Difference between revisions of "Softethervpn-server"
Unnilennium (talk | contribs) (Created page with "{{Languages}} <!-- here we define the contrib name variable --> <!-- we get the page title, remove suffix for translated version; if needed you can define there with the value...") |
Unnilennium (talk | contribs) (initial work) |
||
| Line 15: | Line 15: | ||
|category= Contrib | |category= Contrib | ||
|tags= VPN | |tags= VPN | ||
| − | }} | + | }}{{Level|2=The instructions on this page may require deviations from default procedures. A good understanding of linux and SME is recommended|type=Advanced}}{{Warning box|This contrib will help you to do the basic integration but you will still need to do most of the configuration needed and take some decision}} |
===Maintainer=== | ===Maintainer=== | ||
| Line 27: | Line 27: | ||
=== Description === | === Description === | ||
| − | + | SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris. SoftEther VPN is open source. You can use SoftEther for any personal or commercial use for free charge. SoftEther VPN is an optimum alternative to OpenVPN andMicrosoft's VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8 / 10. No more need to pay expensive charges for Windows Server license for Remote-Access VPN function. SoftEther VPN can be used to realize BYOD (Bring your own device) on your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN's L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN's L2TP VPN Server has strong compatible withWindows, Mac, iOS and Android. | |
| + | [[Image:SoftEther_Schematic.jpg|link=https://wiki.contribs.org/File:SoftEther_Schematic.jpg]] | ||
=== Installation === | === Installation === | ||
| − | yum --enablerepo=smecontribs install {{#var:smecontribname}} | + | yum install smeserver-bridge --enablerepo=smecontribs |
| + | yum --enablerepo=smecontribs,smedev install {{#var:smecontribname}} | ||
| + | config setprop bridge tap0,tap_soft | ||
| + | config setprop ExternalInterface MTU 2000 | ||
| + | config setprop InternalInterface MTU 2000 | ||
| + | config setprop bridge MTU 2000 | ||
| + | service bridge start | ||
| + | expand-template /etc/raddb/users | ||
| + | signal-event remoteaccess-update | ||
| + | if you plan to use softether VPN on port 443 (works only if you are in server and gateway mode). Yes you have to stop and then start, restart will fail. You also need a static IP to use port 443 | ||
| + | config setprop httpd-e-smith httpsOnlyLocal enabled | ||
| + | expand-template /etc/httpd/conf/httpd.conf | ||
| + | service httpd-e-smith stop | ||
| + | service httpd-e-smith start | ||
| + | service vpnserver start | ||
| + | service vpnserver stop | ||
| + | then edit the configuration | ||
| + | vim /usr/vpnserver/vpn_server.config | ||
| + | to set in place of 0.0.0.0<syntaxhighlight lang="bash"> | ||
| + | string ListenIP ip.ip.ip.ip | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | Then, for all to finish: | ||
| + | service vpnserver start | ||
| + | |||
| + | ==== Finishing configuration using windows ==== | ||
| + | Note: the windows utility works great with wine under Linuc. | ||
| + | |||
| + | Download Management Interface | ||
| + | |||
| + | http://www.softether-download.com/files/softether/v4.25-9656-rtm-2018.01.15-tree/Windows/SoftEther_VPN_Server_and_VPN_Bridge/softether-vpnserver_vpnbridge-v4.25-9656-rtm-2018.01.15-windows-x86_x64-intel.exe | ||
| + | |||
| + | For the latest versions of SoftEther components please check http://www.softether-download.com/en.aspx | ||
| + | |||
| + | After installation Clic On New Setting | ||
| + | |||
| + | [[Image:SoftEther_WIN_1.png|link=https://wiki.contribs.org/File:SoftEther_WIN_1.png]] | ||
| + | |||
| + | Set Setting Name, Set Host Name, Choose Port Number 5555 | ||
| + | |||
| + | [[Image:SoftEther_WIN_2.png|link=https://wiki.contribs.org/File:SoftEther_WIN_2.png]] | ||
| + | |||
| + | Connect | ||
| + | |||
| + | [[Image:SoftEther_WIN_3.png|link=https://wiki.contribs.org/File:SoftEther_WIN_3.png]] | ||
| + | |||
| + | Create Management Password | ||
| + | |||
| + | [[Image:SoftEther_WIN_4.png|link=https://wiki.contribs.org/File:SoftEther_WIN_4.png]] | ||
| + | |||
| + | Choose Remote Access VPN Server | ||
| + | |||
| + | [[Image:SoftEther_WIN_5.png|link=https://wiki.contribs.org/File:SoftEther_WIN_5.png]] | ||
| + | |||
| + | Create Virtual Hub Name | ||
| + | |||
| + | [[Image:SoftEther_WIN_6.png|link=https://wiki.contribs.org/File:SoftEther_WIN_6.png]] | ||
| + | |||
| + | Set Dynamic DNS if Needed (Dynamic IP) | ||
| + | |||
| + | [[Image:SoftEther_WIN_7.png|link=https://wiki.contribs.org/File:SoftEther_WIN_7.png]] | ||
| + | |||
| + | Enable L2TP/IPSec And Create Pre-Shared Key (No More Of 10 Charactere for compatibility with Android) | ||
| + | |||
| + | [[Image:SoftEther_WIN_8.png|link=https://wiki.contribs.org/File:SoftEther_WIN_8.png]] | ||
| + | |||
| + | PSK lengths greater than 9 characters ARE able to be entered and saved, See following post from Softether forums and English lang dialog box that is referenced in that post: http://www.vpnusers.com/viewtopic.php?f=7&t=8405 it requires the answering of the following dialog box with No to set a PSK length greater than 9, beware of issues with Android when length is greater than 10 | ||
| + | |||
| + | [[Image:Softether-psk.png|500px|link=https://wiki.contribs.org/File:Softether-psk.png]] | ||
| + | |||
| + | Disable VPN Azure | ||
| + | |||
| + | [[Image:SoftEther_WIN_9.png|link=https://wiki.contribs.org/File:SoftEther_WIN_9.png]] | ||
| + | |||
| + | Create User(s) | ||
| + | |||
| + | [[Image:SoftEther_WIN_10.png|link=https://wiki.contribs.org/File:SoftEther_WIN_10.png]] | ||
| + | |||
| + | Set User Name, Autentification Method, Password | ||
| + | |||
| + | [[Image:SoftEther_WIN_11.png|link=https://wiki.contribs.org/File:SoftEther_WIN_11.png]] | ||
| + | |||
| + | Create Local Bridge{{Warning box|Ensure Listener List TCP 443 is stopped or deleted, otherwise loss of access to server manager and apache will be lost on some occasions. | ||
| + | |||
| + | If you have chosen in the first part of the install to force httpd to only listen on Local interface, then you can start the 443 Listener}}Create Local Bridge{{Warning box|Ensure Listener List TCP 443 is stopped or deleted, otherwise loss of access to server manager and apache will be lost on reboot.}}[[Image:SoftEther_WIN_14.png|link=https://wiki.contribs.org/File:SoftEther_WIN_14.png]] | ||
| + | |||
| + | Choose Virtual Hub, Choose Bridge With Tap Device, Set Tap Device Name : soft | ||
| + | |||
| + | [[Image:SoftEther_WIN_15.png|link=https://wiki.contribs.org/File:SoftEther_WIN_15.png]] | ||
| + | |||
| + | ==== Finishing configuration with windows using the SME radius to auth users ==== | ||
| + | one must set the Radius server credentials in the Softether VPN server manager (thus the info of SME Server itself) | ||
| + | host: localhost or 127.0.0.1 | ||
| + | UDP port 1812 | ||
| + | key: default shared secret that can be found with: | ||
| + | cat /etc/radiusclient-ng/servers | ||
| + | [[Image:softether_radius.png|600px|link=https://wiki.contribs.org/File:Softether_radius.png]] | ||
| + | |||
| + | The create a 'passthrough user' with the username of '*', set Auth Type to Radius and enable security policy. The default policy enables allows all SME Server users. | ||
| + | |||
| + | If you previously created SME Server users manually, you can delete these so there is ONLY one user called '*' | ||
| + | |||
| + | [[Image:softether_user.png|600px|link=https://wiki.contribs.org/File:Softether_user.png]] | ||
| + | |||
| + | Finally one must set the pre-shared key '''also''' in the L2TP settings of the virtualhub | ||
| + | |||
| + | [[Image:softether-L2TP-1.png|600px|link=https://wiki.contribs.org/File:Softether-L2TP-1.png]] | ||
| + | |||
| + | [[Image:softether-L2TP-2.png|600px|link=https://wiki.contribs.org/File:Softether-L2TP-2.png]] | ||
| + | |||
| + | All SME Server users should now be able to create a VPN connection. Since Softether VPN is not 'integrated' yet into the db and templating system, one does not need to enable VPN access on SME Server user accounts. This option in Server Manager will be ignored by Softether VPN. By default when authenticating against the SME Server Radius server all users will be able to create a VPN connection. | ||
| + | |||
| + | If you want to deny VPN access to some SME Server users one must create separate user accounts in VPN manager with the username of SME Server, set authentication to Radius and enable security policy. Then edit the security policy and set it to disabled. The SME Server user is no longer allowed to create a VPN. | ||
| + | |||
| + | ==== Finishing configuration using CLI ==== | ||
| + | '''TODO''' | ||
| + | |||
| + | You can first connect using : | ||
| + | |||
| + | vpncmd `config get ExternalIP`:5555 /SERVER /CMD ServerPasswordSet | ||
| + | |||
| + | then you will be asked to change the password. | ||
| + | |||
| + | Following access could be done | ||
| + | |||
| + | vpncmd `config get ExternalIP`:5555 /SERVER | ||
=== Configuration === | === Configuration === | ||
you can list the available configuration with the followinf command : | you can list the available configuration with the followinf command : | ||
| − | config show | + | config show vpnserver |
Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values : | Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values : | ||
| Line 45: | Line 171: | ||
! | ! | ||
|- | |- | ||
| − | | | + | |TCPPorts |
| − | | | + | |1194,5555 |
| − | | | + | |coma separated port numbers |
| − | | | + | | |
|- | |- | ||
| − | | | + | |UDPPorts |
| − | | | + | |1194,500,1701,4500 |
| − | | | + | |coma separated port numbers |
| − | | | + | | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
|- | |- | ||
|access | |access | ||
| − | | | + | |public |
|private, public | |private, public | ||
| | | | ||
| Line 69: | Line 190: | ||
|enabled,disabled | |enabled,disabled | ||
|} | |} | ||
| − | + | also mportant other propertie is (enabled will allow to use 443 port for VPN on external interface): | |
| − | + | config getprop httpd-e-smith httpsOnlyLocal | |
=== Uninstall === | === Uninstall === | ||
| − | yum remove {{#var:smecontribname}} {{#var:contribname}} | + | yum remove {{#var:smecontribname}} {{#var:contribname}} |
| + | config delprop httpd-e-smith httpsOnlyLocal | ||
| + | signal-event remoteaccess-update | ||
=== Bugs === | === Bugs === | ||
| Line 84: | Line 207: | ||
Only released version in smecontrib are listed here. | Only released version in smecontrib are listed here. | ||
| − | {{ #smechangelog: {{#var:smecontribname}} }} | + | {{#smechangelog: {{#var:smecontribname}} }} |
| Line 91: | Line 214: | ||
<!-- Please keep there the template revision number as is --> | <!-- Please keep there the template revision number as is --> | ||
| − | |||
| − | |||
Revision as of 03:40, 29 March 2020
 | |
| softethervpn-server logo | |
| Maintainer | Unnilennium |
|---|---|
| Url | https://www.softether.org |
| Licence | Apache License 2.0 |
| Category | |
| Tags | VPN |
[[Category: {{{1}}}]]
Maintainer
Version
Description
SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris. SoftEther VPN is open source. You can use SoftEther for any personal or commercial use for free charge. SoftEther VPN is an optimum alternative to OpenVPN andMicrosoft's VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8 / 10. No more need to pay expensive charges for Windows Server license for Remote-Access VPN function. SoftEther VPN can be used to realize BYOD (Bring your own device) on your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN's L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN's L2TP VPN Server has strong compatible withWindows, Mac, iOS and Android.
Installation
yum install smeserver-bridge --enablerepo=smecontribs yum --enablerepo=smecontribs,smedev install smeserver-softethervpn-server config setprop bridge tap0,tap_soft config setprop ExternalInterface MTU 2000 config setprop InternalInterface MTU 2000 config setprop bridge MTU 2000 service bridge start expand-template /etc/raddb/users signal-event remoteaccess-update
if you plan to use softether VPN on port 443 (works only if you are in server and gateway mode). Yes you have to stop and then start, restart will fail. You also need a static IP to use port 443
config setprop httpd-e-smith httpsOnlyLocal enabled expand-template /etc/httpd/conf/httpd.conf service httpd-e-smith stop service httpd-e-smith start service vpnserver start service vpnserver stop
then edit the configuration
vim /usr/vpnserver/vpn_server.config
to set in place of 0.0.0.0
string ListenIP ip.ip.ip.ip
Then, for all to finish:
service vpnserver start
Finishing configuration using windows
Note: the windows utility works great with wine under Linuc.
Download Management Interface
For the latest versions of SoftEther components please check http://www.softether-download.com/en.aspx
After installation Clic On New Setting
Set Setting Name, Set Host Name, Choose Port Number 5555
Connect
Create Management Password
Choose Remote Access VPN Server
Create Virtual Hub Name
Set Dynamic DNS if Needed (Dynamic IP)
Enable L2TP/IPSec And Create Pre-Shared Key (No More Of 10 Charactere for compatibility with Android)
PSK lengths greater than 9 characters ARE able to be entered and saved, See following post from Softether forums and English lang dialog box that is referenced in that post: http://www.vpnusers.com/viewtopic.php?f=7&t=8405 it requires the answering of the following dialog box with No to set a PSK length greater than 9, beware of issues with Android when length is greater than 10
Disable VPN Azure
Create User(s)
Set User Name, Autentification Method, Password
Create Local Bridge
Create Local Bridge
Choose Virtual Hub, Choose Bridge With Tap Device, Set Tap Device Name : soft
Finishing configuration with windows using the SME radius to auth users
one must set the Radius server credentials in the Softether VPN server manager (thus the info of SME Server itself)
host: localhost or 127.0.0.1 UDP port 1812 key: default shared secret that can be found with: cat /etc/radiusclient-ng/servers
The create a 'passthrough user' with the username of '*', set Auth Type to Radius and enable security policy. The default policy enables allows all SME Server users.
If you previously created SME Server users manually, you can delete these so there is ONLY one user called '*'
Finally one must set the pre-shared key also in the L2TP settings of the virtualhub
All SME Server users should now be able to create a VPN connection. Since Softether VPN is not 'integrated' yet into the db and templating system, one does not need to enable VPN access on SME Server user accounts. This option in Server Manager will be ignored by Softether VPN. By default when authenticating against the SME Server Radius server all users will be able to create a VPN connection.
If you want to deny VPN access to some SME Server users one must create separate user accounts in VPN manager with the username of SME Server, set authentication to Radius and enable security policy. Then edit the security policy and set it to disabled. The SME Server user is no longer allowed to create a VPN.
Finishing configuration using CLI
TODO
You can first connect using :
vpncmd `config get ExternalIP`:5555 /SERVER /CMD ServerPasswordSet
then you will be asked to change the password.
Following access could be done
vpncmd `config get ExternalIP`:5555 /SERVER
Configuration
you can list the available configuration with the followinf command :
config show vpnserver
Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :
| property | default | values | |
|---|---|---|---|
| TCPPorts | 1194,5555 | coma separated port numbers | |
| UDPPorts | 1194,500,1701,4500 | coma separated port numbers | |
| access | public | private, public | |
| status | enabled | enabled,disabled |
also mportant other propertie is (enabled will allow to use 443 port for VPN on external interface):
config getprop httpd-e-smith httpsOnlyLocal
Uninstall
yum remove smeserver-softethervpn-server softethervpn-server config delprop httpd-e-smith httpsOnlyLocal signal-event remoteaccess-update
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-softethervpn-server component or use this link
Below is an overview of the current issues for this contrib:
| ID | Product | Version | Status | Summary (5 tasks) ⇒ |
|---|---|---|---|---|
| 12334 | SME Contribs | 10.0 | RESOLVED | add backup list |
| 12333 | SME Contribs | 10.0 | RESOLVED | /etc/raddb/users has moved to /etc/raddb/mods-config/files/authorize |
| 12093 | SME Contribs | 10.0 | CONFIRMED | Update softether to latest source 4.39, needs openssl3.0.2 |
| 11330 | SME Contribs | 10alpha | IN_PROGRESS | Update softethervpn package so that it stands alone |
| 10915 | SME Contribs | 9.3 | CONFIRMED | NFR: initial configuration using action /event |
Changelog
Only released version in smecontrib are listed here.
- move template custom to core for https access on local only [SME: 11511]
- Fix-Environment-in-service-file [SME: 11329]
- Fix-vpnserver-path-in-service-file-override [SME: 11326]
- Patch-Service-File-for-SME10 [SME: 11326]
2021/01/16 Brian Read 4.34-2.sme
- Initial import to SME10 tree [SME: 11326]
