Ubuntu – Softether vpn ufw firewall config – is it correct

Tags: l2tp, tap, ubuntu, ufw, vpn

I've correctly installed and configured Softether on my Ubuntu 14 x64 VPS in local bridge mode with a virtual TAP interface.

What I have now is a fully functioning L2TP/IPSEC server with two network interfaces which I'd like to further secure using ufw.

Having scoured the internet I hacked together a solution as per below that does work, but I'm not sure how secure/correct it is and was hoping someone here could guide me in the right direction.

Starting with my (shortened) ifconfig:

eth0      Link encap:Ethernet  HWaddr XX  
          inet addr:XXX.XXX.XXX.XXX  Bcast:XXX.XXX.XXX.255  Mask:255.255.255.0
          inet6 addr: XX Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1

tap_soft  Link encap:Ethernet  HWaddr XX  
          inet addr:192.168.7.1  Bcast:192.168.7.255  Mask:255.255.255.0
          inet6 addr: XX Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

1 – In /etc/ufw/before.rules I've inserted a POSTROUTING rule before the *filter line:

# Rules for NAT Table of iptables
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from Softether through eth0.
-A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
# tell ufw to process the lines
COMMIT

2 – In /etc/default/ufw I've enabled forwarding and set DEFAULT_FORWARD_POLICY="ACCEPT"

3 – Appended net.ipv4.ip_forward = 1 to /etc/sysctl.conf – and reloaded sysctl of course.

4 – Because I'm running in Local Bridge mode, tap_soft requires a DHCP server.

So my dnsmasq.conf file looks like this:

interface=tap_soft
dhcp-range=tap_soft,192.168.7.50,192.168.7.60,12h
dhcp-option=tap_soft,3,192.168.7.1

5 – ufw verbose status:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)

To                         Action      From
--                         ------      ----
67 on tap_soft             ALLOW IN    Anywhere
53 on tap_soft             ALLOW IN    Anywhere
1701                       ALLOW IN    Anywhere
4500/udp                   ALLOW IN    Anywhere
500/udp                    ALLOW IN    Anywhere

The steps above mean I have a fully functioning VPN server with a firewall – but is my firewall configuration still secure/correct/recommended?

The only other way I found to get it working correctly is to run

iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source MYPUBLICIPADDRESS

and only open ports 67 and 53 in ufw. Not being well versed in iptables, I'm not 100% sure what this does or why it works.
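An added check, written for this page and not part of the original question, that reads the kind of `ufw status verbose` listing shown above and answers the "is it secure" question mechanically: which ALLOW IN rules are reachable from any source on every interface (not scoped with `on <iface>` and not in the list of ports an L2TP/IPsec endpoint has to expose), which ports are confined to the tap interface, and what the default policy for routed traffic is. The sample listing is constructed from the rule set in the question, and the expected-public-port list (IKE 500/udp and NAT-T 4500/udp) is an assumption. Port 1701 is the rule that stands out: it is accepted from anywhere on every interface, so plain L2TP is reachable outside the IPsec tunnel; ufw's rule syntax has no equivalent of the iptables `-m policy --pol ipsec` match, so confining 1701 to IPsec-protected traffic means a raw rule in /etc/ufw/before.rules rather than a `ufw allow` line.

```shell
#!/bin/sh
# Added example: audit a "ufw status verbose" listing for a VPN host.
# The sample below is constructed from the rule set in the question; it is
# not captured output from a real system.
UFW_SAMPLE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)

To                         Action      From
--                         ------      ----
67 on tap_soft             ALLOW IN    Anywhere
53 on tap_soft             ALLOW IN    Anywhere
1701                       ALLOW IN    Anywhere
4500/udp                   ALLOW IN    Anywhere
500/udp                    ALLOW IN    Anywhere'

# Ports an L2TP/IPsec endpoint has to expose on its public side (assumption:
# IKE and NAT-T only; L2TP itself is expected to arrive inside IPsec).
EXPECTED_PUBLIC="500/udp 4500/udp"

# audit_public_allows LISTING EXPECTED
# Prints, one per line, every ALLOW IN rule that is not scoped to an
# interface ("on <iface>") and is not in EXPECTED: these ports answer from
# any source on every interface, the public one included.
audit_public_allows() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        /ALLOW IN/ {
            # Rule line layout: <port>[/proto] [on <iface>] ALLOW IN <from>
            if ($2 == "on") next            # interface-scoped: not public
            if (!($1 in ok)) print $1
        }'
}

# iface_scoped_ports LISTING IFACE
# Prints the ports whose ALLOW IN rules are bound to IFACE, space separated.
iface_scoped_ports() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /ALLOW IN/ && $2 == "on" && $3 == want { out = out (out ? " " : "") $1 }
        END { print out }'
}

# routed_default LISTING
# Prints the default policy for forwarded (routed) traffic. "allow" means
# everything arriving on the tap interface is forwarded unless a route rule
# says otherwise.
routed_default() {
    printf '%s\n' "$1" | awk '
        /^Default:/ { for (i = 2; i <= NF; i++) if ($i == "(routed)") print $(i - 1) }'
}

# Stand-alone run: summarise the constructed sample.
echo "Unscoped ports open to Anywhere that are not expected on the public side:"
audit_public_allows "$UFW_SAMPLE" "$EXPECTED_PUBLIC"
echo "Ports scoped to tap_soft: $(iface_scoped_ports "$UFW_SAMPLE" tap_soft)"
echo "Routed default policy: $(routed_default "$UFW_SAMPLE")"
```

On a live host the same functions run over real output with `audit_public_allows "$(sudo ufw status verbose)" "$EXPECTED_PUBLIC"`; an empty result means nothing beyond the expected VPN ports is reachable from anywhere, and a `routed` default of `allow` is worth revisiting once the VPN works, since scoped `ufw route allow in on tap_soft out on eth0` rules say the same thing without forwarding between every other interface pair.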

Best Answer

Creating an L2 Bridge with SoftEther into a TAP interface like this is essentially a SecureNAT configuration. SoftEther can do what you want without dnsmasq or ufw.

Revert the current configuration and try this instead:

  1. Create a new virtual hub named snat.
  2. Click the Manage Virtual Hub button.
  3. Click Virtual NAT and Virtual DHCP.
  4. Click SecureNAT Configuration.
  5. Enable: Use Virtual NAT Function
  6. Enable: Use Virtual DHCP Functions
  7. Set: IP Address = 192.168.7.1
  8. Set: Subnet Mask = 255.255.255.0
  9. Set: Distributes IP Address 192.168.7.50 to 192.168.7.60
  10. Set: Subnet Mask = 255.255.255.0
  11. Set: Default Gateway Address = 192.168.7.1
  12. Set the DNS server addresses to whatever is currently in the /etc/resolv.conf file.
  13. Click OK.
  14. Click Enable SecureNAT.
  15. Click Exit.
  16. Click Exit again.

Step 5 and step 6 enable features in SoftEther that do the same thing as dnsmasq except that SoftEther does not implement a DNS forwarder. Remember to create user accounts in the new hub. Ignore all warnings about virtual machine environments.

The non-obvious thing about SoftEther is that the 192.168.7.1 gateway address is not bound to the server and is not accessible from the server. If you want the server to communicate with VPN clients, then do this too:

  1. Click the Local Bridge Setting button.
  2. Choose snat in the Virtual Hub pulldown menu.
  3. Choose Bridge with New Tap Device.
  4. Set New Tap Device Name = snat
  5. Click Create Local Bridge.
  6. Click Exit.

Now put this stanza in the /etc/network/interfaces file:

allow-hotplug tap_snat
iface tap_snat inet static
address 192.168.7.2
netmask 255.255.255.0

Note how interfaces created by SoftEther always have a tap_ prefix in the host environment. After a reboot, the tap_snat interface will come online when SoftEther is started.

Remember that SoftEther does not use Linux kernel facilities for NAT and that the host must not attach the SoftEther gateway address to any of its interfaces. Using .2 here is not a typo.

The default SoftEther security policy permits VPN clients to use a static IP address outside of the DHCP range, so UFW can do port forwarding (with IP forwarding disabled) like this:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 1234 -j DNAT --to 192.168.7.3:1234
COMMIT

The super-neat thing about doing it this way is that SoftEther will bridge broadcast traffic such that things like mDNS and uPNP work properly and the server will appear as MyServer.local in the Explorer panel of client computers that are connecting with a compatible VPN client.
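An added check for the host side of the layout this answer describes; it is written for this page and is not part of the answer or of SoftEther. The answer's non-obvious point is that the SecureNAT gateway address (192.168.7.1) must not be attached to any host interface, while the host reaches the hub through its own tap_ interface at another address in the same subnet. The function below parses `ip -o -4 addr show` output and reports exactly that: it fails if the gateway is bound anywhere on the host, and passes only when a tap_ interface holds an address in the gateway's /24. The listings are constructed (the public address is a documentation-range value), and the /24 assumption follows the masks used in the answer.

```shell
#!/bin/sh
# Added example: verify the host side of the SecureNAT layout from the answer.
# Both listings are constructed to mimic "ip -o -4 addr show"; they are not
# captured from a real host.
ADDR_SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
5: tap_snat    inet 192.168.7.2/24 brd 192.168.7.255 scope global tap_snat\       valid_lft forever preferred_lft forever'

# The mistake the answer warns about: the gateway address put on the host tap.
BAD_SAMPLE='5: tap_snat    inet 192.168.7.1/24 brd 192.168.7.255 scope global tap_snat\       valid_lft forever preferred_lft forever'

# The SecureNAT virtual gateway from the answer (assumed value).
SNAT_GATEWAY=192.168.7.1

# iface_holding LISTING ADDR
# Prints the interface that has ADDR configured, or nothing.
iface_holding() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        $3 == "inet" { split($4, a, "/"); if (a[1] == addr) print $2 }'
}

# tap_ifaces LISTING
# Prints the SoftEther-created interfaces (tap_ prefix), space separated.
tap_ifaces() {
    printf '%s\n' "$1" | awk '
        $3 == "inet" && $2 ~ /^tap_/ { out = out (out ? " " : "") $2 }
        END { print out }'
}

# same_slash24 A B: true when both addresses share their first three octets.
same_slash24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# check_securenat_host LISTING GATEWAY
# Prints "ok" when GATEWAY is bound to no host interface and at least one
# tap_ interface holds an address in GATEWAY's /24; otherwise prints why.
check_securenat_host() {
    holder=$(iface_holding "$1" "$2")
    if [ -n "$holder" ]; then
        echo "gateway $2 is bound to $holder; the host must not own the SecureNAT gateway"
        return 1
    fi
    for ifc in $(tap_ifaces "$1"); do
        ifaddr=$(printf '%s\n' "$1" | awk -v want="$ifc" \
            '$2 == want && $3 == "inet" { split($4, a, "/"); print a[1]; exit }')
        if same_slash24 "$ifaddr" "$2"; then
            echo ok
            return 0
        fi
    done
    echo "no tap_ interface holds an address in the $2 subnet"
    return 1
}

# Stand-alone run: the correct layout, then the mistaken one.
check_securenat_host "$ADDR_SAMPLE" "$SNAT_GATEWAY"
check_securenat_host "$BAD_SAMPLE" "$SNAT_GATEWAY" || true
```

On a real host, `check_securenat_host "$(ip -o -4 addr show)" 192.168.7.1` after SoftEther has brought the bridge up gives the same verdict; the bad listing reproduces the symptom the answer is warning against, where the host and the virtual NAT both claim .1.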