When dealing with multiple uncontrolled NAT layers from ISPs, traditional VPN solutions often fail. SoftEther's VPN Azure becomes essential here because:
- It establishes connections where standard IPSec/L2TP fails
- Creates persistent tunnels despite NAT restrictions
- Maintains connectivity even when public IPs change
Your current configuration shows two critical gaps:
# Current routing table (problematic)
Destination Netmask Gateway Interface
192.168.30.0 255.255.255.0 192.168.30.1 22 # VPN LAN only
0.0.0.0 0.0.0.0 192.168.1.1 11 # Local gateway
To force all traffic through the VPN tunnel:
Server-side Configuration:
- Enable SecureNAT in SoftEther Server Manager
- Configure virtual DHCP server (192.168.30.0/24 recommended)
- Set "Bridge to local network" option if local routing needed
Client-side Implementation:
# First remove default route
route delete 0.0.0.0
# Add VPN interface as default gateway
route add 0.0.0.0 mask 0.0.0.0 192.168.30.1 metric 1 if 22
# Verify routing
route print
# Persistent route (optional)
route -p add 0.0.0.0 mask 0.0.0.0 192.168.30.1
If packets get dropped at server:
# SoftEther Server Manager → Manage Virtual Hub → Security Policy
# Enable:
- ARP Spoofing Prevention: No
- IP Spoofing Prevention: No
- DHCP Spoofing Prevention: No
For more granular control:
# On server machine
vpncmd /server localhost /adminhub:DEFAULT /cmd BridgeCreate /DEVICE:soft /TAP:yes
# Create bridge between:
1. VPN virtual adapter
2. Physical network interface
3. Local routing table
When NAT32 interferes:
- Disable NAT32's DNS proxy
- Set manual metric for VPN interface (lower = higher priority)
- Check for IP address conflicts between local and VPN networks
When dealing with multi-NAT environments where neither the ISP's NAT nor intermediate routers are under your control, traditional VPN tunneling methods often fail. The fundamental obstacle lies in the inability to establish direct port forwarding through cascading NAT layers - what networking folks call "NAT traversal hell".
SoftEther's default behavior creates routes only for the remote LAN subnet, leaving other traffic to flow through the local gateway. This stems from its design philosophy of minimizing unnecessary hops. Examining the routing table reveals:
C:\>route print
===========================================================================
Interface List
22...00 ff 1a 2b 3c 4d ......TAP-Windows Adapter V9 (SoftEther)
===========================================================================
IPv4 Route Table
Destination Netmask Gateway Interface Metric
10.0.1.0 255.255.255.0 10.0.1.254 10.0.1.5 20
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 25
For full tunneling, we need three critical configurations:
# On SoftEther Server Manager:
1. Enable SecureNAT in Virtual Hub properties
2. Configure DHCP allocator (e.g., 10.0.1.1/24)
3. Enable "Local Bridge" to physical NIC with Internet access
# On Client machine:
route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 10.0.1.1 metric 1 if 22
When using VPN Azure (SoftEther's cloud relay service), packet filtering becomes stricter. The server needs explicit configuration to forward non-LAN traffic:
# In server.vpn_server.config
declare SecureNAT {
bool Disabled false
bool SaveLog false
bool MacAddressClone false
uint MaxTcpSessions 32
bool FilterIPv4 false # Critical for full tunneling
bool FilterIPv6 false
}
When packets mysteriously drop:
- Verify MTU settings:
netsh interface ipv4 set subinterface 22 mtu=1400 - Check NAT state:
netsh interface portproxy show all - Test raw connectivity:
tcping -t 10.0.1.1 53
When NAT traversal proves impossible, consider SSTP which uses TCP/443:
Add-VpnConnection -Name "SSTP_Tunnel" -ServerAddress "vpn.example.com"
-TunnelType Sstp -RememberCredential $true -SplitTunneling $false