(SOLVED) VPN Client Problem on AWS Linux

pmontelo
Posts: 5
Joined: Wed Oct 27, 2021 8:12 pm

(SOLVED) VPN Client Problem on AWS Linux

Post by pmontelo » Wed Oct 27, 2021 8:51 pm

Hello all!

I am looking for some help getting the SoftEther Linux VPN Client to work connecting to a SoftEther VPN server running on a Windows 10 computer at my home.

My home network is behind a dynamic IP and NAT, so I'm using vpnazure.net.

I am successful at connecting to the VPN Server running on my Windows 10 computer, using the SSTP app on my iPhone, from a different network than the server is on. So I have proven the VPN Server is working, and an iPhone client can connect and access my local network from a different network.

I can also connect successfully to the VPN Server using the SoftEther VPN Client running on the same Windows 10 computer.

The problem that I have is that when I connect to the VPN from my AWS EC2 linux instance, I do not get an IP address on the EC2 instance's vpn_vpn interface.

When I issue an ifconfig command, I do not see an inet addr, or mask.

When I run the vpncmd tool on the instance, and go into the VPN Client, and type AccountList, it shows status of "Connected".

But when I go to Manage Sessions on the Virtual Hub of the VPN server, I see that there are 0 Outgoing packets.
The session appears to be established, but no data is flowing back to the VPN client running on EC2 because the vpn_vpn interface doesn't have an IP.

Any ideas on how to resolve this problem?

Thank you
Last edited by pmontelo on Wed Nov 03, 2021 5:56 pm, edited 4 times in total.

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: VPN Client Problem on AWS Linux

Post by eddiewu » Thu Oct 28, 2021 1:52 am

On Linux you need to manually set up everything, which includes:
1. Add a static route to the server
2. Use dhclient to obtain the DHCP configuration

pmontelo
Posts: 5
Joined: Wed Oct 27, 2021 8:12 pm

Re: VPN Client Problem on AWS Linux

Post by pmontelo » Mon Nov 01, 2021 4:13 am

Thank you for your comments @eddiewu

I am still struggling to get this to work.

Upon rebooting the EC2 instance I do the following:
1. sudo /usr/local/vpnclient/vpnclient start
The vpn_vpn interface is now present without an IP address; ifconfig shows:
vpn_vpn Link encap:Ethernet HWaddr 5E:90:21:08:86:A0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:113 errors:0 dropped:8 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:39290 (38.3 KiB) TX bytes:0 (0.0 b)

2. sudo /usr/local/vpnclient/vpncmd localhost /CLIENT /CMD AccountConnect MY-CONNECTION-NAME
My connection is now connected; vpncmd AccountList reports:
AccountList command - Get List of VPN Connection Settings
Item |Value
----------------------------+--------------------------------------------------------
VPN Connection Setting Name | MY-CONNECTION-NAME
Status |Connected
VPN Server Hostname |vpnXXXXXXXXX.vpnazure.net:443 (Direct TCP/IP Connection)
Virtual Hub |MY-VIRTUAL-HUB-NAME
Virtual Network Adapter Name|VPN

3a. sudo dhclient -v vpn_vpn
dhclient displays the following before all communication is lost:
Internet Systems Consortium DHCP Client 4.1.1-P1
Copyright 2004-2010 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/vpn_vpn/5e:90:21:08:86:a0
Sending on LPF/vpn_vpn/5e:90:21:08:86:a0
Sending on Socket/fallback
DHCPREQUEST on vpn_vpn to 255.255.255.255 port 67 (xid=0x5f3b24fd)
DHCPACK from 192.168.1.1 (xid=0x5f3b24fd)

After the dhclient command runs, all communication with the EC2 instance is lost requiring a reboot.

I can see that my DHCP server running in my router did issue an IP address lease on the 192.168.1.x subnet to the MAC address of the vpn_vpn interface, so this shows me that the request was received and processed by my local network where my VPN server is running.

Since I could not communicate with the EC2 instance after running the dhclient command, I rebooted the instance and tried another approach by assigning a static IP to the vpn_vpn interface.

With that approach, the first 2 steps were the same, but for step #3 I used:
3b. sudo ifconfig vpn_vpn 192.168.1.2 netmask 255.255.255.0 up
After the ifconfig command runs, the vpn_vpn interface has 192.168.1.2 as its address, but I can't ping any other hosts on the 192.168.1.x subnet.

Before setting the static IP, netstat -rn shows:
[ec2-user@ip-172-31-43-242 ~]$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 0 0 0 eth0
169.254.169.254 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0

After setting the static IP it shows:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 0 0 0 eth0
169.254.169.254 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn_vpn

I'm unsure what I would need to do to change the routing table to get it to work with the static IP.

A) Does anyone have any insight on the correct ip route add and del commands I would need to get this working with the static 192.168.1.2 address?

B) Does anyone have any insight on why all communication with the EC2 instance breaks after dhclient talks with the DHCP server to get an IP lease for the vpn_vpn interface?

Any help would be greatly appreciated.
Thank you

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: VPN Client Problem on AWS Linux

Post by solo » Mon Nov 01, 2021 9:38 pm

You need to enable IP forwarding: net.ipv4.ip_forward=1

pmontelo
Posts: 5
Joined: Wed Oct 27, 2021 8:12 pm

Re: VPN Client Problem on AWS Linux

Post by pmontelo » Mon Nov 01, 2021 9:47 pm

Thanks @solo, I have already done that but forgot to mention it. It did not help.

The problems I'm having still occur with IP forwarding enabled.

[ec2-user@ip-172-31-43-242 ~]$ cat /proc/sys/net/ipv4/ip_forward
1
[ec2-user@ip-172-31-43-242 ~]$ sudo sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.vpn_vpn.forwarding = 1
net.ipv4.conf.vpn_vpn.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0

I'm still looking for help on this, if someone has any ideas on how to solve the problems, they would be appreciated.
Thank you

pmontelo
Posts: 5
Joined: Wed Oct 27, 2021 8:12 pm

Re: VPN Client Problem on AWS Linux

Post by pmontelo » Wed Nov 03, 2021 2:25 pm

I've almost got this working with the static IP address assignment.

For some reason that I still haven't figured out, the Windows 10 firewall appears to be blocking the traffic from the Linux VPN client on the 192.168.1.x subnet.

If I turn off the Windows firewall, everything is working nicely with a static IP assignment to the vpn_vpn interface on the Linux client side.

When I connect with the SSTP client on iPhone, I'm not having any problems with the Windows 10 firewall blocking traffic.

Still trying to determine what's different between the two clients.

pmontelo
Posts: 5
Joined: Wed Oct 27, 2021 8:12 pm

Re: (SOLVED) VPN Client Problem on AWS Linux

Post by pmontelo » Wed Nov 03, 2021 6:07 pm

Sharing for anyone else who may be struggling to get this to work:

In the end, setting a static IP address on the vpn_vpn interface was all I needed to do to get this working.
It was not necessary to do anything with the routing table.

On boot of my EC2 instance I execute a script that does the following:

# Start the SoftEther VPN Client service
sudo /usr/local/vpnclient/vpnclient start
# Connect the saved connection setting; this brings up the vpn_vpn interface
sudo /usr/local/vpnclient/vpncmd localhost /CLIENT /CMD AccountConnect MY-CONNECTION-NAME
# Give the interface a moment to appear before configuring it
sleep 1
# Assign a static address on the home subnet instead of running dhclient
sudo ifconfig vpn_vpn 192.168.1.2 netmask 255.255.255.0 up

After this runs, I have connectivity to my 192.168.1.x subnet.
I'll work on trying to make this work via init.d in the future.

I thought that it wasn't working because the firewall on Windows 10 blocks ICMP on the local subnet by default, so when I did a ping test from my EC2 instance to my Windows 10 host on the 192.168.1.x subnet, the pings failed.

I felt old and stupid when I realized that, but was so happy just to have everything working.

I still don't have an answer as to why communication to the EC2 instance is lost when using dhclient, but the static IP route suits my needs just fine.

I hope this helps someone else.
Thanks for the suggestions and responses that led to a solution.
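As an added example, not pmontelo's script and not SoftEther's own code, here is a POSIX sh version of that boot sequence that waits for vpn_vpn to appear instead of a fixed sleep and then checks that the instance's default route is still on its uplink. Losing that route is the usual way a DHCP lease on a tunnel interface takes a remote instance offline (dhclient normally installs the lease's router as the default gateway), so the check is a cheap guard against the symptom seen earlier in the thread. The account name, address, paths and routing-table layout come from the thread; the eth0 uplink name and the 10-second wait are assumptions.

```shell
#!/bin/sh
# Added example: bring up SoftEther's vpn_vpn with a static address and verify
# the default route still leaves via the uplink afterwards.
set -eu

VPNCLIENT_DIR=/usr/local/vpnclient
ACCOUNT="MY-CONNECTION-NAME"   # connection setting name from vpncmd AccountList
VPN_IF=vpn_vpn
VPN_ADDR=192.168.1.2
VPN_MASK=255.255.255.0
UPLINK_IF=eth0                 # assumed: the interface carrying SSH and the tunnel

# Print the interface carrying the default route in `netstat -rn` output read
# from stdin (empty output means no default route).
default_route_iface() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# Succeed only if the routing table on stdin keeps the default route on "$1".
uplink_still_default() {
    [ "$(default_route_iface)" = "$1" ]
}

# The boot sequence from the thread, with a bounded wait and a route check.
bring_up_vpn() {
    sudo "$VPNCLIENT_DIR/vpnclient" start
    sudo "$VPNCLIENT_DIR/vpncmd" localhost /CLIENT /CMD AccountConnect "$ACCOUNT"
    i=0
    while ! ifconfig "$VPN_IF" >/dev/null 2>&1; do   # wait up to 10 s (assumed)
        i=$((i + 1))
        [ "$i" -lt 10 ] || { echo "$VPN_IF never appeared" >&2; return 1; }
        sleep 1
    done
    sudo ifconfig "$VPN_IF" "$VPN_ADDR" netmask "$VPN_MASK" up
    # Only the connected 192.168.1.0/24 route should be added; if the default
    # route moved onto the tunnel, SSH replies and the tunnel's own packets
    # would be sent into vpn_vpn and the instance would go dark.
    netstat -rn | uplink_still_default "$UPLINK_IF" || {
        echo "default route is no longer on $UPLINK_IF" >&2; return 1; }
}

# Constructed sample in the shape of the routing table shown in the thread,
# used to exercise the check without touching a real interface.
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 0 0 0 eth0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn_vpn'
```

Call `bring_up_vpn` from the boot script; the helper functions can also be run by hand against `netstat -rn` after any network change to confirm the uplink still owns the default route.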
