GigaCube openvpn Securenat Setup

maggus
Posts: 18
Joined: Sat Aug 28, 2021 11:58 am

Post by maggus » Sat Aug 28, 2021 12:22 pm

Hi,

i tried to set up something like what is described here:

https://www.softether.org/4-docs/1-manu ... Permission

Image

basically i would like to have access to a small webserver in my LAN via the internet.

My router(GigaCube)/provider does not allow to open any ports (which is not good practice anyways) and that includes setting up a vpn server at home.
So i found that openvpn cloud has a small vpn (3 clients) for free.

My idea is to set up a raspberry pi to run the vpn bridge with SecureNAT.

Since my pi does not have a monitor, i am trying to set up everything via vpncmd.

The goal is to basically have a pi that needs the vpn connection and can be installed at any lan and is ready to go.
So dhcp and all the local stuff is set up dynamically.

Did anyone do this before?

I get confused with the different terms that openvpn and softether use.
Sorry for that!

Post by maggus » Mon Aug 30, 2021 5:26 am

so, just for completeness:
i installed softether on my raspberry.

i opened an openvpn account and can connect via openvpn app with my cellphone.

my LAN has 192.168.178.1 as gateway with a 192.168.178.0/24 network
later the network would be 192.168.2.0/24 with 192.168.2.1 as GW and the webserver i want to access is running on 192.168.2.201 and 192.168.2.202. Mainly access this with a mobile phone.


these are the settings i set by now.
but i don't know how to track that further down.

my guess is:
- connection to openvpn is not set up correctly yet
- nat is not set up correctly yet
- is there more to set?

the description in the original article is for the GUI, and the corresponding CLI command is hard to guess.
even the defaults might differ... but also hard to guess.

it would be great to have someone point me to the right direction.

thank you!!

Code:

VPN Server>Hub BRIDGE
Hub command - Select Virtual Hub to Manage
The Virtual Hub "BRIDGE" has been selected.
The command completed successfully.

VPN Server/BRIDGE>AccessList
AccessList command - Get Access List Rule List
Error occurred. (Error code: 33)
Unsupported.
VPN Server/BRIDGE>CascadeList
CascadeList command - Get List of Cascade Connections
Item                  |Value
----------------------+---------------------------------------------------------------------------------
Setting Name          |CASCADE
Status                |Error 2: Protocol error occurred. Error was returned from the destination server.
Established at        |(None)
Destination VPN Server|maggusvpn.openvpn.com
Virtual Hub           |
The command completed successfully.

VPN Server/BRIDGE>CascadeStatusGet
CascadeStatusGet command - Get Current Cascade Connection Status
Cascade Connection Name: CASCADE

Item                                    |Value
----------------------------------------+-------------------------
VPN Connection Setting Name             |CASCADE
Session Status                          |Retrying
Connection Started at                   |2021-08-28 (Sat) 12:43:49
First Session has been Established since|-
Number of Established Sessions          |0 Times
The command completed successfully.

VPN Server/BRIDGE>CascadeGet
CascadeGet command - Get the Cascade Connection Setting
Cascade Connection Name: CASCADE

Item                                                 |Value
-----------------------------------------------------+--------------------------------
VPN Connection Setting Name                          |CASCADE
Destination VPN Server Host Name                     |maggusvpn.openvpn.com
Destination VPN Server Port Number                   |443
Destination VPN Server Virtual Hub Name              |VHUB
Proxy Server Type                                    |Direct TCP/IP Connection
Verify Server Certificate                            |Disable
Device Name Used for Connection                      |_SEHUBLINKCLI_
Authentication Type                                  |Standard Password Authentication
User Name                                            |maggus@weggefoehnt.de
Number of TCP Connections to Use in VPN Communication|8
Interval between Establishing Each TCP Connection    |1
Connection Life of Each TCP Connection               |Infinite
Use Half Duplex Mode                                 |Disable
Encryption by SSL                                    |Enable
Data Compression                                     |Disable
Connect by Bridge / Router Mode                      |Enable
Connect by Monitoring Mode                           |Disable
No Adjustment for Routing Table                      |Enable
Do not Use QoS Control Function                      |Disable

[Cascade Session Security Policy Setting Value]
Policy name            |Simple description of policy                   |Setting value
-----------------------+-----------------------------------------------+-------------
DHCPFilter             |Filter DHCP Packets (IPv4)                     |No
DHCPNoServer           |Disallow DHCP Server Operation (IPv4)          |No
DHCPForce              |Enforce DHCP Allocated IP Addresses (IPv4)     |No
CheckMac               |Deny MAC Addresses Duplication                 |No
CheckIP                |Deny IP Address Duplication (IPv4)             |No
ArpDhcpOnly            |Deny Non-ARP / Non-DHCP / Non-ICMPv6 broadcasts|No
PrivacyFilter          |Privacy Filter Mode                            |No
NoServer               |Deny Operation as TCP/IP Server (IPv4)         |No
NoBroadcastLimiter     |Unlimited Number of Broadcasts                 |No
MaxMac                 |Maximum Number of MAC Addresses                |-
MaxIP                  |Maximum Number of IP Addresses (IPv4)          |-
MaxUpload              |Upload Bandwidth                               |-
MaxDownload            |Download Bandwidth                             |-
RSandRAFilter          |Filter RS / RA Packets (IPv6)                  |No
RAFilter               |Filter RA Packets (IPv6)                       |No
DHCPv6Filter           |Filter DHCP Packets (IPv6)                     |No
DHCPv6NoServer         |Disallow DHCP Server Operation (IPv6)          |No
CheckIPv6              |Deny IP Address Duplication (IPv6)             |No
NoServerV6             |Deny Operation as TCP/IP Server (IPv6)         |No
MaxIPv6                |Maximum Number of IP Addresses (IPv6)          |-
FilterIPv4             |Filter All IPv4 Packets                        |No
FilterIPv6             |Filter All IPv6 Packets                        |No
FilterNonIP            |Filter All Non-IP Packets                      |No
NoIPv6DefaultRouterInRA|No Default-Router on IPv6 RA                   |No
VLanId                 |VLAN ID (IEEE802.1Q)                           |-
The command completed successfully.

VPN Server/BRIDGE>SecureNatStatusGet
SecureNatStatusGet command - Get the Operating Status of the Virtual NAT and DHCP Server Function (SecureNat Function)
Item                     |Value
-------------------------+---------
Virtual Hub Name         |BRIDGE
NAT TCP/IP Sessions      |0 Session
NAT UDP/IP Sessions      |0 Session
NAT ICMP Sessions        |0 Session
NAT DNS Sessions         |0 Session
Allocated DHCP Clients   |0 Client
Kernel-mode NAT is Active|No
Raw IP mode NAT is Active|No
The command completed successfully.

VPN Server/BRIDGE>SecureNatHostGet
SecureNatHostGet command - Get Network Interface Setting of Virtual Host of SecureNAT Function
Item       |Value
-----------+-----------------
MAC Address|5E-BD-D6-63-E4-30
IP Address |192.168.30.1
Subnet Mask|255.255.255.0
The command completed successfully.

eddiewu
Posts: 128
Joined: Wed Nov 25, 2020 9:10 am

Post by eddiewu » Mon Aug 30, 2021 1:02 pm

You need OpenVPN to use with OpenVPN cloud. Softether client only works with softether servers.

Post by maggus » Mon Aug 30, 2021 1:56 pm

bummer.

but thank you for the answer!!


is there a way to host a softether server in my lan without opening any ports?
the provider's firewall blocks everything, so i do not have the chance to change anything here.

Post by eddiewu » Mon Aug 30, 2021 2:45 pm

You have two built-in options.
1. Use NAT traversal (NAT-T)
Pro: Direct connection, good speed
Con: Client must run softether client (no mobile version), server can't be under symmetric NAT

2. Use VPN azure (free relay service)
Pro: Almost always works
Con: Slow (relayed via Japan), only two protocols available (SoftEther / SSTP)

Post by maggus » Mon Aug 30, 2021 6:08 pm

1. if there is no mobile version for the connecting client, this is not an option.

2. i will read through vpn azure.
maybe this is an option.

the rest is the same as the scenario i posted?
slow is not a problem, since there is almost no traffic.

Post by maggus » Mon Aug 30, 2021 8:09 pm

I briefly had a look at azure.

So compared to the picture....

Softether server will be the azure server.
The vpn bridge will be installed on the raspi.
And it should basically work?

All the settings are described for the gui. That means i still struggle with the setup, since i only have the cli.

i will look at that tomorrow. Maybe i find a more detailed howto.

I will keep you posted!

Post by eddiewu » Tue Aug 31, 2021 1:47 am

Enable vpn azure on the server. (Vpnazureset)
Note down the azure hostname it is assigned. (Vpnazureget)
Connect to the hostname from the client. Only softether or SSTP. There is no built in support so you need a third party app.
It’s that simple.

Post by maggus » Tue Aug 31, 2021 6:11 am

i guess i am confused.

here my setup:

Image

my assumption is:
- raspberry runs vpnbridge (or vpnserver?!) and connects to azure vpn
- raspberry runs dhcp to be able to adjust to any network
- vpnbridge needs to know how to route packages (secureNAT?)
- azure needs to be set up to route requests to 192.168.2.201
- mobile phone (android) can connect to vpn if on mobile network (third party app?)

do i need vpnbridge or vpnserver?
where do i sign up for azure vpn? or is that done with vpnazureset?

as soon as i get back home from work i will try the steps... maybe i am thinking too complicated :-)

Post by eddiewu » Tue Aug 31, 2021 6:47 am

You need vpnserver.
Android has several SSTP clients available, paid or free.
Turning on azure on the server is really simple. If you still can’t do that, learn from google.

Post by maggus » Tue Aug 31, 2021 8:26 pm

Hi,

I tried to set azure vpn (vpnazureset vpnazuresetenable VpnAzureSetEnable) but vpncmd always gives me an error.

Google came up with 1 result... this thread.

Attached is the cmd output.

so i am stuck at the first step... what am i doing wrong here?

Post by eddiewu » Wed Sep 01, 2021 1:48 am

You need to say yes.

Post by maggus » Wed Sep 01, 2021 4:35 am

I guess i don't get it...

Sorry :-(

Post by eddiewu » Wed Sep 01, 2021 5:59 am

Did you disable DDNS? Azure requires DDNS to work.

Post by maggus » Wed Sep 01, 2021 9:37 am

not that i know of.

ok. i will reset all settings and try again.
so with parameter "yes" this should have worked?

is DDNS the only thing that is needed?

You mean the DDNS property in softether, right? (not the router)

again... i will check tonight... i have no access to my raspi from work.

Post by eddiewu » Wed Sep 01, 2021 9:53 am

You don't need to use cmd. You can use the GUI tools as long as you have a windows computer. It connects to any softether servers.

Post by maggus » Wed Sep 01, 2021 11:51 am

hm.

i do not have a windows computer at home.
I use my android to connect to the raspberry. and sometimes a linux laptop.

so you mean to connect a softether client to this softether server to configure it?

i thought due to security (and so on) issues it would be easier to connect a local client.

or do i mix some things up here?


sorry, i guess i am thinking too complicated sometimes.

Post by maggus » Wed Sep 01, 2021 3:57 pm

After a reset i was able to perform the commands successfully.

I will work through the stuff now!

Thank you for now!!

I am sure i will be back soon ;-)

Post by maggus » Wed Sep 01, 2021 4:12 pm

eddiewu wrote:
Tue Aug 31, 2021 1:47 am
> Enable vpn azure on the server. (Vpnazureset)
> Note down the azure hostname it is assigned. (Vpnazureget)
> Connect to the hostname from the client. Only softether or SSTP. There is no built in support so you need a third party app.
> It’s that simple.

I read through the documentation.
Nowhere is it mentioned which username/password to use or how to set up.

Is any account reused for this connection?

The status also says that the vpnazure is not connected. I guess that is also not supposed to be that way?!

Post by eddiewu » Wed Sep 01, 2021 4:29 pm

The service is anonymous and the registration is auto handled by the server.
The azure server is at 130.x.x.x and it should be reachable from your server. If it does not work you may want to do some packet sniffing with tcpdump.

Post by maggus » Wed Sep 01, 2021 6:30 pm

my mobile phone is running an sstp client.
Which server do i use to connect? And which username/password? Where do i get it from? It does not let me connect to the server stated by vpnazuregetstatus.

The vpnserver connects to the azure how? There is no "connect" command (or at least i don't see it)

How is the network set up? How does the client know to which network to connect? How is the route set up?

I also don't understand what 130.x.x.x ip that should be. Where do i get "x" from?

I guess there is too much to set up to not worry about how this is traced and/or logged. So i don't know what to look for in a tcpdump.

Post by eddiewu » Thu Sep 02, 2021 1:14 am

First, you need to create an account and be able to connect locally.
Then use the azure hostname to connect from external.
I won't help you beyond this point. There are tons of tutorials available.

Post by maggus » Thu Sep 02, 2021 3:37 am

Hi,

Sorry if i made you feel you need to walk me through!

eddiewu wrote:
Tue Aug 31, 2021 1:47 am
> Enable vpn azure on the server. (Vpnazureset)
> Note down the azure hostname it is assigned. (Vpnazureget)
> Connect to the hostname from the client. Only softether or SSTP. There is no built in support so you need a third party app.
> It’s that simple.

From your answer i was thinking that i should be done.
But i just could not see how.

If you tell me that i am not done and the rest of the setup is covered by other parts of the documentation, then i am fine.

I would post all my steps (summarized here) when i am done.

Maybe somebody in the future can use it.

My apologies again!!

Post by eddiewu » Thu Sep 02, 2021 4:26 am

Installing a server, creating accounts and getting connected from clients is covered in most tutorials, so I won't repeat it here. Just do it.
The only thing worth mentioning in your case is the use of vpnazure since you can't make your server visible to outside.
I was focusing on the vpnazure part. I didn't know you haven't completed the trivial part yet. Connect via a vpnazure hostname with the same credentials you created locally. It's that simple.

nobody12
Posts: 67
Joined: Sat Feb 13, 2021 10:22 pm

Post by nobody12 » Thu Sep 02, 2021 12:19 pm

I did not read this thread thoroughly.
However a maybe important note:
The "GigaCube" is afaik a brand name for a Vodafone Germany supplied mobile network (and landline) blackbox.
Like many other mobile network operators Vodafone will most likely put you behind a NAT jail if the mobile network is used. Not only your router does NAT but the router itself is located in a 10.0.0.0/8 private network sharing one external IP with many other customers.
I don't know this for sure, but if it happens it will not make establishing a VPN connection easier.

Post by maggus » Thu Sep 02, 2021 4:38 pm

You are completely right.
That's why i was looking for a relay server and the securenat/traversal nat.

Just got home from work.... will try the setup now ;-)

Post by maggus » Thu Sep 02, 2021 9:23 pm

I did some reading and configuring.
At least it feels like i am on the right track.

Just logging/tracing is a little hard.

https://www.digitalocean.com/community/ ... -softether

This is what i tried... but no luck yet.
At least i found that commands are not case sensitive in vpncmd ;-)

Good night!

Post by maggus » Tue Sep 14, 2021 12:13 pm

Hey,

i found this walkthrough:
https://www.youtube.com/watch?v=mxyDLkA4Rzc&t=1248s

after deciding to go with the windows client (i took my work laptop home), i was able to perform all the steps.

i guess i will have to tweak a little here and there.
But basically i was able to make my first connection.

i will keep you posted if some minor things come up that might be a little tricky for a noob (like me).


sorry that it took me so long, but i was on vacation for a week... with no internet access at all.

Post by maggus » Thu Sep 16, 2021 6:26 pm

so yesterday i was trying to grab the pi and just plug in the "backdoor" to my friend's router.

My assumption was that the connection would just work.

But the command

Code:

/usr/local/vpnserver/vpncmd localhost:5555 /SERVER /PASSWORD:XXXXXXX /CMD VpnAzureGetStatus

always showed:

Code:

Connection to VPN Azure Cloud Server is Established|No

is there any info anywhere on how fast this should reconnect or is there a trigger needed?
Or is that just not meant to work this way?

is there a log entry somewhere that corresponds to that reconnection?
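
An added example, not part of any post in this thread: a small POSIX shell helper that reads the "Item|Value" tables vpncmd prints, logs every change of the "Connection to VPN Azure Cloud Server is Established" row with a timestamp, and flags the "Verify Server Certificate|Disable" setting visible in the CascadeGet output earlier in the thread. The function names and the sample table are constructed for illustration; only the vpncmd command line and the row names come from the posts.

```shell
#!/bin/sh
# Added example, not from the thread: read the "Item|Value" tables vpncmd prints.

# vpncmd_value ITEM: print the value of row ITEM from a vpncmd table on stdin.
vpncmd_value() {
    awk -v want="$1" '
        { bar = index($0, "|"); if (!bar) next
          key = substr($0, 1, bar - 1); sub(/[ \t]+$/, "", key) }
        key == want { val = substr($0, bar + 1); sub(/[ \t\r]+$/, "", val)
                      print val; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# azure_state: classify VpnAzureGetStatus output on stdin as up, down or unknown.
azure_state() {
    case $(vpncmd_value "Connection to VPN Azure Cloud Server is Established") in
        Yes) echo up ;;
        No)  echo down ;;
        *)   echo unknown ;;
    esac
}

# cascade_findings: print one line per risky setting in CascadeGet output (stdin).
cascade_findings() {
    table=$(cat)
    [ "$(printf '%s\n' "$table" | vpncmd_value "Verify Server Certificate")" = Enable ] ||
        echo "FINDING: server certificate is not verified, so the peer is unauthenticated"
    [ "$(printf '%s\n' "$table" | vpncmd_value "Encryption by SSL")" = Enable ] ||
        echo "FINDING: SSL encryption is not enabled"
    return 0
}

# log_transitions COUNT INTERVAL CMD...: run CMD (anything that prints
# VpnAzureGetStatus output) COUNT times, INTERVAL seconds apart (COUNT 0 polls
# forever), printing a UTC-timestamped line whenever the state changes.
log_transitions() {
    count=$1 interval=$2; shift 2
    prev="" i=0
    while [ "$count" -eq 0 ] || [ "$i" -lt "$count" ]; do
        state=$("$@" 2>/dev/null | azure_state)
        if [ "$state" != "$prev" ]; then
            echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) vpnazure ${prev:-start} -> $state"
            prev=$state
        fi
        i=$((i + 1))
        sleep "$interval"
    done
}

# Constructed sample in vpncmd's table layout (not captured from a real server).
sample_status() {
    cat <<EOF
Item                                               |Value
---------------------------------------------------+-----
Connection to VPN Azure Cloud Server is Established|$1
The command completed successfully.
EOF
}

sample_status No | azure_state   # prints: down
# On the Pi, with the command line from the post (the password ends up in the
# process list while vpncmd runs):
#   log_transitions 0 30 /usr/local/vpnserver/vpncmd localhost:5555 /SERVER \
#       /PASSWORD:XXXXXXX /CMD VpnAzureGetStatus
```

Redirecting the output of log_transitions to a file gives a timestamped record of each reconnect after the Pi is moved to another network.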

Post by nobody12 » Fri Sep 17, 2021 12:19 pm

I do not have experience with azure, but there are two users who also don't have connectivity to azure after a recent update:
viewtopic.php?f=7&t=67116
