Routing/metric/dhcp issues with VPN-server

mrc
Posts: 12
Joined: Fri Feb 10, 2017 8:52 pm

Routing/metric/dhcp issues with VPN-server

Post by mrc » Sat Oct 20, 2018 3:52 pm

Hi,

I guess this is more of an issue with Linux itself, but when searching around, most of the information I find on configuring the routing is for cases where I can target an IP address or gateway for the route. In my case, I need the priority to be on the interface.

My SoftEther VPN server runs on Ubuntu (18.04 LTS) and has in total 5 network interfaces. Incoming connections come to e.g. eno0 (which will normally be "eth0" in a lot of installs, I guess), so let's call this the "main" interface. In addition there are ens3f0|1|2|3 on the network card, acting as "sources" for different hubs (which have different purposes).

In addition to eno0, the 4-port network card has a mix of connections:
ens3f0: A bridge to the same network as ETH0 and ens3f1, where the same router provides an IP (e.g. 192.168.1.x over DHCP)
ens3f1: A bridge to the same network as ETH0 and ens3f0, where the same router provides an IP (e.g. 192.168.1.x over DHCP)
ens3f2: Connected to a different network, which over DHCP delivers a public IP (so a direct connection to the internet).
ens3f3: Connected to a different network, which over DHCP delivers a public IP (so a direct connection to the internet).

So, I want incoming connections on eno0. Also, when the system itself accesses the internet, I want this connection to be used. When I first did the install, this was the only interface that had a connection.

ifconfig printout:
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.109 netmask 255.255.255.0 broadcast 192.168.1.255
ether 6c:0b:84:e2:7c:a6 txqueuelen 1000 (Ethernet)
RX packets 823457 bytes 66366883 (66.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 384757 bytes 36716871 (36.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xfb500000-fb520000

ens3f0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet 192.168.1.191 netmask 255.255.255.0 broadcast 192.168.1.255
ether f4:ce:46:a6:ef:dc txqueuelen 1000 (Ethernet)
RX packets 2482593 bytes 385314548 (385.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1279581 bytes 66591362 (66.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xfb280000-fb2fffff

ens3f1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet 192.168.1.192 netmask 255.255.255.0 broadcast 192.168.1.255
ether f4:ce:46:a6:ef:dd txqueuelen 1000 (Ethernet)
RX packets 2480815 bytes 385172870 (385.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1277175 bytes 66492929 (66.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xfb200000-fb27ffff

ens3f2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet XX.XX.XX.XX netmask 255.255.255.0 broadcast XX.XX.XX.255
ether f4:ce:46:a6:ef:de txqueuelen 1000 (Ethernet)
RX packets 184602 bytes 14416240 (14.4 MB)
RX errors 0 dropped 17 overruns 0 frame 0
TX packets 134340 bytes 11552772 (11.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xfb180000-fb1fffff

ens3f3: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1986
inet XX.XX.XX.XX netmask 255.255.255.0 broadcast XX.XX.XX.255
ether f4:ce:46:a6:ef:df txqueuelen 1000 (Ethernet)
RX packets 636746 bytes 75801968 (75.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 736989 bytes 106662664 (106.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xfb100000-fb17ffff

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 77061 bytes 7536918 (7.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 77061 bytes 7536918 (7.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Since IP ranges/gateways etc. will be the same here on some networks, setting the routes will not help. So

route -n printout:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 XX.XX.XX.1 0.0.0.0 UG 100 0 0 ens3f3
0.0.0.0 192.168.1.1 0.0.0.0 UG 101 0 0 eno1
0.0.0.0 192.168.1.1 0.0.0.0 UG 102 0 0 ens3f0
0.0.0.0 192.168.1.1 0.0.0.0 UG 103 0 0 ens3f1
0.0.0.0 XX.XX.XX.1 0.0.0.0 UG 104 0 0 ens3f2
XX.XX.XX.0 0.0.0.0 255.255.255.0 U 100 0 0 ens3f3
XX.XX.XX.0 0.0.0.0 255.255.255.0 U 101 0 0 ens3f2
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 ens3f3
192.168.1.0 0.0.0.0 255.255.255.0 U 99 0 0 eno1
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 ens3f1
192.168.1.0 0.0.0.0 255.255.255.0 U 101 0 0 ens3f0
192.168.1.0 0.0.0.0 255.255.255.0 U 102 0 0 eno1

So I tried changing the metric with 'ifmetric', which seems to help temporarily. E.g. for some reason ens3f3 gets metric 100, but I want eno0 to have it. So e.g. I can set the metric to 99 for eno1, and it works for a while before reverting to the old setting. I can see in syslog that this interface does a DHCP request quite often, just under every 10 minutes. I've seen the lease time noted in syslog as 'lease time 1200', which is 20 minutes.

Example from syslog:
Oct 20 11:20:08 SE-L2-VPN NetworkManager[724]: <info> [1540027208.8204] dhcp4 (ens3f3): nameserver 'YYY.YYY.YY.253'
Oct 20 11:20:08 SE-L2-VPN NetworkManager[724]: <info> [1540027208.8204] dhcp4 (ens3f3): nameserver 'ZZZ.ZZZ.ZZ.253'
Oct 20 11:20:08 SE-L2-VPN NetworkManager[724]: <info> [1540027208.8204] dhcp4 (ens3f3): domain name 'QQQ.QQQQQQQQQ.com'
Oct 20 11:20:08 SE-L2-VPN NetworkManager[724]: <info> [1540027208.8205] dhcp4 (ens3f3): state changed bound -> bound
Oct 20 11:20:08 SE-L2-VPN systemd[1]: Starting Network Manager Script Dispatcher Service...
Oct 20 11:20:08 SE-L2-VPN dbus[709]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Oct 20 11:20:08 SE-L2-VPN systemd[1]: Started Network Manager Script Dispatcher Service.
Oct 20 11:20:08 SE-L2-VPN nm-dispatcher: req:1 'dhcp4-change' [ens3f3]: new request (1 scripts)
Oct 20 11:20:08 SE-L2-VPN nm-dispatcher: req:1 'dhcp4-change' [ens3f3]: start running ordered scripts...
Oct 20 11:20:08 SE-L2-VPN dhclient[22366]: bound to XX.XX.XX.22 -- renewal in 578 seconds.
Oct 20 11:29:46 SE-L2-VPN dhclient[22366]: DHCPREQUEST of XX.XX.XX.22 on ens3f3 to XX.XX.XX.1 port 67 (xid=0x3341cae3)
Oct 20 11:29:46 SE-L2-VPN dhclient[22366]: DHCPACK of XX.XX.XX.22 from XX.XX.XX.1
Oct 20 11:29:46 SE-L2-VPN NetworkManager[724]: <info> [1540027786.4694] dhcp4 (ens3f3): address XX.XX.XX.22
Oct 20 11:29:46 SE-L2-VPN NetworkManager[724]: <info> [1540027786.4694] dhcp4 (ens3f3): plen 24 (255.255.255.0)
Oct 20 11:29:46 SE-L2-VPN NetworkManager[724]: <info> [1540027786.4694] dhcp4 (ens3f3): gateway XX.XX.XX.1
Oct 20 11:29:46 SE-L2-VPN dbus[709]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'

Ideas?

cmd wh0ami
Posts: 107
Joined: Sun Jul 16, 2017 6:58 pm

Re: Routing/metric/dhcp issues with VPN-server

Post by cmd wh0ami » Sat Oct 20, 2018 6:54 pm

I read this 3 times and can't understand what you're trying to do with routing... But when I'm in situations where the IP address changes but I know the interface I want to use, I use this:


route add -host 55.55.55.55 gw $(ip route list exact 0.0.0.0/0 | grep wlan0 | xargs | awk '{print $3}')
Where 55.55.55.55 = the IP of the host I want to add a route to over interface wlan0.

You can run the command in a terminal to see the output of the IP address for eno0 by:


ip route list exact 0.0.0.0/0 | grep eno0 | xargs | awk '{print $3}'
I use this in my init script on the client, since the local IP subnet is always changing depending on what Wi-Fi I'm connecting to.
VPN Discord invite: https://discord.gg/QByKXA9
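A more robust version of the gateway lookup above, as an added example that is not part of the original post: it parses `ip route` output (the sample below is constructed to mirror the route table in the first post, with the masked public addresses replaced by the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges), matches the `dev` field exactly instead of grepping for the interface name anywhere on the line, picks the lowest-metric default route when an interface has several, and emits a single `ip route replace` in place of the legacy `route add -host`. Interface names are the thread's; 55.55.55.55 is the target host used in the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Pick the default gateway that
# belongs to one interface and build a host route through it.

# Read `ip -4 route show` output on stdin; print the gateway of the
# lowest-metric default route whose `dev` field is exactly $1.
# Exit status 1 when that interface has no default route.
gateway_for_iface() {
    awk -v want="$1" '
        $1 == "default" {
            gw = ""; dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "via")    gw = $(i + 1)
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev == want && gw != "" && (best == "" || metric < bestm)) {
                best = gw; bestm = metric
            }
        }
        END { if (best != "") { print best; exit 0 } exit 1 }'
}

# Print the command that pins a single host behind a given interface's
# gateway.  args: host iface   (route list is read on stdin)
host_route_cmd() {
    gw=$(gateway_for_iface "$2") || { echo "no default route via $2" >&2; return 1; }
    printf 'ip route replace %s/32 via %s dev %s\n' "$1" "$gw" "$2"
}

# Constructed sample: what `ip -4 route show` prints for a table like the
# one in the first post (public ranges replaced with TEST-NET addresses).
SAMPLE_ROUTES='default via 198.51.100.1 dev ens3f3 proto dhcp metric 100
default via 192.168.1.1 dev eno1 proto dhcp metric 101
default via 192.168.1.1 dev ens3f0 proto dhcp metric 102
default via 192.168.1.1 dev ens3f1 proto dhcp metric 103
default via 203.0.113.1 dev ens3f2 proto dhcp metric 104
198.51.100.0/24 dev ens3f3 proto kernel scope link src 198.51.100.22 metric 100
203.0.113.0/24 dev ens3f2 proto kernel scope link src 203.0.113.22 metric 101
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.109 metric 99'

# Dry run against the sample. Live use: ip -4 route show | host_route_cmd 55.55.55.55 eno1 | sh
printf '%s\n' "$SAMPLE_ROUTES" | host_route_cmd 55.55.55.55 eno1
```

The exact `dev` match matters on a box like this one: `grep ens3f` or a substring such as `eno` would pick up several lines, and with the original pipeline the `route add ... gw` argument would then contain more than one address.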

cmd wh0ami
Posts: 107
Joined: Sun Jul 16, 2017 6:58 pm

Re: Routing/metric/dhcp issues with VPN-server

Post by cmd wh0ami » Sat Oct 20, 2018 7:05 pm

But if your server is run on Linux, what I'm thinking I would do is disable SecureNAT and bridge to eno0 or a tap_interface. The router should do DHCP for a connecting client on eno0, or you would have to use dnsmasq for DHCP on tap_interface. You would also have to use SNAT in iptables to forward traffic from tap_interface to eno0 or whatever your default interface to WAN is, if using tap_interface... Bridging to eno0 would be easiest. But SoftEther might not be able to see eno0 in the bridge settings. I'd give you an example of how to manually do it in the server config, but I can't get into my server at the moment because of the IP address I'm on.
VPN Discord invite: https://discord.gg/QByKXA9

mrc
Posts: 12
Joined: Fri Feb 10, 2017 8:52 pm

Re: Routing/metric/dhcp issues with VPN-server

Post by mrc » Tue Oct 23, 2018 7:21 pm

I think I have overcome some of my problems. By editing /etc/network/interfaces, the interfaces now have the metric-order I wanted.

Also, I think I solved the DHCP problem. I'm not sure what it was, but it was solved by reinstalling Ubuntu (I found out the system was running 17.10, which was not supported anymore, and ran into some SecureBoot issues trying to upgrade to 18.04 LTS; after the reinstall and setting the metric in the /etc/network/interfaces config, it seems "stable").

I might need to explain my issue a bit better, and what I'm trying to solve with this somewhat special setup.
- With SoftEther VPN, a "hub" seems to be quite closely related to a network hub, when it comes to L2 traffic at least. The problem I had when I had multiple users sharing a hub/bridge was flooding of multicast. So multicast that User1 has joined would also be sent to User2. I tried to create separate hubs for User1 and User2, but still got multicast flooding. My approach was then to use multiple interfaces and try to separate this more at a lower level. One user has its own hub, with its own interface/bridge.

The use case here is that I need the VPN connections to provide L2 features to be able to join the multicasts. But I have a few different use cases here, so in some cases it is OK that the router on my side delivers the routing etc., while in some cases I want to give the user L2 access to an FTTH connection, and he can set up a router on his side.

Btw, I have not enabled SecureNAT, and from what I can understand, I don't have a tap interface on the system the way I have set it up.

I need to do some testing now, but I'm not sure if I'm out of trouble; at least locally on the PC, I'm not able to get internet access when addressing the ens3f* interfaces, it seems. But I guess this could be because of routing issues. So, these interfaces get an IP over DHCP, but if I e.g. run 'curl --interface www.google.com' I get no reply. Is that because of routing issues, even if I specify what interface it shall use?
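The last question above is what source-based policy routing is for: `curl --interface` only binds the source address, the outgoing route is still chosen by the main table, whose lowest-metric default route is not on ens3f2/ens3f3, so the packet leaves through the wrong interface with a source address that does not belong there and has no reliable return path. The following is an added example, not code from the thread or from SoftEther: it gives each public-facing interface its own routing table containing its own DHCP gateway, plus an `ip rule` that sends traffic from that interface's address through that table. Interface names are the thread's; the table ids, rule priorities and the TEST-NET addresses used in the dry run are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from SoftEther.
# Source-based policy routing for a multihomed host: every interface with
# its own DHCP gateway gets its own routing table, and an `ip rule` sends
# packets *from* that interface's address through that table. After this,
# `curl --interface ens3f2 ...` leaves via ens3f2's gateway instead of the
# lowest-metric default route in the main table.
# Assumptions: table ids (102, 103) and rule priorities (1000 + table id)
# are arbitrary; the dry-run addresses are TEST-NET documentation ranges.

# Network address of an a.b.c.d/len CIDR: 192.168.1.191/24 -> 192.168.1.0/24
cidr_network() {
    host=${1%/*}; len=${1#*/}
    oIFS=$IFS; IFS=.; set -- $host; IFS=$oIFS
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$len" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - len)) & 4294967295 )); fi
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
                              $(( (net >> 8) & 255 ))  $(( net & 255 )) "$len"
}

# Print (do not run) the ip(8) commands for one interface so they can be
# reviewed or tested first.   args: iface addr/len gateway table-id
policy_route_cmds() {
    iface=$1; cidr=$2; gw=$3; table=$4
    addr=${cidr%/*}
    prio=$(( 1000 + table ))
    # connected route and default route inside the per-interface table
    printf 'ip route replace %s dev %s src %s table %s\n' \
        "$(cidr_network "$cidr")" "$iface" "$addr" "$table"
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # `ip rule add` is not idempotent: drop the rule from a previous lease first
    printf 'ip rule del priority %s 2>/dev/null || true\n' "$prio"
    printf 'ip rule add from %s lookup %s priority %s\n' "$addr" "$table" "$prio"
}

# Read the live address and gateway of an interface and apply the commands.
# Needs root and iproute2; re-run from a DHCP hook, since a renewal can
# hand out a different address or gateway.   args: iface table-id
apply_policy_route() {
    cidr=$(ip -4 -o addr show dev "$1" scope global | awk '{ print $4; exit }')
    gw=$(ip -4 route show default dev "$1" | awk '{ print $3; exit }')
    [ -n "$cidr" ] && [ -n "$gw" ] || { echo "no IPv4 address/gateway on $1" >&2; return 1; }
    policy_route_cmds "$1" "$cidr" "$gw" "$2" | sh -e
}

# Dry run with constructed values for the two public-facing ports in the thread.
policy_route_cmds ens3f2 203.0.113.22/24 203.0.113.1 102
policy_route_cmds ens3f3 198.51.100.22/24 198.51.100.1 103
# For real: apply_policy_route ens3f2 102 && apply_policy_route ens3f3 103
```

Two practical notes. Hook `apply_policy_route` into whatever renews the lease (a NetworkManager dispatcher script, or a `post-up` line under the interface in /etc/network/interfaces), otherwise the per-interface table goes stale the way the `ifmetric` change in the first post did. And once ens3f2/ens3f3 have a working return path, anything listening on 0.0.0.0 on this box, the VPN listener included, becomes reachable from the internet on those public addresses, so filter those interfaces with iptables/nftables to the ports you actually intend to expose.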
