Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
- Posts: 17
- Joined: Tue Feb 21, 2023 8:07 am
Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
Hello Everyone.
I have encountered a network configuration challenge that requires your expertise. Here's the scenario: I have two VPN clients, each situated in different geographical locations, both connecting to a VPN server hosted on Microsoft Azure.
Client 1: This is a Linux-based device configured to support both OpenVPN and L2TP/IPsec as a client.
Client 2: Operates on a Windows 10 PC
The primary objective I aim to achieve is to enable Client 2, when connected to the VPN server in Azure, to access the entire network associated with Client 1.
I've made attempts to address this challenge by forwarding all traffic from the 'eth0' interface of the Linux device to the 'tun/tap' virtual adapter. However, I didn't have much success with this method.
Currently, my VPN setup involves using SoftEther as the server, hosted on Azure. Client 1 connects via OpenVPN, while Client 2 uses the SoftEther client. I am open to considering alternative VPN server options or methods if they can help resolve this issue.
Given my limited experience in this domain, I kindly request a comprehensive explanation of any potential solutions. If further details are required to better understand the problem, please do not hesitate to let me know.
- Posts: 1099
- Joined: Sun Feb 14, 2021 10:31 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
The above device has to support L2/TAP (Ethernet Bridging) or else it will not work. Here is the exact net topology I tested a while ago...
       SE VPN SERVER VHUB 192.168.22.1
              +-----+
       +----->| PC3 |<----+
       |      +-----+     |
       |                  |
       |                  |
~ ~ ~ I ~ N ~ T ~ E ~ R ~ N ~ E ~ T ~ ~ ~
       |                  |
       |                  |
       |OpenVPN           |SE VPN
       |192.168.22.11     |192.168.22.10
       |                  |
    +-----+            +-----+
    | PC2 |            | PC4 |
    +-----+            +-----+
LAN  192.168.55.5      10.0.2.15
WiFi 192.168.8.141
IP forwarding ON
PC2 OpenVPN L3 TUN
PC4
route add 192.168.55.0 mask 255.255.255.0 192.168.22.11
ping 192.168.55.5
Pinging 192.168.55.5 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
PC2 OpenVPN L2 TAP
PC4
route add 192.168.55.0 mask 255.255.255.0 192.168.22.11
ping 192.168.55.5
Pinging 192.168.55.5 with 32 bytes of data:
Reply from 192.168.55.5: bytes=32 time=60ms TTL=127
Reply from 192.168.55.5: bytes=32 time=110ms TTL=127
Reply from 192.168.55.5: bytes=32 time=89ms TTL=127
Reply from 192.168.55.5: bytes=32 time=93ms TTL=127
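The test above contrasts the two ways a Linux VPN client can expose the LAN behind it: an L3 TUN session, where the gateway must route and the far side must know the LAN subnet, and an L2 TAP session, where the gateway bridges the tap interface with the LAN port and the remote client ends up in the same broadcast domain. The script below is an added example, not code from this post or from the SoftEther project, and shows both configurations on the Linux gateway. Everything named in it is an assumption for illustration: the VPN interface is tap0 (TAP) or tun0 (TUN), the local LAN is on eth1, the gateway's LAN address is 192.168.3.74/24, the bridge is br1, and the virtual hub subnet is 192.168.22.0/24. With DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: configure a Linux VPN gateway so a remote VPN peer can reach
# the LAN behind it, in L2 (bridged TAP) or L3 (routed TUN) mode.
# Assumptions: VPN interface tap0/tun0, LAN port eth1, gateway LAN address
# 192.168.3.74/24, bridge br1, VPN subnet 192.168.22.0/24.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# L2 mode: bridge the TAP interface with the LAN port. LAN hosts and VPN peers
# share one Ethernet segment, so the far side needs no routes. The gateway's own
# address must move from eth1 to the bridge, otherwise the gateway itself is
# unreachable even though the hosts behind it answer.
bridge_mode() {
    vpn_if="$1"; lan_if="$2"; br="$3"; lan_addr="$4"
    run ip link add name "$br" type bridge
    run ip addr flush dev "$lan_if"
    run ip link set dev "$lan_if" master "$br"
    run ip link set dev "$vpn_if" master "$br"
    run ip addr add "$lan_addr" dev "$br"
    run ip link set dev "$lan_if" up
    run ip link set dev "$vpn_if" up
    run ip link set dev "$br" up
    # Traffic addressed to the gateway itself still passes INPUT; bridged frames
    # only hit FORWARD when the br_netfilter module is loaded.
    run iptables -A INPUT -i "$br" -j ACCEPT
    run iptables -A FORWARD -i "$br" -o "$br" -j ACCEPT
}

# L3 mode: route between the TUN interface and the LAN. The remote peer (or the
# virtual hub) needs a static route for the LAN subnet via the gateway's VPN
# address, and LAN hosts need a return path. Masquerading VPN sources behind the
# gateway's LAN address gives that return path without touching the LAN router,
# at the cost that LAN hosts cannot initiate connections to VPN peers.
routed_mode() {
    vpn_if="$1"; lan_if="$2"; vpn_net="$3"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$vpn_if" -o "$lan_if" -j ACCEPT
    run iptables -A FORWARD -i "$lan_if" -o "$vpn_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$lan_if" -j MASQUERADE
}

case "${1:-}" in
    bridge) bridge_mode tap0 eth1 br1 192.168.3.74/24 ;;
    routed) routed_mode tun0 eth1 192.168.22.0/24 ;;
    *) echo "usage: $0 bridge|routed   (DRY_RUN=0 to apply)" >&2 ;;
esac
```

Run it as `DRY_RUN=0 sh gateway.sh bridge` on the gateway once the OpenVPN client is up with `dev tap` and the virtual hub shows an OpenVPN L2 session. Note that `ip addr flush dev eth1` drops any session that reaches the gateway through eth1, so apply it from the console or over the other interface, and that none of these commands persist across a reboot.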
- Posts: 17
- Joined: Tue Feb 21, 2023 8:07 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
@Solo thanks for the reply.
Based on your diagram, this is my configuration
PC3 (SE Server VHUB): 192.168.22.1
PC2 LAN : 192.168.3.74
PC4 LAN : 192.168.2.10
Softether Server (PC3) VM that it is located in Azure, has this configuration:
OpenVPN is enabled
2 users are created in the Virtual Hub "x" with SecureNAT enabled
SecureNAT Configuration:
Virtual Host Network Interface Settings: IP(192.168.22.1/24)
Virtual NAT Function: Enabled
Virtual DHCP Server Functions: 192.168.22.10 - 192.168.22.100
Default Gateway: None
DNS Server Address 1: 8.8.8.8
Linux Device (PC2) that supports OpenVPN Client has the following configuration:
LAN IP : 192.168.3.74
Server IP/Domain: Hostname generated by Softether Sample File Generating Tool for OpenVPN Clients.
Server Port: 1194
Protocol: TCP
Cipher: AES-128-CBC
Network Name: TAP0
LZO Compression: Disabled
TLS Authentication: Disabled
Only when the Linux device establishes a connection with the VPN server can I see the tap0 interface.
Then I add 192.168.22.2 to it with the command "ip addr add 192.168.22.2/24 dev tap0"
and then I am routing it with eth0 with the command "192.168.3.0/24 via 192.168.22.2".
command "route -n" output:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.3.1 0.0.0.0 UG 5 0 0 eth0
192.168.3.0 192.168.22.2 255.255.255.0 UG 0 0 0 tap0
192.168.22.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
Softether Client (PC4) has the following configuration:
WIFI: 192.168.2.60
Softether Virtual Adapter:
IP: 192.168.22.20/24
Gateway: 192.168.22.1
Advanced IP settings: Added 192.168.3.79
Interface metric:100
Next thing i did was add the route you mentioned above.
route add 192.168.3.0 mask 255.255.255.0 192.168.22.2
I enabled IP forwarding with : echo 1 > /proc/sys/net/ipv4/ip_forward
I added "iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT" and "iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT".
Lastly I forwarded all traffic through the VPN with "iptables -t nat -A POSTROUTING -s 192.168.22.0/24 -o eth0 -j MASQUERADE", which I noticed in the OpenVPN HOWTO section "Routing all client traffic (including web-traffic) through the VPN".
Now when both the OpenVPN client and the SoftEther client are connected to the SoftEther server in Azure, I go to the one Virtual Hub I have and look into "Manage Sessions". I can see SID-OpenvpnUSER-[OPENVPN_L2]-809 and SID-SoftetherUSER-814. In the IP Address Table List I can see:
SID-OpenvpnUSER with 3 IP Addresses, 192.168.3.74,192.168.22.2 and the tap0 mac address.
SID-SoftetherUSER with 3 IP Addresses, 192.168.3.79,192.168.22.60, and the Virtual adapter mac address.
I can ping all of those IP addresses from PC4 but I cannot ping anything else in the 192.168.3.0 network of the Linux device.
Is there anything wrong with my configuration?
Do i need to use the Local Bridge Setting in Softether Server?
Do i need any specific configuration about Softether Client settings?
- Posts: 1099
- Joined: Sun Feb 14, 2021 10:31 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
There are useless components in the setup and this is missing:
on LAN2's router add static route:
ip route add 192.168.22.0/24 via 192.168.111.105
- if the router does not support static routes, add persistent static route to every PC which needs to cross-connect:
route -p add 192.168.22.0 mask 255.255.255.0 192.168.111.105
- Posts: 17
- Joined: Tue Feb 21, 2023 8:07 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
The Linux-based device can work as a router too, so I can add routing table entries to it to forward traffic from its tap network to its eth network.
However I can't seem to make it work. I remember that I asked you again, and we found a solution, but after months it doesn't seem to work for an unknown reason.
Can you tell me, based on my configuration, what I should do on the Linux device to forward traffic from tap0 to eth0?
- Posts: 1099
- Joined: Sun Feb 14, 2021 10:31 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
Please put aside your assumptions, leave Linux alone, and implement the static routes.
- Posts: 17
- Joined: Tue Feb 21, 2023 8:07 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
I am sorry i missed out some certain information that i thought was useless.
We are using as OpenVPN Client an Industrial IOT Gateway device which can also work as a router. This device has eth0 and eth1.
The scenario is that we install that device in our client's network and support our devices without having access to client's network.
OpenVPN Device establishes connection to internet through eth0. Connects to VPN Server with tap0.
eth1 is where we connect our industrial devices.
So what i want is to forward all traffic from eth1 to tap0.
If I understand correctly, what you are saying is to run "ip route add 192.168.22.0/24 via 'eth0-ip'" on the client's router, which doesn't help me because I don't want to do anything with the client's router.
- Posts: 1099
- Joined: Sun Feb 14, 2021 10:31 am
- Posts: 17
- Joined: Tue Feb 21, 2023 8:07 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
The bridging was the solution, thank you very much for your time and sorry for my lack of knowledge on this matter.
After succeeding in getting communication between the 2 clients, I still have one question.
While I am now able to see the network that the OpenVPN client is on at this moment, I can't directly ping or access the OpenVPN client in any way.
Is it possible to also support the device that runs the OpenVPN client through SoftEther?
- Posts: 1099
- Joined: Sun Feb 14, 2021 10:31 am
- Posts: 17
- Joined: Tue Feb 21, 2023 8:07 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
Everything has a static IP and static subnet. I don't get how this link will help me.
All i want is my Softether Client to be able to ping my OpenVPN Client.
I am not sure if it has to do with OpenVPN, since I have experienced the same problem with the SoftEther VPN client/server.
- Posts: 1099
- Joined: Sun Feb 14, 2021 10:31 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
It has nothing to do with SoftEther or OpenVPN; it is as simple as an iptables/firewall issue.
- Posts: 17
- Joined: Tue Feb 21, 2023 8:07 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
I stopped the firewall on both Linux (OpenVPN client) and Windows 10 (SoftEther client) and I also did iptables --flush on Linux.
From the computer that runs the SoftEther client, I can ping anything but the Linux device that runs OpenVPN.
Something interesting I noticed is that I can "ping -I br1 'SoftetherClient-Static-IP-Address'" from the Linux device and get a response, but not vice versa.
In SoftEther Server -> Virtual Hub -> Manage Sessions -> IP Address Table, I can see that the IP address of the Linux device exists.
From the SoftEther client computer, using a network scanner I can also see the Linux device IP, but I cannot ping it.
- Posts: 1099
- Joined: Sun Feb 14, 2021 10:31 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
- Posts: 17
- Joined: Tue Feb 21, 2023 8:07 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
I followed your commands but with no success. The problem persists.
Is there a chance that it is something i need to add in Postrouting chain rules?
- Posts: 1099
- Joined: Sun Feb 14, 2021 10:31 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
Connect the VPN and post as code:
the Linux Gateway
-----------------
ifconfig
ip link show
ip addr
route -n
ip route
ping -c 2 [Win SE VPN client]
traceroute [Win SE VPN client]
arp
iptables -t nat -L
iptables -S
ufw status
brctl show
Win SE VPN client
-----------------
netstat -r
ipconfig /all
arp -a
ping [the Linux Gateway]
tracert -d [the Linux Gateway]
ping [an industrial device behind the Linux Gateway]
tracert -d [an industrial device behind the Linux Gateway]
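The checklist above collects raw output and leaves the reading to a human. The script below is an added example, not part of this post or of SoftEther, that turns the Linux-gateway half of it into pass/fail checks for the bridged setup the thread ends up with: are tap0 and eth1 really members of the bridge, is the LAN subnet a directly attached route on the bridge rather than routed into the tunnel (the earlier `route -n` in this thread had 192.168.3.0 going via the tap address), does the filter table let the remote client's packets in, and does the peer answer at all. The names are assumptions: bridge br1 with members tap0 and eth1, LAN 192.168.3.0/24, remote SoftEther client 192.168.22.20. Each check reads command output from stdin, so it works on saved output as well as live.

```shell
#!/bin/sh
# Added example: pass/fail checks over the output of the diagnostic commands
# listed in the thread, for a Linux gateway that bridges tap0 and eth1 as br1.
# Assumed names: bridge br1, LAN 192.168.3.0/24, remote client 192.168.22.20.
# Every check takes the command output on stdin and returns 0 (pass) or 1 (fail).

# Every interface named in the arguments is a member of the bridge.
# Input: `ip -o link show master <bridge>`
members_present() {
    _out="$(cat)"
    for _if in "$@"; do
        printf '%s\n' "$_out" | grep -Eq "^[0-9]+: ${_if}[:@]" || return 1
    done
}

# The LAN subnet is directly attached (gateway 0.0.0.0, flag U) on the expected
# interface. A route for the LAN *via* the tap address sends LAN-bound packets
# into the tunnel instead of onto the LAN.
# Input: `route -n`
lan_directly_attached() {
    _subnet="$1"; _if="$2"
    awk -v s="$_subnet" -v i="$_if" '
        $1 == s { if ($2 == "0.0.0.0" && $4 == "U" && $8 == i) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# INPUT and FORWARD default to ACCEPT and no rule drops or rejects traffic
# arriving on the bridge. A DROP here is the "gateway can ping out but cannot
# be pinged" symptom, because replies leave but unsolicited echo requests die.
# Input: `iptables -S`
filter_permits() {
    _br="$1"
    _out="$(cat)"
    printf '%s\n' "$_out" | grep -q '^-P INPUT ACCEPT$'   || return 1
    printf '%s\n' "$_out" | grep -q '^-P FORWARD ACCEPT$' || return 1
    ! printf '%s\n' "$_out" | grep -Eq -- "-i ${_br} .*-j (DROP|REJECT)"
}

# At least one echo reply came back. Input: `ping -c N <host>` (Linux format)
ping_answered() {
    grep -Eq '^[0-9]+ bytes from '
}

# Live run on the gateway: one line per check.
diagnose() {
    _br="${1:-br1}"; _lan="${2:-192.168.3.0}"; _peer="${3:-192.168.22.20}"
    ip -o link show master "$_br" | members_present tap0 eth1 \
        && echo "ok   $_br has members tap0 and eth1" || echo "FAIL bridge members"
    route -n | lan_directly_attached "$_lan" "$_br" \
        && echo "ok   $_lan is directly attached on $_br" || echo "FAIL LAN route"
    iptables -S | filter_permits "$_br" \
        && echo "ok   iptables permits traffic on $_br" || echo "FAIL iptables"
    ping -c 2 -W 2 "$_peer" | ping_answered \
        && echo "ok   $_peer answers" || echo "FAIL no reply from $_peer"
}

case "${1:-}" in
    run) diagnose "$2" "$3" "$4" ;;
esac
```

Run `sh diag.sh run` on the gateway with the VPN up. A FAIL on the iptables line with all policies ACCEPT and no rules means the drop happens outside netfilter, which is where a vendor-specific "block incoming traffic" switch on an IoT gateway would sit.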
- Posts: 17
- Joined: Tue Feb 21, 2023 8:07 am
Re: Network Connectivity Challenge with Multiple VPN Clients Connecting to Azure
@solo thank you so much for your time. I found the problem and it had something to do with the Linux device; I contacted the corresponding company and they let me know of a setting responsible for blocking incoming traffic.