What Rules Need To Be Setup To Allow NAT on Softether VPN?
I would like some assistance setting up SoftEther on a locally bridged network with NAT, as well as help getting the iptables rules set up. I have 2 network interfaces with Ubuntu 18.04 LTS. I would like to ensure that I can get access through the SoftEther VPN software into the server, which is acting as a gateway and VPN hub.
18.04 vpn ipsec
edited Jan 23 at 16:38
Vince Pike
asked Jan 22 at 2:39
Vince Pike
1 Answer
First off, ensure that you are using SoftEther's Local Bridge function and utilizing the tap interface. This will be faster than the standard bridge, and will allow you to set up DHCP in a way that doesn't break things for your other clients. :-)
I have named my TAP interface 'soft' for ease of use, but remember to adjust your netplan rules as listed below:
In the rules below I have used enp0s7 as the WAN and enp3s0f0 as the LAN interface.
```yaml
# This file is generated from information provided by
# the datasource. Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
  ethernets:
    enp0s7:
      dhcp4: true
      optional: false
    enp3s0f0:
      addresses: [192.168.254.1/24]
      nameservers:
        addresses: [9.9.9.9,192.168.1.254]
        search: [vinceworks.com]
      dhcp4: false
      optional: true
    tap_soft:
      addresses: [192.168.253.1/24]
      dhcp4: false
      optional: true
  version: 2
```
You will also need to adjust your DHCP rules in the /etc/dhcp/dhcpd.conf file:
```
subnet 192.168.254.0 netmask 255.255.255.0 {
  range 192.168.254.100 192.168.254.150;
  # broadcast-address needs to be .255 to cover all the address range
  option broadcast-address 192.168.254.255;
  option routers 192.168.254.1;
}
subnet 192.168.253.0 netmask 255.255.255.0 {
  range 192.168.253.30 192.168.253.42;
  # broadcast-address needs to be .255 to cover all the address ranges
  option broadcast-address 192.168.253.255;
  option routers 192.168.253.1;
}
```
Here are the iptables rules you should setup on boot:
```sh
# Default policy to drop all incoming and forwarded packets.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Enable IP forwarding in the kernel so the box can route between interfaces.
sudo sysctl -w net.ipv4.ip_forward=1
# Accept incoming packets from localhost and the LAN interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i enp3s0f0 -j ACCEPT
# Accept incoming packets from tap_soft (the SoftEther local-bridge interface).
iptables -A INPUT -i tap_soft -j ACCEPT
# Accept incoming packets from the WAN only if the router initiated the connection.
iptables -A INPUT -i enp0s7 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Forward LAN packets to the WAN.
iptables -A FORWARD -i enp3s0f0 -o enp0s7 -j ACCEPT
# Forward VPN client packets to the WAN and to the LAN.
iptables -A FORWARD -i tap_soft -o enp0s7 -j ACCEPT
iptables -A FORWARD -i tap_soft -o enp3s0f0 -j ACCEPT
# Forward WAN packets to the LAN or VPN only if the LAN/VPN side initiated the connection.
iptables -A FORWARD -i enp0s7 -o enp3s0f0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i enp0s7 -o tap_soft -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Let LAN hosts reply to connections that VPN clients opened; without this
# rule the FORWARD policy drops those replies and VPN-to-LAN access fails.
iptables -A FORWARD -i enp3s0f0 -o tap_soft -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NAT traffic going out the WAN interface.
iptables -t nat -A POSTROUTING -o enp0s7 -j MASQUERADE
# Sleep for a little bit to allow the VPN interface to come up.
sleep 30
# Restart the DHCP server to begin serving for the new interface.
systemctl restart isc-dhcp-server
```
edited Feb 6 at 18:24
answered Jan 29 at 21:23
Vince Pike
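The rule set from the answer, as an added example that is not the answer's own script: a rerunnable boot script that generates the rules from interface variables (defaulting to the answer's enp0s7, enp3s0f0 and tap_soft), flushes before loading so a second run does not duplicate every rule, includes a return-path rule so LAN hosts can answer VPN clients, and polls for the tap interface instead of a fixed 30-second sleep. The `show`/`apply` subcommands and the `build_rules`, `iface_exists`, `wait_for_iface` and `apply_rules` functions are names chosen here; hooking the script into boot (a systemd unit or rc.local) is left to the reader.

```shell
#!/bin/sh
# Added example, not code from the answer. Interface names default to the
# ones used in the answer; override them in the environment, e.g.
#   WAN=eth0 LAN=eth1 VPN=tap_soft ./vpn-fw.sh show
WAN="${WAN:-enp0s7}"
LAN="${LAN:-enp3s0f0}"
VPN="${VPN:-tap_soft}"

# Emit the rule set as one iptables command per line. Keeping the generator
# separate from the apply step lets the rules be reviewed or diffed without
# root and without touching the running firewall.
build_rules() {
    cat <<EOF
# Policies first, then flush: no window where everything is accepted.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
# Local processes and the trusted LAN/VPN sides may talk to this host.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A INPUT -i $VPN -j ACCEPT
# From the WAN only replies to connections this host started.
iptables -A INPUT -i $WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN and VPN clients may open connections outward; VPN clients may reach the LAN.
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -i $VPN -o $WAN -j ACCEPT
iptables -A FORWARD -i $VPN -o $LAN -j ACCEPT
# Only return traffic comes back from the WAN, and only return traffic
# flows from the LAN to VPN clients (this last rule is missing from the
# answer; without it the FORWARD policy drops LAN replies to VPN clients).
iptables -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -o $VPN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $VPN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Source-NAT everything leaving the WAN interface.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# True if the kernel currently has an interface named $1.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Wait up to $2 seconds (default 60) for interface $1, polling once a second;
# fails instead of silently continuing if the tap device never appears.
wait_for_iface() {
    _n=0
    until iface_exists "$1"; do
        _n=$((_n + 1))
        [ "$_n" -lt "${2:-60}" ] || return 1
        sleep 1
    done
}

# Load the rules, then restart the DHCP server once the tap interface exists
# so it binds that interface as well as the LAN.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules | sh -e
    wait_for_iface "$VPN" 60 || { echo "apply_rules: $VPN never appeared" >&2; return 1; }
    systemctl restart isc-dhcp-server
}

case "${1:-}" in
    show)  build_rules ;;
    apply) apply_rules ;;
    "")    ;;   # no subcommand: only define the functions (file can be sourced)
    *)     echo "usage: $0 show|apply" >&2; exit 2 ;;
esac
```

Run `./vpn-fw.sh show` to review the exact commands that would be executed, then `sudo ./vpn-fw.sh apply` at boot. The `-P` lines run before `-F` on purpose: flushing first would briefly leave the chains with whatever policy was previously set.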