Route only SoftEther server traffic through OpenVPN
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Route only SoftEther server traffic through OpenVPN
Hello everyone
I'm running a SoftEther server on Debian 11 and I would like to route only the SoftEther traffic (not my whole OS) through the OpenVPN client from my other server.
Any idea how I can achieve this?
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
The same way as routing through the VPN Gate client: https://www.vpnusers.com/viewtopic.php? ... 926#p97433
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Re: Route only SoftEther server traffic through OpenVPN
Thanks a lot man @solo
The thing is, I don't want any traffic other than SoftEther to go through OpenVPN; that's why I used "pull-filter ignore redirect-gateway" in my OpenVPN client config file, but with this line your method is not working anymore.
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
Go back to the above link and scroll down to "policy-based routing variant".
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Re: Route only SoftEther server traffic through OpenVPN
Thanks a lot @solo
What is 10.245.254.254 representing in that code? Should I change it? Also any other part?
I'm wondering how this is going to help, because if I don't include "pull-filter ignore redirect-gateway" in my OpenVPN client config file the VPS is going to be inaccessible and I'll no longer be able to SSH into it. I'm connecting to OpenVPN on it with the openvpn I installed with "apt install openvpn"; I don't know if you had any other way in mind.
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
10.245.254.254 is a default gateway on the remote (client) connection - adjust accordingly for your OVPN.
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Re: Route only SoftEther server traffic through OpenVPN
So if I understand correctly, it's the OVPN server public IP, right? Or is it the gateway? Mine is like:
Public IP of VPS: 155.155.155.155
Public IP of OVPN server: 199.199.199.199
OVPN gateway: 172.25.0.1
OVPN client IP (DHCP): 172.25.0.14
What about "pull-filter ignore redirect-gateway" in my OpenVPN client config file?
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
- replace 10.245.254.254 with 172.25.0.1
- "pull-filter ignore redirect-gateway" is completely irrelevant in the context of SE-OVPN routing
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Re: Route only SoftEther server traffic through OpenVPN
Thanks man
But if I don't include this in the config file and connect to the OpenVPN client, the VPS becomes inaccessible, and if I do, the VPS SoftEther won't route the traffic through the OpenVPN client.
I think I should explain the situation again:
I got an OpenVPN client config file from a server which has access to the internet. We call it "OVPNfree".
I also have a Linux VPS which doesn't have access to the internet but can connect to "OVPNfree".
On the VPS, I installed SoftEther and turned on the OpenVPN server so I could connect to it with my phone and PC; this is called "OVPNdomestic".
Now what I want to achieve is to connect the SoftEther server running on my VPS to "OVPNfree" in a way that doesn't affect anything else on that VPS and doesn't make SSH and the other services on that VPS inaccessible via its public IP. That way, if I connect to "OVPNdomestic" with my phone it will have access to the internet. **I cannot directly connect to "OVPNfree" on my phone or PC**
MY PC <=> "OVPNdomestic" VPS (Softether <=> "OVPNfree") <=> "OVPNfree" <=> Internet
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
If you are absolutely sure that you have adapted the VPN Gate method precisely, and SE server is running, do as follows:
- start OVPN with "pull-filter ignore redirect-gateway"
- from the VPS verify that eg ping 1.1.1.1 is OK
- post as code the output of:
ifconfig
route -n
ip route
ip rule
ip route show table all
iptables -t nat -L
iptables -S
cat /proc/sys/net/ipv4/ip_forward
brctl show
netstat -tapn
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Re: Route only SoftEther server traffic through OpenVPN
Here you go man:
ifconfig:
root@Gamora:~# ifconfig
docker0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:dbff:fed9:3647  prefixlen 64  scopeid 0x20<link>
        ether 02:42:db:d9:36:47  txqueuelen 0  (Ethernet)
        RX packets 51097  bytes 4786726 (4.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 43394  bytes 72691554 (69.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
ens192: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet VPS_Public_IP  netmask 255.255.255.248  broadcast VPS_Gateway
        inet6 fe80::20c:29ff:fe4c:33c5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:4c:33:c5  txqueuelen 1000  (Ethernet)
        RX packets 241689  bytes 36633431 (34.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 217314  bytes 31118006 (29.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 706947  bytes 97328768 (92.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 706947  bytes 97328768 (92.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
tap_tap: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5c10:beff:fe44:47a7  prefixlen 64  scopeid 0x20<link>
        ether 5e:10:be:44:47:a7  txqueuelen 1000  (Ethernet)
        RX packets 220  bytes 16426 (16.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 314  bytes 25924 (25.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.25.0.24  netmask 255.255.255.0  destination 172.25.0.24
        inet6 fe80::419d:4821:9441:8e9  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 16905  bytes 2940662 (2.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44  bytes 8580 (8.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
veth42fa998: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::9c14:e1ff:feb4:f16d  prefixlen 64  scopeid 0x20<link>
        ether 9e:14:e1:b4:f1:6d  txqueuelen 0  (Ethernet)
        RX packets 36949  bytes 3977938 (3.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31585  bytes 69235311 (66.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
veth58ab83d: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::8482:65ff:fef3:ce3d  prefixlen 64  scopeid 0x20<link>
        ether 86:82:65:f3:ce:3d  txqueuelen 0  (Ethernet)
        RX packets 84  bytes 54990 (53.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 177  bytes 21393 (20.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
vethbb689a3: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::1023:61ff:fe8a:39c4  prefixlen 64  scopeid 0x20<link>
        ether 12:23:61:8a:39:c4  txqueuelen 0  (Ethernet)
        RX packets 14064  bytes 1469156 (1.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11873  bytes 3464895 (3.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
vetheedda44: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::606d:c1ff:fe27:c7d4  prefixlen 64  scopeid 0x20<link>
        ether 62:6d:c1:27:c7:d4  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 90  bytes 11944 (11.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
route -n:
root@Gamora:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         -------------  0.0.0.0         UG    0      0        0 ens192
-------------      0.0.0.0         255.255.255.248 U     0      0        0 ens192
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.25.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
root@Gamora:~# ip route
default via ----------- dev ens192 onlink
-------------/29 dev ens192 proto kernel scope link src ---------------
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.25.0.0/24 dev tun0 proto kernel scope link src 172.25.0.24
root@Gamora:~# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@Gamora:~# ip route show table all
default via --------------- dev ens192 onlink
---------------/29 dev ens192 proto kernel scope link src ---------------
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.25.0.0/24 dev tun0 proto kernel scope link src 172.25.0.24
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast --------------- dev ens192 table local proto kernel scope link src ---------------
local --------------- dev ens192 table local proto kernel scope host src ---------------
broadcast --------------- dev ens192 table local proto kernel scope link src ---------------
broadcast 172.17.0.0 dev docker0 table local proto kernel scope link src 172.17.0.1
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1
broadcast 172.25.0.0 dev tun0 table local proto kernel scope link src 172.25.0.24
local 172.25.0.24 dev tun0 table local proto kernel scope host src 172.25.0.24
broadcast 172.25.0.255 dev tun0 table local proto kernel scope link src 172.25.0.24
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens192 proto kernel metric 256 pref medium
fe80::/64 dev docker0 proto kernel metric 256 pref medium
fe80::/64 dev vethbb689a3 proto kernel metric 256 pref medium
fe80::/64 dev vetheedda44 proto kernel metric 256 pref medium
fe80::/64 dev veth58ab83d proto kernel metric 256 pref medium
fe80::/64 dev veth42fa998 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev tap_tap proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::42:dbff:fed9:3647 dev docker0 table local proto kernel metric 0 pref medium
local fe80::20c:29ff:fe4c:33c5 dev ens192 table local proto kernel metric 0 pref medium
local fe80::1023:61ff:fe8a:39c4 dev vethbb689a3 table local proto kernel metric 0 pref medium
local fe80::419d:4821:9441:8e9 dev tun0 table local proto kernel metric 0 pref medium
local fe80::5c10:beff:fe44:47a7 dev tap_tap table local proto kernel metric 0 pref medium
local fe80::606d:c1ff:fe27:c7d4 dev vetheedda44 table local proto kernel metric 0 pref medium
local fe80::8482:65ff:fef3:ce3d dev veth58ab83d table local proto kernel metric 0 pref medium
local fe80::9c14:e1ff:feb4:f16d dev veth42fa998 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev ens192 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev docker0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev vethbb689a3 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev vetheedda44 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev veth58ab83d table local proto kernel metric 256 pref medium
multicast ff00::/8 dev veth42fa998 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tap_tap table local proto kernel metric 256 pref medium
root@Gamora:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:9090
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:9443
MASQUERADE  tcp  --  172.17.0.5           172.17.0.5           tcp dpt:3000
SNAT       all  --  192.168.9.0/24       anywhere             to:172.25.0.11
SNAT       all  --  192.168.9.0/24       anywhere             to:172.25.0.24
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:4968 to:172.17.0.2:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:8984 to:172.17.0.3:9090
DNAT       tcp  --  anywhere             anywhere             tcp dpt:9443 to:172.17.0.4:9443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:8364 to:172.17.0.5:3000
root@Gamora:~# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT ! -s 127.135.138.83/32 ! -d 127.167.27.227/32 -p icmp -m icmp --icmp-type 3/3 -m connmark ! --mark 0x6082458d -j DROP
-A OUTPUT ! -s 127.74.189.243/32 ! -d 127.67.194.175/32 -p tcp -m tcp --sport 61001:65535 --tcp-flags RST RST -m connmark ! --mark 0x5c562f17 -j DROP
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9090 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9443 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
root@Gamora:~# cat /proc/sys/net/ipv4/ip_forward
1
root@Gamora:~# brctl show
-bash: brctl: command not found
root@Gamora:~# netstat -tapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:4968            0.0.0.0:*               LISTEN      963/docker-proxy
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      55089/vpnserver
tcp        0      0 127.0.0.1:36011         0.0.0.0:*               LISTEN      1382/casaos-app-man
tcp        0      0 0.0.0.0:8364            0.0.0.0:*               LISTEN      1033/docker-proxy
tcp        0      0 127.0.0.1:35725         0.0.0.0:*               LISTEN      640/casaos-gateway
tcp        0      0 127.0.0.1:45679         0.0.0.0:*               LISTEN      640/casaos-gateway
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      55089/vpnserver
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      668/sshd: /usr/sbin
tcp        0      0 127.0.0.1:32983         0.0.0.0:*               LISTEN      744/casaos-local-st
tcp        0      0 0.0.0.0:8984            0.0.0.0:*               LISTEN      990/docker-proxy
tcp        0      0 127.0.0.1:44315         0.0.0.0:*               LISTEN      667/casaos
tcp        0      0 127.0.0.1:46175         0.0.0.0:*               LISTEN      726/casaos-user-ser
tcp        0      0 0.0.0.0:992             0.0.0.0:*               LISTEN      55089/vpnserver
tcp        0      0 0.0.0.0:9443            0.0.0.0:*               LISTEN      1011/docker-proxy
tcp        0      0 127.0.0.1:44963         0.0.0.0:*               LISTEN      677/casaos-message-
tcp        0    144 ---------------:22       ---------------:49311     ESTABLISHED 54815/sshd: root@pt
tcp        0     39 ---------------:54992    ---------------:443         ESTABLISHED 32851/openvpn
tcp        0      0 127.0.0.1:57222         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:55550         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33844         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33052         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:57220         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:55560         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33832         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:57254         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33040         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:38260         127.0.0.1:44963         ESTABLISHED 726/casaos-user-ser
tcp        0      0 127.0.0.1:36168         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:55558         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33442         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:55568         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33426         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33030         127.0.0.1:44315         TIME_WAIT   -
tcp   197340      0 127.0.0.1:44963         127.0.0.1:38260         ESTABLISHED 677/casaos-message-
tcp        0      0 127.0.0.1:33042         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33440         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33430         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:36174         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33816         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 158.58.191.133:43626    79.127.127.35:443       ESTABLISHED 55089/vpnserver
tcp        0      0 127.0.0.1:36162         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:57238         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:36148         127.0.0.1:44315         TIME_WAIT   -
tcp        0      0 127.0.0.1:33858         127.0.0.1:44315         TIME_WAIT   -
tcp6       0      0 :::4968                 :::*                    LISTEN      975/docker-proxy
tcp6       0      0 :::1194                 :::*                    LISTEN      55089/vpnserver
tcp6       0      0 :::9100                 :::*                    LISTEN      1205/node_exporter
tcp6       0      0 :::8364                 :::*                    LISTEN      1047/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      640/casaos-gateway
tcp6       0      0 :::5555                 :::*                    LISTEN      55089/vpnserver
tcp6       0      0 :::22                   :::*                    LISTEN      668/sshd: /usr/sbin
tcp6       0      0 :::8984                 :::*                    LISTEN      997/docker-proxy
tcp6       0      0 :::992                  :::*                    LISTEN      55089/vpnserver
tcp6       0      0 :::9443                 :::*                    LISTEN      1018/docker-proxy
tcp6       0      0 ---------------:9100     172.17.0.3:34302        ESTABLISHED 1205/node_exporter
Last edited by a.saneie on Thu Feb 02, 2023 7:43 am, edited 1 time in total.
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
Man, without looking any further, here is the first fundamental error - no IPv4 address!
BTW, edit out your post and redact the public IPs.
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Re: Route only SoftEther server traffic through OpenVPN
Yeah, I noticed that before but didn't know if it was supposed to be like this or not, plus I don't know how to fix it.
How can I fix this?
Thanks done.
- ratepace
- Posts: 1
- Joined: Thu Feb 02, 2023 2:59 pm
Re: Route only SoftEther server traffic through OpenVPN
What is 10.245.254.254 representing in that code? should I change it? Also any other part?
Last edited by ratepace on Sat Feb 04, 2023 1:04 pm, edited 1 time in total.
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
https://www.vpnusers.com/viewtopic.php? ... 926#p97433
documented already (ExecStartPost=/sbin/ip addr add 192.168.9.1/24 brd + dev tap_tap)
https://www.vpnusers.com/viewtopic.php? ... 072#p98036
answered already
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Re: Route only SoftEther server traffic through OpenVPN
solo wrote: ↑Thu Feb 02, 2023 10:49 pm
> https://www.vpnusers.com/viewtopic.php? ... 926#p97433
> documented already (ExecStartPost=/sbin/ip addr add 192.168.9.1/24 brd + dev tap_tap)
I added this before, and it's not working.
root@Gamora:~# cat /lib/systemd/system/vpnserver.service
ExecStartPost=/sbin/ip addr add 192.168.9.1/24 brd + dev tap_tap
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
Add some "sleep" prior to the ExecStartPost.
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Re: Route only SoftEther server traffic through OpenVPN
Like this:
root@Gamora:~# cat /lib/systemd/system/vpnserver.service
ExecStartPost=/bin/sleep 30
ExecStartPost=/sbin/ip addr add 192.168.9.1/24 brd + dev tap_tap
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
Yes, but not 30 sec; 3 will do.
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
Have another look at the re-routing thread, there are updates.
@fa1rid had successfully applied it in a similar Docker environment as yours https://www.vpnusers.com/viewtopic.php? ... ker#p98207
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Re: Route only SoftEther server traffic through OpenVPN
solo wrote: ↑Mon Feb 13, 2023 1:18 am
> Have another look at the re-routing thread, there are updates.
> @fa1rid had successfully applied it in a similar Docker environment as yours https://www.vpnusers.com/viewtopic.php? ... ker#p98207
Sure, I will look into that again, but mine is not the same scenario as his, because he is running that client as a Docker container; for me, I just have Docker installed on the OS and my routing and VPN stuff have nothing to do with it.
Also, I've got a question: should I turn on "SecureNAT" on the VPS SoftEther or not? (Because when it's off and I connect to the VPS, DHCP doesn't give me an IP.)
Although I added this to /etc/dnsmasq.conf:
interface=tap_tap
dhcp-range=192.168.9.99,192.168.9.199,12h
dhcp-option=3,192.168.9.1
dhcp-option=6,1.1.1.1
- shakibamoshiri
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Route only SoftEther server traffic through OpenVPN
a.saneie wrote: ↑Mon Feb 13, 2023 3:15 pm
> Sure, I will look into that again, but mine is not the same scenario as his, because he is running that client as a Docker container; for me, I just have Docker installed on the OS and my routing and VPN stuff have nothing to do with it.
> Also, I've got a question: should I turn on "SecureNAT" on the VPS SoftEther or not? (Because when it's off and I connect to the VPS, DHCP doesn't give me an IP.)
> Although I added this to /etc/dnsmasq.conf:
> interface=tap_tap
> dhcp-range=192.168.9.99,192.168.9.199,12h
> dhcp-option=3,192.168.9.1
> dhcp-option=6,1.1.1.1
Please ask a new question and do not continue on this topic, and provide enough details to discuss your issue.
Thanks
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Re: Route only SoftEther server traffic through OpenVPN
shakibamoshiri wrote: ↑Mon Feb 13, 2023 6:52 pm
> Please ask a new question and do not continue on this topic and provide enough details to discuss your issue
I asked for clarification on the answer provided on the same topic where it was given.
Thanks
- a.saneie
- Posts: 20
- Joined: Fri Jan 27, 2023 1:09 am
Re: Route only SoftEther server traffic through OpenVPN
Still same results :(
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
I had asked you "If you are absolutely sure that you have adapted the VPN Gate method precisely, and SE server is running, do..." and to post logs. Back then I pointed out the first critical error and stopped reading your logs. I had another look now and note at least two more flaws:
- the dnsmasq process is not running
- the ip rules are deficient
Apparently you were "absolutely sure" about your implementation but presented a totally dysfunctional setup. Let's try once more: please do your best and post the same set of logs (redact your public IPs). If you have decided to go with SE vDHCP in the current iteration then dnsmasq need not run, of course.
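The three findings in that post (no IPv4 address on tap_tap, a missing dnsmasq listener, default-only ip rules) can be checked mechanically against the same command output solo asked for. The script below is an added example, not code from the thread: each check takes the command output as a string, so it runs against a saved log as well as the live box. The "posted" samples are trimmed from a.saneie's logs above; the "fixed" samples are constructed to show what passing output looks like, and routing table 100 in them is an assumed value.

```shell
#!/bin/sh
# Added example, not from the thread: audit the diagnostic output solo asked
# for and flag the faults called out in the replies. "Posted" samples are
# trimmed from a.saneie's logs; "fixed" samples are constructed.

# $1: "ifconfig <tap>" or "ip -4 addr show dev <tap>" output.
# Matches both "inet 192.168.9.1" (net-tools >= 2) and "inet addr:10.0.0.1".
tap_has_ipv4() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])inet (addr:)?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
}

# $1: "ip rule show" output, $2: SoftEther client subnet in CIDR form.
# A policy-routing setup needs a "from <subnet> lookup <table>" rule; the
# posted output had only the three default rules (local, main, default).
has_pbr_rule() {
    printf '%s\n' "$1" | grep -Eq "from $2 lookup [^[:space:]]+$"
}

# $1: "netstat -tapn" or "ss -tapn" output. dnsmasq serves DNS on TCP 53 as
# well as DHCP on UDP, so a running instance shows up in a TCP listing.
dnsmasq_listening() {
    printf '%s\n' "$1" | grep -q 'dnsmasq'
}

# Run all checks; return 1 on a hard fault. A missing dnsmasq is only a
# warning, because SoftEther's own vDHCP (SecureNAT) can hand out leases.
audit() {
    tap_text=$1; rule_text=$2; netstat_text=$3; subnet=$4; rc=0
    if tap_has_ipv4 "$tap_text"; then echo "ok:   tap has an IPv4 address"
    else echo "FAIL: no IPv4 address on the SoftEther tap"; rc=1; fi
    if has_pbr_rule "$rule_text" "$subnet"; then echo "ok:   policy rule for $subnet present"
    else echo "FAIL: no 'from $subnet lookup <table>' rule"; rc=1; fi
    if dnsmasq_listening "$netstat_text"; then echo "ok:   dnsmasq listening"
    else echo "WARN: dnsmasq not listening (fine only with SE vDHCP)"; fi
    return $rc
}

# Trimmed from the posted logs (public IPs were already redacted there).
POSTED_TAP='tap_tap: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5c10:beff:fe44:47a7  prefixlen 64  scopeid 0x20<link>
        ether 5e:10:be:44:47:a7  txqueuelen 1000  (Ethernet)'
POSTED_RULES='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'
POSTED_NETSTAT='tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      55089/vpnserver
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      668/sshd: /usr/sbin'

# Constructed: the same three outputs once the setup is in place (table 100 assumed).
FIXED_TAP='tap_tap: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.9.1  netmask 255.255.255.0  broadcast 192.168.9.255'
FIXED_RULES='0:      from all lookup local
1000:   from 192.168.9.0/24 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
FIXED_NETSTAT='tcp        0      0 192.168.9.1:53          0.0.0.0:*               LISTEN      1234/dnsmasq'

echo "== as posted =="; audit "$POSTED_TAP" "$POSTED_RULES" "$POSTED_NETSTAT" 192.168.9.0/24 || true
echo "== after fix =="; audit "$FIXED_TAP" "$FIXED_RULES" "$FIXED_NETSTAT" 192.168.9.0/24
# Live use on the VPS (as root):
#   audit "$(ip -4 addr show dev tap_tap)" "$(ip rule show)" "$(ss -tapn)" 192.168.9.0/24
```

Run against the posted output it reports two FAILs and one WARN, which is exactly the list in solo's post; the same call with live output is a quick pre-check before posting logs again.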
- shakibamoshiri
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Route only SoftEther server traffic through OpenVPN
a.saneie wrote: ↑Mon Feb 13, 2023 9:04 pm
> shakibamoshiri wrote: ↑Mon Feb 13, 2023 6:52 pm
> > Please ask a new question and do not continue on this topic and provide enough details to discuss your issue
> I asked for clarification over the provided answer on the same topic that it was given.
> Thanks
Sorry, I did not check originally that it's your question.
Can you answer these questions?
Q1 Do you want to implement a double VPN (client ==> server-1 ===> server-2)?
Q2 If Q1==YES, you do NOT want to use CC (Cascade Connection) and you want to use an OpenVPN client running on your server-1?
Q3 If Q2==YES, do you want to run the OpenVPN client with full-tunnel or split-tunnel?
Q4 Does the workflow below match your need?
# workflow
clients ===> server-1 ===> server-2
# server-1
SE server + DHCP + Local Bridge (so you have a tap_xxx interface?)
OpenVPN client connected to server-2 (so you have a tun0 interface?)
# server-2
OpenVPN server
Based on this workflow you mentioned:
> MY PC <=> "OVPNdomestic" VPS (Softether <=> "OVPNfree") <=> "OVPNfree" <=> Internet
You need a double VPN, which you can achieve using any of:
1. port forwarding from hop-1 (domestic) to hop-2 (your endpoint)
2. Policy Based Routing (PBR) to route traffic
3. Cascade Connection (CC), which the SE server makes super simple
- solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
For simplicity's sake I have dropped DHCP and got it working with just TWO COMMANDS. It just works.
Preset
- Linux server with IP forwarding and no firewall
- SoftEther server in default state with only LBS to soft tap and nothing extra in ExecStart, etc.
- OpenVPN client already running (I connected to VPN Gate)
VPS log
ifconfig
...
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.242.21.197  P-t-P:10.242.21.198  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.242.21.198   128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s3
10.242.21.198   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.242.21.198   128.0.0.0       UG    0      0        0 tun0
219.100.37.145  10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3
traceroute 9.9.9.9
traceroute to 9.9.9.9 (9.9.9.9), 30 hops max, 60 byte packets
 1  10.242.254.254 (10.242.254.254)  439.534 ms  287.576 ms  362.289 ms
 2  gw2.vpngate.v4.open.ad.jp (219.100.37.253)  320.121 ms  320.097 ms  319.435 ms
 3  igp1.green.v4.open.ad.jp (202.222.12.190)  581.388 ms  483.662 ms  460.331 ms
 4  bgp3.openospf1.v4.open.ad.jp (202.222.12.33)  537.734 ms  624.070 ms  625.069 ms
 5  150.99.184.33 (150.99.184.33)  624.062 ms  404.239 ms  325.049 ms
 6  150.99.21.21 (150.99.21.21)  382.131 ms  302.935 ms  275.133 ms
 7  ty8.gslnetworks.com (103.137.13.76)  352.902 ms  278.624 ms  348.789 ms
 8  scrub.ty8.gslnetworks.com (103.137.13.77)  298.470 ms  300.678 ms  320.533 ms
 9  203.10.98.35 (203.10.98.35)  313.464 ms  277.452 ms  287.996 ms
10  dns9.quad9.net (9.9.9.9)  287.966 ms !X  265.531 ms !X  277.329 ms !X
TWO COMMANDS
- ifconfig tap_tap 192.168.9.2 netmask 255.255.255.0 promisc arp up
- iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o tun0 -j MASQUERADE
Windows VPN client on static IP 192.168.9.3
ping 192.168.9.2
Pinging 192.168.9.2 with 32 bytes of data:
Reply from 192.168.9.2: bytes=32 time=1ms TTL=64
Reply from 192.168.9.2: bytes=32 time<1ms TTL=64
Reply from 192.168.9.2: bytes=32 time<1ms TTL=64
Reply from 192.168.9.2: bytes=32 time<1ms TTL=64
route add 9.9.9.9 mask 255.255.255.255 192.168.9.2
ping 9.9.9.9
Pinging 9.9.9.9 with 32 bytes of data:
Reply from 9.9.9.9: bytes=32 time=291ms TTL=54
Reply from 9.9.9.9: bytes=32 time=289ms TTL=54
Reply from 9.9.9.9: bytes=32 time=292ms TTL=54
Reply from 9.9.9.9: bytes=32 time=289ms TTL=54
tracert 9.9.9.9
Tracing route to dns9.quad9.net [9.9.9.9]
over a maximum of 30 hops:
  1     1 ms    <1 ms    <1 ms  192.168.9.2
  2   502 ms     *      469 ms  10.242.254.254
  3   370 ms   328 ms   375 ms  gw2.vpngate.v4.open.ad.jp [219.100.37.253]
  4   405 ms   484 ms   407 ms  igp1.green.v4.open.ad.jp [202.222.12.190]
  5   379 ms   272 ms   342 ms  bgp4.openospf2.v4.open.ad.jp [202.222.12.41]
  6   346 ms   383 ms   330 ms  150.99.184.33
  7   835 ms   960 ms   568 ms  150.99.21.21
  8   609 ms   463 ms   419 ms  ty8.gslnetworks.com [103.137.13.76]
  9   427 ms   559 ms   446 ms  scrub.ty8.gslnetworks.com [103.137.13.77]
 10     *      463 ms   360 ms  203.10.98.35
 11   588 ms   537 ms   877 ms  dns9.quad9.net [9.9.9.9]
Trace complete.
local VPN clients > SoftEther server > OpenVPN client > OpenVPN server somewhere
                  [----------------VPS----------------]
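solo's two commands rely on the OpenVPN client having taken over the VPS default route (the 0.0.0.0/1 and 128.0.0.0/1 entries via tun0 in the route table above), which is exactly what the original poster wanted to avoid because it cuts off SSH. The script below is an added example for this thread, not solo's commands and not SoftEther or OpenVPN project code: it keeps the VPS default route alone and uses policy-based routing so that only packets sourced from the SoftEther client subnet are sent into tun0. Assumptions, all overridable through environment variables: the local bridge is tap_tap with 192.168.9.2/24 as in solo's post, the OpenVPN interface is tun0, the client config carries `pull-filter ignore "redirect-gateway"` so OpenVPN installs no default route, and routing table 100 with rule priority 1000 are unused on the box. The same script works for any egress interface, not only an OpenVPN tun, as long as you pass the next-hop address.

```shell
#!/bin/sh
# softether-pbr.sh: send ONLY the SoftEther client subnet through the OpenVPN
# client interface, leaving the VPS's own default route (and your SSH session) alone.
# Added example for the forum thread; not solo's commands, not project code.
# Assumed names (override via environment): tap_tap/192.168.9.2/24, tun0,
# routing table 100, rule priority 1000. Run as root; DRY_RUN=1 prints instead.
set -eu

TAP=${TAP:-tap_tap}
TAP_ADDR=${TAP_ADDR:-192.168.9.2/24}
VPN_NET=${VPN_NET:-192.168.9.0/24}
TUN=${TUN:-tun0}
TABLE=${TABLE:-100}
PRIO=${PRIO:-1000}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Peer (gateway) address of the point-to-point tun interface, e.g. 10.242.21.198 in
# solo's route table. OpenVPN also exports it to --route-up scripts as $route_vpn_gateway.
tun_peer() {
    ip -4 -o addr show dev "$TUN" | sed -n 's/.* peer \([0-9.]*\)\/.*/\1/p' | head -n 1
}

pbr_up() {
    peer=${1:-${route_vpn_gateway:-$(tun_peer)}}
    [ -n "$peer" ] || { echo "pbr_up: no peer address found on $TUN" >&2; return 1; }

    run ip link set "$TAP" up
    run ip addr replace "$TAP_ADDR" dev "$TAP"
    run sysctl -q -w net.ipv4.ip_forward=1

    # Table $TABLE is consulted only for packets sourced from VPN_NET (rule below).
    # The connected route MUST be in it too, otherwise the VPS's own replies from
    # 192.168.9.2 to 192.168.9.x would be pushed into the tunnel.
    run ip route replace "$VPN_NET" dev "$TAP" table "$TABLE"
    run ip route replace default via "$peer" dev "$TUN" table "$TABLE" metric 50
    # Fail closed: when tun0 disappears its default route goes with it and this
    # blackhole (worse metric) wins, so clients do not leak out of the real uplink.
    run ip route replace blackhole default table "$TABLE" metric 100
    run ip rule del from "$VPN_NET" lookup "$TABLE" priority "$PRIO" 2>/dev/null || true
    run ip rule add from "$VPN_NET" lookup "$TABLE" priority "$PRIO"

    # Same source NAT as solo's second command, plus a FORWARD policy that refuses
    # to forward client traffic anywhere except the tunnel.
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$TUN" -j MASQUERADE
    run iptables -A FORWARD -i "$TAP" -o "$TUN" -j ACCEPT
    run iptables -A FORWARD -i "$TUN" -o "$TAP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TAP" -j DROP
}

pbr_down() {
    run ip rule del from "$VPN_NET" lookup "$TABLE" priority "$PRIO"
    run ip route flush table "$TABLE"
    run iptables -t nat -D POSTROUTING -s "$VPN_NET" -o "$TUN" -j MASQUERADE
    run iptables -D FORWARD -i "$TAP" -o "$TUN" -j ACCEPT
    run iptables -D FORWARD -i "$TUN" -o "$TAP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -i "$TAP" -j DROP
}

# Usage: softether-pbr.sh up [peer-address] | softether-pbr.sh down
case "${1:-}" in
    up)   shift; pbr_up "$@" ;;
    down) pbr_down ;;
esac
```

Wire it to the OpenVPN client so the rules follow the tunnel: `script-security 2`, `route-up "/usr/local/sbin/softether-pbr.sh up"` and `down "/usr/local/sbin/softether-pbr.sh down"` in the client config; `route-up` runs with `route_vpn_gateway` exported, which is why no argument is needed there. To confirm the kernel's decision for a forwarded packet before trusting it, ask the routing code directly: `ip route get 9.9.9.9 from 192.168.9.3 iif tap_tap` must answer with `dev tun0 table 100`, while a plain `ip route get 9.9.9.9` (the VPS's own traffic) must still show the uplink.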
- 
				rakaris
- Posts: 4
- Joined: Tue Jun 04, 2024 3:22 pm
Re: Route only SoftEther server traffic through OpenVPN
Hello,
I have the similar case, but I need to route Strongswan traffic.
I have made the following configuration but it's not possible to ping the IPsec tunnel device.
General info
OS Debian 12
2 NICs: one uses strongswan, second uses Softether (clean install)
host that needs to be accessed: 192.168.43.100
tap_ens34tap bridge with the Softether-bound NIC
ip forwarding enabled
tap for the Strongswan IPsec tunnel (10.20.244.1)
sudo tunctl -t tunv
SecureNAT disabled
/etc/dnsmasq.conf
interface=tap_ens34tap
dhcp-range=tap_ens34tap,192.168.110.50,192.168.110.60,12h
dhcp-option=tap_ens34tap,3,192.168.110.1
dhcp-option=6,1.1.1.1
/etc/systemd/system/softether-vpnserver.service
[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
ConditionPathExists=!/opt/vpnserver/do_not_run
[Service]
Type=forking
EnvironmentFile=-/opt/vpnserver
ExecStart=/opt/vpnserver/vpnserver start
ExecStop=/opt/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure
ExecStartPost=/sbin/ip addr add 192.168.110.1/24 brd + dev tap_ens34tap
# Hardening
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/opt/vpnserver
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYS_ADMIN CAP_SETUID
[Install]
WantedBy=multi-user.target
nat
iptables -t nat -A POSTROUTING -s 192.168.110.0/24 -d 192.168.43.100/32 -o tunv -j MASQUERADE
Please help me to understand what is missing!
Last edited by rakaris on Wed Jun 05, 2024 1:27 pm, edited 1 time in total.
						- 
				rakaris
- Posts: 4
- Joined: Tue Jun 04, 2024 3:22 pm
Re: Route only SoftEther server traffic through OpenVPN
I'm stuck and I can't figure out what's wrong.
From the VPN session I can ping 10.20.244.1 (Strongswan tunnel IP), but I can't ping the IPsec target on the remote subnet.
Any help is appreciated!
- 
				solo
- Posts: 1727
- Joined: Sun Feb 14, 2021 10:31 am
Re: Route only SoftEther server traffic through OpenVPN
Nothing's wrong, NATs are one-way only.