[Solved] Access VPN server as client on TAP device

graphik_
Posts: 3
Joined: Sun Aug 15, 2021 11:10 am

[Solved] Access VPN server as client on TAP device

Post by graphik_ » Sun Aug 15, 2021 2:01 pm

Hello community,

I am relatively new to SoftEther's advanced features and I hope someone can help me find my issue.
I'd like to start with my goal:

In general I want to connect to my SoftEther VPN server and get routed to a MITM proxy which should listen on the VPN server's interfaces.
In detail I'd like to use SoftEther's built-in DHCP server so that I do not have to set up a separate one, and I do not require access to the connected LAN in general.

So I planned my idea and randomly found this instruction: https://sites.google.com/view/softether-dhcp-bridge
It describes an issue which could occur if a local bridge is created and the SoftEther DHCP is used.

My issue:
I set up everything like in the linked instruction except step A. I think the bridge interface is not necessary for my goal.
This means:
- I have two VPN hubs which are connected through the cascading feature (it's set to "online" too)
- One local bridge which connects the server side VPN hub with a tap interface
- SecureNAT enabled for the client side VPN hub but without SecureNAT, only for DHCP usage
- blocked DHCP from being transmitted to the server side VPN hub to stay safe with my LAN
- Additionally I added an IP address to the tap interface (ip addr add 192.168.42.1/32 dev tap_vpn)

Now I am able to establish the VPN connection and ping the server's VPN IP (192.168.30.1) but I am not able to access the tap interface 192.168.42.1.
I also tried to enable IP forwarding (sysctl -w net.ipv4.ip_forward=1) in the hope that routing was disabled in some way, but it didn't help.
For me it looks like the client VPN hub is not properly routed into the server side VPN hub, but I am not able to identify or debug this in any way.

Is there someone here who can help me with my issue?


Network plan:
Softether.png
Kind regards,
graphik_
Last edited by graphik_ on Mon Aug 16, 2021 4:53 pm, edited 2 times in total.

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: Access VPN server as client on TAP device

Post by eddiewu » Mon Aug 16, 2021 11:12 am

Don’t understand what the two IP addresses represent. Need an illustration.

graphik_
Posts: 3
Joined: Sun Aug 15, 2021 11:10 am

Re: Access VPN server as client on TAP device

Post by graphik_ » Mon Aug 16, 2021 11:32 am

I will create a diagram and update my post later :)

EDIT:
Diagram added.
I hope it is clear how the routing should work.
- external client establishes VPN and receives a SecureNAT DHCP IP: 192.168.30.10
- the Client VPN Hub communication seems to work because I can ping 192.268.30.1, which is the VPN IP of the SoftEther Server itself
- the VPN Hubs are cascaded and the Server VPN Hub has a bridge to tap_VPN
- tap_VPN has the IP address 192.168.42.1 assigned
- the client (192.168.30.10) cannot access 192.168.42.1

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: Access VPN server as client on TAP device

Post by eddiewu » Mon Aug 16, 2021 4:23 pm

OK. So if I understand correctly, you have two virtual hubs on the server, hub 1 with secure dhcp enabled (192.168.30.0/24) and hub 2 bridged with a tap (192.168.42.0/24).
The VPN client is connecting to hub 1.
But you want it to be able to access the tap device which is in hub 2.
I don't know why you need two hubs. Two hubs are only needed if you have two groups of clients and they are not supposed to communicate with each other. You can use one hub to connect both the tap and clients.
However, if you insist on the two-hub approach, you either need to enable SecureNAT or set up a virtual L3 switch and routing between the two hubs.

graphik_
Posts: 3
Joined: Sun Aug 15, 2021 11:10 am

Re: Access VPN server as client on TAP device

Post by graphik_ » Mon Aug 16, 2021 4:52 pm

If you can't see the forest for the trees :|
Thank you for the hint.
The approach of the two hubs was that the DHCP server would not answer requests from the TAP interface. My original idea was to use a local bridge to a physical NIC, which would cause issues if the SecureNAT DHCP answered for my normal LAN clients.
But due to the TAP usage this becomes unnecessary, and the only thing I needed to add was a route for the TAP device back to my VPN network:
ip route add 192.168.30.0/24 dev tap_VPN

That should have come to my mind earlier.

Thank you very much for saving some nerves, now it is working as desired :)
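An added illustration of why the missing route broke the setup and why the one-line fix works (this is example code written for this page, not something from the thread or from SoftEther). The forward direction is decided by SoftEther itself: the packet from the VPN client enters hub 1, crosses the cascade into hub 2 and leaves through the local bridge onto tap_VPN. The reply, however, is generated by the Linux host, which consults its own routing table. Because the tap only carries a /32 address, the host has no connected route for 192.168.30.0/24, so the reply follows the default route out of the physical NIC and never reaches the VPN. The script models the kernel's longest-prefix-match lookup over two constructed routing tables (the interface name eth0 and the LAN prefix 192.168.1.0/24 are assumptions; tap_VPN and the 192.168.30.0/24 and 192.168.42.1 values come from the thread) and also emits the host-side command sequence that eddiewu's single-hub design needs.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables for the host running SoftEther.
# eth0 and 192.168.1.0/24 are assumptions; the rest mirrors the thread.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "eth0"),       # default route towards the real LAN / internet
    ("192.168.1.0/24", "eth0"),  # connected LAN prefix (assumed)
    # note: "ip addr add 192.168.42.1/32 dev tap_VPN" creates no connected
    # route in the main table, so nothing points 192.168.30.0/24 at the tap
]
ROUTES_AFTER = ROUTES_BEFORE + [
    ("192.168.30.0/24", "tap_VPN"),  # the route graphik_ added in the fix
]

VPN_CLIENT = "192.168.30.10"   # SecureNAT DHCP lease from the thread
TAP_ADDRESS = "192.168.42.1"   # address on tap_VPN from the thread


def lookup(routes, dst):
    """Longest-prefix match, the same rule the kernel FIB applies.

    Returns the egress interface for dst, or None if no route matches.
    """
    addr = ip_address(dst)
    best_net, best_dev = None, None
    for prefix, dev in routes:
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def reply_reaches_vpn(routes, client=VPN_CLIENT):
    """True if the host's reply to the VPN client leaves via the tap.

    The forward path (client -> hub -> cascade -> bridge -> tap) is
    handled by SoftEther; only the return path depends on this table.
    """
    return lookup(routes, client) == "tap_VPN"


def host_setup_commands(tap="tap_VPN", tap_ip=TAP_ADDRESS, vpn_net="192.168.30.0/24"):
    """Host-side commands for the single-hub layout eddiewu suggested.

    SoftEther creates the tap when the local bridge is configured; the
    address and the return route are the only parts the host must add.
    The sysctl line is not required for this case and is left out on purpose.
    """
    return [
        f"ip addr add {tap_ip}/32 dev {tap}",
        f"ip link set {tap} up",
        f"ip route add {vpn_net} dev {tap}",
        f"ip route get {VPN_CLIENT}",  # verification: should print 'dev tap_VPN'
    ]


if __name__ == "__main__":
    for label, table in (("before fix", ROUTES_BEFORE), ("after fix", ROUTES_AFTER)):
        dev = lookup(table, VPN_CLIENT)
        ok = reply_reaches_vpn(table)
        print(f"{label}: reply {TAP_ADDRESS} -> {VPN_CLIENT} leaves via {dev}; "
              f"reaches VPN client: {ok}")
    print("\n".join(host_setup_commands()))
```

Running it shows the reply leaving via eth0 before the route is added and via tap_VPN afterwards. The last emitted command, `ip route get 192.168.30.10`, is the quick on-host check for the real system: if it does not name the tap, the VPN client's ICMP echo requests arrive but the echo replies are sent out the wrong interface, which is exactly the "can ping the hub, cannot reach the tap" symptom from the first post.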
