Line 15: |
Line 15: |
| |category= Contrib | | |category= Contrib |
| |tags= VPN | | |tags= VPN |
− | }} | + | }}{{Level|2=The instructions on this page may require deviations from default procedures. A good understanding of linux and SME is recommended|type=Advanced}}{{Warning box|This contrib will help you to do the basic integration but you will still need to do most of the configuration needed and take some decision}} |
| | | |
| ===Maintainer=== | | ===Maintainer=== |
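Review bot: The added Level and Warning box templates are appended straight after the closing "}}" on a single line; put each template on its own line so later diffs stay readable. The warning text "take some decision" should name the decisions it means, which the rest of the page shows to be port 443 versus 5555 and local users versus RADIUS.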
Line 27: |
Line 27: |
| | | |
| === Description === | | === Description === |
− | <!-- add a description here -->
| + | SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris. SoftEther VPN is open source. You can use SoftEther for any personal or commercial use for free charge. SoftEther VPN is an optimum alternative to OpenVPN andMicrosoft's VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8 / 10. No more need to pay expensive charges for Windows Server license for Remote-Access VPN function. SoftEther VPN can be used to realize BYOD (Bring your own device) on your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN's L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN's L2TP VPN Server has strong compatible withWindows, Mac, iOS and Android. |
| | | |
| | | |
| + | [[Image:SoftEther_Schematic.jpg|link=https://wiki.contribs.org/File:SoftEther_Schematic.jpg]] |
| === Installation === | | === Installation === |
− | yum --enablerepo=smecontribs install {{#var:smecontribname}} | + | yum install smeserver-bridge --enablerepo=smecontribs |
| + | yum --enablerepo=smecontribs,smedev install {{#var:smecontribname}} |
| + | config setprop bridge tap0,tap_soft |
| + | config setprop ExternalInterface MTU 2000 |
| + | config setprop InternalInterface MTU 2000 |
| + | config setprop bridge MTU 2000 |
| + | service bridge start |
| + | expand-template /etc/raddb/users |
| + | signal-event remoteaccess-update |
| + | if you plan to use softether VPN on port 443 (works only if you are in server and gateway mode). Yes you have to stop and then start, restart will fail. You also need a static IP to use port 443 |
| + | config setprop httpd-e-smith httpsOnlyLocal enabled |
| + | expand-template /etc/httpd/conf/httpd.conf |
| + | service httpd-e-smith stop |
| + | service httpd-e-smith start |
| + | service vpnserver start |
| + | service vpnserver stop |
| + | then edit the configuration |
| + | vim /usr/vpnserver/vpn_server.config |
| | | |
| + | to set in place of 0.0.0.0<syntaxhighlight lang="bash"> |
| + | string ListenIP ip.ip.ip.ip |
| + | </syntaxhighlight> |
| + | |
| + | Then, for all to finish: |
| + | service vpnserver start |
| + | |
| + | ==== Finishing configuration using windows ==== |
| + | Note: the windows utility works great with wine under Linuc. |
| + | |
| + | Download Management Interface |
| + | |
| + | http://www.softether-download.com/files/softether/v4.25-9656-rtm-2018.01.15-tree/Windows/SoftEther_VPN_Server_and_VPN_Bridge/softether-vpnserver_vpnbridge-v4.25-9656-rtm-2018.01.15-windows-x86_x64-intel.exe |
| + | |
| + | For the latest versions of SoftEther components please check http://www.softether-download.com/en.aspx |
| + | |
| + | After installation Clic On New Setting |
| + | |
| + | [[Image:SoftEther_WIN_1.png|link=https://wiki.contribs.org/File:SoftEther_WIN_1.png]] |
| + | |
| + | Set Setting Name, Set Host Name, Choose Port Number 5555 |
| + | |
| + | [[Image:SoftEther_WIN_2.png|link=https://wiki.contribs.org/File:SoftEther_WIN_2.png]] |
| + | |
| + | Connect |
| + | |
| + | [[Image:SoftEther_WIN_3.png|link=https://wiki.contribs.org/File:SoftEther_WIN_3.png]] |
| + | |
| + | Create Management Password |
| + | |
| + | [[Image:SoftEther_WIN_4.png|link=https://wiki.contribs.org/File:SoftEther_WIN_4.png]] |
| + | |
| + | Choose Remote Access VPN Server |
| + | |
| + | [[Image:SoftEther_WIN_5.png|link=https://wiki.contribs.org/File:SoftEther_WIN_5.png]] |
| + | |
| + | Create Virtual Hub Name |
| + | |
| + | [[Image:SoftEther_WIN_6.png|link=https://wiki.contribs.org/File:SoftEther_WIN_6.png]] |
| + | |
| + | Set Dynamic DNS if Needed (Dynamic IP) |
| + | |
| + | [[Image:SoftEther_WIN_7.png|link=https://wiki.contribs.org/File:SoftEther_WIN_7.png]] |
| + | |
| + | Enable L2TP/IPSec And Create Pre-Shared Key (No More Of 10 Charactere for compatibility with Android) |
| + | |
| + | [[Image:SoftEther_WIN_8.png|link=https://wiki.contribs.org/File:SoftEther_WIN_8.png]] |
| + | |
| + | PSK lengths greater than 9 characters ARE able to be entered and saved, See following post from Softether forums and English lang dialog box that is referenced in that post: http://www.vpnusers.com/viewtopic.php?f=7&t=8405 it requires the answering of the following dialog box with No to set a PSK length greater than 9, beware of issues with Android when length is greater than 10 |
| + | |
| + | [[Image:Softether-psk.png|500px|link=https://wiki.contribs.org/File:Softether-psk.png]] |
| + | |
| + | Disable VPN Azure |
| + | |
| + | [[Image:SoftEther_WIN_9.png|link=https://wiki.contribs.org/File:SoftEther_WIN_9.png]] |
| + | |
| + | Create User(s) |
| + | |
| + | [[Image:SoftEther_WIN_10.png|link=https://wiki.contribs.org/File:SoftEther_WIN_10.png]] |
| + | |
| + | Set User Name, Autentification Method, Password |
| + | |
| + | [[Image:SoftEther_WIN_11.png|link=https://wiki.contribs.org/File:SoftEther_WIN_11.png]] |
| + | |
| + | Create Local Bridge{{Warning box|Ensure Listener List TCP 443 is stopped or deleted, otherwise loss of access to server manager and apache will be lost on some occasions. |
| + | |
| + | If you have chosen in the first part of the install to force httpd to only listen on Local interface, then you can start the 443 Listener}}Create Local Bridge{{Warning box|Ensure Listener List TCP 443 is stopped or deleted, otherwise loss of access to server manager and apache will be lost on reboot.}}[[Image:SoftEther_WIN_14.png|link=https://wiki.contribs.org/File:SoftEther_WIN_14.png]] |
| + | |
| + | Choose Virtual Hub, Choose Bridge With Tap Device, Set Tap Device Name : soft |
| + | |
| + | [[Image:SoftEther_WIN_15.png|link=https://wiki.contribs.org/File:SoftEther_WIN_15.png]] |
| + | |
| + | ==== Finishing configuration with windows using the SME radius to auth users ==== |
| + | one must set the Radius server credentials in the Softether VPN server manager (thus the info of SME Server itself) |
| + | host: localhost or 127.0.0.1 |
| + | UDP port 1812 |
| + | key: default shared secret that can be found with: |
| + | cat /etc/radiusclient-ng/servers |
| + | [[Image:softether_radius.png|600px|link=https://wiki.contribs.org/File:Softether_radius.png]] |
| + | |
| + | The create a 'passthrough user' with the username of '*', set Auth Type to Radius and enable security policy. The default policy enables allows all SME Server users. |
| + | |
| + | If you previously created SME Server users manually, you can delete these so there is ONLY one user called '*' |
| + | |
| + | [[Image:softether_user.png|600px|link=https://wiki.contribs.org/File:Softether_user.png]] |
| + | |
| + | Finally one must set the pre-shared key '''also''' in the L2TP settings of the virtualhub |
| + | |
| + | [[Image:softether-L2TP-1.png|600px|link=https://wiki.contribs.org/File:Softether-L2TP-1.png]] |
| + | |
| + | [[Image:softether-L2TP-2.png|600px|link=https://wiki.contribs.org/File:Softether-L2TP-2.png]] |
| + | |
| + | All SME Server users should now be able to create a VPN connection. Since Softether VPN is not 'integrated' yet into the db and templating system, one does not need to enable VPN access on SME Server user accounts. This option in Server Manager will be ignored by Softether VPN. By default when authenticating against the SME Server Radius server all users will be able to create a VPN connection. |
| + | |
| + | If you want to deny VPN access to some SME Server users one must create separate user accounts in VPN manager with the username of SME Server, set authentication to Radius and enable security policy. Then edit the security policy and set it to disabled. The SME Server user is no longer allowed to create a VPN. |
| + | |
| + | ==== Finishing configuration using CLI ==== |
| + | '''TODO''' |
| + | |
| + | You can first connect using : |
| + | |
| + | vpncmd `config get ExternalIP`:5555 /SERVER /CMD ServerPasswordSet |
| + | |
| + | then you will be asked to change the password. |
| + | |
| + | Following access could be done |
| + | |
| + | vpncmd `config get ExternalIP`:5555 /SERVER |
| | | |
| === Configuration === | | === Configuration === |
| you can list the available configuration with the followinf command : | | you can list the available configuration with the followinf command : |
− | config show {{#var:contribname}} | + | config show vpnserver |
| | | |
| Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values : | | Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values : |
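Review bot: In the Installation block, "config setprop bridge tap0,tap_soft" passes only one argument after the key, whereas "config setprop bridge MTU 2000" a few lines below gives a property name and a value, so the property that should receive tap0,tap_soft needs to be named. The "Create Local Bridge" step and its warning box appear twice with different wording (access lost "on some occasions" versus "on reboot"); keep one copy and state the condition once, tied to the httpsOnlyLocal setting. The PSK guidance also conflicts ("No More Of 10" characters in the step, "greater than 9" in the paragraph under it); give one exact limit and say it applies only where Android clients are needed. The management installer is linked over plain http with no checksum, so add a hash or signature to verify the download against.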
Line 45: |
Line 171: |
| ! | | ! |
| |- | | |- |
− | |DbName | + | |TCPPorts |
− | |nextcloud | + | |1194,5555 |
− | |string | + | |coma separated port numbers |
− | |for mysql db | + | | |
| |- | | |- |
− | |DbPassword | + | |UDPPorts |
− | |GENERATED | + | |1194,500,1701,4500 |
− | |string | + | |coma separated port numbers |
− | |for mysql db | + | | |
− | |-
| |
− | |DbUser
| |
− | |nextcloud
| |
− | |string
| |
− | |for mysql db
| |
| |- | | |- |
| |access | | |access |
− | |private | + | |public |
| |private, public | | |private, public |
| | | | | |
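Review bot: The "access" default changes from private to public in the same table that lists 5555 under TCPPorts, and 5555 is the port the page uses for the management connection (Server Manager and vpncmd), so with this default the admin listener would be reachable from outside; either keep 5555 out of the publicly opened ports or document how to restrict it. The fourth column of the new TCPPorts and UDPPorts rows is empty where the removed rows carried a description, and "coma" should read "comma".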
Line 69: |
Line 190: |
| |enabled,disabled | | |enabled,disabled |
| |} | | |} |
− | | + | also mportant other propertie is (enabled will allow to use 443 port for VPN on external interface): |
− | | + | config getprop httpd-e-smith httpsOnlyLocal |
| | | |
| === Uninstall === | | === Uninstall === |
− | yum remove {{#var:smecontribname}} {{#var:contribname}} | + | yum remove {{#var:smecontribname}} {{#var:contribname}} |
| + | config delprop httpd-e-smith httpsOnlyLocal |
| + | signal-event remoteaccess-update |
| | | |
| === Bugs === | | === Bugs === |
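Review bot: The Uninstall block deletes httpsOnlyLocal but does not repeat the "expand-template /etc/httpd/conf/httpd.conf" and httpd-e-smith stop/start that the Installation section used to apply that property, and it leaves the MTU 2000 settings, the bridge setting and the smeserver-bridge package in place; add the steps that revert them or state that they are left on purpose. The property sentence above it shows "config getprop", which only reads the value, and gives no default; state the default and refer to the setprop line in Installation.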
Line 84: |
Line 207: |
| Only released version in smecontrib are listed here. | | Only released version in smecontrib are listed here. |
| | | |
− | {{ #smechangelog: {{#var:smecontribname}} }} | + | {{#smechangelog: {{#var:smecontribname}} }} |
| | | |
| | | |
Line 91: |
Line 214: |
| | | |
| <!-- Please keep there the template revision number as is --> | | <!-- Please keep there the template revision number as is --> |
− | [[contribtemplate::2| ]]
| |
− | [[contriblang:: {{#var:lang}} | ]]
| |
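Review bot: The comment directly above asks to keep the template revision number as is, yet the "[[contribtemplate::2| ]]" and "[[contriblang:: {{#var:lang}} | ]]" lines under it are removed; restore them, or explain in the edit summary why the page no longer carries the template revision.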