Naïve Networking

The following note outlines how to set up a VPN so that lab members can connect to the computation servers from anywhere on the campus network.

1) Requirements

  • Goal: Allow remote VPN clients to access lab servers on a different subnet.
  • VPN software: SoftEther VPN Server (L2-bridge mode) + SoftEther VPN Client.
  • Network device: Layer-3 switch that supports SVIs and inter-VLAN routing.

2) Addressing & VLANs

  • VLAN 2 (“VPN clients”): 10.10.2.0/24
    • SVI on L3 switch: 10.10.2.1/24 (default gateway for VPN clients)
    • SoftEther-bridge NIC on VPN server: 10.10.2.10/24
    • SoftEther DHCP scope: 10.10.2.100-10.10.2.200 (example)
  • VLAN 3 (“Lab servers”): 10.10.3.0/24
    • SVI on L3 switch: 10.10.3.1/24 (default gateway for lab servers)
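Before typing the plan above into the switch and SoftEther, it is worth checking it mechanically. The following is an added example (it is not part of the original note and not SoftEther or Cisco tooling); the `PLAN` dictionary is constructed from section 2, and the function reports the mistakes that most often break a two-VLAN setup: a gateway or DHCP scope outside its subnet, a fixed address (SVI or bridge NIC) that DHCP would also hand out, and SVI subnets that overlap, which an L3 switch cannot route between.

```python
# Added example (not from the original note): validate the VLAN/DHCP addressing
# plan from section 2 before configuring the switch and the SoftEther DHCP scope.
import ipaddress

# Constructed from the plan in section 2; the dictionary layout is this example's own.
PLAN = {
    "vlan2": {
        "subnet": "10.10.2.0/24",
        "gateway": "10.10.2.1",         # SVI on the L3 switch
        "reserved": ["10.10.2.10"],     # SoftEther bridge NIC (static)
        "dhcp_range": ("10.10.2.100", "10.10.2.200"),
    },
    "vlan3": {
        "subnet": "10.10.3.0/24",
        "gateway": "10.10.3.1",
        "reserved": [],
        "dhcp_range": None,             # lab servers are static or use another DHCP
    },
}


def check_plan(plan):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    nets = {}
    for name, v in plan.items():
        # strict=False so a typo like 10.10.2.0/16 is normalised (to 10.10.0.0/16)
        # and then caught by the overlap check below instead of raising here.
        net = ipaddress.ip_network(v["subnet"], strict=False)
        nets[name] = net
        gw = ipaddress.ip_address(v["gateway"])
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is outside {net}")
        fixed_hosts = [gw]
        for r in v["reserved"]:
            host = ipaddress.ip_address(r)
            fixed_hosts.append(host)
            if host not in net:
                problems.append(f"{name}: reserved host {host} is outside {net}")
        rng = v["dhcp_range"]
        if rng:
            lo, hi = (ipaddress.ip_address(a) for a in rng)
            if lo > hi:
                problems.append(f"{name}: DHCP range start {lo} is above end {hi}")
            if lo not in net or hi not in net:
                problems.append(f"{name}: DHCP range {lo}-{hi} is not inside {net}")
            # The SVI and the bridge NIC must never be leased to a VPN client.
            for host in fixed_hosts:
                if lo <= host <= hi:
                    problems.append(f"{name}: fixed address {host} lies inside DHCP range {lo}-{hi}")
    # The switch can only route between SVIs whose subnets are disjoint.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    for p in check_plan(PLAN) or ["plan is consistent"]:
        print(p)
```

Run it once with the plan as written and again after editing a prefix length or the DHCP range; the overlap check is the one that matters most, because two SVIs in the same /16 would leave the switch with nothing to route.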

Public Internet ↔ [X.Y.Z.W] ↔ SoftEther VPN Server (VLAN 2, 10.10.2.0/24) ↔ L3 Switch ↔ Lab Servers (VLAN 3, 10.10.3.0/24)

3) VPN Server Configuration

  • Bind your SoftEther L2-Bridge to the physical interface (e.g. eth0).
  • Assign eth0 a static IP in VLAN 2:

# ip addr add 10.10.2.10/24 dev eth0
# ip link set eth0 up

  • In SoftEther Server Manager:
    • Create a Virtual Hub.
    • Disable “SecureNAT”.
    • Under “Local Bridge Settings,” bridge that Virtual Hub to eth0.
    • (Optional) Run dnsmasq as the DHCP server instead of SoftEther's built-in one; it supports pushing routes to clients.

4) L3 Switch Configuration (in Cisco)

Global:
enable
configure terminal
! turn on inter-VLAN routing
ip routing

Create the two SVIs:
interface Vlan2
description VPN Clients VLAN
! gateway for VLAN 2
ip address 10.10.2.1 255.255.255.0
no shutdown

interface Vlan3
description Lab Servers VLAN
! gateway for VLAN 3
ip address 10.10.3.1 255.255.255.0
no shutdown

Configure the port to the VPN server:
interface GigabitEthernet0/1
description Link to SoftEther VPN Server (eth0)
switchport mode access
! place in VLAN 2
switchport access vlan 2
! if supported and desired
spanning-tree portfast

(If your VPN server NIC is trunking multiple VLANs, use switchport mode trunk + switchport trunk allowed vlan 2 instead.)

5) Client & Server Default Gateways

  • VPN client: get an IP from 10.10.2.0/24, gateway = 10.10.2.1
  • Lab server: static or DHCP IP in 10.10.3.0/24, gateway = 10.10.3.1

6) Verification & Notes

  • MTU: L2 bridging itself adds negligible overhead; verify by transferring some large files through the VPN and checking for stalls or fragmentation.

Why use both a VPN server and an L3 switch?

By offloading user authentication and tunnel setup to the VPN server, and letting the Layer 3 switch forward packets directly to the destination servers, we achieve a more robust, secure, and low-latency connection framework.

Below is a step-by-step walkthrough of this SoftEther VPN + L3-switch setup, showing exactly how packets travel and why almost all forwarding happens in hardware, yielding very low latency and high throughput.

Topology & Addressing

  • Internet-facing VPN Server at X.Y.Z.W
  • SoftEther VPN Bridge bound into VLAN 2 (10.10.2.0/24), serving DHCP from a scope inside 10.10.2.0/24
  • L3 Switch with:
    • SVI Vlan2 = 10.10.2.1/24 (gateway for VPN clients)
    • SVI Vlan3 = 10.10.3.1/24 (gateway for campus servers)
    • Gi0/1 access port in VLAN 2 → uplink to VPN Bridge NIC
  • Campus servers on VLAN 3 (10.10.3.0/24)

Client→Server Forward Path

  • VPN Tunnel Establishment
    • Client (any public IP) opens an SSL-VPN session to X.Y.Z.W.
    • SoftEther terminates the tunnel, treats the client as if it were a “virtual NIC” on VLAN 2.
    • DHCP assigns the client an address, e.g. 10.10.2.100/24, with gateway 10.10.2.1.
  • Sending Data to a Campus Server (e.g. 10.10.3.5)
    • On the client, the application issues an IP packet:
    • Src=10.10.2.100 → Dst=10.10.3.5
      • SoftEther Client library encrypts and encapsulates it over the SSL-VPN tunnel.
      • VPN Server decapsulates in kernel space, restores the original Ethernet frame, and bridges it out its physical NIC in VLAN 2.
  • Hardware-based Routing on the L3 Switch
    • Gi0/1 receives the frame in VLAN 2 (untagged, since it is an access port; on a trunk it would arrive 802.1Q-tagged and the tag would be stripped) and hands the packet to its ASIC’s routing engine.
    • The switch performs a hardware IP route lookup:
      • 10.10.3.5 ∈ 10.10.3.0/24 → next-hop = SVI Vlan3 (10.10.3.1)
    • The ASIC re-encapsulates into an Ethernet frame on VLAN 3 and forwards directly out toward the server port.

Server→Client Return Path

  • Campus Server Reply
    • Server (10.10.3.5) replies: Src=10.10.3.5 → Dst=10.10.2.100
    • Packet is sent to its default-gateway 10.10.3.1 (the switch).
  • Hardware Routing on the L3 Switch
    • ASIC receives the packet on VLAN 3, routes it to VLAN 2 (SVI 10.10.2.1), and forwards it out Gi0/1 in VLAN 2 (untagged on the access port).
  • Re-encapsulation & Delivery to Client
    • VPN Bridge NIC picks up the Ethernet frame, bridges it into SoftEther’s virtual switch.
    • SoftEther adds VPN encryption, sends it back over the public SSL-VPN tunnel to the client.
    • Client decrypts, delivers the native IP packet to the application.
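The two paths above both come down to one operation on the switch: a longest-prefix lookup of the destination against the connected routes that the SVIs create. The following added example (not part of the original note, and not how a Cisco ASIC is implemented) models that decision for the page's own addresses, so the forward and return paths can be traced in software. The `Svi`, `forward` and `trace` names are this example's own; the SVI list is constructed from section 4, including the fact that the page's switch config has no default route, so anything outside the two VLANs has nowhere to go.

```python
# Added example (not from the original note): a minimal model of the L3 switch's
# route lookup for the client->server and server->client paths described above.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Svi:
    vlan: int
    address: str  # exactly as typed on the switch, e.g. "10.10.2.1/24"

    @property
    def iface(self):
        return ipaddress.ip_interface(self.address)


# Constructed from the section-4 switch config. No default route is configured
# there either, so this table contains only the two connected routes.
SVIS = [Svi(2, "10.10.2.1/24"), Svi(3, "10.10.3.1/24")]


def connected_routes(svis):
    """Each SVI contributes one 'connected' route: its subnet -> that SVI."""
    return {s.iface.network: s for s in svis}


def forward(svis, dst, in_vlan):
    """Decide what the switch does with an IP packet to dst that arrived on in_vlan.

    Returns one of:
      ("bridge", vlan)  destination is on the ingress VLAN: switched at L2, no routing
      ("route", vlan)   longest-prefix match hit an SVI on another VLAN: routed there
      ("drop", None)    no matching route (the page's config has no default route)
    """
    dst_ip = ipaddress.ip_address(dst)
    matches = [(net, svi) for net, svi in connected_routes(svis).items() if dst_ip in net]
    if not matches:
        return ("drop", None)
    # Longest-prefix match, the same rule the hardware lookup applies.
    _, svi = max(matches, key=lambda m: m[0].prefixlen)
    if svi.vlan == in_vlan:
        return ("bridge", in_vlan)
    return ("route", svi.vlan)


def trace(svis, client, server, client_vlan=2, server_vlan=3):
    """Forward path (client -> server) and return path (server -> client)."""
    return forward(svis, server, client_vlan), forward(svis, client, server_vlan)


if __name__ == "__main__":
    fwd, ret = trace(SVIS, "10.10.2.100", "10.10.3.5")
    print("client->server:", fwd)   # ('route', 3)
    print("server->client:", ret)   # ('route', 2)
    print("client->Internet:", forward(SVIS, "8.8.8.8", 2))  # ('drop', None)
```

The last line of the usage block is the caveat worth knowing before deployment: with only the two SVIs configured, a VPN client's traffic to anything outside VLAN 2 and VLAN 3 is dropped by the switch, which is exactly the reach the note intends for lab members.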

Why This Is Ultra-Efficient

  • SoftEther Server does only two things in software: SSL-VPN crypto and L2 bridging.
  • No IP routing or NAT happens on the server; it does only frame encapsulation/decapsulation.
  • All inter-VLAN routing is off-loaded to the switch ASICs, doing millions of PPS at wire speed.
  • The only software “hops” are the crypto operations at tunnel endpoints; the switch paths never touch a CPU.
  • Result: minimal context switches, minimal CPU forwarding overhead, maximal throughput and very low latency.

With this setup:

  • SoftEther handles the L2 “tap” into VLAN 2, so VPN clients appear exactly like on-campus PCs.
  • The L3 switch routes between VLAN 2 and VLAN 3 in hardware, giving you maximum throughput.

Security Considerations

Since this VPN is used exclusively by lab members on the campus network, there are no significant external threats. AES-GCM is the recommended cipher; if maximum performance is your goal, you may even select “none”.

Device:

Cisco Business CBS350-24T-4G

