Question about SE's DNS function

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
Rouzah

Question about SE's DNS function

Post by Rouzah » Sun Jan 29, 2023 1:01 am

Hello all,

i have the problem that clients can't connect to/find my server. So i guess i misunderstood something. I thought that the DNS function in SE already somehow did this.. but i think i have to register the xxyyxx.softether.net with a domain name service? And then i have to download and keep the DNS software running?

If i'm on the right track here, maybe you can suggest me the most used free dns provider service.

Thanks

solo
Posts: 1195
Joined: Sun Feb 14, 2021 10:31 am

Re: Question about SE's DNS function

Post by solo » Sun Jan 29, 2023 2:45 am

You don't have to register anything. If you can't connect to the xxyyxx.softether.net address, you will to this one:
VPN Azure Setting
Enable VPN Azure
Status: Connected
Now connect to vpnXYZXYZXYZ.vpnazure.net

Rouzah

Re: Question about SE's DNS function

Post by Rouzah » Sun Jan 29, 2023 7:33 am

Thanks for your reply.

I tried it. The result is the same.

What i'm trying to do:


I have created a SE VPN server with L2TP + L2TP/IPsec enabled, in order for a person to connect with their mobile (iphone) to the VPN server on my mashine.

They can't connect. They get the error message: "The L2TP-VPN server did not respond. Try reconnecting.. Contact your Administrator.. "

In the router i have forwarded the following ports:


TCP 1701 (for L2TP)
UDP 500 (for IPsec)

In windows firewall i have opened the same port types and the same port numbers.

So i have done everything in the book. I have Win 10. The people who are supposed to connect are all on mobile.

Do i need to create certificates if the user authentication is via L2TP / L2TP+IPsec via mobile phone?
Do i have to add "security policy"? PS: If i check the box, then the OK button greys out.
grey.png


PS: I left the blow setting at default. I did not change the port number (443) in the below setting and also i did neither forward 443 in the router nor open it in windows firewall. Might this be the issue?
local443.png

What did i forget?
You do not have the required permissions to view the files attached to this post.

shakibamoshiri
Posts: 284
Joined: Wed Dec 28, 2022 9:10 pm

Re: Question about SE's DNS function

Post by shakibamoshiri » Sun Jan 29, 2023 9:52 am

Rouzah wrote:
Sun Jan 29, 2023 1:01 am
Hello all,

i have the problem that clients can't connect to/find my server. So i guess i misunderstood something. I thought that the DNS function in SE already somehow did this.. but i think i have to register the xxyyxx.softether.net with a domain name service? And then i have to download and keep the DNS software running?

If i'm on the right track here, maybe you can suggest me the most used free dns provider service.

Thanks
First
the thing you are mentioning is called DDNS (=Dynamic DNS) not DNS

Second
- create a hub or use DEFAUTL hob
- add a user to that hub
- enable L2TP and add pre shared key as well
- on server side enable SecureNAT (if you cannot use a local bridge + DHCP server)

Third
if you want to give your users WAN access, you need to enable/apply NAT

When the SE server is up and running, then answer to these questions should be YES for using L2TP
- can a client ping the server or no
- does L2TP protocol work in client network or no

At this point L2TP client should be able to connect.
You do not need a domain name (e.g vpn.example.com) for using L2TP, just use your SE server IP address.

NOTE
- of course a domain name is better and simple if you plan to have more clients.
- you do not need to specify a port for L2TP client unless you have used other ports

Rouzah

Re: Question about SE's DNS function

Post by Rouzah » Sun Jan 29, 2023 1:39 pm

Hello,

thanks a lot for your help! I appreciate it!

Regarding: "- on server side enable SecureNAT (if you cannot use a local bridge + DHCP server)" :
I did not have a Local bridge running in SE. I do now. I am not sure where to set up the DCHP server though.


Regarding enabling NAT:
I am trying to figure out where to enable NAT. I don't see anything about NAT in the router settings.
In my router the 'UPnP' option in Not activated. Since i have forwarded ports, i should leave it like this?
I know that in Win 10 there is an option for "Turn on network discovery".


Thanks!

edit:

While i wait for an answer, i did try:

i did enable SecureNat (+its DCHP server) in SE. Server is still unreachable. Unfortunately i myself cannot test connectivity. I have to ask the other person.

Also after a bit of research i came across conflicting information. I had opened/forwarded TCP 1701 in SE and in router, as i stated in above post. For L2TP the 1701 is maybe UDP. I just changed this and now i am waiting for the other person to retry and reconnect.

edit2:

Seems to not work, either! In my router settings, i had forwarded the ports from localhost. Should i forward the ports from the SecureNAT that appears in LAN after you enable SecureNAT?

shakibamoshiri
Posts: 284
Joined: Wed Dec 28, 2022 9:10 pm

Re: Question about SE's DNS function

Post by shakibamoshiri » Sun Jan 29, 2023 5:01 pm

Rouzah wrote:
Sun Jan 29, 2023 1:39 pm
Hello,

thanks a lot for your help! I appreciate it!

Regarding: "- on server side enable SecureNAT (if you cannot use a local bridge + DHCP server)" :
I did not have a Local bridge running in SE. I do now. I am not sure where to set up the DCHP server though.


Regarding enabling NAT:
I am trying to figure out where to enable NAT. I don't see anything about NAT in the router settings.
In my router the 'UPnP' option in Not activated. Since i have forwarded ports, i should leave it like this?
I know that in Win 10 there is an option for "Turn on network discovery".


Thanks!
SE server has built-in Virtual NAT and DHCP server
if you enable Secure NAT, then you have both and do not need others.

In SE server manager GUI, after connecting
- select the hub
- click "Manage Virtual Hub"
- then click "Virtual NAT and virtual DHCP server ..." on bottom left side
- the click on "Enable Secure NAT"

This is just SE server configuration and has nothing to do with you Win or home router.

here is the SecureNAt
Image

or in CLI with vpncmd
- ./vpncmd
- select 1 and hit Enter 2 times if this is first time to login
- SecureNatEnable

Rouzah

Re: Question about SE's DNS function

Post by Rouzah » Thu Feb 02, 2023 2:28 pm

Thanks shakibamoshiri,

In my LAN i see the internal IP of my PC and the internal IP of the SecNat.

1. When i forward ports in my router settings, should i forward ports to my PC-IP or to the SecureNat-IP?

2. The SecNat IP in my router settings is 192.168.178.XX but the SecNat IP in the SecNat configs window is 192.168.30.XX. Is that a problem, or should they be the same IP?

SecNat IP in SE:
SecNat.png
SecNat IP in router:
rtr.png

3. The person trying to connect to server gets this error:
berror.png
- ports are forwarded successfully. I tested them.

Thanks

edit

The problem seems to be with iphones. I went through all possibilities, as can be seen above but it is a problem pertaining to iphones.
You do not have the required permissions to view the files attached to this post.

shakibamoshiri
Posts: 284
Joined: Wed Dec 28, 2022 9:10 pm

Re: Question about SE's DNS function

Post by shakibamoshiri » Fri Feb 03, 2023 8:51 pm

Rouzah wrote:
Thu Feb 02, 2023 2:28 pm
Thanks shakibamoshiri,

In my LAN i see the internal IP of my PC and the internal IP of the SecNat.

1. When i forward ports in my router settings, should i forward ports to my PC-IP or to the SecureNat-IP?

2. The SecNat IP in my router settings is 192.168.178.XX but the SecNat IP in the SecNat configs window is 192.168.30.XX. Is that a problem, or should they be the same IP?

SecNat IP in SE:
SecNat.png

SecNat IP in router:
rtr.png


3. The person trying to connect to server gets this error:

berror.png

- ports are forwarded successfully. I tested them.

Thanks

edit

The problem seems to be with iphones. I went through all possibilities, as can be seen above but it is a problem pertaining to iphones.

if you run a SE server on your local machine (LAN)
-> you do not need to touch your home router
-> you do not need to open ports, etc

What you need
-> your LAN IP address (assuming it is 192.168.1.100 or could be 192.168.178.100)
-> run SE server on LAN
--> enable L2TPs functionality
--> add a user a a hub and that hub is the default one (can be seen on L2TP setting which hub is the default one)
---> e.g user you added is: "vpn" and password is "vpn"
--> enable SecureNAT
-> connect your iPhone to your Home LAN WiFi (do not use cellar network)
-> go to iPhone > Setting > General > Add VPN
--> type: L2TP
--> server address is your local LAN IP ==> 192.168.1.100 or 192.168.178.XXX
--> username and password: vpn && vpn

At this point your should be able to connect from your iPhone (Connected to LAN) to your LAN (running SE server)
YES if you think this is pointless.
This is just for testing SE and L2TP functionality if you can connect successfully or not

with my LAN IP 192.168.1.254

Image


Next Test
Connecting to SE server running on your LAN via your public IP address
I think you are looking for this one. So you want to connect from everywhere to your local machine running SE server via L2TP

You should
-> sign in to your home router and find your public IP address
-> enable / add port forwarding for
--> 443
--> 992
--> 1194
--> 500 (l2tp)
--> 4500 (l2tp)
--> 5555
-> make sure ports are open
-> in your iPhone (do not use cellar network -- still WifI -- this is for testing of opening ports)
--> update your L2TP server address and add your "public IP address"
-> try it if you can connect or not (it should connect

with my public IP address: X.X.X.X
Image


Final Test
-> in your iPhone (use cellar network)
--> update your L2TP server address and add your "public IP address"
-> try it if you can connect or not (I sometime could, sometimes did not work)

with cellar network this time did not work for me, sometime works.

Image

Is this end of the story and there is no way to connect ?
No, we can run a local bridge , connecting it to a public IP and then from everywhere conning to that public IP == connecting to your home network

Rouzah

Re: Question about SE's DNS function

Post by Rouzah » Fri Feb 03, 2023 10:07 pm

Hello shakibamoshiri,

thanks a lot for your reply and help,

i read carefully what you said.

Unfortunately i have only android. Android has no L2TP:
andr-no-l2tp.png

So i cannot perform Test1 and Test2,

but i will later try "Final Test" again, with a user who is far away and has an iphone.

And i will go read about "local bridge", and watch also Youtube videos about it.

If you have discord, i can add you to friends. Maybe i can help you in future.

Thanks for your effort.
You do not have the required permissions to view the files attached to this post.

Post Reply