1st you install dnsmasq...
Then you change the dnsmasq.conf to dnsmasq.backup to get it out of the way.
Code: Select all
mv /etc/dnsmasq.conf /etc/dnsmasq.backup
Then you make a dnsmasq.conf like this.
Code: Select all
##################################################################################
# SoftEther VPN server dnsmasq.conf
################################################################################## Interface Settings
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=tap_soft
# If you want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces
################################################################################## Options
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=192.168.30.10,192.168.30.255,12h
# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
dhcp-option=3,192.168.30.1
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
no-poll
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
no-resolv
# Disable re-use of the DHCP servername and filename fields as
# extra option space. This makes extra space available in the
# DHCP packet for options but can, rarely, confuse old or broken
# clients. This flag forces "simple and safe" behavior to avoid
# problems in such a case.
dhcp-no-override
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overridden by ra-stateless, ra-names, et al, the router
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the
# clients don't use SLAAC addresses.
enable-ra
# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing/
dhcp-range=::100,::1ff,constructor:tap_soft, 64, 12h
################################################################################## External DNS Servers
# Use this DNS servers for incoming DNS requests = Cloudflare
server=1.1.1.1
server=1.0.0.1
# Use these IPv6 DNS Servers for lookups = Cloudflare
server=2606:4700:4700::1111
server=2606:4700:4700::1001
#########################################
################################################################################## Client DNS Servers
# Let's send these DNS Servers to clients.
# The first IP is the IPv4 address that are already assigned to the tap_soft
# Set IPv4 DNS server for client machines
dhcp-option=option:dns-server,192.168.30.1,1.1.1.1
# Send DHCPv6 option for namservers as the machine running
# dnsmasq and another.
dhcp-option=option6:dns-server,[fc00:0000:2ac:7af1::1],[2606:4700:4700::1111]
#########################################
Then you make a /etc/init.d/vpnserver init script like this.
Code: Select all
#!/bin/sh
### BEGIN INIT INFO
# Provides: vpnserver
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.30.1
TAP_INTERFACE=tap_soft
IPV6_ADDR=fc00:0:2ac:7af1::1
IPV6_SUBNET=fc00:0:2ac:7af1::/64
test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 3
######################################################################################
# Rules for IPTables.
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
# End of IPTables Rules
#######################################################################################
sleep 3
service dnsmasq start
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 3
######################################################################################
# Rules for IPTables.
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
# End of IPTables Rules
#######################################################################################
sleep 3
service dnsmasq restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
Then you enable forwarding for IPv4 and IPv6 in sysctl.config
then add this to the config file.
Code: Select all
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding=1
and load the changes by
Then you restart the vpnserver.
Then you finish it off with some NAT in iptables
Code: Select all
# NAT using Local Bridge
# 192.168.30.0/24 = Local Bridge & SoftEther VPN Clients (dnsmasq)
# 192.168.0.12 = SoftEther VPN Server's network interface (Local IP if behind NAT or Public IP of VPS)
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source 192.168.0.12
# NAT using Local Bridge
# fc00:0000:2ac:7af1::/64 = Local Bridge & SoftEther VPN Clients (dnsmasq)
# 2603:6001:3c8a:700:596a:2ebc:472:7be6 = SoftEther VPN Server's network interface Global Unicast
ip6tables -t nat -A POSTROUTING -s fc00:0000:2ac:7af1::/64 -j SNAT --to-source 2603:6001:3c8a:700:596a:2ebc:472:7be6
If you can't figure it out from this... You might want to stick with SecureNAT and the virtual dhcp server function.