replacing SecureNAT with local bridge?

xodc
Posts: 25
Joined: Mon Nov 02, 2015 7:45 am

replacing SecureNAT with local bridge?

Post by xodc » Sun Dec 13, 2015 10:35 pm

I have a Softether server setup on AWS, and everything works fine. It's all just the most basic installation with minimal configuration.

However, I am looking into replacing SecureNAT with a local bridge to improve performance. I duly disabled SecureNAT and then created a bridge between my only NIC and the virtual hub.

But now, I can't access the internet.

What is the right way to go about this? Thanks a lot!

mbrcomp
Posts: 25
Joined: Tue Dec 15, 2015 7:45 am

Re: replacing SecureNAT with local bridge?

Post by mbrcomp » Tue Dec 15, 2015 7:51 am

It looks like something is blocking the bridge. Maybe you have an "advanced" antivirus solution that has its own firewall and needs to be configured. Please try uninstalling (not only disabling) any vendor-specific firewall and update the forum.

xodc
Posts: 25
Joined: Mon Nov 02, 2015 7:45 am

Re: replacing SecureNAT with local bridge?

Post by xodc » Tue Dec 15, 2015 1:10 pm

mbrcomp wrote:
> It looks like something is blocking the bridge. Maybe you have an
> "advanced" antivirus solution that has its own firewall and needs
> to be configured. Please try uninstalling (not only disabling) any
> vendor-specific firewall and update the forum.

Thanks for the reply!

Unfortunately, I don't have any anti-virus or firewall installed. I have also tried disabling the built-in Windows firewall to no effect.

Not sure if this matters, but I am using Windows Server 2012 R2 hosted on Amazon AWS.

Please find an enclosed screenshot of the bridge I created

qupfer
Posts: 198
Joined: Wed Jul 10, 2013 2:07 pm

Re: replacing SecureNAT with local bridge?

Post by qupfer » Tue Dec 15, 2015 1:42 pm

SoftEther is a so-called "Layer-2-VPN" protocol (Layer 2 is, for example, Ethernet).
If you "bridge direct to your server NIC", it's like you put a cable between your VPN client and the (virtual) switch port of your server. I would say Amazon did not like that. From the view of Amazon, it's a bit like you plug in a second server next to yours.

So, you should instead bridge to a virtual device (tap device) and then do NAT between the new virtual device and the "real" NIC.
I have no idea how to do it on a Windows server. On normal user Windows (7, 8, 10) it's called "Internet sharing". Maybe this helps.

mbrcomp
Posts: 25
Joined: Tue Dec 15, 2015 7:45 am

Re: replacing SecureNAT with local bridge?

Post by mbrcomp » Tue Dec 15, 2015 3:19 pm

Technically, it should work. The bridge would make any computer that successfully connects to the VPN a LAN-connected computer. Except if you have made access list rules on the virtual hub that may interfere. If you did, try disabling any major blocking rules and see if it helps.

xodc
Posts: 25
Joined: Mon Nov 02, 2015 7:45 am

Re: replacing SecureNAT with local bridge?

Post by xodc » Tue Dec 15, 2015 4:20 pm

qupfer wrote:
> SoftEther is a so-called "Layer-2-VPN" protocol (Layer 2 is, for
> example, Ethernet).
> If you "bridge direct to your server NIC", it's like you put a
> cable between your VPN client and the (virtual) switch port of your server.
> I would say Amazon did not like that. From the view of Amazon, it's a bit
> like you plug in a second server next to yours.
>
> So, you should instead bridge to a virtual device (tap device) and then
> do NAT between the new virtual device and the "real" NIC.
> I have no idea how to do it on a Windows server. On normal user Windows
> (7, 8, 10) it's called "Internet sharing". Maybe this helps.


Thanks a lot for your post! That makes sense.

I have seen online guides with references to a "tap device", and was beginning to suspect that its absence in my configuration was to blame.

Do you happen to know how to create a tap device in Windows 7/8/10? I believe Internet Sharing is a fairly wide-ranging Windows service that covers a lot of ground.

xodc
Posts: 25
Joined: Mon Nov 02, 2015 7:45 am

Re: replacing SecureNAT with local bridge?

Post by xodc » Tue Dec 15, 2015 4:26 pm

mbrcomp wrote:
> Technically, it should work. The bridge would make any computer that
> successfully connects to the VPN a LAN-connected computer. Except if you
> have made access list rules on the virtual hub that may interfere. If you
> did, try disabling any major blocking rules and see if it helps.

Thanks for getting back to me. I think the problem may be that Amazon won't assign me an IP address if they see my laptop/desktop connected to their LAN network.

One solution may be to bridge to an intermediate "tap device". Do you happen to know how to create such a device on Windows?

qupfer
Posts: 198
Joined: Wed Jul 10, 2013 2:07 pm

Re: replacing SecureNAT with local bridge?

Post by qupfer » Tue Dec 15, 2015 6:23 pm

xodc wrote:
> I have seen online guides with references to a "tap device", and was beginning to
> suspect that its absence in my configuration was to blame.

The TAP device is easy to create :-)
https://usa.07q.de/tap.png

For enabling NAT, maybe this helps (I just forgot the link in my first answer^^)
https://technet.microsoft.com/en-us/lib ... 69812.aspx
http://www.dell.com/support/article/us/ ... OW10169/EN

xodc
Posts: 25
Joined: Mon Nov 02, 2015 7:45 am

Re: replacing SecureNAT with local bridge?

Post by xodc » Wed Dec 16, 2015 7:54 pm

qupfer wrote:
> xodc wrote:
> > I have seen online guides with references to a "tap device", and was
> > beginning to
> > suspect that its absence in my configuration was to blame.
>
> The TAP device is easy to create :-)
> https://usa.07q.de/tap.png
>
> For enabling NAT, maybe this helps (I just forgot the link in my first answer^^)
> https://technet.microsoft.com/en-us/lib ... 69812.aspx
> http://www.dell.com/support/article/us/ ... OW10169/EN

I just managed to get Softether installed on an Ubuntu server. I created a tap device to bridge the virtual hub with, and I followed this guide here for local bridging: http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/

Now, when I connect via VPN, I get an IP address. However, I am still unable to access the internet. Any ideas? Thanks!

qupfer
Posts: 198
Joined: Wed Jul 10, 2013 2:07 pm

Re: replacing SecureNAT with local bridge?

Post by qupfer » Wed Dec 16, 2015 11:41 pm

Please post the output of
"cat /proc/sys/net/ipv4/ip_forward"
and
"sudo iptables -t nat -L -v"

That you get an IP from dnsmasq is a good sign, because that means your VPN itself is working.

xodc
Posts: 25
Joined: Mon Nov 02, 2015 7:45 am

Re: replacing SecureNAT with local bridge?

Post by xodc » Thu Dec 17, 2015 5:35 am

qupfer wrote:
> Please post the output of
> "cat /proc/sys/net/ipv4/ip_forward"
> and
> "sudo iptables -t nat -L -v"
>
> That you get an IP from dnsmasq is a good sign, because that means your VPN
> itself is working.

cat /proc/sys/net/ipv4/ip_forward
1

sudo iptables -t nat -L -v

Chain PREROUTING (policy ACCEPT 383 packets, 57154 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 166 packets, 30507 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2694K packets, 555M bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 2694K packets, 555M bytes)
pkts bytes target prot opt in out source destination
663 52321 SNAT all -- any any ip-192-168-7-0.ap-northeast-1.compute.internal/24 anywhere to:[VPN Server IP]
0 0 SNAT all -- any any ip-192-168-7-0.ap-northeast-1.compute.internal/24 anywhere to:[VPN Server IP]

xodc
Posts: 25
Joined: Mon Nov 02, 2015 7:45 am

Re: replacing SecureNAT with local bridge?

Post by xodc » Thu Dec 17, 2015 6:20 am

I noticed something strange: the "public" IP address of my VPN server (i.e. the address I SSH to) is different from the IP address of the ethernet adapter. In the screenshot, I SSH'd to the 127 IP, but for eth0, it was 217.

Could this be the cause of connection issues?

---

UPDATE: tried both IPs using the command: iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source [IP Address]

neither worked.
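The tap-plus-NAT setup qupfer describes, together with a check over the kind of nat-table output xodc posted, as an added example in my own shell (not code from the thread or from SoftEther). Assumed names: tap interface tap_soft, uplink eth0, gateway 192.168.7.1 on the 192.168.7.0/24 subnet from xodc's SNAT rule, and the documentation address 203.0.113.5 standing in for the redacted target.

```shell
# Added example (not from the thread or SoftEther): NAT the subnet behind the tap
# that the virtual hub is bridged to, and audit "iptables -t nat -L -v" output.
# Assumed names (override via environment): tap_soft, eth0, gateway 192.168.7.1
# on the 192.168.7.0/24 subnet taken from xodc's SNAT rule.
VPN_NET="${VPN_NET:-192.168.7.0/24}"
VPN_GW="${VPN_GW:-192.168.7.1/24}"
TAP_IF="${TAP_IF:-tap_soft}"
WAN_IF="${WAN_IF:-eth0}"

# Router setup; needs root, only run via "sh nat.sh apply". MASQUERADE rather than
# SNAT --to-source: the source becomes the address $WAN_IF really holds. On EC2 that
# is the private address; the public one is mapped outside the instance, so SNAT to
# it leaves conntrack unable to match the replies.
setup_nat() {
    sysctl -w net.ipv4.ip_forward=1
    ip addr add "$VPN_GW" dev "$TAP_IF"
    ip link set "$TAP_IF" up
    iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    iptables -A FORWARD -i "$TAP_IF" -o "$WAN_IF" -j ACCEPT
    iptables -A FORWARD -i "$WAN_IF" -o "$TAP_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
# Audit: stdin is "iptables -t nat -L -v" output, $1 a dotted network address.
# Sums the packet counters of POSTROUTING SNAT/MASQUERADE rules for that network,
# accepting both numeric (-n) and resolved "ip-192-168-7-0..." source columns.
# Zero means traffic from the VPN subnet never reaches the nat table at all.
nat_pkts_for_subnet() {
    dashed=$(printf '%s' "$1" | tr . -)
    awk -v net="$1" -v dashed="$dashed" '
        /^Chain / { chain = $2; next }
        chain == "POSTROUTING" && ($3 == "SNAT" || $3 == "MASQUERADE") &&
            (index($0, net) || index($0, dashed)) { pkts += $1 }
        END { print pkts + 0 }'
}
# Constructed sample shaped like the thread's output (counters kept, the redacted
# target replaced by the documentation address 203.0.113.5).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 383 packets, 57154 bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 2694K packets, 555M bytes)
 pkts bytes target prot opt in out source destination
  663 52321 SNAT all -- any any ip-192-168-7-0.ap-northeast-1.compute.internal/24 anywhere to:203.0.113.5
    0 0 SNAT all -- any any ip-192-168-7-0.ap-northeast-1.compute.internal/24 anywhere to:203.0.113.5'

if [ "${1:-}" = "apply" ]; then
    setup_nat
else
    printf '%s\n' "$SAMPLE_NAT" | nat_pkts_for_subnet 192.168.7.0   # prints 663
fi
```

A non-zero count only shows that forwarded packets reached POSTROUTING; whether replies come back depends on the translated address being one the uplink really owns, which is why the setup uses MASQUERADE.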

xodc
Posts: 25
Joined: Mon Nov 02, 2015 7:45 am

Re: replacing SecureNAT with local bridge?

Post by xodc » Thu Dec 17, 2015 6:46 am

Perhaps this post is instructive: viewtopic.php?t=3452&p=8210#p8210

But I'm not sure what he means by "using the built in softether DHCP server + iptables"

I thought the built in DHCP server also gets disabled if you disable SecureNAT?

thisjun
Posts: 2090
Joined: Mon Feb 24, 2014 11:03 am

Re: replacing SecureNAT with local bridge?

Post by thisjun » Thu Dec 24, 2015 7:46 am

In the latest version of SoftEther, SecureNAT is faster than tap in Linux.
