Sunday, January 25, 2015

SoftEther VPN

OpenVPN has provided a great solid solution over the years and I've installed many point to point solutions as well as VPNs for commercial and private use.  While I'm certainly a fan, circumstances have warranted investigating a new solution, specifically one that provides L2TP/IPsec server functionality and additional throughput.  Enter SoftEther.

SoftEther is a multi-protocol VPN software that runs on Mac, Linux, FreeBSD and Windows.  Due to the clone function, it even allows for easy integration from OpenVPN, meaning you can connect using the client you previously used to connect to an OpenVPN server.  Furthermore the L2TP capability aids in connectivity with iOS and Android devices.  A full review of the specifications and capability can be found at softether.org.

For my purposes, I needed the ability to provide VPN access from an iPhone, and a LAN to LAN bridge to connect several commercial offices. 

My specifications, as you can see below, were initially very conservative.  I found that even a system with as little as 512MB and 5G of storage was capable of providing a reasonable VPN for a small office or home use.  While not necessary, I chose to run a separate server or virtual machine for VPN access.

  • Virtual Machine
    • Debian 7
    • 1G RAM (a virtual machine allows for easy modification based on usage)
    • 10G Storage

1. Install Debian 

I used the mini.iso and selected no options other than system tools.  I like to run lean and don't use a GUI on any production system.

Acquire the necessary tools for compiling SoftEther.

apt-get install build-essential

2. Download & Install SoftEther

Wget or Lynx are your best options.

apt-get install lynx
lynx http://www.softether-download.com/files/softether/

You have multiple different versions to choose from.  I've typically utilized the 'rtm' versions instead of 'beta' but the choice is yours.

Once you locate your version of choice and architecture, highlight it and press "d" to download.  When prompted, choose "save to disk".

I keep my downloads in /usr/local/src.

cd /usr/local/src
tar xvfz softether-vpnserver-version-number-you-downloaded.tar.gz

The archive will extract and create a vpnserver directory.

cd /usr/local/src/vpnserver
make

You'll be prompted to read the License Agreement; confirm that you have read it and agree to it.

Any issues with 'make' are likely due to unmet dependencies.  Verify you completed the step of installing the 'build-essential' components.

My habit is to move services to the /etc folder.

mv /usr/local/src/vpnserver /etc
cd /etc/vpnserver
chmod 600 *
chmod 700 vpnserver
chmod 700 vpncmd

Create the startup script:

vi /etc/init.d/vpnserver

Example:

#!/bin/sh
# SoftEther
DAEMON=/etc/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

chmod 755 /etc/init.d/vpnserver
Debian makes it easy to update the run levels and have SoftEther start on boot up.

update-rc.d vpnserver defaults

Note the use of /var/lock/subsys in the script; this directory does not exist by default, so you'll need to create it before the first start.

Start SoftEther

/etc/init.d/vpnserver start
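Before starting the service, it is worth confirming that the permission step above was applied to every file under /etc/vpnserver (the server config holds hub and user secrets) and that the lock directory the init script touches exists. The following post-install check script is an added example, not part of SoftEther or the original post; it assumes GNU find (as on Debian) and the install path used above, and the file names in the test are constructed:

```shell
#!/bin/sh
# Post-install sanity check for the /etc/vpnserver layout built above.
# Added example; assumes GNU find (-perm /mode) as shipped with Debian.
set -u

# Return 0 when no regular file under $1 has any group/other permission
# bits set, i.e. the chmod 600/700 step covered everything. Offending
# paths are printed one per line; return 1 if any were found, 2 if the
# directory is missing.
check_vpnserver_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    bad=$(find "$dir" -type f -perm /077 -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Return 0 when the two binaries the init script and the admin step
# rely on (vpnserver, vpncmd) are present and executable.
check_vpnserver_bins() {
    dir=$1
    rc=0
    for b in vpnserver vpncmd; do
        [ -x "$dir/$b" ] || { echo "not executable: $dir/$b" >&2; rc=1; }
    done
    return $rc
}

# Return 0 when the lock directory used by the init script exists
# (Debian does not create /var/lock/subsys on its own).
check_lock_dir() {
    [ -d "${1:-/var/lock/subsys}" ]
}

# Run every check; returns non-zero if any of them failed.
run_checks() {
    dir=${1:-/etc/vpnserver}
    lock=${2:-/var/lock/subsys}
    rc=0
    check_vpnserver_perms "$dir" || { echo "group/other bits set on files in $dir" >&2; rc=1; }
    check_vpnserver_bins "$dir" || rc=1
    check_lock_dir "$lock" || { echo "create $lock before starting the service" >&2; rc=1; }
    return $rc
}

# Only run when invoked as: sh softether-check.sh --check [install_dir] [lock_dir]
case "${1:-}" in --check) shift; run_checks "$@"; exit $? ;; esac
```

Run it as root after the chmod step; a non-zero exit lists the files that still need tightening or the missing lock directory.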

3. Check Installation and Configure

cd /etc/vpnserver
./vpncmd

Check installation by choosing option 3.

check
exit

Virtual Hub

./vpncmd

Choose option 1 this time.

HubCreate SoftVPN

You now need to select the Hub you just created (much like selecting a database before working in it).

Hub SoftVPN
SecureNatEnable
UserCreate NewUserName

There are different ways to authenticate users (please read the documentation and determine how best to proceed for your circumstances).

UserPasswordSet NewUserName

Enable L2TP/IPsec:

IPsecEnable

This is a very basic configuration.  There are a multitude of other options available, far beyond what I've described here.  I'd also suggest setting an administrative password, which wasn't covered here but is a simple command.

A few items that I intend to write a follow up on are:
  • Certificate Setup & Generation
  • OpenVPN Compatibility Configuration
  • SSTP Config
  • Client Configuration
  • LAN to LAN Bridge
