Use DHCP allocation for VPN client but hide from LAN

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
TPK
Posts: 5
Joined: Wed Dec 23, 2015 5:21 pm

Use DHCP allocation for VPN client but hide from LAN

Post by TPK » Wed Dec 23, 2015 5:48 pm

Hello,

I am trying to build a simple external client to LAN VPN solution, so folks at home can access a corporate LAN. It seems that I got it working with SoftEther quite easily, and the home users can easily install the client and connect to our servers here on the corporate LAN.

For now I am running SoftEther on a windows server, but I would like to move this whole configuration to some sort of embedded and dedicated system running Linux or similar.

I found that I needed to enable SecureNAT to get the virtual DHCP function to work, so I can allocate IPs out to the clients (I have a specific subnet/range of IPs within our corporate subnet I am allowed to use for VPN users). I also use the virtual DHCP server to assign the LAN DNS server(s) and DNS prefix. I specifically do NOT assign out the default gateway address, since I need the users to NOT pass their internet traffic through our corporate LAN, but instead I need them to use their local internet connections for their local internet traffic.

I do NOT enable virtual-NAT in the SecureNAT configuration, as I only need this configuration to set up the DHCP services, so connecting clients can obtain their IP address allocations. Instead I use a local bridge to bridge the virtual hub to my physical network.

Anyhow, all of this works out quite well. The DHCP server allocates out an IP address on our VPN subnet, and the client machines can access our corporate LAN including some database services, and other services I need to allow.... Additionally, I like the fact that I can somewhat control what the VPN clients have access to, since I can choose to block or allow the VPN clients from services using the access lists with the VPN allocated subnet (the VPN address allocations are on a smaller subnet within the larger corporate subnet, etc).

There is only just one problem, however. It seems that the DHCP server I set up within SoftEther is also attempting to allocate addresses on our corporate LAN as well. I can easily check this using a DHCP detection tool (like odhcploc) somewhere on the corporate LAN. I find that both the corporate DHCP server on the LAN, as well as the SoftEther DHCP server are answering DHCP requests, which sets up a dangerous situation on our corporate LAN...

I need the VPN server to only allocate DHCP addresses to VPN connecting clients, not to non-VPN clients within our corporate LAN (we have a Windows DHCP server for that).

I have tried to filter DHCP by blocking or allowing UDP ports 67 and 68 within the SoftEther access list rules, but no matter what I try I cannot get the SoftEther DHCP server to limit itself to just allocating addresses to VPN clients. Either I block DHCP from the LAN along with VPN clients, or I allow DHCP from both, but I cannot get it to block DHCP from the LAN while also allowing it for VPN connecting clients...

I am sure there must be an easy way to do this, but the general solution eludes me...

I did (sort of) find a work-around to this, but it requires the VPN server to reside on a Hyper-V server virtual machine, since I can employ the "DHCP guard" option on the interface within the VM. That does seem to work, but I really do not want to run the SoftEther VPN server in a Hyper-V VM permanently, and so I need a better (more universal) solution than that...

Anyhow, I hope I explained my situation well enough (if more clarification is needed, please ask)...

Can someone tell me how I can get the DHCP server to block from the corporate LAN, while still remaining available for use by the connecting VPN clients?

Thanks so much, and I look forward to hearing your suggestions.
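The check the OP ran with odhcploc, written out as an added Python example (not code from the thread or from SoftEther): it parses DHCP server replies captured on the LAN and flags any OFFER/ACK whose server identifier is not the approved corporate DHCP server. The server addresses, the VPN server's address and the captured packets are constructed for the example.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that precedes the options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the BOOTP fixed header and the DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = {
        "op": op,                                              # 1 = request, 2 = reply
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),  # address being offered
        "chaddr": payload[28:28 + hlen].hex(":"),              # client MAC
        "msg_type": None, "server_id": None, "router": None,
    }
    i = 240
    while i < len(payload) and payload[i] != 255:              # 255 = end option
        code = payload[i]
        if code == 0:                                          # pad option, no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:                         # DHCP message type
            msg["msg_type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 54 and length == 4:                       # server identifier
            msg["server_id"] = str(ipaddress.IPv4Address(value))
        elif code == 3 and length >= 4:                        # router (default gateway)
            msg["router"] = str(ipaddress.IPv4Address(value[:4]))
        i += 2 + length
    return msg


def find_rogue_replies(replies, approved_servers):
    """Return every OFFER/ACK whose server identifier is not an approved DHCP server.

    replies: iterable of (src_ip, udp_payload) pairs captured from UDP port 67 -> 68.
    """
    rogue = []
    for src_ip, payload in replies:
        msg = parse_dhcp(payload)
        if msg["op"] != 2 or msg["msg_type"] not in ("OFFER", "ACK"):
            continue
        server = msg["server_id"] or src_ip
        if server not in approved_servers:
            rogue.append({"src_ip": src_ip, **msg})
    return rogue


def build_reply(xid, yiaddr, server_id, msg_type, router=None, mac=b"\x00\xac\x11\x00\x00\x01"):
    """Construct a minimal DHCP reply so the example runs offline (constructed sample data)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)                  # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\0" * 4 + ipaddress.IPv4Address(yiaddr).packed + b"\0" * 8   # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\0" * 10 + b"\0" * 192                                  # chaddr (16 bytes), sname + file (192)
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server_id).packed
    if router:
        opts += bytes([3, 4]) + ipaddress.IPv4Address(router).packed
    return hdr + DHCP_MAGIC + opts + b"\xff"


APPROVED = {"10.0.96.2"}  # assumed address of the corporate Windows DHCP server
CAPTURED = [              # constructed: two answers to the same DISCOVER (same xid)
    ("10.0.96.2", build_reply(0x3903F326, "10.0.96.150", "10.0.96.2", 2, router="10.0.96.1")),
    ("10.0.96.200", build_reply(0x3903F326, "10.0.96.210", "10.0.96.200", 2)),  # VPN server's virtual DHCP
]

if __name__ == "__main__":
    for hit in find_rogue_replies(CAPTURED, APPROVED):
        print(f"rogue {hit['msg_type']} from {hit['server_id']} offering {hit['yiaddr']} to {hit['chaddr']}")
```

A second OFFER with the same xid from a server outside the approved set is exactly the symptom the OP saw; the missing router option in it also shows that the leaked offer carries no default gateway.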

thomasrw
Posts: 7
Joined: Wed Jun 03, 2015 9:30 am

Re: Use DHCP allocation for VPN client but hide from LAN

Post by thomasrw » Thu Dec 24, 2015 2:04 pm

I have the same problem and would also like an answer.
The annoying thing is that I set up a server with SoftEther earlier in the year and I had the same issue, and fixed it somehow, but can't remember how!
I have compared the configs but can't work out any difference.

Any ideas anyone?

thomasrw
Posts: 7
Joined: Wed Jun 03, 2015 9:30 am

Re: Use DHCP allocation for VPN client but hide from LAN

Post by thomasrw » Tue Dec 29, 2015 12:47 pm

I think I fixed my problem, I think it was because we'd enabled routing on the Windows server hosting Softether - HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter should = 0 and not 1
Or else your problem may be something else doing routing like the Routing and Remote access service.

qupfer
Posts: 198
Joined: Wed Jul 10, 2013 2:07 pm

Re: Use DHCP allocation for VPN client but hide from LAN

Post by qupfer » Tue Dec 29, 2015 4:09 pm

Yeah.... I'm not sure I understand your problem correctly, but just some comments :-)

I would recommend you switch first to Linux, because even if you find a nice solution, you will get these problems again. It's related to the kind of VPN that SoftEther creates.
It's a virtual Layer-2 ("Ethernet") connection, so it's more or less a virtual cable between client and VPN server, where you can send all kinds of Ethernet traffic (incl. ARP, DHCP and so on).
When you create a bridge between VPN hub and phys. device, your server now works like a switch between corporate LAN and the VPN clients (old mnemonic: "A switch is a multiport bridge").
In contrast to pure IPsec (not L2TP/IPsec) it's like they are physically connected to your corporate LAN. And if you run a DHCP anywhere, it can "reach" every device, no difference between local computers and remote computers.
So, you have two possibilities.
1) do not run a second DHCP
2) do not bridge VPN and phys. device directly
2.5) a dirty filtering/firewall solution

The first depends on your corporate DHCP server's possibilities.
Afaik SoftEther uses its "own" MAC address prefix. If you can configure an IP range for a given MAC prefix, it should work.

For the second "solution", you bridge your VPN to a tap device. Now you can bind your second DHCP server only to this tap/VPN bridge. --> it will not answer DHCP packets from the corp. LAN
The Problem is now: How to get the "Traffic" from the tap-device to your phys. device and vice versa.
Also at least two solutions:
- routing
- NAT

Routing: You have to send routing information to every client, where the "VPN-Clients" are (use corporate DHCP to send this information or add this route to your default gateway) and also send routing information to your vpn-Clients, where your corporate Network is (use your VPN-DHCP))

NAT: Needs only configuration on the VPN-Server, but every VPN-Client will use the VPN-Server IP inside your company. The given Subnet is more or less useless, because you could use any (private) IP for the VPN Part.

For a linux based NAT-Solution, I can recommend these two tutorials:
http://blog.lincoln.hk/blog/2013/03/19/ ... er-on-vps/
http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/

Edit: Softether works great on a Raspberry PI 2

TPK
Posts: 5
Joined: Wed Dec 23, 2015 5:21 pm

Re: Use DHCP allocation for VPN client but hide from LAN

Post by TPK » Tue Dec 29, 2015 7:34 pm

qupfer wrote:
> Yeah.... I'm not sure I understand your problem correctly, but just some comments :-)

Hello Qupfer,

First, thank you so much for responding to my post....

Basically all I want to do is assign IP addresses to clients connecting to the VPN (so they can connect to the corporate LAN), while at the same time NOT assigning IP addresses to the rest of the corporate LAN. I have an IP range to use for VPN connecting clients.

I do not want the VPN clients to use the corporate DHCP server for IP assignments. This is so I can stick to the IP range for these VPN clients, and at the same time I do not want to assign the corporate LAN's default gateway (so clients won't end up routing their internet traffic via our limited internet connection for their video streaming or whatever else they are doing).

... I have tried to muck with the interface metric on the client side in an attempt to keep unwanted traffic from routing through our corporate LAN, and that doesn't seem to work (sometimes traffic still does flow through our corporate gateway, even with a higher metric on the interface)... We have a very limited internet service here (quite slow, with 1 IP address) and so to have connecting VPN PC clients routing their internet traffic through our corporate LAN does not really work for us...

In a nutshell, all I want to do is have SoftEther assign IP addresses to VPN clients without having it interfere with the rest of our corporate network.

>
> I would recommend you switch first to Linux, because even if you find a nice
> solution, you will get these problems again. It's related to the kind of VPN that
> SoftEther creates.

Yep, I agree.

> It's a virtual Layer-2 ("Ethernet") connection, so it's more or less a
> virtual cable between client and VPN server, where you can send all kinds of Ethernet
> traffic (incl. ARP, DHCP and so on).

Yep, I get it; however, it would be nice if there was a way to configure SoftEther to assign IP addresses to clients without having it interfere with the corporate LAN, even when using an Ethernet bridge. Seems to me that should be possible.

I am trying to use this to replace an OpenVPN solution I was using earlier and that didn't seem to have this problem. I don't believe it was setting up a full fledged DHCP server on the interface that you cannot really control, but instead was only offering a service up to the connecting clients for IP address assignment. Perhaps it was using a non-standard DHCP server that only the OpenVPN client software could talk to (I don't know)..

Also, to get part-way there, I was indeed able to hide the corporate DHCP server from the VPN clients. This is the converse of what I was asking for, but also may be necessary. I do not want the corporate LAN getting IP addresses from the SoftEther DHCP server (that would be a really big problem), but I also would not want the VPN clients getting IP addresses from the corporate DHCP server either (a smaller problem, but still a problem). Anyhow, I was able to achieve this by using the access lists and setting up a deny rule for UDP ports 67 and 68 for the IP address of my corporate DHCP server. After I did that, the VPN clients were no longer able to see the corporate DHCP server.

Problem is, I do not know how to form an access list rule (or if that is even possible) to prevent the DHCP server built into SoftEther from serving the rest of the LAN, without also cutting off the DHCP service from the connecting VPN clients.

> When you create a bridge between VPN hub and phys. device, your server now works like
> a switch between corporate LAN and the VPN clients (old mnemonic: "A switch is a
> multiport bridge").
> In contrast to pure IPsec (not L2TP/IPsec) it's like they are physically connected to
> your corporate LAN. And if you run a DHCP anywhere, it can "reach" every
> device, no difference between local computers and remote computers.
> So, you have two possibilities.
> 1) do not run a second DHCP
> 2) do not bridge VPN and phys. device directly
> 2.5) a dirty filtering/firewall solution
>
> The first depends on your corporate DHCP server's possibilities.
> Afaik SoftEther uses its "own" MAC address prefix. If you can configure an
> IP range for a given MAC prefix, it should work.

I don't think I can stop or change the corporate DHCP service. That is tied into our Windows domain environment and integrates with windows DNS, etc...

>
> For the second "solution", you bridge your VPN to a tap device. Now you can
> bind your second DHCP server only to this tap/VPN bridge. --> it will not answer
> DHCP packets from the corp. LAN
> The Problem is now: How to get the "Traffic" from the tap-device to your
> phys. device and vice versa.
> Also at least two solutions:
> - routing
> - NAT
>
> Routing: You have to send routing information to every client, where the
> "VPN-Clients" are (use corporate DHCP to send this information or add this
> route to your default gateway) and also send routing information to your vpn-Clients,
> where your corporate Network is (use your VPN-DHCP))
>

I suppose doing this you are suggesting that we put the VPN clients on an entirely different subnet than our corporate LAN. Perhaps we can do this, but if we have to maintain these routes for every server and PC on our corporate network the overhead will be unwieldy. Perhaps we can create a routing rule (forwarder) in our corporate gateway to deal with off subnet traffic routing back to VPN clients for the VPN subnet.

I am not quite sure how to set this up within SoftEther (perhaps we will need to utilize that layer-3 switch option, or a cascade virtual hub, not sure). I will need to look into this further. It will complicate our VPN setup for sure, but it also isolates the VPN clients and keeps them separate from our corporate LAN, which may have some other advantages/disadvantages...

> NAT: Needs only configuration on the VPN-Server, but every VPN-Client will use the
> VPN-Server IP inside your company. The given Subnet is more or less useless, because
> you could use any (private) IP for the VPN Part.
>

NAT is probably not going to work for us, since windows services (like windows file shares, or integrated logins) will fail under NAT.

Also it seems that this solution will again forward off-subnet traffic (including their regular internet traffic) through the VPN interface and our corporate internet, which I would like to avoid...

> For a linux based NAT-Solution, I can recommend these two tutorials:
> http://blog.lincoln.hk/blog/2013/03/19/ ... er-on-vps/
> http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/
>
> Edit: Softether works great on a Raspberry PI 2

Yep, I actually tried this (on a Raspberry Pi 2, actually) and it worked beautifully. That said, it did take some doing to get it set up and working on the default Raspbian OS installation, but I did get that working eventually. I especially like that I can use a Windows based GUI to connect to it and configure it. Of course I still have the same DHCP problem, though...

I think the "dirty" method of just filtering out the DHCP packets somehow would be the easiest and simplest way to get this working for me (outside of just using the DHCP guard in Hyper-V). I know that it is not ideal, and perhaps I could re-configure our entire corporate network or somehow set up a separate routable subnet for VPN clients, or ditch DHCP entirely and figure out how to statically assign client IP addresses, but it seems that I shouldn't need to do that...

I sort of know what I want to do (don't allow UDP ports 67 and/or 68 from reaching the SoftEther software) but I am just not quite sure how to do it without also blocking it from the SoftEther VPN client. If I can just get SoftEther to only serve DHCP to VPN clients (and not anything else), then I think we are golden...

qupfer
Posts: 198
Joined: Wed Jul 10, 2013 2:07 pm

Re: Use DHCP allocation for VPN client but hide from LAN

Post by qupfer » Tue Dec 29, 2015 9:52 pm

In this case, I would:

- install a linux server ;-)
- bridge vpn-hub to phys. device *1
- use iptables on "eth0" to block DHCP reply (DHCPOFFER/DHCPNAK) packets from "your" DHCP (on Windows, use Windows Firewall or something similar. DHCP reply packets have destination port 68 and source port 67.)
- use the SoftEther access list to block DHCP replies from your company DHCP (something like source IP = blabla and dest port = 68 --> block)
- make sure your "VPN IP range" does not include any IP from the company DHCP IP range (but this is obvious)

With this setup (and if I have not made an error in reasoning) all DHCP servers try to answer, but the answer from the wrong server will not reach the destination. And because a DHCPOFFER needs an acknowledgement, nothing bad should happen.


*1
On Linux systems, "direct" bridging of VPN hub and eth0 works great, but you can't reach any other services on the VPN server itself through the VPN (for example SSH). To "avoid" this problem, you can use two interfaces (and two cables to the switch or VLAN stuff....) or:
bridge the VPN hub to a tap device and create a second bridge between the tap device and the real device. Sounds awkward, but works :-)

thomasrw
Posts: 7
Joined: Wed Jun 03, 2015 9:30 am

Re: Use DHCP allocation for VPN client but hide from LAN

Post by thomasrw » Wed Dec 30, 2015 12:20 am

Hi TPK,

There should not be a problem doing this all fine on a Windows server; I have a few servers set up in the way you want. I didn't mention a few things about how I have done it all though. So basically:
-Do not bridge networks at all in softether
-Make sure Microsoft RRAS is disabled/not installed and that EnableIPRouting registry key is off (and reboot if you have changed it)
-Enable SecureNAT in softether with a completely different IP range to the office network, and do not specify a default gateway if you don't want VPN clients to go through the VPN to get internet. But do specify your Windows DNS server and domain name in there, even though it is a different range.
-In secure NAT enable a static route to push to the clients e.g. I have an office network of 10.0.96.x and the securenat range is 192.168.225.1 so my push table is: "10.0.96.0/255.255.255.0/192.168.225.1"

Therefore SoftEther does DHCP but only on its network and not on the server's main network card/rest of the network. VPN clients get an IP from a different range, but also get a route pushed to them so they know how to access the office network range still. SoftEther does NAT to route traffic between the two networks.
I have clients using RDP, file sharing, printing, etc over it all fine, the NAT should not cause an issue. Although I haven't tried VoIP which is a little more likely to have issues with NAT.

I think this is actually a fairly common type of setup for some VPNs, I've seen a Cisco setup like this before. And it means you don't have to run a separate linux server, just use an existing window server. And you don't have to try to set filtering for DHCP packets, etc which is a bit messy.

Also if you have multiple subnets in the office you can have the VPN clients talk to any or all of them by just adding extra routes to the list. Otherwise if you give VPN clients a LAN IP and no gateway they would only be able to talk to that subnet.

thisjun
Posts: 2090
Joined: Mon Feb 24, 2014 11:03 am

Re: Use DHCP allocation for VPN client but hide from LAN

Post by thisjun » Fri Jan 15, 2016 6:53 am

Please create two virtual hubs.

One hub for VPN. Another hub for localbridge.
And, please create cascade connection between both hubs.
After that, please enable "Filter DHCP packet" in security policy of cascade connection.

Rayt
Posts: 3
Joined: Wed Feb 17, 2016 10:05 pm

Re: Use DHCP allocation for VPN client but hide from LAN

Post by Rayt » Wed Feb 17, 2016 10:33 pm

Wow, thanks Thomas.

I've been going in circles for a couple of days now. I could connect OK but not be able to get anywhere on the LAN.

Following your suggestion, I got rid of bridging, used secureNAT for DHCP with a static route and Win DNS server IP and "hey presto" it works!

Now I just need to tweak everything to make sure it's all stable before rolling out to the users :)

(running on a CentOS 7 VM on Hyper-V with a single NIC, so no H/W or licence costs. Brilliant!)

Ray

TPK
Posts: 5
Joined: Wed Dec 23, 2015 5:21 pm

Re: Use DHCP allocation for VPN client but hide from LAN

Post by TPK » Thu Feb 18, 2016 2:24 am

Sorry for the lateness of my reply, but yes, I followed what Thomas was saying and I too got the VPN to work via NAT...

Also it seems that the file shares work (with active directory credentials), which I was not expecting over NAT.

So all that works, with NAT translating to the VPN host on the corporate side...

Next I am going to try to use SoftEther to try to set up a site-to-site VPN with routing, so hopefully I won't get stuck with that (we will see)

Thank you much for your help....

Rayt
Posts: 3
Joined: Wed Feb 17, 2016 10:05 pm

Re: Use DHCP allocation for VPN client but hide from LAN

Post by Rayt » Thu Feb 18, 2016 2:35 am

Haha.

Yep, I'm in the same boat TPK. Now that I've got the "basics" working, the fun really starts ;)

I'll keep an eye out for your posts and I'll post updates on how I get along with it too.

Cheers
Ray

rkmuralikrishnan
Posts: 2
Joined: Tue Mar 08, 2016 3:56 pm

Re: Use DHCP allocation for VPN client but hide from LAN

Post by rkmuralikrishnan » Tue Mar 08, 2016 3:59 pm

This works great, thanks so much. Although Thomas's idea works, I don't want NAT and moreover I have a second NIC connected to my office LAN so I can't use his method.

But SoftEther should have an option to stop this DHCP leak to the bridged network natively.

thisjun wrote:
> Please create two virtual hubs.
>
> One hub for VPN. Another hub for localbridge.
> And, please create cascade connection between both hubs.
> After that, please enable "Filter DHCP packet" in security policy
> of cascade connection.

mark.barl
Posts: 7
Joined: Thu Mar 17, 2016 2:28 pm

Re: Use DHCP allocation for VPN client but hide from LAN

Post by mark.barl » Thu Mar 17, 2016 2:44 pm

I have a very similar problem. In my scenario, I was creating a virtual server that users connected to via VPN but I didn't want their internet traffic to come across the VPN link. I think that is similar to your issue. (I used virtual NAT and DHCP as well)

Even though I selected not to modify the routing table within the VPN server, it still put a default route through the VPN adapter. I simply went and changed the Interface Metric in the advanced TCP/IP settings of the VPN adapter. This weights the default traffic to go through the physical NIC and only sends VPN traffic down the VPN adapter. For your setup, you will probably have to specify a static route set for the VPN clients, but if you weight the Interface metric, you should be able to have 0.0.0.0 route traffic go out of the physical NIC.

Hope that is useful.

thomasrw
Posts: 7
Joined: Wed Jun 03, 2015 9:30 am

Re: Use DHCP allocation for VPN client but hide from LAN

Post by thomasrw » Fri Mar 18, 2016 3:15 am

I'd suggest that you've got a default gateway address in the secureNat settings. Remove it and leave it blank and the clients won't have a default gateway on that interface so won't try to use internet through it. Much better than editing metrics on the PCs.

datswd
Posts: 7
Joined: Wed Aug 03, 2016 11:44 am

Re: Use DHCP allocation for VPN client but hide from LAN

Post by datswd » Thu Aug 04, 2016 2:31 pm

Removing or setting the default gateway in the DHCP settings of SoftEther makes no difference. On every connection the client sets the VPN server as its default gateway.
This forum is full of similar questions but I still can't find anything to solve it.

thomasrw
Posts: 7
Joined: Wed Jun 03, 2015 9:30 am

Re: Use DHCP allocation for VPN client but hide from LAN

Post by thomasrw » Thu Aug 04, 2016 2:37 pm

I'm not sure, but that isn't my experience at a number of sites where I've used SoftEther. I've added in other details in the DHCP server area but left the gateway blank, and then it doesn't give the client a gateway when it connects.

If you'd like further help then post your DHCP config screen and the results of IPconfig on a PC to confirm what is happening.

thisjun
Posts: 2090
Joined: Mon Feb 24, 2014 11:03 am

Re: Use DHCP allocation for VPN client but hide from LAN

Post by thisjun » Mon Aug 29, 2016 5:21 am

Try to increase virtual NIC metric value.

cmulk
Posts: 3
Joined: Wed Jan 25, 2017 3:02 pm

Re: Use DHCP allocation for VPN client but hide from LAN

Post by cmulk » Wed Jan 25, 2017 7:37 pm

thisjun wrote:
> Please create two virtual hubs.
>
> One hub for VPN. Another hub for localbridge.
> And, please create cascade connection between both hubs.
> After that, please enable "Filter DHCP packet" in security policy
> of cascade connection.


This workaround works perfectly. It's not exactly pretty but it does keep your DHCP servers separated as the OP wanted while still keeping everything on the same subnet.

rwebb616
Posts: 6
Joined: Tue Apr 28, 2015 2:36 am

Re: Use DHCP allocation for VPN client but hide from LAN

Post by rwebb616 » Wed Apr 25, 2018 2:47 pm

I know this is an old post but I found it because I was in the same situation - DHCP handing out addresses to the internal LAN. This IS possible to set up properly and keep it from handing out to the LAN.

Qupfer had the solution correct and that is not to use a Bridge but a tap device. This requires running the server on Linux as (according to the Server Manager) it is unable to create a tap device unless running on a linux/unix type environment.

So basically it is this:
1) Set up your bridge using a TAP device
2) Use the SecureNAT function and turn on NAT and the DHCP server functions
.. This uses routing instead of bridging so DHCP stays on the subnet for the VPN clients
3) Use a different subnet for your vpn clients - I used 192.168.30.x / 24
4) Set the Virtual Host's Network Interface Settings to an address on the client subnet (I used 192.168.30.1)
5) Set the DHCP server to distribute its IPs from that same subnet (I used .10 - .20)
6) Set the options applied to clients - default gateway same as your virtual host's Network Interface (192.168.30.1)
.. DNS server to your internal LAN dns server (if you want clients to be able to locate resources on your lan by name)
.. Domain Name to your internal LAN domain name (again if you want clients to be able to locate resources on your lan by name)

Some Notes:
- No need to set any static routing unless you need these clients to reach other subnets on your corporate lan that are via another router
- The NAT and routing happen automatically using the IP address of your VPN server (which is on your corporate lan) - no need to specify the routing
- Only port 443 needs to be open on your corporate firewall to the vpn server.
- All clients should be using the SoftEther vpn client
- I have not tested if this all works with L2TP / IPSec or not - possible it will and you can use built in windows client.
- I tested this in a network that does not operate a DHCP server on their corporate LAN by setting up a virtual machine on the internal LAN to use DHCP and it was not able to obtain an address from the VPN server so that validated that the DHCP server is isolated from the internal LAN.
- If you are running your VPN server in a virtual environment make sure that you enable promiscuous mode on your virtual networking (in vmware it's on the virtual switch) or none of this will work.

I hope this helps someone - took me a little bit to figure all this out but as always SoftEther never fails to amaze me. It has so many options and works for so many scenarios - absolutely awesome!

Rich
