setting up a partial vpn connection

ieronymous
Posts: 9
Joined: Thu Mar 04, 2021 9:27 am

setting up a partial vpn connection

Post by ieronymous » Thu Mar 04, 2021 10:07 am

Hello everyone

I have been using SoftEther for about a year now, connecting up to 14 clients to the server so that each of them can remote into an individual machine in the office and access a locally server-based SQL ERP program. Of course I tried to bypass the remote access and just put the shortcut of the ERP program on their remote machines, but mostly all they get is SQL connection problems (timeouts, etc.) or very slow interaction with the program (though with remote desktop access the speed is quite good).

Probably all of the above is irrelevant, since the only thing I am trying to find out is how I could establish a partial VPN connection from the client side, so that the client uses both SoftEther to access the program and his own connection, in order to have his net activities (YouTube, tabs, etc.) passing through his router. If you could be more specific about the options I have to set up and check afterwards, I would be grateful.

Thank you in advance


PS: Our connection to the office is 100 Mbit down / 10 upload.
The server where SoftEther is set up is an it-2400 with 8 GB and a 1 Gb card (so a pretty mediocre setup, I know).

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: setting up a partial vpn connection

Post by eddiewu » Thu Mar 04, 2021 2:28 pm

I assume your clients are using Windows and SoftEther client.
If you are trying to do split routing on the client side, use a large metric on the virtual network adapter (IPv4 settings -> advanced -> uncheck automatic metric), so that the default route won't change.
The route to your ERP should still be OK if the DHCP is set up correctly.
Do a test and compare the routing table before and after.

ieronymous
Posts: 9
Joined: Thu Mar 04, 2021 9:27 am

Re: setting up a partial vpn connection

Post by ieronymous » Sat Mar 06, 2021 11:16 am

eddiewu wrote:
Thu Mar 04, 2021 2:28 pm
I assume your clients are using Windows and SoftEther client.
If you are trying to do split routing on the client side, use a large metric on the virtual network adapter (IPv4 settings -> advanced -> uncheck automatic metric), so that the default route won't change.
The route to your ERP should still be OK if the DHCP is set up correctly.
Do a test and compare the routing table before and after.

Hello and thank you for your answer.
The clients are using Windows and the SoftEther client app.
I am indeed trying to do split routing, but what do you mean by "on the client side"? What would be the purpose of accomplishing that on the server side?
Also, I can't find the menu with the option for IPv4 settings. Do you mean from the client side?

New Edit: Probably found it. It has nothing to do with the SoftEther client app at all. You meant the virtual adapter that was created during app installation. OK, if I uncheck "automatic" in the metric option I need to specify a value. I don't know what the default is in order to put a larger number there. I think I've seen somewhere a value of 200 (which is the default though).

Sorry for asking too much, but I need to build a basic understanding of these and then, if it's needed, experiment with any further options. For now I need to know if split tunnel would be the best scenario for the clients (speed, connection).

<<Do a test and compare the routing table before and after.>> I don't know how this can be done.

PS1: I also found on the client side a network traffic speed tool, and I get to choose server or client to test the speed for. On the same tab, aren't 32 TCP connections for one client only too much?

PS2: In the SoftEther VPN Client Manager / properties of the VPN connection / advanced settings, would increasing the TCP connections from 1 to a bigger number help increase the speed? But then again, is there a formula to compute how that number affects the network congestion of the machine serving as the SoftEther server? Maybe increasing the TCP connections for one client reduces the total number of clients that can connect simultaneously, or something.

Thank you once more

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: setting up a partial vpn connection

Post by eddiewu » Mon Mar 08, 2021 8:33 am

You are right. The metric has nothing to do with the SoftEther client. It is assigned to the virtual network adapter in order to determine which would become the default route if two are available (the underlying LAN/WiFi and the VPN).

Run "route print" in the command line to check out the routing table. A line with destination 0.0.0.0 and mask 0.0.0.0 is a default route.
So if you are connected to VPN, you should find two default routes here. The one with a lower metric will be the actual default route.
Therefore, the number you put into metric should be larger than the metric of the LAN/WiFi adapter. Normally 1000 should be enough.

After that you connect and check the routing table again, you should see now there are still two default routes but the VPN has a higher metric, so that internet traffic will not go to VPN.
Also in the table there should be a route to your VPN subnet (192.168.200.0 for example). This is automatically added by the DHCP. This line makes sure the client can still connect to ERP under such split tunnel.
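
The routing-table check described in the post above, as an added example that is not part of the original thread and not SoftEther code. It parses saved `route print` output, picks the default route with the lowest metric, and confirms a route to the VPN subnet is present. The sample table, the home LAN addresses, and the function names are constructed for illustration; it assumes the VPN adapter is the interface whose address lies inside the VPN subnet.

```python
import ipaddress

# Constructed `route print` excerpt (IPv4 Active Routes, VPN connected).
# All addresses are made up; 192.168.200.0/24 is the example VPN subnet above.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0    192.168.200.1  192.168.200.10   1000
    192.168.200.0    255.255.255.0          On-link  192.168.200.10   1256
      203.0.113.7  255.255.255.255      192.168.1.1    192.168.1.50     25
Persistent Routes:
"""

def parse_routes(text):
    """Parse the IPv4 Active Routes rows into dicts; other lines are skipped."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            in_table = True
        elif line.startswith("Persistent Routes"):
            break  # stop before persistent routes and the IPv6 table
        parts = line.split()
        if not in_table or len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            metric = int(parts[4])
        except ValueError:
            continue  # not a route row
        routes.append({"net": net, "gateway": parts[2],
                       "iface": parts[3], "metric": metric})
    return routes

def check_split_tunnel(text, vpn_subnet):
    """Pick the winning default route and check the VPN subnet route exists."""
    vpn = ipaddress.ip_network(vpn_subnet)
    routes = parse_routes(text)
    defaults = sorted((r for r in routes if r["net"].prefixlen == 0),
                      key=lambda r: r["metric"])
    if not defaults:
        raise ValueError("no default route in table")
    winner = defaults[0]  # lowest metric is the actual default route
    # Assumption: the VPN adapter is the interface addressed inside vpn_subnet.
    via_vpn = ipaddress.ip_address(winner["iface"]) in vpn
    subnet_ok = any(r["net"] == vpn and ipaddress.ip_address(r["iface"]) in vpn
                    for r in routes)
    return {"default_gateway": winner["gateway"], "split": not via_vpn,
            "vpn_subnet_routed": subnet_ok}
```

Calling `check_split_tunnel(SAMPLE, "192.168.200.0/24")` on the constructed table reports a split tunnel with the home router as default gateway; feeding it output captured on each client gives the same before/after comparison without reading the table by eye.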

ieronymous
Posts: 9
Joined: Thu Mar 04, 2021 9:27 am

Re: setting up a partial vpn connection

Post by ieronymous » Mon Mar 08, 2021 9:30 am

Thank you @eddiewu for your time.
...... and that, ladies and gentlemen, is considered to be an answer. I'll try that and come back with results.

Thanks once more.

PS By the way do you happen to know anything about the other subjects I discussed in my previous answer? (PS1 and PS2)

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: setting up a partial vpn connection

Post by eddiewu » Mon Mar 08, 2021 3:00 pm

As far as I know, more TCP connections may help with the stability but may or may not improve the speed. That's something you need to test for different networks.
But as a rough guide, like the hint message in the client, 8 is recommended for broadband, 1 for a really slow network. So I guess usually you don't need to go all the way to 32.

Increasing this number (number of connections) does not limit the dial-in from other users (number of sessions). But that is only true from the SoftEther Server's point of view. It has not considered the limitation from the firewall, for example.

ieronymous
Posts: 9
Joined: Thu Mar 04, 2021 9:27 am

Re: setting up a partial vpn connection

Post by ieronymous » Tue Mar 09, 2021 10:36 pm

eddiewu wrote:
Mon Mar 08, 2021 8:33 am
You are right. The metric has nothing to do with the SoftEther client. It is assigned to the virtual network adapter in order to determine which would become the default route if two are available (the underlying LAN/WiFi and the VPN).

Run "route print" in the command line to check out the routing table. A line with destination 0.0.0.0 and mask 0.0.0.0 is a default route.
So if you are connected to VPN, you should find two default routes here. The one with a lower metric will be the actual default route.
Therefore, the number you put into metric should be larger than the metric of the LAN/WiFi adapter. Normally 1000 should be enough.

After that you connect and check the routing table again, you should see now there are still two default routes but the VPN has a higher metric, so that internet traffic will not go to VPN.
Also in the table there should be a route to your VPN subnet (192.168.200.0 for example). This is automatically added by the DHCP. This line makes sure the client can still connect to ERP under such split tunnel.

So it took me a while to find time to check it, but the weird thing is that it seems to be already set the way you said it should be. What I mean is that with route print, without being connected to the VPN, I have at Active Routes:

Network Destination: 0.0.0.0
Netmask: 0.0.0.0
Gateway: My router's IP at home
Interface: An internal home IP
Metric: 25

When I connect via VPN I have two extra lines.

Line 1
Network Destination: 0.0.0.0
Netmask: 0.0.0.0
Gateway: Work's router's IP
Interface: A work's internal IP
Metric: 35

Line 2
Network Destination: Work's Public-Static IP
Netmask: 255.255.255.255
Gateway: My router's IP at home (not work's???)
Interface: An internal home IP (same as without VPN)
Metric: 25

As you can see, the VPN route already has a bigger number, 35, than the default, which is 25. Or do I miss something and interpret it wrong?
Is the split tunnel the default way SoftEther sets up the clients?

About the <<Also in the table there should be a route to your VPN subnet (192.168.200.0 for example). This is automatically added by the DHCP. This line makes sure the client can still connect to ERP under such split tunnel.>> ... the only extra line I can see while being connected via VPN is:

Network Destination: Softether's IP
Netmask: 255.255.255.255
Gateway: My router's IP at home
Interface: An internal home IP (same as without VPN)
Metric: 25

Is the above the one you are talking about?
Last edited by ieronymous on Wed Mar 10, 2021 12:29 pm, edited 1 time in total.

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: setting up a partial vpn connection

Post by eddiewu » Wed Mar 10, 2021 5:59 am

No. SoftEther does not set up split tunnel automatically. You probably have checked "no adjustment to routing table".
That option does not mean split tunnel. Its result is actually unspecified. You may or may not get a split tunnel (depending on the preference order of the network adapters).
Anyway, you should have split tunnel working now, even if your approach is wrong.

The answer to your second question is also no.
The 255.255.255.255 is just a route to your VPN's external address, not to the VPN subnet.

You didn't say anything about the connectivity. That's important. DOES THE SPLIT TUNNEL WORK NOW?
Does the client have access to internet without going through the VPN?
Does the ERP work?

ieronymous
Posts: 9
Joined: Thu Mar 04, 2021 9:27 am

Re: setting up a partial vpn connection

Post by ieronymous » Wed Mar 10, 2021 12:01 pm

eddiewu wrote:
Wed Mar 10, 2021 5:59 am
You probably have checked "no adjustment to routing table".

Since I'll be at work for 4 more hours and I can check the VPN server directly, where is that option you mentioned located?

eddiewu wrote:
Wed Mar 10, 2021 5:59 am
You didn't say anything about the connectivity. That's important. DOES THE SPLIT TUNNEL WORK NOW?
Does the client have access to internet without going through the VPN?
Does the ERP work?

I don't know, since I haven't changed the metric from 35, which corresponds to the VPN adapter, to anything else, since 35 is greater than 25, which is for the default route. OK, I can call a client, remote into his machine and change the setting on his virtual adapter; then what else do you want me to check, except whether he can still access the ERP? (By the way, he accesses it via a remote desktop connection to another PC at work. They play one on one. I didn't have time to build a VM remote infrastructure or have a Windows 16 / 19 server with multiple remote access, since it is more costly this way.)

New Edit 1: ....so I checked with route print on a client and there was only one default route, 0.0.0.0.
I connected with VPN and checked again, and there were 2 default routes 0.0.0.0, and once again the metric of the VPN route was higher, 55 (automatically).
I went to the virtual adapter's IPv4 properties and noticed that the automatic metric was unchecked and set to 1 by itself. I changed that to 100, saved, and checked again with route print, and now the VPN route, instead of having the 100 (the static change I made), had 200, for a reason I can't get.
The client could connect as previously to the remote machine where the ERP can be accessed.

I still don't get whether the split tunnel works or not.

New Edit 2: ..... I set up a static metric of 200 on a second client, and after connecting again to the VPN and checking the VPN route metric I noticed it changed it to 400. So judging from both clients, 100 automatically became 200 and 200 became 400. It is like it multiplies my static value by a factor of 2 each time.

PS: Sorry for the misalignment of the stats in my previous answer, but they got messed up after posting and I couldn't see it because the answer had to be approved first. I just saw it.

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: setting up a partial vpn connection

Post by eddiewu » Wed Mar 10, 2021 1:47 pm

You are still not answering my question. Do you have split tunnel working? It's not a technical question at all.
Check the IP address on the internet and if that IP is the same as before connecting to VPN, that means the tunnel is split.

ieronymous
Posts: 9
Joined: Thu Mar 04, 2021 9:27 am

Re: setting up a partial vpn connection

Post by ieronymous » Wed Mar 10, 2021 2:16 pm

eddiewu wrote:
Wed Mar 10, 2021 1:47 pm
You are still not answering my question. Do you have split tunnel working? It's not a technical question at all.
Check the IP address on the internet and if that IP is the same as before connecting to VPN, that means the tunnel is split.

I didn't answer because only now have you mentioned exactly what you want me to do. In all previous messages you were telling me I have to see 2 routes and the VPN one has to have the bigger metric. I've done that and then asked you again how to check if split tunnel is working. Now you were more specific and you can have the answer. I checked a client and it has the same IP address before and after.

It is not a matter of technical or not. It didn't cross my mind to check that, and that is why since my first post I mentioned that I need to know what exactly I have to do in order to be sure split is working. Don't try to make a point here. Thanks for your patience of course, but I clearly stated... what exactly to do.

So for SoftEther to work as a split VPN service, you need, on the client side, the virtual adapter to have a bigger number than the default one, and you can check the result with route print of course, and on top of that the public IP has to stay the same before and after connection.

Is it weird, though, that it doesn't keep my static metric and multiplies it by 2?
