Is it at all possible to set up softether in bridge mode with dnsmasq on an Amazon ec2 server?
I have followed this guide http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/ to set up a softether server in bridge mode with dnsmasq. On a Digital Ocean instance this works fine. However, when I try to install this on an Amazon ec2 instance I can't get a route back from dnsmasq. The ec2 instance is using the amazon dns server at 172.16.0.23 and the server is part of a lan.
The resolv.conf file in the digital ocean server is just
    nameserver 127.0.0.1
In the ec2 instance, resolv.conf is
    domain mydomain.com
    search mydomain.com
    nameserver 172.16.0.23
resolv.conf is set to read-only on ec2, and if I force-add nameserver 127.0.0.1 and reboot, I can no longer ssh into the server.
My dnsmasq.conf file looks like this.
    interface=tap_soft
    dhcp-range=tap_soft,192.168.217.50,192.168.217.200,12h
    dhcp-option=tap_soft,121,10.0.0.0/8,192.168.217.1
The server is Ubuntu 14.04 on Amazon ec2.
Softether server version is 4.08.9449-4~trusty installed from a repo at https://launchpad.net/~dajhorn/+archive ... /softether
I have used the package version here because I am configuring the server with puppet.
ifconfig tap_soft
tap_soft  Link encap:Ethernet  HWaddr 00:ac:3b:08:55:2a  
          inet addr:192.168.217.1  Bcast:192.168.217.255  Mask:255.255.255.0
          inet6 addr: fe80::2ac:3bff:fe08:552a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:151 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:13205 (13.2 KB)  TX bytes:6936 (6.9 KB)
My vpn_server.conf file is here:
# Software Configuration File
# ---------------------------
# 
# You may edit this file when the VPN Server / Client / Bridge program is not running.
# 
# In prior to edit this file manually by your text editor,
# shutdown the VPN Server / Client / Bridge background service.
# Otherwise, all changes will be lost.
# 
declare root
{
	uint ConfigRevision 14
	bool IPsecMessageDisplayed true
	string Region US
	declare DDnsClient
	{
		bool Disabled false
		byte Key XlczsRQws3E+P3lCbdz6PP+Ny60=
		string LocalHostname myvpnserver
		string ProxyHostName $
		uint ProxyPort 0
		uint ProxyType 0
		string ProxyUsername $
	}
	declare IPsec
	{
		bool EtherIP_IPsec false
		string IPsec_Secret vpn
		string L2TP_DefaultHub VPN
		bool L2TP_IPsec true
		bool L2TP_Raw false
		declare EtherIP_IDSettingsList
		{
		}
	}
	declare ListenerList
	{
		declare Listener0
		{
			bool DisableDos false
			bool Enabled false
			uint Port 443
		}
		declare Listener1
		{
			bool DisableDos false
			bool Enabled true
			uint Port 992
		}
		declare Listener2
		{
			bool DisableDos false
			bool Enabled true
			uint Port 1194
		}
		declare Listener3
		{
			bool DisableDos false
			bool Enabled true
			uint Port 5555
		}
	}
	declare LocalBridgeList
	{
		declare LocalBridge0
		{
			string DeviceName soft
			string HubName VPN
			bool LimitBroadcast false
			bool MonitorMode false
			bool NoPromiscuousMode false
			string TapMacAddress 00-AC-3B-08-55-2A
			bool TapMode true
		}
	}
	declare ServerConfiguration
	{
		uint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
		uint AutoSaveConfigSpan 300
		bool BackupConfigOnlyWhenModified true
		string CipherName RC4-MD5
		uint CurrentBuild 9449
		bool DisableDeadLockCheck false
		bool DisableDosProction false
		bool DisableIntelAesAcceleration false
		bool DisableIPv6Listener false
		bool DisableNatTraversal false
		bool DisableOpenVPNServer false
		bool DisableSSTPServer false
		bool DontBackupConfig false
		bool EnableVpnAzure false
		bool EnableVpnOverDns false
		bool EnableVpnOverIcmp false
		byte HashedPassword redacted
		string KeepConnectHost keepalive.softether.org
		uint KeepConnectInterval 50
		uint KeepConnectPort 80
		uint KeepConnectProtocol 1
		uint MaxConnectionsPerIP 256
		uint MaxUnestablishedConnections 1000
		bool NoHighPriorityProcess false
		bool NoLinuxArpFilter false
		bool NoSendSignature false
		string OpenVPN_UdpPortList 1194
		bool SaveDebugLog false
		byte ServerCert redacted
		byte ServerKey redacted
		uint ServerType 0
		bool UseKeepConnect true
		bool UseWebTimePage false
		bool UseWebUI false
		declare ServerTraffic
		{
			declare RecvTraffic
			{
				uint64 BroadcastBytes 506412
				uint64 BroadcastCount 3539
				uint64 UnicastBytes 13934927
				uint64 UnicastCount 153499
			}
			declare SendTraffic
			{
				uint64 BroadcastBytes 605754
				uint64 BroadcastCount 4088
				uint64 UnicastBytes 8309360
				uint64 UnicastCount 85474
			}
		}
		declare SyslogSettings
		{
			string HostName $
			uint Port 514
			uint SaveType 0
		}
	}
	declare VirtualHUB
	{
		declare VPN
		{
			uint64 CreatedTime 1446005408369
			byte HashedPassword redacted
			uint64 LastCommTime 1446602751857
			uint64 LastLoginTime 1446602713073
			uint NumLogin 30
			bool Online true
			uint RadiusRetryInterval 0
			uint RadiusServerPort 1812
			string RadiusSuffixFilter $
			byte SecurePassword redacted
			uint Type 0
			declare AccessList
			{
			}
			declare AdminOption
			{
				uint allow_hub_admin_change_option 0
				uint deny_bridge 0
				uint deny_change_user_password 0
				uint deny_empty_password 0
				uint deny_hub_admin_change_ext_option 0
				uint deny_qos 0
				uint deny_routing 0
				uint max_accesslists 0
				uint max_bitrates_download 0
				uint max_bitrates_upload 0
				uint max_groups 0
				uint max_multilogins_per_user 0
				uint max_sessions 0
				uint max_sessions_bridge 0
				uint max_sessions_client 0
				uint max_sessions_client_bridge_apply 0
				uint max_users 0
				uint no_access_list_include_file 0
				uint no_cascade 0
				uint no_change_access_control_list 0
				uint no_change_access_list 0
				uint no_change_admin_password 0
				uint no_change_cert_list 0
				uint no_change_crl_list 0
				uint no_change_groups 0
				uint no_change_log_config 0
				uint no_change_log_switch_type 0
				uint no_change_msg 0
				uint no_change_users 0
				uint no_delay_jitter_packet_loss 0
				uint no_delete_iptable 0
				uint no_delete_mactable 0
				uint no_disconnect_session 0
				uint no_enum_session 0
				uint no_offline 0
				uint no_online 0
				uint no_query_session 0
				uint no_read_log_file 0
				uint no_securenat 0
				uint no_securenat_enabledhcp 0
				uint no_securenat_enablenat 0
			}
			declare CascadeList
			{
			}
			declare LogSetting
			{
				uint PacketLogSwitchType 4
				uint PACKET_LOG_ARP 0
				uint PACKET_LOG_DHCP 1
				uint PACKET_LOG_ETHERNET 0
				uint PACKET_LOG_ICMP 0
				uint PACKET_LOG_IP 0
				uint PACKET_LOG_TCP 0
				uint PACKET_LOG_TCP_CONN 1
				uint PACKET_LOG_UDP 0
				bool SavePacketLog true
				bool SaveSecurityLog true
				uint SecurityLogSwitchType 4
			}
			declare Message
			{
			}
			declare Option
			{
				uint AccessListIncludeFileCacheLifetime 30
				uint AdjustTcpMssValue 0
				bool ApplyIPv4AccessListOnArpPacket false
				bool BroadcastLimiterStrictMode false
				uint BroadcastStormDetectionThreshold 0
				uint ClientMinimumRequiredBuild 0
				bool DisableAdjustTcpMss false
				bool DisableCheckMacOnLocalBridge false
				bool DisableCorrectIpOffloadChecksum false
				bool DisableHttpParsing false
				bool DisableIPParsing false
				bool DisableKernelModeSecureNAT false
				bool DisableUdpAcceleration false
				bool DisableUdpFilterForLocalBridgeNic false
				bool DisableUserModeSecureNAT false
				bool DoNotSaveHeavySecurityLogs false
				bool DropArpInPrivacyFilterMode true
				bool DropBroadcastsInPrivacyFilterMode true
				bool FilterBPDU false
				bool FilterIPv4 false
				bool FilterIPv6 false
				bool FilterNonIP false
				bool FilterOSPF false
				bool FilterPPPoE false
				bool ManageOnlyLocalUnicastIPv6 true
				bool ManageOnlyPrivateIP true
				uint MaxLoggedPacketsPerMinute 0
				uint MaxSession 0
				bool NoArpPolling false
				bool NoDhcpPacketLogOutsideHub true
				bool NoEnum false
				bool NoIpTable false
				bool NoIPv4PacketLog false
				bool NoIPv6AddrPolling false
				bool NoIPv6DefaultRouterInRAWhenIPv6 true
				bool NoIPv6PacketLog false
				bool NoLookBPDUBridgeId false
				bool NoMacAddressLog true
				bool NoManageVlanId false
				bool NoSpinLockForPacketDelay false
				bool RemoveDefGwOnDhcpForLocalhost true
				uint RequiredClientId 0
				uint SecureNAT_MaxDnsSessionsPerIp 0
				uint SecureNAT_MaxIcmpSessionsPerIp 0
				uint SecureNAT_MaxTcpSessionsPerIp 0
				uint SecureNAT_MaxTcpSynSentPerIp 0
				uint SecureNAT_MaxUdpSessionsPerIp 0
				string VlanTypeId 0x8100
				bool YieldAfterStorePacket false
			}
			declare SecureNAT
			{
				bool Disabled true
				bool SaveLog true
				declare VirtualDhcpServer
				{
					string DhcpDnsServerAddress 192.168.30.1
					string DhcpDnsServerAddress2 0.0.0.0
					string DhcpDomainName $
					bool DhcpEnabled true
					uint DhcpExpireTimeSpan 7200
					string DhcpGatewayAddress 192.168.30.1
					string DhcpLeaseIPEnd 192.168.30.200
					string DhcpLeaseIPStart 192.168.30.10
					string DhcpPushRoutes $
					string DhcpSubnetMask 255.255.255.0
				}
				declare VirtualHost
				{
					string VirtualHostIp 192.168.30.1
					string VirtualHostIpSubnetMask 255.255.255.0
					string VirtualHostMacAddress 00-AC-30-CD-E0-03
				}
				declare VirtualRouter
				{
					bool NatEnabled true
					uint NatMtu 1500
					uint NatTcpTimeout 1800
					uint NatUdpTimeout 60
				}
			}
			declare SecurityAccountDatabase
			{
				declare CertList
				{
				}
				declare CrlList
				{
				}
				declare GroupList
				{
				}
				declare IPAccessControlList
				{
				}
				declare UserList
				{
					declare mark
					{
						byte AuthNtLmSecureHash EKJat5oCi2Q1vN5HMaNQIg==
						byte AuthPassword redacted
						uint AuthType 1
						uint64 CreatedTime 1446602670278
						uint64 ExpireTime 0
						uint64 LastLoginTime 1446602713073
						string Note $
						uint NumLogin 1
						string RealName mark$20horrocks
						uint64 UpdatedTime 1446602670278
						declare Traffic
						{
							declare RecvTraffic
							{
								uint64 BroadcastBytes 8863
								uint64 BroadcastCount 100
								uint64 UnicastBytes 852
								uint64 UnicastCount 14
							}
							declare SendTraffic
							{
								uint64 BroadcastBytes 19121
								uint64 BroadcastCount 210
								uint64 UnicastBytes 298
								uint64 UnicastCount 5
							}
						}
					}
				}
			}
			declare Traffic
			{
				declare RecvTraffic
				{
					uint64 BroadcastBytes 506412
					uint64 BroadcastCount 3539
					uint64 UnicastBytes 13934927
					uint64 UnicastCount 153499
				}
				declare SendTraffic
				{
					uint64 BroadcastBytes 605754
					uint64 BroadcastCount 4088
					uint64 UnicastBytes 8309360
					uint64 UnicastCount 85474
				}
			}
		}
	}
	declare VirtualLayer3SwitchList
	{
	}
}
Is it possible to setup softether with dnsmasq on ec2 server
- 
				markhorrocks
 - Posts: 17
 - Joined: Wed May 20, 2015 8:02 pm
 
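The `dhcp-option=tap_soft,121,10.0.0.0/8,192.168.217.1` line in the dnsmasq.conf above asks dnsmasq to push a classless static route (DHCP option 121, RFC 3442) to every VPN client. The following is an added example, not code from the post or from dnsmasq: it parses that line, shows the bytes dnsmasq would put on the wire for it, decodes them back, and checks that every pushed next hop actually lies inside the tap subnet (assumed here to be 192.168.217.0/24, from the ifconfig output). A next hop outside the client's own subnet is a route the client can never use, which is one of the first things to rule out when a route "back" is missing.

```python
"""Encode and decode DHCP option 121 (RFC 3442 classless static routes).
Added example; not part of the forum post or of dnsmasq itself."""
import ipaddress


def encode_option121(routes):
    """routes: iterable of (destination network, router) strings.
    Returns the option payload: per route, one byte of prefix length,
    only the significant destination octets, then the 4-byte router."""
    payload = bytearray()
    for dest, router in routes:
        # strict=False drops host bits: the destination is a network, not a host
        net = ipaddress.IPv4Network(dest, strict=False)
        nsig = (net.prefixlen + 7) // 8  # octets needed to carry the prefix
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:nsig]
        payload += ipaddress.IPv4Address(router).packed
    return bytes(payload)


def decode_option121(payload):
    """Inverse of encode_option121; raises ValueError on a truncated payload."""
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length %d out of range" % plen)
        nsig = (plen + 7) // 8
        if i + nsig + 4 > len(payload):
            raise ValueError("truncated route at offset %d" % i)
        dest = bytes(payload[i:i + nsig]) + b"\x00" * (4 - nsig)
        i += nsig
        router = ipaddress.IPv4Address(bytes(payload[i:i + 4]))
        i += 4
        net = ipaddress.IPv4Network("%s/%d" % (ipaddress.IPv4Address(dest), plen))
        routes.append((str(net), str(router)))
    return routes


def parse_dnsmasq_option121(line):
    """Parse a dnsmasq 'dhcp-option=...' line carrying option 121 into
    (tags, [(dest, router), ...]).  Fields before the option number are
    tags (the interface name in the post); after it come dest/router pairs."""
    key, _, value = line.strip().partition("=")
    if key != "dhcp-option":
        raise ValueError("not a dhcp-option line")
    fields = [f.strip() for f in value.split(",")]
    for idx, f in enumerate(fields):
        if f in ("121", "option:classless-static-route"):
            tags, values = fields[:idx], fields[idx + 1:]
            break
    else:
        raise ValueError("line does not carry option 121")
    if not values or len(values) % 2:
        raise ValueError("option 121 needs destination/router pairs")
    return tags, list(zip(values[0::2], values[1::2]))


def routes_outside_subnet(routes, tap_subnet):
    """Return the routers that are not inside the tap subnet.  A client
    cannot ARP for such a next hop, so the pushed route is dead on arrival."""
    tap = ipaddress.IPv4Network(tap_subnet)
    return [router for _, router in routes
            if ipaddress.IPv4Address(router) not in tap]


if __name__ == "__main__":
    # the exact line from the post's dnsmasq.conf; subnet taken from ifconfig
    _, routes = parse_dnsmasq_option121(
        "dhcp-option=tap_soft,121,10.0.0.0/8,192.168.217.1")
    wire = encode_option121(routes)
    print(wire.hex(), decode_option121(wire),
          routes_outside_subnet(routes, "192.168.217.0/24"))
```

For the post's line the payload is six bytes (`08 0a c0 a8 d9 01`): an /8 needs only one destination octet, so the option is far smaller than the textual form suggests, and the client's parser must honour that variable-length encoding, which is where some DHCP clients silently drop option 121.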
- 
				thisjun
 - Posts: 2458
 - Joined: Mon Feb 24, 2014 11:03 am
 
Re: Is it possible to setup softether with dnsmasq on ec2 se
Did the client get a valid IP address?
- 
				kh_tsang
 - Posts: 551
 - Joined: Wed Jul 24, 2013 12:09 pm
 
Re: Is it possible to setup softether with dnsmasq on ec2 se
I would suggest you use the SoftEther built-in SecureNAT because it has the DNS forwarding already. However, point the default gateway to the tap device instead of using the SecureNAT gateway. Therefore, the setup can be simple.
- 
				markhorrocks
 - Posts: 17
 - Joined: Wed May 20, 2015 8:02 pm
 
Re: Is it possible to setup softether with dnsmasq on ec2 se
kh_tsang wrote:
> I would suggest you use the SoftEther built-in SecureNAT because it has the
> DNS forwarding already. However, point the default gateway to the tap
> device instead of using the SecureNAT gateway. Therefore, the setup can be
> simple.
I read that using bridge mode tap device and secureNAT would result in 100% CPU usage. Is this no longer true?
- 
				thisjun
 - Posts: 2458
 - Joined: Mon Feb 24, 2014 11:03 am
 
Re: Is it possible to setup softether with dnsmasq on ec2 se
If you configure it properly, the problem will not happen.
The default gateway shouldn't point to SecureNAT.
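The advice in the two replies above is that SecureNAT may serve DHCP and DNS, but the gateway it hands out must not be the SecureNAT virtual host itself. The SecureNAT block in the posted vpn_server.conf has `DhcpGatewayAddress` and `VirtualHostIp` both set to 192.168.30.1, which is exactly that case. The following is an added example, not SoftEther's code and not from the thread: a small parser for the `declare { ... }` format the config is written in, plus a check that flags any hub whose virtual DHCP pushes the SecureNAT virtual host as the gateway. The sample config is constructed to mirror the post's values; the `$`-escape handling (`$` for an empty string, `$20` for a space, as seen in `mark$20horrocks`) is generalised to any `$xx` hex escape as an assumption, and 192.168.30.254 as a tap-side gateway is a hypothetical value.

```python
"""Parse SoftEther's vpn_server.conf 'declare' format and check whether the
SecureNAT virtual DHCP server pushes the SecureNAT host as default gateway.
Added example; not SoftEther's own code."""
import re


def _convert(typ, raw):
    """Decode one value by its declared type.  A lone '$' is the empty
    string; '$xx' is a hex escape ('$20' is a space).  Assumed from the
    post's own config, where RealName is written 'mark$20horrocks'."""
    if typ == "bool":
        return raw == "true"
    if typ in ("uint", "uint64"):
        return int(raw)
    if typ == "string":
        if raw == "$":
            return ""
        return re.sub(r"\$([0-9A-Fa-f]{2})",
                      lambda m: chr(int(m.group(1), 16)), raw)
    return raw  # 'byte' values (base64 blobs) are kept as text


def parse_softether_conf(text):
    """Build nested dicts from 'declare NAME' / '{' / '}' / 'type key value'."""
    root = {}
    stack = [root]
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("declare "):
            pending = line.split(None, 1)[1]
        elif line == "{":
            if pending is None:
                raise ValueError("'{' without a preceding declare")
            node = {}
            stack[-1][pending] = node
            stack.append(node)
            pending = None
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            parts = line.split(None, 2)
            typ, key = parts[0], parts[1]
            stack[-1][key] = _convert(typ, parts[2] if len(parts) == 3 else "")
    return root


def securenat_gateway_findings(conf):
    """For every virtual hub, report when DhcpGatewayAddress equals the
    SecureNAT VirtualHostIp.  Returns [(hub, gateway, securenat_disabled)]."""
    findings = []
    for hub, hubcfg in conf.get("root", {}).get("VirtualHUB", {}).items():
        sn = hubcfg.get("SecureNAT", {})
        gw = sn.get("VirtualDhcpServer", {}).get("DhcpGatewayAddress")
        vhost_ip = sn.get("VirtualHost", {}).get("VirtualHostIp")
        if gw and gw == vhost_ip:
            findings.append((hub, gw, bool(sn.get("Disabled", False))))
    return findings


# Constructed excerpt in the shape of the post's vpn_server.conf.
SAMPLE_CONF = """\
# Software Configuration File
declare root
{
    uint ConfigRevision 14
    declare VirtualHUB
    {
        declare VPN
        {
            bool Online true
            declare SecureNAT
            {
                bool Disabled true
                declare VirtualDhcpServer
                {
                    string DhcpDnsServerAddress 192.168.30.1
                    string DhcpGatewayAddress 192.168.30.1
                    string DhcpPushRoutes $
                }
                declare VirtualHost
                {
                    string VirtualHostIp 192.168.30.1
                }
            }
            declare SecurityAccountDatabase
            {
                declare UserList
                {
                    declare mark
                    {
                        string RealName mark$20horrocks
                    }
                }
            }
        }
    }
}
"""

if __name__ == "__main__":
    print(securenat_gateway_findings(parse_softether_conf(SAMPLE_CONF)))
```

The check is deliberately narrow: it only reports the gateway condition thisjun names, and it also reports whether SecureNAT is currently disabled, because a disabled SecureNAT block (as in the post) is harmless until someone switches it on without first moving the gateway to the tap device.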
