7

I have successfully set-up SoftEther on my AWS free tier machine, and put a small apache2 instance on there. I can access the webpage via VPN from windows, Mac & Linux.

BUT - when the VPN client is activated, ALL the traffic goes through the VPN. This is not what I intended, probably not secure, and will cost me (data throughput on AWS).

I have activated SecureNAT but I don't understand how to configure it. If I disable (basic)NAT then I can't access the web server.

The basic AWS machines has eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet 172.31.9.151 netmask 255.255.240.0 broadcast 172.31.15.255

and the SecureNat and SoftEther setup are unchanged.

I think the issue is that the DNS gateway (as below from secureNAT) allows access not only to the webserver, but also EVERYTHING else on the web.

[SEE SecureNat standard settings][1] [1]: https://i.stack.imgur.com/hgcj5.png

However if I remove this, then I don't have the knowledge to add in the extra routing to JUST allow access to the webserver.

The solution has to be on the server side, not the client (as clients could alter their setup, and it will be hard to get them to use anything other than just an ovpn link anyway). However the SecureNat dialog does have client routing rules it can push (- which I haven't been able to set correctly.

Any anyone shed any light on this?

Dave M
  • 4,494
  • 21
  • 30
  • 30
Andyj12
  • 149
  • 1
  • 5

1 Answers1

5

I THINK i have this now - so for anyone else reading...

The SoftEther VPN seems to act by default like a privacy VPN for streaming your internet from somewhere else (it of course can do far more than this), so it's a bit promiscuous and once activated will pull in any additional browsing... (and all I want it to do is connect securely to my webserver at e.g. 172.31.9.151 on the AWS internal address.)

To get around this, you need to:

(If you've been struggling with this you might need to reactivate Nat in the vpncmd tool: NatActivate)

  1. Activate NAT

(in the gui VPN Server Manager, "Virtual Nat and Virtual DHCP Server" window)

  1. Activate SecureNAT

  2. delete the Default Gateway address (e.g. by standard is 192.168.30.1)

  3. manually add it back to the Static routing table in that window as:

172.31.9.0/255.255.255.0/192.168.30.1

And it appears to be working, have tried both linux and windows clients, they can go to the 172... address, but if i go elsewhere (e.g. wtfismyip.com) then it's still using my normal connection (not putting traffic through the VPN).

Andyj12
  • 149
  • 1
  • 5
  • upvote, been searching how this works for days, thank you. it was tremendously helpful in allowing softether docker vpn onto the rest of my lan or atleast, my synology as a start! – petrosmm Feb 18 '22 at 23:37