Impossible to get access to Host VPN Server from remote client #298

Closed
kvv213 opened this issue Jan 27, 2017 · 12 comments

Comments

@kvv213

kvv213 commented Jan 27, 2017

Hello everyone,

I think I discovered a serious problem with SE VPN when it is installed on Ubuntu (and probably other Linux).
Set-up: 192.168.0.0/24 network, Ubuntu 16 LTS Server, the simplest Remote VPN configuration, Local Bridge, one Hub, no ACL or other tricks, IPsec and OpenVPN options are enabled.
Client: Android device with standard IPsec (tested with Android 6 and 4), OpenVPN client.

The problem: when Android establishes the VPN tunnel, it can reach any computer on the 192.168.0.0/24 network except the VPN host with Ubuntu. The situation is vice versa: any computer from the network can ping the Android device. But the VPN host with Ubuntu can't ping it.

I tried to use ordinary ping and arping (from Ubuntu). I checked the route table. I've updated the ARP table with a concrete correspondence between the client IP address and its MAC address. With no success.

Due to the user-space nature of SE on Linux there is no separate network VPN adapter for the VPN. SE uses its internal realization of a VPN network interface adapter. We can't see it via ifconfig and we can't route packets to it from the local machine.

Anyway, if I try to connect from Win10 with the SE client to the same Virtual HUB, I can reach the VPN host with Ubuntu...

@DDGo
Contributor

DDGo commented Feb 1, 2017

That's not going to be possible and not a problem of SoftEther. This is also mentioned in the manual under 3.6.11 and I quote:

Limitations within the Linux or UNIX operating system prevent communication with IP addresses assigned to the network adapter locally bridged from the VPN side (Virtual Hub side). The cause of this restriction lies with the OS's internal kernel code rather than with SoftEther VPN. When wishing to communicate in any form with a UNIX computer used for local bridging from the VPN side (Virtual Hub side), (for instance, when running both the VPN Server / VPN Bridge service & the HTTP Server service and wishing to grant access to the server service from the VPN side as well), prepare and connect a local bridge network adapter and physically connect both it and the existing network adapter to the same segment (as explained in 3.6 Local Bridges, it is recommended to prepare a network adapter for exclusive use in local bridging for this and other situations).

In short, the Linux kernel prevents access to the interface you bridged for your VPN for security reasons as far as I have read (had this issue as well when I was new to SoftEther). The real solution is getting a second network card in the server you use for the VPN. Then you have one interface dedicated to routing internet traffic and the other interface as management where you can SSH into it.

I hope this helps you any further. Note: I'm not a maintainer and/or member of this project, but just a user that runs their own SoftEther VPN server.

@kvv213
Author

kvv213 commented Feb 2, 2017

In short, the Linux kernel prevents access to the interface you bridged for your VPN for security reasons as far as I have read (had this issue as well when I was new to SoftEther). The real solution is getting a second network card in the server you use for the VPN. Then you have one interface dedicated to routing internet traffic and the other interface as management where you can SSH into it.

I came to the same thought. But my servers are very tiny computers that have an integrated CPU, without active cooling, and there is no space to install any additional network card. So I'm thinking about something like a Raspberry or Pine64, maybe with Windows on it. In that case there shouldn't be any troubles.

@DDGo
Contributor

DDGo commented Feb 2, 2017

Windows does indeed not have a problem with this. I have run SoftEther VPN Server on a Windows operating system before I transferred over to Linux, due to getting a second NIC for it.

@kvv213
Author

kvv213 commented Feb 22, 2017

Maybe it is a worthy thing to try to create a virtual network adapter in Ubuntu and create a Local Bridge in SE VPN to this virtual adapter?

@Erutan409

For whatever it's worth, I've noticed the same thing with my instance running on a Raspberry Pi 3. My only workaround was to SSH into another RPi running on my network, to then reverse SSH into the aforementioned one. Which does work.

It doesn't solve the problem of connecting to my VPN server with the Windows Admin tool, but I can make manual configurations that way if absolutely necessary.

@nickete

nickete commented Nov 1, 2018

Hi,

Watch this as a workaround to the problem: https://www.youtube.com/watch?v=jqRkFKHdz4A

Define a tap device (forget about bridging it to the NIC) and then configure the network for the VPN clients behind a NAT.

regards,

@eduardpaul

Hello everyone! I'm using softether+openhab (domotics) and experiencing the same issue: the Pi does not respond to any device connected through the VPN.

@nickete your solution seems to be feasible but I couldn't figure out what configuration is needed. I created the tap device and used the SoftEther SecureNAT feature. The same behavior as before: I can ping any device in my LAN except my Pi. I would greatly appreciate any hints on how to implement it.

Also, I'm wondering why I can't ping the WLAN interface of the Pi if I'm using the eth interface for the VPN.

Greetings,

@DRSDavidSoft
Contributor

I'm interested in looking into exactly why the Linux kernel is blocking this. (I can't believe such a limitation does not exist on a Windows OS.) This issue was driving me insane until I found the explanation in the SoftEther documentation.

Since I cannot use a dedicated network card for bridging, I hope there could be another solution that I can use (aside from defining a TAP interface, or reverse SSH'ing using another Raspberry Pi).

@ruimgoncalves

Please follow this workaround

https://www.vpnusers.com/viewtopic.php?t=6824

@ELCarmen01

Please follow this workaround

https://www.vpnusers.com/viewtopic.php?t=6824

I tried going to this link, it does not load.

@ELCarmen01

Wait, it just did after I created a GitHub account.

@cok3307788

cok3307788 commented Nov 4, 2021

Test passed on CentOS 7. Please use a command like 'shutdown -r 3' to keep the remote server recoverable.
1. Create a tap bridge using se-managetool: a bridge between a tap device with any name and the "VPN" hub
2. Create a standard bridge, such as 'brctl addbr vpn'
3. Bring the new bridge up, like 'ifconfig vpn up'
4. (may cause the link to break) brctl addif vpn eth0
5. dhclient vpn
6. brctl addif vpn "the tap device"
7. Done
