cenk1cenk2 / docker-softether-vpnsrv

SoftEther VPN Server with DNSMASQ DHCP Server or bridge mode connection for VPN-to-site setup.

Providing example for pushing routes to clients via dnsmasq #11

Closed disaac closed 3 years ago

disaac commented 3 years ago

Currently the default dnsmasq.conf provides a configuration that is well suited to get the service up and running, using Google DNS for the default DNS provider and disabling dnsmasq DNS services. The container also works great if you want to use dnsmasq to push routes as DHCP options to Windows and *nix clients to support split tunneling, enabling the dnsmasq DNS service.

Below is an example configuration that would push private routes to VPN clients: 10.11.11.0/24 & 192.168.128.0/24, and also a public IP: 172.217.4.174/32. The routes would cause VPN clients to send traffic for those destinations through the VPN connection, supporting split tunneling.

I have verified this configuration works well when using the native Windows and macOS VPN clients to connect to the SoftEther L2TP/IPsec service. Assumes PR#10 has been merged or issue #9 has been otherwise addressed.

# Comment out the port=0 so dnsmasq can provide dns services to clients
# port=0
interface=tap_soft
dhcp-range=tap_soft,$SRVIPSUBNET.10,$SRVIPSUBNET.200,$SRVIPNETMASK,12h
dhcp-option=tap_soft,3,$SRVIPSUBNET.1
# set option 6 to announce itself as the DNS server
dhcp-option=tap_soft,6,$SRVIPSUBNET.1
# Use option 121 to announce to *nix vpn clients various routes you want routed through the VPN to allow split tunnel
dhcp-option=tap_soft,121,10.11.11.0/24,$SRVIPSUBNET.1,192.168.128.0/24,$SRVIPSUBNET.1,172.217.4.174/32,$SRVIPSUBNET.1
# use option 249 to announce to windows vpn clients the same routes as 121
dhcp-option=tap_soft,249,10.11.11.0/24,$SRVIPSUBNET.1,192.168.128.0/24,$SRVIPSUBNET.1,172.217.4.174/32,$SRVIPSUBNET.1
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dhcpe/4cde5ceb-4fc1-4f9a-82e9-13f6b38d930c
dhcp-option=vendor:MSFT,2,1i

cenk1cenk2 commented 3 years ago

You can mount any dnsmasq config in /etc/dnsmasq.conf.default. But you are right, I will add this to the README.

cenk1cenk2 commented 3 years ago

Will do some changes and update readme as well.

cenk1cenk2 commented 3 years ago

Okay, I updated the README to make it more clear, thank you for bringing this to my attention, and have given the repository a bit of a face-lift while at it.