Best architecture/setup searched

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
julian
Posts: 14
Joined: Wed Jun 28, 2023 3:52 pm

Best architecture/setup searched

Post by julian » Mon Jul 24, 2023 4:09 pm

Hi everybody and thanks in advance for your input.

Goal: I want to set up a VPN system so that I can connect from my client PC at home using L2TP, OpenVPN and the SoftEther Client to any of multiple LANs connected to a Raspberry Pi based system in a remote location. This Raspi sits behind a firewall and NAT.

What I've already tried:
  • Set up an SE bridge on the Raspi -> this way I can only connect to one physical NIC (X)
  • Set up an SE server on the Raspi and configure local bridges -> couldn't get NAT traversal working (most likely due to the ISP) (X)
Current setup:
Host one SE server on a VM of a cloud provider and make a cascade connection from a server sitting on the Raspi to the server in the cloud (so I don't need NAT traversal, since it's outbound traffic from the Raspi side). The cloud server implements only one VHUB to forward the traffic to the client. This VHUB is then connected to the DEFAULT VHUB on the Raspi server. This VHUB uses SecureNAT, to A) enable clients to connect using L2TP and OpenVPN (only worked for me if there is a DHCP server) and B) so that the targets in the remote LAN can answer connections from the clients through NAT (otherwise I'd need to adjust the routing tables of the other devices in the target LAN).

Problem:
I don't know how to set up the SecureNAT so that traffic which comes from the client (e.g. DHCP-assigned IP 192.168.30.10) will be routed into a physically connected network of the Raspi (e.g. on ETH0 a device with 192.168.1.2), since I can only assign one IP to the SecureNAT VHOST.
Using local bridges on the VHUB enables communication to the target device (192.168.1.2), but without adjusting the routing table of the target the answer can't be sent.

What am I missing, or is there a way better setup to implement these requirements anyway?

Thanks and best regards, Julian

solo
Posts: 1286
Joined: Sun Feb 14, 2021 10:31 am

Re: Best architecture/setup searched

Post by solo » Mon Jul 24, 2023 7:30 pm

julian wrote:
Mon Jul 24, 2023 4:09 pm
Setup a SE bridge on the raspi -> This way i can only connect to one physicall NIC (X)
Hi, but this NIC allows access to the entire remote LAN, therefore the simplest config is:

[raspi SE bridge] ===> [VPS SE server] <=== [SE/VPN clients]

SE bridge:
- no SecureNAT or only vDHCP

SE server:
- no bridge
- no SecureNAT
- no L3
- no VPN Azure
- no/yes IPsec/L2TP
- no/yes OpenVPN/MS-SSTP
- add 1 cascade + x users

julian
Posts: 14
Joined: Wed Jun 28, 2023 3:52 pm

Re: Best architecture/setup searched

Post by julian » Tue Jul 25, 2023 7:38 am

Hi, and thanks for the input first of all.

The thing is that I not only want to connect to one LAN via one NIC; I want to connect to multiple separate LANs connected to individual physical NICs (2 ETH ports, one Wi-Fi, GSM, ...). That's what makes the whole thing tricky.

BR, Julian

solo
Posts: 1286
Joined: Sun Feb 14, 2021 10:31 am

Re: Best architecture/setup searched

Post by solo » Tue Jul 25, 2023 8:52 am

In that case replace "raspi SE bridge" with "raspi SE server" and simply add more bridging+cascading hubs. If you don't care about reverse connections then a SecureNAT solution would be as follows:

[raspi SE server #1] ---> [VPS SE server #2] <--- [SE/VPN clients]

SE server #1:
- no bridge
- yes SecureNAT with all defaults
- no L3
- no VPN Azure
- no IPsec/L2TP
- no OpenVPN/MS-SSTP
- cascade to server #2

SE server #2:
- no bridge
- no SecureNAT
- no L3
- no VPN Azure
- no/yes IPsec/L2TP
- no/yes OpenVPN/MS-SSTP
- add 1 cascade + x users
julian wrote:
Mon Jul 24, 2023 4:09 pm
I don't know how to setup the SecureNAT so that traffic which comes from the client (e.g. DHCP assigned IP 192.168.30.10) will be routed into a physically connected network of the raspi (e.g. on ETH0 a device with 192.168.1.2) since i can only assign one IP to the SecureNAT VHOST.
Just apply SecureNAT's defaults exactly as offered.
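The two-server prescription above (and the simpler bridge variant from the earlier reply, which differs only in what runs on the Raspi), written out as vpncmd batch files. This is an added example, not a configuration from the thread or from the SoftEther project: the VPS hostname, hub and user names, passwords and the IPsec PSK are placeholders, and SecureNAT is enabled with whatever defaults the server offers, exactly as prescribed.

```shell
#!/bin/sh
# Added example (not from the thread or the SoftEther project): the two-server
# prescription as vpncmd batch files, one per server. Hostnames, hub and user
# names, passwords and the IPsec PSK are placeholders; replace them before use.
set -eu

VPS_HOST=vps.example.com      # public address of SE server #2 (assumed)
HUB=VPNHUB                    # hub on #2 that clients and the cascade join
CASCADE_USER=cascade-raspi    # account the raspi uses to log in to #2
CLIENT_USER=julian            # an ordinary VPN user

# SE server #2 (VPS): one hub, users, no SecureNAT, no VPN Azure,
# L2TP/IPsec + OpenVPN + SSTP listeners on for the road-warrior clients.
write_vps_script() {
    cat > "$1" <<EOF
HubCreate $HUB /PASSWORD:HUB_ADMIN_PW
Hub $HUB
SecureNatDisable
UserCreate $CASCADE_USER /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet $CASCADE_USER /PASSWORD:CASCADE_PW
UserCreate $CLIENT_USER /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet $CLIENT_USER /PASSWORD:CLIENT_PW
VpnAzureSetEnable no
IPsecEnable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:CHANGE_THIS_PSK /DEFAULTHUB:$HUB
OpenVpnEnable yes /PORTS:1194
SstpEnable yes
EOF
}

# SE server #1 (raspi): SecureNAT with defaults on the DEFAULT hub, every
# inbound listener feature off, and an outbound cascade to #2 so that no
# port forwarding or NAT traversal is needed at the remote site.
write_raspi_script() {
    cat > "$1" <<EOF
Hub DEFAULT
SecureNatEnable
VpnAzureSetEnable no
IPsecEnable /L2TP:no /L2TPRAW:no /ETHERIP:no /PSK:unused /DEFAULTHUB:DEFAULT
OpenVpnEnable no /PORTS:1194
SstpEnable no
CascadeCreate to-vps /SERVER:$VPS_HOST:443 /HUB:$HUB /USERNAME:$CASCADE_USER
CascadePasswordSet to-vps /PASSWORD:CASCADE_PW /TYPE:standard
CascadeOnline to-vps
EOF
}

# Feed each file to the local server's admin interface:
#   vpncmd localhost /SERVER /PASSWORD:SERVER_ADMIN_PW /IN:vps.txt    (on the VPS)
#   vpncmd localhost /SERVER /PASSWORD:SERVER_ADMIN_PW /IN:raspi.txt  (on the raspi)
if [ $# -gt 0 ]; then
    write_vps_script vps.txt
    write_raspi_script raspi.txt
fi
```

The cascade account on the VPS only needs to join the hub, so keep it separate from the human user accounts; a compromised cascade password then gives an attacker at most what the Raspi already has. The VPS is the only publicly reachable piece, so leave every listener you do not use (VPN Azure, SSTP, OpenVPN) disabled there as well.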

julian
Posts: 14
Joined: Wed Jun 28, 2023 3:52 pm

Re: Best architecture/setup searched

Post by julian » Tue Jul 25, 2023 11:25 am

Thanks again for your fast reply. How can I access the LANs behind the NICs then? If I connect to the VHUB, the DHCP will assign an IP address to my client in the 192.168.30.0 range and add routing entries to my PC for that network. How do I configure the server(s) so that I can also access the 192.168.1.0 and 192.168.2.0 networks, which are connected to the Raspi via ETH0 and ETH1?

solo
Posts: 1286
Joined: Sun Feb 14, 2021 10:31 am

Re: Best architecture/setup searched

Post by solo » Tue Jul 25, 2023 2:42 pm

Please follow the config prescription VERBATIM.

If you encounter a problem, we'll deal with it.

julian
Posts: 14
Joined: Wed Jun 28, 2023 3:52 pm

Re: Best architecture/setup searched

Post by julian » Wed Jul 26, 2023 7:40 am

OK, I now set up each server completely from scratch to have all defaults, then applied the proposed settings as given. Still I can't ping devices in the 192.168.1.0 net behind the Raspi or SSH to a device there. Nevertheless, I can now successfully ping and communicate with devices in the other net (192.168.10.0) connected to the Raspi. I might also need to add that in the 192.168.10.0 net a DHCP server is present, while in the 192.168.1.0 net there is none.

solo
Posts: 1286
Joined: Sun Feb 14, 2021 10:31 am

Re: Best architecture/setup searched

Post by solo » Wed Jul 26, 2023 8:32 am

[...]

EDIT

you have changed your post, now I change...
Can SE #1 ping 192.168.1.x?

julian
Posts: 14
Joined: Wed Jun 28, 2023 3:52 pm

Re: Best architecture/setup searched

Post by julian » Wed Jul 26, 2023 8:40 am

Yes, from SE #1 (raspi) I can ping 192.168.1.x

solo
Posts: 1286
Joined: Sun Feb 14, 2021 10:31 am

Re: Best architecture/setup searched

Post by solo » Wed Jul 26, 2023 8:53 am

Maybe your VPN client is locally on the 192.168.1.x subnet? Connect and post as code:

VPN SE server #1:
ifconfig
route -n
ip route
iptables -S
ufw status

VPN SE client (Windows):
netstat -r
ipconfig /all
tracert 192.168.1.x
tracert 192.168.10.x

julian
Posts: 14
Joined: Wed Jun 28, 2023 3:52 pm

Re: Best architecture/setup searched

Post by julian » Wed Jul 26, 2023 9:21 am

No, that's not the case. The 192.168.1.0 net is an isolated network currently consisting of only the Raspi (SE #1) (192.168.1.1) and another Raspi as a test device (192.168.1.2).

SE #1:

root@e19d25b:~# ifconfig
balena0   Link encap:Ethernet  HWaddr 02:42:0E:72:77:A4
          inet addr:10.114.101.1  Bcast:10.114.101.255  Mask:255.255.255.0
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

br-afe19591fb7f Link encap:Ethernet  HWaddr 02:42:57:DA:CB:74
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr E4:5F:01:E5:3F:F5
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::b6c:8ac7:267d:4ca5/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:10303 (10.0 KiB)

eth1      Link encap:Ethernet  HWaddr 00:01:C0:33:0D:D9
          inet addr:192.168.10.57  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::fccf:6cd1:2100:688c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:143241 errors:0 dropped:0 overruns:0 frame:0
          TX packets:142142 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:127374224 (121.4 MiB)  TX bytes:134102927 (127.8 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:6745 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6745 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:550371 (537.4 KiB)  TX bytes:550371 (537.4 KiB)

resin-dns Link encap:Ethernet  HWaddr 02:D3:89:C8:D1:47
          inet addr:10.114.102.1  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::90b5:40ff:fe1c:11b0/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:164 (164.0 B)

resin-vpn Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:100.64.0.17  P-t-P:10.2.0.1  Mask:255.255.255.255
          inet6 addr: fe80::a187:5398:ddab:1903/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:431 errors:0 dropped:0 overruns:0 frame:0
          TX packets:327 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:32958 (32.1 KiB)  TX bytes:56806 (55.4 KiB)

supervisor0 Link encap:Ethernet  HWaddr 02:42:B7:6B:BB:26
          inet addr:10.114.104.1  Bcast:10.114.104.127  Mask:255.255.255.128
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr E4:5F:01:E5:3F:F7
          inet addr:192.168.218.95  Bcast:192.168.218.255  Mask:255.255.255.0
          inet6 addr: fe80::5834:dca3:aea3:9062/64 Scope:Link
          inet6 addr: 2001:4bb8:2dc:e975:9c66:8361:461f:7079/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:421 errors:0 dropped:0 overruns:0 frame:0
          TX packets:251 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:74018 (72.2 KiB)  TX bytes:41775 (40.7 KiB)

root@e19d25b:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.1    0.0.0.0         UG    101    0        0 eth1
0.0.0.0         192.168.218.57  0.0.0.0         UG    600    0        0 wlan0
10.2.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 resin-vpn
10.114.101.0    0.0.0.0         255.255.255.0   U     0      0        0 balena0
10.114.102.0    0.0.0.0         255.255.255.0   U     0      0        0 resin-dns
10.114.104.0    0.0.0.0         255.255.255.128 U     0      0        0 supervisor0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-afe19591fb7f
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U     101    0        0 eth1
192.168.218.0   0.0.0.0         255.255.255.0   U     600    0        0 wlan0
root@e19d25b:~# ip route
default via 192.168.10.1 dev eth1  metric 101
default via 192.168.218.57 dev wlan0  metric 600
10.2.0.1 dev resin-vpn scope link  src 100.64.0.17
10.114.101.0/24 dev balena0 scope link  src 10.114.101.1
10.114.102.0/24 dev resin-dns scope link  src 10.114.102.1
10.114.104.0/25 dev supervisor0 scope link  src 10.114.104.1
172.17.0.0/16 dev br-afe19591fb7f scope link  src 172.17.0.1
192.168.1.0/24 dev eth0 scope link  src 192.168.1.1
192.168.10.0/24 dev eth1 scope link  src 192.168.10.57  metric 101
192.168.218.0/24 dev wlan0 scope link  src 192.168.218.95  metric 600
root@e19d25b:~# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N BALENA-FIREWALL
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -j BALENA-FIREWALL
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o balena0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o balena0 -j DOCKER
-A FORWARD -i balena0 ! -o balena0 -j ACCEPT
-A FORWARD -i balena0 -o balena0 -j ACCEPT
-A FORWARD -o br-afe19591fb7f -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-afe19591fb7f -j DOCKER
-A FORWARD -i br-afe19591fb7f ! -o br-afe19591fb7f -j ACCEPT
-A FORWARD -i br-afe19591fb7f -o br-afe19591fb7f -j ACCEPT
-A FORWARD -o supervisor0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o supervisor0 -j DOCKER
-A FORWARD -i supervisor0 ! -o supervisor0 -j ACCEPT
-A FORWARD -i supervisor0 -o supervisor0 -j ACCEPT
-A BALENA-FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BALENA-FIREWALL -m addrtype --src-type LOCAL -j ACCEPT
-A BALENA-FIREWALL -i resin-vpn -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i tun0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i docker0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i lo -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i supervisor0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -p tcp -m tcp --dport 48484 -j REJECT --reject-with icmp-port-unreachable
-A BALENA-FIREWALL -p tcp -m tcp --dport 22222 -j ACCEPT
-A BALENA-FIREWALL -p tcp -m tcp --dport 2375 -j ACCEPT
-A BALENA-FIREWALL -m addrtype --dst-type MULTICAST -j ACCEPT
-A BALENA-FIREWALL -p icmp -j ACCEPT
-A BALENA-FIREWALL -i balena0 -p udp -m udp --dport 53 -j ACCEPT
-A BALENA-FIREWALL -j RETURN
-A BALENA-FIREWALL -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-ISOLATION-STAGE-1 -i balena0 ! -o balena0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-afe19591fb7f ! -o br-afe19591fb7f -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i supervisor0 ! -o supervisor0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o balena0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-afe19591fb7f -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o supervisor0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
root@e19d25b:~# ufw status
-sh: ufw: command not found
Client PC:

PS C:\Users\Julian> netstat -r
===========================================================================
Interface List
 38...7c 57 58 60 90 0e ......Intel(R) Ethernet Connection (16) I219-LM
 26...94 05 bb 19 79 7d ......Realtek USB GbE Family Controller
 66...00 15 5d 27 a0 4d ......Hyper-V Virtual Ethernet Adapter
  6...00 ff 10 46 01 3c ......TAP-Windows Adapter V9 for OpenVPN Connect
 36...........................OpenVPN Data Channel Offload
 37...30 89 4a cb 9d f1 ......Microsoft Wi-Fi Direct Virtual Adapter #3
 22...32 89 4a cb 9d f0 ......Microsoft Wi-Fi Direct Virtual Adapter #4
 11...5e bf a9 0d d7 2b ......VPN Client Adapter - VPN
 27...5e d6 36 4b 59 87 ......VPN Client Adapter - VPN2
 83...........................SoftEther
 43...30 89 4a cb 9d f0 ......Intel(R) Wi-Fi 6E AX211 160MHz
 10...30 89 4a cb 9d f4 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
 16...94 b9 b9 54 44 5f ......Generic Mobile Broadband Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.218.57   192.168.218.91   4280
          0.0.0.0          0.0.0.0         On-link     192.168.30.10     46
    68.183.222.88  255.255.255.255   192.168.218.57   192.168.218.91   4281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4556
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4556
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
     172.28.240.0    255.255.240.0         On-link      172.28.240.1   4496
     172.28.240.1  255.255.255.255         On-link      172.28.240.1   4496
   172.28.255.255  255.255.255.255         On-link      172.28.240.1   4496
     192.168.30.0    255.255.255.0         On-link     192.168.30.10     46
    192.168.30.10  255.255.255.255         On-link     192.168.30.10    301
   192.168.30.255  255.255.255.255         On-link     192.168.30.10    301
    192.168.218.0    255.255.255.0         On-link    192.168.218.91   4536
   192.168.218.91  255.255.255.255         On-link    192.168.218.91   4536
  192.168.218.255  255.255.255.255         On-link    192.168.218.91   4536
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4556
        224.0.0.0        240.0.0.0         On-link    192.168.218.91   4536
        224.0.0.0        240.0.0.0         On-link      172.28.240.1   4496
        224.0.0.0        240.0.0.0         On-link     192.168.30.10     46
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
  255.255.255.255  255.255.255.255         On-link    192.168.218.91   4536
  255.255.255.255  255.255.255.255         On-link      172.28.240.1   4496
  255.255.255.255  255.255.255.255         On-link     192.168.30.10    301
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 43     71 ::/0                     fe80::f4f0:6dff:fe09:648
  1    331 ::1/128                  On-link
 43     71 2001:4bb8:2dc:e975::/64  On-link
 43    311 2001:4bb8:2dc:e975:4c57:9271:8d56:ca7a/128
                                    On-link
 43    311 2001:4bb8:2dc:e975:8aee:9a00:bf71:e0dc/128
                                    On-link
 43    311 fe80::/64                On-link
 66    271 fe80::/64                On-link
 43    311 fe80::2f9a:8efb:5a11:2c6f/128
                                    On-link
 66    271 fe80::ecaa:11c8:de47:af17/128
                                    On-link
  1    331 ff00::/8                 On-link
 43    311 ff00::/8                 On-link
 66    271 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
PS C:\Users\Julian> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : hp-elite
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (16) I219-LM
   Physical Address. . . . . . . . . : 7C-57-58-60-90-0E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek USB GbE Family Controller
   Physical Address. . . . . . . . . : 94-05-BB-19-79-7D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-15-5D-27-A0-4D
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ecaa:11c8:de47:af17%66(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.28.240.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 1107301725
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-27-7A-C0-7C-57-58-60-90-0E
   NetBIOS over Tcpip. . . . . . . . : Enabled

Unknown adapter LAN-Verbindung:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
   Physical Address. . . . . . . . . : 00-FF-10-46-01-3C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Unknown adapter OpenVPN Connect DCO Adapter:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : OpenVPN Data Channel Offload
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter LAN-Verbindung* 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #3
   Physical Address. . . . . . . . . : 30-89-4A-CB-9D-F1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter LAN-Verbindung* 4:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #4
   Physical Address. . . . . . . . . : 32-89-4A-CB-9D-F0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Unknown adapter VPN - VPN Client:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VPN Client Adapter - VPN
   Physical Address. . . . . . . . . : 5E-BF-A9-0D-D7-2B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Unknown adapter VPN2 - VPN Client:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VPN Client Adapter - VPN2
   Physical Address. . . . . . . . . : 5E-D6-36-4B-59-87
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

PPP adapter SoftEther:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : SoftEther
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.30.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.30.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter WLAN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Wi-Fi 6E AX211 160MHz
   Physical Address. . . . . . . . . : 30-89-4A-CB-9D-F0
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:4bb8:2dc:e975:8aee:9a00:bf71:e0dc(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:4bb8:2dc:e975:4c57:9271:8d56:ca7a(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2f9a:8efb:5a11:2c6f%43(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.218.91(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Mittwoch, 26. Juli 2023 11:08:27
   Lease Expires . . . . . . . . . . : Mittwoch, 26. Juli 2023 12:08:26
   Default Gateway . . . . . . . . . : fe80::f4f0:6dff:fe09:648%43
                                       192.168.218.57
   DHCP Server . . . . . . . . . . . : 192.168.218.57
   DHCPv6 IAID . . . . . . . . . . . : 472942922
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-27-7A-C0-7C-57-58-60-90-0E
   DNS Servers . . . . . . . . . . . : 192.168.218.57
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth-Netzwerkverbindung:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 30-89-4A-CB-9D-F4
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Mobile Broadband adapter Mobilfunk:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Generic Mobile Broadband Adapter
   Physical Address. . . . . . . . . : 94-B9-B9-54-44-5F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
PS C:\Users\Julian> tracert 192.168.10.234

Tracing route to 192.168.10.234 over a maximum of 30 hops

  1    58 ms    78 ms    85 ms  192.168.30.1
  2   247 ms   157 ms   302 ms  192.168.10.234

Trace complete.
I also just saw that the router within the 192.168.10.0 net assigns an IP address to the client "securenat-da68d60107e1". I guess the problem is that the SecureNAT router gets no IP address assigned in the 192.168.1.0 net?

solo
Posts: 1286
Joined: Sun Feb 14, 2021 10:31 am

Re: Best architecture/setup searched

Post by solo » Wed Jul 26, 2023 9:37 am

On the server enable IP forwarding and change iptables to "-P FORWARD ACCEPT".
On the client for these tests use the native SE client, not PPP.

julian
Posts: 14
Joined: Wed Jun 28, 2023 3:52 pm

Re: Best architecture/setup searched

Post by julian » Wed Jul 26, 2023 10:01 am

Applied the changes and used the SE client... still the same behaviour. What do you think is the problem, if I may ask?

root@e19d25b:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
root@e19d25b:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N BALENA-FIREWALL
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -j BALENA-FIREWALL
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o balena0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o balena0 -j DOCKER
-A FORWARD -i balena0 ! -o balena0 -j ACCEPT
-A FORWARD -i balena0 -o balena0 -j ACCEPT
-A FORWARD -o br-afe19591fb7f -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-afe19591fb7f -j DOCKER
-A FORWARD -i br-afe19591fb7f ! -o br-afe19591fb7f -j ACCEPT
-A FORWARD -i br-afe19591fb7f -o br-afe19591fb7f -j ACCEPT
-A FORWARD -o supervisor0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o supervisor0 -j DOCKER
-A FORWARD -i supervisor0 ! -o supervisor0 -j ACCEPT
-A FORWARD -i supervisor0 -o supervisor0 -j ACCEPT
-A BALENA-FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BALENA-FIREWALL -m addrtype --src-type LOCAL -j ACCEPT
-A BALENA-FIREWALL -i resin-vpn -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i tun0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i docker0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i lo -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i supervisor0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -p tcp -m tcp --dport 48484 -j REJECT --reject-with icmp-port-unreachable
-A BALENA-FIREWALL -p tcp -m tcp --dport 22222 -j ACCEPT
-A BALENA-FIREWALL -p tcp -m tcp --dport 2375 -j ACCEPT
-A BALENA-FIREWALL -m addrtype --dst-type MULTICAST -j ACCEPT
-A BALENA-FIREWALL -p icmp -j ACCEPT
-A BALENA-FIREWALL -i balena0 -p udp -m udp --dport 53 -j ACCEPT
-A BALENA-FIREWALL -j RETURN
-A BALENA-FIREWALL -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-ISOLATION-STAGE-1 -i balena0 ! -o balena0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-afe19591fb7f ! -o br-afe19591fb7f -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i supervisor0 ! -o supervisor0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o balena0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-afe19591fb7f -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o supervisor0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

solo
Posts: 1286
Joined: Sun Feb 14, 2021 10:31 am

Re: Best architecture/setup searched

Post by solo » Wed Jul 26, 2023 10:30 am

It seems we have discovered a limitation of SE Virtual NAT. I need to re-create an equivalent setup to verify it. This will take some time. Anyway, vNAT can be replaced with the much more flexible iptables NAT. Basically you need to enable the SE soft tap and add two policy-based routes for the iptables NAT(s). We have done this many times here; search this forum for examples.
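What "soft tap plus iptables NAT plus policy routes" looks like on the Raspi, as an added example; this is not code from the thread or from SoftEther, and it also covers the earlier advice to enable IP forwarding and open the FORWARD chain, but keeps the box's existing `-P FORWARD DROP` and opens only the tap-to-LAN paths instead of accepting everything. Assumptions not taken from the posts: the DEFAULT hub is Local-Bridged to a tap device that Linux names `tap_vpn`, the Raspi holds 192.168.30.1/24 on that tap, and VPN clients receive 192.168.30.0/24 addresses. The NIC names, subnets and the 192.168.10.1 gateway are the ones in the posted ifconfig/route output.

```shell
#!/bin/sh
# Added example (not from the thread, not SoftEther's own code): replace the
# hub's SecureNAT with kernel NAT + policy routing on the raspi (SE server #1).
# Assumptions (not from the posts): hub Local-Bridged to tap device "tap_vpn",
# raspi owns 192.168.30.1/24 on it, VPN clients get 192.168.30.0/24 addresses,
# eth0 = 192.168.1.0/24, eth1 = 192.168.10.0/24, gateway 192.168.10.1.
set -eu

TAP=tap_vpn
TAP_CIDR=192.168.30.1/24
VPN_NET=192.168.30.0/24
LANS="eth0:192.168.1.0/24 eth1:192.168.10.0/24"   # iface:subnet reachable by clients
UPLINK_IF=eth1
UPLINK_GW=192.168.10.1
RT_TABLE=100              # policy-routing table used only for VPN-client traffic

# Emit the commands rather than running them, so the rule set can be reviewed
# (and tested) before it touches a live box.
nat_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "ip addr replace $TAP_CIDR dev $TAP"
    echo "ip link set $TAP up"

    # Policy route: packets from the VPN subnet consult table $RT_TABLE, whose
    # default goes out eth1 even though the host carries a second default on wlan0.
    echo "ip rule add from $VPN_NET lookup $RT_TABLE priority 1000"
    echo "ip route replace default via $UPLINK_GW dev $UPLINK_IF table $RT_TABLE"

    for pair in $LANS; do
        ifc=${pair%%:*}
        net=${pair#*:}
        # The directly connected LANs must exist in the VPN table too,
        # otherwise VPN clients would only ever see the default route.
        echo "ip route replace $net dev $ifc table $RT_TABLE"
        # Keep '-P FORWARD DROP'; allow only tap->LAN and the replies back.
        # Inserted at position 1 so the distro's DOCKER chains run after them.
        echo "iptables -I FORWARD 1 -i $ifc -o $TAP -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
        echo "iptables -I FORWARD 1 -i $TAP -o $ifc -j ACCEPT"
        # Source-NAT to the raspi's own address on each LAN, so a host such as
        # 192.168.1.2 answers to a local address and needs no route to the VPN net.
        echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $ifc -j MASQUERADE"
    done
}

# 'show' prints the plan, 'apply' executes it (needs root); no argument = nothing.
if [ $# -gt 0 ]; then
    case "$1" in
        apply) nat_rules | sh -e ;;
        *)     nat_rules ;;
    esac
fi
```

With this in place, SecureNAT on the hub is switched off, or reduced to its Virtual DHCP function handing out 192.168.30.1 as gateway and DNS, so that the kernel, not the vNAT, does the forwarding. Because the masquerade is done per egress NIC, each LAN sees the Raspi's own address as the source, which is exactly the "targets can answer without a route change" property asked for in the first post, and because FORWARD stays at DROP, nothing outside the tap-to-LAN pairs can be forwarded through the box.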

julian
Posts: 14
Joined: Wed Jun 28, 2023 3:52 pm

Re: Best architecture/setup searched

Post by julian » Wed Jul 26, 2023 11:19 am

Ok thank you. I'd really appreciate if you could keep me updated on your tests in this topic.

Is there an alternative way to implement the requirements without using SecureNAT?

julian
Posts: 14
Joined: Wed Jun 28, 2023 3:52 pm

Re: Best architecture/setup searched

Post by julian » Wed Jul 26, 2023 12:03 pm

Generally I am very curious about how the virtual NAT function works. From what I understand, the SecureNAT function in general implements a similar behaviour to a router. When setting up the SecureNAT function, you assign one IP address to the vNIC, which will be the one connected to the VHUB. To be able to route traffic (and translate IP addresses) into other domains, this "vRouter" would also need to get an IP in the other networks (in my case the 192.168.1.0 and -.-.10.0 nets). Nevertheless, there is no such option to assign those IPs manually in the config menu. How does the vRouter access the other networks then, and how would it acquire an IP address in an IP network like my -.-.1.0 net if there is no DHCP server?

Thanks again for your help so far. Really very much appreciated!

julian
Posts: 14
Joined: Wed Jun 28, 2023 3:52 pm

Re: Best architecture/setup searched

Post by julian » Wed Jul 26, 2023 1:25 pm

OK, so I did some more tests regarding the behaviour of the SecureNAT functionality... here are the results:
Starting from the previous setup, I added a router implementing a DHCP server to the 192.168.1.0 net (connected via eth0). Now both networks physically connected to the Raspi include a DHCP server.
After restarting all devices in the 192.168.1.0 net plus the Raspi itself, the devices in the 192.168.1.0 net received IPs from the newly added router. Also, the SecureNAT vHost was now recognized and got an IP in this domain. Now I was able to ping and communicate with the devices in this network.
In the 192.168.10.0 domain (connected via eth1 to the Raspi), where I previously saw the SecureNAT vHost, it is gone now. I am also not able to ping devices there anymore.
So I thought "Most probably the NAT only converts one IP range to one other, e.g. 192.168.30.0 to 192.168.1.0". And to choose which network it would translate to, it would just go through the available NICs of the device running the SE server and take the first one with a DHCP server, since previously, when there was no DHCP server in the eth0-connected net, the vHost was connected to the eth1 network.
Next I tried to add a second vHub with SecureNAT, "because it might just connect to the next available network with a DHCP server", in this case eth1, since the SecureNAT of the first vHub already uses eth0. But the result was just that both vHosts were now in the 192.168.1.0 network...

solo
Posts: 1286
Joined: Sun Feb 14, 2021 10:31 am

Re: Best architecture/setup searched

Post by solo » Wed Jul 26, 2023 11:00 pm

julian wrote:
Wed Jul 26, 2023 12:03 pm
How does the vRouter access the other networks then and how would it aquire a ip address in a ip network like my -.-.1.0 net if there is no DHCP server?
By injecting itself into OS' TCP/IP stack.

As for the primary issue, it can be resolved by setting DisableKernelModeSecureNAT to 1.
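Where that switch lives, as an added illustration (not text from the thread or from SoftEther's documentation): vpn_server.config carries it as a bool inside the ServerConfiguration block, so "1" in the reply above means `true` in the file. Only that one line changes; the surrounding entries of a real file are omitted here.

```text
declare root
{
	declare ServerConfiguration
	{
		bool DisableKernelModeSecureNAT true
	}
}
```

Stop vpnserver before editing and start it again afterwards: the server rewrites its config file on shutdown and would overwrite an edit made while it is running. The reason the setting helps is the one Julian's tests point to. Kernel-mode SecureNAT attaches itself to one physical interface and obtains its own lease there (the "securenat-..." client seen on the 192.168.10.0 router), so it can only reach that one LAN; user-mode SecureNAT sends through ordinary sockets of the host, and the kernel's routing table, which has a connected route to both eth0 and eth1, picks the egress NIC per destination. The trade-off is throughput: kernel mode exists because user-mode NAT is slower, which is one more reason to prefer the iptables NAT approach for anything beyond a test.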

julian
Posts: 14
Joined: Wed Jun 28, 2023 3:52 pm

Re: Best architecture/setup searched

Post by julian » Thu Jul 27, 2023 8:28 am

Update:
So today I tried what you suggested plus used this article (https://www.linode.com/docs/guides/linu ... forwarding) to configure the Raspberry. Now it works as expected, yihaa. The only thing I need to do now is try to understand what exactly happens here and which considerations regarding security I need to make.
Many thanks for your help so far!
