Use DHCP allocation for VPN client but hide from LAN
Posted: Wed Dec 23, 2015 5:48 pm
Hello,
I am trying to build a simple external client to LAN VPN solution, so folks at home can access a corporate LAN. It seems that I got it working with SoftEther quite easily, and the home users can easily install the client and connect to our servers here on the corporate LAN.
For now I am running SoftEther on a windows server, but I would like to move this whole configuration to some sort of embedded and dedicated system running Linux or similar.
I found that I needed to enable SecureNAT to get the virtual DHCP function to work, so I can allocate IPs out to the clients (I have a specific subnet/range of IPs within our corporate subnet I am allowed to use for VPN users). I also use the virtual DHCP server to assign the LAN DNS server(s) and DNS prefix. I specifically do NOT assign out the default gateway address, since I need the users to NOT pass their internet traffic through our corporate LAN, but instead I need them to use their local internet connections for their local internet traffic.
I do NOT enable virtual-NAT in the SecureNAT configuration, as I only need this configuration to set up the DHCP services, so connecting clients can obtain their IP address allocations. Instead I use a local bridge to bridge the virtual hub to my physical network.
Anyhow, all of this works out quite well. The DHCP server allocates out an IP address on our VPN subnet, and the client machines can access our corporate LAN including some database services, and other services I need to allow. Additionally, I like the fact that I can somewhat control what the VPN clients have access to, since I can choose to block or allow the VPN clients from services using the access lists with the VPN allocated subnet (the VPN address allocations are on a smaller subnet within the larger corporate subnet, etc).
There is only just one problem, however. It seems that the DHCP server I set up within SoftEther is also attempting to allocate addresses on our corporate LAN as well. I can easily check this using a DHCP detection tool (like odhcploc) somewhere on the corporate LAN. I find that both the corporate DHCP server on the LAN, as well as the SoftEther DHCP server, are answering DHCP requests, which sets up a dangerous situation on our corporate LAN...
I need the VPN server to only allocate DHCP addresses to VPN connecting clients, not to non-VPN clients within our corporate LAN (we have a Windows DHCP server for that).
I have tried to filter DHCP by blocking or allowing UDP ports 67 and 68 within the SoftEther access list rules, but no matter what I try I cannot get the SoftEther DHCP server to limit itself to just allocating addresses to VPN clients. Either I block DHCP from the LAN along with VPN clients, or I allow DHCP from both, but I cannot get it to block DHCP from the LAN while also allowing it for VPN connecting clients...
I am sure there must be an easy way to do this, but the general solution eludes me...
I did (sort of) find a work-around to this, but it requires the VPN server to reside on a Hyper-V server virtual machine, since I can employ the "DHCP guard" option on the interface within the VM. That does seem to work, but I really do not want to run the SoftEther VPN server in a Hyper-V VM permanently, and so I need a better (more universal) solution than that...
Anyhow, I hope I explained my situation well enough (if more clarification is needed, please ask)...
Can someone tell me how I can get the DHCP server to block from the corporate LAN, while still remaining available for use by the connecting VPN clients?
Thanks so much, and I look forward to hearing your suggestions.
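The check the poster describes (running a DHCP detection tool on the LAN and seeing two servers answer) can be reproduced offline with a small parser. The following is an added example and not code from the original post or from SoftEther: it parses the UDP payload of DHCP OFFER/ACK packets, pulls out the server identifier (option 54), the offered address, the router (option 3) and DNS servers (option 6), and flags any reply whose server identifier is not on an allowlist of authorised DHCP servers. All addresses are constructed for the example; in practice the payloads would come from a packet capture on the corporate LAN, which is outside this snippet.

```python
import socket
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed for this example: the only DHCP server that should answer on the LAN.
# Any other server identifier seen in an OFFER/ACK is treated as rogue.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.2"}

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 option cookie that follows the BOOTP header
DHCP_OFFER, DHCP_ACK = 2, 5        # option 53 message types we care about


@dataclass
class DhcpReply:
    msg_type: int
    your_ip: str                   # yiaddr: the address being offered
    server_id: Optional[str]       # option 54: which server is answering
    router: Optional[str] = None   # option 3: default gateway, if one is handed out
    dns: List[str] = field(default_factory=list)  # option 6


def build_dhcp_reply(msg_type, your_ip, server_id, router=None, dns=()):
    """Build the UDP payload of a minimal BOOTREPLY (used only to construct test input)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6          # op=BOOTREPLY, htype=Ethernet, hlen=6
    hdr[16:20] = socket.inet_aton(your_ip)    # yiaddr
    opts = bytes([53, 1, msg_type]) + bytes([54, 4]) + socket.inet_aton(server_id)
    if router:
        opts += bytes([3, 4]) + socket.inet_aton(router)
    if dns:
        opts += bytes([6, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns)
    return bytes(hdr) + DHCP_MAGIC + opts + b"\xff"   # 0xff = END option


def parse_dhcp_reply(payload: bytes) -> DhcpReply:
    """Parse a DHCP OFFER/ACK payload, skipping pad options and stopping at END."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    if payload[0] != 2:
        raise ValueError("not a BOOTREPLY")
    reply = DhcpReply(msg_type=0, your_ip=socket.inet_ntoa(payload[16:20]), server_id=None)
    opts, i = payload[240:], 0
    while i < len(opts):
        code = opts[i]
        if code == 0:              # pad: single byte, no length field
            i += 1
            continue
        if code == 255:            # end of options
            break
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        data = opts[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        if code == 53 and length == 1:
            reply.msg_type = data[0]
        elif code == 54 and length == 4:
            reply.server_id = socket.inet_ntoa(data)
        elif code == 3 and length >= 4:
            reply.router = socket.inet_ntoa(data[:4])
        elif code == 6 and length % 4 == 0:
            reply.dns = [socket.inet_ntoa(data[j : j + 4]) for j in range(0, length, 4)]
        i += 2 + length
    if reply.msg_type not in (DHCP_OFFER, DHCP_ACK):
        raise ValueError("not an OFFER or ACK")
    return reply


def find_rogue_replies(payloads, authorized):
    """Return the parsed replies whose server identifier is not on the allowlist."""
    return [r for r in map(parse_dhcp_reply, payloads) if r.server_id not in authorized]


# Constructed sample capture: both servers answer a client on the corporate LAN.
# The VPN hub's virtual DHCP hands out a VPN-range address with no router,
# matching the configuration described in the post.
SAMPLE_REPLIES = [
    build_dhcp_reply(DHCP_OFFER, "10.0.1.50", "10.0.0.2", router="10.0.0.1", dns=["10.0.0.10"]),
    build_dhcp_reply(DHCP_OFFER, "10.0.5.20", "10.0.0.200", dns=["10.0.0.10"]),
]

if __name__ == "__main__":
    for r in find_rogue_replies(SAMPLE_REPLIES, AUTHORIZED_DHCP_SERVERS):
        print(f"unexpected DHCP server {r.server_id} offered {r.your_ip} (router={r.router})")
```

Keying the check on option 54 rather than on the source IP of the packet matters here: the SoftEther virtual DHCP server sits behind a local bridge, so its replies appear on the LAN with the hub's own addressing, and the server identifier is what a client will use to select a lease. The absence of a router option in the second reply is also a useful fingerprint for the VPN hub's offers, since the post configures it that way deliberately.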