Android SSL client - random Mac addresses

Posted: Mon Jun 10, 2019 8:01 am
by coolname
Hi there,

Trying to put together an Android SSL client mimicking the SoftEther Windows client - a scaled-down version - but ran into an issue. The server keeps complaining about this:

Although the virtual hub has attempt to assign a new MAC address "40-00-40-11-B1-0B" was made, 3 MAC addresses have already been assigned for this service. According to the security policy, this session is denied bridges and is therefore allowed to hold no more than 3 MAC addresses. The packet has been discarded.

Prior to this, the server had already "assigned" 3 MAC addresses, as the log indicates with this kind of message: A new MAC address "40-00-40-06-E7-15" has been assigned.

Questions for the experts:

1. Why is the SoftEther server assigning MAC addresses to clients? Why not just use the MAC address from the client in the packets, like the Windows client? Is there a way to tweak the server configuration/code to change this behavior to avoid the above-mentioned error message so the data packets are accepted?

2. Since the Android VpnService API requires a VPN IP address in order to call its establish() to create a tun interface, while normally on Linux I must create a network interface first in order to get an IP address from a DHCP server, how do I address the chicken-and-egg issue on Android? Does it make sense to modify the server to maintain a lookup table of VPN IP addresses and their sessions, and send the IP address to the Android client during the initial handshake? Are there better solutions?

3. Another issue is that my Android client sends data blocks to the server and the server accepts them, but the server doesn't send any real data blocks to the client except for keepalives. There is no data from the server even after the limit of 3 MAC addresses was increased to 3000. What's causing this?

4. After the initial handshake, the connection would usually disconnect in 1 min. But if an "additional" handshake is done, even though the server terminates it immediately, somehow the first connection lasts about 10 min before it's disconnected, while there are still keepalive exchanges. Is there a reason for such behavior?

5. SoftEther has been a target of the GFW, especially its active probes. Are there any ideas on improving the SoftEther server to counter the GFW?

6. Should UDP acceleration be turned off to minimize the risk of the server being detected by the GFW? What would be the speed impact w/o it?

7. What part of the server needs to be modified in order for the Android client to work? Any other obstacles I might run into? Any recommendations?

Thank you in advance for any guidance and experience you can share.

Re: Android SSL client - random Mac addresses

Posted: Wed Jun 12, 2019 3:48 pm
by coolname
Looks like the random MAC addresses are a result of the differences between tun and tap. A wrapper to make tun packets look like tap packets is needed. Does anybody have any experience on how to implement it? On the client side or the server side? Is the OpenVPN clone a good example to model?

Re: Android SSL client - random Mac addresses

Posted: Wed Jun 12, 2019 11:32 pm
by coolname
Does the SoftEther server support a tun interface (instead of the default tap)? If not, does it make sense to tweak the server code to provide support for tun vs. changing the client or adding a tun-to-tap wrapper?

Do the SoftEther data blocks - tap Ethernet frames - include IP packet headers + data, or just data w/o IP packet headers?

Any resources on conversion between tun IP packets and tap Ethernet frames would be appreciated.

Re: Android SSL client - random Mac addresses

Posted: Mon Jun 24, 2019 7:38 am
by cedar
Please turn on 'Bridge/Router mode' to disable MAC address restriction.
This restriction is for the commercial license model and is not required for the open source version.

Re: Android SSL client - random Mac addresses

Posted: Fri Jun 28, 2019 3:56 pm
by coolname
Thanks for your response. I looked into Bridge/Router mode. Turning it on might be able to avoid the warning, but from my testing it was an issue caused by a missing MAC header.

Re: Android SSL client - random Mac addresses

Posted: Fri Jun 28, 2019 9:34 pm
by cedar
The Ethernet header is required in the SoftEther VPN protocol because it handles Ethernet frames.
If you need to implement an SSL-based VPN, you should implement SSTP.
Alternatively, it is necessary to implement ARP and delayed transmission to add Ethernet header.
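As an added example (not code from this thread or from the SoftEther project), here is the tun-to-tap wrapper and ARP handling cedar describes, in C since the client's native part is C. It assumes a fixed, locally administered client MAC and a constructed VPN address; a real client would take its address from DHCP over the tunnel and keep the MAC constant for the whole session. It also shows where addresses like "40-00-40-11-B1-0B" come from: if a raw IPv4 packet from the tun fd is handed to the hub as if it were an Ethernet frame, bytes 6..11 are read as the source MAC, and in an IPv4 header those bytes are the fragment flags (0x4000, DF set), TTL (0x40), protocol (0x11 UDP or 0x06 TCP) and the header checksum, so every new flow looks like a new MAC to the hub.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN      14
#define ARP_LEN       28
#define ETHERTYPE_IP  0x0800
#define ETHERTYPE_ARP 0x0806

/* Constructed example values (hypothetical): one locally administered MAC the
 * client presents for the whole session, and its VPN-side IPv4 address. */
static const uint8_t CLIENT_MAC[6] = {0x02, 0x00, 0x5e, 0x00, 0x00, 0x01};
static const uint8_t CLIENT_IP[4]  = {192, 168, 30, 10};
static const uint8_t BCAST_MAC[6]  = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

static void     put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }
static uint16_t get16(const uint8_t *p)       { return (uint16_t)((p[0] << 8) | p[1]); }

/* tun -> tap: prepend a 14-byte Ethernet header to an IPv4 packet read from the
 * tun fd. dst_mac is the resolved next hop (gateway) or the broadcast MAC.
 * Returns the frame length, or 0 if the input is not IPv4 or does not fit. */
size_t tun_to_tap(const uint8_t *ip, size_t iplen, const uint8_t dst_mac[6],
                  uint8_t *frame, size_t cap)
{
    if (iplen < 20 || (ip[0] >> 4) != 4 || cap < ETH_HLEN + iplen) return 0;
    memcpy(frame, dst_mac, 6);
    memcpy(frame + 6, CLIENT_MAC, 6);        /* same source MAC on every frame */
    put16(frame + 12, ETHERTYPE_IP);
    memcpy(frame + ETH_HLEN, ip, iplen);     /* body = the whole IP packet, header included */
    return ETH_HLEN + iplen;
}

/* tap -> tun: strip the Ethernet header of a frame received from the hub.
 * Returns the EtherType (0x0800 IPv4, 0x0806 ARP) and points *payload at the
 * body; returns 0 for frames to drop (too short, or not addressed to us). */
uint16_t tap_to_tun(const uint8_t *frame, size_t flen,
                    const uint8_t **payload, size_t *plen)
{
    if (flen < ETH_HLEN) return 0;
    if (memcmp(frame, CLIENT_MAC, 6) != 0 && memcmp(frame, BCAST_MAC, 6) != 0) return 0;
    *payload = frame + ETH_HLEN;
    *plen    = flen - ETH_HLEN;
    return get16(frame + 12);
}

/* Broadcast ARP request for target_ip, used to learn the gateway MAC. Until the
 * reply arrives, outbound IP packets have to be queued (the "delayed
 * transmission" in the thread) because tun_to_tap needs a destination MAC. */
size_t arp_request(const uint8_t target_ip[4], uint8_t *out, size_t cap)
{
    if (cap < ETH_HLEN + ARP_LEN) return 0;
    uint8_t *a = out + ETH_HLEN;
    memcpy(out, BCAST_MAC, 6);
    memcpy(out + 6, CLIENT_MAC, 6);
    put16(out + 12, ETHERTYPE_ARP);
    put16(a, 1);  put16(a + 2, ETHERTYPE_IP);  a[4] = 6;  a[5] = 4;  put16(a + 6, 1);
    memcpy(a + 8, CLIENT_MAC, 6);  memcpy(a + 14, CLIENT_IP, 4);
    memset(a + 18, 0, 6);          memcpy(a + 24, target_ip, 4);
    return ETH_HLEN + ARP_LEN;
}

/* If frame is an ARP request for CLIENT_IP, write the reply into out and return
 * its length, else 0. Answering ARP is what lets the hub and other hosts on the
 * segment deliver frames to a tun-based client. */
size_t arp_reply_for(const uint8_t *frame, size_t flen, uint8_t *out, size_t cap)
{
    if (flen < ETH_HLEN + ARP_LEN || cap < ETH_HLEN + ARP_LEN) return 0;
    if (get16(frame + 12) != ETHERTYPE_ARP) return 0;
    const uint8_t *q = frame + ETH_HLEN;
    if (get16(q) != 1 || get16(q + 2) != ETHERTYPE_IP || q[4] != 6 || q[5] != 4) return 0;
    if (get16(q + 6) != 1 || memcmp(q + 24, CLIENT_IP, 4) != 0) return 0;
    uint8_t *r = out + ETH_HLEN;
    memcpy(out, q + 8, 6);                   /* unicast back to the requester */
    memcpy(out + 6, CLIENT_MAC, 6);
    put16(out + 12, ETHERTYPE_ARP);
    memcpy(r, q, 8);  put16(r + 6, 2);       /* same htype/ptype/lens, opcode = reply */
    memcpy(r + 8, CLIENT_MAC, 6);  memcpy(r + 14, CLIENT_IP, 4);
    memcpy(r + 18, q + 8, 10);               /* target hw+ip = requester's sender hw+ip */
    return ETH_HLEN + ARP_LEN;
}

int main(void)
{
    /* Constructed 20-byte IPv4 header: DF set, TTL 64, UDP; checksum not validated. */
    const uint8_t ip[20] = {0x45, 0x00, 0x00, 0x14, 0x12, 0x34, 0x40, 0x00, 0x40, 0x11,
                            0xb1, 0x0b, 192, 168, 30, 10, 192, 168, 30, 1};
    const uint8_t gw_mac[6] = {0x02, 0x00, 0x5e, 0x00, 0x00, 0xfe};   /* constructed */
    uint8_t frame[64];
    size_t n = tun_to_tap(ip, sizeof ip, gw_mac, frame, sizeof frame);
    printf("wrapped frame: %zu bytes, src MAC %02X-%02X-%02X-%02X-%02X-%02X\n", n,
           frame[6], frame[7], frame[8], frame[9], frame[10], frame[11]);
    printf("raw IP packet misread as a frame would show src MAC %02X-%02X-%02X-%02X-%02X-%02X\n",
           ip[6], ip[7], ip[8], ip[9], ip[10], ip[11]);
    return 0;
}
```

The wrapped frame's body is the complete IP packet (header plus data), which answers the question of what a tap frame carries; only the 14-byte Ethernet header is added on the way out and removed on the way in.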

Re: Android SSL client - random Mac addresses

Posted: Wed Jul 03, 2019 7:34 pm
by coolname
I've managed to get the SSL app working on Android. But the speed is very low. Testing on a Samsung device, the speed is about 5-20 Mbps (out of ~170 Mbps bandwidth), about 1/3 of L2TP and 1/10 of the Windows client with UDP acceleration on.

Looks like UDP acceleration is the key factor in improving speed. Questions:

1. Could you please point me to any documentation on UDP Acceleration? It seems to be a fairly new feature and the SoftEther website doesn't have much info about it.

2. The possible risk of using UDP acceleration would be giving firewalls a way to detect SoftEther, as they might be able to use this as a signature of SoftEther to identify and block the data packets. Have you heard any such reports, especially about the doings of the GFW? One possible solution is to give users the option to decide whether they want all traffic to go through SSL at a low speed, or to allow UDP communication for better speed - a tradeoff between speed and security.

3. Are there any other parameters we can tweak to improve the speed, such as reducing the keepalive packet size?

4. Could you please elaborate on the benefit of SSTP over SSL for an Android solution? Any reports/data on its performance?

Thank you!

Re: Android SSL client - random Mac addresses

Posted: Sun Jul 14, 2019 4:05 am
by coolname
Does the UDP Acceleration feature require the client side to support NAT-T as well? Can't the client and server skip NAT-T and go straight to client/server UDP socket communication, just like TCP? My server is not behind any NAT/routers, but clients are likely to be behind routers/NAT.

Re: Android SSL client - random Mac addresses

Posted: Sun Jul 14, 2019 4:50 am
by sky59
How did you compile the Android client?

I compiled it from source for API 14, but I have to play a lot with the terminal to start it on the tablet.

But then it works absolutely reliably, not disconnecting even after 2 days; I did not test longer.

Speed is about 5 Mbit, which is excellent, out of the 15 Mbit connection tested with.

Re: Android SSL client - random Mac addresses

Posted: Mon Jul 15, 2019 5:04 pm
by coolname
I wrote an Android app with Java and native C code mimicking the SoftEther Windows client. The goal is for any un-rooted Android phone to be able to run an SSL-based SoftEther client. It connects now but is slow. Trying to implement UDP acceleration, as it seems to be the key to improving speed. But it has its own challenges: it requires NAT-T. NAT-T relies on a NAT-T server such as *, which can be a vulnerability. I hope UDP acceleration can be implemented w/o the need to use NAT-T. Hopefully the experts maintaining the SoftEther code here can advise on a good solution to improve speed w/o having to deal with NAT-T.

Is it correct that you built the SoftEther Linux client code for a rooted Android device? Did you have to change a lot of code to make it work?

Re: Android SSL client - random Mac addresses

Posted: Fri Aug 09, 2019 7:52 pm
by slim8020
Hi! Take a look at this topic, it may be useful ... 573#p81573