the way to force softether connect ICMP

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Post by freeiran » Tue May 14, 2013 6:46 am

in google search this software for your client OS

wipfw

and after that you use it in 2 ways for XP and 7-32 bit.

you should copy this configuration to replace the default file, and in the place where i wrote ( your server ip address ) put your server ip number. this is the data in the file wipfw.conf

# First flush the firewall rules
-f flush

# Localhost rules
add 100 allow all from any to any via lo*

# Prevent any traffic to 127.0.0.1, common in localhost spoofing
add 110 deny log all from any to 127.0.0.0/8 in
add 110 deny log all from 127.0.0.0/8 to any in

# Block and log all TCP and UDP traffic to the VPN server (replace the placeholder with your server IP address)
add 140 deny log logamount 500 tcp from any to ( your server ip address )
add 150 deny log logamount 500 udp from any to ( your server ip address )

add check-state
add pass all from me to any out keep-state
add count log ip from any to any


after that you should disable all of your firewalls such as kasper, and ...

also your windows firewall

this is an expert firewall linux-based on windows. so you block all of your TCP and UDP traffic to your server and then it connects through ICMP.

for work on XP after you disable all of firewall you press install. and then connect, in your client both parameters in advanced mode softether client encrypt with SSL and data compression should have tick.

after you surf internet free and disconnect from softether press uninstall.

now your firewall stop. every time you should do it.

but in windows 7 you should have service pack 1.

for installation, you should go to your internet connection status ( wireless, or lan )
then press install. then select service and press add, and install service wipfw on your network card.

then go to search and search UAC, after found that change it to minimum.

then go to folder you downloaded, and right click and install as administrator.

disable all of your firewalls

now connect with softether, every thing is ok. but every time that you want to disable this firewall you should go to control panel, administrative tools, services and stop wipfw service. if you see this it isn't started, start that again and stop to really stop the firewall

have a free internet with good speed

be success.

thanks a lot again from softether team with powerful software

Lord Farhad
Posts: 22
Joined: Mon May 06, 2013 3:37 am

Re: the way to force softether cconnect ICMP

Post by Lord Farhad » Wed May 15, 2013 12:54 pm

thanks for the guide, unfortunately there is no way of getting this to work with 64 bit windows nor getting it to work with win 8.

but if this is the case a firewall rule blocking all TCP / UDP traffic to a specific address should work too. I will try it.

Edit:

firewall rule is in place and confirmed working, but softether client still tries to establish a TCP tunnel, guess our friend freeiran already tried this and the only way is a kernel level ip filter / firewall like wipfw.

itachi
Posts: 13
Joined: Tue Mar 12, 2013 2:19 pm

Re: the way to force softether cconnect ICMP

Post by itachi » Wed May 15, 2013 6:03 pm

freeiran wrote:
> in google search this software for your client OS
>
> wipfw
>
> and after that you use it in 2 way for XP and 7-32 bit.
>
>
> you should copy this configuration replace the default file. and in the
> place that i wrote you server ip address locate your server ip number. this
> are data in this file wipfw.conf
>
>
>
>
> after that you should disable all of your firewalls such as kasper, and
> ...
>
> also your windows firewall
>
> this is an expert firewall linux-based on windows. so you block all of your
> TCP and UDP traffic to your server and then it connects through ICMP.
>
> for work on XP after you disable all of firewall you press install. and
> then connect, in your client both parameters in advanced mode softether
> client encrypt with SSL and data compression should have tick.
>
> after you surf internet free and disconnect from softether press uninstall.
>
> now your firewall stop. every time you should do it.
>
>
>
> have a free internet with good speed
>
> be success.
>
> thanks a lot again from softether team with powerful software
Thank you for your help,
but I get this error after run of install_svc.cmd:
current roles:
my_socket failed 2, cannot talk to kernel module
ipfw: socket

my system is 32Bit runs Win XP
I disabled firewall and antivirus before I run the command file.

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Thu May 16, 2013 11:31 am

please change your client TCP port, set a port that your server doesn't listen on. please report to me about that.
Last edited by freeiran on Thu May 16, 2013 11:47 am, edited 4 times in total.

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Thu May 16, 2013 11:31 am

maybe your OS has problem, i installed that and has no problem.

again check the config file for wipfw.conf please

i think you downloaded winxp for 64 bit, you should download 32 bit version for your computer
Last edited by freeiran on Fri May 17, 2013 4:52 am, edited 1 time in total.

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Thu May 16, 2013 1:43 pm

new good news for all

in win 7- 32 or 64 go to start, control panel, windows firewall, advanced settings, outbound rules, new rule and please block these 2 UDP ports: 18746 and 2805

please write 2 rules.

and then connect vpn over DNS and surf the internet easily,

in win 7 you don't need to do other work

thanks

Lord Farhad
Posts: 22
Joined: Mon May 06, 2013 3:37 am

Re: the way to force softether cconnect ICMP

Post by Lord Farhad » Thu May 16, 2013 2:56 pm

freeiran wrote:
> new good news for all
>
> in win 7- 32 or 64 go to start, control panel , windows firewall, advanced
> settings, outbound rules, new rule and please block these 2 UDP ports: 18746
> and 2805
>
> please write 2 rules.
>
> and then connect vpn over DNS and surf the internet easily,
>
> in win 7 you don't need to do other work
>
> thanks

18746 and 2805 Local ports?

by the way should it display as Direct TCP/IP Connection in softether client?

can you provide a screenshot of your win7 firewall rule window please?

Edit:

Managed to get DNS Tunnel working by blocking all TCP traffic to my server's IP Address and using a random port during connection, the speed is awful. :|

need a way to use ICMP tunnel instead of this.

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Fri May 17, 2013 4:50 am

hi

i found you block these with your firewall software, please add your rules in your windows firewall, such as before i said, maybe it has a difference, also i think you didn't mark (use data compression) on your client

in win 7- 32 or 64 go to start, control panel, windows firewall, advanced settings, outbound rules, new rule and please block these 2 UDP ports: 18746 and 2805 ( client local ports )

also more than 3 times i said use a port on your client that your server doesn't listen on. ok? so you don't need to block TCP port.

for using ICMP, i should say softether uses protocols with these rules:
1- TCP
2- UDP
3- ICMP
4- DNS port

so every protocol that is blocked, it uses another with this line number.

if you open icmp from your server in inbound and outbound in your client it works on ICMP. you should check opened ICMP both in your windows firewall and your software firewall such as kasper, ....

for ICMP you should only have closed all UDP and TCP ports and an ICMP open.

but i don't know, do you know how protocols work? DNS uses a UDP port, so your speed should be more than both TCP and ICMP tunnel, it is broadcast!!!

with these tests you can find that your ISP really has bandwidth or only gives you web and download with huge cache servers!!!!

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Fri May 17, 2013 5:30 am

another thing is they blocked with this hard way only for USA and europe AS numbers.

if you have a server such in korea or japan or china you find all of vpn works good and easily.

miximixi
Posts: 6
Joined: Tue May 14, 2013 5:39 am

Re: the way to force softether cconnect ICMP

Post by miximixi » Fri May 17, 2013 8:15 am

Dear free iran,

Does OpenVPN work in Iran?

mori
Posts: 8
Joined: Sat May 11, 2013 5:41 pm

Re: the way to force softether cconnect ICMP

Post by mori » Fri May 17, 2013 10:11 am

freeiran wrote:

> but in windows 7 you should have service pack 1.
>
> for installation, you should go to your internet connection status (
> wireless, or lan )
> then press install. then select service and press add, and install service
> wipfw on your network card.
>
> then go to search and search UAC, after found that change it to minimum.
>
> then go to folder you downloaded, and right click and install as
> administrator.
>
> disable all of your firewalls
>
> now connect with softether, every thing is ok. but every time that you want
> to disable this firewall you should go to control panel, administrative
> tools, services and stop wipfw service. if you see this it isn't started,
> start that again and stop to really stop the firewall
>
> have a free internet with good speed
>
> be success.
>
> thanks a lot again from softether team with powerful software

Hi Freeiran,

Can you pass through the new Iran's firewall using the method you've described? Is the speed adequate?

Thanks,
Mori

itachi
Posts: 13
Joined: Tue Mar 12, 2013 2:19 pm

Re: the way to force softether cconnect ICMP

Post by itachi » Fri May 17, 2013 10:39 am

freeiran wrote:
> maybe your OS has problem, i installed that and has no problem.
>
> again check the config file for wipfw.conf please
>
> i think you downloaded winxp for 64 bit, you should download 32 bit version
> for your computer
Ok I done, my mistake was I had not installed this service before I run command file.
please check my state if all ok because my traffic still drops by Iran's firewall.

Lord Farhad
Posts: 22
Joined: Mon May 06, 2013 3:37 am

Re: the way to force softether cconnect ICMP

Post by Lord Farhad » Fri May 17, 2013 3:08 pm

freeiran wrote:
> hi
>
> i found you block these with your firewall software, please add your rules
> in your windows firewall, such as before i said, may be it has difference,
> also i think you didnt mark (use data compression ) on your client

Hi,

my windows firewall is disabled of course, as you can see I have KIS installed and it gives me much more functionality over windows firewall, anyway I will test your setting on a system with only windows firewall enabled, if you can please provide a screenshot of your rule window in win firewall, it would be very appreciated.

> in win 7- 32 or 64 go to start, control panel , windows firewall, advanced
> settings, outbound rules, new rule and please block these 2 UDP ports: 18746
> and 2805 ( client local ports )

done that with Kaspersky, the result is softether connected with: NAT-T UDP VPN tunnel not ICMP that I hoped for.

> also more than 3 times i said use a port on your client that your server
> doesnt listen that. ok? so you dont need to block TCP port.

done this too.

> for using ICMP , i should say softether uses protocols with this rules:
> 1- TCP
> 2- UDP
> 3- ICMP
> 4- DNS port
>
> so every protocol that blocked it uses another with this line number.

what? how's dns going to connect without TCP and UDP? dns is not a protocol and it can't transport with pure IP like ICMP, it needs TCP or UDP and an open port (53 mostly) if you block both TCP and UDP no way you can use the DNS tunnel.

> if you open icmp from your server in inbound and outbound in your client it
> works on ICMP. you should check opened ICMP both in your windows firewall
> and your software firewall such as kasper, ....

it is opened, I can ping my server's public IP from client and my client's public IP from server.

> for ICMP you should only have closed all UDP and TCP port and an ICMP open.

ICMP is a protocol, it does not have any ports to open. it is allowed in my firewall (echo request, ping, etc), still, with both TCP and UDP blocked, softether will not use the ICMP tunnel method.

> but i dont know do you know how protocols work? DNS uses an UDP port, so
> your speed should be more than both TCP and ICMP tunnel, it is broadcast!!!

maybe I don't, but I know broadcast is actually slower not faster, most network admins do their best to reduce broadcast delay or stopping it from making a mess in their network, anyway this is not the point.

dns (especially on port 53) is being heavily watched, shaped and used for surveillance of general network activity. and it's not created for speed, you can find in many dns tunnel servers' documentation that speed is not the strong point of dns tunnel, its ability to work when nothing else is working is.

on the other hand ICMP is transported with IP and can transport very reasonable amount of payload and very hard to block or counter. so it is preferable to dns tunnel in many cases.

> with these tests you can find that your ISP really has bandwidth or only
> gives you web and download with huge cache servers!!!!

My ISP is TCI itself (ADSL Mokhaberat), so it has huge cache servers. yes.
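
Added example, not part of any post in this thread: a small Python model of the point argued above, that DNS rides on UDP or TCP and is therefore caught by a per-protocol block, while ICMP carries a type and code but no ports. It applies rules 140 and 150 of the wipfw.conf posted earlier to constructed packets; every address and port number below is a placeholder.

```python
import socket
import struct

SERVER = "203.0.113.10"    # constructed placeholder for the VPN server address
RESOLVER = "192.0.2.53"    # constructed placeholder for an unrelated DNS resolver
CLIENT = "198.51.100.7"    # constructed placeholder for the client address
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# Model of rules 140 and 150 from the posted wipfw.conf; anything else passes.
RULES = [("deny", "tcp", SERVER), ("deny", "udp", SERVER)]

def ipv4(proto, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) around a payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(CLIENT),
                       socket.inet_aton(dst)) + payload

def tcp_syn(sport, dport):
    """20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def icmp_echo(ident, seq, data):
    """ICMP echo request: type 8, code 0, identifier, sequence. No port fields."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data

def parse(pkt):
    """Extract what a packet filter matches on: protocol, destination, ports if any."""
    ihl = (pkt[0] & 0x0F) * 4
    l4 = pkt[ihl:]
    info = {"proto": PROTO.get(pkt[9], str(pkt[9])),
            "dst": socket.inet_ntoa(pkt[16:20])}
    if pkt[9] in (6, 17):                       # only TCP and UDP have ports
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    elif pkt[9] == 1:                           # ICMP has type/code instead
        info["icmp_type"], info["icmp_code"] = l4[0], l4[1]
    return info

def verdict(pkt, rules=RULES):
    """First matching rule wins; unmatched traffic passes."""
    info = parse(pkt)
    for action, proto, dst in rules:
        if info["proto"] == proto and info["dst"] == dst:
            return action
    return "pass"

# Constructed DNS query for example.com (type A), used as UDP payload.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLES = {
    "tcp/443 to server": ipv4(6, SERVER, tcp_syn(40000, 443)),
    "dns over udp/53 to server": ipv4(17, SERVER, udp(40001, 53, DNS_QUERY)),
    "dns over udp/53 to other resolver": ipv4(17, RESOLVER, udp(40002, 53, DNS_QUERY)),
    "icmp echo to server": ipv4(1, SERVER, icmp_echo(1, 1, b"constructed")),
}

def results():
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:36} {verdict(pkt):5} {parse(pkt)}")
```
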

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Fri May 17, 2013 4:10 pm

no, openvpn doesnt work

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Fri May 17, 2013 4:15 pm

itachi wrote:
> freeiran wrote:
> > maybe your OS has problem, i installed that and has no problem.
> >
> > again check the config file for wipfw.conf please
> >
> > i think you downloaded winxp for 64 bit, you should download 32 bit version
> > for your computer
> Ok I done, my mistake was I had not installed this service before I run command file.
> please check my state if all ok because my traffic still drops by Iran's firewall.

i think you run install without change wipfw.conf file!!!!

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Fri May 17, 2013 4:19 pm

Lord Farhad wrote:
> freeiran wrote:
> > hi
> >
> > i found you block these with your firewall software, please add your rules
> > in your windows firewall, such as before i said, may be it has difference,
> > also i think you didnt mark (use data compression ) on your client
>
> Hi,
>
> my windows firewall is disabled of course, as you can see I have KIS installed and it
> gives me much more functionality over windows firewall, anyway I will test your
> setting on a system with only windows firewall enabled, if you can please provide a
> screenshot of your rule window in win firewall, it would be very appreciated.
>
> > in win 7- 32 or 64 go to start, control panel , windows firewall, advanced
> > settings, outbound rules, new rule and please block these 2 UDP ports: 18746
> > and 2805 ( client local ports )
>
> done that with Kaspersky, the result is softether connected with: NAT-T UDP VPN
> tunnel not ICMP that I hoped for.
>
> > also more than 3 times i said use a port on your client that your server
> > doesnt listen that. ok? so you dont need to block TCP port.
>
> done this too.
>
> > for using ICMP , i should say softether uses protocols with this rules:
> > 1- TCP
> > 2- UDP
> > 3- ICMP
> > 4- DNS port
> >
> > so every protocol that blocked it uses another with this line number.
>
> what? how's dns going to connect without TCP and UDP? dns is not a protocol and it
> can't transport with pure IP like ICMP, it needs TCP or UDP and an open port (53
> mostly) if you block both TCP and UDP no way you can use the DNS tunnel.
>
> > if you open icmp from your server in inbound and outbound in your client it
> > works on ICMP. you should check opened ICMP both in your windows firewall
> > and your software firewall such as kasper, ....
>
> it is opened, I can ping my server's public IP from client and my client's public IP
> from server.
>
> > for ICMP you should only have closed all UDP and TCP port and an ICMP open.
>
> ICMP is a protocol, it does not have any ports to open. it is allowed in my firewall
> (echo request, ping, etc), still, with both TCP and UDP blocked, softether will not
> use the ICMP tunnel method.
>
> > but i dont know do you know how protocols work? DNS uses an UDP port, so
> > your speed should be more than both TCP and ICMP tunnel, it is broadcast!!!
>
> maybe I don't, but I know broadcast is actually slower not faster, most network
> admins do their best to reduce broadcast delay or stopping it from making a mess in
> their network, anyway this is not the point.
>
> dns (especially on port 53) is being heavily watched, shaped and used for surveillance
> of general network activity. and it's not created for speed, you can find in
> many dns tunnel servers' documentation that speed is not the strong point of dns
> tunnel, its ability to work when nothing else is working is.
>
> on the other hand ICMP is transported with IP and can transport very reasonable
> amount of payload and very hard to block or counter. so it is preferable to dns
> tunnel in many cases.
>
> > with these tests you can find that your ISP really has bandwidth or only
> > gives you web and download with huge cache servers!!!!
>
> My ISP is TCI itself (ADSL Mokhaberat), so it has huge cache servers. yes.

to connect ICMP block TCP and UDP both, and for connect UDP only close 2 ports i said before by your system firewall. or with wipfw block ICMP, TCP and All UDP except 53, i said these 2 ports because wipfw wasn't for 7- 64 bit and windows 8

myself doesnt have win7, but i tested one place and worked

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Fri May 17, 2013 5:19 pm

mori wrote:
> freeiran wrote:
>
> > but in windows 7 you should have service pack 1.
> >
> > for installation, you should go to your internet connection status (
> > wireless, or lan )
> > then press install. then select service and press add, and install service
> > wipfw on your network card.
> >
> > then go to search and search UAC, after found that change it to minimum.
> >
> > then go to folder you downloaded, and right click and install as
> > administrator.
> >
> > disable all of your firewalls
> >
> > now connect with softether, every thing is ok. but every time that you want
> > to disable this firewall you should go to control panel, administrative
> > tools, services and stop wipfw service. if you see this it isn't started,
> > start that again and stop to really stop the firewall
> >
> > have a free internet with good speed
> >
> > be success.
> >
> > thanks a lot again from softether team with powerful software
>
> Hi Freeiran,
>
> Can you pass through the new Iran's firewall using the method you've described? Is
> the speed adequate?
>
> Thanks,
> Mori

i am not in iran, but one of my friends wanted to use his credit card from iran, and if he used that with iran ip, the bank blocks his card.

he said that he needs my help too about that, so i checked the network and advised him remotely.

thanks

Lord Farhad
Posts: 22
Joined: Mon May 06, 2013 3:37 am

Re: the way to force softether cconnect ICMP

Post by Lord Farhad » Fri May 17, 2013 5:51 pm

My friend freeiran, are you using wipfw for ICMP or did you manage to do it with windows firewall?

Lord Farhad
Posts: 22
Joined: Mon May 06, 2013 3:37 am

Re: the way to force softether cconnect ICMP

Post by Lord Farhad » Fri May 17, 2013 6:05 pm

miximixi wrote:
> Dear free iran,
>
> Does OpenVpn works at iran?

Not directly, only works when connecting with a proxy server.

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Fri May 17, 2013 7:46 pm

Lord Farhad wrote:
> My friend freeiran, are you using wipfw for ICMP or did you manage to do it
> with windows firewall?

your ICMP tunnel is blocked by windows firewall, you should disable that, so you should block your TCP and UDP protocol by wipfw or other good firewall

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Fri May 17, 2013 7:47 pm

Lord Farhad wrote:
> miximixi wrote:
> > Dear free iran,
> >
> > Does OpenVpn works at iran?
>
> Not directly, only works when connecting with a proxy server.

through proxy also you can connect standard TCP connection

itachi
Posts: 13
Joined: Tue Mar 12, 2013 2:19 pm

Re: the way to force softether cconnect ICMP

Post by itachi » Sat May 18, 2013 8:04 am

freeiran wrote:
> i think you run install without change wipfw.conf file!!!!

yes, you were right. I changed the config file. but still no way to connect. meanwhile I use vpngate servers with use compression on my client checked.

miximixi
Posts: 6
Joined: Tue May 14, 2013 5:39 am

Re: the way to force softether cconnect ICMP

Post by miximixi » Sat May 18, 2013 12:51 pm

Dear Lord Farhad,

As I heard, a proxy server with 443 listen port still works in Iran.
So I just installed ccproxy and configured it to work with port 443 and installed proxifier on a client, but when I test the proxy via proxifier it could not connect.
I suspect that the problem is that softether and ccproxy are installed on the same server and port 443 is already reserved by softether.
I have no chance with disabling softether vpn server service on windows.
Do you or anyone have a clue!?

Lord Farhad wrote:
> miximixi wrote:
> > Dear free iran,
> >
> > Does OpenVpn works at iran?
>
> Not directly, only works when connecting with a proxy server.

freeiran
Posts: 48
Joined: Fri Apr 05, 2013 8:17 pm

Re: the way to force softether cconnect ICMP

Post by freeiran » Sat May 18, 2013 1:52 pm

you should have a server yourself, you can't use vpngate servers, because maybe they didn't configure ICMP or DNS on their systems

mori
Posts: 8
Joined: Sat May 11, 2013 5:41 pm

Re: the way to force softether cconnect ICMP

Post by mori » Sun May 19, 2013 5:08 am

mori wrote:
> > Hi Freeiran,
> >
> > Can you pass through the new Iran's firewall using the method you've described?
> Is
> > the speed adequate?
> >
> > Thanks,
> > Mori
>
> i am not in iran, but one of my friend wanted to use his credit card from iran, and
> if he used that with iran ip, so the bank block his card.
>
> he said that need too my help about that, so i checked the network and advise him
> remotely.
>
> thanks

Freeiran,
Hello again.

Has your friend been successful with passing through the new firewall? Could you please advise me remotely, as well? Really appreciate your help since everything is blocked here. I mainly need help to bypass the new firewall for SKYPE (only messaging) and not really for browsing.

Thanks,
Mori

Lord Farhad
Posts: 22
Joined: Mon May 06, 2013 3:37 am

Re: the way to force softether cconnect ICMP

Post by Lord Farhad » Sun May 19, 2013 6:25 pm

miximixi wrote:
> Dear Lord Farhad,
>
> As I heard, a proxy server with 443 listen port still works in Iran.
> So I just installed ccproxy and configured it to work with port 443 and installed
> proxifier on a client, but when I test the proxy via proxifier it could not connect.
> I suspect that the problem is that softether and ccproxy are installed on the same
> server and port 443 is already reserved by softether.
> I have no chance with disabling softether vpn server service on windows.
> Do you or anyone have a clue!?
>
> Lord Farhad wrote:
> > miximixi wrote:
> > > Dear free iran,
> > >
> > > Does OpenVpn works at iran?
> >
> > Not directly, only works when connecting with a proxy server.

indeed, you need 2 public IP (or 2 servers) to be able to do this, or else ccproxy and softether will have port conflict.

Lord Farhad
Posts: 22
Joined: Mon May 06, 2013 3:37 am

Re: the way to force softether cconnect ICMP

Post by Lord Farhad » Sat May 25, 2013 8:54 am

is there any news regarding successful cases of using ICMP tunnel? did it work for anybody here specially on a 64 bit win7 or win8?

if so please provide us with steps you made to make it work and better, if possible some screenshots of your firewall, network or generally any modification you made to windows itself or with a 3rd party program.

thanks.
