Changes

3,544 bytes added ,  07:53, 18 April 2021
Line 1: Line 1: −
{{WIP box}}
+
{{Warning box|This How-to while still working in March 2020, is outdated.
 +
Please note that a contribs is now available here [[Softethervpn-server]] to configure a Softethernet server on a SME as Server Gateway.
 +
You can still use as reference this page for the windows client configuration and for the configuration on a server only.}}
 +
 
 
==Maintainer==
 
==Maintainer==
 
This howto has been developed by [[User:beckynet|Olivier Beeckmans]]
 
This howto has been developed by [[User:beckynet|Olivier Beeckmans]]
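Review bot: the new warning box has typos that should be fixed before it replaces the WIP box: "Softethernet server" should be "SoftEther server", "a contribs is now available" should be "a contrib is now available", and the first sentence needs a comma after "How-to". The last sentence would read better as "You can still use this page as a reference for ...".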
Line 5: Line 8:  
Sources info are located here : http://www.softether.org/
 
Sources info are located here : http://www.softether.org/
   −
Placeholder for http://forums.contribs.org/index.php/topic,52134.0.html
+
Compiled from http://forums.contribs.org/index.php/topic,52134.0.html
 
  −
==Status==
  −
{{Note box|Project Under Development.}}
      
==Description==
 
==Description==
Line 88: Line 88:  
|-
 
|-
 
|}
 
|}
      
or you can manually add the portforwarding rules:
 
or you can manually add the portforwarding rules:
Line 106: Line 105:       −
= For SME 9.x 32 Bits =
+
===For SME 9.x 32 Bits===
    
  cd /opt
 
  cd /opt
  wget http://www.softether-download.com/files/softether/v4.20-9608-rtm-2016.04.17-tree/Linux/SoftEther_VPN_Server/32bit_-_Intel_x86/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x86-32bit.tar.gz
+
  wget http://www.softether-download.com/files/softether/v4.25-9656-rtm-2018.01.15-tree/Linux/SoftEther_VPN_Server/32bit_-_Intel_x86/softether-vpnserver-v4.25-9656-rtm-2018.01.15-linux-x86-32bit.tar.gz
 
  tar zxvf softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x86-32bit.tar.gz
 
  tar zxvf softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x86-32bit.tar.gz
 
  cd vpnserver
 
  cd vpnserver
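Review bot: the tar line in the 32-bit block still extracts softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x86-32bit.tar.gz, but the wget line above it now fetches the v4.25-9656-rtm-2018.01.15 archive, so the steps fail at extraction when followed as written. Update the tar filename to match the download, or save the download under a fixed name with wget -O so the two lines cannot drift apart on the next version bump.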
Line 115: Line 114:  
  ./vpnserver start
 
  ./vpnserver start
   −
= For SME 9.x 64 Bits =
+
===For SME 9.x 64 Bits===
    
  cd /opt
 
  cd /opt
  wget http://www.softether-download.com/files/softether/v4.20-9608-rtm-2016.04.17-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz
+
  wget http://www.softether-download.com/files/softether/v4.25-9656-rtm-2018.01.15-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.25-9656-rtm-2018.01.15-linux-x64-64bit.tar.gz
 
  tar zxvf softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz
 
  tar zxvf softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz
 
  cd vpnserver
 
  cd vpnserver
 
  make # Read and Accept License Agreement, after compile (1 min)
 
  make # Read and Accept License Agreement, after compile (1 min)
 
  ./vpnserver start
 
  ./vpnserver start
<headertabs />
+
 
    
Remove gcc for security reasons:
 
Remove gcc for security reasons:
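Review bot: the 64-bit block has the same filename mismatch: wget now fetches softether-vpnserver-v4.25-9656-rtm-2018.01.15-linux-x64-64bit.tar.gz while the unchanged tar zxvf line still names the v4.20-9608 archive. Fix the tar line together with the 32-bit one.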
Line 131: Line 130:     
Download Management Interface<BR>
 
Download Management Interface<BR>
http://www.softether-download.com/files/softether/v4.20-9608-rtm-2016.04.17-tree/Windows/SoftEther_VPN_Server_and_VPN_Bridge/softether-vpnserver_vpnbridge-v4.20-9608-rtm-2016.04.17-windows-x86_x64-intel.exe
+
http://www.softether-download.com/files/softether/v4.25-9656-rtm-2018.01.15-tree/Windows/SoftEther_VPN_Server_and_VPN_Bridge/softether-vpnserver_vpnbridge-v4.25-9656-rtm-2018.01.15-windows-x86_x64-intel.exe
    
For the latest versions of SoftEther components please check http://www.softether-download.com/en.aspx
 
For the latest versions of SoftEther components please check http://www.softether-download.com/en.aspx
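Review bot: the management interface link points at a Windows .exe over plain http and the page gives the reader nothing to verify it against. Add the expected checksum next to the link, or tell readers to compare the file against the value published on the download site, since this installer is run on an administrator workstation.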
Line 158: Line 157:  
Enable L2TP/IPSec And Create Pre-Shared Key (No More Of 10 Charactere for compatibility with Android)<BR>
 
Enable L2TP/IPSec And Create Pre-Shared Key (No More Of 10 Charactere for compatibility with Android)<BR>
 
[[Image:SoftEther_WIN_8.png]]
 
[[Image:SoftEther_WIN_8.png]]
 +
 +
PSK lengths greater than 9 characters ARE able to be entered and saved, See following post from Softether forums and English lang dialog box that is referenced in that post:  http://www.vpnusers.com/viewtopic.php?f=7&t=8405 it requires the answering of the following dialog box with No to set a PSK length greater than 9, beware of issues with Android when length is greater than 10
 +
 +
[[Image:Softether-psk.png|500px]]
    
Disable VPN Azure<BR>
 
Disable VPN Azure<BR>
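Review bot: the added PSK paragraph uses two different thresholds ("greater than 9" for the dialog box, "greater than 10" for the Android problems) next to an unchanged line that says no more than 10 characters; state one limit for each case and split the run-on sentence. A pre-shared key of 9 or 10 characters is short for IPsec, so the text should also say that the limit only matters when Android clients connect and recommend a longer key otherwise.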
Line 289: Line 292:     
==Radius authentication==
 
==Radius authentication==
First set the Radius server credentials (thus the info of SME Server itself)
+
 
  host: 127.0.0.1
+
A custom template fragment is required to force ldap authentication for Radius. Create the template fragment:
 +
mkdir -p /etc/e-smith/templates-custom/etc/raddb/users/
 +
echo "DEFAULT Auth-Type := LDAP" > /etc/e-smith/templates-custom/etc/raddb/users/40ldap
 +
Then we need to expand the template fragments and restart radiusd:
 +
signal-event remoteaccess-update
 +
 
 +
Then one must set the Radius server credentials in the Softether VPN server manager (thus the info of SME Server itself)
 +
  host: localhost or 127.0.0.1
 
  UDP port 1812
 
  UDP port 1812
 
  key: default shared secret that can be found with:
 
  key: default shared secret that can be found with:
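Review bot: the text introducing "DEFAULT Auth-Type := LDAP" should say that a DEFAULT entry in the users file matches every user, so the fragment changes authentication for all Radius requests on the server and not only for SoftEther logins. The echo with ">" also overwrites any existing 40ldap fragment without notice. The added mkdir, echo and signal-event lines have no leading space, unlike the "host:" and "UDP port" lines below them, so they will not render as a command block; indent them.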
Line 296: Line 306:  
[[Image:softether_radius.png|600px]]
 
[[Image:softether_radius.png|600px]]
   −
Secondly create a 'passthrough user' with the username of '*', set Auth Type to Radius and enable security policy. The default policy enables allows all SME Server users.
+
The  create a 'passthrough user' with the username of '*', set Auth Type to Radius and enable security policy. The default policy enables allows all SME Server users.
    
If you previously created SME Server users manually, you can delete these so there is ONLY one user called '*'
 
If you previously created SME Server users manually, you can delete these so there is ONLY one user called '*'
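Review bot: "The  create a 'passthrough user'" lost a word when "Secondly" was replaced; it should read "Then create a 'passthrough user'". The next sentence still says "enables allows"; keep one verb.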
Line 302: Line 312:  
[[Image:softether_user.png|600px]]
 
[[Image:softether_user.png|600px]]
   −
All SME Server users should now be able to create a VPN connection.
+
Finally one must set the pre-shared key '''also''' in the L2TP settings of the virtualhub
 +
 
 +
[[Image:softether-L2TP-1.png|600px]]
 +
 
 +
[[Image:softether-L2TP-2.png|600px]]
 +
 
 +
All SME Server users should now be able to create a VPN connection. Since Softether VPN is not 'integrated' yet into the db and templating system, one does not need to enable VPN access on SME Server user accounts. This option in Server Manager will be ignored by Softether VPN. By default when authenticating against the SME Server Radius server all users will be able to create a VPN connection.
 +
 
 +
If you want to deny VPN access to some SME Server users one must create separate user accounts in VPN manager with the username of SME Server, set authentication to Radius and enable security policy. Then edit the security policy and set it to disabled. The SME Server user is no longer allowed to create a VPN.
 +
 
 +
==Server Only Mode==
 +
If you have configured your SME server to be in server only mode then it isn't routing traffic in and out of your network. It has been found that with some modem/routers you may need to enable the Virtual DHCP Server functions of Softether so as to access remote lan resources.
 +
 
 +
From the Softether VPN server manager connect to the relevant VPN server
 +
 
 +
[[File:SoftEther_WIN_3.png]]
 +
 
 +
Select Manage selected virtual hub
 +
 
 +
[[File:Semanage.png]]
 +
 
 +
Select Virtual Nat and Virtual DHCP
 +
 
 +
[[File:Semanagehub.png]]
 +
 
 +
Select enable secure NAT and then SecureNAT Configuration
 +
 
 +
[[File:Sevirtnatset.png]]
 +
 
 +
In Virtual DHCP Server Settings Set IP range settings as appropriate for the remote lan.
   −
==TODO==
+
[[File:Sevirtnat.png]]
   −
Create a rpm with softether vpnserver RTM<BR>
+
==Disable SME Server PPTPD service==
Create a rpm with a bridge for softether<BR>
+
After verifying that your new Softether VPN is working, you may disable the default (and insecure) SME Server PPTPD service:
<s>Use SME Radius</s>
+
config setprop pptpd status disabled
 +
signal-event remoteaccess-update
 +
 
 +
==Uninstall==
 +
To completely remove SoftEther from your SME Server you may run the below commands. You may safely ignore any warning if you did not install some of the components.
 +
service vpnserver stop
 +
rm -f /etc/rc7.d/S79vpnserver
 +
rm -f /etc/init.d/vpnserver
 +
rm -fR /opt/vpnserver
 +
db portforward_tcp delete 1194
 +
db portforward_tcp delete 5555
 +
db portforward_udp delete 1194
 +
db portforward_udp delete 500
 +
db portforward_udp delete 1701
 +
db portforward_udp delete 4500
 +
yum remove smeserver-bridge-interface
 +
db configuration delete bridge
 +
rm -f /etc/e-smith/templates-custom/etc/raddb/clients.conf/10localhost
 +
rm -f /etc/e-smith/templates-custom/etc/radiusclient-ng/servers/10localhost
 +
rm -f /etc/e-smith/templates-custom/etc/raddb/users/40ldap
 +
signal-event post-upgrade; signal-event reboot
    
==Hints and tips==
 
==Hints and tips==
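Review bot: the paragraph after the L2TP screenshots says every SME Server user can open a VPN by default and that the VPN access option in Server Manager is ignored, but it is buried in running text; move it into a {{Warning box}} like the one at the top of the page, because an admin relying on the per-user VPN option would grant access without intending to. In the Uninstall block, the last line "signal-event post-upgrade; signal-event reboot" reboots the server and the introductory sentence does not mention it; say so before the command list.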
Line 314: Line 373:     
----
 
----
[[Category:Contrib]]
+
[[Category:Howto]]
 
[[Category:Administration:VPN]]
 
[[Category:Administration:VPN]]
 
[[Category:VPN]]
 
[[Category:VPN]]