While this application supports many devices which can support L2TP or SSTP, using the client for Windows/Mac/Linux is the only way to use the ICMP/DNS tunneling function.
I have the server software running on Windows 2008R2 and client software running on Windows 7.
After finding no more than a basic understanding of the ICMP/DNS functionality in their documentation, I decided to dig deeper and share my experience with others.
The diagram below depicts how the SoftEther VPN client first tries to connect with its normal TCP communication; if that fails, it falls back to connecting via DNS, and if that also fails, it finally tries ICMP (type 15, Information Request).
I already had a basic configuration set up on my server/client; now all I had to do was enable the function to try ICMP/DNS when all else fails.
In order to force the client to use this feature, I used my computer's local firewall (Symantec Endpoint Protection) to allow DNS but block all other traffic.

I enabled these rules only on the physical interface which provides my access to the server/internet, so as not to have the rules conflict with packets on the Windows virtual interface used by the VPN client.
Then I forwarded internet traffic destined for port 53 to the server.
Voila


I was not able to get ICMP to work over the internet, as my ISP-provided firewall would only allow me to "port forward" echo request packets to internal hosts.
Please comment if this was of any interest to you.
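An added example, not part of the original post: a defender's check for the fallback behaviour described above, where port 53 traffic goes straight to the VPN server instead of an approved resolver and ICMP Information messages (type 15/16) appear on the wire. The flow records are constructed, and the resolver allow-list, byte threshold and field names are assumptions.

```python
from collections import defaultdict

# Assumptions for this example (not from the post): allow-list, threshold, field names.
APPROVED_RESOLVERS = {"10.0.0.53"}
DNS_BYTES_THRESHOLD = 500_000   # bytes per src/dst pair within the sample window
ICMP_INFO_TYPES = {15, 16}      # Information Request / Reply (RFC 792)

# Constructed sample flow records (private and documentation address ranges).
SAMPLE_FLOWS = [
    {"src": "192.168.1.20", "dst": "10.0.0.53", "proto": "udp", "dport": 53, "bytes": 900_000},
    {"src": "192.168.1.30", "dst": "203.0.113.7", "proto": "udp", "dport": 53, "bytes": 300_000},
    {"src": "192.168.1.30", "dst": "203.0.113.7", "proto": "udp", "dport": 53, "bytes": 300_000},
    {"src": "192.168.1.31", "dst": "203.0.113.9", "proto": "udp", "dport": 53, "bytes": 1_200},
    {"src": "192.168.1.30", "dst": "203.0.113.7", "proto": "icmp", "icmp_type": 15, "bytes": 2_000},
    {"src": "192.168.1.40", "dst": "198.51.100.1", "proto": "icmp", "icmp_type": 8, "bytes": 64},
]

def find_tunnel_candidates(flows):
    """Return sorted (src, dst, reason) tuples for flows worth investigating."""
    dns_bytes = defaultdict(int)   # (src, dst) -> bytes sent to unapproved port 53
    icmp_pairs = set()             # (src, dst) pairs that used type 15/16
    for f in flows:
        pair = (f["src"], f["dst"])
        if f["proto"] in ("udp", "tcp") and f.get("dport") == 53:
            # Port 53 traffic that bypasses the approved resolvers is counted.
            if f["dst"] not in APPROVED_RESOLVERS:
                dns_bytes[pair] += f["bytes"]
        elif f["proto"] == "icmp" and f.get("icmp_type") in ICMP_INFO_TYPES:
            # Information Request/Reply is rarely seen in normal traffic.
            icmp_pairs.add(pair)

    alerts = [(s, d, "icmp-information-message") for s, d in icmp_pairs]
    for (src, dst), total in dns_bytes.items():
        if total >= DNS_BYTES_THRESHOLD:
            alerts.append((src, dst, "bulk-port53-to-unapproved-resolver"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_tunnel_candidates(SAMPLE_FLOWS):
        print(alert)
```

Small lookups to an unapproved resolver stay below the threshold, so tune it against a baseline of normal DNS volume per host.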


So to make this work, you'll still need to set up port forwarding on your router to forward port 53 and whatever the ICMP port is, to your SoftEther VPN server?
Yes. I forwarded DNS tcp+udp 53 to my server