SecureNAT for Remote Access help

sherbert
Posts: 3
Joined: Wed Jul 07, 2021 1:18 am

SecureNAT for Remote Access help

Post by sherbert » Wed Jul 07, 2021 1:55 am

Hi,

I've followed the 10.11 Exploit SecureNAT for Remote Access into Firewall without Any Permission example.

https://www.softether.org/4-docs/1-manu ... Permission

It is working fine in that the VPN client can connect to the SoftEther VPN Server, gets assigned the default DHCP IP of 192.168.30.10 and can access the services / IP addresses of the private network through the cascade to VPN Bridge (192.168.1.0/24 in the example).
I can browse web interfaces and ping computers on the 192.168.1.0/24 subnet from the VPN Client.

What I would like to do is route a UDP stream from a computer on the 192.168.1.0/24 subnet to the VPN Client.

I don't see any route from the 192.168.1.0/24 subnet to 192.168.30.10 (VPN Client). That is, I can't ping 192.168.30.10 from a computer on the 192.168.1.0/24 subnet. I tried adding a static route to 192.168.30.0/24 via 192.168.30.1 but that didn't work.

My 192.168.1.0/24 subnet does not have a DHCP server if that matters?

Or should I be looking at utilising another method? L3 routing, for example, bearing in mind the 192.168.1.0/24 subnet is behind a firewall.

Any help appreciated!

Thanks

nobody12
Posts: 55
Joined: Sat Feb 13, 2021 10:22 pm

Re: SecureNAT for Remote Access help

Post by nobody12 » Wed Jul 07, 2021 6:55 am

The nature of NAT is that all devices behind the NAT device appear as if they are the NAT router. There is (besides port forwarding) no way into the network hiding behind the NAT router.
You need to disable NAT and use routing instead. Also, you will need to set the route to the 192.168.30.0 subnet on the PCs in the 192.168.1.0 network.
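
The behaviour described in this reply, as an added example that is not part of any post in this thread and is not SoftEther code: a minimal model of a port-translating NAT, using the thread's addresses, which shows why replies reach the VPN client while a UDP stream started from the 192.168.1.0/24 side does not. The NAT's outside address (192.168.1.50), the LAN host (192.168.1.20) and UDP port 5004 are assumptions made for illustration; the helper at the end checks whether a route's next hop is on-link for the host.

```python
import ipaddress

class Napt:
    """Simplified UDP port-translating NAT (a model, not SoftEther's implementation)."""

    def __init__(self, outside_ip, inside_net):
        self.outside_ip = outside_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.by_flow = {}   # (in_ip, in_port, peer_ip, peer_port) -> outside port
        self.by_port = {}   # outside port -> flow tuple
        self.next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host sends out: create or reuse a mapping, rewrite the source."""
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            raise ValueError("source is not on the inside network")
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_port[self.next_port] = flow
            self.next_port += 1
        return (self.outside_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from outside: return the inside (ip, port), or None if dropped."""
        flow = self.by_port.get(dst_port) if dst_ip == self.outside_ip else None
        if flow is None or flow[2:] != (src_ip, src_port):
            return None   # no matching mapping: unsolicited traffic is dropped
        return flow[:2]

def next_hop_on_link(host_cidr, gateway):
    """A route's gateway must sit on a network the host is directly attached to."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network

NAT_OUTSIDE = "192.168.1.50"    # assumption: address the NAT presents on the LAN
LAN_HOST = "192.168.1.20"       # assumption: computer sending the UDP stream
VPN_CLIENT = "192.168.30.10"    # from the thread

def demo():
    nat = Napt(NAT_OUTSIDE, "192.168.30.0/24")
    out = nat.outbound(VPN_CLIENT, 5004, LAN_HOST, 5004)     # client talks first
    reply = nat.inbound(LAN_HOST, 5004, out[0], out[1])      # reply is translated back
    unsolicited = nat.inbound(LAN_HOST, 5004, NAT_OUTSIDE, 5004)  # LAN host talks first
    return out, reply, unsolicited

if __name__ == "__main__":
    print(demo())
    print(next_hop_on_link("192.168.1.20/24", "192.168.30.1"))
```
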

eddiewu
Posts: 81
Joined: Wed Nov 25, 2020 9:10 am

Re: SecureNAT for Remote Access help

Post by eddiewu » Wed Jul 07, 2021 12:29 pm

You can set up a local bridge with a physical NIC on the server. Then the VPN client will be in the server-side network (192.168.1.0). However, that requires privileges.
If you don't have that and your server is Windows desktop (not server edition), you are out of luck. Windows desktop versions don't allow IPv4 forwarding.

sherbert
Posts: 3
Joined: Wed Jul 07, 2021 1:18 am

Re: SecureNAT for Remote Access help

Post by sherbert » Thu Jul 08, 2021 12:13 am

nobody12 wrote:
Wed Jul 07, 2021 6:55 am
The nature of NAT is that all devices behind the NAT device appear as if they are the NAT router. There is (besides port forwarding) no way into the network hiding behind the NAT router.
You need to disable NAT and use routing instead. Also, you will need to set the route to the 192.168.30.0 subnet on the PCs in the 192.168.1.0 network.

Hey, thanks for pointing out about NAT & the fact it will be blocking packets back to the 192.168.30.0 subnet. Makes sense. I'll play around a little more later when I get a chance.

sherbert
Posts: 3
Joined: Wed Jul 07, 2021 1:18 am

Re: SecureNAT for Remote Access help

Post by sherbert » Thu Jul 08, 2021 12:16 am

eddiewu wrote:
Wed Jul 07, 2021 12:29 pm
You can set up a local bridge with a physical NIC on the server. Then the VPN client will be in the server-side network (192.168.1.0). However, that requires privileges.
If you don't have that and your server is Windows desktop (not server edition), you are out of luck. Windows desktop versions don't allow IPv4 forwarding.

Yeah, I have privileges on both sides and the server side is Linux/Ubuntu, so I can flip on local bridge to the physical NIC or create a tap device.

When I get a chance later I will have a play around and see if I have any luck.

Thanks
