Remote access VPN failing

dickfister
Posts: 9
Joined: Wed Dec 08, 2021 6:15 am

Remote access VPN failing

Post by dickfister » Wed Dec 08, 2021 6:33 am

Hi everyone, I recently installed SoftEther VPN server so that I can remotely access my home PC. I've got it up and running, with OpenVPN client on my iPhone. I'm able to connect to the VPN with no issues, and route to my local resources. However, after some time (which seems to be about 2 days or so), I will not be able to log in to the VPN. Checking the server log:


2021-12-08 17:00:42.111 OpenVPN Session 55 (120.18.99.195:2001 -> 192.168.4.36:1194) Channel 0: Option Strings Received: "V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client"
2021-12-08 17:00:42.111 OpenVPN Session 55 (120.18.99.195:2001 -> 192.168.4.36:1194) Channel 0: Client certificate is not provided, will use password authentication.
2021-12-08 17:00:42.111 OpenVPN Session 55 (120.18.99.195:2001 -> 192.168.4.36:1194) Channel 0: Option Strings to Send: "V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server"
2021-12-08 17:00:42.795 On the TCP Listener (Port 0), a Client (IP address 120.18.99.195, Host name "120.18.99.195", Port number 2001) has connected.
2021-12-08 17:00:42.795 For the client (IP address: 120.18.99.195, host name: "120.18.99.195", port number: 2001), connection "CID-24-EBA1C6B05A" has been created.
2021-12-08 17:00:42.795 SSL communication for connection "CID-24-EBA1C6B05A" has been started. The encryption algorithm name is "(null)".
2021-12-08 17:00:42.797 [HUB "my-vpn"] The connection "CID-24-EBA1C6B05A" (IP address: 120.18.99.195, Host name: 120.18.99.195, Port number: 2001, Client name: "OpenVPN Client", Version: 4.38, Build: 9760) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "username".
2021-12-08 17:00:42.797 [HUB "my-vpn"] Connection "CID-24-EBA1C6B05A": Successfully authenticated as user "username".
2021-12-08 17:00:42.797 [HUB "my-vpn"] Connection "CID-24-EBA1C6B05A": The new session "SID-username-[OPENVPN_L3]-25" has been created. (IP address: 120.18.99.195, Port number: 2001, Physical underlying protocol: "Legacy VPN - OPENVPN_L3")
2021-12-08 17:00:42.798 [HUB "my-vpn"] Session "SID-username-[OPENVPN_L3]-25": The parameter has been set. Max number of TCP connections: 1, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
2021-12-08 17:00:42.800 [HUB "my-vpn"] Session "SID-username-[OPENVPN_L3]-25": VPN Client details: (Client product name: "OpenVPN Client", Client version: 438, Client build number: 9760, Server product name: "SoftEther VPN Server (64 bit)", Server version: 438, Server build number: 9760, Client OS name: "OpenVPN Client", Client OS version: "-", Client product ID: "-", Client host name: "", Client IP address: "120.18.99.195", Client port number: 2001, Server host name: "192.168.4.36", Server IP address: "192.168.4.36", Server port number: 1194, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "my-vpn", Client unique ID: "E467DB37CF32A1D57E5033B3E30F1EB7")
2021-12-08 17:00:55.166 [HUB "my-vpn"] Session "SID-username-[OPENVPN_L3]-25": The session has been terminated. The statistical information is as follows: Total outgoing data size: 23248 bytes, Total incoming data size: 35114 bytes.
2021-12-08 17:00:55.166 OpenVPN Session 55 (120.18.99.195:2001 -> 192.168.4.36:1194) Channel 0: Acquiring an IP address from the DHCP server failed. To accept a PPP session, you need to have a DHCP server. Make sure that a DHCP server is working normally in the Ethernet segment which the Virtual Hub belongs to. If you do not have a DHCP server, you can use the Virtual DHCP function of the SecureNAT on the Virtual Hub instead.
2021-12-08 17:00:55.166 OpenVPN Session 55 (120.18.99.195:2001 -> 192.168.4.36:1194) Channel 0: Failed to connect a channel.
2021-12-08 17:00:55.205 Connection "CID-24-EBA1C6B05A" terminated by the cause "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected." (code 11).
2021-12-08 17:00:55.205 Connection "CID-24-EBA1C6B05A" has been terminated.
2021-12-08 17:00:55.205 The connection with the client (IP address 120.18.99.195, Port number 2001) has been disconnected.

We can see the error above. For some reason, the VPN is unable to get an IP address via DHCP. DHCP on my PC is set to my router. Keep in mind that this issue only starts to occur after some time (~2 days) has passed. Simply rebooting my computer resolves the issue.

Does anyone know what could be causing SoftEther to not be able to get an IP via DHCP, after a certain amount of time of the VPN being up?

Note: I have Hyper-V server running on my PC, and my SoftEther local bridge is bound to a Hyper-V virtual switch. My wi-fi adapter is part of a Windows network bridge due to Hyper-V network configuration (which means the physical wi-fi adapter itself doesn't show up in SoftEther because it's part of a bridge). I found that I need to bind my SoftEther local bridge to my Hyper-V virtual switch to get the VPN to work. Setting the local bridge binding to the Windows network bridge interface didn't allow VPN clients to connect.
Last edited by dickfister on Wed Dec 15, 2021 7:24 am, edited 1 time in total.
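
Added example, not part of the original post: a Python sketch that scans SoftEther server log lines in the format shown above, finds each OpenVPN session that ended with the DHCP error, and ties it to the hub user who connected from the same client endpoint, which helps pinpoint the first failure in several days of logs. The sample lines are abbreviated from the poster's log, session 56 is invented for contrast, and the function name `dhcp_failures` is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: lines abbreviated from the log in the post above,
# plus one invented session (56) that shows no DHCP error.
SAMPLE = '''\
2021-12-08 17:00:42.111 OpenVPN Session 55 (120.18.99.195:2001 -> 192.168.4.36:1194) Channel 0: Client certificate is not provided, will use password authentication.
2021-12-08 17:00:42.797 [HUB "my-vpn"] The connection "CID-24-EBA1C6B05A" (IP address: 120.18.99.195, Host name: 120.18.99.195, Port number: 2001, Client name: "OpenVPN Client", Version: 4.38, Build: 9760) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "username".
2021-12-08 17:00:55.166 OpenVPN Session 55 (120.18.99.195:2001 -> 192.168.4.36:1194) Channel 0: Acquiring an IP address from the DHCP server failed. To accept a PPP session, you need to have a DHCP server.
2021-12-08 17:00:55.166 OpenVPN Session 55 (120.18.99.195:2001 -> 192.168.4.36:1194) Channel 0: Failed to connect a channel.
2021-12-08 17:05:10.000 OpenVPN Session 56 (203.0.113.7:40000 -> 192.168.4.36:1194) Channel 0: Client certificate is not provided, will use password authentication.
'''

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) "
# OpenVPN listener lines: timestamp, session number, client endpoint, message.
OVPN = re.compile(TS + r"OpenVPN Session (\d+) \(([\d.]+:\d+) -> [\d.]+:\d+\) "
                       r"Channel \d+: (.*)")
# Hub line that carries both the client endpoint and the user name.
HUB = re.compile(TS + r'\[HUB "([^"]+)"\] The connection "[^"]+" '
                      r'\(IP address: ([\d.]+),.*?Port number: (\d+),'
                      r'.*?the user name is "([^"]*)"')
DHCP_FAIL = "Acquiring an IP address from the DHCP server failed"

def dhcp_failures(lines):
    """Return one record per OpenVPN session that hit the DHCP error."""
    first_seen, users, failures = {}, {}, []
    for line in lines:
        if m := HUB.match(line):
            users[f"{m[3]}:{m[4]}"] = (m[2], m[5])  # endpoint -> (hub, user)
        elif m := OVPN.match(line):
            ts = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S.%f")
            key = (m[2], m[3])  # session numbers can repeat after a restart
            first_seen.setdefault(key, ts)
            if DHCP_FAIL in m[4]:
                hub, user = users.get(m[3], (None, None))
                waited = (ts - first_seen[key]).total_seconds()
                failures.append({"time": ts, "session": m[2], "client": m[3],
                                 "hub": hub, "user": user,
                                 "waited_s": round(waited, 3)})
    return failures

if __name__ == "__main__":
    for rec in dhcp_failures(SAMPLE.splitlines()):
        print(rec)
```

The `waited_s` field is the time between the first log line of the session and the DHCP error, so a consistent value across failures points at a lease request that times out rather than one that is refused.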

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Remote access VPN failing

Post by nobody12 » Wed Dec 08, 2021 1:51 pm

Check if the DHCP pool of the DHCP server has enough free leases available.

dickfister
Posts: 9
Joined: Wed Dec 08, 2021 6:15 am

Re: Remote access VPN failing

Post by dickfister » Wed Dec 08, 2021 11:38 pm

I don’t have complete visibility over this due to limited functionality on my router (Amazon Eero 6), but my LAN subnet is 192.168.4.0/22 and there are only around 10 devices on the network. So I am doubting that DHCP lease exhaustion is the cause of the issue.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Remote access VPN failing

Post by nobody12 » Thu Dec 09, 2021 8:25 am

Which PC do you have to reboot to fix the problem? SE server or VPN client PC?
Where is Hyper-V running, on the client or the server?

dickfister
Posts: 9
Joined: Wed Dec 08, 2021 6:15 am

Re: Remote access VPN failing

Post by dickfister » Fri Dec 10, 2021 1:31 am

I have to reboot the VPN server. No issues with the client (OpenVPN on iPhone).

The VPN server (my PC) is also the Hyper-V server.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Remote access VPN failing

Post by nobody12 » Fri Dec 10, 2021 8:48 am

Does the SE process run inside the VM or on the VM host machine?

dickfister
Posts: 9
Joined: Wed Dec 08, 2021 6:15 am

Re: Remote access VPN failing

Post by dickfister » Fri Dec 10, 2021 11:35 pm

SE is running on the host, it’s not running on a VM.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Remote access VPN failing

Post by nobody12 » Sat Dec 11, 2021 12:28 pm

I have no instant idea, but let me try to understand your network configuration:
You have two physical network cards, one of these is a wifi adapter. You have made a bridge out of these using Windows built-in methods.
You have installed Hyper-V on this computer.
Installed a Hyper-V virtual switch using the virtual network card (the bridge) as the "external network" in the Hyper-V new virtual switch dialog.
You selected the checkbox: "allow management operating system to share this network adapter"
You installed the SE server on the host operating system, and bound the SE bridge to the Hyper-V shared network adapter.

I suggest installing the SE server inside a VM. To make this work you have to enable the "Enable MAC spoofing" option in the Hyper-V guest advanced features network card settings. I don't know if this will help, but it will make the configuration less complex. In your config, the Hyper-V and the host OS will both add fake MAC addresses to the virtual network card, maybe this is not a good idea. I also would try to get rid of the bridge but that could be done in the next step.

Also, what is the IP range your client PC uses in its local LAN, does it overlap with the 192.168.4.0/22 network of the network where the server is located? If yes, then fix this first.

dickfister
Posts: 9
Joined: Wed Dec 08, 2021 6:15 am

Re: Remote access VPN failing

Post by dickfister » Wed Dec 15, 2021 6:03 am

Networking:

Physical wi-fi card connected to the internet
Hyper-V virtual switch adapter
Microsoft Network Bridge (this was created by Hyper-V, I'm assuming it's the bridge between the physical and virtual adapters)

Hyper-V:

Virtual switch is set to External, bound to the wi-fi card. "Allow management operating..." is checked.

Hyper-V is not used for SE and is just for my unrelated projects involving VMs.

SoftEther:

Installed on the host operating system (Windows 10 Pro).

Local bridge is bound to the Hyper-V virtual switch. I originally tried binding it to the Network Bridge, but my VPN client couldn't connect. I didn't bother investigating why, because setting the local bridge to the virtual switch resolved the issue.

Then, after 2-3 days (I think) of the VPN running, no issues with client connections, suddenly my VPN client can't connect, and I see the DHCP error in the VPN server log.

My LAN is 192.168.4.0/22. My client is on my iPhone, so it connects from a public IP (cellular connection). When the VPN is working, my phone is given an IP in the 192.168.4.0/22 range and I can access my LAN resources with no issues.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Remote access VPN failing

Post by nobody12 » Wed Dec 15, 2021 8:42 am

My experience with Hyper-V (only on server OS) is, there is never a bridge which is made by the Hyper-V installation. However I never tried to use a WiFi network card for Hyper-V.
Remove all Hyper-V network configurations, get rid of the bridge, recreate the Hyper-V network cards. Then try again.
Most cellular networks do not use a public IP, but an IP out of the 10.0.0.0/8 network. So this will be ok most likely.

dickfister
Posts: 9
Joined: Wed Dec 08, 2021 6:15 am

Re: Remote access VPN failing

Post by dickfister » Wed Dec 15, 2021 10:13 am

Good idea. Here’s what I’m going to try:

Remove all Hyper-V networking and bind my SE local bridge to the wi-fi NIC.

Then I’ll see if the issue still occurs. If it stops, then I can continue the investigation at the Hyper-V end.

I’ll let you know how it goes. Your support so far is much appreciated, thanks a lot!

dickfister
Posts: 9
Joined: Wed Dec 08, 2021 6:15 am

Re: Remote access VPN failing

Post by dickfister » Wed Dec 15, 2021 12:38 pm

Okay so my first finding, here’s what I’ve done:

Reset windows network settings
Disable Hyper-V entirely

Only my Realtek Ethernet adapter (not plugged in) is showing up in the list for SE local bridge settings. The intel wifi adapter is missing.

Possibly related to the DHCP issue. Any ideas why the wifi adapter isn’t showing in SE?

Note: the wifi adapter also wasn’t visible previously. I figured this was because of Hyper-V networking.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Remote access VPN failing

Post by nobody12 » Wed Dec 15, 2021 12:55 pm

I never tried SE server with Wifi, but I check this out later - maybe the software knows it does not work using wifi, therefore it only shows the Lan adapter?

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Remote access VPN failing

Post by nobody12 » Wed Dec 15, 2021 2:04 pm

No, I am also not able to choose a wireless adapter.
So, by creating a bridge you may be able to run the SE Server with a WiFi card. But maybe there are good reasons why the card is not showing up?
I don't know, but maybe there is something in the documentation?

Yes, there is:
3.6.6 Use of network adapters not supporting Promiscuous Mode
And this includes as example wireless adapters.
I don't know if any wireless adapter is excluded by default or if the program does a test if the adapter supports promiscuous mode.
I think some WiFi adapters support promiscuous mode.
There is an option to override the behaviour and use your wifi adapter anyway. Same chapter.

Give it a try.

dickfister
Posts: 9
Joined: Wed Dec 08, 2021 6:15 am

Re: Remote access VPN failing

Post by dickfister » Wed Dec 15, 2021 10:58 pm

Good find. I've run the following command on my PC:

>netsh wlan show wirelesscapabilities

It shows promiscuous mode is not supported. I will try the workaround. Thanks again!

Edit: I've tried the workaround, no luck. The local bridge is in error state.

Moving forward, I'll try a few options:

- Create the local bridge on the Hyper-V switch and continue looking into the DHCP error.
- Run SE in a VM. Or I might try something like PfSense.
- Install ethernet patching in my apartment so I can actually use the ethernet interface xD

Anyway, I think we can wrap this one up for now. Thanks a lot for your help!

dickfister
Posts: 9
Joined: Wed Dec 08, 2021 6:15 am

Re: Remote access VPN failing

Post by dickfister » Mon Dec 20, 2021 4:04 am

Update: I’ve connected my PC to my modem via Ethernet. I’ve bound the SE local bridge to my physical Ethernet interface, and have continued to leave Hyper-V disabled. The VPN is currently working. I’ll leave it up and check in a few days to see if the DHCP issue occurs.
