Selective Routing for VPN - Remote PC to LAN Configuration

Elik
Posts: 4
Joined: Wed Aug 13, 2014 6:32 pm

Selective Routing for VPN - Remote PC to LAN Configuration

Post by Elik » Wed Aug 13, 2014 6:55 pm

Hello all,

I have started looking into this as a replacement for OpenVPN, and I am still learning the administration of SoftEther VPN. However, our existing OpenVPN is configured for the corporate network, and I am trying to figure out how to apply the selective routing so it is routed over VPN, and everything else is not routed through VPN.

So I am having a little difficulty trying to figure out how to apply this kind of network setup in SoftEther. Here is the example routing that is set up on our OpenVPN, so you can see the general idea:

push "route 199.223.118.0 255.255.255.0 vpn_gateway"
push "route 199.223.119.0 255.255.255.0 vpn_gateway"
push "route 192.200.20.0 255.255.255.0 vpn_gateway"
push "route 192.200.21.0 255.255.255.0 vpn_gateway"
push "route 66.211.169.0 255.255.255.0 vpn_gateway"
push "route 173.0.88.0 255.255.255.0 vpn_gateway"
push "route 173.0.84.0 255.255.255.0 vpn_gateway"
## Ebay Network IP
push "route 216.113.188.89 255.255.255.255 vpn_gateway"
## Client one Website IP
push "route 165.87.93.142 255.255.255.255 vpn_gateway"
## Client Two Website IP
push "route 210.168.118.132 255.255.255.255 vpn_gateway"
## Client Three Website IP
push "route 122.135.67.34 255.255.255.255 vpn_gateway"
## Client Four Website IP
push "route 138.73.126.145 255.255.255.255 vpn_gateway"
push "route remote_host 255.255.255.255 net_gateway"

This is the example routing that is pushed so any traffic that fits those networks is routed through the VPN, and everything else is routed through the regular internet connection from the computer. So how do I exactly accomplish this similar setup? I am looking to move away from OpenVPN to an L2TP network instead of OpenVPN.

Elik
Posts: 4
Joined: Wed Aug 13, 2014 6:32 pm

Re: Selective Routing for VPN - Remote PC to LAN Configurati

Post by Elik » Fri Aug 15, 2014 3:08 pm

Come on.. someone should know how this can be applied. The documentation, while good, is not really clear and concise enough with examples to explain how some stuff works, and requires a lot of trial and error to figure this out. I would really appreciate it if someone could respond on this.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Selective Routing for VPN - Remote PC to LAN Configurati

Post by thisjun » Wed Sep 03, 2014 6:23 am

SoftEther VPN is L2 emulated Ethernet.
So, SoftEther doesn't route IP packets usually.
However, virtual DHCP function of SoftEther has static routing table pushing function.

Elik
Posts: 4
Joined: Wed Aug 13, 2014 6:32 pm

Re: Selective Routing for VPN - Remote PC to LAN Configurati

Post by Elik » Wed Sep 03, 2014 9:25 am

Hello,

I have it all figured out by having it done through DHCP to push the split tunneling through SoftEther over the weekend. Just the documentation is not there to show how it is done, but it was accomplished without using the SecureNAT functionality, with the bridge tap.

I do recommend that the howto is posted and added to the documentation for this, and to add clarification about the RADIUS authentication with the * for the user to pass the authentication to the RADIUS server. There was a lot of confusion on that topic until one poster pointed out how it is accomplished, which was not clearly explained in the documentation either.

maddangerous
Posts: 4
Joined: Tue Oct 07, 2014 3:59 am

Re: Selective Routing for VPN - Remote PC to LAN Configurati

Post by maddangerous » Fri Oct 10, 2014 12:54 am

Could you post the steps for this please? I am currently looking into this as well. I do not want my friends' internet traffic going through my VPN, only games.

mashuser
Posts: 5
Joined: Sat Jan 17, 2015 1:18 am

Re: Selective Routing for VPN - Remote PC to LAN Configurati

Post by mashuser » Sat Jan 17, 2015 1:33 am

I use one virtual hub for game only VPN, and another for all traffic routed thru VPN.
Internet packets could be filtered via Access Lists on the VPN Hub configuration.
If you know the IP Addresses of your destination server (e.g. game servers)
Then you could specify them in the access lists as destination IP Addresses...

This is how I do it:
I got ACLs on the destination servers with priority 100+.
Then an ACL denying all other traffic with priority 200.
Then I push static routes via the Push routes function of the SecureNAT and DHCP.

First ACL: (many more like this, since game servers use different IPs for channels and updates)
Memo: GameServer
Action: Pass
Priority: 101
Source Name: Users ---> I got my users groups into the users group.
Destination IP Address: Game Server IP /SM: 255.255.255.255 (single host)

Keep on cloning this until you have all IP addresses covered.

Deny ACL:
Memo: Deny all traffic
Action: Deny
Priority: 200
Source Name: Users ---> I got my users groups into the users group.

Then onto SecureNAT and Virtual DHCP:
IP ADD: 172.16.0.1
SM: 255.255.0.0
use vnat function: check
use virtual dhcp function: check
distributes ip add: 172.16.1.1 to 172.16.2.254
sm: 255.255.0.0
lease 7200
DEFAULT GW ADDRESS: EMPTY --> important. no def gateway, no other traffic goes thru your vpn

static table to push:
203.116.154.46/255.255.255.255/172.16.0.1, 203.116.155.2/255.255.255.255/172.16.0.1, 203.116.255.12/255.255.255.255/172.16.0.1, 203.116.185.132/255.255.255.255/172.16.0.1, 203.116.185.141/255.255.255.255/172.16.0.1, 203.116.0.0/255.255.0.0/172.16.0.1
(Yes, these are the actual entries. Just change them to suit your config; this is for DNSEA, btw.)

qupfer
Posts: 202
Joined: Wed Jul 10, 2013 2:07 pm

Re: Selective Routing for VPN - Remote PC to LAN Configurati

Post by qupfer » Sun Jan 18, 2015 10:53 am

Maybe you could run "dnsmasq" or an alternative DHCP server on the server side, listening only on the bridge device.
(Take a look at this tutorial, if you know what I mean^^ http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/ )


With the following modifications (for dnsmasq.conf), you should get what you want. (Or, to be exact: you should get what I think you want.)

dhcp-option=3 # send "no" default route...so general traffic will not use the vpn
dhcp-option=6,10.10.10.10 # send "dns-address 10.10.10.10" to clients (replace with your "corporate dns")
dhcp-option=121,199.223.118.0/24,10.10.20.1,199.223.119.0/24,10.10.20.1 [...] # send "routes" as part of the dhcp-message to clients. 10.10.20.1 is the IP address of the virtual bridge device. Manually assigned on the server.

With these changes, all DNS queries and all traffic with destination addresses in the 199.223.118.0/24 and 199.223.119.0/24 range are routed through the VPN.
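
Added example, not part of any post in this thread: a Python sketch that converts the OpenVPN `push "route ..."` lines from the first post into the `dhcp-option=121` line from qupfer's post and the network/mask/gateway list from mashuser's post, rejects a default route (which would undo the split tunnel), and builds the RFC 3442 option 121 payload so it can be compared with a packet capture. The function names are hypothetical; the sample input is constructed from lines quoted above.

```python
import ipaddress
import re

# Constructed sample: a few of the push lines quoted in the first post.
OPENVPN_PUSH = '''
push "route 199.223.118.0 255.255.255.0 vpn_gateway"
push "route 199.223.119.0 255.255.255.0 vpn_gateway"
## Ebay Network IP
push "route 216.113.188.89 255.255.255.255 vpn_gateway"
push "route remote_host 255.255.255.255 net_gateway"
'''
PUSH_RE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)\s+vpn_gateway"\s*$')

def parse_push_routes(text):
    """Return the networks that OpenVPN sends through the tunnel."""
    nets = []
    for line in text.splitlines():
        m = PUSH_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, net_gateway (bypass) routes
        # strict=True raises ValueError when host bits are set for the mask
        net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=True)
        if net.prefixlen == 0:
            raise ValueError("default route would send all traffic via the VPN")
        nets.append(net)
    return nets

def dnsmasq_option_121(nets, gateway):
    """dnsmasq.conf line in the form used in qupfer's post."""
    gw = ipaddress.IPv4Address(gateway)
    return "dhcp-option=121," + ",".join(f"{n},{gw}" for n in nets)

def softether_static_table(nets, gateway):
    """network/mask/gateway entries in the form used in mashuser's post."""
    gw = ipaddress.IPv4Address(gateway)
    return ", ".join(f"{n.network_address}/{n.netmask}/{gw}" for n in nets)

def option_121_bytes(nets, gateway):
    """RFC 3442 payload: prefix length, significant destination octets, router."""
    gw = ipaddress.IPv4Address(gateway).packed
    out = b""
    for n in nets:
        significant = (n.prefixlen + 7) // 8  # octets actually sent on the wire
        out += bytes([n.prefixlen]) + n.network_address.packed[:significant] + gw
    return out

if __name__ == "__main__":
    routes = parse_push_routes(OPENVPN_PUSH)
    print(dnsmasq_option_121(routes, "10.10.20.1"))
    print(softether_static_table(routes, "172.16.0.1"))
    print(option_121_bytes(routes, "10.10.20.1").hex())
```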

mashuser
Posts: 5
Joined: Sat Jan 17, 2015 1:18 am

Re: Selective Routing for VPN - Remote PC to LAN Configurati

Post by mashuser » Fri Feb 13, 2015 8:05 am

qupfer wrote:
> Maybe you could run "dnsmasq" or an alternative DHCP server on the
> server side, listening only on the bridge device.
> (Take a look at this tutorial, if you know what I mean^^
> http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/
> )
>
>
> With the following modifications (for dnsmasq.conf), you should get what
> you want. (Or, to be exact: you should get what I think you want.)
>
> dhcp-option=3 # send "no" default
> route...so general traffic will not use the vpn
> dhcp-option=6,10.10.10.10 # send "dns-address
> 10.10.10.10" to clients (replace with your "corporate dns")
> dhcp-option=121,199.223.118.0/24,10.10.20.1,199.223.119.0/24,10.10.20.1
> [...] # send "routes" as part of the dhcp-message to clients.
> 10.10.20.1 is the IP address of the virtual bridge device. Manually assigned
> on the server.
>
> With these changes, all DNS queries and all traffic with
> destination addresses in the 199.223.118.0/24 and 199.223.119.0/24 range
> are routed through the VPN.

Actually, I modified my config to do this.
Everything is now done with dnsmasq and that config.
Works like a charm and no wasted processor usage on SecureNAT/DHCP.
