5.3 Differences between VPN Server and VPN Bridge

    SoftEther VPN Bridge is a software product for creating a connection (bridge) between a Virtual Hub at a remote location and a physical network adapter, minus some of the functions of SoftEther VPN Server. With the exception of the differences noted here, the descriptions of SoftEther VPN Server in 3. SoftEther VPN Server Manual can be used to understand the use, principles of operation, and management of SoftEther VPN Bridge. For the detailed setup method of SoftEther VPN Bridge, refer to this chapter while replacing all descriptions of VPN Server with VPN Bridge and sevpnserver with sevpnbridge.

     

    5.3.1 Features and Usage of VPN Bridge

    VPN Server and VPN Bridge

    SoftEther VPN Server, described in 3. SoftEther VPN Server Manual, is a software product that provides VPN server functions to VPN client computers. It allows you to place several Virtual Hubs on a single VPN Server so that VPN Client or VPN Bridge can establish a VPN connection to a Virtual Hub over the network from a remote location. In addition, it can connect a virtual network and a physical network using the local bridge function (see 3.6 Local Bridges) and the SecureNAT function (see 3.7 Virtual NAT & Virtual DHCP Servers), which connect a Virtual Hub on VPN Server and a physical network adapter on the computer running VPN Server.

    VPN Bridge does not have the following functions of the VPN Server described above:

    • Function for receiving a VPN connection (as a VPN server) and associated functions
    • Function for creating several Virtual Hubs
    • Virtual Layer 3 switching function
    • Packet filtering function using the access list

    Technical Positioning of VPN Bridge

    Technically speaking, SoftEther VPN Bridge is a software program optimized for bridging at remote bases. It omits two VPN Server functions: receiving a connection from SoftEther VPN Client or from SoftEther VPN Server on a separate computer, and creating multiple Virtual Hubs. When SoftEther VPN Bridge is installed, only one Virtual Hub, with the name "BRIDGE", is created. The network administrator creates a local bridge between the base LAN and this Virtual Hub, and connects it to the Virtual Hub on the destination SoftEther VPN Server.

    VPN Bridge Applications and Usage

    VPN Bridge is optimized for two functions: creating a cascade connection to VPN Server, and bridging to a physical network using a local bridge connection. Nearly all other extra functions have been eliminated.

    You can make effective use of VPN Bridge, for example, by placing a Virtual Hub on an existing VPN Server at the head office, installing VPN Bridge to the base LAN at each branch to be connected to the Virtual Hub, and creating a VPN configured to remain constantly connected to the head office network over the Internet.

    Number of VPN Server and VPN Bridge Computers Generally Required

    To create a VPN connecting multiple bases on a general scale, as described in 10.5 Build a LAN-to-LAN VPN (Using L2 Bridge) and 10.6 Build a LAN-to-LAN VPN (Using L3 IP Routing), install VPN Server at one base, install VPN Bridge at the other bases, and create a cascade connection from the Virtual Hub of VPN Bridge to the Virtual Hub of VPN Server, while at the same time creating a local bridge connection between the Virtual Hub and physical network adapter at each base.

    In this case, VPN Bridge must be installed on one fewer computer than the total number of bases to be connected to VPN Server. Generally speaking, to establish a peer VPN connection between N bases, provide VPN Bridge on N-1 computers and connect them to one VPN Server computer.

    Figure 5-3-1: Connecting VPN Server and VPN Bridge at Each Site.

    Configuration File Name

    The configuration file name in VPN Server is vpn_server.config, but in VPN Bridge, the name is vpn_bridge.config.

     

    5.3.2 Virtual Hub on VPN Bridge

    Only one Virtual Hub can exist in the program on VPN Bridge. The name of that Virtual Hub is fixed to "BRIDGE".

    Figure 5-3-2: Virtual Hub with the Name "BRIDGE".

     

    VPN Bridge is managed using VPN Server Manager or the vpncmd utility, in the same way as VPN Server, except that the only Virtual Hub to manage is "BRIDGE".

    By connecting the "BRIDGE" Virtual Hub to a network adapter physically installed in the computer using the local bridge function, you can join the "BRIDGE" Virtual Hub and the physical network into one segment. Then, by creating a cascade connection on the "BRIDGE" Virtual Hub and configuring it to stay constantly connected to the desired VPN Server, a VPN connection can be easily created between the bases.

    5.3.3 Cascade Connection Function on VPN Bridge

    The Virtual Hub of VPN Bridge can be cascade-connected to a Virtual Hub operating on a separate computer in the same way as a Virtual Hub of VPN Server. For more information about cascade connections, please refer to 3.4 Virtual Hub Functions.

    Because the Virtual Hub of VPN Bridge cannot receive a VPN connection, VPN Bridge serves no purpose unless it is cascade-connected to an external VPN Server. When using VPN Bridge, be sure to use the cascade connection function.

    Figure 5-3-3: Cascade Connection Function on VPN Bridge.

    5.3.4 Receiving a Connection on VPN Bridge

    Unlike VPN Server, VPN Bridge does not have a function for receiving a VPN connection. SoftEther VPN Server is the only product in the SoftEther VPN software series with a function for receiving a VPN connection, namely a VPN server function.

    However, VPN Bridge is similar to VPN Server in that it has a TCP/IP listener port. By default, the three enabled TCP/IP listener ports are 443, 992, and 5555, the same as those on VPN Server. These TCP/IP listener ports are required for management connection from a local or remote client to VPN Bridge using VPN Server Manager or the vpncmd utility.

    Figure 5-3-4: Management Connection to VPN Bridge.
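
    The listener arrangement described in 5.3.4 can be checked from vpn_bridge.config itself. The following is an added example, not part of the SoftEther manual or code base: it parses the nested declare blocks of a configuration file and reports which TCP/IP listeners are enabled and which of those are still the default ports. The sample text is constructed, and the block and key names (ListenerList, Enabled, Port) are assumptions about the file layout.

```python
DEFAULT_PORTS = {443, 992, 5555}  # defaults named in section 5.3.4

# Constructed, abbreviated sample; block and key names are assumptions.
SAMPLE = """\
declare root
{
    declare ListenerList
    {
        declare Listener0
        {
            bool Enabled true
            uint Port 443
        }
        declare Listener1
        {
            bool Enabled false
            uint Port 5555
        }
    }
}
"""

def parse(text):
    """Turn nested 'declare NAME { type key value }' blocks into dicts."""
    root = node = {}
    stack, name = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("declare "):
            name = line.split()[1]           # remember the block name
        elif line == "{":
            stack.append(node)               # descend into the named block
            node = node.setdefault(name, {})
        elif line == "}":
            node = stack.pop()               # return to the parent block
        elif line and not line.startswith("#"):
            _type, key, value = (line.split(None, 2) + ["", ""])[:3]
            node[key] = value
    return root

def audit_listeners(text):
    """Return (enabled ports, enabled ports that are still defaults)."""
    listeners = parse(text).get("root", {}).get("ListenerList", {}).values()
    enabled = sorted(int(l["Port"]) for l in listeners
                     if isinstance(l, dict) and l.get("Enabled") == "true")
    return enabled, [p for p in enabled if p in DEFAULT_PORTS]

if __name__ == "__main__":
    print(audit_listeners(SAMPLE))
```

    Because VPN Bridge cannot receive VPN connections, every port this reports as enabled exists only for management connections from VPN Server Manager or vpncmd.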

    5.3.5 Local Bridge Function on VPN Bridge

    A local bridge connection can be configured between the "BRIDGE" Virtual Hub on VPN Bridge and a physical network adapter on the computer running VPN Bridge. This function bridges the Virtual Hub of VPN Bridge to the network of an existing base at Layer 2.

    The method for setting up a local bridge is the same as that for VPN Server. For details, please refer to 3.6 Local Bridges.

    Please note that the local bridge function is not available in VPN Bridge for operating systems other than Windows, Linux, or Solaris. Therefore, VPN Bridge is not very useful on operating systems other than Windows, Linux, or Solaris. However, the SecureNAT function can be used.

    Figure 5-3-5: Local Bridge Setup Window in VPN Bridge.

    5.3.6 SecureNAT Function on VPN Bridge

    The "BRIDGE" Virtual Hub on VPN Bridge has a virtual NAT function using SecureNAT and a virtual DHCP server function similar to those of VPN Server. You can enable these functions when necessary. For information about using these functions, please refer to 3.7 Virtual NAT & Virtual DHCP Servers.

    For examples of how to use SoftEther VPN with the SecureNAT function of VPN Bridge, please refer to 10.11 Exploit SecureNAT for Remote Access into Firewall without Any Permission.

     

    5.3.7 Virtual Layer 3 Switch Function on VPN Bridge

    Because VPN Bridge only has one Virtual Hub, a virtual Layer 3 switch is meaningless. Therefore, the virtual Layer 3 switch function has been eliminated in VPN Bridge and cannot be used.

     

    5.3.8 Coexistence of VPN Bridge and VPN Server

    Users new to SoftEther VPN often make the mistake of installing both VPN Server and VPN Bridge on the same computer, which creates conflicting operations. Just as the descriptions of VPN Server and VPN Bridge are separate in this manual, there is no reason to install both VPN Server and VPN Bridge on the same computer.

    Because VPN Server has a function for creating a local bridge between a Virtual Hub and a physical network, the Virtual Hub of VPN Server can be connected to a physical network adapter using Layer 2 on VPN Server alone. To make this type of connection, you do not need to use VPN Bridge.

    Do not install VPN Server and VPN Bridge on the same computer.