SoftEther VPN server not reachable for clients

fancy22
Posts: 4
Joined: Wed Aug 05, 2015 2:30 pm

SoftEther VPN server not reachable for clients

Post by fancy22 » Wed Aug 05, 2015 2:48 pm

Hello,

I have set up a VPN server with SoftEther and can successfully connect from my Windows clients via L2TP/IPsec. I have a Raspberry Pi running the server, and want to be able to connect clients to it so I can access my home LAN. To achieve this, I created a virtual hub and bridged it with my eth0 ("Bridge with physical existing network adapter" option on GUI). Routing works insofar as I have internet access through the VPN and can reach all internal LAN devices -- that is, all BUT the VPN server itself.

Now, I read in the FAQ:
11.1.2 I am unable to communicate with the IP address of the Virtual Network Adapter used for local bridging from within the VPN.
(https://www.softether.org/4-docs/1-manu ... leshooting)

There it says:
"This is a restriction imposed by the Linux kernel. For more information please refer to 3.6 Local Bridges."


So I looked at 3.6 Local Bridges and found in section 3.6.11 the following sentence:
"When wishing to communicate in any form with a UNIX computer used for local bridging from the VPN side (Virtual Hub side), (for instance, when running both the VPN Server / VPN Bridge service & the HTTP Server service and wishing to grant access to the server service from the VPN side as well), prepare and connect a local bridge network adapter and physically connect both it and the existing network adapter to the same segment (as explained in 3.6 Local Bridges, it is recommended to prepare a network adapter for exclusive use in local bridging for this and other situations)."

Forgive me, but I do not understand what this is trying to tell me. Does that mean that I need a second physical network adapter to be able to reach my VPN server through the VPN? This would be unfeasible, and unlikely, since I don't have that problem with other VPN software (StrongSwan).

Should I try "Bridging with a new Tap Device"?
How would you set up what I'm trying to achieve?

Thanks!

kh_tsang
Posts: 551
Joined: Wed Jul 24, 2013 12:09 pm

Re: SoftEther VPN server not reachable for clients

Post by kh_tsang » Wed Aug 05, 2015 3:26 pm

There are two methods.

1. Get a new ethernet adapter and bridge to it. For example, the vpn server IP is at eth0, the virtual hub should be bridged to eth1.
2. Add a tap device, add the tap device and eth0 to a linux bridge. After that, assign the IP of the server on the linux bridge.

fancy22
Posts: 4
Joined: Wed Aug 05, 2015 2:30 pm

Re: SoftEther VPN server not reachable for clients

Post by fancy22 » Wed Aug 05, 2015 8:42 pm

Thank you for your answer.
Option 1 is not possible for me.

I did try Option 2, but it was not successful. To create the tap device and bridge, I used:

~ $ ip tuntap add tap0 mode tap user root   # create a persistent tap device
~ $ ip link set tap0 up
~ $ ip link add br0 type bridge             # create the Linux bridge
~ $ ip link set tap0 master br0             # make the tap a bridge port
~ $ ip link set dev eth0 down
~ $ ip addr flush dev eth0                  # clear eth0's old address before enslaving it
~ $ ip link set dev eth0 up
~ $ ip link set eth0 master br0             # make the physical NIC a bridge port
~ $ ip link set dev br0 up
~ $ ifconfig br0 <LAN-IP-Address>           # the bridge itself now carries the LAN address

The result was that eth0 got some weird autoconfig IP, but the Raspberry remained reachable via the new br0 IP.
I then manually set another LAN IP on eth0, hoping to be able to reach either br0's or eth0's IP address through the tunnel. I also created a new Local Bridge in the SoftEther config GUI, and used br0 for bridging.

But unfortunately, the situation remains the same; I can neither reach br0 nor eth0 through the tunnel.

Did I misunderstand your advice or do you maybe have some idea what I did wrong?
Thanks again!

kh_tsang
Posts: 551
Joined: Wed Jul 24, 2013 12:09 pm

Re: SoftEther VPN server not reachable for clients

Post by kh_tsang » Thu Aug 06, 2015 2:44 am

The tap device should be added in the Local Bridge settings. The SoftEther VPN server will add it automatically for you; the prefix will be "tap_", so the device is not "tap0".

fancy22
Posts: 4
Joined: Wed Aug 05, 2015 2:30 pm

Re: SoftEther VPN server not reachable for clients

Post by fancy22 » Thu Aug 06, 2015 6:58 am

That did the trick, thanks!
In case anyone has the same problem, here is exactly what I did:

1. Prerequisites:
- An installed SoftEther VPN server and one configured Virtual Hub on it
- The server is running on a system with ONE physical network interface (eth0) -- in my case a Raspberry Pi
- eth0 is configured with static IP address 172.16.0.10
- Windows client to perform SoftEther configuration on GUI

2. SoftEther configuration
- On your Virtual Hub, delete any existing Local Bridges (at 'Local Bridge Setting')
- Create a new local bridge for your existing Virtual Hub, under "Type to Create" select "Bridge with new Tap Device". The prefix "tap_" will be added automatically, so if you specify "0" as the "New Tap Device Name", the newly created tap device will be called "tap_0". NOTE: There will be a warning that what you're trying to do is "unusual", asking if you really want to proceed. Yes, you really want to proceed. I found that a bit misleading.
(By the way, I originally tried adding the tap device myself (see commands above, but with "tap_0" as device name), and then wanted to create the Local Bridge in SoftEther using "Bridge with Physical Existing Network Adapter" - but my tap_0 device didn't show up in the drop-down menu (even after a server reboot). So I took the route described here, which worked.)
- Now you should have a tap_0 device, but with an arbitrary IP address. Check that on the shell (ssh or whatever you use). The SoftEther configuration is finished at this point.

3. Create a "Linux Bridge" between eth0 and tap_0
- I created a little script that executes all the necessary commands:
[code]
#!/bin/bash
# mkbridge.sh: put eth0 and SoftEther's tap_0 on a Linux bridge br0
ip link add br0 type bridge          # create the bridge device
ip link set tap_0 master br0         # SoftEther's tap becomes a bridge port
ip link set dev eth0 down
ip addr flush dev eth0               # clear eth0's old address before enslaving it
ip link set dev eth0 up
ip link set eth0 master br0          # the physical NIC becomes a bridge port
ip link set dev br0 up
ifconfig br0 172.16.0.110/24         # address for the bridge itself
ifconfig eth0 172.16.0.10            # original eth0 address, keeps the SSH session alive
ifconfig tap_0 172.16.0.111
[/code]

- I had an SSH connection (and only that) to my Raspberry, so I put those commands in a file, made it executable and started it via SSH (with sudo). Before you execute that, stop the VPN server (/etc/init.d/vpnserver stop). The SSH connection still worked afterwards (as the eth0 address is configured to the same it was before in the script). Then start the VPN server again (/etc/init.d/vpnserver start).

4. Configure port forwarding on your router (if applicable)
I have the typical home setup, so I have my entire network behind a home router. I configured UDP ports 500 and 4500 to be forwarded to 172.16.0.110 (the "Linux bridge" device br0).

And then it worked - I could connect from the outside with my Windows client and was able to reach everything INCLUDING my Raspberry Pi using the 172.16.0.10 address (eth0).

One thing is still missing here: This configuration won't survive a reboot. I guess if you save the little script above to, say, "/home/user/mkbridge.sh", and add the following to /etc/rc.local, it *could* work (bear in mind, this is specific to Debian/Raspbian):

/etc/init.d/vpnserver stop
/home/user/mkbridge.sh
/etc/init.d/vpnserver start


It was quite the adventure. I still don't fully understand why all the fuss is necessary, provocatively speaking, "strongswan can do it without manually creating tap devices and bridges". But, the installation and configuration of SoftEther is just that much better...this is really just a minor inconvenience, and I hope that my little guide will help other people who run into the same issue.

Thanks again!

kh_tsang
Posts: 551
Joined: Wed Jul 24, 2013 12:09 pm

Re: SoftEther VPN server not reachable for clients

Post by kh_tsang » Thu Aug 06, 2015 7:08 am

The vpnserver process must start before adding the tap device to the bridge.

You may edit /etc/init.d/vpnserver. After starting the vpnserver, add a line "sleep 4" to allow the tap device to be created. Then, add your own script after "sleep 4".

fancy22
Posts: 4
Joined: Wed Aug 05, 2015 2:30 pm

Re: SoftEther VPN server not reachable for clients

Post by fancy22 » Thu Aug 06, 2015 7:56 am

Yes, thanks, I also realized that it wouldn't work like that :-)
But I took another approach to solve the problem - I let my script wait until the tap device is created (by SoftEther), then some more, and then configure the bridge. This script gets started in /etc/rc.local. This way, I don't have to modify any files belonging to SoftEther.

The script (I saved it as /home/user/mkbridge.sh):
[code]
#!/bin/bash
# mkbridge.sh: wait for SoftEther's tap_0, then bridge it with eth0

# wait until the tap_0 device comes up (vpnserver creates it at start)
while ! ip link show tap_0 >/dev/null 2>&1
do
    sleep 5
done

# once we found it, give it some more time to settle
sleep 20

# set up bridge
ip link add br0 type bridge          # create the bridge device
ip link set tap_0 master br0         # SoftEther's tap becomes a bridge port
ip link set dev eth0 down
ip addr flush dev eth0               # clear eth0's old address before enslaving it
ip link set dev eth0 up
ip link set eth0 master br0          # the physical NIC becomes a bridge port
ip link set dev br0 up
ifconfig br0 172.16.0.110/24         # address for the bridge itself
ifconfig eth0 172.16.0.10            # original eth0 address, keeps the SSH session alive
ifconfig tap_0 172.16.0.111
[/code]

This script gets called in /etc/rc.local like this:
bash -c "/home/user/mkbridge.sh"

I can confirm that this survives a reboot.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: SoftEther VPN server not reachable for clients

Post by thisjun » Fri Jan 15, 2016 7:04 am

Why do you configure proxy on DDNS setting?

moriose
Posts: 10
Joined: Mon Oct 12, 2015 3:48 pm

Re: SoftEther VPN server not reachable for clients

Post by moriose » Tue Apr 12, 2016 2:44 pm

@fancy22's steps are really helpful. I am able to access the VPN server itself when I VPN remotely into the network.
However, the stopping and starting SoftEther step is unnecessary in my case. Actually, if I stop SoftEther, tap_0 disappears, resulting in an error when running the script.

I am new to Linux and I have a question. After I followed @fancy22's steps, the VPN server can't access the internet anymore. Is this a limitation of bridging, or is there a workaround?

----- Update ------
'dhclient -v br0' solved my problem. My VPN server got back internet access after this.
Reference: http://superuser.com/questions/694661/l ... or-openvpn
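A consolidated version of the bridge script discussed in this thread, added here as an example; it is not code posted by any participant and not part of SoftEther. It covers the procedure fancy22 describes (wait for the tap_ device that vpnserver creates, then build the bridge, with a timeout so boot cannot hang forever) and the symptom moriose hit afterwards: `ip addr flush dev eth0` also deletes the default route that was bound to eth0, so the host loses internet access until a default route is re-added on br0 (dhclient on br0 does that; a static route does the same). Assumptions are marked in the code: iproute2 only, the interface and address values (tap_0, eth0, br0, 172.16.0.10/24, gateway 172.16.0.1) are placeholders for the poster's setup, and, unlike the thread's script, only br0 gets an address, since bridge ports need none and the Pi's original 172.16.0.10 can then stay the port-forward target on the router.

```shell
#!/bin/bash
# mkbridge.sh (added example, not the thread's or SoftEther's own script)
# Waits for the tap_ device that SoftEther's vpnserver creates for a
# "Bridge with new Tap Device" local bridge, then moves eth0's address and
# default route onto a Linux bridge that has both eth0 and the tap as ports.
set -u

# Assumed values for the poster's setup; override via the environment.
TAP=${TAP:-tap_0}              # SoftEther tap, name chosen in the Local Bridge dialog
PHYS=${PHYS:-eth0}             # the Pi's single physical NIC
BR=${BR:-br0}                  # Linux bridge to create
ADDR=${ADDR:-172.16.0.10/24}   # the Pi's LAN address, now owned by br0
GW=${GW:-172.16.0.1}           # assumed home router address
TIMEOUT=${TIMEOUT:-120}        # seconds to wait for the tap before giving up

# run CMD...: execute, or just print the command when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# wait_for_link NAME SECONDS: return 0 once the interface exists, 1 on timeout
wait_for_link() {
    local name=$1 deadline
    deadline=$(( $(date +%s) + $2 ))
    while ! ip link show "$name" >/dev/null 2>&1; do
        if [ "$(date +%s)" -ge "$deadline" ]; then
            return 1
        fi
        sleep 2
    done
    return 0
}

# build_bridge: create br0 (if missing), enslave the tap and eth0, then move
# the address and default route to br0. Flushing eth0 also removes the default
# route that was bound to it, so the last line puts one back on br0; without
# it the host keeps LAN reachability but loses internet access.
build_bridge() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! ip link show "$BR" >/dev/null 2>&1; then
        run ip link add "$BR" type bridge
    fi
    run ip link set "$TAP" master "$BR"
    run ip link set "$TAP" up
    run ip addr flush dev "$PHYS"
    run ip link set "$PHYS" master "$BR"
    run ip link set "$PHYS" up
    run ip addr replace "$ADDR" dev "$BR"
    run ip link set "$BR" up
    run ip route replace default via "$GW" dev "$BR"
}

case "${1:-}" in
    plan)
        DRY_RUN=1 build_bridge
        ;;
    apply)
        if ! wait_for_link "$TAP" "$TIMEOUT"; then
            echo "$TAP did not appear within ${TIMEOUT}s; is vpnserver running?" >&2
            exit 1
        fi
        sleep 5          # let vpnserver finish initialising the tap
        build_bridge
        ;;
    *)
        echo "usage: $0 plan|apply" >&2
        ;;
esac
```

Run `./mkbridge.sh plan` to print the commands without touching the network, and `sudo /home/user/mkbridge.sh apply` from /etc/rc.local after vpnserver has been started; the address moves from eth0 to br0 inside the same script, so an SSH session to 172.16.0.10 survives. Bridging puts VPN clients on the same Ethernet segment as the rest of the LAN, so anything a LAN host can reach, a VPN client can reach too; restrict that at the Virtual Hub or with a firewall on the Pi if that is not what you want.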
