Softether local bridge no internet access

http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/

I used this guide to set up Softether using local bridge on a clean Debian install, but I'm not getting internet access after connecting to the VPN. However, everything works fine when I enable SecureNAT.

http://image.prntscr.com/image/827268783c2443b58fd736b93170f38a.png
http://image.prntscr.com/image/d6e95e42988249448e0928779ce45a14.png

How do I fix it? I'd just use SecureNAT, but from what I read, using local bridge is better.

Thanked by 1deadbeef

Comments

  • did you make sure to enable IP forwarding and run that iptables rule?

    also it won't work with a NATed VPS.

  • Four20 Member
    edited September 2016

    @TarZZ92 said:
    did you make sure to enable IP forwarding and run that iptables rule?

    also it won't work with a NATed VPS.

    iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source [VPS IP ADDRESS]

    I did this, but how to confirm?
    I tried iptables -S and got this only

    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT

    EDIT: yeah, it's not a NAT VPS.

  • I also have net.ipv4.ip_forward = 1 in /etc/sysctl.d/ipv4_forwarding.conf

  • netomx Moderator, Veteran

    @Four20 said:
    I also have net.ipv4.ip_forward = 1 in /etc/sysctl.d/ipv4_forwarding.conf

    sysctl -p

  • @netomx said:

    @Four20 said:
    I also have net.ipv4.ip_forward = 1 in /etc/sysctl.d/ipv4_forwarding.conf

    sysctl -p

    yeah, I did sysctl --system

  • netomx Moderator, Veteran

    Are you getting IP?

  • @netomx said:
    Are you getting IP?

    I'm getting this

    IPv4 Address. . . . . . . . . . . : 192.168.7.57
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 0.0.0.0
    
  • netomx Moderator, Veteran

    Doesn't seem right. Did you modify the dnsmasq file?

    Thanked by 1Four20
  • Really sounds like you missed a small thing? I followed both tutorials a lot and can tell it is working... Mind sharing ifconfig from your vm?

    Thanked by 2netomx Four20
  • as others have said please share ifconfig (you can remove most of the IP with XX)

    Thanked by 1Four20
  • @netomx said:
    Doesn't seem right. Did you modify the dnsmasq file?

    yeah, I did; these are the last three lines

    interface=tap_soft
    dhcp-range=tap_soft,192.168.7.50,192.168.7.60,12h
    dhcp-option=tap_soft,3,192.168.7.1
    
  • Four20 Member
    edited September 2016

    @Falzo said:
    Really sounds like you missed a small thing? I followed both tutorials a lot and can tell it is working... Mind sharing ifconfig from your vm?

    @TarZZ92 said:
    as others have said please share ifconfig (you can remove most of the IP with XX)

    Yeah, I've missed something for sure, but I don't know what it is.
    Re-installed the VPS a few times and followed that tutorial again, but still getting the same result.

    tap_soft  Link encap:Ethernet  HWaddr 00:ac:96:c8:ad:ab
              inet addr:192.168.7.1  Bcast:192.168.7.255  Mask:255.255.255.0
              inet6 addr: fe80::2ac:96ff:fec8:adab/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1 errors:0 dropped:0 overruns:0 frame:0
              TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:86 (86.0 B)  TX bytes:726 (726.0 B)
    

    http://pastebin.com/raw/vyS3CtsQ

  • TarZZ92 Member
    edited September 2016

    okay

    your problem is you appear to have a NAT VPS; it will only work on public IPs

    inet addr:172.20.13.79

    Thanked by 1deadbeef
  • @TarZZ92 said:
    okay

    your problem is you appear to have a NAT VPS; it will only work on public IPs

    inet addr:172.20.13.79

    It's not NAT though. I'm using lunanode.com.

  • Four20 said: It's not NAT though. I'm using lunanode.com.

    it clearly is (notice the 172 part), which is NAT

    https://whois.domaintools.com/172.20.13.79

    IP Location Private Ip Address Lan

  • it may not be large scale nat but a sticky IP type but it's still NAT

    Thanked by 1Four20
  • Four20 said: I did this, but how to confirm? I tried iptables -S and got this only

    to confirm the entry is there you need to specify the table when listing, so

    iptables -t nat -L

    should be the command you're looking for...

    for the rest of it, let's try to narrow it down somehow ;-)

    what protocol and client are you using to connect?
    is this an OVZ or KVM VPS?
    do you have any other firewall-rules or filters in place?
    just for protocol: you deactivated securenat before trying localbridge?

    if anything fails, feel free to shoot me a PM if you want me to have a look at it...

  • Four20 Member
    edited September 2016

    @Falzo said:

    Four20 said: I did this, but how to confirm? I tried iptables -S and got this only

    to confirm the entry is there you need to specify the table when listing, so

    iptables -t nat -L

    should be the command you're looking for...

    for the rest of it, let's try to narrow it down somehow ;-)

    what protocol and client are you using to connect?
    is this an OVZ or KVM VPS?
    do you have any other firewall-rules or filters in place?
    just for protocol: you deactivated securenat before trying localbridge?

    if anything fails, feel free to shoot me a PM if you want me to have a look at it...

    I get this now
    http://pastebin.com/raw/ykWUjH00

    Also, I've sent you a pm. Thank you.

  • looks right to me, just like the other things you posted above... I'll see how I can help you any further ;-)

    Thanked by 1Four20
  • Falzo said: looks right to me, just like the other things you posted above... I'll see how I can help you any further ;-)

    as I said above, you won't be able to fix this, as OP is using NAT; you need a public IP only for SE bridge.

    Thanked by 3Falzo Four20 deadbeef
  • Falzo Member
    edited September 2016

    TarZZ92 said: as I said above, you won't be able to fix this, as OP is using NAT; you need a public IP only for SE bridge.

    you may be right ;-)

    I am looking into it right now, and it seems I have missed @Four20 posting the full ifconfig via pastebin before. finally your answer above makes sense ^^

    yet I'd say it depends on the whole network configuration lunanode is using on these, maybe some kind of full 1:1 forwarding - seen something like this on Hetzner VMs before.

    so I do think it may work if the iptables NAT rule is set to the IP given for eth0 instead of the external, only problem is this may change on a reboot or at least on a reinstall (it now is .13.80).

    will try to get it working and report back later ;-)

    EDIT: indeed just changing the iptables NAT rule to that local IP of eth0 instead of that real public one made it work correctly ;-)

    PM'ed with @Four20 so he hopefully can try himself and confirm if this will work.

    Thanked by 2Four20 deadbeef
  • Thanks for the help everyone.
    @Falzo was more than helpful and he fixed it for me, thanks mate!

    Thanked by 1netomx
  • Awesome, I've always had the same issue and was just enabling SecureNAT as a workaround. Great to know, thank you guys!

  • netomx Moderator, Veteran

    the problem was in the iptables rule; you needed to use your internal IP instead of the public one. This is for NAT
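
The fix the thread arrives at, as an added example that is not part of any post above: a check that the SNAT `--to-source` for the VPN subnet is an address actually configured on the egress interface. The rule and interface text are constructed samples (203.0.113.10 is a placeholder public IP; 172.20.13.79 and 192.168.7.0/24 come from the thread), and the function names are hypothetical.

```sh
# Added example. Constructed `iptables -t nat -S POSTROUTING` output (placeholder public IP).
SAMPLE_RULES_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source 203.0.113.10'
SAMPLE_RULES_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source 172.20.13.79'
# Constructed `ip -4 -o addr show dev eth0` output, using the eth0 address quoted in the thread.
SAMPLE_ADDR='2: eth0    inet 172.20.13.79/24 brd 172.20.13.255 scope global eth0'

# Print the --to-source of the SNAT rule whose -s matches subnet $2 in rules text $1.
snat_source() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; to = ""; snat = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j" && $(i + 1) == "SNAT") snat = 1
                if ($i == "--to-source") to = $(i + 1)
            }
            if (snat && src == net) { print to; exit }
        }'
}

# Print each IPv4 address (prefix length stripped) found in `ip -4 -o addr` text $1.
iface_addrs() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
        if ($i == "inet") { split($(i + 1), a, "/"); print a[1] } }'
}

# Succeed if $1 is an RFC 1918 address, meaning the provider NATs the public IP to it.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Verdict for rules $1, interface text $2, VPN subnet $3: ok, mismatch or missing.
check_snat() {
    to=$(snat_source "$1" "$3")
    if [ -z "$to" ]; then echo missing; return 1; fi
    for a in $(iface_addrs "$2"); do
        if [ "$a" = "$to" ]; then echo ok; return 0; fi
    done
    echo mismatch; return 1
}

is_rfc1918 172.20.13.79 && echo "eth0 is private: SNAT to it, not to the public IP"
check_snat "$SAMPLE_RULES_BAD" "$SAMPLE_ADDR" 192.168.7.0/24 || true    # mismatch
check_snat "$SAMPLE_RULES_GOOD" "$SAMPLE_ADDR" 192.168.7.0/24           # ok
```

On a live host, pass it the output of `iptables -t nat -S POSTROUTING` and `ip -4 -o addr show dev eth0`. Because the internal address can change on a reinstall, `-o eth0 -j MASQUERADE` is the usual alternative to a fixed `--to-source`.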
