more two hubs in softether with local bridge

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
mario franco
Posts: 1
Joined: Sun Dec 06, 2020 5:46 pm

more two hubs in softether with local bridge

Post by mario franco » Mon Jan 11, 2021 11:50 pm

I tried to make two bridges for two hubs in a nat vps without success, only one connects to the internet. Range 10.0.13.10,10.0.13.100 (connects); range 10.0.14.10,10.0.14.100 (does not connect); the second hub uses the range of the first and does not change.

configuration:

dnsmasq.config

# Listen to interface
# In this case it is the Softether bridge
interface=tap_softether
interface=tap_softether2

# Don't ever listen to anything on eth0, you wouldn't want that.
except-interface=venet0

# In case you have bind on your server and doesn't want dnsmasq to use the default dns port #53:
# port=5353
listen-address=10.0.13.1
listen-address=10.0.14.1
bind-interfaces
################################################################################## Options

#tap 1#

# Let's give the connecting clients an internal IP
dhcp-range=tap_softether,10.0.13.13,10.0.13.213,720h

# Default route and dns
dhcp-option=tap_softether,3,10.0.13.1

#tap 2#

# Let's give the connecting clients an internal IP
dhcp-range=tap_softether2,10.0.14.14,10.0.14.214,720h

# Default route and dns
dhcp-option=tap_softether2,3,10.0.14.1

####################################################################################

# enable dhcp
dhcp-authoritative

# enable IPv6 Route Advertisements
enable-ra

# have your simple hosts expanded to domain
expand-hosts

# Let dnsmasq use the dns servers in the order you chose.
strict-order

# Let's try not giving the same IP to all, right?
dhcp-no-override

# Let's assign a unique and real IPv6 address to all clients.
# Here, we are using the IPv6 addresses from the he-ipv6 interface (Hurricane Electric ipv6 tunnel)
# You should replace it with your own IP range.
# This way even if you have only 1 shared IPv4
# All of your clients can have a real and unique IPv6 address.
# you can try slaac,ra-only | slaac,ra-names | slaac,ra-stateless in case you have trouble connecting
dhcp-range=tap_softether,2001:470:1f07:4d5:10f:0000:0000:0032,2001:470:1f07:4d5:10f:0000:0000:ffff,ra-advrouter,slaac,64,infinite

# For tunnelbroker, assign your 1f14 ip address to the tunnel interface and use 1f15 routable addresses in softether and dnsmasq
#dhcp-range=tap_softether,2001:0470:1f15:XXXX:0000:0000:000:0011,2001:0470:1f15:XXXX:0000:0000:0000:ffff,slaac,ra-stateless,64,2d


# Let's advertise ourself as a DNSSec server.
# Since we're running in the VPN network this shouldn't be any problem.
# Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it.
# This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network
# between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
proxy-dnssec

# The following directives prevent dnsmasq from forwarding plain names (without any dots)
# or addresses in the non-routed address space to the parent nameservers.
domain-needed

# Never forward addresses in the non-routed address spaces
bogus-priv


# blocks probe-machines attack
stop-dns-rebind
rebind-localhost-ok

# Set the maximum number of concurrent DNS queries. The default value is 150. Adjust to your needs.
dns-forward-max=300

# stops dnsmasq from getting DNS server addresses from /etc/resolv.conf
# but from below
no-resolv
no-poll

# Prevent Windows 7 DHCPDISCOVER floods
# http://brielle.sosdg.org/archives/522-W ... sages.html
dhcp-option=252,"\n"

################################################################################## External DNS Servers
# Use this DNS servers for incoming DNS requests
server=208.67.222.222
server=208.67.220.220
server=8.8.4.4

# Use these IPv6 DNS Servers for lookups/ Google and OpenDNS
server=2620:0:ccd::2
server=2001:4860:4860::8888
server=2001:4860:4860::8844
#########################################


################################################################################## Client DNS Servers
# Let's send these DNS Servers to clients.
# The first IP is the IPv4 and IPv6 addresses that are already assigned to the tap_softether
# So that everything runs through us.
# This is good for caching and adblocking.

#dns tap1#

# Set IPv4 DNS server for client machines # option:6
dhcp-option=option:dns-server,10.0.13.1,208.67.222.222

#dns tap2#

# Set IPv4 DNS server for client machines # option:6
dhcp-option=option:dns-server,10.0.14.1,208.67.222.222

# Set IPv6 DNS server for clients
# You can change the first IP with the ipv6 address of your tap_softether if you
# want all dns queries to go through your server...
dhcp-option=option6:dns-server,[2620:0:ccd::2],[2001:4860:4860::8844]
#########################################



######################################### TTL & Caching options

# How many DNS queries should we cache? By defaults this is 150
# Can go up to 10k.
cache-size=10000

# Negative caching allows dnsmasq to remember 'no such domain' answers from the parent nameservers,
# so it does not query for the same non-existent hostnames again and again.
# This is probably useful for spam filters or MTA services.
#no-negcache

# The neg-ttl directive sets a default TTL value to add to negative replies from the parent nameservers,
# in case these replies do not contain TTL information.
# If neg-ttl is not set and a negative reply from a parent DNS server does not contain TTL information,
# then dnsmasq will not cache the reply.
neg-ttl=80000
local-ttl=3600

# TTL
dhcp-option=23,64
#########################################


################################################################################## MISC
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
dhcp-option=vendor:MSFT,2,1i

#########################################
## 44-47 NetBIOS #tap 1#
dhcp-option=44,10.0.13.1 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,10.0.13.1 # netbios datagram distribution server
dhcp-option=46,8 # netbios node type
dhcp-option=47

## 44-47 NetBIOS #tap 2#
dhcp-option=44,10.0.14.1 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,10.0.14.1 # netbios datagram distribution server
dhcp-option=46,8 # netbios node type
dhcp-option=47

# IF you want to give clients the same static internal IP,
# you should create and use use /etc/ethers for static hosts;
# same format as --dhcp-host
# <hwaddr> [<hostname>] <ipaddr>
#read-ethers


# Additional hosts, for adblocking.
# You can create that file yourself or just download and run:
# https://github.com/nomadturk/vpn-adbloc ... teHosts.sh
addn-hosts=/etc/hosts.supp

log-facility=/var/log/dnsmasq.log
log-async=5


################################################################################## Experimental
log-dhcp
quiet-dhcp6
#dhcp-option=option:router,10.0.13.1
#dhcp-option=option:ntp-server,10.0.13.1

# With settings below, you can ping other clients on your lan.
#dhcp-option=option:domain-search,lan
#dhcp-option=option6:domain-search,lan
#domain=YOURDOMAINHERE
# Gateway #tap 1#
dhcp-option=3,10.0.13.1
# Gateway #tap 2#
dhcp-option=3,10.0.14.1

initd.config

#!/bin/sh
### BEGIN INIT INFO
# Provides: vpnserver
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable Softether by daemon.
### END INIT INFO

##########################################################################################################################################
### Configuration
#############################

DAEMON=/usr/local/vpnserver/vpnserver # Change this only if you have installed the vpnserver to an alternate location.
LOCK=/var/lock/vpnserver # No need to edit this.
TAP_ADDR=10.0.13.1
TAP_ADDR_2=10.0.14.1 # Main IP of your TAP interface
TAP_INTERFACE=tap_softether
TAP_INTERFACE_2=tap_softether2 # The name of your TAP interface.
VPN_SUBNET=10.0.13.0/24
VPN_SUBNET_2=10.0.14.0/24 # Virtual IP subnet you want to use within your VPN
NET_INTERFACE=venet0 # Your network adapter that connects you to the world.In OpenVZ this is venet0 for example.
IPV6_ADDR=2001:470:1f07:4d5:110:110:110:110 # You can also assign this as DNS server in dnsmasq config.
IPV6_SUBNET=2001:2001:470:1f07:4d5:10f::/80 # Used to assign IPv6 to connecting clients. Remember to use the same subnet in dnsmasq.conf
YOUREXTERNALIP=10.10.81.119 # Your machines external IPv4 address.
# Write down you IP or one of the IP adresses if you have more than one.
# Warning! NAT Machine users, here write the local IP address of your VPS instead of the external IP.

#############################
### End of Configuration
##########################################################################################################################################


test -x $DAEMON || exit 0
case "$1" in
start)
###################################### START
$DAEMON start
touch $LOCK
sleep 4

#######################################################################################
# Rules for IPTables. You can remove and use these iptables-persistent if you want
#######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# Assign $TAP_ADDR_2 to our tap interface
/sbin/ifconfig $TAP_INTERFACE_2 $TAP_ADDR_2
#
# Forward all VPN traffic that comes from VPN_SUBNET through $NET_INTERFACE interface for outgoing packets.
iptables -t nat -A POSTROUTING -s $VPN_SUBNET -j SNAT --to-source $YOUREXTERNALIP
# Alternate rule if your server has dynamic IP
#iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $NET_INTERFACE -j MASQUERADE
#
# Forward all VPN traffic that comes from VPN_SUBNET through $NET_INTERFACE interface for outgoing packets.
iptables -t nat -A POSTROUTING -s $VPN_SUBNET_2 -j SNAT --to-source $YOUREXTERNALIP
# Alternate rule if your server has dynamic IP
#iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $NET_INTERFACE -j MASQUERADE
#
# Allow VPN Interface to access the whole world, back and forth.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
iptables -A INPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT
iptables -A OUTPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT
iptables -A FORWARD -s $VPN_SUBNET -m state --state NEW -j ACCEPT
#
#
iptables -A INPUT -s $VPN_SUBNET_2 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -s $VPN_SUBNET_2 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s $VPN_SUBNET_2 -m state --state NEW -j ACCEPT
#
# IPv6
# This is the IP we use to reply DNS requests.
ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
# Let's define forwarding rules for IPv6 as well...
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT

# You can enable this for kernels 3.13 and up
# ip6tables -t nat -A POSTROUTING -o $TAP_INTERFACE -j MASQUERADE
#######################################################################################
# End of IPTables Rules
#######################################################################################


/etc/init.d/dnsmasq restart
;;

###################################### STOP
stop)
$DAEMON stop
rm $LOCK
;;


###################################### RESTART
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 3

#######################################################################################
# Rules for IPTables.
# I used these here as well since sometimes the IP addresses tend to disappear
# So now at least we ensure they exist whilst we restart
#######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# Assign $TAP_ADDR_2 to our tap interface
/sbin/ifconfig $TAP_INTERFACE_2 $TAP_ADDR_2
#
# IPv6
# This is the IP we use to reply DNS requests.
ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
# End of IPTables Rules
#######################################################################################


/etc/init.d/dnsmasq restart
;;
*)

echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

Post Reply