SoftEther VPN User Forum

I have managed to connet to my VPN provider's Softether server on the command-line Mac version of softether. However, I can't get it to route traffic through the VPN. I have tried playing around with the routing tables using the route command but I can't get it to work.

Remove default gateway. Add route to your VPN server through normal exit IP (local or direct external). Add default gateway through VPN.

Nemesiz wrote:
> Remove default gateway. Add route to your VPN server through normal exit IP
> (local or direct external). Add default gateway through VPN.

This is what I did:
'sudo ipconfig set tap0 DHCP' to give my Virtual Network Adapater (tap0) an IP
sudo route add [VPN IP] [Router default gateway]
sudo route delete default
sudo route add default [VPN NIC gateway]

So I am effectively changing my default gateway to that of my Virtual adapter and then routing traffic to my VPN IP through the default gatway

Then my internet wouldn't work.

If you do not add route to your VPN server your network will be looped.

I`ll give you example on linux

Before

192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
default via 192.168.0.1 dev eth0

After (vpn server IP x.x.x.x)

192.168.30.0/24 dev tap_vpn proto kernel scope link src 192.168.30.10
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
x.x.x.x via 192.168.0.10 dev eth0
default via 192.168.30.1 dev tap_vpn

I hope I give you working example

Nemesiz wrote:
> I hope I give you working example

I'm not sure I understand what you're trying to show me. Here is an example of what I was trying to do and you can tell me if it is incorrect:

[tap0 is Virtual Network Adapter]
[xx.xxx.xxx.xx is VPN IP, yyy.yyy.yyy.y is Router gateway, zzz.zzz.zzz. is Virtual Network Adapter gateway]
1. sudo dhclient tap0 (to get virtual IP)
2. sudo ip route add xx.xxx.xxx.xx/32 via yyy.yyy.yyy.y dev en1
3. sudo ip route del default
4. sudo ip route add default via zzz.zzz.zzz.z dev tap0
Then it should work, except it doesn't so I'm doing something wrong

can you ping xx.xxx.xxx.xx after step 2 and after step 3 ?

Nemesiz wrote:
> can you ping xx.xxx.xxx.xx after step 2 and after step 3 ?

I tried pining then and got:
ping: sendto: No route to host
Request timeout for icmp_seq 0
ping: sendto: No route to host
Request timeout for icmp_seq 1
...and so on

Try to change step 2 to
sudo ip route add xx.xxx.xxx.xx/32 via [your PC IP of yyy.yyy.yyy.y network] dev en1

Nemesiz wrote:
> Try to change step 2 to
> sudo ip route add xx.xxx.xxx.xx/32 via [your PC IP of yyy.yyy.yyy.y
> network] dev en1

I changed that and tried pinging my VPN server again. It just said:

Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
...but it didn't mention "ping: sendto: No route to host" which is a good sign I guess.

UPDATE:

This may be something to do with the fact that I am at college? When I got home I pinged my VPN server with all the steps done and it replied. However, I still couldn't use the internet and when I tried doing 'ping youtube.com' it said no route to host like before.

My test on linux:

# adding vpn ip route
1. ip r add [VPN IP] via [GATEWAY IP]
# removing defaul gateway
2. ip r del default

# connecting to vpn
# if success

# dhcp vpn client
4. dhclient [vpn network name]

5. ping 8.8.8.8

BTW is secureNat enabled and virtual nat function is turned on ?

Nemesiz wrote:
> BTW is secureNat enabled and virtual nat function is turned on ?

How can I check this?

I tried what you did and it still did the same thing; but bear in mind that I am on Mac OS X so I am using the OS X equivalent commands.

securenat is in server side. After all commands can you print routing table ?

Nemesiz wrote:
> securenat is in server side. After all commands can you print routing table

Here is a picture:
[removed]

For me its looks like OK. But we can start to check from the beginning. From point 1. Can you ping VPN after you add route record about him ?

Yes I could ping the VPN. However, I couldn't do, for example: ping youtube.com

Maybe it is DNS problem not network. Try to ping VPN gateway ip 10.0.0.3 then ping google DNS server IP 8.8.8.8

If both pings then you need only to change DNS server address.

If you can ping only VPN gateway but no others - try to check secureNat setting (or maybe you use other masquerade technique) http://www.softether.org/index.php?titl ... T_Function

I can only ping 10.0.0.3, when I ping 8.8.8.8 I get 'no route to host' again.

I don't have access to secureNAT since I am connecting to my VPN provider's SoftEther server. What is the masquerade thing you mentioned?

I have sent a ticket to my VPN provider asking whether they have SecureNAT enabled.

Resentic wrote:
> I can only ping 10.0.0.3, when I ping 8.8.8.8 I get 'no route to host'
> again.
>
> I don't have access to secureNAT since I am connecting to my VPN provider's
> SoftEther server. What is the masquerade thing you mentioned?

"masquerade" is linux iptables (firewall) method to share Internet access (NAT) to become like router.

>
> I have sent a ticket to my VPN provider asking whether they have SecureNAT
> enabled.

I guess VPN provider unchecked Virtual NAT function and did not remove default gateway from virtual DHCP server.

Nemesiz wrote:
> I guess VPN provider unchecked Virtual NAT function and did not remove default gateway from virtual DHCP server.

Is this only necessary for the linux/osx version of SoftEther, since I can connect fine to it on Windows?

Have you tried to connect to the same VPN on windows ?

Yes, the same VPN works perfectly fine with Windows.

UPDATE: They replied saying that SecureNAT is not enabled. If so, how come I am able to connect on Windows?

I just installed Ubuntu on a virtualbox to test it out and the VPN worked.

That means that there is something I am doing wrong on Mac OS X since it works fine on Linux; any ideas?

Have you looked at using L2TP/IPSec option?

https://www.softether.org/4-docs/2-howt ... ient_Setup

BoredAus wrote:
> Have you looked at using L2TP/IPSec option?
>
>
> https://www.softether.org/4-docs/2-howt ... ient_Setup

They are blocked on my network; SoftEther is the only solution I have found that works.

Resentic wrote:
> I just installed Ubuntu on a virtualbox to test it out and the VPN worked.
>
> That means that there is something I am doing wrong on Mac OS X since it
> works fine on Linux; any ideas?

If L2TP/IPSec is blocked, then I guess the commands mentioned by Nemesiz would not have been the equivalent under OS X or specifically BSD like shell. According to Google searches for instance, there are no references to ip as a program but rather as some programmer's documentation on writing programs to interface with it. The same ip program would have worked under linux but not for route via OS X.

I'd try comparing the two routing tables, the working one from within the linux virtualbox in which you have setup with versus the one on your OS X. It sounds like the 'via' part of the command is where a specific extra routing table was added in between. However I am not sure specifically as I do not have access to a Mac machine.

There are plenty of dirty hacks you can try, for instance setting up L2TP/IPSec server from within the virtualbox that is running linux with a working connection to your host via SoftEther VPN. Then using your Mac, connect to the L2TP server in virtualbox.

I`ll try to test on Mac. Just need to find time to install it in VPS.

BoredAus wrote:
> I'd try comparing the two routing tables, the working one from within the linux
> virtualbox in which you have setup with versus the one on your OS X. It sounds like
> the 'via' part of the command is where a specific extra routing table was added in
> between. However I am not sure specifically as I do not have access to a Mac machine.

The Linux routing table in VirtualBox has barely anything in compared to the OS X one, but the routes in there are also in the Mac one (after I add them). Here is a picture comparison of both tables after routing:

[removed]

>I guess the commands mentioned by Nemesiz would not have been the equivalent under OS X

These are the equivalent commands I used:

LINUX >> MAC OS X
sudo dhclient vpn_tap0 >> sudo ipconfig set vpn_tap0 DHCP
sudo ip route add [VPN IP] via [Router gateway IP] dev eth0 >> sudo route add -ifscope eth0 [VPN IP] [Router gateway IP]
sudo ip route del default >> sudo route delete default
sudo ip route add default via [VPN gateway IP] dev vpn_tap0 >> sudo route add -ifscope vpn_tap0 default [VPN gateway IP]

Nemesiz wrote:
>I`ll try to test on Mac. Just need to find time to install it in VPS.

Could you give us an update if you get round to doing this.

bump

Anyone got this to work in OS X?

Sorry cant get OS X to test.

I just can't get it to work. I can connect to my VPN fine with SoftEther but when it comes to routing it, it just doesn't work.

bump

Doing exact same steps except my commands look like this:

sudo ipconfig set tap0 DHCP
sudo route delete default [router ip]
sudo route add [server ip] [router ip]
sudo route add default [server ip in virtual network]

And mine as well does not work. However I tried to packet sniff and these are results

http://pastebin.com/E2EKBcnB

70.26.74.141 is my server
192.168.137.71 is my mac

As you can see it says Destination unreachable (Port unreachable) which means it does in fact get to the VPN but for some reason when going up the stack it can't find a program at the port? Atleast that is what my google search revealed.

If you look in the logs, atleast for me, it also actually does slowly connects and then instantly disconnects

Windows works as well perfectly fine for me o,O

also works with individual addresses
so like

sudo route add na.leagueoflegends.com [server ip in virtual network]

Here I made a video on the problem, its kind of long but watch it to see all i've found so far :)

http://youtu.be/gmksVtXIcak

Hopefully we can find a solution together.
Right now I think there is some other IP address that must be forwarded to the router to make it work. Not sure though, need to test this on linux.

If you want logs just ask, just please help fix this :D

Can you look at server side logs? UDP is not the primary connection method.

Will do sir, I am going to school right now but when I get there ill ssh in and see.

It must be something to do with OS X since I can get it to work fine on Linux using the equivalent commands.

they have written that the OS X version is actually experimental so yea

You would think that, at the very least, the experimental version would actually work though or why release it? Anyway, I hope they fix it soon since I really need it.

I googled to find way to resolve default gateway problem.
I found this page.
http://qiita.com/ask/items/9ff1529d228ec093aa07

This page said that after IP is assigned from DHCP, add default gateway manually.

We did do that but it won't work. Thats the problem. I don't really understand whats written on that page. :(

thisjun wrote:
> I googled to find way to resolve default gateway problem.
> I found this page.
> http://qiita.com/ask/items/9ff1529d228ec093aa07
>
> This page said that after IP is assigned from DHCP, add default gateway
> manually.

I tried using this guide (slightly different than the method I tried as you end up with two default routing rules). However, it still didn't work (resolving host, no internet access).

thisjun, did you get this working?

Sorry, I don't have Mac OS with SoftEther client.

Hoping someone has found a solution