Hosting other services on SoftetherVPN server machine

[CyprusSocialite]

Here is my current setup:

• Machine connected to internet via `enp14s0` interface
• SoftEther virtual hub (SecureNAT disabled) bridged to `tap_softether` interface created in VPN Server Manager, and further configured by systemd-networkd:

  Code: Select all

  [Match]
  Name=tap_softether
  
  [Network]
  Address=192.168.100.1
  

• dnsmasq running with the following configuration:

  Code: Select all

  bind-interfaces
  interface=tap_softether
  listen-address=::,0.0.0.0
  dhcp-range=192.168.100.11,192.168.100.250,255.255.255.0,12h
  dhcp-option=3,192.168.100.254
  

This works and I can connect to the VPN successfully, and dnsmasq assigns the client an IP as expected.

My goal is to host other services (web server, etc.) on the same machine where SoftEther VPN server is running, and have them listen on the `tap_softether` interface like dnsmasq seems to do.

This does not work, and when connected to the VPN I cannot even telnet anything on the server (via 192.168.100.1).

Moreover, I cannot figure out how dnsmasq is listening to the connections. I have tried stopping it and using netcat and socat to listen on port 53 (both tcp and udp), but I never get anything.


Please advise!

[solo]

"Bridge not working as expected"

[CyprusSocialite]

"Bridge not working as expected"

I am not bridging to the physical ethernet interface, however - only to the tap interface, and it seems that dnsmasq is able to listen on it somehow...

[solo]

For a test disable iptables/firewall and try again.

[CyprusSocialite]

I am using nftables and I have tried the following:

Code: Select all

systemctl stop nftables
systemctl stop dnsmasq
nc -l 0 53
*connect to VPN from another device*

Server log has

Code: Select all

Trying to request an IP address from the DHCP server.
Acquiring an IP address from the DHCP server failed. To accept a PPP session, you need to have a DHCP server. Make sure that a DHCP server is working normally in the Ethernet segment which the Virtual Hub belongs to. If you do not have a DHCP server, you can use the Virtual DHCP function of the SecureNAT on the Virtual Hub instead.

But there is no output from nc. Same with `nc -lu 0 53`.

[solo]

So you had disabled the DHCP server for some inexplicable reason, started listening on DNS port, and then wonder why netcat shows nothing and "Acquiring an IP address from the DHCP server failed".

It's hopeless, ask on a Linux forum. Nothing to do with SoftEther.

[CyprusSocialite]

Yes, my apologies, I meant to listen on the DHCP port 67 instead. Indeed this works, and in fact it looks like UDP works in general: I can `nc -lu 0 1234` or any other port, and then `nc -u 192.168.100.1 1234` from the client to get the expected output.

However, it seems that TCP does not work. So `nc -l 0 1234` / `nc 192.168.100.1 1234` (without -u) do not produce any output.

Perhaps SoftEther is filtering the TCP packets somehow?

My client is connecting via L2TP by the way - in case this is relevant.

[CyprusSocialite]

It seems the issue was caused by incorrect routing of outbound packets (my client was never receiving SYN-ACK).

Fixed by running:

Code: Select all

ip rule add from 192.168.100.1 lookup main
ip route add 192.168.100.0/24 dev tap_softether

Gonna try and incorporate this into the systemd-networkd config