I cannot access a VPN client computer from other LAN clients

mf_2
Posts: 16
Joined: Wed Oct 05, 2022 9:38 pm

I cannot access a VPN client computer from other LAN clients

Post by mf_2 » Mon Feb 06, 2023 8:14 am

Hi all,
I am running a LAN in the 192.168.0.x IP range and a SoftEther VPN in the 192.168.30.x IP range.
Now I am trying to ping a VPN client (192.168.30.10) from my OPSI server (software distribution) in the LAN (192.168.0.239).

However it cannot reach the VPN client. Whenever I run the OPSI client software on the client machine, it registers at the OPSI server with IP 192.168.0.230. This is the IP of the SoftEther server - which of course is not the IP of the VPN client machine.

Thus all subsequent communication from the OPSI server to the client fails because the OPSI server uses the SE server's IP address as the VPN client's IP address. How can I a) make the OPSI server (or any local client for that matter) see the 192.168.30.x subnet and b) make the VPN client report its correct IP address to anyone that might be asking (such as the OPSI server)?

Best regards
mf_2

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: I cannot access a VPN client computer from other LAN clients

Post by solo » Mon Feb 06, 2023 10:54 am

Hello,

to access a VPN client computer from other LAN clients, do:

on 192.168.0.230
- install MLA https://learn.microsoft.com/en-us/troub ... ck-adapter
- bridge SoftEther's hub to it
- assign a static IP to it, presumably the vacant 192.168.30.2
- start the "Routing and Remote Access" service
- run: netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes

on 192.168.0.1
- add a static route equivalent of: ip route add 192.168.30.0/24 via 192.168.0.230

on every 192.168.30.x client PC
- run: netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes

Test ping from any 192.168.0.x to any 192.168.30.x

mf_2
Posts: 16
Joined: Wed Oct 05, 2022 9:38 pm

Re: I cannot access a VPN client computer from other LAN clients

Post by mf_2 » Mon Feb 06, 2023 12:47 pm

Thank you for the quick help.
I tried all steps but the ping won't go through:

Code: Select all

ping 192.168.30.10

Pinging 192.168.30.10 with 32 bytes of data:
Reply from 192.168.30.2: Destination host unreachable.
Reply from 192.168.0.230: TTL expired in transit.
Reply from 192.168.0.230: TTL expired in transit.
Reply from 192.168.0.230: TTL expired in transit.

Ping statistics for 192.168.30.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Interestingly enough the first packet caused a different message than the three following packets.

Do you know what is going wrong?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: I cannot access a VPN client computer from other LAN clients

Post by solo » Mon Feb 06, 2023 1:55 pm

Yes, one more step :-)
PC needs a reboot after installing MLA.
Also double-check MLA-to-vHUB bridge status in SE.

mf_2
Posts: 16
Joined: Wed Oct 05, 2022 9:38 pm

Re: I cannot access a VPN client computer from other LAN clients

Post by mf_2 » Mon Feb 06, 2023 2:07 pm

Thank you, it works now!

mf_2
Posts: 16
Joined: Wed Oct 05, 2022 9:38 pm

Re: I cannot access a VPN client computer from other LAN clients

Post by mf_2 » Mon Feb 06, 2023 7:43 pm

Now I am running into another issue and I am not sure if this should be a new thread or it will be okay in this one.
Now I am trying to ping my OPSI server (192.168.0.230 or opsiserver.contoso.int) from my VPN client but the ping fails.
The ping works like a charm from a client of the 192.168.0.x range (ie. 192.168.0.230).
What do I have to set up where to make the client a) see the OPSI server by its IP address and b) make it able to resolve the DNS name for the server as well? The server is properly joined to the contoso.int domain.

A tracert of 192.168.0.239 already times out at the first hop.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: I cannot access a VPN client computer from other LAN clients

Post by solo » Mon Feb 06, 2023 10:32 pm

Let's continue in this thread. It sounds like the same-lan-subnet issue (not all VPN clients would be affected by it).

Fix it from SE "Edit the static routing table to push" with this entry:

Code: Select all

192.168.0.239/255.255.255.255/192.168.30.1

mf_2
Posts: 16
Joined: Wed Oct 05, 2022 9:38 pm

Re: I cannot access a VPN client computer from other LAN clients

Post by mf_2 » Tue Feb 07, 2023 7:56 am

Thank you, now the client can see the server!

mf_2
Posts: 16
Joined: Wed Oct 05, 2022 9:38 pm

Re: I cannot access a VPN client computer from other LAN clients

Post by mf_2 » Tue Feb 07, 2023 8:16 am

And the next one (sorry):
From my OPSI server (192.168.0.239) I cannot ping the VPN client (192.168.30.10).
I can ping the VPN server (192.168.30.1) and the MLA (192.168.30.2) just fine.
How come I cannot ping the VPN client?

Other clients such as my Windows machine 192.168.0.232 are also unable to ping 192.168.30.10.

My domain controller / SE server can ping 192.168.0.30.10. just fine.
What am I missing here?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: I cannot access a VPN client computer from other LAN clients

Post by solo » Tue Feb 07, 2023 10:35 am

So 192.168.30.10 can ping 192.168.0.239 but does not respond to a reciprocal ping?
Please make the VPN connection and post as code:

from 192.168.30.10

Code: Select all

ipconfig /all
netstat -r
tracert 192.168.0.239

from 192.168.0.239

Code: Select all

netstat -r
tracert 192.168.30.10

mf_2
Posts: 16
Joined: Wed Oct 05, 2022 9:38 pm

Re: I cannot access a VPN client computer from other LAN clients

Post by mf_2 » Tue Feb 07, 2023 2:15 pm

Yes, it does not respond to a reciprocal ping.

The output (in German, but the information should still be extractable)

ipconfig /all

Code: Select all

C:\Users\MAF>ipconfig /all

Windows-IP-Konfiguration

   Hostname  . . . . . . . . . . . . : MFLAPTOP2-CONTOSO
   Primäres DNS-Suffix . . . . . . . : CONTOSO-CORP.INT
   Knotentyp . . . . . . . . . . . . : Hybrid
   IP-Routing aktiviert  . . . . . . : Nein
   WINS-Proxy aktiviert  . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : CONTOSO-CORP.INT

Drahtlos-LAN-Adapter WLAN:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Intel(R) Wi-Fi 6E AX211 160MHz
   Physische Adresse . . . . . . . . : 28-6B-35-34-E6-0D
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

PPP-Adapter ICCS:

   Verbindungsspezifisches DNS-Suffix: CONTOSO-CORP.INT
   Beschreibung. . . . . . . . . . . : ICCS
   Physische Adresse . . . . . . . . :
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 192.168.30.10(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.255
   Standardgateway . . . . . . . . . : 0.0.0.0
   DNS-Server  . . . . . . . . . . . : 192.168.30.1
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Mobiler Breitbandadapter Mobilfunk:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Generic Mobile Broadband Adapter
   Physische Adresse . . . . . . . . : 8C-85-94-43-5F-55
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   IPv6-Adresse. . . . . . . . . . . : 2a01:598:9090:bea1:8ee4:6420:b62e:8a41(Bevorzugt)
   Temporäre IPv6-Adresse. . . . . . : 2a01:598:9090:bea1:4dcb:bc69:f4df:1111(Bevorzugt)
   Verbindungslokale IPv6-Adresse  . : fe80::1:2:b746:bd9c%35(Bevorzugt)
   Verbindungslokale IPv6-Adresse  . : fe80::9165:d83a:7988:6531%35(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 10.42.0.250(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : fe80::1:2:b746:bd01%35
                                       fe80::5%35
                                       10.42.0.1
   DNS-Server  . . . . . . . . . . . : 2a01:598:7ff:0:10:74:210:210
                                       2a01:598:7ff:0:10:74:210:211
                                       10.74.210.211
                                       10.74.210.210
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

netstat -r

Code: Select all

C:\Users\MAF>netstat -r
===========================================================================
Schnittstellenliste
 13...28 6b 35 34 e6 0d ......Intel(R) Wi-Fi 6E AX211 160MHz
 36...28 6b 35 34 e6 0e ......Microsoft Wi-Fi Direct Virtual Adapter
 22...2a 6b 35 34 e6 0d ......Microsoft Wi-Fi Direct Virtual Adapter #2
 27...00 09 0f fe 00 01 ......Fortinet Virtual Ethernet Adapter (NDIS 6.30)
 73...........................ICCS
 35...8c 85 94 43 5f 55 ......Generic Mobile Broadband Adapter
 19...28 6b 35 34 e6 11 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0        10.42.0.1      10.42.0.250   4531
          0.0.0.0          0.0.0.0   Auf Verbindung     192.168.30.10     36
        10.42.0.0    255.255.255.0   Auf Verbindung       10.42.0.250   4531
      10.42.0.250  255.255.255.255   Auf Verbindung       10.42.0.250   4531
      10.42.0.255  255.255.255.255   Auf Verbindung       10.42.0.250   4531
    93.195.210.48  255.255.255.255        10.42.0.1      10.42.0.250   4276
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1   4556
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1   4556
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1   4556
    192.168.0.239  255.255.255.255   Auf Verbindung     192.168.30.10     36
     192.168.30.0    255.255.255.0   Auf Verbindung     192.168.30.10     36
    192.168.30.10  255.255.255.255   Auf Verbindung     192.168.30.10    291
   192.168.30.255  255.255.255.255   Auf Verbindung     192.168.30.10    291
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1   4556
        224.0.0.0        240.0.0.0   Auf Verbindung       10.42.0.250   4531
        224.0.0.0        240.0.0.0   Auf Verbindung     192.168.30.10     36
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1   4556
  255.255.255.255  255.255.255.255   Auf Verbindung       10.42.0.250   4531
  255.255.255.255  255.255.255.255   Auf Verbindung     192.168.30.10    291
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Metrik
          0.0.0.0          0.0.0.0      192.168.0.1  Standard
===========================================================================

IPv6-Routentabelle
===========================================================================
Aktive Routen:
 If Metrik Netzwerkziel             Gateway
 35    306 ::/0                     fe80::1:2:b746:bd01
 35    306 ::/0                     fe80::5
  1    331 ::1/128                  Auf Verbindung
 35    306 2a01:598:9090:bea1:4dcb:bc69:f4df:1111/128
                                    Auf Verbindung
 35    306 2a01:598:9090:bea1:8ee4:6420:b62e:8a41/128
                                    Auf Verbindung
 35    306 fe80::/64                Auf Verbindung
 35    306 fe80::1:2:b746:bd9c/128  Auf Verbindung
 35    306 fe80::9165:d83a:7988:6531/128
                                    Auf Verbindung
  1    331 ff00::/8                 Auf Verbindung
 35    306 ff00::/8                 Auf Verbindung
===========================================================================
Ständige Routen:
  Keine

tracert 192.168.0.239

Code: Select all

C:\Users\MAF>tracert 192.168.0.239

Routenverfolgung zu opsiserver.contoso-corp.int [192.168.0.239]
über maximal 30 Hops:

  1   210 ms   188 ms   187 ms  192.168.30.1
  2   190 ms   200 ms   186 ms  opsiserver.contoso-corp.int [192.168.0.239]

Ablaufverfolgung beendet.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: I cannot access a VPN client computer from other LAN clients

Post by solo » Tue Feb 07, 2023 2:36 pm

You've forgotten "..., tracert 192.168.30.10"
While at it, install SE client and re-test both ping ways.

mf_2
Posts: 16
Joined: Wed Oct 05, 2022 9:38 pm

Re: I cannot access a VPN client computer from other LAN clients

Post by mf_2 » Tue Feb 07, 2023 4:30 pm

tracert 192.168.30.10 will not work as 192.168.0.239 is a linux client.
But I did a traceroute 192.168.30.10 instead and this was the result:

Code: Select all

adminuser@opsiserver:~$ traceroute 192.168.30.10
traceroute to 192.168.30.10 (192.168.30.10), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  0.780 ms  0.999 ms  1.020 ms
 2  iccs-dc01.contoso-corp.int (192.168.0.230)  1.200 ms * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Also netstat -r from 192.168.0.239:

Code: Select all

adminuser@opsiserver:~$ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 ens36
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 ens36

Installing SE client on the client machine will take some time, I will reply once this is done.
However, even if it worked with the SE client, this will not be viable for my VPN as I specifically chose SE VPN because it works with the native Windows VPN. But I will install it for testing purposes.

mf_2
Posts: 16
Joined: Wed Oct 05, 2022 9:38 pm

Re: I cannot access a VPN client computer from other LAN clients

Post by mf_2 » Tue Feb 07, 2023 5:21 pm

Looks like my second reply disappeared, so let me try again.
netstat -r from 192.168.0.239

Code: Select all

adminuser@opsiserver:~$ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 ens36
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 ens36

traceroute (tracert does not exist on this box as it is a linux box) 192.168.30.10

Code: Select all

adminuser@opsiserver:~$ traceroute 192.168.30.10
traceroute to 192.168.30.10 (192.168.30.10), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  0.780 ms  0.999 ms  1.020 ms
 2  contoso-dc01.contoso-corp.int (192.168.0.230)  1.200 ms * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

I will install the SE client later and then report back.

Edit: I tried the SE client but that won't even connect to the VPN server.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: I cannot access a VPN client computer from other LAN clients

Post by solo » Tue Feb 07, 2023 9:21 pm

mf_2 wrote:
Tue Feb 07, 2023 5:21 pm
traceroute to 192.168.30.10 (192.168.30.10), 30 hops max, 60 byte packets
1 _gateway (192.168.0.1) 0.780 ms 0.999 ms 1.020 ms
2 contoso-dc01.contoso-corp.int (192.168.0.230) 1.200 ms * *
3 * * *
* * *
I will install the SE client later and then report back.
Edit: I tried the SE client but that won't even connect to the VPN server.

The "Routing and Remote Access" service appears not to be running after the .230 reboot; change it to auto, start it and retest the ping.
SE client is always better than OS builtins - it has to work :-)
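
Added example, not part of the original posts: a small Python model of the forward path from 192.168.0.239 to 192.168.30.10, built from the routing tables and the static route shown in this thread. Treating the "Routing and Remote Access" service as a simple forwarding on/off flag on 192.168.0.230 is an assumption; with it off, the packet reaches .230 and goes no further, which is where the traceroute above stalls.

```python
import ipaddress

def topology(rras_running):
    """Routing tables from the thread: (prefix, gateway or None if connected)."""
    return {
        # OPSI server, per its netstat -r: default route plus the connected LAN
        "192.168.0.239": {"forward": False, "routes": [
            ("0.0.0.0/0", "192.168.0.1"), ("192.168.0.0/24", None)]},
        # LAN gateway with the static route for 192.168.30.0/24 added
        "192.168.0.1": {"forward": True, "routes": [
            ("192.168.0.0/24", None), ("192.168.30.0/24", "192.168.0.230")]},
        # SoftEther server: LAN NIC plus the MLA (192.168.30.2) bridged to the hub.
        # Assumption: it forwards only while "Routing and Remote Access" runs.
        "192.168.0.230": {"forward": rras_running, "routes": [
            ("192.168.0.0/24", None), ("192.168.30.0/24", None)]},
    }

def lookup(routes, dst):
    """Longest-prefix match; returns (network, gateway) or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best

def trace(src, dst, hosts, max_hops=30):
    """Follow a packet hop by hop; returns (hops reached, outcome)."""
    hops, here = [], src
    for _ in range(max_hops):
        node = hosts[here]
        if here != src and not node["forward"]:
            return hops, "dropped: %s does not forward" % here
        match = lookup(node["routes"], dst)
        if match is None:
            return hops, "dropped: %s has no route" % here
        if match[1] is None:  # destination sits on a connected network
            return hops, "delivered"
        hops.append(match[1])
        here = match[1]
    return hops, "dropped: hop limit reached (routing loop)"

if __name__ == "__main__":
    for running in (False, True):
        print(running, trace("192.168.0.239", "192.168.30.10", topology(running)))
```

Removing the `192.168.30.0/24` entry from the gateway's table in this model makes the packet stop at 192.168.0.1 instead, which separates a missing static route from a forwarding problem on the SoftEther server.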

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: I cannot access a VPN client computer from other LAN clients

Post by solo » Thu Feb 09, 2023 12:19 am

mf_2 wrote:
Tue Feb 07, 2023 2:15 pm
The output (in German, but the information should still be extractable)

So, is everything all right?
;-)
