Solved Firewall vs Softether VPN

Hello everyone,

I'm having little problem with my setup of FreeBSD and Softether VPN. I want to be able to make connection with my VPN Server while firewall_type="closed".
I thought I had to add these rules:
Code:
add allow udp from any to any 67 setup keep-state
add allow udp from any to any 68 setup keep-state
add allow tcp from any to any 443 setup keep-state
When those rules are added then VPN client tries to make connection and is requesting an IP but it a second it is saying that VPN server is offline.


I hope there is someone who can help me with my issue, I am new in FreeBSD world and whole "firewall'ing".
Sorry for my English
 
Ports 67 and 68 are for DHCP, you don't want to allow this everywhere. Probably not needed as I assume your server has a static IP address. IP address assignment with a VPN client is typically not done with DHCP, so you don't need it for that either.

I want to be able to make connection with my VPN Server while firewall_type="closed".
That's not going to work. Closed means closed.
closed: entirely disables IP traffic except for the loopback interface.

I suggest you use workstation or client.


I also suggest reading /etc/rc.firewall
Code:
############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - will allow anyone in
#   client      - will try to protect just this machine
#   simple      - will try to protect a whole network
#   closed      - totally disables IP services except via lo0 interface
#   workstation - will try to protect just this machine using stateful
#     firewalling. See below for rc.conf variables used
#   UNKNOWN     - disables the loading of firewall rules.
#   filename    - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.
 
Ports 67 and 68 are for DHCP, you don't want to allow this everywhere. Probably not needed as I assume your server has a static IP address. IP address assignment with a VPN client is typically not done with DHCP, so you don't need it for that either.


That's not going to work. Closed means closed.


I suggest you use workstation or client.


I also suggest reading /etc/rc.firewall
Code:
############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - will allow anyone in
#   client      - will try to protect just this machine
#   simple      - will try to protect a whole network
#   closed      - totally disables IP services except via lo0 interface
#   workstation - will try to protect just this machine using stateful
#     firewalling. See below for rc.conf variables used
#   UNKNOWN     - disables the loading of firewall rules.
#   filename    - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

Firstly thanks for your answer.


Im using Softether with DHCP function, this is why I thought I had to allow ports 67, 68. Could you tell me how to manage that my VPN client can make connection with VPN server on port 443 and also gets an IP from the VPN server?
If I allow tcp connections on port 443, what other rules do I need.
 
How is Softether set up? Which protocols are you using? VPN is just a generic name for a technique, you can set up a VPN will all sorts of different protocols, each will have their own way of working.
 
It is LAN to LAN. I'm using it to access workstations which are in the office through VPN and then RDP.
 
1606381560692.png
Normally it should get an IP within seconds.
 
Still doesn't tell me which protocols are being used. L2TP? PPTP? IPSec?
 
Ok, that gives us a better idea of your situation. I understand you're trying to connect two LANs but it's still somewhat unclear what you're trying to accomplish. To prevent this from turning into an XY problem, tell us exactly what you're trying to do instead of asking about a specific problem with a firewall configuration. I have a feeling you're taking the wrong route.
 
Sorry, I'm a newbie. So I want a VPN server on FreeBSD host. Softether is installed and running, and if firewall type is open I'm able to make connection and all the stuff works excellent. I am thinking that using type="open" isn't really secure so I want to make a change to type="workstation/ client". With the default rules of this two types I'm not able to access VPN server through VPN client. I want to configure firewall to pass VPN connections. As I said, the client requests an IP but then it losses connection.
 
So I want a VPN server on FreeBSD host.
On which side of the two LANs? It's also important to know which side initiates the connection because incoming connections are treated differently from outgoing. Is there any particular reason you need to use L2TP? If you just want to be able to connect from LAN1 to machines in LAN2 or vice versa then you don't need a layer 2 connection. A layer 3 (IP) connection usually suffices and will work with proper routing set up. Things can get a little hairy when both LAN1 and LAN2 use the same IP ranges though. So you may need to do revise your IP number plan, and change IP ranges on one of the LANs.

I am thinking that using type="open" isn't really secure so I want to make a change to type="workstation/ client".
Worry about firewall settings later. You need to first figure out what it is you're trying to do. What is your end goal?
 
So the server has 3 ethernet connections.
1st is 192.168.1.0 - for the internet
2nd is 192.168.7.0 - The LAN I want to access
3nd is 10.0.0.0 - The Management (ESXi, iLO4)

I followed basic Softehter tutorials which were saying to enable L2TP.
 
Well, the good news is that you have different IP ranges there, that makes things a lot easier. To access ESXi or iLO you don't need layer 2, IP connectivity is all that's needed. That's probably also the case for everything else connected to that server.

This server is on LAN2? And you have a client machine on LAN1? How is your client machine connected to LAN1? Do you need to connect your client on LAN1 to the attached networks on that server (which is on LAN2)? How is LAN1 connected, is it completely separate and the only way to get to LAN2 is over the internet? Or are LAN1 and LAN2 already connected in some way? Is it just one machine (your client machine) that needs to access it?

I would suggest using net/openvpn, it's fairly easy to set up and will provide the necessary IP connectivity without the need for complicated things like L2TP and/or DHCP. In order to connect two LANs over the internet I would normally use IPSec (security/strongswan) but that's quite an undertaking if you've never set that up. I've also used OpenVPN for quick-and-dirty connections because it's a lot simpler to set up and often suffices for the intended purpose.
 
LAN 1 is to access vpn server from outside the network. LAN 1 and 2 are separate networks. Sometimes it is needed to access Workstations in LAN 2 from the LAN3 (while you're in the office) but also from outside the network (while you're at home).
 
LAN 1 is to access vpn server from outside the network. LAN 1 and 2 are separate networks.
This is all the same LAN. You just have multiple subnets within that LAN. It sounds like you're confusing the term LAN with subnets/broadcast domains.

Sometimes it is needed to access Workstations in LAN 2 from the LAN3 (while you're in the office)
This is a routing issue, you don't need a VPN to solve that.

but also from outside the network (while you're at home).
This is the only case that would necessitate a VPN. Here's where you are actually trying to access one LAN (office network) from another (home network).

This is what I meant with "end goal". Setting up a VPN is not the goal, it is a way to achieve a goal. The end goal is to be able to work from home.
 
Hi, I use softether too, you have enabled the default port (5555) enabled on your firewall?
No, I don't. Why would I do that? I use port 443.

This is all the same LAN. You just have multiple subnets within that LAN. It sounds like you're confusing the term LAN with subnets/broadcast domains.


This is a routing issue, you don't need a VPN to solve that.


This is the only case that would necessitate a VPN. Here's where you are actually trying to access one LAN (office network) from another (home network).

This is what I meant with "end goal". Setting up a VPN is not the goal, it is a way to achieve a goal. The end goal is to be able to work from home.
Okay, I understand now. Those are the same LAN but other subnets. But further, how do I configure firewall to achieve my goal which is Working from home?
 
But further, how do I configure firewall to achieve my goal which is Working from home?
I'm not too familiar with Softether but is there anything other than L2TP you can use? You really don't need a layer 2 connection here (and therefor no DHCP either). The tunnel end points can have IP addresses from an entirely different range. Maybe use a range from 172.16.0.0/12 because that isn't used anywhere else on your networks. Then just have it provide the gateway for the 10.0.0.0/8 (/24?) and 192.168.7.0/24 networks. That way, when the VPN is active from a home connection and you need to connect to a host in 192.168.7.0/24 routing will send it through the VPN tunnel. Basic TCP/IP routing will do the rest.
 
Don't give up so easily. It's really not that difficult. It's not shameful to admit you started out wrong and need to start over. It is a shame if you would just give up after a setback. You're still learning, you're going to make mistakes. Nothing wrong with that.
 
Don't give up so easily. It's really not that difficult. It's not shameful to admit you started out wrong and need to start over. It is a shame if you would just give up after a setback. You're still learning, you're going to make mistakes. Nothing wrong with that.
I meant I'm giving up for today. Tomorrow is also a day.
 
I have no idea how to manage this. I give up. Thanks for support
give a try to this :

Code:
softether-4.34.9745_3          SoftEther VPN 4 (RTM version)
softether5-5.01.9674_3,1       SoftEther VPN 5 (Developer Edition)

maybe is more easy to you to configure
 
I meant I'm giving up for today. Tomorrow is also a day.
That I can definitely understand. Your previous comment sounded rather ominous (I've seen people give up quite easily before). But yes, sometimes you just have to let things sink in a bit. I regularly do this when I'm "stuck". Just take a break, do something else, take your mind off the problem. Then you can look at it again with a fresh perspective.
 
give a try to this :

Code:
softether-4.34.9745_3          SoftEther VPN 4 (RTM version)
softether5-5.01.9674_3,1       SoftEther VPN 5 (Developer Edition)

maybe is more easy to you to configure
As I said, the problem isn't the Softether, but the firewall and its config.
 
Back
Top