Problem: no DHCP IP obtained from server

robertroos
Posts: 18
Joined: Fri Jun 17, 2016 7:55 am

Problem: no DHCP IP obtained from server

Post by robertroos » Wed Feb 01, 2017 1:41 pm

Hi,

I've just set up SoftEther and I'm trying to obtain a DHCP IP address from the server. The client is able to log on successfully but it's stuck at the stage: "Requesting an IP address to the DHCP server in the VPN"
The connection is established but my computer has generated an APIPA address. It seems that I'm unable to receive DHCP packets. The log also doesn't show anything particular.

What I did:

- Installed version 4.21
- OS: Ubuntu 16.04 Xenial
- I've enabled and configured SecureNAT and DHCP
- Created a local bridge which is bound to eth0, the internal interface of the VPN server.
- Disabled all firewalls (to be sure that this isn't an obstruction)

I
Anyone an idea?

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Problem: no DHCP IP obtained from server

Post by moatazelmasry » Wed Feb 01, 2017 2:01 pm

Please disable the local bridge for now.

Also look at the server_logs and see whether SE is trying to assign an IP to the client

Also use version 4.22

Post by robertroos » Fri Feb 03, 2017 10:05 am

I've just reinstalled the entire server with the 4.22. I'm able to establish a connection right now. However I can't get on the network. I'm able to ping the internal interface of the VPN server but I can't access other systems on the internal network.

What is the best way to access the local network? I'm having a weird issue right now that I can't add a local bridge. I'm getting a pop-up error message that says: "No physical network adapters suitable for Local Bridge were found on the VPN server computer"

I do have an internal interface which I can access remotely.

Or do I need to configure it differently without bridging?

Post by moatazelmasry » Fri Feb 03, 2017 10:53 am

Where is SE installed? Is this a bare metal, AWS, VPS, etc..?

Post by robertroos » Fri Feb 03, 2017 11:02 am

The server runs on a VPS instance based on LXD/LXC virtualization. I think it has issues bridging the virtual nic.

Post by moatazelmasry » Fri Feb 03, 2017 11:44 am

Two ideas:

- Have a look at the server_log of SE when trying to create a local bridge for a more detailed error description.
- Try a different hoster for your SE server; I use DigitalOcean, for example. Sometimes the VPS providers do weird stuff to their Linux images to get them running on their lame hypervisors.

Post by robertroos » Fri Feb 03, 2017 4:02 pm

Can't find any relevant information in the logfiles, so I'm stuck. I've tried to set up a tun/tap but that didn't work either. So I have to try another architecture.
Currently I'm trying to use SecureNAT only without bridging. I've managed to set up a connection and I'm able to ping the SecureNAT gateway including the internal interface eth0 of the SE. So the IP traffic seems to get through the NAT connection. But I'm unable to connect to other hosts on the network. Any suggestions to enable this traffic?

Post by moatazelmasry » Fri Feb 03, 2017 4:31 pm

ok. One more idea:

- Do a tcptraceroute from the SE host machine to some other machine X in the same subnet. This should work and you get the route.
- Do a tcptraceroute from an SE client to the machine X. This won't work, but at least you'll see the first node(s) hit.
- Compare the routes. Anything weird?

Post by robertroos » Fri Feb 03, 2017 4:51 pm

Trace from the SE server:
tcptraceroute 192.168.0.9
traceroute to 192.168.0.9 (192.168.0.9), 30 hops max, 44 byte packets
1 192.168.0.9 (192.168.0.9) <rst,ack> 0.076 ms 0.035 ms 0.016 ms

Trace from the SE client:

Tracing route to 192.168.0.9 over a maximum of 30 hops

1 29 ms 27 ms 27 ms 192.168.30.1 << this is the SecureNAT gateway address
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.

Tracing route to 192.168.0.3 over a maximum of 30 hops

1 28 ms 28 ms 29 ms 192.168.30.1 << this is the SecureNAT gateway address
2 28 ms 29 ms 29 ms 192.168.0.3 << This is the internal eth0 of the SE server

So in summary I'm able to reach system X from the SE server. From the client I'm able to reach the SE Server gateway address including the internal IP. But it isn't able to hop further than the SE server itself.

Post by robertroos » Fri Feb 03, 2017 5:23 pm

If I look at my client I see a security policy that disables routing (Deny routing operation), could this be the issue?

Post by moatazelmasry » Sun Feb 05, 2017 5:56 pm

Deny Bridge Operations and Deny Routing Operations are definitely wrong. Please remove both.

Post by robertroos » Mon Feb 06, 2017 3:13 pm

Weird, I've checked the security policy on the server. But it seems it isn't set (see attachment). Maybe this is the culprit that packages aren't forwarded through NAT. I've set up multiple VPN clients but all receive the same settings from the server. So I'm able to reproduce the problem. I've also tried to enable and disable these settings on the server but it seems to have no effect.

Not sure if the SecureNAT function works the same way as a regular network NAT. In theory I should be able to access the whole internal network with SecureNAT, correct?

Post by moatazelmasry » Mon Feb 06, 2017 3:51 pm

robertroos wrote:
> Weird, I've checked the security policy on the server. But it seems it
> isn't set (see attachment). Maybe this is the culprit that packages aren't
> forwarded through NAT. I've set up multiple VPN clients but all receive the
> same settings from the server. So I'm able to reproduce the problem. I've
> also tried to enable and disable these settings on the server but it seems
> to have no effect.
>
> Not sure if the SecureNAT function works the same way as a regular network
> NAT. In theory I should be able to access the whole internal network with
> SecureNAT, correct?

SecureNAT is a bit more than a NAT. It contains:
- A gateway
- Virtual NAT (alternative to local bridging, if you don't have enough privileges)
- DHCP

So use either VirtualNAT or local bridge. SecureNAT may still be turned on without VirtualNAT. If either VirtualNAT or local bridging is enabled, then you should be able to access internal resources.

Post by robertroos » Mon Feb 06, 2017 4:18 pm

OK, SecureNAT is the way to go then since bridging doesn't work.
So the remaining issue is that I can't access the internal network now. Only the internal interface of SE server.
This could be related to the Deny Routing policy settings that seems to be enforced on the clients. But I'm currently stuck because altering these settings on the server won't change the settings on the client.
Is there another option to alter these settings or force these policies to the client?

Post by moatazelmasry » Mon Feb 06, 2017 5:34 pm

What if you use a different protocol, say OpenVPN or L2TP? Can you then access internal resources?

And what if you push static routes explicitly to other internal resources, via the SecureNAT window?
Say 192.168.0.9 is the machine you want to reach and 192.168.0.3 is the gateway of the SE server, then the static route looks like the following:

192.168.0.3/255.255.255.255/192.168.0.9

Post by robertroos » Tue Feb 07, 2017 5:29 am

Unfortunately all didn't help.
I just checked the logs and found a strange entry. I don't recognize these IP addresses. Is this normal behaviour? It's a private network, but I didn't configure it.

2017-02-07 05:24:00.436 [HUB "VPN"] SecureNAT: It has been detected that the Kernel-mode NAT for SecureNAT can be run on the interface "ipv4_rawsocket_virtual_router". The Kernel-mode NAT is starting. The TCP, UDP and ICMP NAT processings will be performed with high-performance via Kernel-Mode hereafter. The parameters of Kernel-mode NAT: IP Address = "10.171.7.254", Subnet Mask = "255.255.255.252", Default Gateway = "10.171.7.253", Broadcast Address = "10.171.7.255", Virtual MAC Address: "DA-34-D3-76-1C-40", DHCP Server Address: "10.171.7.253", DNS Server Address: "213.186.33.99"

Post by moatazelmasry » Tue Feb 07, 2017 9:17 am

No. SE cannot come up by itself with some random gateway/IP.

Do you have a second NIC attached to the machine hosting SE? A NIC with a private IP?
A lot of VPS/cloud providers attach two NICs to each machine, one with a public, the other with a private IP.

Post by robertroos » Tue Feb 07, 2017 9:38 am

I only see three NICs. I think that the subnet belongs to an internal network interface on SE.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
268: eth0@if269: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:16:3e:05:ab:bb brd ff:ff:ff:ff:ff:ff link-netnsid 0
270: eth1@if271: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:16:3e:0c:82:95 brd ff:ff:ff:ff:ff:ff link-netnsid 0

Post by moatazelmasry » Tue Feb 07, 2017 10:15 am

Where are the IPs of these NICs? Did you run ifconfig?

Yes, it is possible that SE is using that mentioned IP. But no way that SE just came up with it; it must have been configured somewhere by the user.

Run:
grep -n "10.171.7" vpn_server.conf
inside the directory where SE is installed, to see if this IP is defined in your configuration.

Post by robertroos » Tue Feb 07, 2017 1:38 pm

The IP addresses don't exist in the config file :-)

I've also made an ifconfig dump:

root@vpn:/usr/local/vpnserver# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:05:ab:bb
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fe05:abbb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:976 (976.0 B) TX bytes:648 (648.0 B)

eth1 Link encap:Ethernet HWaddr 00:16:3e:0c:82:95
inet addr:91.x.x.x Bcast:91.134.2.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fe0c:8295/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:123448 errors:0 dropped:0 overruns:0 frame:0
TX packets:8591 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8221364 (8.2 MB) TX bytes:648894 (648.8 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Post by robertroos » Thu Feb 09, 2017 3:42 pm

I finally found the solution for my problem. I've altered the following setting from false to true.

bool DisableIpRawModeSecureNAT true

I'm able to access the internal network now. It works like a charm!
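
An added example, not part of any post in this thread and not SoftEther's own code: it parses the "Kernel-mode NAT is starting" log entry quoted earlier, checks whether the NAT network it reports matches a network configured on the host, and reads the `DisableIpRawModeSecureNAT` value from config text. The function names are hypothetical, the sample log and config strings are constructed from the values posted above, and the host network list is taken from the eth0 line of the ifconfig output.

```python
import ipaddress
import re

# Constructed sample: the log entry quoted in the thread, trimmed to the fields parsed here.
SAMPLE_LOG = (
    '2017-02-07 05:24:00.436 [HUB "VPN"] SecureNAT: It has been detected that the '
    'Kernel-mode NAT for SecureNAT can be run on the interface '
    '"ipv4_rawsocket_virtual_router". The Kernel-mode NAT is starting. '
    'The parameters of Kernel-mode NAT: IP Address = "10.171.7.254", '
    'Subnet Mask = "255.255.255.252", Default Gateway = "10.171.7.253"'
)
# Constructed sample: a config fragment holding only the setting named in the thread.
SAMPLE_CONFIG = "bool DisableIpRawModeSecureNAT false\n"

HUB_RE = re.compile(r'\[HUB "([^"]+)"\]')
IFACE_RE = re.compile(r'on the interface "([^"]+)"')
FIELD_RE = re.compile(r'(IP Address|Subnet Mask|Default Gateway)\s*[=:]\s*"([^"]*)"')
SETTING_RE = re.compile(r'^\s*bool\s+DisableIpRawModeSecureNAT\s+(true|false)\s*$', re.M)


def parse_kernel_nat(line):
    """Parse a 'Kernel-mode NAT is starting' log entry; return None for other lines."""
    fields = dict(FIELD_RE.findall(line))
    hub, iface = HUB_RE.search(line), IFACE_RE.search(line)
    if "Kernel-mode NAT is starting" not in line or len(fields) < 3 or not (hub and iface):
        return None
    net = ipaddress.ip_network(f'{fields["IP Address"]}/{fields["Subnet Mask"]}', strict=False)
    return {"hub": hub.group(1), "interface": iface.group(1), "network": net,
            "gateway": ipaddress.ip_address(fields["Default Gateway"])}


def unexpected_nat(entry, host_networks):
    """True when the NAT network overlaps none of the networks configured on the host."""
    return not any(entry["network"].overlaps(ipaddress.ip_network(n)) for n in host_networks)


def raw_mode_disabled(config_text):
    """One boolean per occurrence of the setting (assumption: it may appear more than once)."""
    return [value == "true" for value in SETTING_RE.findall(config_text)]


if __name__ == "__main__":
    entry = parse_kernel_nat(SAMPLE_LOG)
    # 192.168.0.0/24 is eth0 from the ifconfig output; eth1 is redacted in the thread.
    print(entry["hub"], entry["interface"], entry["network"],
          "unexpected" if unexpected_nat(entry, ["192.168.0.0/24"]) else "expected")
    print("DisableIpRawModeSecureNAT:", raw_mode_disabled(SAMPLE_CONFIG))
```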

Post by moatazelmasry » Thu Feb 09, 2017 10:31 pm

Cool. Glad that it worked.

Post by robertroos » Fri Feb 10, 2017 6:01 am

and many thanks for your support moatazelmasry! Really appreciated.

Cheers,

Robert

gparedes
Posts: 2
Joined: Thu Jan 10, 2019 2:56 pm

Re: Problem: no DHCP IP obtained from server

Post by gparedes » Thu Jan 10, 2019 3:22 pm

Hello, I assume that there is already a solution to this problem. However, using Ubuntu 16 server (over KVM) and SoftEther I found the same problem. Although I managed to connect using SecureNAT, I do not like this solution because the VPN clients are behind the NAT. So I found this solution:

1. On the server running SoftEther, add a new network interface, and configure it to boot but without IP (as recommended by the SoftEther manual).
2. Connect this network card to the same virtual switch where the DHCP and the VPN machine are.
3. Set up a local bridge between this new non-IP network card and the virtual hub where VPN users connect.

After this all users connect and take an IP address from the DHCP server successfully; clients use SSTP, L2TP (Windows, Mac, Android, iOS) and the VPN client from SoftEther for Windows.
I hope this setup can help future users.
