SoftEtherVPN LAN to Cloud Connection

qorgh529
Posts: 6
Joined: Fri Mar 15, 2024 1:40 am

SoftEtherVPN LAN to Cloud Connection

Post by qorgh529 » Mon Mar 25, 2024 7:25 am

Hello.
I want to connect between the company (main) and the cloud (site) with SoftEther VPN.
We have nine sites.
Currently, a SoftEtherVPN server for each site was created and configured for remote access, which required the client to create multiple connections.


VM <---> Cloud VPN Server or VPN Bridge (site) <==Cascade Connection==>company VPN Server(Main-Virtual hub "CLOUD") <==L3==> company VPN Server(Main-Virtual Hub "OFFICE")<--->Client

I want the Client to access VPNServer and configure it to be remotely accessible to the VM.

IP Setting
OFFICE - 10.0.10.0/24
CLOUD - 10.0.20.0/24
Main - 10.10.4.0/24
Site - 10.23.0.0/16

L3 Setting - OFFICE
Virtual interfaces:
OFFICE - 10.0.10.1 / 255.255.255.0
CLOUD - 10.0.20.1 / 255.255.255.0

Routing Table:
Network address/ Subnet Mask / Gateway Address / Metric
10.0.10.0 / 255.255.255.0 / 10.0.10.1 / 1
10.0.20.0 / 255.255.255.0 / 10.0.20.1 / 1

Virtual Hub SecureNAT Setting - OFFICE
Edit the static routing table to push
10.10.4.0/255.255.255.0/10.0.10.1

Virtual Hub SecureNAT Setting - CLOUD
Edit the static routing table to push
10.23.0.0/255.255.0.0/10.0.20.1

VPN Bridge - Site
Cascade Connection

I would like to ask for your help on what is the problem in the above content.

solo
Posts: 1284
Joined: Sun Feb 14, 2021 10:31 am

Re: SoftEtherVPN LAN to Cloud Connection

Post by solo » Mon Mar 25, 2024 9:01 am



Re: SoftEtherVPN LAN to Cloud Connection

Post by qorgh529 » Wed Mar 27, 2024 8:16 am

Hi solo.
2024-03-27 16 56 15.png
I would like to have remote access to the VM (10.20.X.XX) server on the Bridge when I connect to the Virtual Hub "OFFICE" by proceeding with the following configuration.

I looked at the link you gave me and tried to organize it as below, but it was not connected.

Main L3
2024-03-27 17 04 07.png
OFFICE SecureNAT
2024-03-27 17 06 03.png
static routing table to push
10.10.2.0/255.255.255.0/10.0.10.1

CLOUD SecureNAT
IP Address : 10.0.20.1
Subnet Mask : 255.255.255.0

Virtual DHCP Server Setting
not use

static routing table to push
10.20.0.0/255.255.255.0/10.0.20.1, 10.0.20.0/255.255.255.0/10.0.10.200

Bridge
local Bridge Setting
status operating

BRIDGE SecureNAT
Disable SecureNAT


Re: SoftEtherVPN LAN to Cloud Connection

Post by solo » Wed Mar 27, 2024 1:12 pm

There are too many errors and omissions in your config. Let's simplify it:

- remove the L3
- disable SecureNAT on "CLOUD"
- install Microsoft Loopback Adapter and reboot it
- set a static IP on the MLA to 10.20.0.254 mask 255.255.0.0 - DG/DNS irrelevant
- bridge "CLOUD" to the MLA

In "OFFICE" change the "Static Routing Table to Push" to: 10.20.0.0/255.255.0.0/10.0.10.1
If your VPS is on Linux, use a soft tap bridge instead of MLA of course.


Re: SoftEtherVPN LAN to Cloud Connection

Post by qorgh529 » Thu Mar 28, 2024 3:13 am

hi solo

I did it in the order you told me to do it. Can you check the settings?

<Main>
Server IP Setting
IP : 10.10.2.39
Subnet Mask : 255.255.255.0
DG : 10.10.2.1

Local Bridge Setting
OFFICE -->ethernet
CLOUD-01(Same to CLOUD) --> Loopback driver Adapter

L3 is disabled

Virtual Hub "OFFICE"
SecureNAT enable
Virtual Host's Network Interface Settings
IP : 10.0.10.1
Subnet Mask : 255.255.255.0

Virtual DHCP Server Settings
enable DHCP
Distributes IP Address : 10.0.10.3 to 10.0.10.200
Subnet Mask : 255.255.255.0
DNS Server address : 8.8.8.8, 8.8.4.4

Static Routing table
10.10.2.0/255.255.255.0/10.0.10.1, 10.20.0.0/255.255.0.0/10.0.10.1

Virtual Hub "CLOUD-01"
SecureNAT disable

<Bridge>
Server IP Setting
IP : 10.20.0.3
Subnet : 255.255.255.240
DG : 10.20.0.1

Local Bridge Setting
BRIDGE --> Loopback driver Adapter

SecureNAT disable

Manage Cascade Connections
connect to <Main>-Virtual Hub "CLOUD-01"

After proceeding with the above setting, I tried to remotely access 10.10.2.39 and 10.20.0.3 on the external band PC (10.30.0.75) through OFFICE.
10.10.2.39, remote access was possible,
Remote access was not possible at 10.20.0.3.
Please let me know if there is anything I need to modify or add.


Re: SoftEtherVPN LAN to Cloud Connection

Post by solo » Thu Mar 28, 2024 8:09 am

Hi qorgh529, note...
qorgh529 wrote:
Thu Mar 28, 2024 3:13 am
<Main>
...
Local Bridge Setting
OFFICE -->ethernet
...you can't have both sNAT and a bridge.
- delete the bridge

You have forgotten <Main> MLA
- set a static IP on the MLA to 10.20.0.254 mask 255.255.0.0 - DG/DNS irrelevant

Next, on <Main>:
- set to "auto" and start the "Routing and Remote Access" service (if not running already by default)
- run: netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes
- on "OFFICE" click "Edit Virtual Hub Extended Option List" and set DisableKernelModeSecureNAT = 1
- reboot

<Bridge>
...
Local Bridge Setting
BRIDGE --> Loopback driver Adapter
Why? I did not specify 2x MLAs!
- remove the MLA
- this is only a bridge to NIC 10.20.0.3

Also on <Bridge>:
- run: netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes

Then on <Bridge> LAN DG: 10.20.0.1 - on the router add a static route:
ip route add 10.10.2.0/24 via 10.20.0.254
- if the router does not support static routes, add persistent static route to every PC/VM which needs to cross-connect:
route -p add 10.10.2.0 mask 255.255.255.0 10.20.0.254

Test pings:
from 10.10.2.39 to 10.20.0.3
...and vice-versa
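
Added example, not part of the original thread: a small consistency checker for the "network/mask/gateway" route entries discussed above. It verifies that every gateway is on-link for the interface that will use it and that the targets to be reached are covered by a route. The addresses are the ones posted in the thread; the function names are hypothetical.

```python
import ipaddress

# Values copied from the posts above.
OFFICE_PUSH = "10.10.2.0/255.255.255.0/10.0.10.1, 10.20.0.0/255.255.0.0/10.0.10.1"
BRIDGE_ROUTE = "10.10.2.0/255.255.255.0/10.20.0.254"

def parse_pushed_routes(text):
    """Parse comma-separated network/mask/gateway entries."""
    routes = []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        parts = entry.split("/")
        if len(parts) != 3:
            raise ValueError(f"expected network/mask/gateway, got {entry!r}")
        net, mask, gw = parts
        # strict=True rejects a network address that has host bits set
        network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        routes.append((network, ipaddress.ip_address(gw)))
    return routes

def check_routes(host_ip, host_mask, routes, must_reach=()):
    """Return findings for one host or virtual interface (empty list = consistent)."""
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    findings = []
    for network, gw in routes:
        # A next hop outside the interface's own subnet cannot be reached directly.
        if gw not in iface.network:
            findings.append(
                f"gateway {gw} for {network} is not on-link in {iface.network}")
    for target in map(ipaddress.ip_address, must_reach):
        if target in iface.network:
            continue  # same subnet, no route needed
        if not any(target in network for network, _ in routes):
            findings.append(f"no route covers {target}")
    return findings

if __name__ == "__main__":
    # OFFICE virtual host interface and the routes it pushes to clients
    print(check_routes("10.0.10.1", "255.255.255.0",
                       parse_pushed_routes(OFFICE_PUSH),
                       ["10.10.2.39", "10.20.0.3"]))
    # <Bridge> host with the mask from the earlier post and the suggested route
    print(check_routes("10.20.0.3", "255.255.255.240",
                       parse_pushed_routes(BRIDGE_ROUTE), ["10.10.2.39"]))
```

With the 255.255.255.240 mask posted for <Bridge>, the checker reports 10.20.0.254 as off-link; with 255.255.0.0 it reports nothing.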


Re: SoftEtherVPN LAN to Cloud Connection

Post by qorgh529 » Wed Apr 03, 2024 6:58 am

hello, solo.

The VPN Bridge was configured in the way you told me last time.

In addition, may I ask if the current VPN Bridge can be configured as follows?

For example, is there a way for a 10.10.2.45 PC to have remote access to a 10.20.0.3 PC or 10.20.0.0/24 band PC without using the SoftEtherVPN Client program?

Is there a way to remotely access 10.20.0.3 and check the situation where 10.10.2.45PC has remote access on the record with netstat?

I'll be waiting for your help. Thank you.


Re: SoftEtherVPN LAN to Cloud Connection

Post by solo » Wed Apr 03, 2024 11:30 am

qorgh529 wrote:
Wed Apr 03, 2024 6:58 am
is there a way for a 10.10.2.45 PC to have remote access to a 10.20.0.3 PC or 10.20.0.0/24 band PC without using the SoftEtherVPN Client program?
Yes, of course, in fact it is so by design, no client necessary, note my previous post...
Test pings:
from 10.10.2.39 to 10.20.0.3
...and vice-versa


Re: SoftEtherVPN LAN to Cloud Connection

Post by qorgh529 » Thu Apr 04, 2024 2:18 am

Hello. Solo

I changed the internal IP of each server because the conditions were confusing for myself. And I reorganized the contents below by referring to the answer you posted before.

<Main>
Private IP : 192.168.0.40/255.255.255.0/192.168.0.1

Virtual Hub
not use "Office"
Use Only "CLOUD-01"
Local Bridge connect : MS Loopback(172.20.10.254) <-->CLOUD-01
CLOUD-01 not use SecureNAT
DisableKernelModeSecureNAT=1

<Bridge>
Private : 172.20.10.2/255.255.255.0/172.20.10.1
Cascadeconnection : CLOUD-01
Local Bridge : default nic <-->BRIDGE
Route -p add 192.168.0.0 mask 255.255.255.0 172.20.10.254
"File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes

<test1>
IP : 192.168.0.201/255.255.255.0/192.168.0.1

<ping test>
Main ---> Bridge
2024-04-04 11 15 21.png
Bridge --> Main
2024-04-04 11 17 21.png


Re: SoftEtherVPN LAN to Cloud Connection

Post by solo » Thu Apr 04, 2024 3:43 am

That "cloud" is only 2ms away. If you're testing it all on a LAN or VMs, you will most likely fail without prior networking experience. Furthermore, as you keep moving the goalposts and changing configuration, it becomes convoluted, inconsistent and no longer interesting.
