Linux always-on VPN client (starting dhclient automatically)

riny
Posts: 5
Joined: Tue Jul 02, 2019 3:12 pm

Linux always-on VPN client (starting dhclient automatically)

Post by riny » Wed Jun 17, 2020 7:10 pm

I just want to share a configuration for a Linux host with an always-on SoftEther client. As everyone knows, the Windows client automatically handles DHCP and routing, but the Linux client does not. The documentation recommends that you manually start dhclient and make the necessary routing table changes after connecting. But this clearly doesn't work for non-interactive startup.

I'm doing this on an Ubuntu server and I spent a long time trying to get netplan (and/or NetworkManager directly) to own the SoftEther interface, but I just couldn't get it to work. So instead I created a systemd unit file to start dhclient automatically with SoftEther. Then I made my VPN connection a "startup connection" in the VPN client config. Now SoftEther automatically connects on startup, and dhclient starts right after.

This depends on using the bundled softether-vpnclient.service in the latest releases on GitHub. Use make -C tmp && make -C tmp package to build an OS-specific package (rpm or deb) which includes this, and systemd enable softether-vpnclient.service so it always starts on reboot.

Here's the unit file for dhclient. Install this as /lib/systemd/system/dhclient-vpn.service and then use systemd enable dhclient-vpn.service to enable it.

[Unit]
Description=DHCP Client for SoftEther VPN
# Start only after the SoftEther client is up, and stop/restart together with it.
After=softether-vpnclient.service
Requires=softether-vpnclient.service
PartOf=softether-vpnclient.service

[Service]
# dhclient daemonizes itself, so systemd waits for the parent process to exit.
Type=forking
# Replace "vpn" with the name of your VPN interface. Keep comments on their own
# line: systemd does not treat "#" inside a value as a comment, so anything after
# it on the ExecStart= line would be passed to dhclient as extra arguments.
ExecStart=/sbin/dhclient -v vpn
ExecStop=/sbin/dhclient -v -r vpn
# Retry if dhclient fails (for example because the interface is not up yet).
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target

Now there's the question of the routing table modifications. Personally I did this in my DHCP server using DHCP option 121, so clients automatically get the routes they need and manual routing table entries are never needed. This setup is a little more complex but I can post more details if anyone is interested.
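A pitfall worth checking for in unit files like this one is an inline "#" on an Exec line: systemd only treats a line as a comment when it begins with "#" or ";", so a note written after the interface name on ExecStart= becomes extra arguments to dhclient. The following is an added example, not code from the post or from SoftEther, that lints a unit for that and for a forking service without a PIDFile=. Both sample units are constructed for the example, the parser is a deliberate simplification of systemd's syntax (no line continuations or specifiers), and the pidfile path and dhclient's -pf flag in the corrected sample are this example's choices.

```python
"""Added example, not code from the forum post: lint a systemd unit before
installing it. systemd treats a line as a comment only when it starts with '#'
or ';'; a '#' in the middle of an ExecStart= value is part of the command line.
The parser is a simplification of systemd's syntax (no line continuations, no
specifiers) and the sample units below are constructed for this example."""
import shlex


def parse_unit(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # only whole-line comments are comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def exec_argv(value):
    """Split an Exec*= value as the program will receive it. shlex with comments
    disabled is a close approximation of systemd's quoting for simple commands."""
    return shlex.split(value, comments=False)


def lint_unit(text):
    """Return a list of findings; an empty list means no known pitfall was found."""
    findings = []
    unit = parse_unit(text)
    service_pairs = unit.get("Service", [])
    service = dict(service_pairs)               # last value wins, as in systemd
    for key, value in service_pairs:
        if key.startswith("Exec"):
            argv = exec_argv(value)
            if any(a.startswith("#") for a in argv):
                findings.append(f"{key}: '#' inside a value is not a comment; "
                                f"the program would receive {argv[1:]}")
    if service.get("Type") == "forking" and "PIDFile" not in service:
        findings.append("Type=forking without PIDFile=: systemd has to guess the main PID")
    if not dict(unit.get("Install", [])).get("WantedBy"):
        findings.append("no [Install] WantedBy=: 'systemctl enable' has nothing to hook into")
    return findings


# Constructed sample with the pitfall: the note after the interface name is argv.
UNIT_WITH_INLINE_COMMENT = """\
[Unit]
Description=DHCP Client for SoftEther VPN
After=softether-vpnclient.service
Requires=softether-vpnclient.service
PartOf=softether-vpnclient.service

[Service]
Type=forking
ExecStart=/sbin/dhclient -v vpn # <--- Use the name of your VPN interface here
ExecStop=/sbin/dhclient -v -r vpn
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
"""

# Constructed corrected sample: comment on its own line, plus a pidfile so systemd
# can track the daemonized dhclient (-pf is ISC dhclient's pidfile option;
# the path /run/dhclient-vpn.pid is this example's choice).
UNIT_FIXED = """\
[Unit]
Description=DHCP Client for SoftEther VPN
After=softether-vpnclient.service
Requires=softether-vpnclient.service
PartOf=softether-vpnclient.service

[Service]
Type=forking
# Replace "vpn" with the name of your VPN interface.
PIDFile=/run/dhclient-vpn.pid
ExecStart=/sbin/dhclient -v -pf /run/dhclient-vpn.pid vpn
ExecStop=/sbin/dhclient -v -r -pf /run/dhclient-vpn.pid vpn
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for name, text in (("inline-comment", UNIT_WITH_INLINE_COMMENT), ("fixed", UNIT_FIXED)):
        print(name, lint_unit(text) or "ok")
```

Run it on a unit before copying it into /lib/systemd/system; on a real host, systemd-analyze verify gives a fuller check, but it will not flag the inline "#" because to systemd that value is simply a longer command line.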

AleXSR700
Posts: 19
Joined: Wed Oct 16, 2019 7:35 am

Re: Linux always-on VPN client (starting dhclient automatically)

Post by AleXSR700 » Tue Jun 23, 2020 6:51 am

Hello @riny

I would really be interested in this.

I am currently away on business and was once again reminded how good it would be to have a proper VPN server at home.
So when I get back I will build a SoftEther server on a Raspberry Pi 4 B and then also a SoftEther client, again on a RasPi 4 B.

Both should auto-start after reboot. And the client should also automatically start an AP, so it acts as an AP with a permanent VPN connection.

Your approach, I believe, will help achieve this :-)

riny
Posts: 5
Joined: Tue Jul 02, 2019 3:12 pm

Re: Linux always-on VPN client (starting dhclient automatically)

Post by riny » Thu Jun 25, 2020 10:41 pm

That's a clever idea! Well this gives you the client side of things. For the server side, see this link. Make sure you read and understand that, because this builds on it.

The only thing not covered there is the routing. Once you start DHCP, you still need to manually add routes through the VPN. I use dnsmasq for DNS on my home network with this setup:
  • Main network: 10.0.0.0/16, default gateway 10.0.1.2; VPN server running on 10.0.0.111
  • VPN network: 10.1.1.0/24, default gateway 10.1.1.1 (the inside address in the VPN namespace)
Inside the VPN namespace, I use dhcrelay to forward DHCP out to my main network. dhcrelay is started with this command-line:

/usr/sbin/ip netns exec vpn /usr/sbin/dhcrelay 10.0.0.3 -a

10.0.0.3 is the address of my DHCP server running dnsmasq, and the "-a" option is important so dnsmasq can identify requests from VPN clients.

Here's the relevant snippet from my dnsmasq config:

# Requests relayed by "dhcrelay -a" carry the relay agent option (82, "agent-id");
# use it to tell VPN clients from clients on the main network.
dhcp-match=set:vpn,option:agent-id
tag-if=set:int,tag:!vpn

# Main network: hand out addresses and push a classless static route to the VPN
# subnet via the SoftEther server (option 121; 249 is Microsoft's pre-RFC number
# for the same data).
dhcp-range=tag:int,10.0.0.80,10.0.0.99,4h
dhcp-option=tag:int,121,10.1.1.0/24,10.0.0.111
dhcp-option=tag:int,249,10.1.1.0/24,10.0.0.111
dhcp-option=tag:int,option:router,10.0.1.2

# VPN network: the netmask is given explicitly because this subnet is not on one of
# dnsmasq's own interfaces; push a route back to the main network.
dhcp-range=tag:vpn,10.1.1.50,10.1.1.200,255.255.255.0,2h
dhcp-option=tag:vpn,121,10.0.0.0/16,10.1.1.1
dhcp-option=tag:vpn,249,10.0.0.0/16,10.1.1.1
dhcp-option=tag:vpn,option:router,10.1.1.1

The first block says to look at the agent-id option (set by dhcrelay -a) and tag requests as either "int" or "vpn" based on whether that option is set. Internal clients get classless static routes into the VPN through SoftEther, and VPN clients get routes into the main network.

I'm only routing local traffic so there's no default gateway set. If you want ALL traffic to go through the VPN, then you could add a 0.0.0.0/0 route to the tag:vpn section.
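To make the dnsmasq lines above concrete, here is an added example, not code from the post or from dnsmasq, showing what they put on the wire: the RFC 3442 encoding that option 121 (and Microsoft's 249, which carries the identical payload) uses for classless static routes, a decoder for what a client receives, and the option-82 test that the vpn/int tagging relies on. The DHCP option bytes are constructed for the example (the circuit-id sub-option content "tap" is made up), and the function names are this example's own.

```python
"""Added example, not from the forum post: RFC 3442 classless static routes
(DHCP options 121/249) and the relay-agent-option check behind dnsmasq's
vpn/int tags. Sample packets are constructed, nothing here was captured."""
import ipaddress

OPT_ROUTER = 3
OPT_MSG_TYPE = 53
OPT_AGENT_ID = 82            # relay agent information, what "dhcrelay -a" appends
OPT_CLASSLESS_ROUTE = 121
OPT_MS_CLASSLESS_ROUTE = 249 # Microsoft's pre-RFC code, same payload as 121
OPT_END = 255


def encode_classless_routes(routes):
    """routes: [(dest_cidr, gateway)] -> RFC 3442 payload. Each entry is
    <prefix-len><only the significant destination octets><4-byte gateway>,
    so 10.1.1.0/24 takes 3 destination octets and 0.0.0.0/0 takes none."""
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest)          # strict: host bits set -> ValueError
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; rejects truncated or invalid data."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        significant = (plen + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + significant]).ljust(4, b"\0")
        i += significant
        gw = bytes(data[i:i + 4])
        i += 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(gw))))
    return routes


def parse_options(blob):
    """Parse the DHCP option TLVs (the bytes after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        i += 1
        if code == OPT_END:
            break
        if code == 0:                          # pad
            continue
        if i >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i]
        i += 1
        if i + length > len(blob):
            raise ValueError(f"option {code} runs past end of packet")
        opts[code] = bytes(blob[i:i + length])
        i += length
    return opts


def encode_options(opts):
    out = bytearray()
    for code, value in opts.items():
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def classify(opts):
    """dnsmasq: dhcp-match=set:vpn,option:agent-id ; tag-if=set:int,tag:!vpn"""
    return "vpn" if OPT_AGENT_ID in opts else "int"


def build_route_options(tag):
    """The dhcp-option lines from the post, for the given tag, as option bytes."""
    if tag == "int":
        routes, router = [("10.1.1.0/24", "10.0.0.111")], "10.0.1.2"
    elif tag == "vpn":
        routes, router = [("10.0.0.0/16", "10.1.1.1")], "10.1.1.1"
    else:
        raise ValueError(f"unknown tag {tag!r}")
    payload = encode_classless_routes(routes)
    return {OPT_CLASSLESS_ROUTE: payload, OPT_MS_CLASSLESS_ROUTE: payload,
            OPT_ROUTER: ipaddress.IPv4Address(router).packed}


# Constructed samples: a DISCOVER relayed by "dhcrelay -a" (option 82 with a
# circuit-id sub-option 1 whose content "tap" is made up) and a direct DISCOVER.
RELAYED_DISCOVER = encode_options({OPT_MSG_TYPE: b"\x01", OPT_AGENT_ID: b"\x01\x03tap"})
DIRECT_DISCOVER = encode_options({OPT_MSG_TYPE: b"\x01"})

if __name__ == "__main__":
    for pkt in (RELAYED_DISCOVER, DIRECT_DISCOVER):
        tag = classify(parse_options(pkt))
        print(tag, decode_classless_routes(build_route_options(tag)[OPT_CLASSLESS_ROUTE]))
```

Two caveats that follow from the encoding. First, RFC 3442 requires a client that understands option 121 to ignore the router option when both are present, so for such clients the route list is the whole routing decision: adding a 0.0.0.0/0 entry to the tag:vpn option 121 line (which encodes as a single zero length byte followed by the gateway) is what actually produces a default route through the VPN. Second, option 121 lets whatever answers DHCP on a segment push arbitrary routes into clients, so on the VPN network only the relay should be able to reach clients' DHCP requests; a rogue DHCP server run by another VPN client could otherwise redirect traffic for any prefix it likes.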
