Today’s Question is From Tom:
Could you share a post or details on how you configured your SoftEther VPN in order to reach the internal network from the outside, on Verizon? I’m in the same predicament, which an unlimited 4G connection, but am unable to reach files due to Verizon’s 4G NAT firewall. If you have some time, after the holidays, would you be so kind as to publish a write-up? Right now I am connecting to a Private Internet Access VPN on my local machine in order to increase download speeds.
Hi, Tom. I setup a SoftEther VPN server on my LAN under a VMware VM, but you can also run SoftEther on your desktop or on pretty much any server. Here’s how mine is setup in ESXi 5.5.
Enable Promiscuous Mode on the VMware vSwitch that’s connected to the network that you will VPN into (most likely you only have one vSwitch in VMware) by going to Configuration, Networking, vSwitch Properties, choose vSwitch, Edit, Security tab, and change Promiscuous Mode to Accept.
Create a VM for SoftEther, you can use just about any OS, however SoftEther says it works best with Linux and recommends a RHEL compatible OS. I’ve built it on Ubuntu 14.04 and not had any issues, but for this post I’ll show how to do it with CentOS 7. Here’s my VM settings…
Pretty standard CentOS 7 install, choose infrastructure server and development tools. And of course don’t forget to configure and enable networking before hitting begin installation… I always seem to miss that.
# yum upgrade
Disable SE Linux by setting SELINUX=disabled in /etc/selinux/config and then reboot or
# echo 0 > /selinux/enforce
Disable the firewall…
# service firewalld disable # systemctl disable firewalld
Follow the SoftEther Install on Linux and Initial Configurations document. By the end of that document you should have a running SoftEther service but it still won’t be configured.
Download the SoftEther Server Manager for Windows and connect to your VM… the first time you connect you’ll be prompted to set an Administrator password.
And you’ll be presented with a Setup Wizard…
SoftEther can do DDNS if you like so you can pick a sub-domain….
You can optionally choose to enable IPSEC / L2TP but it’s not needed if you’ll be using the SoftEther client.
You can also enable SoftEther’s free VPN Azure service. This is a nice backup if you can’t connect directly using NAT traversal.
Then create a user and set the local bridge to the network adapter on the network that you want to be able to access.
Now on the client…
You can connect to example.softether.net resolves to your Verizon Wireless external IPv4 IP address… By default SoftEther continually sends out UDP packets to traverse the NAT, so when a client attempts to connect it follows the packets back through.
Sometimes this UDP hole punching technique doesn’t work for NAT traversal, I seem to have noticed issues if the VPN client is also behind a NAT or some restricted network like at a hotel. That’s what the VPNAzure address is for. SoftEther maintains a reverse tunnel by connecting to vpnazure so you can access your network using example.vpnazure.net which will relay your connection back to your VPN server. I don’t think it matters what port you connect on, I usually use port 5555 but sometimes networks block those ports in which case I’ll use 443.
A couple of other settings you may be interested in… under Advanced Settings I usually check “Use Data Compression” to speed things up a bit. And if all you’re using your VPN for is to access resources on your network, and not tunnel all your internet traffic you can check the “No Adjustments of Routing Table” which prevents your internet connection from being routed through your VPN.
Hope that helps.
10 thoughts on “VPN into LAN behind Verizon Wireless NAT using SoftEther”
Hi, Ben! Long time since I have swung by your neck of the internet woods. I am still chugging along on my 4g VZW internet setup that your post inspired. I found myself hitting a wall, however, whenever I wanted to access my home server from outside my LAN. I have since looked all over the internet for a possible solution. The closest I ever got was “might be possible through a VPN”… And then today, it hit me. Why don’t I check on my good buddy Ben!
So I am pleased to see that you have cracked this nut. I am trying to dig into what you have done here, but I’m not sure I totally get it. I am utilizing an Ubuntu media server that is running on my network 24/7. Do I still need a VM setup, or can I just run that SoftEther directly on my server? I see that the program is not designed for Debian based distro’s, yet you say you managed to get it to work. Are there any deviations I must take from the provided setup instructions in order to be successful?
Hope you’re doing well. Once again, thanks so much for taking the time to put this stuff up on your site. It really is the only place I seem to find what I’m looking for.
Hi, Eddie! You should be able to run SoftEther on your server, it doesn’t need to be on a VM. And yes, I had no trouble installing it on Ubuntu. I still have an Ubuntu install that’s working great. Here’s some instructions for compiling it on Ubuntu. https://www.digitalocean.com/community/tutorials/how-to-setup-a-multi-protocol-vpn-server-using-softether after you get it compiled and running switch over to my instructions to finish setting it up.
Glad the site has helped you! That’s why I post, and I enjoy it when others blog about their solutions as well.
One other solution I employ that you might be interested in is using a $5/month VPS to hold an SSH tunnel open back to your server and forward ports through that tunnel. See: https://b3n.org/port-forwarding-verizon-wireless-nat/ I actually use this method to host a minecraft server from my house.
Okay, so I got myself a VPS and followed your instructions to create a SSH tunnel with limited success. I’ve got the SSH key working so I can login from root on my home server to root on the VPS without needing a password.
I can actually get autossh to work by manually entering the command in terminal. The problem arises when I try to automate the process. I just can’t get the cron job to execute properly. I have set the permission to 755, as per your instruction. I’m trying to research how to diagnose this but it is exceeding my knowledge base. Any ideas?
Can you check your local machine’s root mail account to see if you have any messages from cron relating to the failure to run autossh?
“no mail for root”
Also, when executing a “grep CRON /var/log/syslog”, I get zero results.
Hi Ben, I set up the VPN with softether on a Win machine connected with 1 ethernet cable to the router of the LAN I want to remotely access. On the client side I’m using SoftEther software running on Win7. I’m using AzureVPN since the server is behind NAT (since the modem is a usb dongle).
I can establish the connection and ping the IP devices that are in my Remote LAN and internet traffic is also going through the VPN.
The issue is that if I put in my local browser the IP address of the device I want to connect with (and that is in the remote LAN) I can’t reach it.
For Example: the address 192.168.1.102 is given to the client. The VPN Server local address is 192.168.1.101 and I can ping but not connect with 192.168.1.1-50
I have no idea to solve the problem..do you have any advice?
Hi, Fabio. Since you can ping but can’t connect to the first two thing I’d check is to make sure a firewall isn’t blocking you–you may just want to disable the firewall on the VPN server and on the machine you’re trying to connect to in order to troubleshoot. Also, you may want to make sure the network you’re connecting from is on a different subnet as the one you’re connecting to… for example if you’re passing through a 192.168.1/24 on both sides that may cause a problem. I usually have my home network on 10.x.x/24 to avoid that problem. Not sure if that’s the problem but it’s hard to know.
Hi Ben, thanks a lot. Disabling the firewall worked!!!!!! Now, I still have both the local and a the remote LAN on the same ip ranges…do you suggest me to change them? What kind of problem can I get?
Also, right now I’m using Softether NAT-T vpn that is able to pass the NAT imposed by my ISP (I’m using a usb dongle) and it’s running on a PC there. Is there a chance I can implement the thing directly on a router? (I don’t have bandwidth in any case so i don’t care if it’s slower) I heard about the Mikrotik option and maybe something associated with dd-wrt but I’m not sure..
Thanks again for the huge help!
Would you mind going over the setup for VPN over DNS & ICMP on the server side? I know you can enable them under ‘Encryption and Network Settings’, but do you need to port forward 53 (DNS) to the DNS server? What if the DNS server is in a corporate environment and you can’t get the network admins to approve this change? And assuming the port forwarding is setup, how do you force the VPN client to connect over DNS/ICMP?
I’ve tried disabling all TCP & UDP ports under Windows Firewall and I can still ping OK (which means ICMP is working OK). According to the documentation, VPN over DNS/ICMP relies on NAT-T, so I’ve left the ‘Disable NAT-T’ box unticked and tried to connect. Wouldn’t go through. If I enable TCP & UDP Windows Firewall rules and try again, works OK. Seems like VPN over ICMP doesn’t work as designed.
Then I’ve tried the same thing but left port 53 enabled for TCP & UDP. I can ping e.g. google.com but all other ports are blocked. Tried connecting to VPN server, fails.
Aside from that, a few things I think you should clarify/update in your post are:
– SoftEther’s proprietary SSL-VPN (HTTPS VPN) tunnels on HTTPS to pass through NATS and firewalls. This is pretty much what is ‘advertised’ on their website or documentation. However, this is true only if you enable NAT-T (nat traversal). The problem with NAT-T is degraded performance and you’ll actually get a message popup once you’re connected via NAT-T.
– To maximize the SSL-VPN protocol (i.e better throughput and speed compared to OpenVPN as documented on their website), you will want to disable NAT-T traversal on the client side (tick ‘Disable NAT-T) and make sure port 443 is forwarded on the router to the VPN server (assuming you’re also connecting on 443 on the client side too). However, this may not be possible when the VPN server is a VM or PC in a corporate environment, where you can’t simply get port forwarding approved unless you’re a network admin.
– VPN Azure is a relay/middleman and data/traffic routes through there, so the performance may be degraded as well.
– With NAT-T, you can specify any port on the client side. The port does not have to match any port that is listened by the VPN server. In fact, if you stop/delete all ports on the VPN server, NAT-T will still work. I don’t quite understand why that is though. I guess the important thing to note here is that on the client side (assuming you’re in a corporate network and trying to connect to your home network for example), it’s likely that ports like 5555 are blocked on the corporate firewall, but 443 isn’t. So in that case, you’d want to connect on port 443 on the client side and it wouldn’t matter if the VPN server is listening on that port or not.