VPN client. Deny internet, allow lan.

vizary
Posts: 3
Joined: Tue Jul 26, 2016 12:20 pm

VPN client. Deny internet, allow lan.

Post by vizary » Tue Jul 26, 2016 12:42 pm

Hi, I'm not an admin. Can someone help me?


I have a vServer with SoftEther VPN server (SRV1).

A user (PC) and a remote office LAN (hardware router with built-in VPN client) must connect to SRV1 and use local resources (shares, local web site, business apps, etc.).


SRV1 has 2 adapters: one with a static white IP (named WAN) for access from the internet, and one local (named LAN).

After setup, the SoftEther VPN server settings are:

One virtual hub with SecureNAT enabled (named HUB1)
One local bridge HUB1<--->LAN

VPN clients use the built-in Windows VPN to connect to the server. They can use local resources, but all of the clients' internet traffic is routed by the VPN server. This is bad because the VPN server has limited bandwidth.

1. I tried disabling the "use remote gateway" option in the client-side connection settings. But after that, VPN users can't access the LAN on the server.
2. I tried disabling SecureNAT (only DHCP enabled). Same result: LAN resources are missing.
3. I tried fully disabling SecureNAT and using only the local bridge with a third-party DHCP enabled. But VPN clients don't get IPs from the LAN DHCP. (DHCP works fine; SRV1 gets an IP on the LAN adapter from it.)

What is wrong? How do I allow VPN clients to use only LAN resources and communicate between VPN clients and remote LANs, and deny use of the VPN server for access to the internet (they must use their own internet)?

a.woll
Posts: 23
Joined: Tue Mar 25, 2014 8:29 pm

Re: VPN client. Deny internet, allow lan.

Post by a.woll » Tue Jul 26, 2016 1:38 pm

Use the access control list feature!
Set up a rule with low priority (a large number).
The rule should always be applied last.

Then you need a rule with high priority (a small number) which allows access to your LAN.

vizary
Posts: 3
Joined: Tue Jul 26, 2016 12:20 pm

Re: VPN client. Deny internet, allow lan.

Post by vizary » Tue Jul 26, 2016 1:46 pm

Solved.

1. Use local bridge only
2. Disable VPN-client option "Use remote gateway"
3!!!! Enable Promiscuous mode for virtual machine


P.S. Maybe there is a solution for denying "use remote gateway" on the server side. It is not an easy task to change VPN settings on the client side for many users.

P.P.S. The access list is not a solution, because VPN clients still route internet traffic to the VPN server, but the server starts blocking it - now the user loses internet after he connects to the server :)

a.woll
Posts: 23
Joined: Tue Mar 25, 2014 8:29 pm

Re: VPN client. Deny internet, allow lan.

Post by a.woll » Wed Jul 27, 2016 8:48 am

vizary wrote:
> Solved.
OK.
>
> 1. Use local bridge only
> 2. Disable VPN-client option "Use remote gateway"
> 3!!!! Enable Promiscuous mode for virtual machine
I didn't get that the server runs as a virtual machine.
>
>
> P.S Maybe any solution for setting deny "use remote gateway" on
> server side. Is not easy task for more users change vpn settings on client
> side.
>
> P.P.S Access list is not solution. Because vpn clients still route internet
> traffic to VPN server, but server start block - now user lose internet
> after he connect to server :)
IMHO I thought that was what you wanted to have. Only VPN access and no internet through VPN.
Then ACL seems to be the best solution at least for me. :-)

ggcarson
Posts: 1
Joined: Wed Sep 13, 2017 3:19 pm

Re: VPN client. Deny internet, allow lan.

Post by ggcarson » Wed Sep 13, 2017 3:25 pm

I know this is old... but this is how you have your users NOT go through the VPN for internet access.

On the local machine, you must edit or set up the VPN like this:
* In the Networking tab, click IPv4 and Properties, click Advanced, uncheck "Use default gateway on remote network"

Now your users will use their internet.
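
The client-side setting from the post above can also be applied with the Windows built-in VpnClient PowerShell cmdlets, which helps when many PCs need the same change. This is an added example, not part of the original thread; the connection name `Office VPN` and the LAN prefix `192.168.10.0/24` are placeholder assumptions.

```powershell
# Added example: enable split tunneling (the scripted equivalent of unchecking
# "Use default gateway on remote network") on a Windows built-in VPN connection
# and route only the office LAN through the tunnel.
# Assumptions: the connection name and the LAN prefix below are placeholders.

function Set-VpnLanOnly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ConnectionName,
        [Parameter(Mandatory)] [string[]] $LanPrefix,
        [switch] $AllUserConnection
    )

    # Pass -AllUserConnection through only when the profile is machine-wide.
    $scope = @{}
    if ($AllUserConnection) { $scope['AllUserConnection'] = $true }

    # Fail early if the VPN profile does not exist on this machine.
    $conn = Get-VpnConnection -Name $ConnectionName @scope -ErrorAction Stop

    # Stop sending the default route (all internet traffic) into the tunnel.
    if (-not $conn.SplitTunneling) {
        Set-VpnConnection -Name $ConnectionName @scope -SplitTunneling $true -ErrorAction Stop
    }

    # Add an explicit route for each LAN prefix that is not already present,
    # so LAN resources stay reachable once the default route is gone.
    $existing = @($conn.Routes | ForEach-Object { $_.DestinationPrefix })
    foreach ($prefix in $LanPrefix) {
        if ($existing -notcontains $prefix) {
            Add-VpnConnectionRoute -ConnectionName $ConnectionName @scope `
                -DestinationPrefix $prefix -ErrorAction Stop
        }
    }

    # Return the resulting state so it can be logged or checked.
    Get-VpnConnection -Name $ConnectionName @scope |
        Select-Object Name, ServerAddress, SplitTunneling,
            @{ Name = 'Routes'; Expression = { $_.Routes.DestinationPrefix -join ', ' } }
}

Set-VpnLanOnly -ConnectionName 'Office VPN' -LanPrefix '192.168.10.0/24'
```

Split tunneling set on the client is a routing preference, not an enforcement: a server-side rule is still what prevents a client that keeps the default gateway option from sending internet traffic through the VPN server.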
