Internet through SE

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
cmpts_cpeacock
Posts: 13
Joined: Sun Aug 05, 2018 11:38 am

Internet through SE

Post by cmpts_cpeacock » Fri Jan 18, 2019 9:35 am

Hi,

I've created a local bridge on Ubuntu using these sites as a guide:

http://blog.lincoln.hk/blog/2013/03/19/ ... er-on-vps/
http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/

When I connect from Android using VPN Client Pro over SSTP the VPN connects fine, but all Internet is routed through SE too.

I think it's the nat tables, but when they weren't there, there was no Internet at all.

iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source 192.168.0.1
apt-get install -y iptables-persistent


How can I allow VPN clients to connect, but not route Internet through SE and only use their local network for Internet?

Cheers

elmoghazy.omar
Posts: 4
Joined: Thu Jan 17, 2019 10:30 am

Re: Internet through SE

Post by elmoghazy.omar » Fri Jan 18, 2019 1:13 pm

Hi, what you are trying to achieve is called "split tunneling". There's already a good guide on how to implement it on the forum:
viewtopic.php?f=7&t=59975&p=77412&hilit ... ide#p77412
cheers

cmpts_cpeacock
Posts: 13
Joined: Sun Aug 05, 2018 11:38 am

Re: Internet through SE

Post by cmpts_cpeacock » Fri Jan 18, 2019 1:19 pm

Thanks. That's Windows focussed, whereas I'm using Ubuntu.

I'll see if I can find any posts specific to Ubuntu / Linux and split tunnelling.

Cheers

thisjun
Posts: 2454
Joined: Mon Feb 24, 2014 11:03 am

Re: Internet through SE

Post by thisjun » Thu Feb 21, 2019 6:07 am

You can use the static route pushing feature.
This is the description of the PUSHROUTE option of the dhcpset command of vpncmd.

Specify the static routing table to push.
Example: "192.168.5.0/255.255.255.0/192.168.4.254, 10.0.0.0/255.0.0.0/192.168.4.253"
Split multiple entries (maximum: 64 entries) by comma or space characters. Each entry must be specified
in the "IP network address/subnet mask/gateway IP address" format.
This Virtual DHCP Server can push the classless static routes (RFC 3442) with DHCP reply messages to
VPN clients.
Whether or not a VPN client can recognize the classless static routes (RFC 3442) depends on the target
VPN client software. SoftEther VPN Client and OpenVPN Client are supporting the classless static
routes. On L2TP/IPsec and MS-SSTP protocols, the compatibility depends on the implementation of the
client software. You can realize the split tunneling if you clear the default gateway field on the
Virtual DHCP Server options. On the client side, L2TP/IPsec and MS-SSTP clients need to be configured
not to set up the default gateway for the split tunneling usage.
You can also push the classless static routes (RFC 3442) by your existing external DHCP server. In that
case, disable the Virtual DHCP Server function on SecureNAT, and you need not to set up the classless
routes on this command.
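
As an added example (not from the thread or from SoftEther), this Python sketch parses a PUSHROUTE value in the format quoted above, encodes it as the RFC 3442 option 121 payload, and flags entries that would capture default traffic and defeat split tunneling. The `tap_soft` tag and the dnsmasq rendering are assumptions for the external DHCP server case.

```python
import ipaddress

MAX_ENTRIES = 64  # limit stated in the PUSHROUTE help text

def parse_pushroute(value):
    """Parse "network/mask/gateway" entries split by commas or spaces."""
    routes = []
    for entry in value.replace(",", " ").split():
        parts = entry.split("/")
        if len(parts) != 3:
            raise ValueError(f"expected network/mask/gateway, got {entry!r}")
        # IPv4Network rejects non-contiguous masks and stray host bits.
        network = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=True)
        routes.append((network, ipaddress.IPv4Address(parts[2])))
    if len(routes) > MAX_ENTRIES:
        raise ValueError(f"{len(routes)} entries, maximum is {MAX_ENTRIES}")
    return routes

def encode_option_121(routes):
    """RFC 3442 payload: prefix length, significant octets, 4-byte router."""
    payload = bytearray()
    for network, gateway in routes:
        significant = (network.prefixlen + 7) // 8
        payload.append(network.prefixlen)
        payload += network.network_address.packed[:significant]
        payload += gateway.packed
    return bytes(payload)

def tunnel_all_routes(routes):
    """Entries with prefix /0 or /1, which capture default traffic."""
    return [str(n) for n, _ in routes if n.prefixlen <= 1]

def dnsmasq_line(routes, tag="tap_soft"):
    """Assumed dnsmasq equivalent, using the bare-tag form seen in the thread."""
    fields = ",".join(f"{n.with_prefixlen},{g}" for n, g in routes)
    return f"dhcp-option={tag},121,{fields}"

if __name__ == "__main__":
    # Sample value taken from the help text quoted above.
    sample = ("192.168.5.0/255.255.255.0/192.168.4.254, "
              "10.0.0.0/255.0.0.0/192.168.4.253")
    routes = parse_pushroute(sample)
    print(encode_option_121(routes).hex())
    print(dnsmasq_line(routes))
    print("tunnel-all entries:", tunnel_all_routes(routes))
```

An empty result from `tunnel_all_routes` means the pushed routes alone will not redirect a client's Internet traffic into the tunnel; the client's own gateway setting still has to be checked separately.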

cmpts_cpeacock
Posts: 13
Joined: Sun Aug 05, 2018 11:38 am

Re: Internet through SE

Post by cmpts_cpeacock » Thu Feb 21, 2019 9:25 am

Thanks. Will check it out. I've not got round to sorting it yet, but that will help.

That said, I am using DNSMASQ for the DHCP element, so would it work the same way as you suggest, or do I need to use DNSMASQ and PUSHROUTE together?

gg_user
Posts: 10
Joined: Sat May 13, 2017 6:39 pm

Re: Internet through SE

Post by gg_user » Tue Mar 05, 2019 11:07 am

Hi,
Setting up for dnsmasq.

Example:

interface=tap_soft
dhcp-range=tap_soft,192.168.200.10,192.168.200.254,255.255.255.0,12h
dhcp-option=tap_soft,3

cmpts_cpeacock
Posts: 13
Joined: Sun Aug 05, 2018 11:38 am

Re: Internet through SE

Post by cmpts_cpeacock » Sat Apr 20, 2019 7:29 pm

gg_user wrote:
Tue Mar 05, 2019 11:07 am
Hi,
Setting up for dnsmasq.

Example:

interface=tap_soft
dhcp-range=tap_soft,192.168.200.10,192.168.200.254,255.255.255.0,12h
dhcp-option=tap_soft,3

Tried this, but same issue. I get connected and assigned an IP set by the dnsmasq as per dhcp-range but no route to the internet.

I've tried dhcp-option as you put it and also:

dhcp-option=tap_soft,3,192.168.200.1

Nothing works.

Any other input?

Cheers

cmpts_cpeacock
Posts: 13
Joined: Sun Aug 05, 2018 11:38 am

Re: Internet through SE

Post by cmpts_cpeacock » Sun Apr 21, 2019 11:30 pm

Ok, a bit of perseverance this evening and I've not changed anything on my original config but worked out the VPN Client (Android - VPN Client Pro) is trying to route web traffic through it. If I add an exclusion route of the IP Address of the destination website it works; I can access the local VPN Server IP and anything on the same local network, and can access the website. No other web pages are loading unless I add another exclusion in.

I've tried the usual 0.0.0.0/0 and 0.0.0.0/1 as exclusions as I saw in the routes in the app but still nothing.

I've contacted the app owner to see if there's some other way of doing this.

Getting close now!

Chris

cmpts_cpeacock
Posts: 13
Joined: Sun Aug 05, 2018 11:38 am

Re: Internet through SE

Post by cmpts_cpeacock » Mon Apr 22, 2019 2:32 pm

Ok, this is now working.

I don't think I changed much at all with my config but the VPN Client has been changed a little.

- Using VPN Client Pro (on Android)
- Using SSTP
- Under Routing / IPv4 routes deselected "gateway redirect"
- Under Routing / IPv4 routes deselected added the SE VPN Server's local subnet and also any networks that network was associated with too (i.e. which may provide internet access, etc)


I also added dhcp-option=option:dns-server to the dnsmasq.config:


interface=tap_tapint1
dhcp-range=tap_tapint1,192.168.7.10,192.168.7.100,12h
dhcp-option=tap_tapint1,3,192.168.7.1
dhcp-option=option:dns-server,8.8.8.8,8.8.4.4
server=8.8.8.8
server=8.8.4.4

The latter two server lines are so SE VPN Server can resolve DNS itself, but the dns-server is so the VPN clients get a DNS server when connecting.

Thanks all for your help.

Chris
