about UDP4500 and UDP 5000!

Post your questions about SoftEther VPN software here. Please answer questions if you can.
rain520com
Posts: 7
Joined: Thu Feb 07, 2019 3:20 am

about UDP4500 and UDP 5000!

Post by rain520com » Thu Feb 07, 2019 9:44 am

I can't connect to the server I set up on a VPS using the iOS built-in VPN. I use CentOS 7, and I have closed the firewall. I read on the forum that "On the NAT, UDP 500 and 4500 should be transferred to the VPN Server." I know this is a very basic problem, but since I am a newbie I have been unable to find out how to set it up. Would anyone explain it in detail? Thank you!

cmd wh0ami
Posts: 125
Joined: Sun Jul 16, 2017 6:58 pm

Re: about UDP4500 and UDP 5000!

Post by cmd wh0ami » Thu Feb 07, 2019 10:53 pm

If this is for L2TP/IPsec, since you are running CentOS 7, I would disable and uninstall firewalld, then install and enable iptables-services.

systemctl disable firewalld
systemctl stop firewalld
yum remove firewalld -y
yum install iptables-services -y
systemctl enable iptables

Then you will make an iptables script like this...

vi softether.fw
#!/bin/bash
#
#######################################################################
#      iptables rules
#######################################################################
#
# Flush current IPv4 rules and delete user-defined chains
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# Set default chain policies: anything not explicitly allowed below is dropped.
# Note that with OUTPUT set to DROP the server itself cannot open new outbound
# connections (DNS, yum, NTP) unless you add OUTPUT rules for them.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow loopback on localhost, and reject spoofed 127.0.0.0/8 traffic
# arriving on any other interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow ping (ICMP echo request, type 8) and ICMP replies/errors
iptables -A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# Allow incoming SSH, only from your own management addresses.
# Replace both placeholders, and change 22 if sshd listens elsewhere.
iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s YOUR_BACKUP_IP_ADDRESS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow incoming HTTPS for SoftEther (default listener)
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow incoming OpenVPN
iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow incoming IPsec: UDP 500 (IKE) and UDP 4500 (NAT traversal)
iptables -A INPUT -p udp --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow incoming Network Speed tool (uncomment when needed)
#iptables -A INPUT -p tcp --dport 9821 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop null packets (no TCP flags set); -I puts these checks at the top of INPUT
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop NEW TCP connections that do not start with a SYN
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop XMAS packets (all TCP flags set)
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP

##########################

# Save changes so they survive a reboot (iptables-services)
service iptables save

# Reload the service with the saved rules
service iptables restart

#######################################################################
#      End of rules
#######################################################################

chmod +x softether.fw
./softether.fw

*MAKE SURE TO CHANGE YOUR_IP_ADDRESS AND YOUR_BACKUP_IP_ADDRESS FOR SSH OR YOU WILL GET LOCKED OUT OF YOUR SERVER... ALSO MAKE SURE THE SSH PORT IS CORRECT OR YOU WILL GET LOCKED OUT OF YOUR SERVER...
VPN Discord invite: https://discord.gg/QByKXA9
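A pre-flight check for a softether.fw-style rules file, added here as an example and not part of the post above: before running a script whose default policies are DROP, it confirms the placeholder SSH source addresses were replaced, that INPUT accepts the port sshd listens on, and that UDP 500 and 4500 are accepted for IPsec. The file name softether.fw and the sample rule files are assumptions; the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the poster's code): pre-flight check for an iptables
# script with default-DROP policies. Exit 0 means safe to apply.
# Usage: preflight_check <rules-file> [ssh-port]

preflight_check() {
    rules_file=$1
    ssh_port=${2:-22}
    status=0

    # 1. A placeholder left in the file means no usable SSH allow rule (lockout).
    if grep -Eq 'YOUR_(BACKUP_)?IP_ADDRESS' "$rules_file"; then
        echo "placeholder source IP still present in $rules_file" >&2
        status=1
    fi

    # 2. INPUT must ACCEPT the TCP port sshd actually listens on.
    if ! grep -Eq "^iptables -A INPUT .*-p tcp .*--dport ${ssh_port}( |$).*-j ACCEPT" "$rules_file"; then
        echo "no INPUT ACCEPT rule for tcp/${ssh_port}" >&2
        status=1
    fi

    # 3. IPsec needs UDP 500 (IKE) and UDP 4500 (NAT-T) accepted on INPUT.
    for port in 500 4500; do
        if ! grep -Eq "^iptables -A INPUT .*-p udp .*--dport ${port}( |$).*-j ACCEPT" "$rules_file"; then
            echo "no INPUT ACCEPT rule for udp/${port}" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample rule files for the demonstration (not real configs).
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
iptables -A INPUT -p tcp -s 203.0.113.10 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -m state --state NEW,ESTABLISHED -j ACCEPT
EOF

SAMPLE_BAD=$(mktemp)   # placeholder left in, no UDP 4500 rule
cat > "$SAMPLE_BAD" <<'EOF'
iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
EOF

preflight_check "$SAMPLE_BAD" 22 || echo "sample BAD file rejected"
preflight_check "$SAMPLE_OK" 22 && echo "sample OK file passes"
```

Run it against the real softether.fw with the actual sshd port (for example `preflight_check softether.fw 22`) and only execute the script when it returns 0.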

cmd wh0ami
Posts: 125
Joined: Sun Jul 16, 2017 6:58 pm

Re: about UDP4500 and UDP 5000!

Post by cmd wh0ami » Fri Feb 08, 2019 11:18 am

Also, if the client is behind a firewall, you have to open ports 500 and 4500 on your router's firewall.
VPN Discord invite: https://discord.gg/QByKXA9

rain520com
Posts: 7
Joined: Thu Feb 07, 2019 3:20 am

Re: about UDP4500 and UDP 5000!

Post by rain520com » Fri Feb 08, 2019 3:23 pm

Thank you very much!

rain520com
Posts: 7
Joined: Thu Feb 07, 2019 3:20 am

Re: about UDP4500 and UDP 5000!

Post by rain520com » Fri Feb 08, 2019 3:28 pm

Is this port forwarding? It seems like I only see some rules that allow it to pass through the firewall.

cmd wh0ami
Posts: 125
Joined: Sun Jul 16, 2017 6:58 pm

Re: about UDP4500 and UDP 5000!

Post by cmd wh0ami » Sun Feb 10, 2019 3:02 am

Port forwarding is done on the outside router's firewall... The set of firewall rules I provided is for CentOS 7 running on your box.

All routers are different, but the general idea is to open and forward ports 500 and 4500 on your router to ports 500 and 4500 of the local IP address of your Linux box.
VPN Discord invite: https://discord.gg/QByKXA9
