OpenVpn clients access to local resources only, specific setup.

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Sun Nov 03, 2024 5:32 pm

Good morning.

I have a setup of two SE servers; server 1 is behind a firewall. Server 2 is acting as a "gateway" for server 1, and they are connected to each other with an SE VPN cascade connection. I am planning to use OpenVPN connections to the server, but I need them to have access only to a specific network, and not to the internet through it. So I have to set up static routing. If I turn on SecureNAT on server 1, enable DHCP and set a static route to push, and leave server 2 without SecureNAT, it works if you connect with the SoftEther client, but it does not work with the OpenVPN client (Win); I get an error. Then if I turn off SecureNAT on server 1 and set it on server 2, with the same static route, I can't access that network even when connecting with the SoftEther VPN client. Technically there should not be any difference since the cascade connection is layer 2... but there is...

What would be the correct configuration in this case?
Screenshot 2024-11-03 183055.png

solo
Posts: 1519
Joined: Sun Feb 14, 2021 10:31 am

Re: OpenVpn clients access to local resources only, specific setup.

Post by solo » Sun Nov 03, 2024 10:51 pm

Switch OpenVPN to TAP mode and forget scenario #2.

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Mon Nov 04, 2024 4:59 am

Screenshot 2024-11-04 055837.png

solo
Posts: 1519
Joined: Sun Feb 14, 2021 10:31 am

Re: OpenVpn clients access to local resources only, specific setup.

Post by solo » Mon Nov 04, 2024 5:22 am

TAP works for me...

Tue Apr 26 15:49:51 2022 MANAGEMENT: >STATE:1650952191,GET_CONFIG,,,
Tue Apr 26 15:49:52 2022 SENT CONTROL [vpn16647666.softether.net]: 'PUSH_REQUEST' (status=1)
Tue Apr 26 15:49:52 2022 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10'
Tue Apr 26 15:49:52 2022 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 26 15:49:52 2022 open_tun, tt->ipv6=0
Tue Apr 26 15:49:52 2022 TAP-WIN32 device [Local Area Connection 6] opened: \\.\Global\{8B4A5AC1...}.tap
Tue Apr 26 15:49:52 2022 TAP-Windows Driver Version 9.9 
Tue Apr 26 15:49:52 2022 Successful ARP Flush on interface [65544] {8B4A5AC1-E4DF-4837-93E8-FA6949A564C4}
Tue Apr 26 15:49:57 2022 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Tue Apr 26 15:49:57 2022 Initialization Sequence Completed
Tue Apr 26 15:49:57 2022 MANAGEMENT: >STATE:1650952197,CONNECTED,SUCCESS,,127.0.0.1

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Mon Nov 04, 2024 5:27 am

Is that the OpenVPN Windows client?

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Mon Nov 04, 2024 5:34 am

Is that log from 2022? I think there have been a lot of updates for OpenVPN since then...

Tue Apr 26 15:49:51 2022

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Mon Nov 04, 2024 5:36 am

Ok, that's why:
Screenshot 2024-11-04 063557.png

solo
Posts: 1519
Joined: Sun Feb 14, 2021 10:31 am

Re: OpenVpn clients access to local resources only, specific setup.

Post by solo » Mon Nov 04, 2024 6:01 am

Yeah, yours is v3. A fresh log from the latest v2...

2024-11-04 16:51:06 OpenVPN 2.6.10 [git:v2.6.10/ba0f62fb950c56a0] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 20 2024
2024-11-04 16:51:06 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-11-04 16:51:06 library versions: OpenSSL 3.2.1 30 Jan 2024, LZO 2.10
2024-11-04 16:51:06 DCO version: N/A
2024-11-04 16:51:06 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2024-11-04 16:51:06 Need hold release from management interface, waiting...
2024-11-04 16:51:07 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49693
2024-11-04 16:51:07 MANAGEMENT: CMD 'state on'
2024-11-04 16:51:07 MANAGEMENT: CMD 'log on all'
2024-11-04 16:51:07 MANAGEMENT: CMD 'echo on all'
2024-11-04 16:51:07 MANAGEMENT: CMD 'bytecount 5'
2024-11-04 16:51:07 MANAGEMENT: CMD 'state'
2024-11-04 16:51:07 MANAGEMENT: CMD 'hold off'
2024-11-04 16:51:07 MANAGEMENT: CMD 'hold release'
2024-11-04 16:51:07 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-11-04 16:51:07 MANAGEMENT: >STATE:1730699467,RESOLVE,,,,,,
2024-11-04 16:51:07 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxxx
2024-11-04 16:51:07 Socket Buffers: R=[65536->65536] S=[65536->65536]
2024-11-04 16:51:07 UDPv4 link local: (not bound)
2024-11-04 16:51:07 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
2024-11-04 16:51:07 MANAGEMENT: >STATE:1730699467,WAIT,,,,,,
2024-11-04 16:51:07 MANAGEMENT: >STATE:1730699467,AUTH,,,,,,
2024-11-04 16:51:07 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:xxxx, sid=06c1e778 ec03fafc
2024-11-04 16:51:07 VERIFY OK: depth=1
2024-11-04 16:51:07 VERIFY OK: depth=0
2024-11-04 16:51:07 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2024-11-04 16:51:07 [xxx] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:xxxx
2024-11-04 16:51:07 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-11-04 16:51:07 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-11-04 16:51:08 MANAGEMENT: >STATE:1730699468,GET_CONFIG,,,,,,
2024-11-04 16:51:08 SENT CONTROL [xxx]: 'PUSH_REQUEST' (status=1)
2024-11-04 16:51:08 PUSH: Received control message: 'PUSH_REPLY,route-gateway dhcp,ping 10,ping-restart 120,peer-id 1'
2024-11-04 16:51:08 OPTIONS IMPORT: route-related options modified
2024-11-04 16:51:08 Using peer cipher 'AES-256-CBC'
2024-11-04 16:51:08 interactive service msg_channel=652
2024-11-04 16:51:08 open_tun
2024-11-04 16:51:08 tap-windows6 device [Local Area Connection] opened
2024-11-04 16:51:08 TAP-Windows Driver Version 9.27 
2024-11-04 16:51:08 Successful ARP Flush on interface [3] {0CDCCA71-6399-4E26-9C4B-8916335A43C8}
2024-11-04 16:51:08 MANAGEMENT: >STATE:1730699468,ASSIGN_IP,,,,,,
2024-11-04 16:51:08 Data Channel: cipher 'AES-256-CBC', auth 'SHA1', peer-id: 1, compression: 'lzo'
2024-11-04 16:51:08 Timers: ping 10, ping-restart 120
2024-11-04 16:51:13 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
2024-11-04 16:51:13 Initialization Sequence Completed
2024-11-04 16:51:13 MANAGEMENT: >STATE:1730699473,CONNECTED,SUCCESS,,xxx.xxx.xxx.xxx:xxxx,,

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Mon Nov 04, 2024 9:00 pm

OK, used OpenVPN 2.6.12 (latest), managed to connect... Sort of...

Client says "Connected", I can't reach the LAN that I'm supposed to reach, and there is also no internet.

Also, where did I get this one from?:

192.0.0.8/255.255.255.240

2024-11-04 21:47:52 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
2024-11-04 21:47:52 OPTIONS IMPORT: --ifconfig/up options modified
2024-11-04 21:47:52 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-11-04 21:47:52 Using peer cipher 'AES-128-CBC'
2024-11-04 21:47:52 interactive service msg_channel=448
2024-11-04 21:47:52 open_tun
2024-11-04 21:47:52 tap-windows6 device [OpenVPN TAP-Windows6] opened
2024-11-04 21:47:52 TAP-Windows Driver Version 9.27 
2024-11-04 21:47:52 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.0.0.8/255.255.255.240 on interface {3C629F95-23F0-423D-BAA0-4880B0D7CF24} [DHCP-serv: 192.0.0.0, lease-time: 31536000]
2024-11-04 21:47:52 Successful ARP Flush on interface [83] {3C629F95-23F0-423D-BAA0-4880B0D7CF24}
2024-11-04 21:47:52 MANAGEMENT: >STATE:1730753272,ASSIGN_IP,,192.0.0.8,,,,
2024-11-04 21:47:52 IPv4 MTU set to 1500 on interface 83 using service
2024-11-04 21:47:52 Blocking outside dns using service succeeded.
2024-11-04 21:47:52 Data Channel: cipher 'AES-128-CBC', auth 'SHA1'
2024-11-04 21:47:52 Timers: ping 3, ping-restart 10
2024-11-04 21:47:57 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
2024-11-04 21:47:57 Initialization Sequence Completed
2024-11-04 21:47:57 MANAGEMENT: >STATE:1730753277,CONNECTED,SUCCESS,192.0.0.8,xxx.xxx.xxx.xxx,xxx,,

solo
Posts: 1519
Joined: Sun Feb 14, 2021 10:31 am

Re: OpenVpn clients access to local resources only, specific setup.

Post by solo » Tue Nov 05, 2024 12:47 am

mendoza_lt wrote:
Mon Nov 04, 2024 9:00 pm

...PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
You have not switched to TAP mode yet. Correct it and while at it, add to .ovpn config "route-nopull" and "route xxx..." for the remote LAN.

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Tue Nov 05, 2024 6:50 am

You have not switched to TAP mode yet
I'm a little bit confused here... isn't it that if I use "blabla_openvpn_site_to_site_bridge_l2.ovpn" generated by the SE VPN Server Manager, and there is a "dev tap" entry in the file, it should automatically switch to TAP?

How else can I switch to TAP?

solo
Posts: 1519
Joined: Sun Feb 14, 2021 10:31 am

Re: OpenVpn clients access to local resources only, specific setup.

Post by solo » Tue Nov 05, 2024 8:35 am

mendoza_lt wrote:
Sun Nov 03, 2024 5:32 pm
If i turn on secure nat on server 1, enable dhcp and set static routing to push, and server 2 without secure nat, it works if you connect with Softether client, but it does not work with OpenVpn client (win)
Start the VPN and post AS CODE the output of:

VPN server #1:
-----------------
netstat -r
ipconfig /all
vpncmd localhost:port /server /password:*** /cmd ServerInfoGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd StatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd NatGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatStatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatHostGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd DhcpGet
//replace: port with number; *** with SE admin password; @@@ with hub name

SoftEther VPN client:
------------------------
netstat -r
ipconfig /all
ping xxx.xxx.xxx.xxx  //address from the remote LAN
Next, disconnect the SoftEther VPN client and from the same PC start OpenVPN and post AS CODE the output of:

netstat -r
ipconfig /all
ping xxx.xxx.xxx.xxx  //address from the remote LAN
+ the contents of your .ovpn file
+ a fresh OpenVPN log of only the "...PUSH_REPLY..." line

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Tue Nov 05, 2024 8:51 am

I have added this:

route-nopull
route 192.168.12.0 255.255.255.0
route-gateway 192.168.120.1

which should be the same as this:
Capture.PNG
but I have this:

2024-11-05 09:26:24 Route: Waiting for TUN/TAP interface to come up...
2024-11-05 09:26:25 TEST ROUTES: 0/1 succeeded len=1 ret=0 a=0 u/d=up
2024-11-05 09:26:25 Route: Waiting for TUN/TAP interface to come up...
2024-11-05 09:26:26 TEST ROUTES: 0/1 succeeded len=1 ret=0 a=0 u/d=up
2024-11-05 09:26:26 Route: Waiting for TUN/TAP interface to come up...
2024-11-05 09:26:27 TEST ROUTES: 0/1 succeeded len=1 ret=0 a=0 u/d=up
2024-11-05 09:26:27 MANAGEMENT: >STATE:1730795187,ADD_ROUTES,,,,,,
2024-11-05 09:26:27 C:\WINDOWS\system32\route.exe ADD 192.168.12.0 MASK 255.255.255.0 192.168.120.1
2024-11-05 09:26:27 Warning: route gateway is not reachable on any active network adapters: 192.168.120.1
SYSTEM ROUTING TABLE

Yes, 192.168.12.0 and 192.168.120.1 are correct, that is not a typo.

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Tue Nov 05, 2024 9:09 am

Server #1:

Edit: At the request of the original poster, this post has been modified to remove sensitive information.

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Tue Nov 05, 2024 9:25 am

Client PC with SE VPN Connected:

rs\mailt\kaka> netstat -r
Edit: At the request of the original poster, this post has been modified to remove sensitive information.

solo
Posts: 1519
Joined: Sun Feb 14, 2021 10:31 am

Re: OpenVpn clients access to local resources only, specific setup.

Post by solo » Tue Nov 05, 2024 10:32 am

mendoza_lt wrote:
Tue Nov 05, 2024 8:51 am
I have added this:
route-nopull
route 192.168.12.0 255.255.255.0
route-gateway 192.168.120.1
Please remove those, start OpenVPN and post AS CODE the output of:

netstat -r
ipconfig /all
ping xxx.xxx.xxx.xxx  //address from the remote LAN
+ the contents of your .ovpn file
+ a fresh OpenVPN log of only the "...PUSH_REPLY..." line

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Tue Nov 05, 2024 10:49 am

OK, I will, but I will have to do that later; I am away from that PC and have only remote access... and if I connect with OpenVPN, I will lose the connection...

solo
Posts: 1519
Joined: Sun Feb 14, 2021 10:31 am

Re: OpenVpn clients access to local resources only, specific setup.

Post by solo » Tue Nov 05, 2024 1:06 pm

While waiting for your log, note that if you see "PUSH_REPLY ... ifconfig" in it, then it is not TAP mode. Your SE server is properly set up and all you have to do is use the default L2/TAP ovpn config - no need to change anything else (apart from data-ciphers, tcp/udp, etc).
"I'm a little bit confused here... isn't it if i use "blabla_openvpn_site_to_site_bridge_l2.ovpn" generated by SE vpn server manager, and there is "dev tap" entry in the file it should automatically switch to TAP? How else can i switch to TAP?"
You're making a basic mistake somewhere. You had imported configs first in v3 then in v2 and something got mixed up. OpenVPN keeps configs in a few places - fix it.
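The check solo describes above (an `ifconfig` in the PUSH_REPLY means the server is handing out an L3 address, so the session is not in TAP mode) can be applied mechanically to a client log. The script below is an added example, not code from the thread or from SoftEther/OpenVPN: it pulls the last PUSH_REPLY out of an OpenVPN client log, classifies the session as TUN or TAP using the pattern visible in the two logs posted earlier in this thread (the L2 bridge pushed `route-gateway dhcp` and no `ifconfig`; the L3 server pushed `ifconfig <addr> <mask>`), compares that against the `dev` line of the .ovpn file, and reports the "route gateway is not reachable" warning seen in the poster's log. The sample log lines are copied from this thread; the .ovpn text and its `remote` host are constructed placeholders. The `block-outside-dns` finding relies on solo's later statement that SoftEther 4.42 does not emit that option.

```python
"""Classify an OpenVPN client log as TUN or TAP from its PUSH_REPLY and
cross-check it against the .ovpn 'dev' line. Added example; heuristic taken
from the logs posted in this thread, not from OpenVPN or SoftEther code."""
import re

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY[^']*)'")
ROUTE_WARN_RE = re.compile(
    r"route gateway is not reachable on any active network adapters: (\S+)")
DEV_RE = re.compile(r"^\s*dev\s+(tun|tap)\S*", re.MULTILINE)


def parse_push_reply(log_text):
    """Return {option: argument} from the last PUSH_REPLY in the log, or None."""
    matches = PUSH_RE.findall(log_text)
    if not matches:
        return None
    opts = {}
    for item in matches[-1].split(",")[1:]:  # drop the leading 'PUSH_REPLY'
        name, _, arg = item.strip().partition(" ")
        opts[name] = arg  # arg is '' for flag-style options
    return opts


def pushed_mode(opts):
    """'tun' if the server assigned an L3 address with ifconfig, 'tap' if it
    told the client to learn its gateway over DHCP, otherwise 'unknown'."""
    if opts is None:
        return "unknown"
    if "ifconfig" in opts:
        return "tun"
    if opts.get("route-gateway") == "dhcp":
        return "tap"
    return "unknown"


def config_dev(ovpn_text):
    """The 'dev tun|tap' setting from a .ovpn file, or None if absent."""
    m = DEV_RE.search(ovpn_text)
    return m.group(1) if m else None


def analyze(log_text, ovpn_text):
    """Combine the pushed options, the config's dev line and route warnings
    into a small report a practitioner can act on."""
    opts = parse_push_reply(log_text)
    mode = pushed_mode(opts)
    dev = config_dev(ovpn_text)
    findings = []
    if dev and mode != "unknown" and dev != mode:
        findings.append(f"config requests dev {dev} but the server pushed "
                        f"{mode}-style options; check which server answered")
    if opts and "block-outside-dns" in opts:
        # Per the thread, SoftEther 4.42 does not push this option.
        findings.append("server pushed block-outside-dns, which the thread "
                        "reports SoftEther 4.42 does not emit")
    for gw in ROUTE_WARN_RE.findall(log_text):
        findings.append(f"route gateway {gw} is not reachable on any adapter")
    return {"mode": mode, "dev": dev, "options": opts or {}, "findings": findings}


# Sample input: two PUSH_REPLY lines and one route warning copied from this thread.
TAP_LOG = ("2024-11-04 16:51:08 PUSH: Received control message: "
           "'PUSH_REPLY,route-gateway dhcp,ping 10,ping-restart 120,peer-id 1'\n")
TUN_LOG = ("2024-11-04 21:47:52 PUSH: Received control message: "
           "'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,"
           "block-outside-dns'\n"
           "2024-11-05 09:26:27 Warning: route gateway is not reachable on any "
           "active network adapters: 192.168.120.1\n")

# Constructed .ovpn fragment (not the poster's file); the remote is a placeholder.
OVPN_TAP = """\
dev tap
proto udp
remote vpn.example.invalid 1194
route-nopull
route 192.168.12.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, log in (("L2/TAP log", TAP_LOG), ("L3/TUN log", TUN_LOG)):
        report = analyze(log, OVPN_TAP)
        print(f"{label}: mode={report['mode']} dev={report['dev']}")
        for f in report["findings"]:
            print("  -", f)
```

Run against the TAP log the report is clean; against the TUN log it flags the dev/mode mismatch, the unexpected `block-outside-dns`, and the unreachable 192.168.120.1 gateway, which is the same conclusion the thread reaches by hand.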

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Tue Nov 05, 2024 3:12 pm

if you see "PUSH_REPLY ... ifconfig" in it

2024-11-05 15:54:46 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
Exactly what it is... trying to look where the issue might be...

solo
Posts: 1519
Joined: Sun Feb 14, 2021 10:31 am

Re: OpenVpn clients access to local resources only, specific setup.

Post by solo » Wed Nov 06, 2024 2:15 am

mendoza_lt wrote:
Tue Nov 05, 2024 3:12 pm

...'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
I've checked SE v4.42 source code and see no "block-outside-dns" statement in it. It is deployed by the original OpenVPN server and you are not connecting to SoftEther.

This forum topic is such a waste of time, lol.

mendoza_lt
Posts: 29
Joined: Fri Jul 05, 2024 8:37 pm

Re: OpenVpn clients access to local resources only, specific setup.

Post by mendoza_lt » Wed Nov 06, 2024 6:07 am

Oh... OK, I am very sorry about that...

OpenVPN is not even installed or running on that server. I installed it (Debian) about a week or two ago... but I will check.

But anyway, thanks for your help :)

solo
Posts: 1519
Joined: Sun Feb 14, 2021 10:31 am

Re: OpenVpn clients access to local resources only, specific setup.

Post by solo » Wed Nov 06, 2024 11:25 am

mendoza_lt wrote:
Wed Nov 06, 2024 6:07 am
Openvpn is not even installed or running in that server. I have installed it (debian) about a week or two ago... but i will check.
Do double-check because according to your log that server is not on Debian but Windows.

Product Name                    |SoftEther VPN Server (64 bit)
Version                         |Version 4.42 Build 9798   (English)
Type of Operating System        |Windows NT
Product Name of Operating System|Windows 10
