SoftEther VPN Server and Teltonika IoT routers

[Widi2021]

Has anyone had any experience with setting up VPN connections from Teltonika routers to the SoftEther VPN server?

We operate several webcams in remote locations. The data connection to the Internet is provided by Teltonika 3G/4G routers (RUT240, RUT955, ...). Each of these “webcams” is a small, independent network consisting of a smart Teltonika router, a network-based webcam and possibly other devices. For on-site maintenance, the Teltonika routers provide a DHCP service and a WLAN so that you can connect directly to the network via a laptop.

Now I want to set up remote management for the devices. I know there is Teltonika RMS for this - but for us as a non-profit organization, this is prohibitively expensive.

So far I have:

• a SoftEther VPN server as a Docker container on a virtual server on the Internet (IONOS, Germany),
  OpenVPN, L2TP/IPsec and L2TPv3/IPsec activated
• a virtual hub ("users") with SecureNAT+DHCP (IP subnet: 192.168.144.1/24) for RAS connections of maintenance workstations
• several Windows workstations (Win10, Win11) that can connect to the VPN server via L2TP/IPsec and log on to the virtual hub “users”.

Now I want to integrate the external networks of the webcams into my VPN network. I want the subnets of the webcams (192.168.153.0/24, 192.168.154.0/24, ...) to be accessible from the maintenance workstations via the VPN server (at least: ssh, https).
As the webcams are connected to the Internet via (relatively expensive) 3G/4G connections, the data throughput should be as low as possible. I would therefore prefer IPsec connections, as I have the impression that their protocol-specific overhead is somewhat lower than with OpenVPN.

However, I can't set up these VPN connections so that it works. I have already tried many settings using various examples and community pages ... but it doesn't work.

So far I have:

• an IPsec connection from the external device to the VPN server
• here I can specify different IP subnets as local and remote subnet
• local identifier (IPsec phase 1 id) set to “burgcam”, as I want to use it to identify my device on the VPN server
• remote identifier set to "*" (or %any), because the identification (IP address) of the VPN server may change
• The status information on the device claims that the IPsec connection to the VPN server has been set up successfully.

  Code: Select all

  root@burgcam:~# ipsec statusall
  Status of IKE charon daemon (strongSwan 5.9.6, Linux 5.4.259, mips):
    uptime: 93 minutes, since Nov 01 11:24:00 2024
    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
    loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp pem openssl pkcs8 xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
  Listening IP addresses:
    192.168.18.46         // WAN connection
    2001:....
    192.168.154.1         // LAN connection
    fda8:....
  Connections:
  t04rut1-t04rut1_c:  %any...VPN.FQDN  IKEv1
  t04rut1-t04rut1_c:   local:  [burgcam] uses pre-shared key authentication
  t04rut1-t04rut1_c:   remote: uses pre-shared key authentication
  t04rut1-t04rut1_c:   child:  10.2.154.0/24 === 10.1.154.0/24 TUNNEL
  Security Associations (1 up, 0 connecting):
  t04rut1-t04rut1_c[1]: ESTABLISHED 93 minutes ago, 192.168.18.46[burgcam]...xx.xxx.xxx.xxx[172.19.0.76]
  t04rut1-t04rut1_c[1]: IKEv1 SPIs: XXXX_i* XXXX_r, pre-shared key reauthentication in 10 hours
  t04rut1-t04rut1_c[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  t04rut1-t04rut1_c{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: YYYY_i YYYY_o
  t04rut1-t04rut1_c{2}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 10 hours
  t04rut1-t04rut1_c{2}:   10.2.154.0/24 === 10.1.154.0/24
  root@burgcam:~#
  

• I can also see that there is a keep-a-live protocol between my device and the VPN server. The logging of my device shows the following sequence every 10 seconds:

  Code: Select all

  Fri Nov  1 14:17:34 2024 daemon.info ipsec: 11[NET] <t04rut1-t04rut1_c|1> received packet: from VPN-SERVER-IP[4500] to 192.168.18.46[4500] (92 bytes)
  Fri Nov  1 14:17:34 2024 daemon.info ipsec: 11[ENC] <t04rut1-t04rut1_c|1> parsed INFORMATIONAL_V1 request 125700624 [ HASH N(DPD) ]
  Fri Nov  1 14:17:34 2024 daemon.info ipsec: 11[ENC] <t04rut1-t04rut1_c|1> generating INFORMATIONAL_V1 request 2378061043 [ HASH N(DPD_ACK) ]
  Fri Nov  1 14:17:34 2024 daemon.info ipsec: 11[NET] <t04rut1-t04rut1_c|1> sending packet: from 192.168.18.46[4500] to VPN-SERVER-IP[4500] (92 bytes)
  

• I can also see these protocol messages in the network tracing of my device, using "tcpdump":

  Code: Select all

  14:17:34.470529 IP VPN-SERVER-IP.4500 > 192.168.18.46.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
  14:17:34.479939 IP 192.168.18.46.4500 > VPN-SERVER-IP.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
  14:17:40.615530 IP VPN-SERVER-IP.4500 > 192.168.18.46.4500: isakmp-nat-keep-alive
  

• and in the network tracing of my VPN server:

  Code: Select all

  13:17:34.456242 IP 172.19.0.76.4500 > DEVICE-WAN-IP.62350: NONESP-encap: isakmp: phase 2/others ? inf[E]
  13:17:34.491457 IP DEVICE-WAN-IP.62350 > 172.19.0.76.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
  13:17:40.601248 IP 172.19.0.76.4500 > DEVICE-WAN-IP.62350: isakmp-nat-keep-alive
  

But I can't send any payload over this tunnel (see "0 bytes_i, 0 bytes_o" above).

Can someone help me, to finally get this up and running?

• How should I configure the virtual hubs in the VPN server? Do I need separate hubs for each external device/subnet or does it make more sense to register all external devices via a common hub?
• What type of IPsec connection should the remote devices use? bare IPsec, L2TP/IPsec, L2TPv3/IPsec?
• What kind of routing is required on the VPN server?`
• What kind of routing do I need on the devices?
• ...

Thanks and regards
Friedbert

[solo]

• ...Do I need separate hubs for each external device/subnet...
• What type of IPsec connection should the remote devices use? bare IPsec, L2TP/IPsec, L2TPv3/IPsec?
• What kind of routing is required on the VPN server?`
• What kind of routing do I need on the devices?

1. yes
2. L2TPv3/IPsec
3. none, install also SE client and connect with a preset, static, remote LAN IP to vhubs on "localhost" address
4. none, connect with a static local LAN IP

[Widi2021]

Thank you for these tips. That already shows me the direction in which I need to think or search.

But now I have a small problem. The firmware of the Teltonika routers is based on a slightly older version of OpenWRT - currently V21.02.0 is used. Unfortunately, the SE client is not yet included in the software repository.
And I don't feel like creating the client in the RUT SDK myself with cross-compilers - especially since I would probably need several versions for different routers with different processors.

Is there also a way to use the standard client for L2TPv3/IPsec? (currently: Linux strongSwan U5.9.6/K5.4.259)

Regards,
Friedbert

[solo]

Yes, on SE server enable the "EtherIP / L2TPv3 over IPsec Server Function".
The next best is "L2TP Server Function (L2TP over IPsec)".
For minimal overhead, go "L2TP Server Function (Raw L2TP with No Encryption)".
SE client is only needed on SE server, while a remote network connects via IPsec/L2TP to the same hub.

Incidentally, SE doc...

Note
Disable any IPsec/L2TP function on the server computer which might conflict with SoftEther VPN Server's IPsec/L2TP function. If the UDP ports (500, 4500 and 1701) conflicts with other programs, IPsec communication will not work well.

[mendoza_lt]

Yes. I managed to make it work with RUT 200, also with RUTX09. On RUT 240 i have used OpenVpn, On RUTX09 you can install SE VPN server/bridge.