Route only SoftEther server traffic through OpenVPN

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Fri Jan 27, 2023 1:26 am

Hello everyone,
I'm running a SoftEther server on Debian 11 and I would like to route only the SoftEther traffic (not my whole OS) through the OpenVPN client from my other server.
Any idea how I can achieve this?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Fri Jan 27, 2023 2:44 am

The same way as routing through the VPN Gate client: https://www.vpnusers.com/viewtopic.php? ... 926#p97433

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Sun Jan 29, 2023 6:38 pm

Thanks a lot, man, @solo
The thing is, I don't want any traffic other than SoftEther to go through OpenVPN; that's why I used "pull-filter ignore redirect-gateway" in my OpenVPN client config file, but with this line your method is not working anymore.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Sun Jan 29, 2023 8:14 pm

Go back to the above link and scroll down to "policy-based routing variant".

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Mon Jan 30, 2023 12:07 am

Thanks a lot, @solo
What is 10.245.254.254 representing in that code? Should I change it? Also any other part?
I'm wondering how this is going to help, because if I don't include "pull-filter ignore redirect-gateway" in my OpenVPN client config file the VPS is going to be inaccessible and I'll no longer be able to SSH into it. I'm connecting to OpenVPN on it with the openvpn that I installed with "apt install openvpn"; I don't know if you had any other way in mind.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Mon Jan 30, 2023 1:00 am

10.245.254.254 is a default gateway on the remote (client) connection - adjust accordingly for your OVPN.

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Mon Jan 30, 2023 12:27 pm

So if I understand correctly, it's the OVPN server's public IP, right? Or is it the gateway? Mine is like:
Public IP of VPS: 155.155.155.155
Public IP of OVPN server: 199.199.199.199
OVPN gateway: 172.25.0.1
OVPN client IP (DHCP): 172.25.0.14
What about "pull-filter ignore redirect-gateway" in my OpenVPN client config file?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Mon Jan 30, 2023 1:16 pm

  • replace 10.245.254.254 with 172.25.0.1
  • "pull-filter ignore redirect-gateway" is completely irrelevant in the context of SE-OVPN routing

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Mon Jan 30, 2023 2:34 pm

solo wrote:
Mon Jan 30, 2023 1:16 pm
  • replace 10.245.254.254 with 172.25.0.1
Thanks man
solo wrote:
Mon Jan 30, 2023 1:16 pm
  • replace 10.245.254.254 with 172.25.0.1
  • "pull-filter ignore redirect-gateway" is completely irrelevant in the context of SE-OVPN routing
But if I don't include this in the config file and connect to the OpenVPN client, the VPS becomes inaccessible, and if I do, the VPS SoftEther won't route the traffic through the OpenVPN client.

I think I should explain the situation again:

I got an OpenVPN client config file from a server which has access to the internet. Let's call it "OVPNfree".
I also have a Linux VPS which doesn't have access to the internet but can connect to "OVPNfree".
On the VPS, I installed SoftEther and turned on its OpenVPN server so I could connect to it with my phone and PC; this one is called "OVPNdomestic".

Now what I want to achieve is to connect the SoftEther server running on my VPS to "OVPNfree" in a way that doesn't affect anything else on that VPS and doesn't make SSH and other services on that VPS inaccessible via its public IP. That way, if I connect to "OVPNdomestic" with my phone, it will have access to the internet. **I cannot directly connect to "OVPNfree" on my phone or PC**


MY PC <=> "OVPNdomestic" VPS (Softether <=> "OVPNfree") <=> "OVPNfree" <=> Internet

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Tue Jan 31, 2023 5:20 am

a.saneie wrote:
Mon Jan 30, 2023 2:34 pm
...if I do, VPS softether won't route the traffic through the OpenVPN client.
If you are absolutely sure that you have adapted the VPN Gate method precisely, and SE server is running, do as follows:
- start OVPN with "pull-filter ignore redirect-gateway"
- from the VPS verify that e.g. ping 1.1.1.1 is OK
- post as code the output of:

Code:

ifconfig
route -n
ip route
ip rule
ip route show table all
iptables -t nat -L
iptables -S
cat /proc/sys/net/ipv4/ip_forward
brctl show
netstat -tapn

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Wed Feb 01, 2023 10:10 pm

solo wrote:
Tue Jan 31, 2023 5:20 am
- post as code the output of:
Here you go man:

ifconfig:

Code:

root@Gamora:~# ifconfig
docker0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:dbff:fed9:3647  prefixlen 64  scopeid 0x20<link>
        ether 02:42:db:d9:36:47  txqueuelen 0  (Ethernet)
        RX packets 51097  bytes 4786726 (4.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 43394  bytes 72691554 (69.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens192: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet VPS_Public_IP  netmask 255.255.255.248  broadcast VPS_Gateway
        inet6 fe80::20c:29ff:fe4c:33c5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:4c:33:c5  txqueuelen 1000  (Ethernet)
        RX packets 241689  bytes 36633431 (34.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 217314  bytes 31118006 (29.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 706947  bytes 97328768 (92.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 706947  bytes 97328768 (92.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap_tap: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5c10:beff:fe44:47a7  prefixlen 64  scopeid 0x20<link>
        ether 5e:10:be:44:47:a7  txqueuelen 1000  (Ethernet)
        RX packets 220  bytes 16426 (16.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 314  bytes 25924 (25.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.25.0.24  netmask 255.255.255.0  destination 172.25.0.24
        inet6 fe80::419d:4821:9441:8e9  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 16905  bytes 2940662 (2.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44  bytes 8580 (8.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth42fa998: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::9c14:e1ff:feb4:f16d  prefixlen 64  scopeid 0x20<link>
        ether 9e:14:e1:b4:f1:6d  txqueuelen 0  (Ethernet)
        RX packets 36949  bytes 3977938 (3.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31585  bytes 69235311 (66.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth58ab83d: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::8482:65ff:fef3:ce3d  prefixlen 64  scopeid 0x20<link>
        ether 86:82:65:f3:ce:3d  txqueuelen 0  (Ethernet)
        RX packets 84  bytes 54990 (53.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 177  bytes 21393 (20.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethbb689a3: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::1023:61ff:fe8a:39c4  prefixlen 64  scopeid 0x20<link>
        ether 12:23:61:8a:39:c4  txqueuelen 0  (Ethernet)
        RX packets 14064  bytes 1469156 (1.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11873  bytes 3464895 (3.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vetheedda44: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::606d:c1ff:fe27:c7d4  prefixlen 64  scopeid 0x20<link>
        ether 62:6d:c1:27:c7:d4  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 90  bytes 11944 (11.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


route -n:

Code:

root@Gamora:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         -------------  0.0.0.0         UG    0      0        0 ens192
-------------      0.0.0.0         255.255.255.248 U     0      0        0 ens192
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.25.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0

ip route:

Code:

root@Gamora:~# ip route
default via ----------- dev ens192 onlink
-------------/29 dev ens192 proto kernel scope link src ---------------
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.25.0.0/24 dev tun0 proto kernel scope link src 172.25.0.24

ip rule:

Code:

root@Gamora:~# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

ip route show table all:

Code:

root@Gamora:~# ip route show table all
default via --------------- dev ens192 onlink
---------------/29 dev ens192 proto kernel scope link src ---------------
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.25.0.0/24 dev tun0 proto kernel scope link src 172.25.0.24
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast --------------- dev ens192 table local proto kernel scope link src ---------------
local --------------- dev ens192 table local proto kernel scope host src ---------------
broadcast --------------- dev ens192 table local proto kernel scope link src ---------------
broadcast 172.17.0.0 dev docker0 table local proto kernel scope link src 172.17.0.1
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1
broadcast 172.25.0.0 dev tun0 table local proto kernel scope link src 172.25.0.24
local 172.25.0.24 dev tun0 table local proto kernel scope host src 172.25.0.24
broadcast 172.25.0.255 dev tun0 table local proto kernel scope link src 172.25.0.24
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens192 proto kernel metric 256 pref medium
fe80::/64 dev docker0 proto kernel metric 256 pref medium
fe80::/64 dev vethbb689a3 proto kernel metric 256 pref medium
fe80::/64 dev vetheedda44 proto kernel metric 256 pref medium
fe80::/64 dev veth58ab83d proto kernel metric 256 pref medium
fe80::/64 dev veth42fa998 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev tap_tap proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::42:dbff:fed9:3647 dev docker0 table local proto kernel metric 0 pref medium
local fe80::20c:29ff:fe4c:33c5 dev ens192 table local proto kernel metric 0 pref medium
local fe80::1023:61ff:fe8a:39c4 dev vethbb689a3 table local proto kernel metric 0 pref medium
local fe80::419d:4821:9441:8e9 dev tun0 table local proto kernel metric 0 pref medium
local fe80::5c10:beff:fe44:47a7 dev tap_tap table local proto kernel metric 0 pref medium
local fe80::606d:c1ff:fe27:c7d4 dev vetheedda44 table local proto kernel metric 0 pref medium
local fe80::8482:65ff:fef3:ce3d dev veth58ab83d table local proto kernel metric 0 pref medium
local fe80::9c14:e1ff:feb4:f16d dev veth42fa998 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev ens192 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev docker0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev vethbb689a3 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev vetheedda44 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev veth58ab83d table local proto kernel metric 256 pref medium
multicast ff00::/8 dev veth42fa998 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tap_tap table local proto kernel metric 256 pref medium

iptables -t nat -L:

Code:

root@Gamora:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:9090
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:9443
MASQUERADE  tcp  --  172.17.0.5           172.17.0.5           tcp dpt:3000
SNAT       all  --  192.168.9.0/24       anywhere             to:172.25.0.11
SNAT       all  --  192.168.9.0/24       anywhere             to:172.25.0.24

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:4968 to:172.17.0.2:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:8984 to:172.17.0.3:9090
DNAT       tcp  --  anywhere             anywhere             tcp dpt:9443 to:172.17.0.4:9443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:8364 to:172.17.0.5:3000

iptables -S:

Code:

root@Gamora:~# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT ! -s 127.135.138.83/32 ! -d 127.167.27.227/32 -p icmp -m icmp --icmp-type 3/3 -m connmark ! --mark 0x6082458d -j DROP
-A OUTPUT ! -s 127.74.189.243/32 ! -d 127.67.194.175/32 -p tcp -m tcp --sport 61001:65535 --tcp-flags RST RST -m connmark ! --mark 0x5c562f17 -j DROP
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9090 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9443 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

cat /proc/sys/net/ipv4/ip_forward:

Code:

root@Gamora:~# cat /proc/sys/net/ipv4/ip_forward
1

brctl show:

Code:

root@Gamora:~# brctl show
-bash: brctl: command not found

netstat -tapn:

Code:

root@Gamora:~# netstat -tapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:4968            0.0.0.0:*               LISTEN      963/docker-proxy
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      55089/vpnserver
tcp        0      0 127.0.0.1:36011         0.0.0.0:*               LISTEN      1382/casaos-app-man
tcp        0      0 0.0.0.0:8364            0.0.0.0:*               LISTEN      1033/docker-proxy
tcp        0      0 127.0.0.1:35725         0.0.0.0:*               LISTEN      640/casaos-gateway
tcp        0      0 127.0.0.1:45679         0.0.0.0:*               LISTEN      640/casaos-gateway
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      55089/vpnserver
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      668/sshd: /usr/sbin
tcp        0      0 127.0.0.1:32983         0.0.0.0:*               LISTEN      744/casaos-local-st
tcp        0      0 0.0.0.0:8984            0.0.0.0:*               LISTEN      990/docker-proxy
tcp        0      0 127.0.0.1:44315         0.0.0.0:*               LISTEN      667/casaos
tcp        0      0 127.0.0.1:46175         0.0.0.0:*               LISTEN      726/casaos-user-ser
tcp        0      0 0.0.0.0:992             0.0.0.0:*               LISTEN      55089/vpnserver
tcp        0      0 0.0.0.0:9443            0.0.0.0:*               LISTEN      1011/docker-proxy
tcp        0      0 127.0.0.1:44963         0.0.0.0:*               LISTEN      677/casaos-message-
tcp        0    144 ---------------:22       ---------------:49311     ESTABLISHED 54815/sshd: root@pt
tcp        0     39 ---------------:54992    ---------------:443         ESTABLISHED 32851/openvpn
tcp        0      0 127.0.0.1:57222         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:55550         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33844         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33052         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:57220         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:55560         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33832         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:57254         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33040         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:38260         127.0.0.1:44963         ESTABLISHED 726/casaos-user-ser
tcp        0      0 127.0.0.1:36168         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:55558         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33442         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:55568         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33426         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33030         127.0.0.1:44315         TIME_WAIT   -
tcp   197340      0 127.0.0.1:44963         127.0.0.1:38260         ESTABLISHED 677/casaos-message-
tcp        0      0 127.0.0.1:33042         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33440         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33430         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:36174         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33816         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 158.58.191.133:43626    79.127.127.35:443       ESTABLISHED 55089/vpnserver
tcp        0      0 127.0.0.1:36162         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:57238         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:36148         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33858         127.0.0.1:44315         TIME_WAIT   -
tcp6       0      0 :::4968                 :::*                    LISTEN      975/docker-proxy
tcp6       0      0 :::1194                 :::*                    LISTEN      55089/vpnserver
tcp6       0      0 :::9100                 :::*                    LISTEN      1205/node_exporter
tcp6       0      0 :::8364                 :::*                    LISTEN      1047/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      640/casaos-gateway
tcp6       0      0 :::5555                 :::*                    LISTEN      55089/vpnserver
tcp6       0      0 :::22                   :::*                    LISTEN      668/sshd: /usr/sbin
tcp6       0      0 :::8984                 :::*                    LISTEN      997/docker-proxy
tcp6       0      0 :::992                  :::*                    LISTEN      55089/vpnserver
tcp6       0      0 :::9443                 :::*                    LISTEN      1018/docker-proxy
tcp6       0      0 ---------------:9100     172.17.0.3:34302        ESTABLISHED 1205/node_exporter
Last edited by a.saneie on Thu Feb 02, 2023 7:43 am, edited 1 time in total.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Thu Feb 02, 2023 2:28 am

a.saneie wrote:
Wed Feb 01, 2023 10:10 pm
tap_tap: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::5c10:beff:fe44:47a7 prefixlen 64 scopeid 0x20<link>
ether 5e:10:be:44:47:a7 txqueuelen 1000 (Ethernet)
Man, without looking any further, here is the first fundamental error - no IPv4 address!
BTW, edit your post and redact the public IPs.

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Thu Feb 02, 2023 7:45 am

solo wrote:
Thu Feb 02, 2023 2:28 am
Man, without looking any further, here is the first fundamental error - no IPv4 address!
Yeah, I noticed that before but didn't know if it was supposed to be like this or not, plus IDK how to fix it.
How can I fix this?
solo wrote:
Thu Feb 02, 2023 2:28 am
BTW, edit out your post and redact the public IPs.
Thanks done.

ratepace
Posts: 1
Joined: Thu Feb 02, 2023 2:59 pm

Re: Route only SoftEther server traffic through OpenVPN

Post by ratepace » Thu Feb 02, 2023 3:02 pm

What is 10.245.254.254 representing in that code? Should I change it? Also any other part?

SoftEther Fan
Last edited by ratepace on Sat Feb 04, 2023 1:04 pm, edited 1 time in total.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Thu Feb 02, 2023 10:49 pm

a.saneie wrote:
Thu Feb 02, 2023 7:45 am
Yeah, I noticed that before but didn't know if it was supposed to be like this or not, plus IDK how to fix it. How can I fix this?
https://www.vpnusers.com/viewtopic.php? ... 926#p97433
documented already (ExecStartPost=/sbin/ip addr add 192.168.9.1/24 brd + dev tap_tap)

ratepace wrote:
Thu Feb 02, 2023 3:02 pm
What is 10.245.254.254 representing in that code? Should I change it? Also any other part?
https://www.vpnusers.com/viewtopic.php? ... 072#p98036
answered already

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Fri Feb 03, 2023 12:45 am

solo wrote:
Thu Feb 02, 2023 10:49 pm
https://www.vpnusers.com/viewtopic.php? ... 926#p97433
documented already (ExecStartPost=/sbin/ip addr add 192.168.9.1/24 brd + dev tap_tap)
I added this before, and it's not working.

Code:

root@Gamora:~# cat /lib/systemd/system/vpnserver.service
ExecStartPost=/sbin/ip addr add 192.168.9.1/24 brd + dev tap_tap

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Sat Feb 04, 2023 1:36 am

Any idea?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Sat Feb 04, 2023 2:04 am

Add some "sleep" prior to the ExecStartPost.

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Sat Feb 04, 2023 7:58 pm

solo wrote:
Sat Feb 04, 2023 2:04 am
Add some "sleep" prior to the ExecStartPost.
Like this:

Code:

root@Gamora:~# cat /lib/systemd/system/vpnserver.service
ExecStartPost=/bin/sleep 30
ExecStartPost=/sbin/ip addr add 192.168.9.1/24 brd + dev tap_tap

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Sat Feb 04, 2023 11:03 pm

Yes, but not 30 sec; 3 will do.

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Mon Feb 13, 2023 12:35 am

solo wrote:
Sat Feb 04, 2023 11:03 pm
Yes, but not 30 sec; 3 will do.
I did as you said and I got the IP on tap_tap, but still the same result (when I connect to SoftEther on the VPS I get the public IP of the VPS, not that of the OpenVPN server the VPS is connected to via the OpenVPN client).

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Mon Feb 13, 2023 1:18 am

Have another look at the re-routing thread, there are updates.

@fa1rid had successfully applied it in a Docker environment similar to yours: https://www.vpnusers.com/viewtopic.php? ... ker#p98207

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Mon Feb 13, 2023 3:15 pm

solo wrote:
Mon Feb 13, 2023 1:18 am
Have another look at the re-routing thread, there are updates.

@fa1rid had successfully applied it in a Docker environment similar to yours: https://www.vpnusers.com/viewtopic.php? ... ker#p98207
Sure, I will look into that again, but mine is not the same scenario as his, because he is running that client as a Docker container, whereas I just have Docker installed on the OS; my routing and VPN stuff have nothing to do with it.

Also, I've got a question: should I turn on "SecureNAT" on the VPS SoftEther or not? (Because when it's off and I connect to the VPS, DHCP doesn't give me an IP.)

Even though I added this to /etc/dnsmasq.conf:

Code:

interface=tap_tap
dhcp-range=192.168.9.99,192.168.9.199,12h
dhcp-option=3,192.168.9.1
dhcp-option=6,1.1.1.1

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Route only SoftEther server traffic through OpenVPN

Post by shakibamoshiri » Mon Feb 13, 2023 6:52 pm

a.saneie wrote:
Mon Feb 13, 2023 3:15 pm

Sure, I will look into that again, but mine is not the same scenario as his, because he is running that client as a Docker container, whereas I just have Docker installed on the OS; my routing and VPN stuff have nothing to do with it.

Also, I've got a question: should I turn on "SecureNAT" on the VPS SoftEther or not? (Because when it's off and I connect to the VPS, DHCP doesn't give me an IP.)

Even though I added this to /etc/dnsmasq.conf:

Code:

interface=tap_tap
dhcp-range=192.168.9.99,192.168.9.199,12h
dhcp-option=3,192.168.9.1
dhcp-option=6,1.1.1.1
Please ask a new question, do not continue on this topic, and provide enough details to discuss your issue.
Thanks

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Mon Feb 13, 2023 9:04 pm

shakibamoshiri wrote:
Mon Feb 13, 2023 6:52 pm
Please ask a new question, do not continue on this topic, and provide enough details to discuss your issue.
Thanks
I asked for clarification over the provided answer on the same topic that it was given.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Mon Feb 13, 2023 10:18 pm

a.saneie wrote:
Mon Feb 13, 2023 3:15 pm
should I turn on the "SecureNAT" on VPS Softether or not
It's up to you, but only SecureNAT without vNAT will work. We have discussed these options extensively in the other thread.

a.saneie
Posts: 20
Joined: Fri Jan 27, 2023 1:09 am

Re: Route only SoftEther server traffic through OpenVPN

Post by a.saneie » Sat Feb 18, 2023 5:18 pm

Still same results :(

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Sat Feb 18, 2023 11:48 pm

I had asked you "If you are absolutely sure that you have adapted the VPN Gate method precisely, and SE server is running, do..." and to post logs. Back then I pointed out the first critical error and stopped reading your logs. I had another look now and note at least two more flaws:

- the dnsmasq process is not running
- the ip rules are deficient

Apparently you were "absolutely sure" about your implementation but presented a totally dysfunctional setup. Let's try once more - please do your best and post the same set of logs (redact your public IPs). If you have decided to go with SE vDHCP in the current iteration then dnsmasq need not run, of course.

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Route only SoftEther server traffic through OpenVPN

Post by shakibamoshiri » Sun Feb 19, 2023 10:05 am

a.saneie wrote:
Mon Feb 13, 2023 9:04 pm
shakibamoshiri wrote:
Mon Feb 13, 2023 6:52 pm
Please ask a new question, do not continue on this topic, and provide enough details to discuss your issue.
Thanks
I asked for clarification over the provided answer on the same topic that it was given.
Sorry, I did not originally check that it's your question.

Can you answer these questions?
Q1: Do you want to implement a double VPN (client ==> server-1 ===> server-2)?
Q2: If Q1==YES, you do NOT want to use CC (= Cascade Connection), and you want to use an OpenVPN client running on your server-1?
Q3: If Q2==YES, do you want to run the OpenVPN client with full-tunnel or split-tunnel?
Q4: Does the below workflow match your need?

# workflow
clients ===> server-1 ===> server-2

# server-1
SE server + DHCP + Local Bridge (so you have a tap_xxx interface?)
OpenVPN client connected to server-2 (so you have a tun0 interface?)

# server-2
OpenVPN server

Based on this workflow you mentioned
MY PC <=> "OVPNdomestic" VPS (Softether <=> "OVPNfree") <=> "OVPNfree" <=> Internet
you need a double VPN, which you can achieve using any of:
1. port forwarding from hop-1 (domestic) to hop-2 (your endpoint)
2. Policy Based Routing (PBR) to route traffic
3. Cascade Connection (CC), which SE server makes super simple

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Route only SoftEther server traffic through OpenVPN

Post by solo » Sun Feb 19, 2023 10:29 pm

For simplicity's sake I have dropped DHCP and got it working with just TWO COMMANDS.

Preset
- Linux server with IP forwarding and no firewall
- SoftEther server in default state with only LBS to soft tap and nothing extra in ExecStart, etc.
- OpenVPN client already running (I connected to VPN Gate)

VPS log

Code:

ifconfig
...
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.242.21.197  P-t-P:10.242.21.198  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.242.21.198   128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s3
10.242.21.198   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.242.21.198   128.0.0.0       UG    0      0        0 tun0
219.100.37.145  10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3

traceroute 9.9.9.9
traceroute to 9.9.9.9 (9.9.9.9), 30 hops max, 60 byte packets
 1  10.242.254.254 (10.242.254.254)  439.534 ms  287.576 ms  362.289 ms
 2  gw2.vpngate.v4.open.ad.jp (219.100.37.253)  320.121 ms  320.097 ms  319.435 ms
 3  igp1.green.v4.open.ad.jp (202.222.12.190)  581.388 ms  483.662 ms  460.331 ms
 4  bgp3.openospf1.v4.open.ad.jp (202.222.12.33)  537.734 ms  624.070 ms  625.069 ms
 5  150.99.184.33 (150.99.184.33)  624.062 ms  404.239 ms  325.049 ms
 6  150.99.21.21 (150.99.21.21)  382.131 ms  302.935 ms  275.133 ms
 7  ty8.gslnetworks.com (103.137.13.76)  352.902 ms  278.624 ms  348.789 ms
 8  scrub.ty8.gslnetworks.com (103.137.13.77)  298.470 ms  300.678 ms  320.533 ms
 9  203.10.98.35 (203.10.98.35)  313.464 ms  277.452 ms  287.996 ms
10  dns9.quad9.net (9.9.9.9)  287.966 ms !X  265.531 ms !X  277.329 ms !X

TWO COMMANDS
  1. ifconfig tap_tap 192.168.9.2 netmask 255.255.255.0 promisc arp up
  2. iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o tun0 -j MASQUERADE

Windows VPN client on static IP 192.168.9.3

Code:

ping 192.168.9.2
Pinging 192.168.9.2 with 32 bytes of data:
Reply from 192.168.9.2: bytes=32 time=1ms TTL=64
Reply from 192.168.9.2: bytes=32 time<1ms TTL=64
Reply from 192.168.9.2: bytes=32 time<1ms TTL=64
Reply from 192.168.9.2: bytes=32 time<1ms TTL=64

route add 9.9.9.9 mask 255.255.255.255 192.168.9.2

ping 9.9.9.9
Pinging 9.9.9.9 with 32 bytes of data:
Reply from 9.9.9.9: bytes=32 time=291ms TTL=54
Reply from 9.9.9.9: bytes=32 time=289ms TTL=54
Reply from 9.9.9.9: bytes=32 time=292ms TTL=54
Reply from 9.9.9.9: bytes=32 time=289ms TTL=54

tracert 9.9.9.9
Tracing route to dns9.quad9.net [9.9.9.9]
over a maximum of 30 hops:
  1     1 ms    <1 ms    <1 ms  192.168.9.2
  2   502 ms     *      469 ms  10.242.254.254
  3   370 ms   328 ms   375 ms  gw2.vpngate.v4.open.ad.jp [219.100.37.253]
  4   405 ms   484 ms   407 ms  igp1.green.v4.open.ad.jp [202.222.12.190]
  5   379 ms   272 ms   342 ms  bgp4.openospf2.v4.open.ad.jp [202.222.12.41]
  6   346 ms   383 ms   330 ms  150.99.184.33
  7   835 ms   960 ms   568 ms  150.99.21.21
  8   609 ms   463 ms   419 ms  ty8.gslnetworks.com [103.137.13.76]
  9   427 ms   559 ms   446 ms  scrub.ty8.gslnetworks.com [103.137.13.77]
 10     *      463 ms   360 ms  203.10.98.35
 11   588 ms   537 ms   877 ms  dns9.quad9.net [9.9.9.9]
Trace complete.

Code:

local VPN clients > SoftEther server > OpenVPN client > OpenVPN server somewhere
                  [----------------VPS----------------]
It just works.
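A script for the variant the thread keeps circling back to (solo's "policy-based routing variant" and his two commands, plus his note that the posted ip rules are deficient), added here as an example; it is not code from the thread, SoftEther or OpenVPN. It assumes OpenVPN runs with "pull-filter ignore redirect-gateway" so the main table stays untouched (solo's own route -n above shows the 0.0.0.0/1 and 128.0.0.0/1 routes of a full redirect, which reroutes the whole VPS, not just the tap subnet), takes 172.25.0.1 on tun0 and 192.168.9.1/24 on tap_tap from the thread, picks routing table 100 and rule priority 1000 as free values, and accounts for Docker's "-P FORWARD DROP" visible in the posted iptables -S.

```shell
#!/bin/sh
# Added example: route only the SoftEther tap subnet out through the OpenVPN
# tunnel with a policy rule, leaving the VPS's own traffic (SSH on ens192) on
# the main table. Values come from the thread except PBR_TABLE/PBR_PRIO, which
# are assumed free to use. Run "sh pbr.sh apply" as root, once, to apply.
TAP_IF=tap_tap
TAP_ADDR=192.168.9.1/24
TAP_NET=192.168.9.0/24
TUN_IF=tun0
TUN_GW=172.25.0.1     # OpenVPN gateway (stands in for 10.245.254.254 in solo's link)
PBR_TABLE=100         # assumed: any unused routing table id
PBR_PRIO=1000         # assumed: must sort before 32766 (main)

# Print the commands that build the setup; nothing is executed here.
pbr_plan() {
  cat <<EOF
ip addr replace $TAP_ADDR brd + dev $TAP_IF
ip link set $TAP_IF up promisc on
sysctl -w net.ipv4.ip_forward=1
ip route replace default via $TUN_GW dev $TUN_IF table $PBR_TABLE
ip rule add from $TAP_NET lookup $PBR_TABLE priority $PBR_PRIO
iptables -t nat -A POSTROUTING -s $TAP_NET -o $TUN_IF -j MASQUERADE
iptables -I FORWARD -i $TAP_IF -o $TUN_IF -j ACCEPT
iptables -I FORWARD -i $TUN_IF -o $TAP_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Audit pasted "ip rule", "iptables -S" and "iptables -t nat -S" output (stdin)
# and print "ok" or a comma-separated list of what is missing:
#   rule        no "from $TAP_NET lookup ..." policy rule
#   masquerade  tap subnet is not masqueraded out of the tunnel
#   forward     FORWARD policy is DROP (Docker's default) with no tap->tun accept
pbr_check() {
  dump=$(cat)
  missing=""
  printf '%s\n' "$dump" | grep -qF "from $TAP_NET lookup" \
    || missing="${missing:+$missing,}rule"
  printf '%s\n' "$dump" | grep -qF -- "-A POSTROUTING -s $TAP_NET -o $TUN_IF -j MASQUERADE" \
    || missing="${missing:+$missing,}masquerade"
  if printf '%s\n' "$dump" | grep -qF -- "-P FORWARD DROP"; then
    printf '%s\n' "$dump" | grep -qF -- "-A FORWARD -i $TAP_IF -o $TUN_IF -j ACCEPT" \
      || missing="${missing:+$missing,}forward"
  fi
  echo "${missing:-ok}"
}

# Apply only when explicitly asked, so the file can be sourced just for pbr_check.
if [ "${1:-}" = "apply" ]; then
  pbr_plan | while IFS= read -r cmd; do echo "+ $cmd"; sh -c "$cmd"; done
fi
```

Feed it the three command outputs from the box ("{ ip rule; iptables -S; iptables -t nat -S; } | sh pbr.sh" after sourcing, or via a pipe to pbr_check) to see which of the three pieces is still absent before touching anything.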
