2

I've correctly installed and configured Softether on my Ubuntu 14 x64 VPS in local bridge mode with a virtual TAP interface.

What I have now is a fully functioning L2TP/IPSEC server with two network interfaces which I'd like to further secure using ufw.

Having scoured the internet I hacked together a solution as per below that does work, but I'm not sure how secure/correct it is and was hoping someone here could guide me in the right direction.

Starting with my (shortened) ifconfig:

eth0      Link encap:Ethernet  HWaddr XX  
          inet addr:XXX.XXX.XXX.XXX  Bcast:XXX.XXX.XXX.255  Mask:255.255.255.0
          inet6 addr: XX Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1

tap_soft  Link encap:Ethernet  HWaddr XX  
          inet addr:192.168.7.1  Bcast:192.168.7.255  Mask:255.255.255.0
          inet6 addr: XX Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

1 - In /etc/ufw/before.rules I've inserted a POSTROUTING rule before the *filter line:

# Rules for NAT Table of iptables
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from Softether through eth0.
-A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
# tell ufw to process the lines
COMMIT


2 - In /etc/default/ufw I've enabled forwarding and set DEFAULT_FORWARD_POLICY="ACCEPT"

3 - Appended net.ipv4.ip_forward = 1 to /etc/sysctl.conf - and reloaded sysctl of course.

4 - Because I'm running in Local Bridge mode, tap_soft requires a DHCP server.
So my dnsmasq.conf file looks like this:

interface=tap_soft
dhcp-range=tap_soft,192.168.7.50,192.168.7.60,12h
dhcp-option=tap_soft,3,192.168.7.1

5 - ufw verbose status:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)

To                         Action      From
--                         ------      ----
67 on tap_soft             ALLOW IN    Anywhere
53 on tap_soft             ALLOW IN    Anywhere
1701                       ALLOW IN    Anywhere
4500/udp                   ALLOW IN    Anywhere
500/udp                    ALLOW IN    Anywhere

The steps above mean I have a fully functioning VPN server with a firewall - but is my firewall configuration still secure/correct/recommended?

The only other way I found to get it working correctly is to
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source MYPUBLICIPADDRESS and only open ports 67 and 53 in ufw.
Not being well versed in iptables, I'm not 100% sure what this does or why it works.

Touff
  • 183
  • 1
  • 3
  • 14

1 Answers1

3

Creating an L2 Bridge with SoftEther into a TAP interface like this is essentially a SecureNAT configuration. SoftEther can do what you want without dnsmasq or ufw.

Revert the current configuration and try this instead:

  1. Create a new virtual hub named snat.
  2. Click the Manage Virtual Hub button.
  3. Click Virtual NAT and Virtual DHCP.
  4. Click SecureNAT Configuration.
  5. Enable: Use Virtual NAT Function
  6. Enable: Use Virtual DHCP Functions
  7. Set: IP Address = 192.168.7.1
  8. Set: Subnet Mask = 255.255.255.0
  9. Set: Distributes IP Address 192.168.7.50 to 192.168.7.60
  10. Set: Subnet Mask = 255.255.255.0
  11. Set: Default Gateway Address = 192.168.7.1
  12. Set the DNS server addresses to whatever is currently in the /etc/resolv.conf file.
  13. Click OK.
  14. Click Enable SecureNAT.
  15. Click Exit.
  16. Click Exit again.

Step 5 and step 6 enable features in SoftEther that do the same thing as dnsmasq except that SoftEther does not implement a DNS forwarder. Remember to create user accounts in the new hub. Ignore all warnings about virtual machine environments.

The non-obvious thing about SoftEther is that the 192.168.7.1 gateway address is not bound to the server and is not accessible from the server. If you want the server to communicate with VPN clients, then do this too:

  1. Click the Local Bridge Setting button.
  2. Choose snat in the Virtual Hub pulldown menu.
  3. Choose Bridge with New Tap Device.
  4. Set New Tap Device Name = snat
  5. Click Create Local Bridge.
  6. Click Exit.

Now put this stanza in the /etc/network/interfaces file:

allow-hotplug tap_snat
iface tap_snat inet static
address 192.168.7.2
netmask 255.255.255.0

Note how interfaces created by SoftEther always have a tap_ prefix in the host environment. After a reboot, the tap_snat interface will come online when SoftEther is started.

Remember that SoftEther does not use Linux kernel facilities for NAT and that the host must not attach the SoftEther gateway address to any of its interfaces. Using .2 here is not a typo.

The default SoftEther security policy permits VPN clients to use a static IP address outside of the DHCP range, so UFW can do port forwarding (with IP forwarding disabled) like this:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 1234 -j DNAT --to 192.168.7.3:1234
COMMIT

The super-neat thing about doing it this way is that SoftEther will bridge broadcast traffic such that things like mDNS and uPNP work properly and the server will appear as MyServer.local in the Explorer panel of client computers that are connecting with a compatible VPN client.

Darik Horn
  • 186
  • 2
  • Darik, thanks for the write up I am familiar with how to setup a SecureNat environment. The problem with that according to SoftEther themselves is that LocalBridge mode is much faster and lighter on the system - this was explained briefly by Lincoln Lee here http://blog.lincoln.hk/blog/2013/03/19/softether-on-vps/ . In my own testing from various locations Local Bridge is nearly always up to 50% faster. My question was primarily questioning wether or not I've configured my firewall in a recommended manner. Thank you though! – Touff Sep 05 '14 at 20:50