Uncommon VPN topology... Is this doable?

Post by ubmike » Mon Jul 04, 2022 1:29 am

Hi there.

I'm trying to set up the VPN topology illustrated in the attachment. The key goal is to reach a network behind one of the "VPN clients" (... the mikrotik device) participating in the VPN.

- The mikrotik device (... sits behind a dynamic IP and private dynamic IP) establishes a permanent SSTP connection to the SoftEther server. This works fine.
- The laptop connects to the SoftEther server, when needed. This also works fine.
- The laptop and the mikrotik router SSTP interface sit in the same VPN network (10.10.10.x).
- I can ping the Mikrotik's SSTP IP from the laptop.

So far, all good.

Now... I've tried to add the following routing entry to the laptop (Win 10) in order to reach the server I want (192.168.1.5):
route add 192.168.1.0 MASK 255.255.255.0 10.10.10.254. This correctly adds a route on the laptop (... I can see that in the routing table).

But if I now try to ping the target server, this doesn't work. I've tried to capture incoming pkts on the mikrotik router SSTP NIC (... I'd expect to see pkts with the server's destination address), but no such pkts arrive. It is as if the SoftEther server is somehow filtering these pkts.

Is what I'm trying to do even achievable? In theory it should be doable...

Any assistance will be much appreciated.

Post by eddiewu » Mon Jul 04, 2022 9:51 am

SSTP is layer-3 so your routing will not work. A layer-3 client can only choose to route the traffic to VPN or not. It can't specify the next host.

Post by solo » Mon Jul 04, 2022 2:30 pm

The routing will work if it is reciprocal. Specifically, on 192.168.1.5 server this route must be added:

route add 10.10.10.0 mask 255.255.255.0 192.168.1.x

where 192.168.1.x is presumably 192.168.1.1 on the Mikrotik's LAN NIC.
ubmike wrote:
Mon Jul 04, 2022 1:29 am
if I now try to ping the target server, this doesn't work. I've tried to capture incoming pkts on the mikrotik router SSTP NIC (... I'd expect to see pkts with the server's destination address) no such pkts arrive.
They can be captured at the Mikrotik's LAN NIC.

Post by ozone » Mon Jul 04, 2022 4:12 pm

The mikrotik, being a router, basically will let you do routing in a number of ways...

But personally, if I would need to tackle this scenario, I think I would make a "virtual server" on the mikrotik with NAT rule(s).
E.g. add another fixed 10.10.10.x (e.g. 10.10.10.253) address on the mikrotik on the vpn-port, and forward its traffic (or maybe just a set of ports) towards 192.168.1.5.
This way you can access the server from any laptop (or other vpn client) on address 10.10.10.253.
No change needed on vpn clients.
If you want another server on 192.168.1.xxx to be reachable, just add another ip, and do the same again.

Btw, you do not actually NEED that extra address. This forwarding can be done on the address 10.10.10.254 as well.
But let's say you have 2 webservers serving 'plain vanilla https' (p443) on the 192.168.1.xxx network, and you want both available via vpn on ip 10.10.10.254. Just adding an address per server/service is more convenient than changing the access port to something else (e.g. 44300 for the second server) i.m.h.o.

This is just one example of how you can solve this problem.
I'm not claiming mine is the best solution... just how I would approach the problem.
With a properly set-up routing table (as mentioned earlier), it is also possible.
Just a matter of preference I guess.

Good luck,

Oz

/edit: re-read my post, port '80443' of course is not possible... changed it for future readers....
Last edited by ozone on Sun Jul 10, 2022 11:44 am, edited 1 time in total.

Post by ubmike » Wed Jul 06, 2022 12:38 am

Thank you all for your responses.

The DSTNAT scenario mentioned by ozone works (... I actually had it working before posting my Q). My preference would have been to implement some sort of transparent routing, but I suspect that's simply not an option.

Thank you all for helping!

Post by ubmike » Wed Jul 06, 2022 12:51 am

solo wrote:
Mon Jul 04, 2022 2:30 pm
The routing will work if it is reciprocal. Specifically, on 192.168.1.5 server this route must be added:

route add 10.10.10.0 mask 255.255.255.0 192.168.1.x
Hi Solo, thanks. Reciprocal routing is configured (... I forgot to mention it in my post). If I originate a connection from the laptop (... say an SSH connection) I can't see any pkts to dst port 22 transiting through the mikrotik router (... they never get there).

If I run wireshark on the laptop and sniff the SSTP adapter, I can see SYN pkts leaving the laptop...

Post by solo » Wed Jul 06, 2022 1:16 am

Please review this post. It's like your setup, except you have the SE workaround for "behind a dynamic IP and private dynamic IP" which does not alter the concept at all.

- double-check reciprocal routing
- verify that IP forwarding is enabled on Mikrotik
- consider NAT on Mikrotik if "one-way" connections are acceptable

EDIT
Can you ping 192.168.1.1 on the Mikrotik's LAN NIC (or whatever the address is)?

Post by ubmike » Wed Jul 06, 2022 7:25 am

Hi Solo, routing wise all is good. I think that the issue is SoftEther server not forwarding the traffic for the network behind the MikroTik router.

Anyways, I've found a "creative" solution that works:

- I've configured a SSTP server on the MikroTik device. Listens on IP 10.10.10.254 (... see the diagram...)
- Then, on the SoftEther server I've exposed a random port (2444) which is forwarded to the SSTP server port on the MikroTik router using simpleproxy.
- I've had to configure a tap interface on the SoftEther server bridged to the VPN HUB... Took a while to get this working on FreeBSD...

So... now I can connect with the Windows SSTP client to the SoftEther server on port 1444, which exposes the MikroTik SSTP server (... via the SoftEther SSTP tunnel).

I know, there is a bit of overhead here but it's still decently fast. This VPN is to be used as a backup by a few users only in case the primary VPN is dead.

Thanks all!

Post by solo » Wed Jul 13, 2022 10:28 am

I have successfully implemented ubmike's VPN topology, using only routing, but with Wireguard Layer-3 VPN as below:

                               IP forwarding ON
                               VPN SERVER 192.168.22.1
                               +-----+
                        +----->| PC3 |<----+
                        |      +-----+     |
                        |                  |
                        |                  |
                ~ ~ ~ I ~ N ~ T ~ E ~ R ~ N ~ E ~ T ~ ~ ~
                        |                  |
                        |                  |
                        |VPN               |VPN
                        |192.168.22.3      |192.168.22.4
                        |                  |default gateway
    +-----+          +-----+            +-----+
    | PC1 |----------| PC2 |            | PC4 |
    +-----+          +-----+            +-----+
  192.168.55.3    192.168.55.5         10.0.2.15
                  192.168.8.141
                  IP forwarding ON     


PC1 - LAN NIC
route add 192.168.22.0 mask 255.255.255.0 192.168.55.5
ping OK to PC4

PC2 - LAN NIC + WiFi + Windows Wireguard client

PC3 - Linux Wireguard server
ip route add 192.168.55.0/24 via 192.168.22.3
WG server...
[Peer]
AllowedIPs = 192.168.22.3/32, 192.168.55.0/24

PC4 - remote Windows Wireguard client
ping OK to PC1


PC4 LOG

C:\Windows\system32>ping 192.168.55.3
Pinging 192.168.55.3 with 32 bytes of data:
Reply from 192.168.55.3: bytes=32 time=87ms TTL=126
Reply from 192.168.55.3: bytes=32 time=103ms TTL=126
Reply from 192.168.55.3: bytes=32 time=84ms TTL=126
Reply from 192.168.55.3: bytes=32 time=76ms TTL=126

C:\Windows\system32>tracert -d 192.168.55.3
Tracing route to 192.168.55.3 over a maximum of 30 hops
  1    61 ms    45 ms    42 ms  192.168.22.1
  2    87 ms    89 ms   107 ms  192.168.22.3
  3    87 ms    83 ms   111 ms  192.168.55.3
Trace complete.


PC1 LOG

C:\Windows\system32>ping 192.168.22.4
Pinging 192.168.22.4 with 32 bytes of data:
Reply from 192.168.22.4: bytes=32 time=104ms TTL=126
Reply from 192.168.22.4: bytes=32 time=105ms TTL=126
Reply from 192.168.22.4: bytes=32 time=97ms TTL=126
Reply from 192.168.22.4: bytes=32 time=99ms TTL=126

C:\Windows\system32>tracert -d 192.168.22.4
Tracing route to 192.168.22.4 over a maximum of 30 hops
  1    <1 ms     1 ms    <1 ms  192.168.55.5
  2   162 ms    37 ms    34 ms  192.168.22.1
  3   303 ms   136 ms    81 ms  192.168.22.4
Trace complete.

I cannot make this VPN topology work with SoftEther's MS-SSTP "virtual L2/L3 layer-transformation adapter" as originally attempted by ubmike. I have tried both SE virtual L3 switch routing as well as routing on a bridged VPN server's host OS, but nothing works and I really hope that someone can demonstrate a working SE-SSTP solution. Until then I am inclined to confirm that ubmike's conclusion "SoftEther server not forwarding the traffic for the network behind the MikroTik router" is correct.
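The following is an added example and is not code from solo's post, from ubmike, or from the SoftEther or WireGuard projects. It writes out the complete WireGuard configuration for the PC1/PC2/PC3/PC4 lab above (solo's post shows only the PC2 peer entry on the server and the two routes) and ties it back to solo's earlier reciprocal-routing answer: the route on the LAN host, the route on the VPN server, and the AllowedIPs entry that lets the server forward the LAN prefix to the right peer are three parts of one thing. Keys, the server's public endpoint (vpn.example.net:51820), the interface name wg0 and the use of iptables on PC3 are placeholders and assumptions; the addresses are the ones from solo's diagram.

```shell
#!/bin/sh
# Added example, not code from the forum thread: full WireGuard configuration
# for solo's PC1/PC2/PC3/PC4 lab. Keys, endpoint and interface name are
# placeholders (assumptions); addresses are those from solo's diagram.
set -eu

# Placeholder key material: generate real keys with `wg genkey | tee priv | wg pubkey`.
PC3_PRIV="<pc3-private-key>"; PC3_PUB="<pc3-public-key>"
PC2_PRIV="<pc2-private-key>"; PC2_PUB="<pc2-public-key>"
PC4_PRIV="<pc4-private-key>"; PC4_PUB="<pc4-public-key>"
PC3_ENDPOINT="vpn.example.net:51820"   # assumed public address of PC3

# PC3, Linux WireGuard server (192.168.22.1). AllowedIPs is both WireGuard's
# routing table and its ingress filter: PC3 sends 192.168.55.0/24 only to PC2,
# and drops packets arriving from PC2 whose source is not in PC2's list.
# A packet for 192.168.55.3 with no matching peer is dropped on PC3, which is
# exactly the "SYN leaves the client, never reaches the far router" symptom.
pc3_server_conf() {
cat <<EOF
[Interface]
Address = 192.168.22.1/24
ListenPort = 51820
PrivateKey = $PC3_PRIV
# Peer-to-peer forwarding happens here; if the FORWARD policy is DROP, allow
# only wg0-to-wg0 hairpin traffic rather than opening the whole chain
# (assumes iptables is present on PC3).
PostUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT

[Peer]
# PC2: the router in front of 192.168.55.0/24
PublicKey = $PC2_PUB
AllowedIPs = 192.168.22.3/32, 192.168.55.0/24

[Peer]
# PC4: plain remote client
PublicKey = $PC4_PUB
AllowedIPs = 192.168.22.4/32
EOF
}

# PC2, Windows WireGuard client (192.168.22.3) with IP forwarding enabled in
# the OS. It must route the whole VPN range into the tunnel, otherwise replies
# from PC1 to PC4 (dst 192.168.22.4) never enter the tunnel.
pc2_client_conf() {
cat <<EOF
[Interface]
Address = 192.168.22.3/24
PrivateKey = $PC2_PRIV

[Peer]
PublicKey = $PC3_PUB
Endpoint = $PC3_ENDPOINT
AllowedIPs = 192.168.22.0/24
PersistentKeepalive = 25
EOF
}

# PC4, remote Windows client (192.168.22.4). Listing 192.168.55.0/24 here is
# what installs the route to PC1's LAN on PC4; no separate "route add" needed.
pc4_client_conf() {
cat <<EOF
[Interface]
Address = 192.168.22.4/24
PrivateKey = $PC4_PRIV

[Peer]
PublicKey = $PC3_PUB
Endpoint = $PC3_ENDPOINT
AllowedIPs = 192.168.22.0/24, 192.168.55.0/24
PersistentKeepalive = 25
EOF
}

# PC1 (no VPN software): the reciprocal route from solo's answer, pointing the
# VPN range at PC2's LAN address.
pc1_windows_route() {
  echo 'route add 192.168.22.0 mask 255.255.255.0 192.168.55.5'
}

# Bring PC3 up (run as root). wg-quick derives kernel routes from AllowedIPs,
# so "192.168.55.0/24 dev wg0" appears without solo's manual "ip route add";
# that command is needed only if the config is loaded with "wg setconf".
apply_pc3() {
  sysctl -w net.ipv4.ip_forward=1
  pc3_server_conf > /etc/wireguard/wg0.conf
  chmod 600 /etc/wireguard/wg0.conf
  wg-quick up wg0
}
```

The quick check that traffic really transited both routers is already in solo's logs: the replies show TTL 126 in both directions, which is the Windows default of 128 minus one decrement at PC2 and one at PC3. A reply with TTL 128 or 127 would mean something answered locally or short-circuited one hop.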