2015-09-28
Once I learned about SoftEther VPN, I realized I was missing out on a lot. In this article I will show you how to set up a Client to Site VPN without needing to set up any rules in your firewall (no port forward rule). Very NICE!
Here is a quick image of a client to site VPN:
We will set up a connection that allows a remote computer/mobile (that is in a different part of the world and has internet) to connect to our home network. All traffic will be tunneled thru the internet (meaning it will go thru the internet but it will have a hard shell of encryption around it. Imagine a tunnel going thru the ocean from a building to your home in London. The ocean represents the open, wild and unsecure internet. The building represents some remote location. The home represents our home network. The tunnel represents that we are going thru the ocean/internet to our home, but we are safe from its obstacles thanks to encryption).
This VPN Client is connected to the VPN Server CEO by using the NAT Traversal (UDP Hole
Punching) technology.
NAT Traversal allows the VPN Server behind the NAT-box to accept VPN connections from VPN
Client without any port-forwarding setting on the NAT-box.
However, NAT Traversal-based VPN sessions sometimes become unstable, because NAT Traversal
uses UDP-based protocol. For example, the VPN tunnel disconnects every 5 minutes if there is a
poor NAT-box between the VPN Server and the VPN Client. Some large-scale NAT gateways in
cheap ISPs sometimes cause the same problem on NAT Traversal. This is a problem of routers or
ISPs. This is not a problem of SoftEther VPN software.
To solve the unstable tunnel problem, you should connect to the VPN Server's TCP listener port directly, instead of using NAT Traversal. To connect to the VPN Server directly by using TCP, a listener port of the VPN Server must be exposed to the Internet by a port-forward setting on the NAT-box. Ask the administrator of the NAT-box, or refer to the manual of the NAT-box to add a port-forwarding setting on the NAT-box.
If this message still remains even though the VPN Server is exposing a TCP port to the Internet, check the Disable NAT-T checkbox on the VPN Client connection setting screen.
The SoftEther VPN Server Manager: that's the software we will use to configure SoftEther VPN Server.
The SoftEther VPN Bridge: I'm not sure what this is, but I assume it bridges the connection between the software and your listening interface (not sure).
We will only use the SoftEther VPN Server Manager. So open it up.
The first thing you need to do is make a New Setting (unless you already have the default one called localhost, see screenshot above; in my clean install I had it. Let's just rename it to HomeVPN. Click on Edit Setting and rename the Setting Name to HomeVPN and click Ok. When done click Connect and move to the next paragraph). These Settings are used to manage different VPN Servers. So we set the New Setting's Setting Name to HomeVPN. We then set the Hostname to localhost and pick one of the port numbers (just leave it as 5555). Then save it. And click on your new setting and click Connect. Now we are connecting to the VPN Server management (why all this? Because you can manage other VPN Servers with this VPN Server management tool, so you can have a VPN Server on a Linux box and manage it thru your Windows PC with this Server Manager tool).
NOTE: you might get prompted to set up an Administrator password when you first Connect. That's the password to manage/change settings of the HomeVPN setting. Don't forget it. I set it to something like mymanagepassword.
The first thing that comes up for me is the QuickSetup (the window is titled SoftEther VPN Server / Bridge Easy Setup). I just go thru that and when we are done with it, it's all ready. However, if you don't get the QuickSetup then try to follow along with my steps. If you can't find what I'm talking about, search for it by clicking on all of the buttons in the regular interface until you see the option I clicked (most buttons open more windows etc. and the GUI is pretty straightforward in letting you know when you're about to change a setting, so following along should be easy). The regular interface will make sense (each button opens up a new screen of options; there seem to be a lot of options, but you really don't have to have that many things set up to get it running).
Anyhow, back to the QuickSetup. The first thing we do is select the type of VPN we want. So check the top box only, Remote Access VPN Server (client to site), then hit Next and click Ok in the Are you sure? prompt. Then we create a Virtual Hub (this is just another layer of abstraction identifying this VPN that we are setting up. I assume a VPN Server can set up many different kinds of VPNs, each with different rules; each instance of a VPN is called a Hub. We will just set up 1 hub that runs IPsec and L2TP and uses Azure. The best way to think of a Virtual Hub with SoftEther is that it's just a set of VPN options. Maybe you have one VPN Hub that only lets you access 1 subnet in the network, and another one that only lets you access 1 server in the network). By default it's VPN; just change the Name of the Virtual Hub to something cool like VPNX (name doesn't matter, but remember it) and hit Ok.
Now you are faced with your Azure settings. Enable it with the checkbox and change the hostname. By default you will get something like vpn490566973.softether.net; instead change it to something like kossboss123.softether.net (this is an actual FQDN that can be used and will ping back your home router's WAN IP, so if you have DNS this is redundant, but redundancy isn't bad). Hit Set Above HostName. You will notice that you see your router's IP: x.x.x.x (should be a public IP and not a private IP). You will also see your DNS key (it looks like this: 0+8k543x+st+8xtn12345cWt9Vr0=). I never had to use the DNS key in the setup for the server or client, so I'm not sure what it's for (it's probably used in the backend for some sort of server to Azure authentication). Set up your proxy server connection if you need it. I don't need to connect via Proxy so I'm not going to click on Connect via Proxy Server. So just hit Exit.
Next you will see the IPsec / L2TP / EtherIP / L2TPv3 Server Settings window.
There you can check Enable L2TP server function (L2TP over IPsec) and do not check Enable L2TP Server function (raw L2TP with no encryption), for the obvious reason that we want our VPN to be encrypted (yes, you can have a non-encrypted VPN which just acts as an unsecure tunnel to the other network). Also set your IPsec Pre Shared Key to something and write it down. I set it to 12345 (by default it's vpn), but you should set it to something more complex (I never had to use this IPsec Preshared key, but I'm assuming if I used an IPsec VPN client I would have to). Make sure the default Virtual Hub is selected as the one we created called VPNX. And hit Ok.
Next you will be faced with the VPN Azure Service Settings window. Make sure VPN Azure is enabled. Your Azure Hostname will show up again: kossboss123.vpnazure.net. You can change it if you want. Hit Ok after enabling VPN Azure.
Next we are faced with a 3 simple steps window called VPN Easy Setup Tasks. Here we will create the user/users for Step 1 and select the network interface which will be used for the VPN (our main internet interface) for Step 3. Step 2 will be skipped and greyed out.
kossboss
My Notes, Articles & Guides for Linux, Windows and Networking.
Now create a user. Username: user1 (you will use this user). Set its Auth type to Password Authentication and set your password to something complex like 12345 (just kidding, set it to something a lot stronger). Hit Ok.
You will see your user1 in the list now. Hit Exit.
Back in the VPN Easy Setup Tasks window. We just finished step 1 (creating users). We are skipping step 2 (it's greyed out). Next and final step 3 in this window, and actually the final step for the whole server config: you will set the Local Bridge interface. I picked my Local Area Connection interface which is called Ethernet [Realtek PCIe GBE] (open up Windows->ncpa.cpl and confirm the name of the interface you should connect to).
Hit Close & that completes Quick Setup, and we should be good to go to setting up the client.
Now you should see the main Manage VPN Server window, which is what we would have seen if we didn't go thru Quick Setup. We don't need to do anything here, just hit Exit.
NOTE: ignore in the picture that my Port Number 443 has an Error. We also have the other ports we are listening on: 443, 992, 1194, 5555.
So now we have created a virtual hub on our home Windows PC which allows a client to connect and access anything on the network. The only information you will need is your Azure FQDN which we set as kossboss123.softether.net, your virtual hub name which is VPNX, the port you're running the server on (which is 1194, 5555, 443; you can use any of those), and your username and password which we have as user1 and 12345. Also don't forget to note the password which you picked when you created the setting, mymanagepassword.
NOTE: obviously you can mess with the settings to get a lot more things, or more ACLs (Access Control Lists) set up so that clients can only access certain parts of the network, or routes so that clients can access more parts of your network.
Open the SoftEther VPN Client and the first thing you want to do is right click on the bottom window and create a new Virtual Network Adapter (this creates a new interface which you can use to connect to one VPN Server's virtual hub; we will use it to connect to our home's VPNX network). All you have to do is give it a name; name it like VPN100 (note after Windows 8.1 you're limited to names like VPNxxx, whereas in Windows 7 I could pick MyLuckyVPN). That is all you need to do to create a virtual network adapter, just give it a name.
Next we need to change the VPN from full-tunnel to split-tunnel. We do this by changing the metric on the newly created virtual network adapter from 1 to 100. If we don't, we will have a full-tunnel VPN, which means all of our traffic, even traffic that should not go out the VPN like browsing www.google.com or Facebook, will go out that VPN (I don't know, maybe you want this behavior; if you do then leave the metric alone, but you should still be aware of how to switch to split-tunnel). Split tunnel means only the traffic destined for the remote network will go over the VPN. So open up the Windows Network Connections screen (the easiest way: click the Windows button and type ncpa.cpl and hit enter, or navigate to it thru your Control Panel; also you can right click on your newly created VPN100 virtual network adapter and click Open Windows Network Connections to get there as well). Once in that all too familiar Windows Network Connections window, right click on VPN100 and click Properties, scroll down to Internet Protocol Version 4 (TCP/IPv4) and select it (don't uncheck it), click on Properties, then click Advanced and change that metric value from 1 to 100 (make sure Automatic metric is not checked). Then click Ok as many times as it takes you to get out of the VPN100 properties and close out of the Network Connections window.
Now back to the Client Interface: right click on the top window and select create New VPN Connection.
Give the setting a name like HomeVPN (name doesn't matter, and it also doesn't have to match the Server setting name which we picked at the beginning of the server setup. I just called it HomeVPN so that I know they are related, that this HomeVPN connects to the HomeVPN on the server). Set the hostname to kossboss123.softether.net. Now pick a port (it's one of the ports we are listening on: 443, 992, 1194, 5555). I picked 443 (if it doesn't work try the other ports). Wait for a second and you should see in the Virtual Hub Name dropdown the name of your Virtual Hub show up. In our case you should see VPNX. Make sure to select VPNX (even though I think it autoselects it). If it doesn't list VPNX, manually write it in (the connection might or might not work, we will know when we connect). Then put in your username and password, user1 and 12345. Now save that by clicking Ok.
You should get a popup notification showing the connection process and then it should show you an IP address that it received from a DHCP server on that network. So I see something like 10.10.10.111. The popup will automatically disappear.
That's it, we are connected! Now I can ping and access everything on my home network from my current location (you can now access the PC 10.10.10.7 and the NAS 10.10.10.8; again, these are made up IPs).
NOTE: Disconnect the connection and change your Advanced settings to increase throughput and threads by increasing the Number of TCP connections from the default 1 to 8. You can right click on the VPN config which we called HomeVPN and go to Properties. Now you're back at the client config screen; click on the Advanced button under Advanced Settings of Communication and change the Number of TCP connections from 1 to 8. This is good for broadband connections and will increase your throughput.
NOTE: 10.9.80.7 is my main interface at my client network that is used to get out to the internet. The VPN traffic is encapsulated before it goes thru there. 10.10.10.111 is the IP that the Virtual Network Interface got on the VPN100 interface. Also note that changing the metric from 1 to 100 changes to a different number when you view it from route print (it's just converted differently when it's shown there, but the message is the same).
# here is the ipconfig output showing you the IPs of the main non-VPN network at the client and the VPN interface IP. I omit extra info that's not needed like IPv6 and DNS suffixes.
At the server:
Now here are the ports we are listening on at the server. First we need to find out the process ID of the VPN server.
We see the process ID is 3580. So now let's see what ports 3580 is listening on.
# having the process ID of the vpn server we can see what ports its using up to listen on
  UDP    [fe80::5d38:268c:e531:5ba6%15]:500     *:*                                    3580
  UDP    [fe80::5d38:268c:e531:5ba6%15]:1194    *:*                                    3580
  UDP    [fe80::5d38:268c:e531:5ba6%15]:4500    *:*                                    3580
  UDP    [fe80::c164:b387:ce10:5aab%9]:500      *:*                                    3580
  UDP    [fe80::c164:b387:ce10:5aab%9]:1194     *:*                                    3580
  UDP    [fe80::c164:b387:ce10:5aab%9]:4500     *:*                                    3580
NOTE: 10.10.10.7 is the Local Area Connection interface's main IP. Recall Local Area Connection is my main interface on the VPN server which connects up to my network and then to the internet. Note that it connects to 130.208.6.126 which is the University of Tsukuba (I assume this is the softether.net Azure network); I assume this is that middle server, the 3rd server. So if you don't use Azure and you use the port-forwarding method this should go away.
Now it will ask for your username and password that you picked when you made your user and then it should connect. You can then access anything on the remote network from your phone (the 10.10.10.7 computer and your NAS that's on 10.10.10.8).
NOTE: The difference between TAP and TUN. A TAP device is a virtual ethernet adapter, while a TUN device is a virtual point-to-point IP link. Even though TUN devices only provide a virtual point-to-point IP link, we are still able to access everything on the remote network (where the VPN server is) by the routing that is set up (it basically tells the phone that to reach anything on the 10.10.10.x network, go thru the TUN interface to 10.10.10.7, which is the VPN server). For more info: http://security.stackexchange.com/questions/46442/openvpn-tap-vs-tun-mode
NOTE: you will notice in the config it asks to connect to your kossboss123.softether.net, which will look like this if you're using IPv4: kossboss123.v4.softether.net (both point to the same addresses). Also if you have your own domain name (such as myplace.kossboss.com), then your domain name & the 2 softether.net addresses will point to the same address. So they are all interchangeable in the config.
The end.
2016-01-20 at 11:43 am
Good article, thanks.
Juan