SoftEther VPN Client Linux issue

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

SoftEther VPN Client Linux issue

Post by raymi » Thu Jun 21, 2018 7:49 am

Hello,

I've configured a SoftEther VPN server that also uses IPSec/L2TP. On the Virtual Hub I configured SecureNAT for accessing the systems behind it that are in a specific subnet (172.10.*.*).

Connecting from native operating system client (MacOSX, Windows, iOS, Android), everything is working properly. Not from Linux (CentOS).

So I installed SoftEther VPN Client. On Windows, I can connect to the VPN server and access the systems behind NAT by just activating SE VPN Client. On Linux, I can connect to the VPN server (via vpncmd), the dedicated virtual interface correctly receives an IP address from the VPN server (192.168.*.*) and a static route is defined to route the whole NAT subnet (172.10.*.*) through this virtual interface. However, I cannot access the systems behind NAT.

I feel a bit lost as on Windows the SE client was very easy to install, configure and run without any problem. But on Linux, with which I normally feel more comfortable, I'm struggling.

Any help would be much appreciated. Has anyone already succeeded in running the SE client for Linux with NAT?

Thanks in advance
Raymi

thisjun
Posts: 2090
Joined: Mon Feb 24, 2014 11:03 am

Re: SoftEther VPN Client Linux issue

Post by thisjun » Thu Jun 28, 2018 6:24 am

Could you show the routing table, the ifconfig result and the traceroute result from the Linux machine?

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Thu Jun 28, 2018 10:45 am

Connecting to the server:
-------------------------------
# /usr/local/vpnclient/vpncmd localhost /client /CMD accountconnect con-SoftEther
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.20 Build 9608 (English)
Compiled 2016/04/17 21:59:35 by yagi at pc30
Copyright (c) SoftEther VPN Project. All Rights Reserved.

Connected to VPN Client "localhost".

VPN Client>accountconnect con-SoftEther
AccountConnect command - Start Connection to VPN Server using VPN Connection Setting
The command completed successfully.

Route
-------
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.30.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn_softether
172.10.0.0 192.168.30.10 255.255.0.0 UG 0 0 0 vpn_softether
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1004 0 0 vpn_softether
0.0.0.0 10.10.1.1 0.0.0.0 UG 0 0 0 eth0

ifconfig
----------
# ifconfig vpn_softether
vpn_softether Link encap:Ethernet HWaddr 00:AC:1F:B1:51:6A
inet addr:192.168.30.10 Bcast:192.168.30.255 Mask:255.255.255.0
inet6 addr: fe80::2ac:1fff:feb1:516a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:163 errors:0 dropped:0 overruns:0 frame:0
TX packets:213 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:10410 (10.1 KiB) TX bytes:17358 (16.9 KiB)

traceroute
-------------
# traceroute 172.10.10.12
traceroute to 172.10.10.12 (172.10.10.12), 30 hops max, 60 byte packets
1 192.168.30.10 (192.168.30.10) 3000.483 ms !H 3000.481 ms !H 3000.476 ms !H

cmd wh0ami
Posts: 36
Joined: Sun Jul 16, 2017 6:58 pm

Re: SoftEther VPN Client Linux issue

Post by cmd wh0ami » Sat Jun 30, 2018 5:07 pm

#! /bin/sh
### BEGIN INIT INFO
# Provides: vpnclient
# Required-Start: $all
# Required-Stop: $network $local_fs $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# chkconfig: 345 44 56
# description: Start VPN Client at boot time.
# processname: vpnclient
### END INIT INFO

# /etc/init.d/vpnclient

case "$1" in
start)
    echo "Starting VPN Client"
    /usr/local/vpnclient/vpnclient start

    sleep 1
    # Check whether the virtual adapter is already present
    if ifconfig -a | grep vpn_vpn >/dev/null
    then
        echo "Setting up vpn_vpn..."
    else
        # Adapter not up yet: bounce it once and check again
        sleep 1
        ifdown vpn_vpn
        sleep 1
        ifup vpn_vpn
        sleep 1
        if ifconfig -a | grep vpn_vpn >/dev/null
        then
            echo "Setting up vpn_vpn..."
        else
            echo "Interface vpn_vpn not found" >&2
            exit 1
        fi
    fi
    # Host route to 55.55.55.55 via the gateway 192.168.0.1
    route add -host 55.55.55.55 gw 192.168.0.1
    #route del default
    #route add default gw 192.168.30.1 dev vpn_vpn
    #/usr/local/vpnclient/./vpncmd
    ;;

stop)
    echo "Stopping VPN Client"
    /usr/local/vpnclient/vpnclient stop
    # Remove the host route and restore the default route on wlan0
    route del -host 55.55.55.55
    route del default
    route add default gw 192.168.0.1 dev wlan0
    ;;

*)
    echo "Usage: /etc/init.d/vpnclient {start|stop}"
    exit 1
    ;;
esac

exit 0

cmd wh0ami
Posts: 36
Joined: Sun Jul 16, 2017 6:58 pm

Re: SoftEther VPN Client Linux issue

Post by cmd wh0ami » Sat Jun 30, 2018 5:09 pm

I'm using a bash script in /etc/init.d to set up routes with my server using NAT.

Here is a link to my gist on GitHub: https://gist.github.com/cmdwhoami/77ebb ... d23baaeebe

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Tue Jul 03, 2018 7:55 am

Doubting it would solve my issue, I however adapted the proposed script to my IP addresses.

It does not solve the issue: ssh: connect to host port 22: No route to host

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Tue Jul 03, 2018 8:57 am

> # route -n
> Kernel IP routing table
> 172.10.0.0 192.168.30.10 255.255.0.0 UG 0 0 0 vpn_softether

In the default setting, SecureNAT has the IP address 192.168.30.1.
This may be incorrect.
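
Added example, not part of cedar's post or of SoftEther itself: a shell check for the pattern quoted above, a route whose gateway is the host's own address. It also goes one step further and flags a gateway that is not inside a connected subnet on the same interface. The helper name `check_routes` and the sample table (constructed from rows posted earlier in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check the gateway column of `route -n` output.

# Constructed sample: rows taken from the routing table posted earlier in the thread.
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.30.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn_softether
172.10.0.0 192.168.30.10 255.255.0.0 UG 0 0 0 vpn_softether
0.0.0.0 10.10.1.1 0.0.0.0 UG 0 0 0 eth0'

# check_routes LOCAL_IP...   (hypothetical helper; reads `route -n` text on stdin)
# Prints one line per suspicious gateway route:
#   SELF    the gateway is one of this host's own addresses
#   OFFLINK the gateway is not inside a connected subnet on the same interface
check_routes() {
    awk -v locals="$*" '
    function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # Network address for a contiguous netmask, without bitwise operators.
    function net(ip, mask,  n, b) { n = ip2n(ip); b = 4294967296 - ip2n(mask); return n - n % b }
    BEGIN { cnt = split(locals, l, " "); for (i = 1; i <= cnt; i++) self[l[i]] = 1 }
    $1 !~ /^[0-9]+\./ { next }                        # skip the header lines
    $4 !~ /G/ { conn[++c] = $1 " " $3 " " $8; next }  # directly connected subnet
    { gw[++g] = $0 }                                  # route through a gateway
    END {
        for (i = 1; i <= g; i++) {
            split(gw[i], f, " ")
            if (f[2] in self) { print "SELF " f[1] " via " f[2] " dev " f[8]; continue }
            ok = 0
            for (j = 1; j <= c; j++) {
                split(conn[j], k, " ")
                if (k[3] == f[8] && net(f[2], k[2]) == ip2n(k[1])) ok = 1
            }
            if (!ok) print "OFFLINK " f[1] " via " f[2] " dev " f[8]
        }
    }'
}

# 192.168.30.10 is the address the client received from the VPN server DHCP.
printf '%s\n' "$SAMPLE_ROUTES" | check_routes 192.168.30.10
```

On a live system the same function can be fed with `route -n | check_routes <local addresses>`; no output means every gateway is a remote, on-link next hop.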

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Tue Jul 03, 2018 9:15 am

You are right, this was my previous configuration. I changed the route to force going through the local VPN dedicated interface IP address; neither of them allows connecting to the 172.x NAT.

Still no route to host.

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Tue Jul 03, 2018 9:23 am

Please show latest configuration and traceroute result.

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Tue Jul 03, 2018 10:09 am

VPN client config
---------------------
# Software Configuration File
# ---------------------------
#
# You may edit this file when the VPN Server / Client / Bridge program is not running.
#
# In prior to edit this file manually by your text editor,
# shutdown the VPN Server / Client / Bridge background service.
# Otherwise, all changes will be lost.
#
declare root
{
bool DisableRelayServer false
bool DontSavePassword false
bool EnableVPNGateService false
byte EncryptedPassword ************************
bool HideVPNGateServiceMessage false
bool PasswordRemoteOnly false
string UserAgent Mozilla/5.0$20(Windows$20NT$206.3;$20WOW64;$20rv:29.0)$20Gecko/20100101$20Firefox/29.0
uint UseSecureDeviceId 0

declare AccountDatabase
{
declare Account0
{
bool CheckServerCert false
uint64 CreateDateTime 1528344345662
uint64 LastConnectDateTime 1530576668295
string ShortcutKey D623AD9891814708DEC5378B607882E103449773
bool StartupAccount false
uint64 UpdateDateTime 1528346664357

declare ClientAuth
{
uint AuthType 1
byte HashedPassword ******************
string Username **************
}
declare ClientOption
{
string AccountName con-SoftEther
uint AdditionalConnectionInterval 1
uint ConnectionDisconnectSpan 0
string DeviceName SoftEther
bool DisableQoS false
bool HalfConnection false
bool HideNicInfoWindow false
bool HideStatusWindow false
string Hostname as-vpn.intern.net
string HubName VPN_Hub
uint MaxConnection 1
bool NoRoutingTracking false
bool NoTls1 false
bool NoUdpAcceleration false
uint NumRetry 4294967295
uint Port 443
uint PortUDP 0
string ProxyName $
byte ProxyPassword $
uint ProxyPort 0
uint ProxyType 0
string ProxyUsername $
bool RequireBridgeRoutingMode false
bool RequireMonitorMode false
uint RetryInterval 15
bool UseCompress false
bool UseEncrypt true
}
}
}
declare ClientManagerSetting
{
bool EasyMode false
bool LockMode false
}
declare CommonProxySetting
{
string ProxyHostName $
uint ProxyPort 0
uint ProxyType 0
string ProxyUsername $
}
declare Config
{
bool AllowRemoteConfig false
uint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
string KeepConnectHost keepalive.softether.org
uint KeepConnectInterval 50
uint KeepConnectPort 80
uint KeepConnectProtocol 1
bool NoChangeWcmNetworkSettingOnWindows8 false
bool UseKeepConnect false
}
declare RootCA
{
}
declare UnixVLan
{
declare SoftEther
{
bool Enabled true
string MacAddress 00-AC-1F-B1-51-6A
}
}
}

route -n result (after [vpnclient start] and [vpncmd localhost /client /CMD accountconnect con-SoftEther])
-----------------------------------------------------------------------------------------------------------------------------------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.30.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn_softether
172.10.0.0 192.168.30.1 255.255.0.0 UG 0 0 0 vpn_softether
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1006 0 0 vpn_softether
0.0.0.0 10.10.1.1 0.0.0.0 UG 0 0 0 eth0

traceroute result
---------------------
traceroute to 172.10.1.12 (172.10.1.12), 30 hops max, 60 byte packets
1 192.168.30.10 (192.168.30.10) 3000.178 ms !H 3000.143 ms !H 3000.135 ms !H

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Wed Jul 04, 2018 9:02 am

It seems SecureNAT is not responding.
Is SecureNAT working on 192.168.30.1 now?

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Wed Jul 04, 2018 9:09 am

Yes, connection through 443 from SoftEther client on a Windows platform is working properly. Using the MacOSX native VPN client is also working, but for this last it is not the same ports as it is using IPSec/L2TP.

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Wed Jul 04, 2018 9:20 am

ping 192.168.30.1 works?

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Wed Jul 04, 2018 9:48 am

No, but this is because the firewall will block icmp. But I don't see why 192.168.30.1 would not work since the VPN server is successfully connected from the Linux client, it is NAT behind that is not reachable. I attached a small diagram to ensure.

[attachment=0]SoftEtherDiagram.png[/attachment]

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Wed Jul 04, 2018 10:03 am

That's a wrong understanding.

The client and SecureNAT are virtually on the same segment.
ICMP is sent encapsulated.
The firewall shouldn't recognize the encrypted VPN payload.

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Wed Jul 04, 2018 10:22 am

Ok, I understand now. However, ping is not working...

# ping 192.168.30.1
PING 192.168.30.1 (192.168.30.1) 56(84) bytes of data.
From 192.168.30.10 icmp_seq=2 Destination Host Unreachable

192.168.30.10 is the address received from SoftEther VPN server DHCP.

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Wed Jul 04, 2018 10:52 am

I think 'Destination Host Unreachable' error is due to lack of ARP response.

Is there any 192.168.30.* entry in 'arp -a' result?

I suspect that instability of the VPN communication might be the cause of the problem.

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Wed Jul 04, 2018 11:00 am

No there is no 192.168.30.* entry issuing "arp -a"...

Is there a way to workaround?

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Mon Jul 09, 2018 10:28 am

Adding manually and statically the arp entry does not solve the issue.

Weird.

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Mon Jul 09, 2018 11:55 am

Are there any client entries in the MAC table or IP table of the virtual hub?
It seems the VPN doesn't work completely.

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Tue Jul 10, 2018 8:13 am

When connected, yes I can see the session and the machine's MAC in the SoftEther Admin console

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Tue Jul 10, 2018 8:54 am

Sometimes, communication by UDP is the cause of packet loss.
The symptom is that packets will not arrive after a few seconds from the start of connection.

Please try disabling NAT-T and UDP Acceleration.
To stop NAT-T, append '/tcp' to the connection destination host name.

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Tue Jul 10, 2018 9:34 am

Do you mean changing in the config file the line "string Hostname as-vpn.intern.net" by "string Hostname as-vpn.intern.net/tcp"?

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Fri Jul 13, 2018 12:21 pm

ok, have added /tcp to the hostname. I suppose it is going better, however did not succeed to connect behind machine.

SoftEther client is connected to the server, however trying to pass thru to connect behind machine in ssh does not succeed: Connection timed out after 30 seconds

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Fri Jul 13, 2018 12:27 pm

I obviously checked firewall settings to ensure ssh is allowed on behind machine.

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Fri Jul 13, 2018 7:19 pm

Please try disabling UDP acceleration.

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Thu Aug 02, 2018 10:04 am

Hostname as-vpn.intern.net/tcp
NoUdpAcceleration true

Doesn't work either.
Connection timeout

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Thu Aug 02, 2018 10:35 am

Timeout?
Isn't your problem that a ping to SecureNAT does not get through?

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Thu Aug 02, 2018 11:18 am

No, I don't think so. The route looks to be correct now since I manually updated both the static route and the ARP table.

Why is it that I'm able to connect to the machines behind it through the same SoftEther server when connecting from SoftEther on Windows and not from SoftEther on Linux?

On Windows I did not remove any UDP config...

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Thu Aug 02, 2018 11:33 am

With the VPN connected, is the route to the VPN server on the tap device?
On the Windows version client, add a route to the VPN server at the time of VPN connection to prevent overwriting the route.

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Thu Aug 02, 2018 12:20 pm

Looks that yes:

route -n before connecting
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

route -n after connecting
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.30.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn_softether
172.10.0.0 192.168.30.1 255.255.0.0 UG 0 0 0 vpn_softether

cedar
Site Admin
Posts: 931
Joined: Sat Mar 09, 2013 5:37 am

Re: SoftEther VPN Client Linux issue

Post by cedar » Thu Aug 02, 2018 1:17 pm

Is there no default gateway?
Is the VPN server on 10.10.1.* network?

raymi
Posts: 18
Joined: Thu Jun 21, 2018 7:30 am

Re: SoftEther VPN Client Linux issue

Post by raymi » Thu Aug 02, 2018 1:33 pm

No the VPN server is 192.168.30.1 which is defined through vpn_softether interface as default gateway

thisjun
Posts: 2090
Joined: Mon Feb 24, 2014 11:03 am

Re: SoftEther VPN Client Linux issue

Post by thisjun » Wed Sep 05, 2018 7:06 am

Is there no default gateway?
