How do I access TCP ports on IP assigned to egiga0 on Linux hosting SoftEther service from VH using egiga0 as a bridge?

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
MyronSz
Posts: 13
Joined: Mon Sep 16, 2019 7:34 pm

How do I access TCP ports on IP assigned to egiga0 on Linux hosting SoftEther service from VH using egiga0 as a bridge?

Post by MyronSz » Mon Sep 30, 2019 8:59 am

Apologies if this is a duplicate question, as I can't find a similar question asked here and I am stuck. I've been trying for ages to find a solution and have thrown in the towel. Please can anyone help.

For purpose of this, a Chromecast is on IP 192.168.0.7.

I have set up two SoftEther VPN servers at home, of which the backup, a Windows 10 installation, is the one I'm having to use as it works really well, but it consumes extra power as this Windows based SoftEther server is the access to the local network which also hosts a NAS. This one is configured on an old laptop, so there is only one wired LAN port, and I have a virtual hub bridged to that LAN port. I can access ALL the resources on the laptop as well as the LAN. For the purpose of this the LAN address is 192.168.0.1. I can ping this IP address from the VPN client and access all other IP based services operating on the computer.

So . . .
PING 192.168.0.1 - WORKS
PING 192.168.0.2 - WORKS
PING 192.168.0.7 - WORKS

The problem is the SoftEther server installed on the NAS with an IP address of 192.168.0.2. When I connect with the client to this Linux hosted SoftEther server, the client can access everything on the LAN except the IP address of the NAS. So, I can ping the IP address of the Chromecast on the LAN, but pinging the NAS's IP fails.

So . . .
PING 192.168.0.1 - WORKS
PING 192.168.0.2 - FAILS
PING 192.168.0.7 - WORKS

So, the VPN does work, but all IP based services on the Linux OS hosting SoftEther fail. The VPN client can't reach the LAN IP address of 192.168.0.2. Trying not to bridge the virtual hub to the LAN adapter, but using SecureNAT instead, didn't seem to work. Same problem. The SoftEther server can't see or reach its host's LAN IP address.

What do I need to do to make the Linux OS behave like the Windows 10 OS regarding bridging to the physical Ethernet adapter?

I have a feeling many people would like to know the answer to this puzzle.

PS: On the NAS that is hosting SoftEther, which I've installed via Entware, the OS is in a protected area. I can not change the OS's boot-up configuration. I could possibly insert a script that would reconfigure things on boot-up, but I would rather not as I don't want to brick the NAS.
Last edited by MyronSz on Sun Oct 06, 2019 4:50 pm, edited 1 time in total.

ozone
Posts: 57
Joined: Thu Sep 19, 2019 7:18 pm

Re: How do I access resources on Linux host hosting SoftEther service

Post by ozone » Tue Oct 01, 2019 7:29 pm

Hi,

Had the same problem a few years ago.
At that time there was a website that explained this behavior in Linux, as it had changed in comparison to older Linux distros, or the Windows flavours of that time. Needless to say, today this website is no longer traceable by Google. I couldn't easily find it. (Although it is probably still there.)

Long story short: You cannot host services on the same ip-address as the vpnserver you are connected on. At least not by default.

There are some things you can do:
-Use localhost (lo) or 127.0.0.1 instead. (Only on the same device.)
-Create a tap device, give it a fixed IP, bridge it in SE, and use THAT IP. (That is what I did, but it worked only behind SecureNAT. Why????)
-(edit: actually the SecureNAT gateway IP ping worked too, but nothing else)
-Allow forwarding (e.g. in sysctl.conf on Debian), so that it IS allowed. (But this may be unwise in your case, on a NAS.)

Good luck.

MyronSz
Posts: 13
Joined: Mon Sep 16, 2019 7:34 pm

Re: How do I access resources on Linux host hosting SoftEther service

Post by MyronSz » Wed Oct 02, 2019 9:32 am

It is a flavour of Debian on the NAS. The system area is protected, which means I can't make any boot-time configuration changes, but run-time changes I can make.

I think you'll know what the question will be now. :-) I will try and look it up, but I've never created a tap device and I am, at the moment, not sure how to. If this is possible then this tap device will need to be set up in some script that gets executed when the NAS starts. Why that may be possible is that the scripts that run when the NAS boots run as root.

Any help and advice, or signposting would be welcomed with many thanks. :-)

ozone
Posts: 57
Joined: Thu Sep 19, 2019 7:18 pm

Re: How do I access resources on Linux host hosting SoftEther service

Post by ozone » Wed Oct 02, 2019 1:15 pm

Hi,

I created the tap-device I mentioned with the Softether Server manager gui tool.
Bridging too... All in the same swoop.

No script needed.

-Connect to your SE server with the "Softether VPN server Manager" gui tool;
-Near the bottom, click the "local bridge setting" button;
-A new window appears. About half way down, select the hub you like;
-Below that, select "Bridge with new tap device";
-A bit below that, you can (and must) enter the name of the tap device;
-Click "Create local Bridge", and exit.

Basically that is all....

However, you DO need to assign a fixed IP to it in Linux. SoftEther does not do that for you.
(but I suspect this will not be an issue for you, since the tap is now also visible there too)
Also, DO NOT give the tap the same address as the SecureNAT gateway address you chose. Maybe one higher.
(so eg. gateway 192.168.2.1, tap 192.168.2.2)

As mentioned, for me it ONLY worked as securenat was on.
However, I had preferred not to enable securenat, as it wasn't needed for anything else, and it is slower. (extra overhead)
Also, this way the VPN clients aren't directly visible from the rest of the LAN, since they are behind NAT.
(this could also be considered a pro)

Connected as VPNclient, a resource (eg. webserver) should now be accessible on 192.168.2.2 in my example.

I hope this helps to get you started.

MyronSz
Posts: 13
Joined: Mon Sep 16, 2019 7:34 pm

Re: How do I access resources on Linux host hosting SoftEther service

Post by MyronSz » Sat Oct 05, 2019 10:48 pm

Creating the bridge worked. It also seems that applying a static IP to the tap device worked.

root@ZEUS root # ifconfig tap_t0 192.168.200.1 netmask 255.255.255.0
root@ZEUS root # ifconfig tap_t0
tap_t0 Link encap:Ethernet HWaddr 5E:D5:74:6B:B2:62
inet addr:192.168.200.1 Bcast:192.168.200.255 Mask:255.255.255.0
inet6 addr: fe80::5cd5:74ff:fe6b:b262/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3686 errors:0 dropped:0 overruns:0 frame:0
TX packets:1503 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:943547 (921.4 KiB) TX bytes:145775 (142.3 KiB)

When I try to ping the egiga0 interface's IP address, that fails. What does work is being able to access everything that's not on the NAS, so I can ping the Chromecast on the LAN. Using SecureNAT as you mentioned.

These bits on Linux are quite new to me. IP networks is not. It's how to correctly configure the Linux OS.

Any more advice? Examples of commands that have worked for you? (I'm one of those who learn quicker from examples.)

(edit: Changed IP to 192.168.30.160 and could ping that through SecureNAT VPN. DHCP allocates between 192.168.30.10 and 192.168.30.100)

MyronSz
Posts: 13
Joined: Mon Sep 16, 2019 7:34 pm

Re: How do I access resources on Linux host hosting SoftEther service

Post by MyronSz » Sun Oct 06, 2019 11:09 am

I got it to work. Thank you for your help. So the static IP address of the tap has to be in the same local address space as the SecureNAT? This has worked. I can currently, through the VPN access

You're a life saver for me here. It's a little inconvenient having to use the NAS from another IP address, but it's not really a problem. I'm impressed that this works, especially with a device that, for obvious reasons, will not (easily) allow the user to update the Linux OS. Until I create a serial interface for the NAS so I can log in to the console should Linux fail to start, this is a better option as it's not changing the manufacturer's configuration.

The only thing I need to live with, I guess, is that when the NAS loses power or reboots, SoftEther will re-create the tap device it initially created, but the static IP address will have to be manually reassigned, unless I can find some way of creating the tap device and configuring it in some script before SoftEther starts. I am wondering if that can be done here? Where the tap device can be created, a few seconds' wait before starting SoftEther, and then destroying the tap a few seconds after SoftEther stops.

I am using Entware to make the NAS do more than it's designed for. I tweaked it to be sure that all Entware services are shut down and /opt is returned to its original state before the manufacturer's reboot/shutdown scripts fire.

In a nutshell, on a NAS reboot or start-up the only part of the directory tree that persists is /share/Volume_1. Everything else is lost. A little like a sandbox that's programmed to forget everything once what it is hosting is shut down. That's why I can't, without great risk, make any Linux boot-time configurations persist. All configuration needs to be done at run-time and in a way that will not prevent the NAS from booting.

root@ZEUS init.d # pwd
/opt/etc/init.d
root@ZEUS init.d # cat S05vpnserver
#!/bin/sh

PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export GCONV_PATH=/opt/lib/gconv

# SoftEther re-creates tap_t0 each time the hub/bridge comes up, so the
# static address is assigned a few seconds after vpnserver starts.
case $1 in
    start)
        logger "Starting softether vpnserver service."
        LANG=en_US.UTF-8 /opt/libexec/softethervpn/vpnserver start
        sleep 5
        logger "Assigning 192.168.30.160 to tap_t0."
        ifconfig tap_t0 192.168.30.160 netmask 255.255.255.0
        ;;
    stop)
        logger "Stopping softether vpnserver service."
        LANG=en_US.UTF-8 /opt/libexec/softethervpn/vpnserver stop
        ;;
    restart)
        logger "Stopping softether vpnserver service."
        LANG=en_US.UTF-8 /opt/libexec/softethervpn/vpnserver stop
        sleep 5
        logger "Starting softether vpnserver service."
        LANG=en_US.UTF-8 /opt/libexec/softethervpn/vpnserver start
        sleep 5
        logger "Assigning 192.168.30.160 to tap_t0."
        ifconfig tap_t0 192.168.30.160 netmask 255.255.255.0
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        ;;
esac
I just tried the modified script after I discovered that stopping SoftEther, or the virtual hub that has the bridge defined, destroys the virtual adapter, and starting SoftEther or the virtual hub re-creates it. I spent some time figuring out why it stopped working correctly when I put the virtual hub offline and then back online and then lost contact with SoftEther's host Linux OS.
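As an added example that is not part of the thread, a hardened version of the start/restart step from the script above: it waits for the tap device to appear instead of sleeping a fixed 5 seconds, and it refuses a tap address that is outside the SecureNAT subnet, equal to the gateway, or inside the DHCP pool (the earlier 192.168.200.1 attempt fails the first check). The device name, tap address and DHCP pool bounds come from the thread; the gateway address 192.168.30.1 and the /24 are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: helpers for the start and restart
# cases of an /opt/etc/init.d script like the one above. Instead of a fixed
# "sleep 5" it polls for the tap device that SoftEther creates when the hub
# or bridge comes up, checks the chosen tap address against the SecureNAT
# subnet and DHCP pool, then assigns it with an explicit netmask.
# Plain POSIX sh (no "local"), since the NAS shell may be busybox.

TAP_DEV="tap_t0"
TAP_IP="192.168.30.160"
PREFIX=24                  # SecureNAT subnet size (assumed /24)
NAT_GW="192.168.30.1"      # SecureNAT gateway address (assumed)
DHCP_LO="192.168.30.10"    # SecureNAT DHCP pool, as stated in the thread
DHCP_HI="192.168.30.100"

# Dotted quad -> 32-bit integer. The subshell body keeps the IFS change private.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Prefix length -> dotted netmask, e.g. 24 -> 255.255.255.0.
prefix2mask() {
    m=$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    echo "$(( m >> 24 & 255 )).$(( m >> 16 & 255 )).$(( m >> 8 & 255 )).$(( m & 255 ))"
}

# A usable tap address is in the SecureNAT gateway's subnet, is not the
# gateway itself, and lies outside the DHCP pool so SecureNAT never leases it.
# Args: tap_ip prefix gateway pool_start pool_end
validate_tap_ip() {
    tap=$(ip2int "$1"); gw=$(ip2int "$3"); lo=$(ip2int "$4"); hi=$(ip2int "$5")
    host_bits=$(( 32 - $2 ))
    [ $(( tap >> host_bits )) -eq $(( gw >> host_bits )) ] \
        || { echo "$1 is not in the SecureNAT subnet" >&2; return 1; }
    [ "$tap" -ne "$gw" ] \
        || { echo "$1 collides with the SecureNAT gateway" >&2; return 1; }
    if [ "$tap" -ge "$lo" ] && [ "$tap" -le "$hi" ]; then
        echo "$1 lies inside the SecureNAT DHCP pool" >&2; return 1
    fi
}

# Poll until /sys/class/net/<dev> exists or $2 seconds have passed.
wait_for_dev() {
    n=0
    while [ ! -e "/sys/class/net/$1" ]; do
        n=$(( n + 1 ))
        [ "$n" -le "$2" ] || return 1
        sleep 1
    done
}

# Call this from the start and restart cases after "vpnserver start".
configure_tap() {
    validate_tap_ip "$TAP_IP" "$PREFIX" "$NAT_GW" "$DHCP_LO" "$DHCP_HI" || return 1
    wait_for_dev "$TAP_DEV" 30 || { logger "$TAP_DEV did not appear"; return 1; }
    ifconfig "$TAP_DEV" "$TAP_IP" netmask "$(prefix2mask "$PREFIX")"
    logger "Assigned $TAP_IP/$PREFIX to $TAP_DEV."
}
```

Source this file from the init.d script and replace the `sleep 5; ifconfig tap_t0 ...` lines with a single `configure_tap` call; a rejected address is logged to stderr and the script exits non-zero instead of silently assigning a clashing IP.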

ozone
Posts: 57
Joined: Thu Sep 19, 2019 7:18 pm

Re: How do I access TCP ports on IP assigned to egiga0 on Linux hosting SoftEther service from VH using egiga0 as a brid

Post by ozone » Tue Oct 08, 2019 12:05 am

Hi,

Good to hear that you got it to work.
It is true that the tap device should be on the same subnet as the securenat gateway address.
The SecureNAT function acts like a normal home NAT router, albeit a very simple one. The LAN-side devices should all be on the same IP range, and on the same range as the router gateway IP.

The idea is that you connect to other home/Lan devices with their own ip, but the items on the Nas with the tap ip. (when on vpn)

I'm not really familiar with Entware. I usually do a baremetal or vm deploy of a normal linux.
I only installed debian-chroot on a Syno maybe twice. And there the settings were retained over reboots just fine.

Also, and I will probably get some flak from real Linux gurus, I simply put my fixed IPs in /etc/dhcpd.conf
On baremetal or vm this makes the Ip remain the same even if the hub or SE-service is stopped and restarted.
It will look something like this:

interface tap_lan
static ip_address=192.168.0.90/24
static routers=192.168.0.1

(where "routers" is the securenat address in my case)

But I see no reason why your script shouldn't work too.... And I'm not sure if you even have a dhcpd daemon in Entware.
Just wanted to share that.

Good luck,

Oz

MyronSz
Posts: 13
Joined: Mon Sep 16, 2019 7:34 pm

Re: How do I access TCP ports on IP assigned to egiga0 on Linux hosting SoftEther service from VH using egiga0 as a brid

Post by MyronSz » Tue Oct 08, 2019 9:33 am

It's boot-time configurations I can't make, so settings that get applied while Linux is initialising, but I have figured out how to make configuration changes using a script placed in /opt/etc/init.d. So, it's configuration changes I can make to, hopefully, solve the issue and allow a normal bridge configuration to be used. This is where, unfortunately, Microsoft Windows wins. The same physical adapter can be used for normal operation and a fully functional bridge. A puzzle to solve after Linux becomes fully operational, as by the time the scripts in /opt/etc/init.d run, the Debian Linux is fully initialised.

MyronSz
Posts: 13
Joined: Mon Sep 16, 2019 7:34 pm

Re: How do I access TCP ports on IP assigned to egiga0 on Linux hosting SoftEther service from VH using egiga0 as a brid

Post by MyronSz » Wed Oct 23, 2019 11:47 am

ozone wrote:
Tue Oct 08, 2019 12:05 am
But I see no reason why your script shouldn't work too.... And I'm not sure if you even have a dhcpd deamon in Entware.
Just revisiting this topic. Ok.. Entware.. It's a sort of app that installs on the NAS and allows installation of many other applications pre-compiled to operate assuming /opt is the root. /opt is symlinked to a directory on the RAID array, so when the NAS shuts down the Entware installed packages are not lost. Or..... Entware is like a container application for other applications.

It's sort of a good idea for a NAS because the NAS's OS and configuration is not changed or altered in any way. The disadvantage is that if the Linux kernel needs to be changed to support a feature then that can't be done. It's all got to be done after the NAS's Debian Linux OS has fully started up.

As mentioned, and on this thanks for your help, I tweaked SoftEther's service control script to assign an IP address to the tap interface 5 seconds after SoftEther is started and that has worked like a charm. I access the NAS using an mDNS or NetBIOS name so I don't have to change anything on any of the other devices. For me, I don't actually need to have a fully bridged connection, for now.

ozone
Posts: 57
Joined: Thu Sep 19, 2019 7:18 pm

Re: How do I access TCP ports on IP assigned to egiga0 on Linux hosting SoftEther service from VH using egiga0 as a brid

Post by ozone » Wed Oct 23, 2019 6:34 pm

Hi,

Thank you for letting us know that it works for you now.
Glad that I could be of assistance.

Entware sounds like a really good idea in some scenarios. I hadn't worked with it, so for me it was difficult to guess what you could and couldn't do from within Entware. So I tried to explain with my "bare-metal-install-Linux" SoftEther knowledge how I would try to fix it.

Going off-topic here, but doesn't Entware suffer from data corruption if that environment is terminated by the shut-down process of the NAS??
In other words: Is everything brought down somewhat nicely?
(I know SE isn't writing a lot, but others might....)

Oz

MyronSz
Posts: 13
Joined: Mon Sep 16, 2019 7:34 pm

Re: How do I access TCP ports on IP assigned to egiga0 on Linux hosting SoftEther service from VH using egiga0 as a brid

Post by MyronSz » Wed Oct 23, 2019 7:34 pm

Yes. On shutdown the Entware app is sent a signal to shut-down and Entware's script runs scripts in /opt/etc/init.d with the stop parameter to halt all the tasks. Entware's app script then takes a copy of the account's home directory Entware is running under, unmounts /opt to restore the NAS's original /opt directory. If that fails because processes are operating under /opt then those processes are terminated and then another unmount of /opt is attempted.

At that point during the shut-down procedure everything started by Entware is stopped, forced to terminate if a normal end is not achieved, /opt directory put back as was and the remainder of the NAS shut-down procedure continues.

It's a very elegant solution. Any NAS firmware updates are handled correctly.

I did check the scripts that make-up Entware to make sure they do what's necessary. Even used Entware to fix a broken symlink to a directory within the NAS's OS image.

Saves me dedicating a Raspberry Pi to hosting SoftEther server.

ozone
Posts: 57
Joined: Thu Sep 19, 2019 7:18 pm

Re: How do I access TCP ports on IP assigned to egiga0 on Linux hosting SoftEther service from VH using egiga0 as a brid

Post by ozone » Thu Oct 24, 2019 8:48 pm

I certainly will look into that further. Very interesting.
And probably even faster on a decent NAS than a Pi.

Thx for the explanation.

MyronSz
Posts: 13
Joined: Mon Sep 16, 2019 7:34 pm

Re: How do I access TCP ports on IP assigned to egiga0 on Linux hosting SoftEther service from VH using egiga0 as a brid

Post by MyronSz » Fri Oct 25, 2019 6:04 pm

It's not the fastest thing on the planet, but yes. The one SoftEther is running on has 6 GB installed, of which the Linux OS naturally uses any unallocated RAM as a disk cache. The processor is an Intel Atom at 1.6 GHz on this particular NAS.

I guess running SoftEther server on hardware dedicated to the one task, from a security standpoint, makes sense.

I can see that the only issue here is if some device needs to initiate communications with the VPN client's IP address. It won't see it because there is no route from 192.168.0.0/255.255.255.0 to 192.168.30.0/255.255.255.0, and SoftEther's SecureNAT does not implement any form of port forwarding in its current form.

ozone
Posts: 57
Joined: Thu Sep 19, 2019 7:18 pm

Re: How do I access TCP ports on IP assigned to egiga0 on Linux hosting SoftEther service from VH using egiga0 as a brid

Post by ozone » Sun Nov 03, 2019 12:36 am

Hi,

Sorry for the late reply. I was out of town this week.

Wouldn't you be able to use something like "iptables" in Entware??

You can use that instead of the SoftEther SecureNAT, and that will let you do the NATting (SRC NAT/masquerade) and port forwarding (DST NAT).
A little more cumbersome to manage, as it is not GUI-based, but with more options related to NAT and firewall.
Mind that to replace the SecureNAT DHCP functions, you would also need "dnsmasq" or similar. Again, text-based, but with more options.

I guess that you could make it as "complicated" as you wish :)
As long as it can be implemented on Entware.

Oz

MyronSz
Posts: 13
Joined: Mon Sep 16, 2019 7:34 pm

Re: How do I access TCP ports on IP assigned to egiga0 on Linux hosting SoftEther service from VH using egiga0 as a brid

Post by MyronSz » Sun Nov 03, 2019 10:26 am

When I get time I will try and have a look at that. For me that's advanced Linux stuff as, unfortunately, I'm more of a Windows person.

With Entware any program will work, but they just need to be re-compiled with a simple change. That change is that the root for Entware apps is /opt.

So /etc becomes /opt/etc, /bin becomes /opt/bin, /libexec becomes /opt/libexec, etc.....

The Entware repository is just that. Programs recompiled so they live and operate under /opt and not /.
