SoftEther VPN on AWS

dkvarts

SoftEther VPN on AWS

Post by dkvarts » Thu Aug 03, 2023 7:08 pm

Hi folks,

I'm new to SoftEtherVPN. I have set it up on AWS EC2 (public instance), however after connecting via L2TP/IPSec with my Mac, I'm unable to reach the VPN host's IP, as well as other EC2 instances that are reachable from the VPN server (I've double checked the security groups, firewalls etc. that's not the issue I promise). I don't want to use SecureNAT (I've succeeded in configuring it but it's slow for my use case), and I'm aware that I cannot use local bridge because AWS doesn't allow promiscuous mode for its network interfaces. Are there any other options? Is everybody just using SecureNAT when deploying on AWS?

Funny thing is, I can accomplish my goal when connecting from a Windows machine via SoftEther client. I've set up a local VPN client on the VPN server as specified in this guide https://www.softether.org/4-docs/2-howt ... into_Cloud; and also disabled the source/destination check option from the AWS console. If this method is working, then what's up with L2TP/IPSec?

solo

Re: SoftEther VPN on AWS

Post by solo » Thu Aug 03, 2023 9:38 pm

dkvarts wrote:
Thu Aug 03, 2023 7:08 pm
If this method is working, then what's up with L2TP/IPSec?
It's the same. On Mac you have to apply the equivalent of the Windows client's setup.
As for a SecureNAT replacement, on AWS Windows use RRAS and on AWS Linux use iptables NAT.
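Added example (not from the thread or the SoftEther project) of what "iptables NAT" on a Linux EC2 host looks like in practice. It assumes a hypothetical layout: the hub is Local-Bridged to a tap device named tap_se (tap mode, which does not need promiscuous mode on the AWS NIC), the instance NIC is eth0, the client range is 172.16.0.0/12, and the host owns 172.16.0.254 on the tap, which the virtual DHCP hands out as the clients' gateway. Without `--apply` it only prints the commands, so it can be read and reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not the project's code. Assumed names: tap_se (SoftEther
# Local Bridge in tap mode), eth0 (instance NIC), 172.16.0.0/12 (VPN client
# range), 172.16.0.254/12 (host address on the tap, the clients' gateway).

WAN_IF="${WAN_IF:-eth0}"
TAP_IF="${TAP_IF:-tap_se}"
VPN_NET="${VPN_NET:-172.16.0.0/12}"
TAP_ADDR="${TAP_ADDR:-172.16.0.254/12}"

# nat_rules WAN TAP NET TAP_ADDR: print, one per line, the commands that make
# the host the NAT gateway for the VPN side. Dry run: nothing is applied.
nat_rules() {
  wan="$1"; tap="$2"; net="$3"; addr="$4"
  printf '%s\n' \
    "ip addr replace $addr dev $tap" \
    "ip link set $tap up" \
    "sysctl -w net.ipv4.ip_forward=1" \
    "iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE" \
    "iptables -A FORWARD -i $tap -o $wan -s $net -j ACCEPT" \
    "iptables -A FORWARD -i $wan -o $tap -d $net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# apply_nat_rules WAN TAP NET TAP_ADDR: run the same commands, stopping at the
# first failure. Needs root.
apply_nat_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_nat_rules: run as root" >&2; return 1; }
  nat_rules "$@" | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd" || exit 1
  done
}

# check_forwarding: succeed if the kernel routes between interfaces at all,
# the usual thing missing when clients get an address but reach nothing.
check_forwarding() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-}" in
  --apply) apply_nat_rules "$WAN_IF" "$TAP_IF" "$VPN_NET" "$TAP_ADDR" ;;
  *)       nat_rules "$WAN_IF" "$TAP_IF" "$VPN_NET" "$TAP_ADDR" ;;
esac
```

Because the VPN packets leave eth0 with the instance's own address after MASQUERADE, the AWS source/destination check is not involved in this variant; only FORWARD traffic that belongs to an established session is allowed back in, so other instances can't initiate connections to VPN clients through this path. The rules are not persistent across reboots on their own; save them with your distribution's iptables-persistence mechanism.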

dkvarts

Re: SoftEther VPN on AWS

Post by dkvarts » Thu Aug 03, 2023 10:32 pm

solo wrote:
Thu Aug 03, 2023 9:38 pm
It's the same. On Mac you have to apply the equivalent of the Windows client's setup.
Please correct me if I'm wrong: doesn't the VPN client connect via SSL-VPN as opposed to L2TP/IPSec?

Is there a guide that shows how to apply the same setup on Mac? Should I look closely into the routing table configuration?

solo

Re: SoftEther VPN on AWS

Post by solo » Thu Aug 03, 2023 10:46 pm

dkvarts wrote:
Thu Aug 03, 2023 7:08 pm
after connecting via L2TP/IPSec with my mac, I'm unable to reach the VPN host's IP, as well as other EC2 instances
If you can connect then we do not need to diagnose VPN protocols like SSL-VPN or L2TP/IPSec anymore.
It seems you have a routing issue.
If you do not use SecureNAT or other DHCP server, then set a static IP on the Mac manually.

dkvarts

Re: SoftEther VPN on AWS

Post by dkvarts » Thu Aug 03, 2023 11:21 pm

solo wrote:
Thu Aug 03, 2023 10:46 pm
If you do not use SecureNAT or other DHCP server, then set a static IP on the Mac manually.
I'm using SoftEther's virtual DHCP, but I have NAT disabled. I can see in the session that my laptop gets assigned an IP from the range I specified. In addition to that, I can successfully ping a gateway (172.16.0.1) in that range.
solo wrote:
Thu Aug 03, 2023 10:46 pm
It seems you have a routing issue.
I guess. But is it on client side or server side?
Also, is there a way to push the changes to the client's routing configuration from the VPN server?

solo

Re: SoftEther VPN on AWS

Post by solo » Fri Aug 04, 2023 5:32 am

AWS gateway 172.16.0.1
AWS SE client 172.16.0.2
Windows SE client 172.16.0.100
Mac client 172.16.0.101

Correct my assumptions, ping between the clients and tell us what works.
dkvarts wrote:
Thu Aug 03, 2023 7:08 pm
Funny thing is, I can accomplish my goal when connecting from a windows machine via SoftEther client.
What else can the successful client do?

dkvarts

Re: SoftEther VPN on AWS

Post by dkvarts » Fri Aug 04, 2023 9:51 am

I will clear up some confusion.

My AWS VPC is in the range 192.168.0.0/16. SE virtual DHCP assigns IPs within the range 172.16.0.0/12.

Mac client (172.16.0.2) can ping 172.16.0.1 (which I guess is the DHCP server); it can also ping the AWS SE client (172.16.0.4).

The successful Windows SE client can ping everything the Mac client can, but can also reach nodes in the range 192.168.0.0/16.

solo

Re: SoftEther VPN on AWS

Post by solo » Fri Aug 04, 2023 10:25 am

Very well, to complete the setup either force the Mac to use VPN's default gateway, or in SecureNAT add the 192.168.0.0/16 range to "Edit the static routing table to push" section.
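Added example, not from the thread: a small check that tells the two cases apart (the Mac already has a route for the VPC range through the VPN, or it doesn't) and prints the client-side and server-side fixes solo describes. It uses the thread's addresses (VPC 192.168.0.0/16, VPN gateway 172.16.0.1); the `netstat -rn` sample is constructed, the hub name "VPN" is a placeholder, and the vpncmd `DhcpSet /PUSHROUTE` syntax is an assumption to confirm against `DhcpSet /?` on your version. The gateway you push must be whichever VPN-side address actually forwards into the VPC, so substitute the right one for your hub.

```shell
#!/bin/sh
# Added example, not the project's code. Thread addresses: VPC 192.168.0.0/16,
# VPN gateway 172.16.0.1. Hub name "VPN" and the vpncmd syntax are assumptions.

VPC_NET="${VPC_NET:-192.168.0.0/16}"
VPN_GW="${VPN_GW:-172.16.0.1}"

# Constructed sample of `netstat -rn` on a Mac whose L2TP session is up but
# which has no route for the VPC range (the thread's failure case).
SAMPLE_TABLE='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            10.0.0.1           UGScg          en0
10/24              link#6             UCS            en0
172.16/12          ppp0               USc            ppp0
172.16.0.1         172.16.0.2         UH             ppp0'

# route_present TABLE CIDR GATEWAY: succeed if TABLE (netstat -rn text) lists
# a route for CIDR via GATEWAY. macOS abbreviates destinations ("192.168/16"),
# so both sides are normalised to a.b.c.d/len before comparing.
route_present() {
  printf '%s\n' "$1" | awk -v want="$2" -v gw="$3" '
    function expand(d,  n, l) {
      if (d == "default") return "0.0.0.0/0"
      l = 32
      if (d ~ /\//) { l = d; sub(/.*\//, "", l); sub(/\/.*/, "", d) }
      n = gsub(/\./, ".", d)              # count the dots already present
      while (n < 3) { d = d ".0"; n++ }
      return d "/" l
    }
    NF >= 2 && expand($1) == expand(want) && $2 == gw { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Client-side fix: a static route on the Mac (needs sudo; printed, not run).
mac_route_cmd() { echo "route -n add -net $1 $2"; }

# Server-side fix: push the route from the virtual DHCP, the CLI form of
# "Edit the static routing table to push". Mask is dotted, not /len.
push_route_cmd() {
  echo "vpncmd localhost /SERVER /HUB:VPN /CMD DhcpSet /PUSHROUTE:\"$1/$2/$3\""
}

if route_present "$SAMPLE_TABLE" "$VPC_NET" "$VPN_GW"; then
  echo "route for $VPC_NET via $VPN_GW is present"
else
  echo "no route for $VPC_NET via $VPN_GW; on the Mac run:"
  echo "  sudo $(mac_route_cmd "$VPC_NET" "$VPN_GW")"
  echo "or push it from the server:"
  echo "  $(push_route_cmd 192.168.0.0 255.255.0.0 "$VPN_GW")"
fi
```

To check a real Mac, pass `"$(netstat -rn)"` as the first argument to `route_present`. The "force the Mac to use the VPN's default gateway" option is the "Send all traffic over VPN connection" checkbox in the L2TP service's advanced options; it removes the need for a per-range route but sends every packet through the tunnel, so a narrow static route is the smaller change if only the VPC needs to be reachable.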
