Creating your own VPNAzure DynamicDNS Like Service (In Testing, Needs Testers)
There will be many cases where you cannot (or not want to) port forward your VPN server hosted behind a Firewall/NAT/CGNAT. SoftEtherVPN Project already has a solution for this problem called VPNAzure and DynamicDNS which routes your VPN connections over the internet to the service. The main issues with the current VPNAzure + DynamicDNS services is that
1.) It's proprietary and cannot be self-hosted,
2.) It's using the outdated and highly insecure TLS 1.0,
3.) The speeds are at best around 2-4 Mbps which makes using VPNAzure in a business or multi-user setting difficult/impossible
4.) VPN Azure is located in the University of Tsukuba in the Ibaraki prefecture of Japan meaning for people in Europe/Africa/America will experience very high latency.
5.) VPNAzure servers have been unreliable as of late and are prone to blocking, throttling, hacking, and eventually will be shut down at some point.
The solution is to create your own VPNAzure + DynamicDNS like service that can be hosted on any VPS service just as long as you have a dedicated IPv4 and a Domain Name. The major downside of doing this is that it's going to cost you money for the hosting, however there are many free trial and low-cost VPS services out there and you may be able to pay less than $5/mo in most cases. The most important part in selecting your VPS is to select a location that is closest to your VPN server.
- Host on your own server, with your own rules
- Ability to host in a datacenter close to you
- Uses Secure, Proven, and active Open Source Software
- Allows you to port forward meaning it can be used for more than just a "VPNAzure" service. You can even setup 1:1 NAT with failover IPs if you have any. You can use this guide as a framework for setting up a "Cloud Router" device.
- Uses the latest SSL/TLS technology (TLS 3.0) and supports both Let's Encrypt and Enterprise Issued SSL
- Unlike VPNAzure, this solution will likely survive for longer and can be extended or modified if newer/better software solutions come out.
- Higher speeds, lower latency, and less probability of a firewall blocking you.
- IPv6 Support
- Can be complex to setup for both the Server Admin and the Backends. Requires intermediate knowledge of computer networking to get working.
- Costs Money for a VPS. (However this can be as low as $3/mo with some providers)
- VPS eats a LOT of bandwidth (expect 2TB+/mo per heavy-use Backend)
- Guide still may be incomplete, and problems with SoftEtherVPN itself lead to some limitations at the moment.
Server/VPS/Frontend- The "VPNAzure" server you will be hosting.
vClients/Backend- Your VPN Server hosted behind the firewall (such as your home server)
Client(s)/Device(s)- Client devices that will connect to the Backend through the Frontend
Create A records pointing to your domain for the following hosts via your Domain Name Provider's DNS panel.
www.yourdomain.tld: Subdomain for an apache site (Just in case)
vpn.yourdomain.tld: SoftEther's subdomain
server2.yourdomain.tld: Your first Backends's subdomain
Add more subdomains later for future Backends or Services.
Create AAAA records pointing to your domain for the following hosts via your Domain Name Provider's DNS panel.
www.yourdomain.tld: Subdomain for an apache site (Just in case). Point this to the Server's IPv6 Address
vpn6.yourdomain.tld: SoftEther's subdomain Point this to the Server's IPv6 Address
server2.yourdomain.tld: Your first Backend's subdomain POINT THIS TO THE Backend's IPv6 ADDRESS ONCE IT'S ASSIGNED!
Add more subdomains later for future Backends or Services
The first thing you need to do is buy a VPS from a reliable provider that will give you a dedicated IPv4 address. Some of the best services to choose from being OVHCloud, DigitalOcean, Linode, Contabo, etc. If you can get a route-able /64 IPv6 address that would be a nice to have as well. I would suggest Debian 10 or 11 or Ubuntu 20.04 for the operating system. Feel free to purchase additional IPv4s if you want your Backends to have access to it's own IPv4.
If your VPS does not come with a routeable IPv6 /64 subnet, I would highly suggest creating a Tunnelbroker account with Hurricane Electric and getting a /64 subnet from them. It's Free to sign up and use and will allow your Backends to have their own, globally routable IPv6 address. Also IPv6 is the future so might as well get it set up now!
Once you logged in as root and got situated (setting up IPv6, etc..) you will need to run updates to ensure your server is running the most recent versions of software available to ensure everything works. On Debian/Ubuntu systems (which is what I will be using throughout this guide), run sudo apt update && sudo apt upgrade if on Debian and sudo is not installed run apt install sudo as root.
NOTE: The DNSMasq and softether-iptables.sh IPTables rules are slightly modifed versions from This Article If you have any problems with my configurations feel free to use the linked articles refrence files.
The software that we will be using is as follows
-
SoftEtherVPN for connecting the Backends to the VPS
-
DNSmasq for managing and distributing IPv4 and IPv6 addresses
-
IPtables (netfilter), and IProute2 for port-forwarding
-
SSLH for hosting multiple SoftEther/SSTP servers as well as HTTPS websites
As root or the user of your choice -
NOTE: It is up to you to resolve any missing dependencies if you are using a light or cloud version of Debian/Ubuntu or any other Distro. Please refer to src/BUILD_UNIX.md for more information.
sudo apt -y install cmake gcc g++ make libncurses5-dev libssl-dev libsodium-dev libreadline-dev zlib1g-dev git pkg-config
git clone https://github.com/SoftEtherVPN/SoftEtherVPN.git
cd SoftEtherVPN
git submodule init && git submodule update
./configure
make -C build
I do not suggest installing it with make install unless you have a reason to.
sudo ./build/vpnserver start
sudo ./build/vpncmd
In VPNCMD
ServerPasswordSet
ListenerDisable 443
hubcreate myhub
BridgeCreate myhub /DEVICE:soft /TAP:yes
hub myhub
usercreate myuser
userpassword myuser
Follow This Guide from our Wiki to get SSLH installed and configured. If you have any dependency issues you will need to resolve them on your own.
sudo apt install dnsmasq
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.old
sudo nano /etc/dnsmasq.conf Edit the file and make changes if needed. The most important changes you make is the IPv6 range (comment out for no V6) and modify the IPv4 private subnet if required.
################################################################################## Interface Settings
# Listen to interface
# In this case it is the Softether bridge
interface=tap_soft
# Don't ever listen to anything on eth0, you wouldn't want that.
except-interface=eth0
# In case you have bind on your server and doesn't want dnsmasq to use the default dns port #53:
#port=5353
listen-address=172.18.0.1
bind-interfaces
################################################################################## Options
# Let's give the connecting clients an internal IP
dhcp-range=tap_soft,172.18.0.2,172.18.255.255,720h
# Default route and dns
#dhcp-option=tap_soft,3,172.18.0.1
# enable dhcp
dhcp-authoritative
# enable IPv6 Route Advertisements
enable-ra
# have your simple hosts expanded to domain
expand-hosts
# Let dnsmasq use the dns servers in the order you chose.
strict-order
# Let's try not giving the same IP to all, right?
dhcp-no-override
# Let's assign a unique and real IPv6 address to all clients.
# Here, we are using the IPv6 addresses from the he-ipv6 interface (Hurricane Electric ipv6 tunnel)
# You should replace it with your own IP range.
# This way even if you have only 1 shared IPv4
# All of your clients can have a real and unique IPv6 address.
# you can try slaac,ra-only | slaac,ra-names | slaac,ra-stateless in case you have trouble connecting
# For tunnelbroker, assign your ROUTABLE ip address to the tunnel interface and addresses in softether and dnsmasq If you have problems you can swith out ra-names with ra-stateless and see if that helps.
dhcp-range=tap_soft,2001:0475:012d:0420:0000:0000:0000:0001,2001:0475:012d:0420:FFFF:FFFF:FFFF:FFFF,slaac,ra-names,64,infinite
quiet-ra
# Let's advertise ourself as a DNSSec server.
# Since we're running in the VPN network this shouldn't be any problem.
# Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it.
# This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network
# between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
#proxy-dnssec
# The following directives prevent dnsmasq from forwarding plain names (without any dots)
# or addresses in the non-routed address space to the parent nameservers.
domain-needed
# Never forward addresses in the non-routed address spaces
#bogus-priv
# blocks probe-machines attack
stop-dns-rebind
rebind-localhost-ok
# Set the maximum number of concurrent DNS queries. The default value is 150. Adjust to your needs.
dns-forward-max=300
# stops dnsmasq from getting DNS server addresses from /etc/resolv.conf
# but from below
no-resolv
no-poll
# Prevent Windows 7 DHCPDISCOVER floods
# http://brielle.sosdg.org/archives/522-Windows-7-flooding-DHCP-server-with-DHCPINFORM-messages.html
dhcp-option=252,"\n"
################################################################################## External DNS Servers
# Use this DNS servers for incoming DNS requests
server=1.1.1.1
server=1.0.0.1
# Use these IPv6 DNS Servers for lookups/ OpenDNS
server=2606:4700:4700::64
server=2606:4700:4700::6400
#########################################
################################################################################## Client DNS Servers
# Let's send these DNS Servers to clients.
# The first IP is the IPv4 and IPv6 addresses that are already assigned to the tap_soft
# So that everything runs through us.
# This is good for caching and adblocking.
# Set IPv4 DNS server for client machines # option:6
dhcp-option=option:dns-server,1.1.1.1,1.0.0.1
# Set IPv6 DNS server for clients
# You can change the first IP with the ipv6 address of your tap_soft if you
# want all dns queries to go through your server...
dhcp-option=option6:dns-server,[2606:4700:4700::64],[2606:4700:4700::6400]
#########################################
######################################### TTL & Caching options
# How many DNS queries should we cache? By defaults this is 150
# Can go up to 10k.
cache-size=10000
# Negative caching allows dnsmasq to remember 'no such domain' answers from the parent nameservers,
# so it does not query for the same non-existent hostnames again and again.
# This is probably useful for spam filters or MTA services.
#no-negcache
# The neg-ttl directive sets a default TTL value to add to negative replies from the parent nameservers,
# in case these replies do not contain TTL information.
# If neg-ttl is not set and a negative reply from a parent DNS server does not contain TTL information,
# then dnsmasq will not cache the reply.
neg-ttl=80000
local-ttl=3600
# TTL
dhcp-option=23,64
#########################################
################################################################################## MISC
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
dhcp-option=vendor:MSFT,2,1i
#########################################
## 44-47 NetBIOS
dhcp-option=44,172.18.0.1 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,172.18.0.1 # netbios datagram distribution server
dhcp-option=46,8 # netbios node type
dhcp-option=47
# IF you want to give clients the same static internal IP,
# you should create and use use /etc/ethers for static hosts;
# same format as --dhcp-host
# <hwaddr> [<hostname>] <ipaddr>
read-ethers
# Additional hosts, for adblocking.
# You can create that file yourself or just download and run:
# https://github.com/nomadturk/vpn-adblock/blob/master/updateHosts.sh
#addn-hosts=/etc/hosts.supp
log-facility=/var/log/dnsmasq.log
log-async=5
################################################################################## Experimental
log-dhcp
quiet-dhcp6
dhcp-option=option:router,172.18.0.1
#dhcp-option=option:ntp-server,192.168.30.1
# With settings below, you can ping other clients on your lan.
#dhcp-option=option:domain-search,lan
#dhcp-option=option6:domain-search,lan
#domain=
# Gateway
#dhcp-option=3,172.18.0.1
sudo nano ~/softether-iptables.sh
#!/bin/bash
##########################################################################################################################################
### Configuration
#############################
TAP_ADDR=172.18.0.1 # Main IP of your TAP interface
TAP_INTERFACE=tap_soft # The name of your TAP interface.
VPN_SUBNET=172.18.0.0/16 # Virtual IP subnet you want to use within your VPN
NET_INTERFACE=eth0 # Your network adapter that connects you to the world.In OpenVZ this is venet0 for example.
IPV6_ADDR=2001:0475:012d:0420:0000:0000:0000:0001 # You can also assign this as DNS server in dnsmasq config.
IPV6_SUBNET=2001:0475:012d:0420::/64 # Used to assign IPv6 to connecting clients. Remember to use the same subnet in dnsmasq.conf
VPNEXTERNALIP=81.131.125.119 # Your machines external IPv4 address.
# Write down you IP or one of the IP adresses if you have more than one.
# Warning! NAT Machine users, here write the local IP address of your VPS instead of the external IP.
#############################
### End of Configuration
##########################################################################################################################################
#Flush Current rules
iptables -F && iptables -X
#######################################################################################
# Base SoftEther VPN Rules for IPTables. You can remove and use these iptables-persistent if you want
#######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# Forward VPN traffic that comes from the listed users through $NET_INTERFACE or other interface for outgoing packets. ALL Clients NEED this rule in order to get internet access
iptables -t nat -A POSTROUTING -s 172.18.0.57 -j SNAT --to-source 192.91.129.113 # Example if using a secondary IP.
iptables -t nat -A POSTROUTING -s 172.18.83.155 -j SNAT --to-source $VPNEXTERNALIP # General Example
#For now on, keep adding to this list when you get new clients. Use the template below as a guide.
#iptables -t nat -A POSTROUTING -s 172.18.XXX.XXX -j SNAT --to-source $VPNEXTERNALIP
# Alternate rule if your server has dynamic IP
#iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $NET_INTERFACE -j MASQUERADE
#
# Allow VPN Interface to access the whole world, back and forth.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
iptables -A INPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT
iptables -A OUTPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT
iptables -A FORWARD -s $VPN_SUBNET -m state --state NEW -j ACCEPT
#
# IPv6
# This is the IP we use to reply DNS requests.
#ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
# Let's define forwarding rules for IPv6 as well...
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT
#ip6tables -A FORWARD -s $IPV6_SUBNET -m state --state NEW -j ACCEPT
#ip6tables -A INPUT -s $IPV6_SUBNET -m state --state NEW -j ACCEPT
#ip6tables -A OUTPUT -s $IPV6_SUBNET -m state --state NEW -j ACCEPT
#######################################################################################
# End of Base IPTables Rules
#######################################################################################
# Enable SSLH's rules
bash /usr/local/sbin/server_tproxy_add.sh
# Run other scripts. Such as port forwarding if desired.
#bash /root/portforwardA.sh
chmod +x /root/softether-iptables.sh
Change the paths to match your server's configuration if needed.
sudo nano /lib/systemd/system/vpnserver.service
[Unit]
Description=SoftEther VPN Server
After=network.target
[Service]
Type=forking
ExecStart=/root/SoftEtherVPN/build/vpnserver start
ExecStop=/root/SoftEtherVPN/build/vpnserver stop
ExecStartPost=/bin/sleep 05
ExecStartPost=/bin/bash /root/softether-iptables.sh
ExecStartPost=/bin/sleep 03
ExecStartPost=/bin/systemctl start dnsmasq.service
ExecReload=/bin/sleep 05
ExecReload=/bin/bash /root/softether-iptables.sh
ExecReload=/bin/sleep 03
ExecReload=/bin/systemctl restart dnsmasq.service
ExecStopPost=/bin/systemctl stop dnsmasq.service
Restart=always
[Install]
WantedBy=multi-user.target
sudo nano /etc/sysctl.conf Insert these at the bottom change tap_soft if you named your tap interface somthing different.
net.core.somaxconn=4096
net.ipv4.ip_forward=1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.tap_soft.accept_ra=2
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_source_route=1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.proxy_ndp = 1
sysctl -f
systemctl enable vpnserver
systemctl enable dnsmasq
sudo reboot
On Windows, Install and configure SoftEtherVPN Server and SoftEtherVPN Client on your machine. For IPv6, Disable temporary IPv6 addresses using the proper command for your operating system. Configure and Connect VPN Client on the Backend to the VPS Server. Configure your firewall if needed and you should be rolling.
On Linux, If you compiled SoftEtherVPN from source on your Backend already then the latest VPN Client will also be located in the SoftEtherVPN/build directory. Run vpnclient start and then use vpncmd to configure a connection. Name the virtual NIC vps or something you will remember. It's important for later. Run
I am going to assume you setup SoftEtherVPN server for the Backend the same way as the VPS (a.k.a compiled to /home/user/SoftEtherVPN or /root/SoftEtherVPN
When you compiled the SoftEtherVPN Server to run on your Backend, that also compiled the VPN Client as well. Run sudo ./SoftEtherVPN/build/vpnclient start and then sudo ./SoftEtherVPN/build/vpncmd Select 2 this time to configure the client
In the client, run the following
NicCreate vps
AccountCreate vps
Follow the Promts to connect to your VPS in the cloud. Use the server address, port number, and enter the username you created and to use the Hub myhub.
Set the password
AccountPassword vps
Connect to the VPS
AccountConnect VPS
Get the MAC address from the vpn_vps interface copy and paste it on the VPS into /etc/ethers add a space and type the desired IPv4 next to it. Restart dnsmasq if needed. This will allow you to always have the same IPv4 address for this client. Meaning when you port forward or use SSLH you only need to set the IP once. For example: 5A:2E:1F:6A:3E:1D 172.18.0.5
Once you set a static IP and restarted DNSMasq on the VPS, run this command on the Backend to get the IP.
sudo dhclient vpn_vps
On the VPS again, run this command. Replace SERVERIP with the IP of your public interface. Copy and paste the command in the softether-iptables.sh file we made eariler so it's presistant on reboots.
iptables -t nat -A POSTROUTING -s 172.18.XXX.XXX -j SNAT --to-source SERVERIP
There are two options, You can either set the VPN as the default gateway, which is easy but not recommended. Or you can use the built in IProute2 and IPTables so you can set up policy based routing meaning only traffic from the VPN gets sent back out the VPN without changing the source address to the VPN's default gateway. This allows for "Transparency" for increased security and more accurate logging.
nano /etc/iproute2/rt_tables
Add the following below the other rules. This is presistant and won't get erased between reboots.
100 vpn_table
sudo nano policyrouting.sh
Insert the following into the file. BE SURE TO CHANGE THE VARIABLES TO FIT YOUR CONFIGURATION THIS IS VERY IMPORTANT! VPS refers to the VPS in the cloud, VPN refers to the local VPN adapter, and the ETH refers to your physical network connection. VPN_TABLE refers to the table we created above.
#/bin/bash
#Vars
VPN_DEFAULT_GW=172.18.0.1
VPN_INTERFACE_IP=172.18.83.155
VPS_TAP_SOFT_IP6=2001:475:12d:420:5c78:d8ff:fee1:4dd1
VPN_INTERFACE_IP6=2001:475:12d:420:5ca6:6bff:fe72:9e4e
VPN_IP6_SUBNET=2001:475:12d:420::/64
VPN_INTERFACE=vpn_vps
VPN_TABLE=vpn_table
#Only set these if you have a public IPv6 from your ISP
ETH_INTERFACE=enp0s25
ETH_GATEWAY6=fe80::10:18ff:fe1c:4cd5
#IPv4
sudo iptables -A PREROUTING -t mangle -i $VPN_INTERFACE -j MARK --set-mark 4
sudo iptables -A PREROUTING -t mangle -i $VPN_INTERFACE -j CONNMARK --save-mark
sudo iptables -A OUTPUT -t mangle -j CONNMARK --restore-mark
sudo ip rule add priority 1000 fwmark 0x4 table $VPN_TABLE
sudo ip route add table vpn_table 0.0.0.0/0 via $VPN_DEFAULT_GW dev $VPN_INTERFACE src $VPN_INTERFACE_IP
#IPv6
sudo ip6tables -A PREROUTING -t mangle -i $VPN_INTERFACE -j MARK --set-mark 5
sudo ip6tables -A PREROUTING -t mangle -i $VPN_INTERFACE -j CONNMARK --save-mark
sudo ip6tables -A OUTPUT -t mangle -j CONNMARK --restore-mark
sudo ip -6 rule add priority 1000 fwmark 0x5 table $VPN_TABLE
sudo ip -6 route add table $VPN_TABLE ::/0 via $VPS_TAP_SOFT_IP6 dev $VPN_INTERFACE src $VPN_INTERFACE_IP6
# Only Enable these two if you have an IPv6 from your ISP
sudo ip route add ::/0 via $ETH_GATEWAY6 metric 1023 dev $ETH_INTERFACE
sudo ip route add $VPN_IP6_SUBNET via $ETH_GATEWAY6 metric 255 dev $ETH_INTERFACE
This will allow your system to auto-connect to the VPS. Be sure to set the paths to your SoftEther installation. If you do not start your Backends vpn server as a service you could also throw in ExecStartPost=/home/user/SoftEtherVPN/build/vpnserver start to start the VPN server after the Backend connected. NOTE you may need to change the /bin/sleep/02 commands to somthing longer based on your environment.
sudo nano /etc/systemd/system/vclientconnect.service
[Unit]
Description=Automaticly connects Backends to VPS on boot.
After=network.target
[Service]
Type=forking
ExecStart=/home/user/SoftEtherVPN/build/vpnclient start
ExecStop=/home/user/SoftEtherVPN/build/vpnclient stop
ExecStartPost=/bin/sleep 02
ExecStartPost=/home/user/SoftEtherVPN/build/vpncmd 127.0.0.1 /CLIENT /CMD:AccountConnect vps
ExecStartPost=/bin/sleep 02
ExecStartPost=/bin/bash dhclient vpn_vps
ExecStartPost=/bin/sleep 02
ExecStartPost=/bin/bash /home/user/policyrouting.sh
ExecStopPost=/home/user/SoftEtherVPN/build/vpncmd 127.0.0.1 /CLIENT /CMD:AccountDisconnect vps
Restart=always
[Install]
WantedBy=multi-user.target
sudo systemctl enable vclientconnect.service
Test the service by rebooting.
reboot
Honestly the best thing to do as of now, especially if you run the VPS in the cloud, is to generate Let's Encrypt SSL certificates the same way you would for any other virtual host on the VPS. (refer to this article's section) and then send the public key (fullchain.pem) and private key (privkey.pem) over to the Backend via SCP or SFTP.
So far this has been one of the biggest hallenges/problems with this whole thing. The first problem being How can the Backend securely generate SSL certificates from Let's Encrypt? and the second problem being If the only way is to generate the SSL certificate on the VPS, How do we allow users to securely download their Let's Encrypt Certificate from the VPS in the cloud and how does this VPS keep it private from other users and even the service operator?
Insert the following in the /etc/sslh/sslh.cfg file on the VPS. Be sure to check your syntax! Use the IP address assocaited with the Backend.
,{ name: "tls"; sni_hostnames: [ "server2.mydomain.tld" ]; host: "172.18.XXX.XXX"; port: "5555"; log_level: 1; }
Exit the file and run
sudo systemctl restart sslh.service
You should now be able to connect to your VPN server at home using the public IP of the cloud VPS! Connect to the VPN server on a client device using the server2.mydomain.tld hostname that points to the VPS and use the username, password, and hub you configured on your vCleint's VPN server. If you have issues. One of the first things you should try to do is ping the Backend's IP from the VPS to ensure the Backends and VPS can talk to each other.
1:1 NAT can be useful if you have a Failover IP. Failover IPs + 1:1 NAT are a cheap and easy way get a "Dedicated IP" on a Backend. If you can set virtual MAC addresses such as on an OVH/SYS Dedicated server. There is a way for you to use the bridge feature in SoftEtherVPN to get public address directly on a Backend. But I won't go into that here (yet). Do the following on the VPS AFTER buying a Failover IP and configuring it to the VPS. You do NOT need to configure port fowarding on the VPS for IPv6. That is managed directly by the Backend.
Based on my testing, Port Forwarding in IPtables takes president over local VPS applications listening on an IP/Port. Please keep that in mind when allocating ports to Backends!
sudo nano 1to1NAT-serverA.sh
INTERNALIP=172.18.0.57 # The Backend's IP
EXTERNALIP=54.XXX.XXX.XXX # The Failover/Secondary IP you want to assign to the Backend
INTERFACE=eth0 # The interface the Failover IP is configured on. (Do NOT include the ID, i.e eth0:0 will still be eth0)
iptables -t nat -A POSTROUTING -o $INTERFACE -s $INTERNALIP -j SNAT --to-source $EXTERNALIP
iptables -t nat -A PREROUTING -i $INTERFACE -d $EXTERNALIP -j DNAT --to-destination $INTERNALIP
iptables -A FORWARD -s $EXTERNALIP -j ACCEPT
iptables -A FORWARD -d $INTERNALIP -j ACCEPT
#If you haven't already done this in softether-iptables.sh If you done it already with the failover IP then keep the below command commented out.
#iptables -t nat -A POSTROUTING -s $INTERNALIP -j SNAT --to-source $EXTERNALIP
sudo chmod +x 1to1NAT-serverA.sh
sudo ./1to1NAT-serverA.sh
To get it to auto apply at boot. Drop this command in the bottom of softether-iptables.sh
bash 1to1NAT-serverA.sh
Now any service you open up on the Backend should be accessible from the external (Failover) IP address. Don't forget to set the VPN as the default gateway or setup rule based routing as described below or you may encounter problems.
You may want multiple Backends to share a single IP address but still have services out on the public internet. You do NOT need to configure port fowarding on the VPS for IPv6. That is managed directly by the Backends.
Based on my testing, Port Forwarding in IPtables takes president over local VPS applications listening on an IP/Port. Please keep that in mind when allocating ports to Backends!
sudo nano portforwardA.sh
EXTERNALIP=155.222.76.33 #The IP public address you want the port to be open on
CLIENTIP=172.18.0.57 #The Backend's IP Address where you want to send traffic directed at the port
EXTERNALPORT=25565 #The port to be open on the public IP on the VPS
INTERNALPORT=25565 #The port that is being listened to on the Backend
PROTO=tcp #The protocol of the application
iptables -t nat -A PREROUTING -d $EXTERNALIP -p $PROTO --dport $EXTRENALPORT -j DNAT --to-dest $INTERNALIP:$INTERNALPORT
# May Not be needed. Enable below command if the first one alone does not work.
#iptables -t filter -A INPUT -p $PROTO -d $INTERNALIP --dport $EXTERNALPORT -j ACCEPT
# Forward Backend to internet if you haven't done so allready
iptables -t nat -A POSTROUTING -s $INTERNALIP -j SNAT --to-source $EXTERNALIP
sudo chmod +x PortforwardA.sh
sudo ./portforwardA.sh
To get it to auto apply at boot. Drop this command in the bottom of softether-iptables.sh
bash portfowardA.sh
If 1:1 NAT is off the table, but you are using an application such as an FTP Server and need multiple ports opened for it to function. Here is an example on opening a port range. Please note that the VPS and Backend must forward the same port range.
Based on my testing, Port Forwarding in IPtables takes president over local VPS applications listening on an IP/Port. Please keep that in mind when allocating ports to Backends!
sudo nano portforwardB.sh
EXTERNALIP=155.222.76.33 #The IP public address you want the port to be open on
CLIENTIP=172.18.96.69 #The Backend's IP Address where you want to send traffic directed at the port
PORTSTART=32400 #The port at the begining of the range.
PORTEND=32555 #The port at the end of the range.
PROTO=tcp #The protocol of the application
iptables -t nat -A PREROUTING -d $EXTERNALIP -p $PROTO --dport $PORTSTART:$PORTEND -j DNAT --to $INTERNALIP --sport $PORTSTART:$PORTEND
iptables -t nat -A POSTROUTING -d $CLIENTIP -p $PROTO --dport $PORTSTART:$PORTEND -j SNAT --to $EXTERNALIP --sport $PORTSTART:$PORTEND
# May Not be needed. Enable below command if the first one alone does not work.
#iptables -t nat -A INPUT -p $PROTO --dport $PORTSTART:$PORTEND -j ACCEPT
# Forward Backend to internet if you haven't done so allready
iptables -t nat -A POSTROUTING -s $INTERNALIP -j SNAT --to-source $EXTERNALIP
sudo chmod +x PortforwardB.sh
sudo ./portforwardB.sh
To get it to auto apply at boot. Drop this command in the bottom of softether-iptables.sh
bash portfowardB.sh
This guide took a while to write and is very long so it is prone to have error. I have ran through this guide on an OVH VPS running Debian 11 and it seemed to work after making some minor changes. This guide is NOT intended for beginners at the moment.
The Developers of SoftEtherVPN can help in a major way by implementing the following features if possible.
- Allow SoftEtherVPN server to listen on one specfic IPv4 and IPv6. Not either or as it is now.
2. Allow for domain-based certifcates so a user can have multiple subdomains point to one SE server and still have valid SSL through a service like Let's Encrypt. (This may allready be possible through certifcate combining but I never tested.)
There is a PR in the works that will allow for multi-domain certifcates which will likley solve this problem.
-
IPv6 support for OpenVPN and WireGuard can help extend connection options for users. Which would be a nice touch.
-
Advertise this as a way for "Advance" users to host their own VPNAzure-like service
5. (Maybe) build Let's Encrypt into SoftEther for easy cert gen. Or help me find a way for Backends to generate their own certifcates.
This is probobly pointless.
-
Help me smooth this out by adding more automationand maybe even implment this as an offical method in the SoftEther Software.
I added many scripts to help automate the process. However it can be improved by incorparating the Backend portion into SE Server Itself.
- As I learn more I will keep adding more to this. However I am considering splitting this up into multiple pages due to the fact that some of the optional stuff goes a little off topic. I may also split the Sevrer and Backend into seprate articles to help get users settled.
Thank You. This took a long time and I hope it benifits the community. I will be happy to see users push this to it's limits and share their results and even suggest improvements. We will continute discussion on this in my post