Softethervpn-server

From SME Server
Revision as of 03:40, 29 March 2020 by Unnilennium (talk | contribs) (initial work)
Jump to navigation Jump to search




Selogo.jpg
softethervpn-server logo
MaintainerUnnilennium
Urlhttps://www.softether.org
LicenceApache License 2.0
Category

Contrib

Tags VPN


PythonIcon.png Advanced
The instructions on this page may require deviations from default procedures. A good understanding of linux and SME is recommended


[[Category: {{{1}}}]]

Warning.png Warning:
This contrib will help you to do the basic integration but you will still need to do most of the configuration needed and take some decision


Maintainer

JP Pialasse

Version

Devel 10:
Contrib 10:
Alpha 9:
smeserver-softethervpn-server
The latest version of smeserver-softethervpn-server is available in the SME repository, click on the version number(s) for more information.


Contrib 10:
Alpha 9:
softethervpn
The latest version of softethervpn is available in the SME repository, click on the version number(s) for more information.


Description

SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris. SoftEther VPN is open source. You can use SoftEther for any personal or commercial use for free charge. SoftEther VPN is an optimum alternative to OpenVPN andMicrosoft's VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8 / 10. No more need to pay expensive charges for Windows Server license for Remote-Access VPN function. SoftEther VPN can be used to realize BYOD (Bring your own device) on your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN's L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN's L2TP VPN Server has strong compatible withWindows, Mac, iOS and Android.


 

Installation

yum install smeserver-bridge --enablerepo=smecontribs
yum --enablerepo=smecontribs,smedev install smeserver-softethervpn-server 
config setprop bridge tap0,tap_soft
config setprop ExternalInterface MTU 2000 
config setprop InternalInterface MTU 2000
config setprop bridge MTU 2000
service bridge start
expand-template /etc/raddb/users
signal-event remoteaccess-update 

if you plan to use softether VPN on port 443 (works only if you are in server and gateway mode). Yes you have to stop and then start, restart will fail. You also need a static IP to use port 443

config setprop httpd-e-smith httpsOnlyLocal enabled 
expand-template /etc/httpd/conf/httpd.conf 
service httpd-e-smith stop 
service httpd-e-smith start
service vpnserver start 
service vpnserver stop 

then edit the configuration

vim /usr/vpnserver/vpn_server.config

to set in place of 0.0.0.0

string ListenIP ip.ip.ip.ip

Then, for all to finish:

service vpnserver start 

Finishing configuration using windows

Note: the windows utility works great with wine under Linuc.

Download Management Interface

http://www.softether-download.com/files/softether/v4.25-9656-rtm-2018.01.15-tree/Windows/SoftEther_VPN_Server_and_VPN_Bridge/softether-vpnserver_vpnbridge-v4.25-9656-rtm-2018.01.15-windows-x86_x64-intel.exe

For the latest versions of SoftEther components please check http://www.softether-download.com/en.aspx

After installation Clic On New Setting

 

Set Setting Name, Set Host Name, Choose Port Number 5555

 

Connect

 

Create Management Password

 

Choose Remote Access VPN Server

 

Create Virtual Hub Name

 

Set Dynamic DNS if Needed (Dynamic IP)

 

Enable L2TP/IPSec And Create Pre-Shared Key (No More Of 10 Charactere for compatibility with Android)

 

PSK lengths greater than 9 characters ARE able to be entered and saved, See following post from Softether forums and English lang dialog box that is referenced in that post: http://www.vpnusers.com/viewtopic.php?f=7&t=8405 it requires the answering of the following dialog box with No to set a PSK length greater than 9, beware of issues with Android when length is greater than 10

 

Disable VPN Azure

 

Create User(s)

 

Set User Name, Autentification Method, Password

 

Create Local Bridge

  Warning:
Ensure Listener List TCP 443 is stopped or deleted, otherwise loss of access to server manager and apache will be lost on some occasions.

If you have chosen in the first part of the install to force httpd to only listen on Local interface, then you can start the 443 Listener


Create Local Bridge

  Warning:
Ensure Listener List TCP 443 is stopped or deleted, otherwise loss of access to server manager and apache will be lost on reboot.


 

Choose Virtual Hub, Choose Bridge With Tap Device, Set Tap Device Name : soft

 

Finishing configuration with windows using the SME radius to auth users

one must set the Radius server credentials in the Softether VPN server manager (thus the info of SME Server itself)

host: localhost or 127.0.0.1
UDP port 1812
key: default shared secret that can be found with:
cat /etc/radiusclient-ng/servers

 

The create a 'passthrough user' with the username of '*', set Auth Type to Radius and enable security policy. The default policy enables allows all SME Server users.

If you previously created SME Server users manually, you can delete these so there is ONLY one user called '*'

 

Finally one must set the pre-shared key also in the L2TP settings of the virtualhub

 

 

All SME Server users should now be able to create a VPN connection. Since Softether VPN is not 'integrated' yet into the db and templating system, one does not need to enable VPN access on SME Server user accounts. This option in Server Manager will be ignored by Softether VPN. By default when authenticating against the SME Server Radius server all users will be able to create a VPN connection.

If you want to deny VPN access to some SME Server users one must create separate user accounts in VPN manager with the username of SME Server, set authentication to Radius and enable security policy. Then edit the security policy and set it to disabled. The SME Server user is no longer allowed to create a VPN.

Finishing configuration using CLI

TODO

You can first connect using :

vpncmd `config get ExternalIP`:5555 /SERVER /CMD ServerPasswordSet

then you will be asked to change the password.

Following access could be done

vpncmd `config get ExternalIP`:5555 /SERVER

Configuration

you can list the available configuration with the followinf command :

config show vpnserver

Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :

property default values
TCPPorts 1194,5555 coma separated port numbers
UDPPorts 1194,500,1701,4500 coma separated port numbers
access public private, public
status enabled enabled,disabled

also mportant other propertie is (enabled will allow to use 443 port for VPN on external interface):

config getprop httpd-e-smith httpsOnlyLocal

Uninstall

yum remove smeserver-softethervpn-server  softethervpn-server 
config delprop httpd-e-smith httpsOnlyLocal 
signal-event remoteaccess-update

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-softethervpn-server component or use this link


Below is an overview of the current issues for this contrib:

IDProductVersionStatusSummary (5 tasks)
12334SME Contribs10.0RESOLVEDadd backup list
12333SME Contribs10.0RESOLVED/etc/raddb/users has moved to /etc/raddb/mods-config/files/authorize
12093SME Contribs10.0CONFIRMEDUpdate softether to latest source 4.39, needs openssl3.0.2
11330SME Contribs10alphaIN_PROGRESSUpdate softethervpn package so that it stands alone
10915SME Contribs9.3CONFIRMEDNFR: initial configuration using action /event

Changelog

Only released version in smecontrib are listed here.

smeserver-softethervpn-server Changelog: SME 10 (smecontribs)
2021/03/30 Jean-Philippe Pialasse 4.34-7.sme
- move template custom to core for https access on local only [SME: 11511]
2021/01/25 Brian Read 4.34-6.sme
- Fix-Environment-in-service-file [SME: 11329]
2021/01/24 Brian Read 4.34-5.sme
- Fix-vpnserver-path-in-service-file-override [SME: 11326]
2021/01/23 Brian Read 4.34-4.sme
- Patch-Service-File-for-SME10 [SME: 11326]

2021/01/16 Brian Read 4.34-2.sme
- Initial import to SME10 tree [SME: 11326]

- Update-Createlinks-for-systemd