
[Bug] SecureNAT DHCP does not give any IP address if the client is reconnecting and is set to a fixed IPv4 #1947

Open
PizzaProgram opened this issue Jan 31, 2024 · 15 comments

Comments

@PizzaProgram

The only way currently to set a fixed IP address for a client is to write it to the user's "note" field:
[screenshot]

But there is a serious bug I'd like to report, which makes the whole VPN useless at enterprise level:

  • if the client gets disconnected for any reason (restarting his PC or simply clicking disconnect),
  • and tries to reconnect,
  • it will not get any IP address! (In the best case a non-standard automatic one, something like 169.154.x.x)

So basically, if any fixed-IP client disconnects from the VPN, it will be unreachable until the DHCP lease time is over, no matter how many times it tries to get its IP address again. (And the DHCP lease time is normally set to the maximum, otherwise the client is always disconnecting for renewal, which is also a very, very bad behaviour.)

I guess the reason is:

  • the server still thinks there is an active session with that IP,
  • and because of that, it cannot give the fixed IP again to the new connection,
  • so it does not give any IP address at all.

I've just tested it with the latest DE server upgraded with make (5.02.5180) DE,
with the latest client [nightly build of the Dev. Client] 2023-12-03 (v5.02.5369) downloaded from the Azure server.

@chipitsine
Member

We might have a better design for that machinery.

I recall a similar approach in other projects: you end up encoding JSON in a comment, and it was a nightmare.

But regardless of the poor design, it looks like a bug. I really wonder how other users use it.

@chipitsine
Member

As for APIPA (169.254.x.x addressing), it might be explicitly disabled: https://www.itprotoday.com/windows-78/how-can-i-disable-apipa#close-modal

(but it won't make DHCP leases work)

@shakibamoshiri

shakibamoshiri commented Feb 5, 2024

Setting a fixed IP for each user is possible if you separate your DHCP and set custom MAC addresses in the "NOTE" section.
Based on each custom MAC address you set, the DNS server will pick up the IP address associated with that MAC address.
You have to set up N users up front manually.

About the DHCP lease time, there seems to be a bug; even though I did not face it, some users reported it.
So, to avoid this, a separate DHCP is configured.

@PizzaProgram
Author

@shakibamoshiri Sadly, setting up a separate DHCP is not a solution, because I need to see the list of user = PC + IP addresses to be able to react within 5 seconds if the user is getting into trouble.

Managing 100 groups + 300 users + 300 MAC addresses + 300 IPs in separate lists would make everyone insane.
What happens if I quickly need to add +1?

Also if I turn off SecureNAT, how do I push routing to the clients?

The solution would be if somebody would FIX these errors!
(Both DHCP lease time + this one.)

This is the log of what happens when the client tries to reconnect but does not get any IP address:


2024-01-29,16:12:37.247,SID-EN-11,-,5E4B17AEE76E,FFFFFFFFFFFF,0x0800,342,DHCPv4,Request,0.0.0.0,bootpc(68),255.255.255.255,bootps(67),-,-,TransactionId=3052210119 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.111 RelayIP=0.0.0.0,-,185.79.92.50,-
2024-01-29,16:12:37.247,SID-EN-11,-,5E4B17AEE76E,FFFFFFFFFFFF,0x0800,342,DHCPv4,Request,0.0.0.0,bootpc(68),255.255.255.255,bootps(67),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.111 RelayIP=0.0.0.0,-,185.79.92.50,-
2024-01-29,16:12:37.247,SID-SECURENAT-10,-,5EB271181DDA,FFFFFFFFFFFF,0x0800,342,DHCPv4,Response,10.111.5.1,bootps(67),255.255.255.255,bootpc(68),-,-,TransactionId=3052210119 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.1 RelayIP=0.0.0.0,-,-,-
2024-01-29,16:12:37.247,SID-SECURENAT-10,-,5EB271181DDA,FFFFFFFFFFFF,0x0800,342,DHCPv4,Response,10.111.5.1,bootps(67),255.255.255.255,bootpc(68),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.1 RelayIP=0.0.0.0,-,-,-
2024-01-29,16:12:41.243,SID-EN-11,-,5E4B17AEE76E,FFFFFFFFFFFF,0x0800,342,DHCPv4,Request,0.0.0.0,bootpc(68),255.255.255.255,bootps(67),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.111 RelayIP=0.0.0.0,-,185.79.92.50,-
2024-01-29,16:12:41.243,SID-SECURENAT-10,-,5EB271181DDA,FFFFFFFFFFFF,0x0800,342,DHCPv4,Response,10.111.5.1,bootps(67),255.255.255.255,bootpc(68),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.1 RelayIP=0.0.0.0,-,-,-
2024-01-29,16:12:49.862,SID-EN-11,-,5E4B17AEE76E,FFFFFFFFFFFF,0x0800,342,DHCPv4,Request,0.0.0.0,bootpc(68),255.255.255.255,bootps(67),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.111 RelayIP=0.0.0.0,-,185.79.92.50,-
2024-01-29,16:12:49.862,SID-SECURENAT-10,-,5EB271181DDA,FFFFFFFFFFFF,0x0800,342,DHCPv4,Response,10.111.5.1,bootps(67),255.255.255.255,bootpc(68),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.1 RelayIP=0.0.0.0,-,-,-
2024-01-29,16:13:05.822,SID-EN-11,-,5E4B17AEE76E,FFFFFFFFFFFF,0x0800,342,DHCPv4,Request,0.0.0.0,bootpc(68),255.255.255.255,bootps(67),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.111 RelayIP=0.0.0.0,-,185.79.92.50,-
2024-01-29,16:13:05.822,SID-SECURENAT-10,-,5EB271181DDA,FFFFFFFFFFFF,0x0800,342,DHCPv4,Response,10.111.5.1,bootps(67),255.255.255.255,bootpc(68),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.1 RelayIP=0.0.0.0,-,-,-
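Added detection example (not code from this issue or from the SoftEther project): it parses packet-log lines in the format shown above, groups the DHCPv4 packets by TransactionId, and flags transactions where the client kept sending requests while no response ever carried a YourIP other than 0.0.0.0. The column positions are read off the posted lines; the two lines for TransactionId 111222333 with YourIP 10.111.5.23 are constructed here to show a lease that does get answered.

```python
import re
from collections import defaultdict

# Eight lines copied from the packet log posted in this issue, followed by two constructed
# lines (TransactionId=111222333, YourIP=10.111.5.23) that show a successful assignment.
SAMPLE_LOG = """\
2024-01-29,16:12:37.247,SID-EN-11,-,5E4B17AEE76E,FFFFFFFFFFFF,0x0800,342,DHCPv4,Request,0.0.0.0,bootpc(68),255.255.255.255,bootps(67),-,-,TransactionId=3052210119 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.111 RelayIP=0.0.0.0,-,185.79.92.50,-
2024-01-29,16:12:37.247,SID-EN-11,-,5E4B17AEE76E,FFFFFFFFFFFF,0x0800,342,DHCPv4,Request,0.0.0.0,bootpc(68),255.255.255.255,bootps(67),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.111 RelayIP=0.0.0.0,-,185.79.92.50,-
2024-01-29,16:12:37.247,SID-SECURENAT-10,-,5EB271181DDA,FFFFFFFFFFFF,0x0800,342,DHCPv4,Response,10.111.5.1,bootps(67),255.255.255.255,bootpc(68),-,-,TransactionId=3052210119 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.1 RelayIP=0.0.0.0,-,-,-
2024-01-29,16:12:37.247,SID-SECURENAT-10,-,5EB271181DDA,FFFFFFFFFFFF,0x0800,342,DHCPv4,Response,10.111.5.1,bootps(67),255.255.255.255,bootpc(68),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.1 RelayIP=0.0.0.0,-,-,-
2024-01-29,16:12:41.243,SID-EN-11,-,5E4B17AEE76E,FFFFFFFFFFFF,0x0800,342,DHCPv4,Request,0.0.0.0,bootpc(68),255.255.255.255,bootps(67),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.111 RelayIP=0.0.0.0,-,185.79.92.50,-
2024-01-29,16:12:41.243,SID-SECURENAT-10,-,5EB271181DDA,FFFFFFFFFFFF,0x0800,342,DHCPv4,Response,10.111.5.1,bootps(67),255.255.255.255,bootpc(68),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.1 RelayIP=0.0.0.0,-,-,-
2024-01-29,16:12:49.862,SID-EN-11,-,5E4B17AEE76E,FFFFFFFFFFFF,0x0800,342,DHCPv4,Request,0.0.0.0,bootpc(68),255.255.255.255,bootps(67),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.111 RelayIP=0.0.0.0,-,185.79.92.50,-
2024-01-29,16:12:49.862,SID-SECURENAT-10,-,5EB271181DDA,FFFFFFFFFFFF,0x0800,342,DHCPv4,Response,10.111.5.1,bootps(67),255.255.255.255,bootpc(68),-,-,TransactionId=829133897 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.1 RelayIP=0.0.0.0,-,-,-
2024-01-29,16:20:00.000,SID-EN-12,-,5E4B17AEE700,FFFFFFFFFFFF,0x0800,342,DHCPv4,Request,0.0.0.0,bootpc(68),255.255.255.255,bootps(67),-,-,TransactionId=111222333 ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=10.111.5.111 RelayIP=0.0.0.0,-,185.79.92.50,-
2024-01-29,16:20:00.001,SID-SECURENAT-10,-,5EB271181DDA,FFFFFFFFFFFF,0x0800,342,DHCPv4,Response,10.111.5.1,bootps(67),255.255.255.255,bootpc(68),-,-,TransactionId=111222333 ClientIP=0.0.0.0 YourIP=10.111.5.23 ServerIP=10.111.5.1 RelayIP=0.0.0.0,-,-,-
"""


def parse_line(line):
    """Split one packet-log line into the fields we need; None for non-DHCPv4 lines."""
    cols = line.split(",")
    if len(cols) < 17 or cols[8] != "DHCPv4":
        return None
    # Column 16 is "TransactionId=... ClientIP=... YourIP=... ServerIP=... RelayIP=..."
    kv = dict(re.findall(r"(\w+)=(\S+)", cols[16]))
    return {"time": cols[1], "session": cols[2], "mac": cols[4], "kind": cols[9],
            "xid": kv.get("TransactionId"), "your_ip": kv.get("YourIP")}


def find_stalled_leases(log_text, min_requests=2):
    """Transactions where the client kept asking and no response offered an address."""
    by_xid = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_xid[rec["xid"]].append(rec)
    stalled = []
    for xid, recs in by_xid.items():
        requests = [r for r in recs if r["kind"] == "Request"]
        offered = {r["your_ip"] for r in recs if r["kind"] == "Response"} - {"0.0.0.0"}
        if len(requests) >= min_requests and not offered:
            stalled.append({"xid": xid, "mac": requests[0]["mac"], "session": requests[0]["session"],
                            "requests": len(requests), "first": requests[0]["time"],
                            "last": requests[-1]["time"]})
    return stalled


if __name__ == "__main__":
    for s in find_stalled_leases(SAMPLE_LOG):
        print(f"{s['session']} {s['mac']} xid={s['xid']}: {s['requests']} requests between "
              f"{s['first']} and {s['last']}, no address offered")
```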

@chipitsine
Member

While it does not look like the fix submitted by @hiura2023 recently (there were no REQUEST/RESPONSE), I'd suggest trying the new version anyway:

https://github.com/SoftEtherVPN/SoftEtherVPN/releases/tag/5.02.5183

@PizzaProgram
Author

@chipitsine Thank you for the suggestion, I will try it as soon as I have some time for it.

But to be honest, I do not have any more hope for up-to-date SoftEther development.
(Donated 50.000 HUF ca. one year ago to fix the DHCP problem, but nothing happened. And the problem is on the server side; it is not the client that is responsible for giving away the IP + routing push message.)

And another huge problem I've detected with SE:

  • It consumes too many server resources!
  • Even using simple AES128-GCM-SHA256 encryption, the 2-core VPS showed 80% CPU load during one single VNC connection between 2 clients.

If both the server and the client app used WireGuard and everything were automated for it with just 1 click, this speed would probably improve, but it will never be able to use P2P.

OFF:

During this year I've found this site: awesome-tunneling
and tried many other solutions from the list.

Setup-wise, the best I've found was self-hosted ZeroTier, but as it turned out:

The second best would be headscale, but it will be difficult to set up 100+ separated groups using a text/JSON-based "rule list configuration" called ACL.

Currently I'm trying to solve it with N2N.

There are fewer and fewer solutions which can support both Win7 32-bit clients and Android + iOS too.
(Because most of these apps are written in Go, which has not supported Win7 since Dec 2023 👎)

@davidebeatrici
Member

(Donated 50.000 HUF ca. one year ago to fix the DHCP problem, but nothing happened. And the problem is on the server side; it is not the client that is responsible for giving away the IP + routing push message.)

How did you donate?

@hiura2023
Contributor

hiura2023 commented Apr 23, 2024

@PizzaProgram
Question 1:
I think that a user with a fixed IPv4 address defined in the NOTE field cannot establish multiple VPN connections.
Are you using a single VPN connection?

Question 2:
What is the network configuration?
Are the VPN client and VPN server running on the same PC?

@PizzaProgram
Author

PizzaProgram commented Apr 23, 2024

Are you using a single VPN connection?

Yes.

What is the network configuration?

1 client PC = 1 user = 1 IP address.

Are the VPN client and VPN server running on the same PC?

No.
The server is running on a VPS in the cloud.

@hiura2023
Contributor

hiura2023 commented Apr 25, 2024

Change the time-out period value to 5 seconds on the "security policy of user" screen,
and try.
SECURITY_POLICY2024-04-25

@hiura2023
Contributor

hiura2023 commented Apr 26, 2024

The pull request below will resolve only the DHCP sequence.
#1989

@chipitsine
Member

chipitsine commented Apr 26, 2024 via email

@hiura2023
Contributor

hiura2023 commented Apr 29, 2024

@PizzaProgram
The default time-out period may have caused the failure of the VPN connection.
Change the time-out period value to 5 seconds on the "security policy of user" screen,
and try.

When the VPN connection is broken for some reason, the VPN server cannot detect it immediately.
After confirming that there is no communication for the given 5 seconds, the VPN connection is processed for cleanup.
So the DHCP client cannot receive a DHCP OFFER, even if it sends a DHCP DISCOVER.
A new VPN connection will then be available with a 5-second delay.

Attached A:
DHCP sequence when the time-out period is 5 seconds on "security policy of user" screen.
DHCP_GITACTUAL_5SEC2024-04-29

My test environment:
VPN server: WIN11 PRO 23H2
VPN client: WIN11 HOME 23H2

@hiura2023
Contributor

hiura2023 commented Apr 30, 2024

@PizzaProgram
Another solution here.
Set "DisableSessionReconnect" to true in "vpn_server.config".
It makes the VPN server detect breakage of the TCP connection immediately.
At the same time, the VPN connection is processed for cleanup.
A new VPN connection will then be available without delay.

Attached A:
"DisableSessionReconnect" in "vpn_server.config".
DHCP_DISABLE_SESRECON_2024-04-30

Attached B:
Ideal DHCP sequence.
DHCP_SESRECON_GITACTUAL_20SEC2024-04-30
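Added toy model (not SoftEther code) of the two comments above: a fixed IP stays held by the old session until the server either sees no traffic for the user's time-out period or, with DisableSessionReconnect, notices the TCP close at once; while it is held, a reconnecting client gets no address. The class and method names, the 10-second scenario and the address 10.111.5.23 are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    fixed_ip: str
    last_seen: float          # time of the last packet seen from this client
    tcp_closed: bool = False  # set when the server observes the TCP connection drop


@dataclass
class SecureNatModel:
    """Assumed model: one session at a time may hold a user's fixed IP."""
    timeout: float = 20.0                  # "Time-out Period" in the user's security policy
    disable_session_reconnect: bool = False
    sessions: dict = field(default_factory=dict)  # fixed_ip -> Session

    def cleanup(self, now):
        # Release a session once it has idled past the time-out, or immediately after a
        # TCP close when DisableSessionReconnect is set (as hiura2023 describes).
        for ip, s in list(self.sessions.items()):
            idle_expired = now - s.last_seen > self.timeout
            if idle_expired or (self.disable_session_reconnect and s.tcp_closed):
                del self.sessions[ip]

    def connect(self, user, fixed_ip, now):
        """IP handed to a (re)connecting client, or None while the old session holds it."""
        self.cleanup(now)
        if fixed_ip in self.sessions:
            return None
        self.sessions[fixed_ip] = Session(user, fixed_ip, now)
        return fixed_ip

    def disconnect(self, fixed_ip, now):
        """PC reboot or manual disconnect: the server only sees the TCP close."""
        if fixed_ip in self.sessions:
            self.sessions[fixed_ip].last_seen = now
            self.sessions[fixed_ip].tcp_closed = True


def reconnect_outcome(timeout, disable_reconnect, gap):
    """Client connects at t=0, drops at t=10, retries `gap` seconds after the drop."""
    m = SecureNatModel(timeout=timeout, disable_session_reconnect=disable_reconnect)
    m.connect("alice", "10.111.5.23", 0.0)
    m.disconnect("10.111.5.23", 10.0)
    return m.connect("alice", "10.111.5.23", 10.0 + gap)
```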

@hiura2023
Contributor

hiura2023 commented May 3, 2024

@PizzaProgram

The solution would be if somebody would FIX these errors!
(Both DHCP lease time + this one.)

① As to reassigning static IP addresses:
this pull request will fix it. #1989

② If necessary, do the following.
Set "DisableSessionReconnect" to true in "vpn_server.config".
Change the "Time-out Period" value to 5 seconds on the "Security Policy of User" screen.
