The following note outlines how to set up a VPN so that lab members can connect to the computation servers from anywhere on the campus network.<\/p>\n\n\n\n
1) Requirements<\/p>\n\n\n\n
2) Addressing & VLANs<\/p>\n\n\n\n
Public Internet \u2194 [X.Y.Z.W] \u2194 SoftEther VPN Server (VLAN 2, 10.10.2.0\/24) \u2194 L3 Switch \u2194 Lab Servers (VLAN 3, 10.10.3.0\/24)<\/p>\n\n\n\n
3) VPN Server Configuration<\/p>\n\n\n\n
# ip addr add 10.10.2.10\/24 dev eth0\n# ip link set eth0 up\n<\/code><\/pre><\/p>\n\n\n\n\n- In SoftEther Server Manager:\n
\n- Create a Virtual Hub.<\/li>\n\n\n\n
- Disable \u201cSecureNAT\u201d.<\/li>\n\n\n\n
- Under \u201cLocal Bridge Settings,\u201d bridge that Virtual Hub to eth0.<\/li>\n\n\n\n
- (Optional) DNSMASQ, it supports pushing routes.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
4) L3 Switch Configuration (in Cisco)<\/p>\n\n\n\n
Global:
enable
configure terminal
ip routing !\u2013 turn on inter-VLAN routing<\/p>\n\n\n\n
Create the two SVIs:
interface Vlan2
description \u201cVPN Clients VLAN\u201d
ip address 10.10.2.1 255.255.255.0 !\u2013 gateway for VLAN 2
no shutdown<\/p>\n\n\n\n
interface Vlan3
description \u201cLab Servers VLAN\u201d
ip address 10.10.3.1 255.255.255.0 !\u2013 gateway for VLAN 3
no shutdown<\/p>\n\n\n\n
Configure the port to the VPN server:
interface GigabitEthernet0\/1
description \u201cLink to SoftEther VPN Server (eth0)\u201d
switchport mode access
switchport access vlan 2 !\u2013 place in VLAN 2
spanning-tree portfast !\u2013 if supported and desired<\/p>\n\n\n\n
(If your VPN server NIC is trunking multiple VLANs, use switchport mode trunk + switchport trunk allowed vlan 2 instead.)<\/p>\n\n\n\n
5) Client & Server Default Gateways<\/p>\n\n\n\n
\n- VPN client: get an IP from 10.10.2.0\/24, gateway = 10.10.2.1<\/li>\n\n\n\n
- Lab server: static or DHCP IP in 10.10.3.0\/24, gateway = 10.10.3.1<\/li>\n<\/ul>\n\n\n\n
6) Verification & Notes<\/p>\n\n\n\n
\n- MTU: L2 bridging adds negligible overhead, try sending some big files to make further testings.<\/li>\n<\/ul>\n\n\n\n
Why use both a VPN server and an L3 switch?<\/strong><\/p>\n\n\n\nBy offloading user authentication and tunnel setup to the VPN server, and letting the Layer 3 switch forward packets directly to the destination servers, we achieve a more robust, secure, and low-latency connection framework.<\/p>\n\n\n\n
Below is an example of step-by-step walkthrough of this SoftEther VPN + L3-switch setup, showing exactly how packets travel and why almost all forwarding happens in hardware-yielding very low latency and high throughput.<\/p>\n\n\n\n
Topology & Addressing<\/strong><\/p>\n\n\n\n\n- Internet-facing VPN Server at X.Y.Z.W<\/li>\n\n\n\n
- SoftEther VPN Bridge bound into VLAN 2 (10.10.2.0\/16), DHCP-serving 10.10.2.0\/24<\/li>\n\n\n\n
- L3 Switch with:\n
\n- SVI Vlan2 = 10.10.2.1\/16 (gateway for VPN clients)<\/li>\n\n\n\n
- SVI Vlan3 = 10.10.3.1\/16 (gateway for campus servers)<\/li>\n\n\n\n
- Gi0\/1 access port in VLAN 2 \u2192 uplink to VPN Bridge NIC<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Campus servers on VLAN 3 (10.10.3.0\/16)<\/li>\n<\/ul>\n\n\n\n
Client\u2192Server Forward Path<\/strong><\/p>\n\n\n\n\n- VPN Tunnel Establishment\n
\n- Client (any public IP) opens an SSL-VPN session to X.Y.Z.W.<\/li>\n\n\n\n
- SoftEther terminates the tunnel, treats the client as if it were a \u201cvirtual NIC\u201d on VLAN 2.<\/li>\n\n\n\n
- DHCP assigns the client an address, e.g. 10.10.2.100\/16, with gateway 10.10.2.1.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Sending Data to a Campus Server (e.g. 10.10.3.5)\n
\n- On the client, the application issues an IP packet:<\/li>\n\n\n\n
- Src=10.10.2.100 \u2192 Dst=10.10.3.5\n
\n- SoftEther Client library encrypts and encapsulates it over the SSL-VPN tunnel.<\/li>\n\n\n\n
- VPN Server decapsulates in kernel space, restores the original Ethernet frame, and bridges it out its physical NIC in VLAN 2.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Hardware-based Routing on the L3 Switch\n
\n- Gi0\/1 sees an 802.1Q VLAN 2 frame, strips the tag, and hands the packet to its ASIC\u2019s routing engine.<\/li>\n\n\n\n
- The switch performs a hardware IP route lookup:\n
\n- 10.10.3.5 \u2208 10.10.3.0\/16 \u2192 next-hop = SVI Vlan3 (10.10.3.1)<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- The ASIC re-encapsulates into an Ethernet frame on VLAN 3 and forwards directly out toward the server port.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Server\u2192Client Return Path<\/strong><\/p>\n\n\n\n\n- Campus Server Reply\n
\n- Server (10.10.3.5) replies: Src=10.10.3.5 \u2192 Dst=10.10.2.100<\/li>\n\n\n\n
- Packet is sent to its default-gateway 10.10.3.1 (the switch).<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Hardware Routing on the L3 Switch\n
\n- ASIC receives the packet on VLAN 3, routes it to VLAN 2 (SVI 10.10.2.1), and forwards on Gi0\/1 tagged VLAN 2.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Re-encapsulation & Delivery to Client\n
\n- VPN Bridge NIC picks up the Ethernet frame, bridges it into SoftEther\u2019s virtual switch.<\/li>\n\n\n\n
- SoftEther adds VPN encryption, sends it back over the public SSL-VPN tunnel to the client.<\/li>\n\n\n\n
- Client decrypts, delivers the native IP packet to the application.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Why This Is Ultra-Efficient<\/strong><\/p>\n\n\n\n\n- SoftEther Server does only two things in software: SSL-VPN crypto and L2 bridging.<\/li>\n\n\n\n
- No IP routing or NAT happens on the server-only frame encapsulation\/decapsulation.<\/li>\n\n\n\n
- All inter-VLAN routing is off-loaded to the switch ASICs, doing millions of PPS at wire speed.<\/li>\n\n\n\n
- The only software \u201chops\u201d are the crypto operations at tunnel endpoints; the switch paths never touch a CPU.<\/li>\n\n\n\n
- Result: minimal context switches, minimal CPU forwarding overhead, maximal throughput and very low latency.<\/li>\n<\/ul>\n\n\n\n
With this setup:<\/strong><\/p>\n\n\n\n\n- SoftEther handles the L2 \u201ctap\u201d into VLAN 2, so VPN clients appear exactly like on-campus PCs.<\/li>\n\n\n\n
- The L3 switch routes between VLAN 2 and VLAN 3 in hardware, giving you maximum throughput.<\/li>\n<\/ul>\n\n\n\n
Security Considerations<\/strong><\/p>\n\n\n\nSince this VPN is used exclusively by lab members on the campus network, there are no significant external threats. AES-GCM is the recommended cipher; if maximum performance is your goal, you may even select \u201cnone\u201d.<\/p>\n\n\n\n
Device:<\/strong><\/p>\n\n\n\nCisco Business CBS350-24T-4G<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
The following note outlines how to set up a VPN so that lab members can connect to the computation servers from anywhere on the campus network. 1) Requirements<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,9],"tags":[32,33],"class_list":["post-380","post","type-post","status-publish","format-standard","hentry","category-misc","category-notes","tag-network","tag-vpn"],"_links":{"self":[{"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/posts\/380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/comments?post=380"}],"version-history":[{"count":13,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/posts\/380\/revisions"}],"predecessor-version":[{"id":394,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/posts\/380\/revisions\/394"}],"wp:attachment":[{"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/media?parent=380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/categories?post=380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/tags?post=380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}