
Sunday, January 25, 2015

SoftEther VPN

OpenVPN has provided a great, solid solution over the years, and I've installed many point-to-point links as well as VPNs for commercial and private use.  While I'm certainly a fan, circumstances have warranted investigating a new solution, specifically one that provides L2TP/IPsec server functionality and additional throughput.  Enter SoftEther.

SoftEther is a multi-protocol VPN package that runs on Mac, Linux, FreeBSD and Windows.  Thanks to its OpenVPN clone function, migrating from OpenVPN is easy: you can connect using the same client you previously used against an OpenVPN server.  Furthermore, the L2TP capability aids connectivity with iOS and Android devices.  A full review of the specifications and capabilities can be found at softether.org.

For my purposes, I needed to provide VPN access from an iPhone, plus a LAN-to-LAN bridge connecting several commercial offices.

My specifications, as you can see, were initially very conservative.  I found that even a system with as little as 512MB of memory and 5G of storage was capable of providing a reasonable VPN for a small office or home use.  While not necessary, I chose to run a separate server or virtual machine for VPN access.

  • Virtual Machine
    • Debian 7
    • 1G memory (a virtual machine makes it easy to adjust this based on usage)
    • 10G Storage

1. Install Debian 

I used the mini.iso, selecting no options other than the standard system tools.  I like to run lean and don't use a GUI on any production system.

Acquire the necessary tools for compiling SoftEther.

apt-get install build-essential

2. Download & Install SoftEther

Wget or Lynx are your best options.

apt-get install lynx
lynx http://www.softether-download.com/files/softether/

You have multiple versions to choose from.  I've typically used the 'rtm' builds rather than 'beta', but the choice is yours.

Once you locate your version of choice and architecture, highlight it and press "d" to download.  When prompted, choose "save to disk".

I keep my downloads in /usr/local/src.

cd /usr/local/src
tar xvfz softether-vpnserver-version-number-you-downloaded.tar.gz

The archive extracts into a vpnserver directory.

cd /usr/local/src/vpnserver
make

You'll be prompted to read the License Agreement; confirm that you have read it and agree to it.

Any issues with 'make' are likely due to unmet dependencies.  Verify that you completed the step of installing the 'build-essential' package.

My habit is to move services to the /etc folder.

mv /usr/local/src/vpnserver /etc
cd /etc/vpnserver
chmod 600 *
chmod 700 vpnserver
chmod 700 vpncmd

Create the startup script.

vi /etc/init.d/vpnserver

Example:

#!/bin/sh
# SoftEther VPN Server init script
DAEMON=/etc/vpnserver/vpnserver
# /var/lock/subsys must already exist (see the note below)
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
case "$1" in
start)
    $DAEMON start
    touch $LOCK
    ;;
stop)
    $DAEMON stop
    # -f so that stop does not fail if the lock was never created
    rm -f $LOCK
    ;;
restart)
    $DAEMON stop
    sleep 3
    $DAEMON start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

chmod 755 /etc/init.d/vpnserver

Debian makes it easy to update the run levels and have SoftEther start on boot up.

update-rc.d vpnserver defaults

Note the use of /var/lock/subsys; you'll need to create that directory.

Start SoftEther

/etc/init.d/vpnserver start

3. Check the installation and configure.

cd /etc/vpnserver
./vpncmd

Check the installation by choosing option 3, then run:

check
exit

Virtual Hub

./vpncmd

Choose option 1 this time.

HubCreate SoftVPN

You now need to select the Hub you just created (much like selecting a database).

Hub SoftVPN
SecureNatEnable
UserCreate NewUserName

There are different ways to authenticate (please read up and determine how best to proceed for your circumstances).

UserPasswordSet NewUserName

Enable L2TP:

IPsecEnable

This is a very basic configuration.  There are a multitude of other options available, far beyond what I've described here.  I'd also suggest changing or setting an administrative password, which wasn't covered here but is a single simple command.

A few items I intend to write a follow-up on are:
  • Certificate Setup & Generation
  • OpenVPN Compatibility Configuration
  • SSTP Config
  • Client Configuration
  • LAN to LAN Bridge

Wednesday, July 27, 2011

OpenVPN - Bridging Mode

Scope:  OpenVPN 2.2.0 on CentOS 5.6

Previously I documented the install of OpenVPN on Debian in a bridged configuration.  Later I installed a similar setup on CentOS 5.6 and found that some additional steps were required.

As a placeholder and reminder:

Create the ifcfg-br0 file.

cat /etc/sysconfig/network-scripts/ifcfg-br0

DEVICE=br0
TYPE=Bridge
IPADDR=192.168.0.100
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
ONBOOT=yes

Modify the ifcfg-eth0 file (or the file for whichever interface you are bridging).

cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes

Set scripts to run at start-up.

Wednesday, July 21, 2010

OpenVPN - Linux Client

How-to connect a Linux server to another Linux server via OpenVPN, command line style.

apt-get install openvpn

Copy the example client.conf file

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn

I then edited the client.conf file down as listed below for my initial testing.  Please be sure to adjust according to your own Server configuration as well as proper names for the ca, key and crt files.

#---- OpenVPN client.conf --------------
dev tap0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
remote hostname.com 1194
ca ca.crt
cert hostname.crt
key hostname.key
verb 3

Restart OpenVPN.

/etc/init.d/openvpn start

Test by pinging or logging into the remote server.

Tuesday, February 9, 2010

OpenVPN Howto

Scope:  

1.  Installation of OpenVPN was completed with apt

apt-get install openvpn

The following extra packages were installed when the above command was initiated.

libpkcs11-helper1 
openvpn-blacklist
 
2.  Next, determine whether you will use a routed or a bridged VPN.  OpenVPN has a more in-depth write-up of the differences here.  Each requires a different set of parameters in the OpenVPN configuration file, but it is well documented.  I configured my installation first as routed and then transitioned to a bridged model.

Bridging advantages
  • Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows NetBIOS file sharing and network neighborhood browsing to work.
  • No route statements to configure.
  • Works with any protocol that can function over ethernet, including IPv4, IPv6, Netware IPX, AppleTalk, etc.
  • Relatively easy-to-configure solution for road warriors.

Bridging disadvantages

  • Less efficient than routing, and does not scale well.

Routing advantages

  • Efficiency and scalability.
  • Allows better tuning of MTU for efficiency.

Routing disadvantages

  • Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work.
  • Routes must be set up linking each subnet.
  • Software that depends on broadcasts will not "see" machines on the other side of the VPN.
  • Works only with IPv4 in general, and IPv6 in cases where tun drivers on both ends of the connection support it explicitly.

3.  Certificates need to be generated for both the server and clients.

NOTE:  You must place the key and crt files for the server and client in the same directory as your .conf files unless you explicitly state otherwise in the conf file.

mkdir /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

3a.  Edit the default values necessary for the certificates.

vi /etc/openvpn/easy-rsa/vars

3b. Generate the Certificate Authority that will be used to sign the certificates.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca

3c. Create server keys.

./build-key-server server

3d.  Generate the Diffie-Hellman parameters.

./build-dh

3e. Create client keys.

./build-key client1

4. Configure server.conf file.  OpenVPN example found at http://openvpn.net/index.php/open-source/documentation/howto.html#examples

NOTE: The logging directives require that you create the /var/log/openvpn directory; I went ahead and created the two log files as well.  This example is specifically for a bridged configuration.  Please see the example linked above for detailed explanations of the various settings and options.

##################
# server.conf
##################
local 192.168.0.10
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
client-config-dir ccd
server-bridge 192.168.0.10 255.255.255.0 192.168.0.150 192.168.0.160
ifconfig-pool-persist ipp.txt
route 192.168.0.0 255.255.255.0
client-to-client
keepalive 10 120
#comp-lzo
max-clients 15
#user nobody
#group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
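As an added check (my own example, not part of this post or of OpenVPN), here is a small Python linter that parses configs in the format above and flags the hardening points that the server.conf here and the client.conf in the previous post leave out: root is not dropped (the user/group lines are commented), the control channel has no tls-auth/tls-crypt, client-to-client is on, compression could be enabled, and the client has no remote-cert-tls server. The configs embedded in it are constructed, trimmed copies of the two on this page; ta.key is a placeholder file name.

```python
def parse_openvpn(text):
    """Map active directives to arg lists; '#'/';' comments are dropped, so '#user nobody' counts as unset."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def lint_openvpn(text):
    """Return hardening findings for a server or client config (empty list = clean)."""
    o = parse_openvpn(text)
    is_server = "server" in o or "server-bridge" in o
    findings = []
    if is_server and not ("user" in o and "group" in o):
        findings.append("no user/group: the daemon keeps root after initialisation")
    if is_server and "client-to-client" in o:
        findings.append("client-to-client: peers can reach each other through the server")
    if "comp-lzo" in o or "compress" in o:
        findings.append("compression enabled: exposes tunnel contents to compression side channels")
    if "tls-auth" not in o and "tls-crypt" not in o:
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets")
    if not is_server and "remote-cert-tls" not in o and "ns-cert-type" not in o:
        findings.append("no remote-cert-tls server: any cert from the same CA can pose as the server")
    return findings

# Constructed, trimmed copies of the post's server.conf and client.conf.
SERVER_CONF = """port 1194
server-bridge 192.168.0.10 255.255.255.0 192.168.0.150 192.168.0.160
client-to-client
#comp-lzo
#user nobody
#group nobody
"""
CLIENT_CONF = """remote hostname.com 1194
ca ca.crt
cert hostname.crt
key hostname.key
"""
# Same client config with the two missing directives added (ta.key is a placeholder name).
HARDENED_CLIENT_CONF = CLIENT_CONF + "remote-cert-tls server\ntls-auth ta.key 1\n"

if __name__ == "__main__":
    for name, conf in (("server.conf", SERVER_CONF), ("client.conf", CLIENT_CONF),
                       ("client.conf (hardened)", HARDENED_CLIENT_CONF)):
        print(name, lint_openvpn(conf) or ["no findings"])
```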

5.  Acquire the package needed by the bridge configuration script.

apt-get install bridge-utils

6. Configure the openvpn-bridge script.  I did not have good luck with the example script included on the openvpn.net site.  I opted to utilize the one listed here and it has been successful on multiple systems.  

Edit based on your network settings.

#!/bin/bash

#################################
# OpenVPN Bridge
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"

eth_ip="192.168.0.10"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
gw="192.168.0.1"

case "$1" in
    start)
        # Create the persistent TAP device(s) OpenVPN will attach to
        for t in $tap; do
            openvpn --mktun --dev $t
        done

        # Build the bridge and add the physical NIC and the TAP(s) to it
        brctl addbr $br
        brctl addif $br $eth
        for t in $tap; do
            brctl addif $br $t
        done

        # Member interfaces carry no address of their own; the bridge gets it
        for t in $tap; do
            ifconfig $t 0.0.0.0 promisc up
        done
        ifconfig $eth 0.0.0.0 promisc up

        ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
        route add default gw $gw
        ;;
    stop)
        ifconfig $br down
        brctl delbr $br

        for t in $tap; do
            openvpn --rmtun --dev $t
        done

        # Hand the address back to the physical NIC
        ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
        route add default gw $gw
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
exit 0

7. Set openvpn-bridge script to run at startup. (Please test first.)

update-rc.d openvpn-bridge defaults

8. Once the bridge is up and functional you can proceed to start OpenVPN.

/etc/init.d/openvpn start

9. Firewall. Make the necessary firewall changes to allow your clients to connect on the specified port.

10. Client review and configuration to follow....