SoftEther VPN Server and Teltonika IoT routers

Widi2021
Posts: 3
Joined: Thu Sep 23, 2021 7:51 am

SoftEther VPN Server and Teltonika IoT routers

Post by Widi2021 » Fri Nov 01, 2024 1:27 pm

Has anyone had any experience with setting up VPN connections from Teltonika routers to the SoftEther VPN server?

We operate several webcams in remote locations. The data connection to the Internet is provided by Teltonika 3G/4G routers (RUT240, RUT955, ...). Each of these “webcams” is a small, independent network consisting of a smart Teltonika router, a network-based webcam and possibly other devices. For on-site maintenance, the Teltonika routers provide a DHCP service and a WLAN so that you can connect directly to the network via a laptop.

Now I want to set up remote management for the devices. I know there is Teltonika RMS for this - but for us as a non-profit organization, this is prohibitively expensive.

So far I have:
  • a SoftEther VPN server as a Docker container on a virtual server on the Internet (IONOS, Germany),
    OpenVPN, L2TP/IPsec and L2TPv3/IPsec activated
  • a virtual hub ("users") with SecureNAT+DHCP (IP subnet: 192.168.144.1/24) for RAS connections of maintenance workstations
  • several Windows workstations (Win10, Win11) that can connect to the VPN server via L2TP/IPsec and log on to the virtual hub “users”.
Now I want to integrate the external networks of the webcams into my VPN network. I want the subnets of the webcams (192.168.153.0/24, 192.168.154.0/24, ...) to be accessible from the maintenance workstations via the VPN server (at least: ssh, https).
As the webcams are connected to the Internet via (relatively expensive) 3G/4G connections, the data throughput should be as low as possible. I would therefore prefer IPsec connections, as I have the impression that their protocol-specific overhead is somewhat lower than with OpenVPN.

However, I can't set up these VPN connections so that they work. I have already tried many settings using various examples and community pages ... but it doesn't work.

So far I have:
  • an IPsec connection from the external device to the VPN server
  • here I can specify different IP subnets as local and remote subnet
  • local identifier (IPsec phase 1 id) set to “burgcam”, as I want to use it to identify my device on the VPN server
  • remote identifier set to "*" (or %any), because the identification (IP address) of the VPN server may change
  • The status information on the device claims that the IPsec connection to the VPN server has been set up successfully.


    root@burgcam:~# ipsec statusall
    Status of IKE charon daemon (strongSwan 5.9.6, Linux 5.4.259, mips):
      uptime: 93 minutes, since Nov 01 11:24:00 2024
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
      loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp pem openssl pkcs8 xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
    Listening IP addresses:
      192.168.18.46         // WAN connection
      2001:....
      192.168.154.1         // LAN connection
      fda8:....
    Connections:
    t04rut1-t04rut1_c:  %any...VPN.FQDN  IKEv1
    t04rut1-t04rut1_c:   local:  [burgcam] uses pre-shared key authentication
    t04rut1-t04rut1_c:   remote: uses pre-shared key authentication
    t04rut1-t04rut1_c:   child:  10.2.154.0/24 === 10.1.154.0/24 TUNNEL
    Security Associations (1 up, 0 connecting):
    t04rut1-t04rut1_c[1]: ESTABLISHED 93 minutes ago, 192.168.18.46[burgcam]...xx.xxx.xxx.xxx[172.19.0.76]
    t04rut1-t04rut1_c[1]: IKEv1 SPIs: XXXX_i* XXXX_r, pre-shared key reauthentication in 10 hours
    t04rut1-t04rut1_c[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    t04rut1-t04rut1_c{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: YYYY_i YYYY_o
    t04rut1-t04rut1_c{2}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 10 hours
    t04rut1-t04rut1_c{2}:   10.2.154.0/24 === 10.1.154.0/24
    root@burgcam:~#
    
  • I can also see that there is a keep-alive protocol between my device and the VPN server. The logging of my device shows the following sequence every 10 seconds:


    Fri Nov  1 14:17:34 2024 daemon.info ipsec: 11[NET] <t04rut1-t04rut1_c|1> received packet: from VPN-SERVER-IP[4500] to 192.168.18.46[4500] (92 bytes)
    Fri Nov  1 14:17:34 2024 daemon.info ipsec: 11[ENC] <t04rut1-t04rut1_c|1> parsed INFORMATIONAL_V1 request 125700624 [ HASH N(DPD) ]
    Fri Nov  1 14:17:34 2024 daemon.info ipsec: 11[ENC] <t04rut1-t04rut1_c|1> generating INFORMATIONAL_V1 request 2378061043 [ HASH N(DPD_ACK) ]
    Fri Nov  1 14:17:34 2024 daemon.info ipsec: 11[NET] <t04rut1-t04rut1_c|1> sending packet: from 192.168.18.46[4500] to VPN-SERVER-IP[4500] (92 bytes)
    
  • I can also see these protocol messages in the network tracing of my device, using "tcpdump":


    14:17:34.470529 IP VPN-SERVER-IP.4500 > 192.168.18.46.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
    14:17:34.479939 IP 192.168.18.46.4500 > VPN-SERVER-IP.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
    14:17:40.615530 IP VPN-SERVER-IP.4500 > 192.168.18.46.4500: isakmp-nat-keep-alive
    
  • and in the network tracing of my VPN server:


    13:17:34.456242 IP 172.19.0.76.4500 > DEVICE-WAN-IP.62350: NONESP-encap: isakmp: phase 2/others ? inf[E]
    13:17:34.491457 IP DEVICE-WAN-IP.62350 > 172.19.0.76.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
    13:17:40.601248 IP 172.19.0.76.4500 > DEVICE-WAN-IP.62350: isakmp-nat-keep-alive
    
But I can't send any payload over this tunnel (see "0 bytes_i, 0 bytes_o" above).

Can someone help me to finally get this up and running?
  • How should I configure the virtual hubs in the VPN server? Do I need separate hubs for each external device/subnet or does it make more sense to register all external devices via a common hub?
  • What type of IPsec connection should the remote devices use? bare IPsec, L2TP/IPsec, L2TPv3/IPsec?
  • What kind of routing is required on the VPN server?
  • What kind of routing do I need on the devices?
  • ...
Thanks and regards
Friedbert
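An added diagnostic for exactly the situation described in this post (example code, not part of the thread): a small shell helper that parses `ipsec statusall` output and lists every CHILD_SA that is INSTALLED but has counted 0 bytes in both directions. The sample listing embedded in the script is constructed to mirror the output quoted above; the connection names, the second tunnel (t05rut1) and the SPI placeholders are invented for the example.

```shell
#!/bin/sh
# Added example, not from the original post: flag IPsec CHILD_SAs that are
# INSTALLED but have carried no payload in either direction.

# Constructed excerpt of `ipsec statusall` output (names and SPIs are placeholders).
SAMPLE_STATUS='Security Associations (2 up, 0 connecting):
t04rut1-t04rut1_c[1]: ESTABLISHED 93 minutes ago, 192.168.18.46[burgcam]...xx.xxx.xxx.xxx[172.19.0.76]
t04rut1-t04rut1_c{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: XXXX_i XXXX_o
t04rut1-t04rut1_c{2}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 10 hours
t04rut1-t04rut1_c{2}:   10.2.154.0/24 === 10.1.154.0/24
t05rut1-t05rut1_c{3}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: ZZZZ_i ZZZZ_o
t05rut1-t05rut1_c{3}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 8120 bytes_i (61 pkts, 3s ago), 9934 bytes_o (70 pkts, 3s ago), rekeying in 9 hours
t05rut1-t05rut1_c{3}:   10.2.155.0/24 === 10.1.155.0/24'

# Reads `ipsec statusall` text on stdin and prints, for every CHILD_SA with
# zero bytes in both directions:
#   <child-sa name> <bytes_in> <bytes_out> <traffic selectors>
# Such an SA is negotiated and installed, so IKE and ESP are fine; nothing on
# either side has produced a packet that matches its selectors.
idle_child_sas() {
  awk '
    # Counter line: "name{N}:  <ciphers>, X bytes_i ..., Y bytes_o ..., rekeying in ..."
    /bytes_i/ && /bytes_o/ {
      name = $1; sub(/:$/, "", name)
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^bytes_i/) bin[name] = $(i - 1)
        if ($i ~ /^bytes_o/) bout[name] = $(i - 1)
      }
      next
    }
    # Selector line of an installed CHILD_SA: "name{N}:   local/prefix === remote/prefix"
    # (the "child:" lines under "Connections:" have no {N} and are skipped)
    /===/ && index($1, "{") > 0 {
      name = $1; sub(/:$/, "", name)
      sel[name] = $2 " === " $4
    }
    END {
      for (name in bin)
        if (bin[name] == 0 && bout[name] == 0)
          print name, bin[name], bout[name], sel[name]
    }
  '
}

# On the router: ipsec statusall | idle_child_sas
printf '%s\n' "$SAMPLE_STATUS" | idle_child_sas
```

With the constructed sample this prints only the t04rut1 tunnel, which is the pattern in the post: a live DPD exchange plus 0/0 counters means the tunnel itself is up and the next thing to check is whether the traffic selectors (10.2.154.0/24 === 10.1.154.0/24 here) and the routes on both ends actually steer the webcam and workstation traffic into it.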

solo
Posts: 1518
Joined: Sun Feb 14, 2021 10:31 am

Re: SoftEther VPN Server and Teltonika IoT routers

Post by solo » Sat Nov 02, 2024 2:01 am

Widi2021 wrote:
Fri Nov 01, 2024 1:27 pm
  • ...Do I need separate hubs for each external device/subnet...
  • What type of IPsec connection should the remote devices use? bare IPsec, L2TP/IPsec, L2TPv3/IPsec?
  • What kind of routing is required on the VPN server?
  • What kind of routing do I need on the devices?
1. yes
2. L2TPv3/IPsec
3. none, install also SE client and connect with a preset, static, remote LAN IP to vhubs on "localhost" address
4. none, connect with a static local LAN IP

Widi2021
Posts: 3
Joined: Thu Sep 23, 2021 7:51 am

Re: SoftEther VPN Server and Teltonika IoT routers

Post by Widi2021 » Sat Nov 02, 2024 11:03 am

Thank you for these tips. That already shows me the direction in which I need to think or search.

But now I have a small problem. The firmware of the Teltonika routers is based on a slightly older version of OpenWRT - currently V21.02.0 is used. Unfortunately, the SE client is not yet included in the software repository.
And I don't feel like creating the client in the RUT SDK myself with cross-compilers - especially since I would probably need several versions for different routers with different processors.

Is there also a way to use the standard client for L2TPv3/IPsec? (currently: Linux strongSwan U5.9.6/K5.4.259)

Regards,
Friedbert

solo
Posts: 1518
Joined: Sun Feb 14, 2021 10:31 am

Re: SoftEther VPN Server and Teltonika IoT routers

Post by solo » Sat Nov 02, 2024 1:10 pm

Yes, on SE server enable the "EtherIP / L2TPv3 over IPsec Server Function".
The next best is "L2TP Server Function (L2TP over IPsec)".
For minimal overhead, go "L2TP Server Function (Raw L2TP with No Encryption)".
SE client is only needed on SE server, while a remote network connects via IPsec/L2TP to the same hub.

Incidentally, SE doc...
Note
Disable any IPsec/L2TP function on the server computer which might conflict with SoftEther VPN Server's IPsec/L2TP function. If the UDP ports (500, 4500 and 1701) conflict with other programs, IPsec communication will not work well.
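A quick way to verify the port condition in that note before debugging the tunnel, as an added example (not from the thread or the SoftEther documentation): a shell helper that reads `ss -H -u -l -n -p` output on the server host and reports which process holds UDP 500, 4500 and 1701. The socket listing embedded below is constructed for the example; it shows a hypothetical host where a strongSwan `charon` still owns 500/4500 beside SoftEther's `vpnserver` on 1701, and the process names and PIDs are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: find the owners of the UDP ports that
# SoftEther's IPsec/L2TP functions need (500, 4500, 1701).

# Constructed excerpt of `ss -H -u -l -n -p` on a hypothetical server host.
SAMPLE_SOCKETS='UNCONN 0 0 0.0.0.0:500  0.0.0.0:* users:(("charon",pid=1234,fd=18))
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("charon",pid=1234,fd=19))
UNCONN 0 0 0.0.0.0:1701 0.0.0.0:* users:(("vpnserver",pid=777,fd=12))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=600,fd=13))'

# Reads an `ss` listing on stdin; prints "<port> <process>" for each IPsec/L2TP
# port, or "<port> free" when nothing listens on it.
ipsec_port_owners() {
  awk '
    BEGIN { want[500] = 1; want[4500] = 1; want[1701] = 1 }
    {
      # local address is field 4; the port is whatever follows the last colon
      n = split($4, a, ":"); port = a[n]
      if (!(port in want)) next
      proc = "unknown"
      # users:(("name",pid=...)) -> take the quoted process name
      if (match($0, /users:\(\("[^"]+"/)) {
        proc = substr($0, RSTART + 9, RLENGTH - 10)
      }
      owner[port] = proc
    }
    END {
      for (p in want) print p, (p in owner ? owner[p] : "free")
    }
  ' | sort -n
}

# Only the ports held by something other than SoftEther (process name "vpnserver",
# an assumption for a native install; inside Docker the host may show docker-proxy).
conflicting_ports() {
  ipsec_port_owners | awk '$2 != "free" && $2 != "vpnserver"'
}

# On the server host: ss -H -u -l -n -p | conflicting_ports
printf '%s\n' "$SAMPLE_SOCKETS" | conflicting_ports
```

On the constructed sample this reports 500 and 4500 as owned by `charon`, which is the conflict the note warns about: SoftEther can never receive the IKE or NAT-T traffic while another daemon on the same host is bound to those ports.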

mendoza_lt
Posts: 28
Joined: Fri Jul 05, 2024 8:37 pm

Re: SoftEther VPN Server and Teltonika IoT routers

Post by mendoza_lt » Sun Nov 03, 2024 5:00 pm

Yes. I managed to make it work with RUT 200, also with RUTX09. On RUT 240 I have used OpenVPN; on RUTX09 you can install SE VPN server/bridge.
