
Configuring SoftEtherVPN VPN Server for Linux
- Tutorial

As was already reported on Habr, at the very beginning of January this year a very interesting and, in its way, unique project was released under the GPLv2 license: SoftEther VPN. It was written by students of the Japanese University of Tsukuba. The product positions itself as a VPN server supporting a huge number of tunneling protocols: L2TP, L2TP/IPsec, L2TPv3/IPsec, MS-SSTP, EtherIP/IPsec, OpenVPN, SSL-VPN (proprietary), L2VPN, as well as such tricks as tunneling over ICMP and DNS. It tunnels at both layer 3 and layer 2, and supports VLANs and IPv6. It runs on almost every known platform (even ARM and MIPS) and does not require root privileges. The full specification can be found here. To be honest, when I saw the feature list of this program I simply could not believe my eyes and thought: "If THIS works, then I MUST test it!"
This article will describe the installation and configuration of SoftEther VPN Server for Linux. In the next article I will try to draw beautiful comparative performance graphs.
This software has an unusually nice interface on Windows; under Linux, however, all configuration is done through the CLI. The manual is certainly good, but to me it seemed overly detailed, biased toward the graphical interface, and full of garish Japanese screenshots. So I decided to set out the main CLI commands for those who are too lazy to wade through a lot of English.
For starters, install this miracle. I had a VPS with 64-bit Debian 7 on board, so the choice was obvious. I warn you right away: install only from GitHub (currently release version 4.04 build 9412)! The official site offers sources for different platforms, but the catch is that the makefiles there were generated in some sadistic way, and all you get out is two files: the server binary itself and its CLI utility. Nothing about copying to /usr/bin/ or other civilized things. The makefile on GitHub, by contrast, behaves much more friendly (although it still doesn't produce an init script, the pest).
Before installing the program, I recommend going here and finding out what it needs for the build. For example, I had to install a number of libraries (they can be removed afterwards):
# apt-get install libreadline-dev libssl-dev libncurses5-dev zlib1g-dev
Installation itself is not just simple but very simple, though I should note that instead of "make install" I use "checkinstall", so that the apt package manager knows about the new program and can later remove it cleanly (more details here). Along the way the installer will ask you to read the license agreement and to specify your platform and OS bitness. By the way, it will install the program into /usr/vpnserver/ and the binaries into /usr/bin/ no matter what, keep that in mind. If you don't like the installation path, you can change it by hand in the makefile.

# git clone github.com/SoftEtherVPN/SoftEtherVPN.git
# cd SoftEtherVPN
# ./configure
# make
# checkinstall

At the end of the installation it will say:

--------------------------------------------------------------------
Installation completed successfully.

Execute 'vpnserver start' to run the SoftEther VPN Server background service.
Execute 'vpnbridge start' to run the SoftEther VPN Bridge background service.
Execute 'vpnclient start' to run the SoftEther VPN Client background service.
Execute 'vpncmd' to run SoftEther VPN Command-Line Utility to configure VPN Server, VPN Bridge or VPN Client.
--------------------------------------------------------------------

From this it is clear enough how this thing is started and stopped. You can leave it at that, or you can take the simple init script from the site, which gives us a more familiar way of doing the same.

So, the VPN server is installed and can be started:

# vpnserver start
SoftEther VPN Server Service Started.

On to the configuration. In general, the manual offers two ways to do it: through its own command line vpncmd, or through the configuration file vpn_server.config, with a strong preference for the first. The vendor considers editing the configuration file a risky business and does everything it can to dissuade us from it. The thing is that the server continuously reads this file, and any change to it takes effect on the server immediately. The only case where configuring via the config file is justified is when the VPN server is stopped. I don't know why it was done this way, but the author surely knows better. In any case, the program has a good CLI, and after working with it you simply forget that the config file exists.
By the way, right after installation I noticed that the program was for some reason connecting to the address 130.158.6.77:80. It turned out there is nothing suspicious about it: this is how the server sends keepalive packets to its own website (keepalive.softether.org:80) so that various PPP sessions don't drop by timeout. I disabled this function immediately after installation with the KeepDisable command.
So, right after start-up the VPN server is already running and accepting connections on TCP ports 443 (SSL-VPN), 992, 1194 (OpenVPN) and 5555 (the port numbers can be changed with the ListenerCreate and ListenerDelete commands); however, before you can use it you need to make a few simple settings. We enter the CLI with the vpncmd command:

# vpncmd
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.04 Build 9412 (English)
Compiled 2014/01/15 17:22:14 by yagi at pc25
Copyright (c) SoftEther VPN Project. All Rights Reserved.

By using vpncmd program, the following can be achieved.

1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)

Select 1, 2 or 3:

Choice 1 takes us to server management mode, choice 2 to client management mode, and choice 3 to the mode for testing and creating server certificates. Select 1; the program will ask for the IP address of the server we want to connect to (Hostname of IP Address of Destination:), just press Enter, since we are going to manage the local server. For the third and last time the program asks for the name of the virtual hub (Specify Virtual Hub Name:) we will be working with. We are not going to work with virtual hubs yet, so press Enter again and land at the command line of the server itself.
It is necessary to explain what virtual hubs are in the developer's terminology. A virtual hub is a fairly independent instance of a VPN server with its own set of settings for virtual interfaces, security policies and VPN protocols. In total, up to 4096 virtual hubs can be created, and they do not intersect with each other at either layer 2 or layer 3, that is, they are completely isolated from one another. Each virtual hub works with its own set of users and knows nothing about the users of another virtual hub, even though they live on the same physical server. On the other hand, if we want, we can configure them to interact with each other; in the author's terminology this is called a Virtual bridge / router. Thus, a virtual hub is what
After entering vpncmd we are greeted with:

Connection has been established with VPN Server "localhost" (port 443).
You have administrator privileges for the entire VPN Server.

VPN Server>

You can type help to read the list of commands.
The first thing we must do is set the server's administrator (root) password. This is done with the ServerPasswordSet command. Next, as I wrote above, disable the keepalive packets with the KeepDisable command.
Next, create a virtual hub with the HubCreate <virtual hub name> command, for example:

VPN Server>hubcreate vpn
HubCreate command - Create New Virtual Hub
Please enter the password. To cancel press the Ctrl+D key.

Password:

You can set an admin password for the new hub, which later makes it possible to delegate administration of this hub to another person. For simplicity you can just press Enter and skip it (the SetHubPassword command exists for doing it later). After creating the hub, we must enter its administration mode with the Hub vpn command. You can view the hub status with the StatusGet command; I won't show its output here, because it is long and quite self-explanatory. The hub can be taken offline with the Offline command and brought back with the Online command.
I liked the SetEnumDeny command. The thing is that as soon as you enter the VPN server's address in the VPN client, it immediately hands you the names of all virtual hubs registered on the server, as in the picture. This command forbids showing the given hub's name in that list. A small bonus to security, but a bonus.

Okay, let's do something more interesting. We create a user with the UserCreate command and set its password with UserPasswordSet. The commands are very simple, and with minimal English you will understand the server's dialog messages. At this stage, for simplicity, we won't bother with certificates and will trust the self-signed server certificate that it generated at installation.
That's basically all: the minimal setup is complete, and we can connect to our server by specifying its IP address and any of the ports from ListenerList. The author recommends port 5555, since that port does not require root privileges on the system. I have already shown the VPN client window above; everything there is intuitive and very pretty. Authentication passes and a VPN tunnel is established. However, in this form the tunnel is of little use: it only gives access to the server itself and nowhere else.
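Here is an added example of my own (not code from the article or from the SoftEther project) that turns the steps above into a non-interactive vpncmd batch: a POSIX shell script writes the commands, one per line, to a file, and vpncmd applies it with its /IN: option. Assumed: vpncmd is on PATH, the server listens on localhost:5555, the administrator password is still empty (fresh install), and the passwords come from the environment variables VPN_ADMIN_PASSWORD, VPN_HUB_PASSWORD and VPN_USER_PASSWORD, whose names I chose. The command names are the ones from the text; the parameter spellings (/PASSWORD, /GROUP, /REALNAME, /NOTE, /SERVER, /IN) are as I remember them from vpncmd's built-in help, so confirm them with "help <Command>" inside vpncmd if your build differs.

```shell
#!/bin/sh
# Added example, not from the article: first-time SoftEther setup as a vpncmd
# batch file instead of the interactive dialog. Env var names are my own choice;
# parameter spellings are from memory of vpncmd's help ("help <Command>").
set -eu

# build_setup_script OUTFILE HUB USER
# Writes the vpncmd commands from the article, one per line. Secrets are read
# from the environment so nothing is hard-coded; the file is created 0600
# because it will contain them. Prints the number of commands written.
build_setup_script() {
  outfile=$1 hub=$2 user=$3
  : "${VPN_ADMIN_PASSWORD:?export VPN_ADMIN_PASSWORD first}"
  : "${VPN_HUB_PASSWORD:?export VPN_HUB_PASSWORD first}"
  : "${VPN_USER_PASSWORD:?export VPN_USER_PASSWORD first}"
  (
    umask 077
    cat > "$outfile" <<EOF
ServerPasswordSet $VPN_ADMIN_PASSWORD
KeepDisable
HubCreate $hub /PASSWORD:$VPN_HUB_PASSWORD
Hub $hub
SetEnumDeny
UserCreate $user /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet $user /PASSWORD:$VPN_USER_PASSWORD
EOF
  )
  wc -l < "$outfile" | tr -d ' '
}

# vpncmd_invocation SCRIPT
# Prints the command that applies the batch to the local server. On a fresh
# install the administrator password is empty, so no /PASSWORD: is passed;
# once ServerPasswordSet has run, later runs need it, and answering vpncmd's
# prompt is preferable to /PASSWORD:... on the command line (visible in ps).
vpncmd_invocation() {
  printf 'vpncmd localhost:5555 /SERVER /IN:%s\n' "$1"
}

# Usage on the VPN host (runs only when the secrets are exported):
if [ -n "${VPN_ADMIN_PASSWORD:-}" ] && [ -n "${VPN_HUB_PASSWORD:-}" ] \
   && [ -n "${VPN_USER_PASSWORD:-}" ]; then
  script=$(mktemp)
  n=$(build_setup_script "$script" vpn alice)
  echo "$n commands written to $script; apply with:"
  vpncmd_invocation "$script"
  echo "then delete $script, it contains the passwords"
fi
```

The batch does in one pass what the article does by hand: master password, keepalive off, hub "vpn" hidden from enumeration, and one user. Delete the batch file after applying it, since it holds every password in clear text.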
Suppose our task is broader and we want to use the VPN server to access the corporate network. To do this we need to configure NAT. This is done quite simply with the SecureNATEnable command. DHCP is enabled automatically along with NAT.
In general, SecureNAT is a rather interesting technology from the SoftEther VPN authors. As we know, network address translation in *NIX systems is performed in the kernel, so you need superuser rights to configure NAT. The SoftEther VPN developers decided that was excessive and wrote their own TCP/IP stack, so that filtering and NAT are done in user space. A cool idea; I don't know whether it was worth it, but it works, that's a fact!
You can change the SecureNAT interface address with the SecureNatHostSet command (by default 192.168.30.1/24), and the range of issued addresses and other DHCP options (for example, the default gateway and DNS server) with the DhcpSet command. Isn't the CLI friendly? For example, if you type "secure?" and press Enter, a list of possible completions is displayed:

VPN Server/vpn>secure?
"secure": The command-name is ambiguous.
The specified command name matches the following multiple commands.
SecureNatDisable - Disable the Virtual NAT and DHCP Server Function (SecureNat Function)
SecureNatEnable - Enable the Virtual NAT and DHCP Server Function (SecureNat Function)
SecureNatHostGet - Get Network Interface Setting of Virtual Host of SecureNAT Function
SecureNatHostSet - Change Network Interface Setting of Virtual Host of SecureNAT Function
SecureNatStatusGet - Get the Operating Status of the Virtual NAT and DHCP Server Function (SecureNat Function)
Please re-specify the command name more strictly.

By default no packet filtering is applied, i.e. VPN clients can reach the corporate subnet without restriction and use the corporate Internet connection, if there is one. Optionally, firewall rules can be added with the AccessAdd command. As firewall criteria you can specify the user name, source and destination MAC and IP addresses, ports, protocols and TCP flags. And most importantly, it works, I checked! Note also that the filtering rules of different virtual hubs do not affect each other in any way, which lets you control access to the corporate environment flexibly.
As a nice bonus, Dynamic DNS is available from softether.net. You can register your VPN server in DDNS with the DynamicDnsSetHostname command, after which you enter the desired third-level domain name. You end up with something like myvpn.softether.net. Agreed, a trifle, but nice, and completely free at that!
Let's talk about VPN protocols. I tested L2TP/IPsec and OpenVPN. Setting up these two seemingly very different protocols turned out to be quite simple. OpenVPN is enabled from the start on UDP port 1194, but for it to work you need to enter IPsecEnable in global server mode (the Hub command without parameters) and then answer a series of questions about whether we want to enable plain L2TP, encrypted L2TP/IPsec, and L2TPv3/IPsec. The most important questions are the pre-shared key (PSK) for IPsec and the Default Hub. The PSK is clear enough: it is the key that must be entered on the client device, but I'll say more about the Default Hub.
The thing is that OpenVPN itself does not run over IPsec, but it inherits the account policy from IPsec. Therefore, when connecting with the OpenVPN protocol, a username and password will be requested. The username must be entered in the format "user@hub", but if we specify which hub is used by default, the "@hub" part can be omitted.
You can generate a config file for OpenVPN with the OpenVpnMakeConfig command and then specify where to save the generated file. This file can be fed straight to an OpenVPN client and the connection will come up. The file is provided in two variants at once: Layer2VPN and Layer3VPN, that is, the VPN server as a switch and the VPN server as a router. Both work perfectly. Convenient!
Configuring L2TP/IPsec turned out to be entirely trivial: after the IPsecEnable command nothing needs to be changed on the server; in the settings of, say, the Windows built-in VPN client you select the L2TP IPsec VPN protocol, in the advanced settings specify the pre-shared key (PSK) we already set, and of course enter the credentials in the format mentioned above.
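The firewall and protocol steps above, as an added example of my own (not the article's or the project's code): a second vpncmd batch that enables L2TP/IPsec with a PSK and a default hub, exports the OpenVPN client config, turns on SecureNAT, and replaces the default allow-everything behaviour with a deny-by-default access list limited to one user and one intranet subnet. Two caveats a practitioner should know: a lower /PRIORITY number wins, and, as far as I know, the access list is stateless per packet, so replies from the subnet and from the SecureNAT virtual host (192.168.30.1, the default from the text, assumed here to also answer DHCP and DNS for clients) need their own pass rules. The environment variable VPN_PSK and the helper names are mine, and the AccessAdd/IPsecEnable parameter spellings (/MEMO, /PRIORITY, /SRCUSERNAME, /DESTUSERNAME, /SRCIP, /DESTIP, /PROTOCOL, /SRCPORT, /DESTPORT, /L2TP, /L2TPRAW, /ETHERIP, /PSK, /DEFAULTHUB) are as I recall them from vpncmd's help output; confirm them with "help AccessAdd" and "help IPsecEnable" on your build.

```shell
#!/bin/sh
# Added example, not from the article: SecureNAT plus a deny-by-default access
# list and L2TP/IPsec + OpenVPN enablement as one vpncmd batch. Parameter
# spellings are from memory of vpncmd's help; confirm with "help AccessAdd".
set -eu

SECURENAT_HOST=192.168.30.1   # default SecureNAT address given in the text

# prefix_to_mask PREFIXLEN -> dotted netmask (AccessAdd takes ip/mask form)
prefix_to_mask() {
  p=$1 m=""
  for i in 1 2 3 4; do
    if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
    elif [ "$p" -le 0 ]; then o=0
    else o=$((256 - (1 << (8 - p)))); p=0
    fi
    m="$m${m:+.}$o"
  done
  printf '%s\n' "$m"
}

# build_access_script OUTFILE HUB USER NET/PREFIX OVPN_OUT
# Server-level commands first (IPsecEnable, OpenVpnMakeConfig), then the hub.
# Rules are ordered by /PRIORITY (lower number wins). The catch-all discard
# only matches IPv4 ("ip"), so ARP on the hub is left alone. Prints the
# translated subnet (net/mask) so callers can check the conversion.
build_access_script() {
  outfile=$1 hub=$2 user=$3 cidr=$4 ovpn_out=$5
  : "${VPN_PSK:?export VPN_PSK first}"
  net=${cidr%/*}
  mask=$(prefix_to_mask "${cidr#*/}")
  (
    umask 077
    cat > "$outfile" <<EOF
IPsecEnable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:$VPN_PSK /DEFAULTHUB:$hub
OpenVpnMakeConfig $ovpn_out
Hub $hub
SecureNatEnable
AccessAdd pass /MEMO:dhcp /PRIORITY:10 /PROTOCOL:udp /SRCPORT:67-68 /DESTPORT:67-68
AccessAdd pass /MEMO:dns-query /PRIORITY:20 /DESTIP:$SECURENAT_HOST/255.255.255.255 /PROTOCOL:udp /DESTPORT:53
AccessAdd pass /MEMO:dns-reply /PRIORITY:21 /SRCIP:$SECURENAT_HOST/255.255.255.255 /PROTOCOL:udp /SRCPORT:53
AccessAdd pass /MEMO:$user-to-intranet /PRIORITY:100 /SRCUSERNAME:$user /DESTIP:$net/$mask /PROTOCOL:ip
AccessAdd pass /MEMO:intranet-to-$user /PRIORITY:101 /DESTUSERNAME:$user /SRCIP:$net/$mask /PROTOCOL:ip
AccessAdd discard /MEMO:default-deny /PRIORITY:1000 /PROTOCOL:ip
EOF
  )
  printf '%s/%s\n' "$net" "$mask"
}

# Usage on the VPN host (runs only when VPN_PSK is exported):
if [ -n "${VPN_PSK:-}" ]; then
  script=$(mktemp)
  build_access_script "$script" vpn alice 10.0.0.0/24 /root/openvpn-config.zip
  echo "apply with: vpncmd localhost:5555 /SERVER /IN:$script  (then delete it)"
fi
```

After applying it, check with a client that DHCP and DNS still work and that only the intranet subnet is reachable; with the default-deny in place, the corporate Internet connection the text mentions is no longer reachable through the tunnel unless you add a pass rule for it.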
Everything is configured the same way on Android. I checked it on 4.2.1; everything works with only the built-in tools.
Conclusion: SoftEther VPN is a very powerful and, most importantly, convenient tool for building VPN tunnels. Of course, I did not test all of its features, but in most cases the ones I have described are enough. In the near future I will try to publish comparative performance tests, as well as tests of such absurd things as VPN over ICMP and DNS. I don't want to deal with the SSL-VPN and MS-SSTP protocols yet, out of reluctance to bother with certificates; besides, I still need to look at such features of the program as load balancing aka clustering, fault tolerance, RADIUS and AD authentication, and Layer 2 VPN, including VLAN trunking!
So it seems to me that this software is, at the very least, worth a closer look. The vendor positions its product as superior to OpenVPN in everything and even promises gigabit throughput. In short, it needs testing! At this stage, I really like this thing.