Need suggestion - Nat in softether cluster

acampeau
Posts: 32
Joined: Mon Dec 01, 2014 2:09 am

Need suggestion - Nat in softether cluster

Post by acampeau » Sun Nov 26, 2017 12:52 am

Hi,

I have a setup that's working quite well for translating other language to softether to use softether's flexibility as it uses an ethernet adapter module for the client.

As of now, my client is 192.168.3.6 connecting to vpn server 192.168.3.10 which has a default gateway in a provider's vpn (45.X.X.X).

As of now, I always used securenat for the nat and dhcp which resulted in my client having 192.168.30.10 as local ip and 45.x.x.x on the internet.

I wanted to upgrade my setup to have 4 more servers, essentially 1 cluster controller and 3 members.

Everything went quite well changing the setup except when I found out the Virtual NAT feature of SecureNAT isn't compatible with a cluster.

I tried everything I knew to "make the member server nat" for the client to connect to, I can't figure out a way to make this.

Here's my question: Is there a way to make my server NAT without SecureNAT so that I could replicate this change on the 3 cluster members?

Here's a text diagram of what I thought originally:

client 192.168.3.6 --> Cluster Controller 192.168.3.11
then connects to one of the following :
--> Cluster Member 192.168.3.12 lan, 45.x.x.x WAN /// (Client would receive a NAT IP)
or
--> Cluster Member 192.168.3.13 lan, 206.x.x.x WAN /// (Client would receive a NAT IP)
or
--> Cluster Member 192.168.3.12 lan, 75.x.x.x WAN /// (Client would receive a NAT IP)

Do I need to use a TAP adapter on Cluster Members for it to work? I'm quite lost here as I don't know a ton about NAT outside of a router environment.

Thank you a lot!

acampeau
Posts: 32
Joined: Mon Dec 01, 2014 2:09 am

Re: Need suggestion - Nat in softether cluster

Post by acampeau » Wed Nov 29, 2017 11:17 pm

bump plz

hkg.cnn
Posts: 15
Joined: Thu Aug 03, 2017 9:38 am

Re: Need suggestion - Nat in softether cluster

Post by hkg.cnn » Sun Dec 03, 2017 3:03 pm

Hey! Did you work this out already? Cluster + SecureNAT co-exist in the same network. Thanks!

Jet

acampeau
Posts: 32
Joined: Mon Dec 01, 2014 2:09 am

Re: Need suggestion - Nat in softether cluster

Post by acampeau » Mon Dec 04, 2017 1:29 am

Still waiting for someone's idea to make it work. I'm sure this would be doable with iptables NAT, just need confirmation before I try.

hkg.cnn
Posts: 15
Joined: Thu Aug 03, 2017 9:38 am

Re: Need suggestion - Nat in softether cluster

Post by hkg.cnn » Mon Dec 04, 2017 6:00 am


acampeau
Posts: 32
Joined: Mon Dec 01, 2014 2:09 am

Re: Need suggestion - Nat in softether cluster

Post by acampeau » Sat Dec 09, 2017 7:05 pm

Thanks a lot for this article. It seemed like something I would need, but it wasn't the case after all. What this guy's doing is more for an enterprise setup with a dedicated VPN pool.

After all, I finally managed to make it happen. It's not bulletproof, but it will do the job nicely.

I removed every cluster feature of my project and went with a different point of view.

I have set up 4 VMs which "translate" the provider's VPN and have SecureNAT enabled with NAT and DHCP.

As my client who needs the servers will always be inside my network, I have set up a DNS round robin pointing to the IPs of the servers.

Example :

vpn.domain.com will redirect to one of :
192.168.3.10 (206.x.x.x, country 1, securenat pool 192.168.0.x/24)
192.168.3.11 (45.x.x.x, country 2, securenat pool 192.168.10.x/24)
192.168.3.12 (104.x.x.x, country 3, securenat pool 192.168.20.x/24)
192.168.3.13 (172.x.x.x, country 4, securenat pool 192.168.30.x/24)

The only limitation for me using this technique is that if a VM is not accessible but the address is reachable by the client, it will still try to connect to that non-working server. If the faulty server is powered off completely or its 192.x.x.x network can't be seen by the client, it will automatically take the next one on the DNS round-robin list!

I have found that while DNS round-robin isn't a really bulletproof implementation, it was still a lot easier to set up because all the VMs aren't on the same IP segment externally and because the clustering feature of SoftEther isn't compatible with SecureNAT. It does the job great for what I needed.

If you have any questions, feel free to ask!

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Need suggestion - Nat in softether cluster

Post by thisjun » Wed Dec 20, 2017 5:11 am

How about controlling the client by some script?

DjMohsen
Posts: 4
Joined: Wed Jun 06, 2018 9:00 am

Re: Need suggestion - Nat in softether cluster

Post by DjMohsen » Wed Jun 06, 2018 9:44 am

acampeau wrote:
> If you have any questions, feel free to ask!

Actually I'm using the round robin too + NAT, and the problem is that when a client connects to an IP, after 5 sec it disconnects and gets stuck reconnecting.
It's because the IP is changing, and it needs to specify the connected IP at the time and not check for a new IP from the name server.
I'd really appreciate it if one of you guys could help me with this.

I can provide you details to test and connect.
email: Dj.Moh3n@gmail.com
skype: Dj.Moh3n
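
One way to script the client side, as suggested in the thread: probe each server's VPN listener rather than relying on DNS round-robin, then pin the account to the chosen IP literal so a reconnect does not re-resolve the name. This is an added example, not code from any poster or from the SoftEther project; the listener port 443, the account name `vpn1` and the hub name `VPN` are assumptions.

```python
import random
import socket

# Constructed sample: the four internal addresses from the round-robin post.
CANDIDATES = ["192.168.3.10", "192.168.3.11", "192.168.3.12", "192.168.3.13"]
VPN_PORT = 443  # assumption: the SoftEther listener port in use


def tcp_probe(ip, port, timeout=3.0):
    """True if a TCP handshake with the VPN listener completes in time."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_server(candidates, port=VPN_PORT, probe=tcp_probe, rng=None):
    """Return the first candidate whose listener answers, or None.

    Candidates are shuffled so load still spreads as with round-robin,
    but a host that is up at IP level with a dead VPN service is skipped.
    """
    order = list(candidates)
    (rng or random).shuffle(order)
    for ip in order:
        if probe(ip, port):
            return ip
    return None


def account_set_args(account, hub, ip, port=VPN_PORT):
    """vpncmd arguments that pin the client account to one IP literal,
    so a reconnect does not re-resolve the round-robin name."""
    return ["vpncmd", "localhost", "/CLIENT", "/CMD", "AccountSet", account,
            f"/SERVER:{ip}:{port}", f"/HUB:{hub}"]


if __name__ == "__main__":
    chosen = pick_server(CANDIDATES)
    if chosen is None:
        raise SystemExit("no VPN server reachable")
    # Hypothetical account and hub names; follow with AccountConnect.
    print(" ".join(account_set_args("vpn1", "VPN", chosen)))
```

A completed TCP handshake only shows that something is listening on the port; it does not authenticate the server, so keep server certificate verification enabled on the client account.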
