UPDATE (February 2019): Although all the instructions on this page will still work, I have found that using a Raspberry Pi for the VPN server is usually a better option. Instructions on how to use a Pi have been added below under VPN Server on Raspberry Pi.
The following steps are to set up SoftEther VPN running on a Linksys EA6700 with an AdvancedTomato GUI.
Table of Contents
- Router Details
- Configuration
- Flash AdvancedTomato
- Install SoftEther
- Setup VPN Server
- Connect VPN Router to Host Router
- Setup VPN Client
- Optional Configurations
- Additional Resources
Router Details
Linksys EA6700 - Amazon
- Wireless AC
- CPU: 2x 800MHz
- RAM: 256MB
- Flash: 128MB
Configuration
Flash AdvancedTomato
- Download the necessary files - https://drive.google.com/drive/folders/15Rf7KnH-kBqjTqcJ4eX0DXuKj7EYjRYS
- Disconnect or disable internet connection(s) on computer
- Set a static IP for the ethernet connection on the computer
- IP address = 192.168.1.100
- Subnet mask = 255.255.255.0
- Default gateway = 192.168.1.1
- Run tftp.exe and fill in fields:
- Server = 192.168.1.1
- Password = admin
- File = FW_EA6700_1.1.40.166281_prod.img
- Connect computer to router’s Ethernet 1 port
- Open a PowerShell/Terminal window
- Plug in router power
- Wait until the TTL from the ping command is 100
- Click Upgrade (if there is an error, try again)
- Click OK
- Click Close
- Wait until the TTL from the ping command is 64
- Navigate browser to 192.168.1.1
- Select both checkboxes and click Next
- Click Login
- Default password = admin
- Click Sign In
- Click Troubleshooting
- Click Diagnostics
- Click Restore previous firmware
- Click Yes
- After the router restarts, sign in again
- Click Connectivity
- Click Choose File and select linksys-ea6700-webflash.bin
- Click Start
- Click Yes
- Click Ok
- Wait until the TTL from the ping command is 64
- Navigate browser to 192.168.1.1
- All three fields = admin
- Click Change Password
- Services > Secure Shell > Enable
- Click Apply Settings
- Navigate browser to http://192.168.1.1/backup/cfe.bin and save the file in case of necessary recovery
- Run cfe_edit.exe and open cfe.bin
- Click on Advanced Mode and edit the values for the specific router
- et0macaddr = MAC address from the bottom of the router
- 0:macaddr = MAC address + 2
- 1:macaddr = MAC address + 4
- secret_code = WPS code on the bottom of the router below the MAC address (no hyphen)
- Save the file
- Open a PowerShell/Terminal window on computer
- Unplug the router, hold the blue WPS button, plug in the router, and release the button when the Linksys logo starts flashing quickly
- Repeat the last step, but press the reset button immediately after releasing the WPS button, and hold it until the TTL from the ping command is 100
- Navigate browser to 192.168.1.1
- Click Restore default NVRAM values.
- Click Continue
- Click Choose File and select tomato-EA6700-AT-ARM-3.5-140-AIO-64K.trx
- Click Upload
- Wait until the TTL from the ping command is 64
- Click Continue
- Administration > Configuration > Restore Default Configuration > Erase all data in NVRAM memory (thorough) > OK > OK
- Wait until the TTL from the ping command is 64
- Navigate browser to 192.168.1.1
- Administration > Admin Access > Authorization Settings
- Enter a unique password
- Click Save
- Connect ISP connection to Internet port
- Set the ethernet connection on the computer to obtain an IP address automatically
ping -t 192.168.1.1
cd <the downloaded directory>
scp .\cfe.bin root@192.168.1.1:~
ssh root@192.168.1.1 "mtd -f write cfe.bin /dev/mtd0"
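The three MAC values edited in cfe.bin follow from the label MAC by hexadecimal addition, which is easy to get wrong when the last octet overflows. The script below is an added example, not part of the original post; it assumes "MAC address + 2" means adding to the MAC as one 48-bit number, and the MAC and WPS code in the demo call are constructed.

```shell
#!/bin/sh
# Added example: derive the cfe.bin values described in the steps above.
# Assumption: "+ 2" / "+ 4" add to the MAC as a single 48-bit number, so an
# overflow in the last octet carries into the next one.

# mac_add MAC OFFSET -> MAC+OFFSET as upper-case, colon-separated hex
mac_add() {
    # Accept AA:BB:CC:DD:EE:FF or AA-BB-CC-DD-EE-FF; drop the separators
    hex=$(printf '%s' "$1" | sed 's/[-:]//g' | tr 'a-f' 'A-F')
    case "$hex" in
        ''|*[!0-9A-F]*) echo "invalid MAC: $1" >&2; return 1 ;;
    esac
    if [ "${#hex}" -ne 12 ]; then
        echo "MAC must have 12 hex digits: $1" >&2
        return 1
    fi
    # Add, then mask to 48 bits so FF:FF:FF:FF:FF:FF wraps instead of growing
    sum=$(( (0x$hex + $2) & 0xFFFFFFFFFFFF ))
    printf '%012X\n' "$sum" | sed 's/../&:/g; s/:$//'
}

# cfe_values LABEL_MAC WPS_CODE -> the four fields edited in cfe_edit.exe
cfe_values() {
    base=$(mac_add "$1" 0) || return 1
    printf 'et0macaddr=%s\n' "$base"
    printf '0:macaddr=%s\n' "$(mac_add "$1" 2)"
    printf '1:macaddr=%s\n' "$(mac_add "$1" 4)"
    # secret_code is the WPS code without the hyphen
    printf 'secret_code=%s\n' "$(printf '%s' "$2" | sed 's/-//g')"
}

# Constructed sample values (not from a real device)
cfe_values "00:11:22:aa:bb:fe" "1234-5678"
```

Compare the printed values with what is typed into cfe_edit.exe before writing cfe.bin to /dev/mtd0.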
Install SoftEther
- Login to router
- Administration > JFFS
- JFFS Partition > Enable > Enable
- JFFS Partition > Format / Erase…
- Click Ok
- Click Save
- Open a PowerShell/Terminal window on computer
cd <the downloaded directory>
ssh root@192.168.1.1 "mkdir -p /jffs/etc/softether"
scp .\<vpnserver or vpnbridge> .\hamcore.se2 root@192.168.1.1:/jffs/etc/softether
ssh root@192.168.1.1 "chmod 700 /jffs/etc/softether/*"
Setup VPN Server
- Administration > Scripts
- Init =
- Firewall =
- WAN Up =
- Click Save
- Basic Settings > Network
- WAN Settings > DNS Server = Manual
- WAN Settings > DNS 1 = 8.8.8.8
- WAN Settings > DNS 2 = 1.1.1.1
- LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
- LAN > br0 > IP Range = 192.168.###.101-199 (### to match the IP Address)
- Click OK
- Wireless (2.4 GHz / eth1) > Enable Wireless > Disable
- Wireless (5 GHz / eth2) > Enable Wireless > Disable
- Click Save
- Reboot router
- Download SoftEther VPN Server Manager - http://www.softether-download.com
- Run SoftEther VPN Server Manager
- Click New Setting
- Host Name = Router IP
- Click OK
- Click Connect
- Enter a new password
- Click Remote Access VPN Server
- Click Next
- Click Yes
- Click OK
- Enter a unique Dynamic DNS Hostname
- Click Exit
- Click Enable L2TP Server Function (L2TP over IPSec)
- Click OK
- Click Disable VPN Azure
- Click OK
- Click Create Users
- Create a user for the client router
- User Name = EA6700
- Auth Type = Individual Certificate Authentication
- Click Create Certificate
- Click OK
- Click OK
- Save the file
- Click OK
- Click OK
- Create as many users as wanted with User Name, Full Name, and Password
- Click Exit
- Click Close
- Click Local Bridge Setting
- Click the Virtual Hub from the dropdown
- Click Bridge with New Tap Device
- New Tap Device Name = soft
- Click Create Local Bridge
- Click OK
- Click Exit
- Click Exit
- Click Exit SoftEther VPN Server Manager
# Init
modprobe tun
openvpn --mktun --dev tap_soft

# Firewall
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 992 -j ACCEPT
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 5555 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# WAN Up
brctl addif br0 tap_soft
/jffs/etc/softether/vpnserver start
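A check for the bridge membership that the WAN Up script sets up (`brctl addif br0 tap_soft`), as an added example that is not part of the original post: it parses `brctl show` output and reports which bridge the tap device belongs to. The sample output is constructed, and the interface names other than br0 and tap_soft are assumptions.

```shell
#!/bin/sh
# Added example: confirm the tap device created in Init was joined to br0 by WAN Up.

# bridge_of IFACE BRCTL_TEXT -> name of the bridge IFACE is a member of (empty if none)
bridge_of() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        NR == 1 && $1 == "bridge" { next }       # header row
        /^[^ \t]/ { cur = $1; member = $4 }      # bridge row: name, id, STP, first member
        /^[ \t]/  { member = $1 }                # continuation row: one more member
        member == ifc { print cur; exit }'
}

# bridge_has_if BRIDGE IFACE BRCTL_TEXT -> exit status 0 if IFACE is in BRIDGE
bridge_has_if() {
    [ "$(bridge_of "$2" "$3")" = "$1" ]
}

# check_vpn_bridge BRCTL_TEXT -> one-line verdict for the server setup on this page
check_vpn_bridge() {
    owner=$(bridge_of tap_soft "$1")
    if [ "$owner" = "br0" ]; then
        echo "ok: tap_soft is bridged to br0"
    elif [ -n "$owner" ]; then
        echo "wrong bridge: tap_soft is in $owner, VPN clients will land on that network"
    else
        echo "not bridged: tap_soft is in no bridge, VPN clients get no DHCP lease from the LAN"
    fi
}

# Constructed `brctl show` output: tap_soft joined to br0
SAMPLE_GOOD='bridge name     bridge id               STP enabled     interfaces
br0             8000.001122aabbfe       no              vlan1
                                                        eth1
                                                        tap_soft
br1             8000.001122aabbff       no              wl0.1'

# Constructed output for the case where WAN Up never ran
SAMPLE_UNBRIDGED='bridge name     bridge id               STP enabled     interfaces
br0             8000.001122aabbfe       no              vlan1
                                                        eth1'

check_vpn_bridge "$SAMPLE_GOOD"
check_vpn_bridge "$SAMPLE_UNBRIDGED"
```

On the router itself, pass the live state with `check_vpn_bridge "$(brctl show)"`.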
Connect VPN Router to Host Router
- Connect Internet port on VPN router to Ethernet port on host router
- Connect computer to host router
- Login to host router
- Set reserved IP for VPN router in DHCP settings
- Forward following ports to VPN router
- TCP: 443, 992, 1194, 5555
- UDP: 500, 1194, 1701, 4500
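One way to check the server side of this step, as an added example that is not from the original post: the script compares listening sockets with the TCP and UDP ports listed above and reports forwarded ports that have no listener, as well as listeners the guide does not forward. It assumes a server where `ss` is available (such as the Raspberry Pi setup), and the `ss` output in the demo is constructed.

```shell
#!/bin/sh
# Added example: compare listening sockets on the VPN server with the
# ports this guide forwards from the host router.
REQUIRED_TCP="443 992 1194 5555"
REQUIRED_UDP="500 1194 1701 4500"

# listening_ports PROTO SS_TEXT -> space-separated, sorted port numbers
listening_ports() {
    printf '%s\n' "$2" | awk -v proto="$1" '
        # ss columns: Netid State Recv-Q Send-Q Local:Port Peer:Port
        $1 == proto && (proto == "udp" || $2 == "LISTEN") {
            n = split($5, part, ":")     # port follows the last colon (IPv4 and [::])
            print part[n]
        }' | sort -n -u | xargs
}

# not_in LIST_A LIST_B -> items of LIST_A that are absent from LIST_B
not_in() {
    out=""
    for p in $1; do
        case " $2 " in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    echo "${out# }"
}

# missing_ports PROTO SS_TEXT -> forwarded ports with nothing listening
missing_ports() {
    if [ "$1" = tcp ]; then want=$REQUIRED_TCP; else want=$REQUIRED_UDP; fi
    not_in "$want" "$(listening_ports "$1" "$2")"
}

# extra_ports PROTO SS_TEXT -> listeners that are not in the forwarded list
extra_ports() {
    if [ "$1" = tcp ]; then want=$REQUIRED_TCP; else want=$REQUIRED_UDP; fi
    not_in "$(listening_ports "$1" "$2")" "$want"
}

# Constructed `ss -H -lntu` output; on the server use: SS_TEXT=$(ss -H -lntu)
SAMPLE_SS='udp UNCONN 0 0   0.0.0.0:68    0.0.0.0:*
udp UNCONN 0 0   0.0.0.0:500   0.0.0.0:*
udp UNCONN 0 0   0.0.0.0:1701  0.0.0.0:*
udp UNCONN 0 0   0.0.0.0:4500  0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:443   0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:992   0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:5555  0.0.0.0:*
tcp LISTEN 0 128    [::]:443      [::]:*'

for proto in tcp udp; do
    echo "$proto forwarded but not listening: $(missing_ports "$proto" "$SAMPLE_SS")"
    echo "$proto listening but not forwarded: $(extra_ports "$proto" "$SAMPLE_SS")"
done
```

A port in the first list explains a protocol that will not connect; a port in the second list is a service that bridged VPN clients can reach on the LAN even though it is not forwarded.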
Setup VPN Client
- Administration > Scripts
- WAN Up =
- Click Save
- Basic Settings > Network
- WAN Settings > DNS Server = Manual
- WAN Settings > DNS 1 = 8.8.8.8
- WAN Settings > DNS 2 = 1.1.1.1
- LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
- LAN > br0 > DHCP = Disabled
- OK
- Wireless (2.4 GHz / eth1) & Wireless (5 GHz / eth2)
- SSID = Any name
- Channel = Auto
- Security = WPA2 Personal
- Shared Key = Choose a password
- Click Save
- Reboot router
- Download SoftEther VPN Server Manager - http://www.softether-download.com
- Run SoftEther VPN Server Manager
- Click New Setting
- Host Name = Router IP
- OK
- Click Connect
- Enter a new password
- Click Next
- Click Yes
- Click Configure Connection Setting
- Setting Name = VPN
- Host Name = Dynamic DNS Hostname
- Virtual Hub Name = VPN
- Auth Type = Client Certificate Authentication
- User Name = EA6700
- Click Specify Client Certificate
- Select the file saved when creating the user
- Click OK
- Click Exit
- Click br0 under Set Local Bridge
- Click Close
- Click Exit
- Click Exit SoftEther VPN Server Manager
/jffs/etc/softether/vpnbridge start
Optional Configurations
Separate Local Network
- Basic Settings > Network > LAN
- Bridge = 1 (or any other unused available bridge)
- IP Address = 192.168.###.1 (### is a random number 2-255, different than existing bridges)
- Netmask = 255.255.255.0
- DHCP = Enabled
- IP Range = 192.168.###.101-199 (### to match the IP Address)
- Click Add
- Click Save
- Advanced Settings > Virtual Wireless > Virtual Wireless Interfaces
- Interface = wl0.1 (or any other unused available interface)
- Enabled = yes
- SSID = Name that will show up on devices
- Bridge = LAN1 (br1) (to match bridge that was just created)
- Click Add
- Security = WPA2 Personal
- Shared Key = new wireless password
- Click Save
- Repeat the above steps for wl1.1 interface with the exact same SSID and Shared Key
- Click Save
- Advanced Settings > VLAN > VLAN Setting
- VLAN = 11 (or any other unused available VLAN)
- VID = 11 (match VLAN)
- Port 1-4 = Yes (for the ports that should not use the VPN; must be unselected for other VLAN)
- Bridge = LAN1 (br1) (to match bridge that was just created)
- Click Add
- Click Save
Separate Guest Network
- Basic Settings > Network > LAN
- Bridge = 2 (or any other unused available bridge)
- IP Address = 192.168.###.1 (### is a random number 2-255, different than existing bridges)
- Netmask = 255.255.255.0
- DHCP = Enabled
- IP Range = 192.168.###.101-199 (### to match the IP Address)
- Click Add
- Click Save
- Advanced Settings > Virtual Wireless > Virtual Wireless Interfaces
- Interface = wl0.2 (or any other unused available interface)
- Enabled = yes
- SSID = Name that will show up on devices
- Bridge = LAN2 (br2) (to match bridge that was just created)
- Click Add
- Security = WPA2 Personal
- Shared Key = new wireless password
- Click Save
- Repeat the above steps for wl1.2 interface with the exact same SSID and Shared Key
- Click Save
- Advanced Settings > VLAN > VLAN Setting
- VLAN = 12 (or any other unused available VLAN)
- VID = 12 (match VLAN)
- Bridge = LAN2 (br2) (to match bridge that was just created)
- Click Add
- Click Save
VPN Server on Raspberry Pi
Using a Raspberry Pi as the VPN server hardware provides more benefits (e.g. better hardware for similar cost, remote access, smaller footprint, etc.), but it is slightly more technical than using a router. The below steps are meant to replace the steps above under Flash AdvancedTomato and Install SoftEther. These steps are designed for a headless setup (no display needed), and include TeamViewer for remote access. Although most Raspberry Pi models can be used, I recommend the Pi 4, as it includes a true gigabit ethernet port. Here is one possible kit that includes all the parts you would need to create a complete Raspberry Pi setup - CanaKit / Amazon
- Download and install NOOBS to the SD card (Some SD cards come pre-installed with NOOBS) - https://www.raspberrypi.org/downloads/noobs
- Edit the recovery.cmdline file and add silentinstall
- Add a file named ssh to the root of the SD card (the contents do not matter)
- Insert SD card into the Pi
- Connect an ethernet cable between the Pi and router
- Connect the power cable to the Pi
- The Pi will now take up to half an hour to install the operating system
- Get the IP of the Pi from router once it is available
- Open a PowerShell/Terminal window on computer
- Create /etc/init.d/vpnserver with the below content
- Set the VPN server to start automatically
- Continue from step 4 under Setup VPN Server above, but skip steps 27 and 28
sed -i '$s/$/ silentinstall/' recovery.cmdline
ssh pi@<IP of the Pi> #password = raspberry
sudo raspi-config nonint do_change_locale en_US.UTF-8
sudo raspi-config nonint do_change_timezone America/New_York
sudo raspi-config nonint do_configure_keyboard us
sudo raspi-config nonint do_wifi_country US
sudo raspi-config nonint do_resolution 2 82
sudo apt update -y
sudo apt full-upgrade -y
sudo apt autoremove -y
wget https://download.teamviewer.com/download/linux/teamviewer-host_armhf.deb
sudo apt install ./teamviewer-host_armhf.deb -y
sudo teamviewer setup
curl -s https://api.github.com/repos/SoftEtherVPN/SoftEtherVPN_Stable/releases/latest | grep "browser_download_url.*vpnserver.*linux-arm_eabi-32bit.tar.gz" | cut -d : -f 2,3 | tr -d \" | wget -O vpnserver.tar.gz -i -
tar zxvf vpnserver.tar.gz
cd vpnserver
make
sudo chmod 600 *
sudo chmod 700 vpncmd vpnserver
cd ..
sudo mv vpnserver /usr/local/

#!/bin/sh
### BEGIN INIT INFO
# Provides: vpnserver
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: SoftEther VPN Server
# Description: SoftEther VPN Server
### END INIT INFO
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
case "$1" in
start)
    $DAEMON start
    touch $LOCK
    ;;
stop)
    $DAEMON stop
    rm $LOCK
    ;;
restart)
    $DAEMON stop
    sleep 3
    $DAEMON start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0

sudo chmod 755 /etc/init.d/vpnserver
sudo /etc/init.d/vpnserver start
sudo update-rc.d vpnserver defaults
sudo reboot
I've always wanted to do this. Thank you!!!
Hi there,
Can you clarify the advantages of the raspberry pi in practical terms? Does it allow significantly better bandwidth than running the VPN client on the router? You say VPN server, but you mean VPN client, right?
I do in fact mean VPN server, not client. A Raspberry Pi will generally have a faster processor and more RAM than a router would at the same price point, which will improve VPN performance. Since none of the wireless capabilities are being used for the server side of the setup, those features of a router are useless anyway.
If you have an existing router that you are trying to use, then it will still work fine, but if you're buying new hardware for the VPN server anyway, a Raspberry Pi is the better option.
Wait, so is the idea that the solution on this page would be placing the router or raspberry pi in the United States, to take the place of a commercial VPN service? Or would you have this in your home abroad and it would still get Hulu, etc to work?
Correct, the "VPN server" on this page is meant to replace a commercial paid service by having your own VPN service in the U.S. running on the Pi. Only the client router would be in your home abroad, allowing you to connect to the Pi and stream U.S. content.
Hi M!
Thanks so much for posting this information. I think I successfully got the Pi server up and running, but I was wondering if you could give me some advice on the client piece. I currently have a LinkSys WRT3200ACM router flashed with DD-WRT. Tomato doesn't support this model. Do you think the same setup is possible using the equipment I already have, or do you think I should forget it and buy the EA6700?
Thanks so much for your help!
-Nate
You can definitely use your router. I haven't used DD-WRT in a bit, but these changes to the guide should work:
1) For Install SoftEther step 2, you can use these instructions to enable JFFS.
2) For Setup VPN Client step 1 you can use these instructions to enter the command for the firewall.
Everything else should pretty much be the same. Let me know if you have any issues. We can also message directly if you need more specific guidance.
Thanks again, M.
I think I got everything set up, but something was wrong with the link in your comment about the firewall command instructions, so I'm not sure if I did that part right.
Also, I don't know how to replicate this portion in DD-WRT because I don't see any options like this. Do you have any advice?
LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
LAN > br0 > DHCP = Disabled
One more question for you... My wife is going to bring the Pi with her when she goes back to the States for the summer. I would like to test everything before she leaves to see if I set it up properly. Is there a recommended way to do this? I was thinking of bringing the client router over to a friend's place and trying to connect to the Pi (currently in my house overseas) to see if the VPN connection works. Should this happen automatically if I did everything right?
Thanks again for your help with this!
-Nate
Sorry about that link, not sure what happened. It was supposed to be this: https://wiki.dd-wrt.com/wiki/index.php/Startup_Scripts
`LAN > br0 > IP Address` is going to be equivalent to `Basic Setup > Router IP > Local IP Address` and `LAN > br0 > DHCP` is the same as `Basic Setup > Network Address Server Settings (DHCP) > DHCP Server` in DD-WRT.
The easiest way to test the VPN server is to try and connect from a mobile device using cellular data. If it works, your public IP address should change from the cellular provider to the IP of your home internet connection. Also, if you set up TeamViewer on the Pi, then you can always make changes to the device remotely to fix any issues or modify the configuration. The client router will indeed automatically connect to the server if there are no issues.
Thanks for clearing that up. I think I got everything set up correctly, but I wanted to make sure I could connect to the server through the client, so I connected the Pi to the internet in my friend's house. Unfortunately, I can't get to the internet when I try to go through the client router in my house. One of my friends thinks restrictions on certain types of traffic in our host country might be preventing the connection. Do you think that's possible, or is it more likely that I made a mistake somewhere? I may try to message you directly if this isn't a simple fix/answer.
Thanks again for all your help, and happy 4th!
Did you follow the steps in Connect VPN Router to Host Router? If the client router doesn't connect to the server then you won't get any internet connection on your devices, since there is no DHCP to assign them an IP address. It's possible but unlikely that it's being blocked in the country, but there are ways around that as well. We can direct message if that still doesn't work for you.
I'm going to ask some friends and family about this. Is there any way you can estimate how much of their bandwidth we'll need and what speed they should have? We do a good amount of streaming in our household. I could offer to chip in to their internet bill, but then I'm back to a monthly fee.
It can really vary. Netflix recommends 5Mbps per HD stream. Streaming music is negligible. If you want accurate numbers, you can see if your existing router does bandwidth monitoring, and check the statistics there.
If you are having others test their speed, make sure they are looking at the upload speed, as that will be what affects the VPN the most. It's rare that they would be able to notice your usage at all. Also keep in mind any timezone difference. If you're overseas, your peak streaming may often be when they are asleep or at work.
Hi M
Thanks for this guide, I decided to give it a try. Unfortunately I'm stuck pretty early. I get an error message when installing the Linksys firmware file. This firmware file won't work on this router. I tried downloading again but it didn't work. Any ideas?
Thanks!
That sounds like something went wrong somewhere in steps 1-22. If the firmware isn't on version 166281, then it will fail to install the file since it's not from Linksys. Did you get any errors in those earlier steps?
1-22 went smoothly. I can try running tftp.exe again. Otherwise I'm not sure what it could be.
Thanks for your response.
Hi, I already connected through SoftEther L2TP VPN, but I cannot access Netflix and Hulu pages. Can you help me? When I try to access Netflix and Hulu I get this error: you are using anonymous proxy or VPN. How could I fix it?
First check and make sure the VPN is actually working for you. If you check your public IP address (you can search online for "what's my ip address"), it should be different between when you are connected to the VPN and when you're not. If it's different, then the question is where you have the VPN server running. Is it in a residential location?
Hi, thanks for your reply. Yes, I already checked this. I have a new IP address, but I still don't have access to Netflix or Hulu. Are you using SoftEther, and does it work?
Yes. Are you using a residential location for the server? If you set up SoftEther on a cloud server or somewhere with a commercial IP address where many people might be using the same IP, there's a good chance it will be blocked. A house will only have a few users at most, which shouldn't cause any errors.
Thank you. Yes, I'm using SoftEther with AWS EC2. I will try to install the SoftEther VPN server from a residential location. In this case, do I need to put the IP address that my ISP assigns me?
I would recommend using the Dynamic DNS that SoftEther provides for free. That way if your ISP changes your residential IP address, your VPN will still work. You can change the DDNS url from the SoftEther Server Manager.
Does the VPN give users access to the LAN where the VPN Server is installed? Or just access to the internet? I'm hosting the server for a friend and want to make sure I'm not exposing my LAN to anyone who gains access to the VPN.
The VPN creates a bridge to the LAN, so it does expose the other devices. If you don't want that then you can set up a separate subnet on the host router/modem.
Hi, I'm on HL and want to set this up at my daughter's apartment so we can finally ditch ExpressVPN. I want to make sure the Pi instructions (and the recommendation to use it) are still valid and up-to-date. Thanks in advance for doing this! I've worked with both Tomato and DD-WRT and know how tricky it is to hit all of the steps; super appreciated :)
It's been a few months since I last set one up, but it still worked well at that time. I see no reason it shouldn't still be accurate. I'm happy to help if you run into any issues though.
Thank you! I’ll look to order the equipment in the next few days and reach back out with results.
Well, I managed to get the equipment, prep the SD card and install the initial steps. I'm stuck on a couple of things:
1) sudo teamviewer setup -- ran this line and it sent me to a login, requesting email/username & password. I entered an email and a generic username/password and it timed out, over and over again. No idea why.
2) Step 10: Create /etc/init.d/vpnserver with the below content --- I don't understand how to do this. I cd down to init.d and tried to use cat > to create vpnserver and permissions were denied. I don't remember how to use chmod to display the permissions that are set and when I looked for info, I got confused. Regardless, seems like this was the wrong move anyway, so I thought I'd ask, instead.
Thanks in advance!
1) That is only a login prompt. You need to already have a TeamViewer account. You can sign up for free on https://www.teamviewer.com/. TeamViewer is only to access the Pi remotely, so you could also use another remote access option, but I have found TV to be quite good.
2) There are a few ways to do it, but I personally use `sudo nano /etc/init.d/vpnserver`, and then copy-paste the code from here.
Thank you for the prompt response! I’ll give it a shot today
Hi M,
I'm a bit late to the party on this, but I'm planning to follow your guide to set up this system. Since it's been 3 years, would you still recommend the same hardware? I have the router I got from StrongVPN (Netgear Nighthawk X6 R8000), and I'd love to just repurpose that and only buy one new router to be the server along with the Raspberry Pi 4 kit. Have you seen any issues with mixing and matching routers, or other things to consider with the hardware?
Bill
Hi Bill,
I still recommend the same hardware. You don't need a router and Raspberry Pi for the server, just the Raspberry Pi. Right now they are running a bit more expensive than usual because of the global chip shortage, but it's still the best option.
You should be able to use your Netgear router by uploading an OpenVPN certificate generated by the SoftEther VPN server software. That's not really included in this blog post, so feel free to reach out if you want help with that.
Hi M!
Got another question for you. I passed my Raspberry Pi setup to a friend who's living overseas, and it was working great until about a week ago. For some reason the client router got reset to the factory settings, so I just walked the new owner through all of the steps to flash, install SoftEther, and configure the settings on the router. However, I'm not seeing any logins to the Pi server when I check the logs. Is there anything you can think of that we should double check? I figured that all of the configurations and the certificate I generated in the SoftEther program would still be the same, but do we need to redo anything on that side of things? I don't fully understand how the authentication part of this works, so maybe I messed up something in there.
Thanks so much for your help.
-Nate
Resetting the client router shouldn't require you to reflash. Once you have a different firmware installed, it should survive a factory reset.
What would get wiped out is all of the software configuration and JFFS partition, so you will need to reinstall SoftEther and repeat all of the steps under Setup VPN Client. The certificate would still be the same, but you need to install it on the client again.
Okay, great. I think we have everything installed and configured. Now, the guy I'm helping is unable to connect to the client router in SoftEther when he is on step 7 of the Setup VPN Client section. Any ideas for troubleshooting or obvious mistakes we might be making?
I would make sure that the IP being used to connect to the router is correct. Being connected via ethernet is preferable. Also, make sure the SoftEther service is actually running. By default it only starts when the router detects an internet connection as it is starting up. So you can either reboot the router or run the command manually.
Hi again, M.
I recently discovered that the real issue behind this problem was that the person in the U.S. who had the Pi running moved and got a new home router. They never set up port forwarding on the new router. I reconfigured everything, and I can see that the client router is successfully authenticating and establishing sessions with the SoftEther server on the Pi, but I can't seem to get to the internet when I go through the client router. Also, when I connect directly from a device to the VPN server on the Pi, my IP is not changing. I feel like this must be related to the port forwarding, but I don't know how to check. Do you have any ideas or suggestions for troubleshooting?
Thanks so much for all your help!
Hey again, M,
Still trying to resolve this issue, so I tried to connect to the VPN using my phone on cellular data. It didn't work, even though nothing has changed on the Pi, and it was previously working for several years (until the person in the U.S. moved). The SoftEther logs say this:
- Trying to request an IP address from the DHCP server.
- Acquiring an IP address from the DHCP server failed. To accept a PPP session, you need to have a DHCP server. Make sure that a DHCP server is working normally in the Ethernet segment which the Virtual Hub belongs to. If you do not have a DHCP server, you can use the Virtual DHCP function of the SecureNAT on the Virtual Hub instead.
- The VPN Client sent a packet though an IP address of the VPN Client hasn't been determined.
- A PPP protocol error occurred, or the PPP session has been disconnected.
That made me think that something is still wrong in the home network where the Pi is running. We double checked the port forwarding and everything seems good to go, so I started to suspect that there might be another device doing DHCP in his network. Sure enough, I found out that there is a separate cable modem running behind the home router. So the home network consists of an Archer A7 router that is connected to the internet through an EU2251 modem provided by the ISP.
Do you think I should advise the person running the Pi at his house to contact the ISP and ask them to set the modem to bridge mode or something? I'm not sure what else to try at this point, and he doesn't know how to configure the EU2251 at all.
Thanks so much for all your time!
From what I can find about that modem, I don't think it has any firewall built-in, so it should be passing all traffic to the Archer router. Since it's strictly a modem and not a modem/router combo, there shouldn't be any DHCP running on it either.
As for troubleshooting your problem, I would check the following in order:
- Are you able to access the SoftEther server remotely using the SoftEther Server Manager? If not, make sure that SoftEther is running on the Pi.
- Are you using the public IP of the Pi directly, or are you using a DDNS, such as the one built into SoftEther (e.g. ***.softether.net)? If you're using the DDNS, try the IP, and make sure the DDNS is properly mapped to the public IP.
- In the SoftEther server, is the local bridge to br0 properly set? If not, that would explain why a VPN client would not be assigned an IP by the Archer's DHCP.
- On the Archer router, does the Pi have a static IP reserved, and does the IP on the Pi actually match? If the Pi is using an older dynamic IP and has not renewed to get the static IP, they could be different.
- For the forwarded ports on the Archer, have you double checked that the type (TCP/UDP) is correct in addition to the port numbers?
- What VPN protocol are you trying to use to test the VPN? I've found L2TP to be the most problematic, but OpenVPN or SoftEther to be more reliable.
- If SoftEther connects but OpenVPN doesn't, you can try using the 5555 port with OpenVPN, even though the default is 1194.
These should pinpoint the issue to be solved, but if not, let me know the results and hopefully that gives me some other ideas on what to check.
Finally! Success! The problem was the bridge. I looked at another server I set up for someone a couple of years ago and realized that the bridge setting in the server was different. For some reason, on these steps:
26. Click Bridge with New Tap Device
27. New Tap Device Name = soft
...it only works if I choose "Bridge with Physical Existing Network Adapter," and then select "eth0."
It has been a while since I messed with this, so I guess I forgot about that modification. I'm not sure why this worked, but I'm just happy it did.
Thank you again for being so generous with your time. I can't tell you how much my family, and now friends/colleagues, have benefited from your work.