
SOLVED! connecting over real internet does not work

Posted: Fri Oct 19, 2018 1:47 pm
by sky59
After experiencing great happiness implementing SE on three different platforms (PC, mipsel, Cortex-A7) I suddenly got a shock...

I use a site-to-site Level 2 connection between server and bridge, playing with just two devices.

When I connect both to the same access point (WiFi or cable) it works (the bridge can find the server by its vpnxxxx.softether.net address); as they are on the same access point they are in the same subnet, differing only in the last (4th) octet of the IP (given by DHCP from the AP).

The moment I connect them to two different access points (different providers; they get different IPs and domains) the bridge cannot find the server!?

What am I doing wrong? How do I test whether an internet connection is suitable for SE? Is there any tool?

Re: connecting over real internet does not work

Posted: Fri Oct 19, 2018 2:30 pm
by cmd wh0ami
The way it sounds, you're getting blocked from the WAN by a firewall or something and not using SecureNAT. If I'm understanding what you wrote correctly, I'd open up port forwarding on your router/firewall on TCP/UDP 443 to the local IP of your server. As far as I know you can't enable SecureNAT with a Layer-2 bridge. If you're running the server software on Linux you might need to open up incoming and outgoing 443 with iptables.

Code:

# Allow incoming HTTPS for SoftEther (default)
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Re: connecting over real internet does not work

Posted: Fri Oct 19, 2018 3:33 pm
by sky59
I admit I do not understand what to do with port forwarding.

I use OpenWrt and I attached info on how I enabled all I could... but nothing with port forwarding.

Is this forwarding missing?

Re: connecting over real internet does not work

Posted: Sat Oct 20, 2018 3:12 pm
by cmd wh0ami
Yea, you can't open any more than that.... You opened everything.... The port forwarding is in your bottom picture. If you were only using port 443 with SoftEther you would forward ports like this: Name = SoftEther, Protocol = TCP/UDP (both) (although I only use TCP, but I try to hide my VPN), External Zone = WAN, External Port = 443, Internal IP Address = local IP of your server running SoftEther, Internal Port = 443...

Now say you were using OpenVPN and you had the OVPN server listening on TCP/UDP 1194 and you wanted to hide the fact that you were using OpenVPN.... You would have the OpenVPN client listen on 443, then you would set External Port = 443 and Internal Port = 1194.... It would forward traffic for OVPN from 443 to 1194, and VPN detection couldn't see that your server was listening on TCP 1194...

I've never downloaded or used the SoftEther bridge software.... I only use the server and client. I bridge to eth0 or a tap interface with the server. Not sure if that's what you did or if you used the software I don't have experience with.

Re: connecting over real internet does not work

Posted: Sat Oct 20, 2018 7:45 pm
by sky59
wh0ami,
first of all I want to thank you for your patience with me (I am 60 yrs old :) )

I checked OpenWrt (I use it) and by default all ports are closed except the port declared for SSH; there is not even a need to open it in the firewall file.

I think there are 2 possibilities:
- open port: I understand it as a 'message' coming to this port from the WAN can be processed internally by OpenWrt; otherwise it is only handed on further without any port opening, it just goes through in 'router regime'

- what you write as port forwarding: if no port number is changed it is like the first option, but you can even change the port number, something like 'faking' the port number

Am I right?

Now I need to check Ubuntu, how it is with ports in the default state....

Re: connecting over real internet does not work

Posted: Sat Oct 20, 2018 9:18 pm
by cmd wh0ami
From your pics of your OpenWRT settings, it looks to me like you have a default INPUT, FORWARD, OUTPUT - ACCEPT policy. So if I'm correct OpenWRT isn't blocking anything.

If you're using the original default firewall settings in Ubuntu, that's what is probably blocking you. I prefer to use the CentOS Linux distro to run my VPN servers. CentOS blocks the VPN server with the default firewall rules, so I would imagine Ubuntu does too.

Here is an example of my iptables rules... I make this file executable with

Code:

chmod +x softether.fw

Code:

#!/bin/bash
#
#######################################################################
#      iptables rules
#######################################################################
#
# Flush current V4 policies and delete any user-defined chains
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# Set default chain policies (INPUT is deny-by-default; the rules below open holes in it)
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP

# Drop null packets (no TCP flags set; typical of stealth scans)
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop new TCP connections that do not start with SYN (malformed or scan packets;
# this is not a syn-flood defence)
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop XMAS packets (all TCP flags set)
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept on local network (optional; adjust the subnet to your LAN)
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT

# Accept incoming SSH (default port)
iptables -I INPUT -p tcp --dport 22 -j ACCEPT

# Accept incoming SSH on a non-standard port, only from one admin address
# (55.55.55.55 is a placeholder; replace it with your own address)
iptables -A INPUT -p tcp -s 55.55.55.55 -m tcp --dport 19780 -j ACCEPT

# Accept incoming HTTPS for SoftEther (default listener)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Accept incoming OpenVPN (optional)
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

# Accept incoming IPsec (optional)
#iptables -A INPUT -p udp --dport 500 -j ACCEPT
#iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#########################################
###      End of rules
#########################################

# Save changes (CentOS with the iptables-services package)
service iptables save

# Service
systemctl restart iptables
systemctl status iptables

The above is only a basic example with default OUTPUT, FORWARD - ACCEPT policy.

Re: connecting over real internet does not work

Posted: Sun Oct 21, 2018 7:04 am
by sky59
Thanks again!

But in my pictures you can see I have not done anything for port 443 yet. Isn't it missing, or is it already overruled by my enabling everything?

In your attached file there is a commented line saying it is for SoftEther; I read it and it really opens the port on the machine used to run SE.

I have a feeling this overruling of mine does not open port 443..?

In my case it is iptables -P INPUT ACCEPT

I will continue testing next week.

Idea: if I run SE on one computer, is there any way, using another computer running something (what?), to check if 443 is accessible on the first computer? The computers would be connected with an Ethernet cable.

I think this might be useful also for others as a diagnostic tool when setting up a VPN while having problems and not knowing which side causes the problems.

Re: connecting over real internet does not work

Posted: Sun Oct 21, 2018 12:06 pm
by cmd wh0ami
iptables -P INPUT ACCEPT is the default ACCEPT policy; it's the same as you have on OpenWrt. With a default ACCEPT policy there is no need to open anything else, since everything is already open.

You can try to test with ping or tracert or the Linux equivalent.

Now it's sounding like you're missing a cert, or something with the user credentials isn't right, if all firewalling is off and you still can't connect.

Re: connecting over real internet does not work

Posted: Sun Oct 21, 2018 3:42 pm
by sky59
Is it possible to ping a particular port? Like ping 192.168.1.1:443?
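An added example, not part of any post in this thread, of the per-port "ping" asked about above. ICMP ping only says whether the host answers ICMP; it says nothing about TCP 443. A TCP connect attempt does, and the way it fails is the diagnostic: "refused" means the host is reachable but sent RST (nothing listening there, or a REJECT firewall rule), while "timeout" means nothing came back at all (a DROP rule, a NAT or carrier-grade NAT with no port forward, or no route). The host and port on the command line and the local test listener are assumptions for illustration; run it from the second computer against the SoftEther server's address.

```python
import socket
import sys


def check_tcp_port(host, port, timeout=3.0):
    """Attempt a TCP three-way handshake with host:port.

    Returns (state, detail) where state is one of:
      'open'    - handshake completed: something listens and no firewall
                  dropped or rejected the SYN
      'refused' - peer answered with RST: host reachable, port closed or
                  a REJECT firewall rule
      'timeout' - no answer at all: DROP rule, NAT/CGNAT without a
                  forward, or no route to the host
      'error'   - DNS or socket error (detail explains)
    """
    try:
        addrs = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("error", f"DNS lookup of {host} failed: {exc}")

    last = ("error", f"no usable addresses for {host}")
    for family, socktype, proto, _, sockaddr in addrs:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return ("open", f"{sockaddr[0]} port {port}: TCP handshake completed")
        except socket.timeout:
            last = ("timeout", f"{sockaddr[0]} port {port}: no reply within {timeout}s "
                               "(DROP rule, missing port forward, or unreachable)")
        except ConnectionRefusedError:
            last = ("refused", f"{sockaddr[0]} port {port}: connection refused "
                               "(host up, nothing listening or REJECT rule)")
        except OSError as exc:
            last = ("error", f"{sockaddr[0]} port {port}: {exc}")
        finally:
            sock.close()
    return last


def start_local_listener(host="127.0.0.1"):
    """Open a listening TCP socket on an ephemeral port so the check can be
    exercised offline (assumed test helper). Returns (socket, port); close
    the socket to free the port again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python3 portcheck.py <host> [port]
    # The port defaults to 443, the SoftEther listener discussed in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    state, detail = check_tcp_port(target, tport)
    print(f"{state.upper()}: {detail}")
    sys.exit(0 if state == "open" else 1)
```

Run it first on the same LAN (should report OPEN if the server process is up and the host firewall allows it), then from the outside against the public address; an OPEN on the LAN but a TIMEOUT from outside points at the router, the ISP's NAT, or a missing port forward rather than at the server.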

Re: MOBILE OPERATOR PROBLEM? connecting over real internet does not work

Posted: Mon Oct 22, 2018 7:31 am
by sky59
I just realized I cannot ping the translated address vpn.......softether.net 37.75.138.130

The geolocation says it is not in Japan; it is in Wien, Austria, where I sit.

I can ping this address from whatever wired internet connection, but I cannot ping it from internet provided over a SIM card by a mobile phone operator.
I tried it also by using tethering on an Apple mobile phone - also not pinging.

Can this be the problem why SE is not working over mobile phone operator internet??

here are some test results:

OK: OrangePi Zero connected to the factory WiFi network
-------------------------------------------------------------------------------

root@OpenWrt:/etc/config# ping vpn97....629.softether.net
PING vpn97....629.softether.net (37.75.138.130): 56 data bytes
64 bytes from 37.75.138.130: seq=0 ttl=63 time=3.396 ms
64 bytes from 37.75.138.130: seq=1 ttl=63 time=13.690 ms
64 bytes from 37.75.138.130: seq=2 ttl=63 time=5.010 ms
64 bytes from 37.75.138.130: seq=3 ttl=63 time=5.675 ms
64 bytes from 37.75.138.130: seq=4 ttl=63 time=56.795 ms

wlan1 Link encap:Ethernet HWaddr 68:..:..:6A:62:31
inet addr:192.168.92.118 Bcast:192.168.92.255 Mask:255.255.255.0
inet6 addr: fe80::6ad7:19ff:fe6a:6231/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3564 errors:0 dropped:0 overruns:0 frame:0
TX packets:3781 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:994072 (970.7 KiB) TX bytes:1071756 (1.0 MiB)
*****************************************************************************




BAD: OrangePi Zero connected to the mobile (SIM card) router WiFi
(internet normally works, except for my VPN address)
(also www.softether.org pings normally!!??)
-------------------------------------------------------------------
root@OpenWrt:~# ping vpn97....629.softether.net
PING vpn97....629.softether.net (37.75.138.130): 56 data bytes

^C
--- vpn97....629.softether.net ping statistics ---
550 packets transmitted, 0 packets received, 100% packet loss

wlan1 Link encap:Ethernet HWaddr 68:..:..:6A:62:31
inet addr:192.168.8.100 Bcast:192.168.8.255 Mask:255.255.255.0
inet6 addr: fe80::6ad7:19ff:fe6a:6231/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:167 errors:0 dropped:0 overruns:0 frame:0
TX packets:8928 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:20654 (20.1 KiB) TX bytes:1238334 (1.1 MiB)

*********************************************************************************




BAD: attempt to ping my VPN address from a Windows PC connected to the mobile WiFi router
(when connected to the factory network it pings normally)
------------------------------------------------------------------------------------

C:\Windows\system32>ping vpn97....629.softether.net

Pinging vpn97....629.softether.net [37.75.138.130] with 32 bytes
of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 37.75.138.130:
Packets: Sent = 4, Received = 0, Lost = 4
(100% loss),

Re: MOBILE OPERATOR PROBLEM? connecting over real internet does not work

Posted: Mon Oct 22, 2018 9:42 am
by sky59
Reading the SE pages for the 1000th time, I just found with surprise that the server must NOT be behind a NAT router?

It means 99% of all home internet connections will not work? I think it is quite difficult to have internet with a public IP address that is not fixed but unique at any
moment?

I am not aware that it is even possible? I do not want to pay for a static public address.

Then the bridge/client can be behind NAT?

Do I understand it correctly or not?

Re: MOBILE OPERATOR PROBLEM? connecting over real internet does not work

Posted: Mon Oct 22, 2018 9:46 am
by fenice
Where did you read the information (do you have a link?) about SE VPN not being behind a NAT router? FWIW, I have my server behind a NAT router and it works without problems, but it does have a static IP address. Although there shouldn't be any problem in using a DHCP-allocated IP for your connection, if that's what you're implying.

Re: MOBILE OPERATOR PROBLEM? connecting over real internet does not work

Posted: Mon Oct 22, 2018 10:33 am
by sky59
If your home network is assigned a private IP address (which is converted into a global IP address by the ISP's NAT) then unfortunately you will not be able to access your VPN Server at home from the Internet. The only solution in this situation is to either change ISPs or consult with your ISP's system administrator.


link:
https://www.softether.org/4-docs/1-manu ... WiFi_Using

Re: MOBILE OPERATOR PROBLEM? connecting over real internet does not work

Posted: Mon Oct 22, 2018 10:37 am
by fenice
Ah, you're talking about carrier grade NAT and not a user's NAT router that's on a fixed or dynamic IP - the two are different. Yes, that's a problem for lots of users these days.

Re: MOBILE OPERATOR PROBLEM? connecting over real internet does not work

Posted: Mon Oct 22, 2018 11:33 am
by cmd wh0ami
If you can enable SecureNAT and the virtual DHCP server in the Virtual Hub settings instead of bridging to an interface, the DDNS server will reach outside through the hole punched through the firewall. I was able to connect to the VPN server, which had a dynamic local IP address behind NAT, from a router which had the public IP. (I didn't have control over the network to be able to open up any holes in the firewall.)

If you're really tech savvy and can root an Android cell phone, you could install the app Linux Deploy and the app BusyBox (UNIX tools). Install Debian Stretch, SSH into Debian running on the Android cell phone and install the arm7 version of SoftEther VPN Server onto the phone itself.

I can't wrap my mind around whether that would work for you; I'm just letting you know it's a possibility.... I did it to be able to spoof my public IP address using the cellular IPs remotely, without being able to tether to the cell phone or use the mobile hotspot.

I used SecureNAT and the virtual DHCP server instead of bridging to an interface.

Re: MOBILE OPERATOR PROBLEM? connecting over real internet does not work

Posted: Mon Oct 22, 2018 2:20 pm
by sky59
Thanks for the help.

That SecureNAT will not work without DHCP, or could I try it?

Re: MOBILE OPERATOR PROBLEM? connecting over real internet does not work

Posted: Mon Oct 22, 2018 2:35 pm
by cmd wh0ami
SoftEther SecureNAT has a built-in DHCP function. I don't see why it wouldn't work... Remember though, it takes a little while for SoftEther's remote server to update the IP address after it changes; I think it takes around 1 minute or so.

Just delete your local bridge to eth0 (or whatever your default interface is that you bridged to). Go into Manage Virtual Hub... Virtual NAT and Virtual DHCP Server (SecureNAT) and enable SecureNAT... You shouldn't need to change any settings, unless you don't want your connecting clients getting a 192.168.30.x address...

If you're trying to get on the LAN for RDP or something similar, sometimes you have to connect, disconnect and reconnect to the VPN before other devices on the LAN are found (at least I have had to with the Windows client).

Re: MOBILE OPERATOR PROBLEM? connecting over real internet does not work

Posted: Tue Oct 23, 2018 11:19 am
by sky59
I tried this SecureNAT (no idea what it is) but I still could not connect to the server from the SIM internet (client).

I used for this test a server running on an Ubuntu PC connected to the factory network behind NAT.

As a client I used a Windows PC with the SE client software.

When I connected the Windows PC on the factory network I could connect.

When I connected to my SIM card based internet AP I could not connect; I tried all possibilities and combinations, even with this SecureNAT, but
no success.

I found out the SIM provider offers a dynamic public address, one of them even for free (?!), so I will try it, but it takes time, maybe next week.
I will post some results over here; have a nice weekend! (I am taking some free days...)

Re: SOLVED! connecting over real internet does not work

Posted: Wed Oct 24, 2018 8:20 am
by sky59
HERE is the solution:

THIS IS AN ABSOLUTE MUST FOR THE SE SERVER:
-----------------------------------------------------------
I changed my mobile operator setting so now I have a dynamic PUBLIC IP address; I use T-Mobile in Austria, it is free.
So my 3G modem gets an address like 78.xx.xx.xx; as modem I use an A5V11 router with OpenWrt.

In the router I limited DHCP for the connected PC to 1 device so I know my PC will get address 192.168.2.100 (DHCP setting).
If I had more devices available then I would not know what IP the PC will get from the router; maybe it is possible to use the MAC or even a static setting,
but this is the best for me, I do not have to care which PC I connect to the router, it will always get xx.xx.xx.100.

Then I made 4 rules to port forward "anything from WAN port 443 forward to LAN 192.168.2.100 port 443", the same for all 4 needed ports.
I also opened all ports everywhere, everything is ACCEPT (I was already tired and did not want to spend more time now).

So all this means that the SERVER must be "sitting" on a public internet address!!! In my case it is the address of the 3G SIM modem.
As it is still behind NAT inside my router, the port forwarding is needed.


THE CLIENT/BRIDGE can be on whatever connection, behind 100x NAT, no problem, because the client/bridge initiates the connection.
No need for any port opening (I am not sure, I opened everything everywhere), but port forwards and a public IP are not needed.

SO MY IDEA IS THIS:
leave a server running somewhere on a public IP... (home?)
then you can make connections with two bridges to this server and you get a SoftEther cable between two bridges connected to whatever internet.
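An added example, not from the original poster, that checks the two conditions the solution above comes down to: (1) the address the modem or router receives on its WAN side must be a public one, not an address from the carrier-grade NAT range (100.64.0.0/10, RFC 6598) or an RFC 1918 private range, because no port forward on your own router can undo the ISP's NAT; and (2) the router needs one DNAT (port forward) rule per port the server listens on. The helper classifies the WAN address and writes the rules in the syntax of OpenWrt's /etc/config/firewall. The LAN address 192.168.2.100 is taken from the post; the port list (443, 992, 1194, 5555) is SoftEther VPN Server's default set of listeners, an assumption since the post does not name its four ports, and the WAN addresses in the usage are constructed sample values.

```python
import ipaddress

# Carrier-grade NAT shared address space (RFC 6598): a WAN address from here
# means the ISP is translating you and inbound connections cannot reach you.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")

# SoftEther VPN Server default listener ports (assumption: the post does not
# name the four ports it forwarded).
SOFTETHER_DEFAULT_PORTS = (443, 992, 1194, 5555)


def classify_wan_address(addr):
    """Classify the address a modem/router got on its WAN side.

    Returns 'public', 'cgnat', 'private', 'loopback', 'link-local' or 'other'.
    Only 'public' can terminate an inbound VPN connection without the ISP's help.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_RANGE:
        return "cgnat"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def openwrt_redirects(dest_ip, ports=SOFTETHER_DEFAULT_PORTS, proto="tcp udp",
                      name_prefix="SoftEther"):
    """Build 'config redirect' sections for /etc/config/firewall: one DNAT rule
    per port, wan:<port> -> dest_ip:<port>, same port on both sides.
    Raises ValueError if dest_ip is not a private LAN address, since the DNAT
    target has to be a host behind the router."""
    if not ipaddress.ip_address(dest_ip).is_private:
        raise ValueError(f"{dest_ip} is not a private LAN address")
    sections = []
    for port in ports:
        sections.append(
            "config redirect\n"
            f"\toption name '{name_prefix}-{port}'\n"
            "\toption src 'wan'\n"
            f"\toption src_dport '{port}'\n"
            "\toption dest 'lan'\n"
            f"\toption dest_ip '{dest_ip}'\n"
            f"\toption dest_port '{port}'\n"
            f"\toption proto '{proto}'\n"
            "\toption target 'DNAT'\n"
        )
    return "\n".join(sections)


def check_server_placement(wan_ip, lan_ip, ports=SOFTETHER_DEFAULT_PORTS):
    """Return (ok, report). ok is True only when the WAN address is public;
    the report then contains the redirect sections to append to the router."""
    kind = classify_wan_address(wan_ip)
    if kind != "public":
        return False, (
            f"WAN address {wan_ip} is {kind}: the ISP is translating it, so a port "
            "forward on your own router cannot help. Get a public address from the "
            "ISP (dynamic is fine) or run the server somewhere that has one."
        )
    return True, (
        f"WAN address {wan_ip} is public. Append these sections to /etc/config/firewall "
        "and run '/etc/init.d/firewall restart':\n\n" + openwrt_redirects(lan_ip, ports)
    )


if __name__ == "__main__":
    # Constructed sample values: a CGNAT address (fails) and a public one (passes).
    for wan in ("100.64.12.34", "78.1.2.3"):
        ok, report = check_server_placement(wan, "192.168.2.100")
        print("OK" if ok else "NOT OK", "-", report, "\n")
```

The public-address check covers only the modem's own WAN side; the bridge or client side, as the post says, may sit behind any number of NATs because it opens the connection outward.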

Re: SOLVED! connecting over real internet does not work

Posted: Mon Nov 05, 2018 10:26 am
by VishalMittal
Maybe there is an IP issue. Because sometimes what happens is that all things are connected well, but due to some software issue it creates a problem like the one you are facing.