How is VPN server listening through the firewall

dames
Posts: 6
Joined: Tue Mar 16, 2021 4:53 am

How is VPN server listening through the firewall

Post by dames » Tue Mar 16, 2021 5:02 am

Hello
I cannot understand how the Softether server can listen for incoming connections through a firewall with no open ports.
Excuse my ignorance of the topic. I feel I need to understand this better before I can trust the software. For example, if it is able to listen through a firewall, what stops malicious traffic from coming through that same opening?
Thank you in advance.

sky59
Posts: 477
Joined: Tue Sep 11, 2018 5:58 pm

Re: How is VPN server listening through the firewall

Post by sky59 » Tue Mar 16, 2021 7:21 am

You are correct! :)

It must be on a public IP, or, if behind a router, it must forward ports for incoming messages.

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: How is VPN server listening through the firewall

Post by eddiewu » Tue Mar 16, 2021 1:02 pm

dames wrote:
Tue Mar 16, 2021 5:02 am
I cannot understand how the Softether server can listen for incoming connections through a firewall with no open ports.
The technique is called NAT traversal, or more specifically, UDP hole punching. Google it.
dames wrote:
Tue Mar 16, 2021 5:02 am
For example, if it is able to listen through a firewall, what stops malicious traffic from coming through that same opening?
The process has to be bi-directional. Client and server are sending packets to each other at the same time (the server learns the client's IP from an external NAT-T server). Firewalls will generally allow this kind of UDP traffic.
That is to say, a malicious piece of software needs to have an "insider" in order to get through the firewall. To the SE client, the SE server is that insider.
By the way, this feature can be turned off with an option called DisableNatTraversal.

sky59
Posts: 477
Joined: Tue Sep 11, 2018 5:58 pm

Re: How is VPN server listening through the firewall

Post by sky59 » Tue Mar 16, 2021 6:21 pm

You still need at least one server on a public IP.

dames
Posts: 6
Joined: Tue Mar 16, 2021 4:53 am

Re: How is VPN server listening through the firewall

Post by dames » Wed Mar 17, 2021 12:06 am

Thank you all for your responses.
BTW, I have the systems set up and working; I am just trying to understand it better.

I am not sure how I feel about the NAT traversal just yet. I have been trying to find out how to disable it and just open the ports to the specific server IP.
Can anyone tell me where to disable the NAT traversal? I can't find it in the manual or in the interface.

Also, does anyone have any reassurances on the safety of NAT traversal?

thanks

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: How is VPN server listening through the firewall

Post by eddiewu » Wed Mar 17, 2021 12:49 am

sky59 wrote:
Tue Mar 16, 2021 6:21 pm
You still need at least one server on a public IP.
That won't be necessary with DDNS.
dames wrote:
Wed Mar 17, 2021 12:06 am
Can anyone tell me where to disable the NAT traversal? I can't find it in the manual or in the interface.

Also, does anyone have any reassurances on the safety of NAT traversal?
As I said, there is an option called DisableNatTraversal. Find it in the VPN config file and change the value to true.
With NAT-T, you do not need to open any ports, but instead you send your address to an external server (managed by the University of Tsukuba) and the connection is not guaranteed. It doesn't work on some complicated NAT networks.
By opening the port, you expose your server to the whole internet, but you are not relying on any external server and you don't need to trust them.
Which way is more secure depends on your usage and, of course, your knowledge. There is always a risk in operating a server.

solo
Posts: 1729
Joined: Sun Feb 14, 2021 10:31 am

Re: How is VPN server listening through the firewall

Post by solo » Wed Mar 17, 2021 3:52 am

dames wrote:
Wed Mar 17, 2021 12:06 am
Can anyone tell me where to disable the NAT traversal? I can't find it in the manual or in the interface.
In the manual...
You can disable the NAT Traversal function on your VPN Server by switching the value of "DisableNatTraversal" to "true" in the VPN Server's configuration file.
and in the interface (attached screenshot: no-nat.png)
dames wrote:
Wed Mar 17, 2021 12:06 am
does anyone have any reassurances on the safety of NAT traversal?
Did you ask Skype, WhatsApp, and countless other messengers and apps before using them? They function thanks to NAT Traversal.
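As an added illustration of the setting eddiewu and solo point to (this is not SoftEther's own code), here is a small Python checker that parses a `declare`-block config in the style of vpn_server.config, reports whether DisableNatTraversal is true, and can flip it while leaving the rest of the file byte-for-byte intact. The sample config is constructed; the nesting root -> ServerConfiguration and the `bool Name value` line format are my recollection of the real file's layout, so verify them against your own vpn_server.config before relying on the path used here.

```python
"""Audit / set DisableNatTraversal in a SoftEther-style config file.

Added example for this thread, not part of SoftEther.  The layout below
(declare blocks, typed "bool NAME value" lines, root -> ServerConfiguration)
is an assumption based on how vpn_server.config looks; confirm against the
real file."""
import re

# Constructed sample in the assumed vpn_server.config layout.
SAMPLE_CONFIG = """\
declare root
{
    bool IPv6Listener true
    declare ServerConfiguration
    {
        bool DisableNatTraversal false
        uint ServerType 0
        string ServerName vpn-example
    }
}
"""

_DECLARE = re.compile(r"^declare\s+(\S+)$")
_VALUE = re.compile(r"^(bool|uint|uint64|string|byte)\s+(\S+)[ \t]*(.*?)$")


def parse(text: str) -> dict:
    """Parse declare blocks into nested dicts; typed lines become
    (type, raw_value) tuples.  Unknown lines are ignored."""
    root: dict = {}
    stack = [root]
    pending = None          # name of the block whose "{" we are waiting for
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _DECLARE.match(line)
        if m:
            pending = m.group(1)
            continue
        if line == "{":
            block: dict = {}
            stack[-1][pending] = block
            stack.append(block)
            pending = None
            continue
        if line == "}":
            stack.pop()
            continue
        m = _VALUE.match(line)
        if m:
            typ, name, value = m.groups()
            stack[-1][name] = (typ, value)
    return root


def nat_traversal_disabled(text: str) -> bool:
    """True only if DisableNatTraversal is explicitly 'true' under
    root/ServerConfiguration.  A missing key is reported as not disabled,
    matching the thread's point that the feature is on unless turned off."""
    cfg = parse(text)
    try:
        _, value = cfg["root"]["ServerConfiguration"]["DisableNatTraversal"]
    except KeyError:
        return False
    return value.lower() == "true"


_TOGGLE = re.compile(
    r"^([ \t]*bool[ \t]+DisableNatTraversal[ \t]+)(true|false)[ \t]*$", re.M)


def set_disable_nat_traversal(text: str, disabled: bool = True) -> str:
    """Rewrite the single DisableNatTraversal line in place, preserving
    indentation and every other line.  Refuses to guess if the line is
    absent or duplicated."""
    new_text, n = _TOGGLE.subn(
        lambda m: m.group(1) + ("true" if disabled else "false"), text)
    if n != 1:
        raise ValueError(f"expected exactly one DisableNatTraversal line, found {n}")
    return new_text


if __name__ == "__main__":
    print("NAT-T disabled in sample:", nat_traversal_disabled(SAMPLE_CONFIG))
    hardened = set_disable_nat_traversal(SAMPLE_CONFIG)
    print("NAT-T disabled after toggle:", nat_traversal_disabled(hardened))
```

The checker is deliberately strict: it reads the value only from the assumed block path and refuses to rewrite when it cannot find exactly one matching line, so a config with an unexpected layout produces an error rather than a silent no-op. Stop the VPN Server before editing the file and restart it afterwards, as the thread's advice implies.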

sky59
Posts: 477
Joined: Tue Sep 11, 2018 5:58 pm

Re: How is VPN server listening through the firewall

Post by sky59 » Wed Mar 17, 2021 7:37 am

eddiewu wrote:
Wed Mar 17, 2021 12:49 am
sky59 wrote:
Tue Mar 16, 2021 6:21 pm
You still need at least one server on a public IP.
That won't be necessary with DDNS.
It doesn't work on some complicated NAT networks.
And what is the purpose of DDNS? Though I do not know the details, it is a "magic box" that must sit on a public IP; otherwise there is no way to establish communication between two points behind routers... (and I doubt DDNS is enough - it must have a function to forward some sort of messages between the two points, but its primary function is something completely different)

If you explain how DDNS can tell two points where they are, I would like to learn something.

Yes, I know about Azure; this can work because then the two points are two clients and Azure is the server, sitting on a public IP.

About complicated networks, I myself have also made a discovery; see the result of this thread:

https://www.vpnusers.com/viewtopic.php?f=7&t=66579

So, the best is to have your own server sitting on a legacy public IP address!

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: How is VPN server listening through the firewall

Post by eddiewu » Wed Mar 17, 2021 11:31 am

DDNS tracks the public IP of the node.
The NAT-T server relays connection information (i.e. address and port).
When a client connects to a server behind some firewall with no port being forwarded, it resolves the DDNS hostname to an IP and sends its address and port to the NAT-T server, which relays the information to the server side and passes back the server's address and port. Then the client and server establish a direct connection.
The tricky part is that this generally works for UDP only.
Therefore, for TCP there is VPN Azure, which relays not only metadata but also the whole traffic.
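To make the mechanism eddiewu describes here and in his earlier reply (the "insider" argument) concrete, here is an added Python model. It is not SoftEther code and does not model any particular router: each side sits behind a stateful NAT with endpoint-independent mapping and address-and-port-dependent filtering, the common consumer case where UDP hole punching works. The model shows why the client's first datagram is dropped as unsolicited, why the simultaneous send in both directions makes each firewall accept the other side, and why a third party that merely knows the punched public port is still dropped. All addresses are constructed documentation ranges, and the NAT-T server is reduced to handing each side the other's observed endpoint.

```python
"""Toy model of the NAT-T (UDP hole punching) rendezvous from this thread.

Added illustration, not SoftEther code.  Models a generic
address-and-port-restricted NAT; real routers vary (see note below)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class StatefulNat:
    """Endpoint-independent mapping (one public port per inside socket) plus
    address-and-port-dependent filtering (inbound accepted only from peers the
    inside socket has already sent to)."""
    public_ip: str
    next_port: int = 40000
    mapping: dict = field(default_factory=dict)   # inside Endpoint -> public port
    allowed: set = field(default_factory=set)     # (public port, remote Endpoint)
    dropped: list = field(default_factory=list)   # what a firewall log would show

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Inside host sends a UDP datagram: create/refresh state and return
        the public endpoint the remote peer will see as the source."""
        if inside not in self.mapping:
            self.mapping[inside] = self.next_port
            self.next_port += 1
        pub_port = self.mapping[inside]
        self.allowed.add((pub_port, remote))
        return Endpoint(self.public_ip, pub_port)

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Datagram from the Internet: delivered only if the inside socket
        behind dst_port previously sent to src, otherwise dropped."""
        if (dst_port, src) in self.allowed:
            for inside, port in self.mapping.items():
                if port == dst_port:
                    return inside
        self.dropped.append((src, dst_port))
        return None


def rendezvous(client_nat, client, server_nat, server, natt) -> dict:
    """Sequence from eddiewu's description: both sides register with the
    NAT-T server, learn each other's public endpoint, then send to each
    other so that each side's own outbound packet opens its own firewall."""
    client_pub = client_nat.outbound(client, natt)   # step 1: register
    server_pub = server_nat.outbound(server, natt)
    # step 2: NAT-T server relays each side's observed endpoint to the other
    # (modelled simply by passing the values along in this function).
    # Before the server has sent anything toward the client, the client's
    # datagram is unsolicited from the server-side firewall's point of view:
    unsolicited = server_nat.inbound(client_pub, server_pub.port)
    # step 3: simultaneous send in both directions punches the holes
    client_nat.outbound(client, server_pub)
    server_nat.outbound(server, client_pub)
    # step 4: now each side's datagram matches state on the far firewall
    to_server = server_nat.inbound(client_pub, server_pub.port)
    to_client = client_nat.inbound(server_pub, client_pub.port)
    return {
        "unsolicited_delivered": unsolicited is not None,
        "client_reaches_server": to_server == server,
        "server_reaches_client": to_client == client,
        "server_public": server_pub,
    }


def demo() -> dict:
    natt = Endpoint("192.0.2.1", 5004)              # constructed NAT-T server
    client_nat = StatefulNat("198.51.100.10")       # constructed client-side NAT
    server_nat = StatefulNat("203.0.113.20")        # constructed server-side NAT
    client = Endpoint("10.0.0.5", 50001)
    server = Endpoint("192.168.1.2", 5555)
    result = rendezvous(client_nat, client, server_nat, server, natt)
    # A third party that only knows the punched public port has no "insider":
    stranger = Endpoint("203.0.113.99", 4444)
    result["stranger_delivered"] = (
        server_nat.inbound(stranger, result["server_public"].port) is not None)
    result["server_firewall_drops"] = len(server_nat.dropped)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One caveat a defender should keep in mind: the filtering modelled here is address-and-port-dependent. On a NAT with endpoint-independent filtering (often called full-cone), the punched public port accepts datagrams from any source once it is open, so the only thing standing between the Internet and the service is the VPN server's own authentication. That is the trade-off eddiewu describes: NAT-T avoids opening a port but relies on the rendezvous service and on the NAT's behaviour, whereas an explicitly forwarded port is visible to everyone but depends on nothing outside your control.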
