 i686 i686 i386 GNU/Linux

eth0 Link encap:Ethernet HWaddr 00:d0:b7:75:51:86
inet addr:192.168.2.45 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::2d0:b7ff:fe75:5186/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1755617 errors:0 dropped:0 overruns:0 frame:0
TX packets:1875849 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1095601272 (1.0 GB) TX bytes:737501151 (737.5 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6013 errors:0 dropped:0 overruns:0 frame:0
TX packets:6013 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:715164 (715.1 KB) TX bytes:715164 (715.1 KB)

ixlabs
Posts: 8
Joined: Thu Dec 04, 2014 11:43 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by ixlabs » Tue Apr 14, 2015 5:18 pm

A good way to debug the problem is:

Run traceroute and check if it follows the right path
If yes, maybe the returning ACK is not well configured. In that case, try tcpdump on the side that is not receiving the ping, because it is possible the packet reaches the target but the ACK doesn't know how to come back to you.

This is a good starting point.

machiavellino
Posts: 5
Joined: Tue Apr 14, 2015 1:11 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by machiavellino » Tue Apr 14, 2015 5:55 pm

ixlabs wrote:
> A good way to debug the problem is:
>
> Run traceroute and check if it follows the right path
> If yes, maybe the returning ACK is not well configured. In that case, try
> tcpdump on the side that is not receiving the ping, because it is possible
> the packet reaches the target but the ACK doesn't know how to come back to you.
>
> This is a good starting point.

Hello, and thank you for your answer. Unfortunately I've already tried this, but there is nothing to trace because there is no gateway involved; everything is on the same subnet.

Anyway, from the VPN server (192.168.2.45) to the client (192.168.2.240) the output is

traceroute to 192.168.2.240 (192.168.2.240), 30 hops max, 60 byte packets
1 192.168.2.45 (192.168.2.45) 2994.736 ms !H 2994.720 ms !H 2994.702 ms !H

From the Windows client to the server it is the same: the client replies that it can't reach the VPN server IP address.
I can't understand why. It happens only between the VPN server address and the clients. Every other ping combination on the subnet works fine: client to client, VPN server to other IPs (not clients) on the subnet, client to any IP other than the VPN server... a mystery?

qupfer
Posts: 198
Joined: Wed Jul 10, 2013 2:07 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by qupfer » Wed Apr 15, 2015 5:25 pm

RTFM! (3.6.11)
https://www.softether.org/4-docs/1-manu ... al_Bridges


If you want to reach your "server" through the VPN, you need either two real network interfaces or you bridge to a virtual tap device.
If you are using a tap device, you need further steps to achieve connectivity between VPN clients and other local network devices. For example, a second bridge between eth0 and tap0, or use a second subnet for VPN clients and route them, or use the NAT function of iptables.

machiavellino
Posts: 5
Joined: Tue Apr 14, 2015 1:11 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by machiavellino » Thu Apr 16, 2015 10:18 am

qupfer wrote:
> RTFM! (3.6.11)
>
> https://www.softether.org/4-docs/1-manu ... al_Bridges
>
>
> If you want to reach your "server" through the VPN, you need
> either two real network interfaces or you bridge to a virtual tap device.
> If you are using a tap device, you need further steps to achieve
> connectivity between VPN clients and other local network devices. For example,
> a second bridge between eth0 and tap0, or use a second subnet for
> VPN clients and route them, or use the NAT function of iptables.

Thank you for your reply.
I used the "NAT" solution you describe (but using a Windows fake network adapter, not a tap device created by SoftEther) in another situation, where I have a Windows VPN server with SoftEther, a real device with a public IP, and I created a dummy device in Windows with a local address 192.168.3.1. I set the Windows DHCP to serve the 192.168.3.1 network and installed the Windows NAT service, allowing clients on 192.168.3.x to use the VPN server's internet connection, and everything works fine.

But in the case I have a problem with, I don't want NAT; I just want the client PCs to act as if they were physically connected on the same subnet 192.168.2.x. And they almost are (I do have a local bridge virtual hub - eth0). They can ping the other servers on the subnet, they can ping each other (ping client1->(vpnserver->)client2 works), the server can ping other servers (not VPN-connected), but clients can't reach the VPN server (and vice versa), only the other servers and other clients (VPN-connected from other locations) on the subnet. This is what I can't understand. Why can a client ping everything on the network (other servers physically connected to the same switch the VPN server is attached to, clients), but not the VPN server itself? The server is on the same subnet, and in fact it can ping other servers that are reachable by the clients. No gateways involved in any way...
I guess I will have to create a new dummy interface 192.168.2.x and a bridge between the new dummy interface and the real eth0 as you said (or a new local bridge between the virtual hub and the dummy interface), but I still can't understand why I need two different IPs on the same server, and why one can't be reached from clients.

qupfer
Posts: 198
Joined: Wed Jul 10, 2013 2:07 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by qupfer » Thu Apr 16, 2015 5:59 pm

On Windows, you could "bridge" directly.

On Linux, you have no other option than a "double" bridge if you want the same subnet.


SoftEther-Hub <-Bridge-> tap_soft <-Bridge-> eth0.

I would try it first "step by step".


get a "life insurance", like
- shutdown -r 30
(reboot in 30 minutes....just in case you destroy all connectivity, incl. ssh)

"Delete" the bridge between SoftEther and eth0
use the SoftEther GUI (from a remote Windows machine) or vpncmd to create a bridge to a tap device (named "tap_soft")
(take a look in this "nat" tutorial: http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/)

Then install bridgeutils:
- sudo apt-get install bridge-utils

create a "new" empty bridge:
- sudo brctl addbr br0

add eth0 to bridge
- sudo brctl addif br0 eth0

check vpnserver is running and tap_soft exists
- ip a

add tap_soft to bridge
- sudo brctl addif br0 tap_soft

let client connect
- should get dhcp-lease from local dhcp server


If working....read more about Ubuntu network config and bridges to start it automatically. Many ways are possible.

machiavellino
Posts: 5
Joined: Tue Apr 14, 2015 1:11 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by machiavellino » Fri Apr 17, 2015 2:28 pm

qupfer wrote:
> On Windows, you could "bridge" directly.
>
> On Linux, you have no other option than a "double" bridge if you want the
> same subnet.
>
>
> SoftEther-Hub <-Bridge-> tap_soft <-Bridge-> eth0.
>
> I would try it first "step by step".
>
>
> get a "life insurance", like
> - shutdown -r 30
> (reboot in 30 minutes....just in case you destroy all connectivity, incl. ssh)
>
> "Delete" the bridge between SoftEther and eth0
> use the SoftEther GUI (from a remote Windows machine) or vpncmd to create a bridge to a
> tap device (named "tap_soft")
> (take a look in this "nat" tutorial:
> http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/)
>
> Then install bridgeutils:
> - sudo apt-get install bridge-utils
>
> create a "new" empty bridge:
> - sudo brctl addbr br0
>
> add eth0 to bridge
> - sudo brctl addif br0 eth0
>
> check vpnserver is running and tap_soft exists
> - ip a
>
> add tap_soft to bridge
> - sudo brctl addif br0 tap_soft
>
> let client connect
> - should get dhcp-lease from local dhcp server
>
>
> If working....read more about Ubuntu network config and bridges to start it
> automatically. Many ways are possible.

First of all, thank you for your replies.
Yesterday I tried your first solution: adding a tap device from SoftEther and a new local bridge.

With a tap device and two local bridges (virtual hub - eth0 and virtual hub - tap0), as soon as I set an IP for the tap0 interface, I'm able to ping both the tap0 IP and the eth0 IP from clients, and everything seemed to work fine. From clients I can access all the network behind the VPN server and access the internet via the gateway on the 192.168.2.0 subnet... but... the server (VPN server) is missing internet connectivity. This is something else I can't understand. In this configuration everything works as I wanted, but the VPN server can't reach the internet, while the clients connected to the VPN server CAN. The routing table is as simple as this (on the VPN server):

Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.2.251 0.0.0.0 UG 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 1 0 0 tap_tap0

I can ping the gateway .251, but a traceroute to http://www.google.it arrives only at the default gateway, then nothing... with this routing table I expected to reach the internet easily.

With this (giving a higher metric to tap0, or deleting the tap0 route entry entirely) I can reach the internet (via the .251 gateway) from the VPN server AND clients, but I can't ping client-server or server-client, as "usual" (as "usual", clients ping each other via the VPN server and can ping any 192.168.2.0 server behind the VPN server, but NOT the VPN server itself):
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.2.251 0.0.0.0 UG 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 1 1 0 tap_tap0
192.168.2.0 * 255.255.255.0 U 0 1 0 eth0

Any idea why the VPN server can't use the gateway when the tap device is the "route" for the 192.168.2.0 subnet?
I'm trying your last solution as soon as I can, and I'll let you know.

thisjun
Posts: 2277
Joined: Mon Feb 24, 2014 11:03 am

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by thisjun » Thu Apr 30, 2015 7:59 am

You should read qupfer's answer again.

machiavellino
Posts: 5
Joined: Tue Apr 14, 2015 1:11 pm

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by machiavellino » Wed May 06, 2015 11:39 am

thisjun wrote:
> You should read qupfer's answer again.
I did, that's why I wrote I was going to test his answer. Meanwhile I was asking myself why a simple route table such as the one I used wasn't working.

I realized that I had to use a tap device, but I don't understand why.

In the end, the working solution for me was:
in the interfaces file, add the following lines (don't assign eth0 an IP address; assign it to br0):
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
bridge_ports eth0
bridge_maxwait 0
address 192.168.2.45
gateway 192.168.2.251
network 192.168.2.0
netmask 255.255.255.0
broadcast 192.168.2.255
dns-nameservers 8.8.8.8

then start vpnserver (in the vpnserver configuration, create a local bridge with a new tap device first),
and finally add the tap device to the bridge containing eth0:
sudo brctl addif br0 tap_tap0

In this way, at boot I have a br0 interface with IP 192.168.2.45; then when needed (at boot, or manually) I run a script that starts the VPN server (and thus creates the tap device) and adds the tap device to br0.

In this way everything works.

Thanks everyone for the suggestions.
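A shell script that automates the double-bridge procedure from qupfer's step-by-step post and from the working solution above (SoftEther hub <-> tap <-> br0 <-> eth0). This is an added example, not code from the thread or from the SoftEther project. It assumes br0 already exists and carries the host's IP (as in the /etc/network/interfaces snippet), that vpnserver is installed at /usr/local/vpnserver/vpnserver and creates tap_tap0 when it starts, and that bridge-utils is installed; the device and bridge checks through /sys/class/net, the DRY_RUN switch and the file name vpn-bridge-up.sh are assumptions of this example.

```shell
#!/bin/sh
# vpn-bridge-up.sh (assumed name): start vpnserver and attach its tap device
# to the existing LAN bridge, idempotently. Example code, not part of SoftEther.

BRIDGE="${BRIDGE:-br0}"                                  # bridge that holds eth0 and the host IP
TAP="${TAP:-tap_tap0}"                                   # tap created by the hub's local bridge (assumed name)
VPNSERVER="${VPNSERVER:-/usr/local/vpnserver/vpnserver}" # assumed install path
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"                 # overridable so the checks can be exercised without root
DRY_RUN="${DRY_RUN:-0}"                                  # 1 = print the commands instead of running them

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# A network device exists when the kernel exposes a directory for it in sysfs.
dev_exists() {
    [ -d "$SYSFS_NET/$1" ]
}

# A device is a port of a bridge when it is listed under <bridge>/brif/.
in_bridge() {
    [ -d "$SYSFS_NET/$1/brif/$2" ]
}

# Wait up to $2 seconds for device $1; vpnserver creates the tap asynchronously.
wait_for_dev() {
    i=0
    while ! dev_exists "$1"; do
        i=$((i + 1))
        [ "$i" -ge "$2" ] && return 1
        sleep 1
    done
    return 0
}

# Attach the tap only if it is not already a port, so re-running is harmless.
attach_tap() {
    if in_bridge "$BRIDGE" "$TAP"; then
        echo "$TAP already in $BRIDGE"
        return 0
    fi
    run brctl addif "$BRIDGE" "$TAP" || return 1
    run ip link set "$TAP" up
}

main() {
    if ! dev_exists "$BRIDGE"; then
        echo "bridge $BRIDGE missing: check /etc/network/interfaces" >&2
        return 1
    fi
    if ! dev_exists "$TAP"; then
        run "$VPNSERVER" start || return 1
        if ! wait_for_dev "$TAP" 30; then
            echo "$TAP did not appear: check the hub's local bridge to the tap device" >&2
            return 1
        fi
    fi
    attach_tap
}

# Run main only when executed under the script's own (assumed) name, so the
# functions can also be sourced from another script without side effects.
case "$0" in
    *vpn-bridge-up.sh) main "$@" ;;
esac
```

Run it as `sudo ./vpn-bridge-up.sh` once br0 is up, or with `DRY_RUN=1` first to see the commands it would issue, and do the first real run with a scheduled reboot as a fallback, as qupfer suggests, because a bridging mistake can cut the SSH session. Once the tap is a port of br0, every authenticated VPN client has a layer-2 presence on the LAN (ARP, broadcasts, the local DHCP server), so the hub's user authentication and access lists are the only access control between the clients and the LAN; this script does not change that.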

ddoke
Posts: 6
Joined: Thu Dec 13, 2018 11:49 am

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by ddoke » Thu Dec 13, 2018 12:11 pm

Hello!
Sorry to revive this, but I'm experiencing the same issue and the solution here isn't helping.
I've used Softether for a while now, I'm familiar with bridging and routing, I'm in love with the capabilities of this soft, but for the life of me, I can't understand the issue I'm facing here.

I'm using Softether to provide public IPs to VPN clients. I have a /27 netmask, and the gateway is provided by my ISP.
On the client side: I have a router that provides me a layer-2 connection over a dedicated VLAN, which I use with a wireless access point. Any time a client connects to the access point, I get a public IP provided by the VPN server. I can ping everything, I can use the Internet, I can access other hosts of the subnet that are on the server side of the network (not only the WiFi segment / client side), but I cannot ping the IP of the VPN server.
Looking at the ARP table on my client computer, I see it resolves the correct MAC address of my "bridge" interface on the VPN server.
A tcpdump on the VPN server doesn't see any ICMP packets when I ping it from my client, but sees ICMP packets if I ping any other host.
Again, I have a layer-2 tunnel here, so it's not a question of routes on my client. (i.e.: client connects via tap, and need a static route to vPN server to not lose connectivity as soon as the default gateway is pushed by DHCP over TAP).
I tried setting up the bridge interface manually, adding and removing the Softether TAP interface, the server's IP is configured on the bridge interface and not on a member interface, etc...

How do you suggest debugging this?

Thanks!

davidebeatrici
Posts: 31
Joined: Tue Aug 28, 2018 6:44 am

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by davidebeatrici » Thu Dec 13, 2018 8:00 pm

Hello!

I assume you are on Linux. If that's the case, you have to use the local bridge function in order to be able to access your server from inside the VPN tunnel.

Are you using SecureNAT right now?

ddoke
Posts: 6
Joined: Thu Dec 13, 2018 11:49 am

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by ddoke » Fri Dec 14, 2018 10:14 am

Hello!
Thank you for the reply. On Linux indeed.
I'm definitely using the local bridge.
Softether is bridged with a TAP device. The TAP device is a member of a bridge which also has my eth0 interface.
On the CLI: bridgecreate hubname /device:bridgedev /tap:yes
This subsequently created tap_bridgedev
I created a bridge interface in which I bridged eth0 and tap_bridgedev
My bridge interface is the only interface assigned with an IP
Hubname is replaced by the name of my virtual hub.

Clients can communicate with everything, inside or outside the subnet (no NAT and directly using the gateway of the ISP), so this lets me assume the bridge acts as intended.

Any suggestions welcome.

davidebeatrici
Posts: 31
Joined: Tue Aug 28, 2018 6:44 am

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by davidebeatrici » Sat Dec 15, 2018 4:28 am

You are trying to ping the server's VPN IP address and not the public one, right?

ddoke
Posts: 6
Joined: Thu Dec 13, 2018 11:49 am

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by ddoke » Sat Dec 15, 2018 10:51 am

It's the same IP address.
The VPN server has 1 NIC, eth0, with an IP in a /28 range of public IP addresses. Softether has a tap interface bridged with eth0, so that clients can use other public addresses of the /28.
My router, based on Opnsense, connects to it, and bridges the client-side tap interface with a VLAN which has a WiFi accesspoint connected to it.
When a client connects to the accesspoint, they are directly bridged to the Softether server in layer-2, and can use public IP addresses, exit via the gateway of the /28 (which isn't the VPN server), and ping other hosts in the /28 range, local or not (i.e. other accesspoint users, or other hosts server side).
The only host that is unreachable is the VPN server itself.
x.x.x.160 - x.x.x.191 is my network. x.x.x.161 is the gateway. x.x.x.164 is the VPN server. x.x.x.170 is my client behind my accesspoint.
I can ping everything, use the gateway to access the Internet, ping x.x.x.163, 165, 166, etc, but cannot ping x.x.x.164.

Any suggestion?

ddoke
Posts: 6
Joined: Thu Dec 13, 2018 11:49 am

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by ddoke » Tue Dec 18, 2018 6:35 pm

Hello,
this has been tested extensively from any possible angle. It's a very peculiar setup and hardly anybody would experience this issue.
I tried many different sequences of bridging, I tried from a different OS to remove my router out of the loop, and the issue remains the same.
The address of the VPN server becomes unreachable as soon as a session is established. The entire subnet is reachable except the VPN server.
The setup described in most cases is connecting to the VPN server via a public IP, and bridging to the LAN interface. In that scenario, I can ping the LAN IP of my VPN server.
In this case, I am connecting to the VPN server which bridges me to the same Interface, and hands me an IP in the same subnet of public IPs.
I can ping other servers and clients, just can't ping the VPN server itself after the session has been established.

thisjun
Posts: 2277
Joined: Mon Feb 24, 2014 11:03 am

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by thisjun » Thu Jan 24, 2019 6:47 am

Can you ping the public IP of the VPN server before connecting the VPN?

ddoke
Posts: 6
Joined: Thu Dec 13, 2018 11:49 am

Re: PC-to-LAN connection ok, but can't ping VPN server

Post by ddoke » Thu Jan 24, 2019 7:16 am

Yes, of course.
And a host, other than my vpn client, can ping the public IP after my client connects. In other words, the vpn server's public IP doesn't become unreachable after a client connects to the VPN. Only the client itself cannot ping the public IP after it connects, and it is not a route issue.
