Difference between revisions of "Softethervpn-server"
Unnilennium (talk | contribs) |
|||
(5 intermediate revisions by 3 users not shown) | |||
Line 27: | Line 27: | ||
[[User:Unnilennium|JP Pialasse]] | [[User:Unnilennium|JP Pialasse]] | ||
− | === Version === | + | ===Version=== |
<!-- keep this first element as is, you can add some if needed --> | <!-- keep this first element as is, you can add some if needed --> | ||
{{#smeversion: {{#var:smecontribname}} }} | {{#smeversion: {{#var:smecontribname}} }} | ||
{{#smeversion: softethervpn }} | {{#smeversion: softethervpn }} | ||
− | === Description === | + | ===Description=== |
SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris. SoftEther VPN is open source. You can use SoftEther for any personal or commercial use for free charge. SoftEther VPN is an optimum alternative to OpenVPN andMicrosoft's VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8 / 10. No more need to pay expensive charges for Windows Server license for Remote-Access VPN function. SoftEther VPN can be used to realize BYOD (Bring your own device) on your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN's L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN's L2TP VPN Server has strong compatible withWindows, Mac, iOS and Android. | SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris. SoftEther VPN is open source. You can use SoftEther for any personal or commercial use for free charge. SoftEther VPN is an optimum alternative to OpenVPN andMicrosoft's VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8 / 10. No more need to pay expensive charges for Windows Server license for Remote-Access VPN function. SoftEther VPN can be used to realize BYOD (Bring your own device) on your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN's L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. 
SoftEther VPN's L2TP VPN Server has strong compatible withWindows, Mac, iOS and Android. | ||
[[Image:SoftEther_Schematic.jpg|link=https://wiki.contribs.org/File:SoftEther_Schematic.jpg]] | [[Image:SoftEther_Schematic.jpg|link=https://wiki.contribs.org/File:SoftEther_Schematic.jpg]] | ||
− | === Installation === | + | ===Installation=== |
− | yum install smeserver-bridge --enablerepo=smecontribs | + | <tabs container style="display: inline-block;"><tab name="For SME 10"> |
+ | yum install smeserver-bridge-interface --enablerepo=smecontribs | ||
yum --enablerepo=smecontribs,smedev install {{#var:smecontribname}} | yum --enablerepo=smecontribs,smedev install {{#var:smecontribname}} | ||
− | config setprop bridge tap0,tap_soft | + | config setprop bridge tapInterface tap0,tap_soft |
+ | |||
+ | # following has been found to effect some eth cards if or when removing bridge, caution | ||
+ | config setprop ExternalInterface MTU 2000 | ||
+ | config setprop InternalInterface MTU 2000 | ||
+ | |||
+ | config setprop bridge MTU 2000 | ||
+ | service bridge restart | ||
+ | signal-event smeserver-softethervpn-server-update | ||
+ | |||
+ | if you plan to use softether VPN on port 443 (works only if you are in server and gateway mode). Yes you have to stop and then start, restart will fail. You also need a static IP to use port 443 | ||
+ | config setprop httpd-e-smith httpsOnlyLocal enabled | ||
+ | expand-template /etc/httpd/conf/httpd.conf | ||
+ | service httpd-e-smith stop | ||
+ | service httpd-e-smith start | ||
+ | service vpnserver start | ||
+ | service vpnserver stop | ||
+ | then edit the configuration | ||
+ | vim /usr/vpnserver/vpn_server.config | ||
+ | |||
+ | to set in place of 0.0.0.0<syntaxhighlight lang="bash"> | ||
+ | string ListenIP ip.ip.ip.ip | ||
+ | </syntaxhighlight> | ||
+ | </tab><tab name="For SME 9"> | ||
+ | yum install smeserver-bridge-interface --enablerepo=smecontribs | ||
+ | yum --enablerepo=smecontribs,smedev install {{#var:smecontribname}} | ||
+ | config setprop bridge tapInterface tap0,tap_soft | ||
config setprop ExternalInterface MTU 2000 | config setprop ExternalInterface MTU 2000 | ||
config setprop InternalInterface MTU 2000 | config setprop InternalInterface MTU 2000 | ||
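Review bot: In the new SME 10 tab, the syntaxhighlight block tagged lang="bash" opens on the same line as the sentence "to set in place of 0.0.0.0" and wraps a vpn_server.config directive rather than a shell command. Put the sentence on its own line, drop or change the bash tag, and say which address replaces ip.ip.ip.ip (the text above only says a static IP is needed). The "service vpnserver start" / "service vpnserver stop" pair just before it would benefit from a short reason, and "effect" in the MTU comment should be "affect".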
Line 63: | Line 90: | ||
Then, for all to finish: | Then, for all to finish: | ||
service vpnserver start | service vpnserver start | ||
+ | </tab> | ||
+ | </tabs> | ||
− | ==== Finishing configuration using windows ==== | + | ====Finishing configuration using windows==== |
Note: the windows utility works great with wine under Linuc. | Note: the windows utility works great with wine under Linuc. | ||
Line 121: | Line 150: | ||
[[Image:SoftEther_WIN_11.png|link=https://wiki.contribs.org/File:SoftEther_WIN_11.png]] | [[Image:SoftEther_WIN_11.png|link=https://wiki.contribs.org/File:SoftEther_WIN_11.png]] | ||
− | + | {{Warning box|Ensure Listener List TCP 443 is stopped or deleted, otherwise loss of access to server manager and apache will be lost on some occasions. | |
− | If you have chosen in the first part of the install to force httpd to only listen on Local interface, then you can start the 443 Listener}}Create Local Bridge | + | If you have chosen in the first part of the install to force httpd to only listen on Local interface, then you can start the 443 Listener}}Create Local Bridge |
+ | |||
+ | [[Image:SoftEther_WIN_14.png|link=https://wiki.contribs.org/File:SoftEther_WIN_14.png]] | ||
Choose Virtual Hub, Choose Bridge With Tap Device, Set Tap Device Name : soft | Choose Virtual Hub, Choose Bridge With Tap Device, Set Tap Device Name : soft | ||
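Review bot: The Warning box sentence reads "loss of access to server manager and apache will be lost", which states the loss twice; reword it to something like "otherwise access to server manager and apache will be lost on some occasions". The closing "}}" of the template is also followed directly by "Create Local Bridge" on the same line, so that step should start on its own line after the box.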
Line 129: | Line 160: | ||
[[Image:SoftEther_WIN_15.png|link=https://wiki.contribs.org/File:SoftEther_WIN_15.png]] | [[Image:SoftEther_WIN_15.png|link=https://wiki.contribs.org/File:SoftEther_WIN_15.png]] | ||
− | ==== Finishing configuration with windows using the SME radius to auth users ==== | + | ====Finishing configuration with windows using the SME radius to auth users==== |
one must set the Radius server credentials in the Softether VPN server manager (thus the info of SME Server itself) | one must set the Radius server credentials in the Softether VPN server manager (thus the info of SME Server itself) | ||
host: localhost or 127.0.0.1 | host: localhost or 127.0.0.1 | ||
Line 153: | Line 184: | ||
If you want to deny VPN access to some SME Server users one must create separate user accounts in VPN manager with the username of SME Server, set authentication to Radius and enable security policy. Then edit the security policy and set it to disabled. The SME Server user is no longer allowed to create a VPN. | If you want to deny VPN access to some SME Server users one must create separate user accounts in VPN manager with the username of SME Server, set authentication to Radius and enable security policy. Then edit the security policy and set it to disabled. The SME Server user is no longer allowed to create a VPN. | ||
− | ==== Finishing configuration using CLI ==== | + | ====Finishing configuration using CLI==== |
'''TODO''' | '''TODO''' | ||
Line 166: | Line 197: | ||
vpncmd `config get ExternalIP`:5555 /SERVER | vpncmd `config get ExternalIP`:5555 /SERVER | ||
− | === Configuration === | + | ===Configuration=== |
you can list the available configuration with the followinf command : | you can list the available configuration with the followinf command : | ||
config show vpnserver | config show vpnserver | ||
Line 199: | Line 230: | ||
config getprop httpd-e-smith httpsOnlyLocal | config getprop httpd-e-smith httpsOnlyLocal | ||
− | === Uninstall === | + | ===Uninstall=== |
yum remove {{#var:smecontribname}} {{#var:contribname}} | yum remove {{#var:smecontribname}} {{#var:contribname}} | ||
config delprop httpd-e-smith httpsOnlyLocal | config delprop httpd-e-smith httpsOnlyLocal | ||
signal-event remoteaccess-update | signal-event remoteaccess-update | ||
− | === Bugs === | + | ===Bugs=== |
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] | Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] | ||
and select the {{#var:smecontribname}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{#var:smecontribname}}|title=this link}} | and select the {{#var:smecontribname}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{#var:smecontribname}}|title=this link}} | ||
Line 219: | Line 250: | ||
[[Category: Contrib]] | [[Category: Contrib]] | ||
<!-- Please keep there the template revision number as is --> | <!-- Please keep there the template revision number as is --> | ||
+ | |||
+ | ==Other articles in this category== | ||
+ | {{#ask: [[Category:VPN]]}} | ||
+ | [[Category:VPN]] |
Latest revision as of 06:27, 14 April 2024
softethervpn-server logo | |
Maintainer | Unnilennium |
---|---|
Url | https://www.softether.org |
Licence | Apache License 2.0 |
Category | |
Tags | VPN |
This page was inspired from this how-to: SoftEther_VPN
Maintainer
Version
Description
SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris. SoftEther VPN is open source. You can use SoftEther for any personal or commercial use free of charge. SoftEther VPN is an optimum alternative to OpenVPN and Microsoft's VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8 / 10. There is no more need to pay expensive charges for a Windows Server license for the Remote-Access VPN function. SoftEther VPN can be used to realize BYOD (Bring your own device) in your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN's L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN's L2TP VPN Server is strongly compatible with Windows, Mac, iOS and Android.
Installation
For SME 10:

yum install smeserver-bridge-interface --enablerepo=smecontribs
yum --enablerepo=smecontribs,smedev install smeserver-softethervpn-server
config setprop bridge tapInterface tap0,tap_soft

# the following has been found to affect some eth cards if or when removing the bridge, caution
config setprop ExternalInterface MTU 2000
config setprop InternalInterface MTU 2000

config setprop bridge MTU 2000
service bridge restart
signal-event smeserver-softethervpn-server-update

If you plan to use SoftEther VPN on port 443 (works only if you are in server and gateway mode): yes, you have to stop and then start; restart will fail. You also need a static IP to use port 443.

config setprop httpd-e-smith httpsOnlyLocal enabled
expand-template /etc/httpd/conf/httpd.conf
service httpd-e-smith stop
service httpd-e-smith start
service vpnserver start
service vpnserver stop

Then edit the configuration

vim /usr/vpnserver/vpn_server.config

to set, in place of 0.0.0.0:

string ListenIP ip.ip.ip.ip

For SME 9:

yum install smeserver-bridge-interface --enablerepo=smecontribs
yum --enablerepo=smecontribs,smedev install smeserver-softethervpn-server
config setprop bridge tapInterface tap0,tap_soft
config setprop ExternalInterface MTU 2000
config setprop InternalInterface MTU 2000
config setprop bridge MTU 2000
service bridge start
expand-template /etc/raddb/users
signal-event remoteaccess-update

If you plan to use SoftEther VPN on port 443 (works only if you are in server and gateway mode): yes, you have to stop and then start; restart will fail. You also need a static IP to use port 443.

config setprop httpd-e-smith httpsOnlyLocal enabled
expand-template /etc/httpd/conf/httpd.conf
service httpd-e-smith stop
service httpd-e-smith start
service vpnserver start
service vpnserver stop

Then edit the configuration

vim /usr/vpnserver/vpn_server.config

to set, in place of 0.0.0.0:

string ListenIP ip.ip.ip.ip

Then, for all to finish:

service vpnserver start
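An added check for the port 443 steps above (not part of the original page or of the contrib): it reads a vpn_server.config and reports whether an enabled TCP 443 listener would collide with httpd. The sample config is constructed, its listener block layout is an assumption, and `sample_config` and `check_443` are hypothetical names.

```bash
# Added example, not from the page. The listener block layout in the sample is an
# assumption; only "string ListenIP" and the config file path come from the page.
sample_config() {   # constructed sample, not a real server's config
cat <<'EOF'
declare root
{
    string ListenIP 0.0.0.0
    declare ListenerList
    {
        declare Listener0
        {
            bool Enabled true
            uint Port 443
        }
        declare Listener1
        {
            bool Enabled true
            uint Port 5555
        }
    }
}
EOF
}

# check_443 FILE HTTPS_ONLY_LOCAL: prints a verdict, returns 1 on a conflict.
check_443() {
    awk -v local_only="$2" '
        { sub(/\r$/, "") }                                  # tolerate CRLF line endings
        $1 == "string" && $2 == "ListenIP" { listen_ip = $3 }
        $1 == "declare" && $2 ~ /^Listener[0-9]+$/ { in_l = 1; enabled = ""; port = "" }
        in_l && $1 == "bool" && $2 == "Enabled" { enabled = $3 }
        in_l && $1 == "uint" && $2 == "Port"    { port = $3 }
        in_l && $1 == "}" { if (port == "443" && enabled == "true") on443 = 1; in_l = 0 }
        END {
            if (!on443) { print "OK: no enabled listener on TCP 443"; exit 0 }
            if (local_only != "enabled") { print "CONFLICT: 443 listener enabled but httpsOnlyLocal is not enabled"; exit 1 }
            if (listen_ip == "" || listen_ip == "0.0.0.0") { print "CONFLICT: 443 listener enabled but ListenIP is still 0.0.0.0"; exit 1 }
            print "OK: 443 listener bound to " listen_ip ", httpd local only"; exit 0
        }' "$1"
}

# Demo on the constructed sample. On a real server the arguments would be
# /usr/vpnserver/vpn_server.config and "$(config getprop httpd-e-smith httpsOnlyLocal)".
demo=$(mktemp)
sample_config > "$demo"
check_443 "$demo" disabled || echo "(exit status $?)"
check_443 "$demo" enabled  || echo "(exit status $?)"
sed 's/ListenIP 0\.0\.0\.0/ListenIP 192.0.2.10/' "$demo" > "$demo.fixed"   # 192.0.2.10 is a documentation address
check_443 "$demo.fixed" enabled
rm -f "$demo" "$demo.fixed"
```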
Finishing configuration using windows
Note: the Windows utility works great with Wine under Linux.
Download Management Interface
For the latest versions of SoftEther components please check http://www.softether-download.com/en.aspx
After installation Click On New Setting
Set Setting Name, Set Host Name, Choose Port Number 5555
Connect
Create Management Password
Choose Remote Access VPN Server
Create Virtual Hub Name
Set Dynamic DNS if Needed (Dynamic IP)
Enable L2TP/IPSec And Create Pre-Shared Key (no more than 10 characters, for compatibility with Android)
PSK lengths greater than 9 characters ARE able to be entered and saved. See the following post from the SoftEther forums and the English-language dialog box that is referenced in that post: http://www.vpnusers.com/viewtopic.php?f=7&t=8405. Setting a PSK length greater than 9 requires answering that dialog box with No; beware of issues with Android when the length is greater than 10.
Disable VPN Azure
Create User(s)
Set User Name, Authentication Method, Password
Create Local Bridge
Choose Virtual Hub, Choose Bridge With Tap Device, Set Tap Device Name : soft
Finishing configuration with windows using the SME radius to auth users
One must set the Radius server credentials in the SoftEther VPN server manager (thus the info of the SME Server itself):
host: localhost or 127.0.0.1
UDP port 1812
key: default shared secret that can be found with:
cat /etc/radiusclient-ng/servers
Then create a 'passthrough user' with the username of '*', set Auth Type to Radius and enable security policy. The default policy allows all SME Server users.
If you previously created SME Server users manually, you can delete these so there is ONLY one user called '*'
Finally one must set the pre-shared key also in the L2TP settings of the virtualhub
All SME Server users should now be able to create a VPN connection. Since Softether VPN is not 'integrated' yet into the db and templating system, one does not need to enable VPN access on SME Server user accounts. This option in Server Manager will be ignored by Softether VPN. By default when authenticating against the SME Server Radius server all users will be able to create a VPN connection.
If you want to deny VPN access to some SME Server users one must create separate user accounts in VPN manager with the username of SME Server, set authentication to Radius and enable security policy. Then edit the security policy and set it to disabled. The SME Server user is no longer allowed to create a VPN.
Finishing configuration using CLI
TODO
You can first connect using :
vpncmd `config get ExternalIP`:5555 /SERVER /CMD ServerPasswordSet
then you will be asked to change the password.
Subsequent access can be done with:
vpncmd `config get ExternalIP`:5555 /SERVER
Configuration
You can list the available configuration with the following command:
config show vpnserver
Some of the properties are not shown, but are defaulted in a template or a script. Here is a more comprehensive list with default and expected values:
property | default | values
---|---|---
TCPPorts | 1194,5555 | comma-separated port numbers
UDPPorts | 1194,500,1701,4500 | comma-separated port numbers
access | public | private, public
status | enabled | enabled, disabled
Another important property is the following (enabled allows port 443 to be used for the VPN on the external interface):
config getprop httpd-e-smith httpsOnlyLocal
Uninstall
yum remove smeserver-softethervpn-server softethervpn-server
config delprop httpd-e-smith httpsOnlyLocal
signal-event remoteaccess-update
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-softethervpn-server component or use this link
Below is an overview of the current issues for this contrib:
ID | Product | Version | Status | Summary (5 tasks) ⇒ |
---|---|---|---|---|
12334 | SME Contribs | 10.0 | RESOLVED | add backup list |
12333 | SME Contribs | 10.0 | RESOLVED | /etc/raddb/users has moved to /etc/raddb/mods-config/files/authorize |
12093 | SME Contribs | 10.0 | CONFIRMED | Update softether to latest source 4.39, needs openssl3.0.2 |
11330 | SME Contribs | 10alpha | IN_PROGRESS | Update softethervpn package so that it stands alone |
10915 | SME Contribs | 9.3 | CONFIRMED | NFR: initial configuration using action /event |
Changelog
Only versions released in smecontribs are listed here.
- move template custom to core for https access on local only [SME: 11511]
- Fix-Environment-in-service-file [SME: 11329]
- Fix-vpnserver-path-in-service-file-override [SME: 11326]
- Patch-Service-File-for-SME10 [SME: 11326]
2021/01/16 Brian Read 4.34-2.sme
- Initial import to SME10 tree [SME: 11326]
Other articles in this category
Ipsec, Libreswan, Libreswan-xl2tpd, OpenVPN, OpenVPN Bridge, OpenVPN Bridge/fr, OpenVPN Routed, OpenVPN SiteToSite, SME Server wishlist, SoftEther VPN, Softethervpn-server, VPN, Wireguard