Ethernet-over-VPN: What Could Possibly Go Wrong?

One of my readers sent me a link to SoftEther, a VPN solution that

[…] penetrates your network admin's troublesome firewall for overprotection. […] Any deep-packet inspection firewalls cannot detect SoftEther VPN's transport packets as a VPN tunnel, because SoftEther VPN uses Ethernet over HTTPS for camouflage.

What could possibly go wrong with such a great solution?

Ignoring the security implications of bypassing those pesky firewalls (that someone put in place just to annoy you, not because they’d actually be needed), this wonderful bit of software also lets you bridge a local Ethernet segment into the VPN tunnel, i.e. stretch a layer-2 broadcast domain across the WAN:

You can define a cascading connection between two or more remote Virtual Hubs. With cascading, you can integrate two or more remote Ethernet segments to a single Ethernet segment.

I won’t even start ranting about the beauties of running bridged Ethernet over WAN; it seems a lot of people prefer to learn from hands-on experience ;) However, all you need is someone establishing two of these bridged tunnels between the same two VLANs and you have a layer-2 forwarding loop: there is no spanning tree running across the tunnels, so every broadcast (a single ARP request will do) circulates between the two segments forever, the bridges keep relearning the source MAC address on the wrong port, and you get a lot of blinking lights, rate-limited only by the encryption speed of your VPN clients.
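To see why the loop never drains, here is a small discrete-time model of the scenario above. It is an added example, not code from the original post or from SoftEther: each bridged tunnel is modelled as a transparent learning bridge with one port on each VLAN, there is no spanning tree, and one broadcast frame is injected. The VLAN names, the MAC address and the bridge names are constructed for the example.

```python
"""Model of parallel bridged VPN tunnels between two VLANs (added example).

Each tunnel is a transparent learning bridge with one port per VLAN; no
spanning tree runs across the tunnels. A single broadcast frame is injected
on VLAN10 and we count how many copies are on the wire at every tick, plus
how often the first bridge has to relearn the source MAC on the other port.
Names and addresses below are constructed, not taken from the post.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Bridge:
    """Transparent learning bridge with exactly two ports, one per segment."""

    def __init__(self, name, seg_a, seg_b):
        self.name = name
        self.ports = (seg_a, seg_b)
        self.table = {}      # source MAC -> segment it was last seen on
        self.relearns = 0    # how often a known MAC moved to the other port

    def forward(self, frame, arrived_on):
        """Apply source learning, then return [(segment, frame)] to emit."""
        src, dst = frame["src"], frame["dst"]
        if src in self.table and self.table[src] != arrived_on:
            self.relearns += 1        # MAC flapping between the two ports
        self.table[src] = arrived_on
        other = self.ports[1] if arrived_on == self.ports[0] else self.ports[0]
        if dst != BROADCAST and self.table.get(dst) == arrived_on:
            return []                 # destination is local: filter the frame
        return [(other, frame)]       # broadcast or unknown: flood other port


def simulate(bridges, frame, inject_on, ticks):
    """Return the number of frame copies on the wire at each tick.

    A bridge never receives a frame it has just emitted (it is the sender on
    that segment), but every other bridge attached to the segment does.
    """
    on_wire = [(inject_on, frame, None)]   # (segment, frame, emitting bridge)
    counts = []
    for _ in range(ticks):
        counts.append(len(on_wire))
        nxt = []
        for seg, f, sender in on_wire:
            for b in bridges:
                if seg in b.ports and b is not sender:
                    nxt.extend((out_seg, out_f, b)
                               for out_seg, out_f in b.forward(f, seg))
        on_wire = nxt
    return counts


def topology(n_tunnels):
    """n parallel bridged tunnels between VLAN10 and VLAN20 (hypothetical names)."""
    return [Bridge(f"tunnel{i}", "VLAN10", "VLAN20") for i in range(n_tunnels)]


# A constructed ARP-request-like broadcast frame from a host on VLAN10.
ARP_REQUEST = {"src": "00:11:22:33:44:55", "dst": BROADCAST}


def storm_profile(n_tunnels, ticks=5):
    """(frames on the wire per tick, MAC relearns seen by the first tunnel)."""
    bridges = topology(n_tunnels)
    counts = simulate(bridges, ARP_REQUEST, "VLAN10", ticks)
    return counts, bridges[0].relearns


if __name__ == "__main__":
    for n in (1, 2, 3):
        counts, flaps = storm_profile(n)
        print(f"{n} tunnel(s): frames per tick {counts}, "
              f"MAC relearns on tunnel0 = {flaps}")
```

With one tunnel the broadcast is delivered once and the wire goes quiet; with two tunnels the same frame bounces between the VLANs forever and the bridges flip the host's MAC between ports on every pass; with three or more parallel tunnels the copy count grows geometrically, which is the classic broadcast storm. Nothing in the model ages out, because nothing in a bridged tunnel without spanning tree does either.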

Finally, running TCP over TCP (in our case TCP-over-IP-over-Ethernet-over-SSL-over-TCP-over-IP-over-Whatever) isn’t the best idea ever, as people trying to run TCP over SSH figured out long ago: the inner and outer TCP sessions retransmit on loss with independent timers, so when the outer connection stalls, the inner stack keeps retransmitting into the outer connection’s send buffer, and a single lost packet turns into a burst of redundant retransmissions once the outer connection recovers (the so-called TCP-over-TCP meltdown). Alas, some people never bother to check past experience and Rule 11 of RFC 1925 strikes again. But don’t despair, this wonder of technology can also run VPN over DNS or ICMP (which, incidentally, is exactly the covert-channel traffic pattern a halfway decent security team looks for) as well as over UDP, which actually makes sense.

In short, I never cease to be amazed by how much time people spend inventing solutions that shouldn’t exist in the first place.
  1. I hate the firewall issues just like the next person, but that does not mean I want to drill holes in it.
  2. This technology has other purposes than data center, vMotion or VLAN extensions.
  3. The most important bit is that every new magic VPN solution has to point out that they have better performance than OpenVPN... which sort of makes OpenVPN the reference, no? :-)
  4. To their credit, one of the original use cases of this technology was simply leveraging the remote-access VPN capability to help those in need with bypassing any "pesky" Great Firewalls. And let's face it, OpenVPN could use a facelift.
  5. All you need is someone establishing a single VPN tunnel between two hosts in a single subnet 😀
    1. In a single location you mean. Yes, true. Except if the software is smart enough to check if both VPN endpoints are not directly joinable over pure Ethernet. Otherwise you would have to make an Ethernet VPN tunnel to a remote location, and then do a second VPN connection back to the host which is in the same LAN as you are. Life is so much easier with bridging. I can die in peace now.
  6. An Ethernet bridge will always be an Ethernet bridge, no matter how hard the layer 7 application tries to hide the complexities. The fundamentals of networking still apply. "Just because you can, does not mean you should"...
  7. Apart from the right or wrong discussion, this is the only open source SSTP server software available today. I don't want to use PPTP for security reasons. I don't understand why Microsoft doesn't provide SSTP on the desktop version of Windows. They should get rid of PPTP and provide SSTP on all versions of Windows as they did with PPTP. PPTP is crap.
  8. Oh yeah Ivan, it allows ARP/IP Spoofing and Man in the middle without even having to be there. They're right, it makes life really easier.