Setup SoftEther VPN with RADIUS authentication, L2TP over IPsec and OpenVPN on Ubuntu 16.04

In this post I followed most of the content from the Digital Ocean post:

https://www.digitalocean.com/community/tutorials/how-to-setup-a-multi-protocol-vpn-server-using-softether

It explains how to install and configure a multi-protocol VPN server using the SoftEther package, enabling and configuring OpenVPN, L2TP over IPsec and SSTP VPN servers on Linux.

Most of these steps are the common ones every blogger posts. I am listing every step here so that you do not have to hunt for them elsewhere and get confused, and I will also show how to authenticate through a RADIUS server.

Using the command below, update and upgrade your server software packages to the latest version:

Debian / Ubuntu:

apt-get update && apt-get upgrade

Download SoftEther

You can download the latest SoftEther server package for Linux from their website:


Unfortunately, there is no way of getting the latest version through package managers (or even using a single, stable URL) at the moment. Therefore you have to browse their website using a desktop browser to download the package. There are a couple of ways of dealing with this: first, browse their website on your own computer, find the link to the package appropriate for your server (OS, x86/x64, etc.), then use wget to download that package to your server. Alternatively, you can use a terminal based web browser such as lynx to browse the SoftEther website and download the right package.

Here’s how to do it using lynx:

First install lynx on your server:

Debian / Ubuntu:

apt-get install lynx -y

lynx http://www.softether-download.com/files/softether/


I downloaded it through the link listed below:


wget http://www.softether-download.com/files/softether/v4.22-9634-beta-2016.11.27-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.22-9634-beta-2016.11.27-linux-x64-64bit.tar.gz


apt-get install build-essential -y

This installs the C compiler and make needed for the build; next we extract the SoftEther bundle (a .tar.gz, not a zip) and compile it.

Install and Configure SoftEther:

Now we have to extract the package we received from the SoftEther download page and compile it.

tar -zxvf softether-vpnserver-v4.22-9634-beta-2016.11.27-linux-x64-64bit.tar.gz

After extracting it, a directory named vpnserver will be created in the working folder. In order to compile SoftEther, a C compiler and make must be installed on your server; the build-essential package installed above provides them.

First “cd” into vpnserver directory:

cd vpnserver

And now run “make” to compile SoftEther into an executable file:

make

SoftEther will ask you to read and agree with its License Agreement. Select 1 to read the agreement, 1 again to confirm that you have read it, and 1 a final time to agree to the License Agreement.

SoftEther is now compiled into executable files (vpnserver and vpncmd). If the process fails, check that you have all of the required packages installed.

Now that SoftEther is compiled we can move the vpnserver directory somewhere else; here we move it to /usr/local:

cd ..
mv vpnserver /usr/local
cd /usr/local/vpnserver/

And then change the file permissions in order to protect them:

chmod 600 *
chmod 700 vpnserver
chmod 700 vpncmd

If you would like SoftEther to start as a service on boot, create a file named vpnserver in the /etc/init.d directory with the following contents:

First create and open the file using vim

vim /etc/init.d/vpnserver

And paste the following into the file:

#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
# Do nothing if the binary is missing or not executable
test -x $DAEMON || exit 0
case "$1" in
start)
    $DAEMON start
    touch $LOCK
    ;;
stop)
    $DAEMON stop
    rm $LOCK
    ;;
restart)
    $DAEMON stop
    sleep 3
    $DAEMON start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0

Finally save and close the file by pressing esc and typing :wq to close vim.

We have to make a directory at /var/lock/subsys if one does not exist:

mkdir -p /var/lock/subsys

Now change the permissions of the startup script and start vpnserver with the command below:

chmod 755 /etc/init.d/vpnserver && /etc/init.d/vpnserver start

Use the command below to make it run at startup:

Debian / Ubuntu:

update-rc.d vpnserver defaults

SoftEther VPN Server is now installed and configured to run at startup. Finally, we have to check if the VPN server is working:

cd /usr/local/vpnserver
./vpncmd

Now press 3 to choose Use of VPN Tools and then type:

check

If all of the checks pass, then your server is ready to be a SoftEther VPN server and you can move on to the next step. Type “exit” to exit VPN Tools.

We are going to use the vpncmd tool to configure SoftEther VPN.

Change Admin Password
Now that you have SoftEther VPN Server installed, you have to assign an administrator password to use with SoftEther. You can do this using vpncmd, which is SoftEther's command line administration tool:

./vpncmd

Press 1 to select “Management of VPN Server or VPN Bridge”, then press Enter without typing anything to connect to the localhost server, and again press Enter without inputting anything to connect to server by server admin mode.

Then use the command below to change the admin password:

ServerPasswordSet

Create A Virtual Hub
To use SoftEther we must first create a Virtual Hub. Here, as an example, we create a hub named VPN. To do that, enter the command below in the vpncmd tool:

HubCreate VPN

Next you will be asked to enter an administrator password for the hub. This password will be used whenever you are not logged in as server admin mode, and you want to manage that specific hub.

Now select the Virtual Hub you created using this command:

Hub VPN

Enable SecureNAT
There are two ways of connecting your hubs to the server network: using a Local Bridge connection or using the SecureNAT function.

You can use each one separately, but using these two together will cause problems.

Here we use SecureNAT, which is very easy to set up and works well in most situations. You could also use Local Bridge, but then you have to install and configure a DHCP server too.

SecureNAT is a combination of Virtual NAT and DHCP Server function. You can enable SecureNAT using the command below:

SecureNatEnable

Since the users are defined in the RADIUS database, we do not need to create individual users with vpncmd. We do, however, need to create one global user named * (a literal asterisk), which passes the login parameters on to the RADIUS server.

VPN Server/VPN>UserList

It will show nothing at the moment.

So we have to create the * user with the UserCreate command:

VPN Server/VPN>UserCreate *

UserCreate command - Create User
Assigned Group Name:

User Full Name: *

User Description: Radius User

Now run the command UserList.

VPN Server/VPN>Userlist
UserList command - Get List of Users
Item            |Value
----------------+-------------------------
User Name       |*
Full Name       |
Group Name      |-
Description     |
Auth Method     |RADIUS Authentication
Num Logins      |3
Last Login      |2017-08-09 (Wed) 12:34:26
Expiration Date |No Expiration
Transfer Bytes  |9,486,824
Transfer Packets|76,314
The command completed successfully.

Now we have to set up RADIUS authentication for the VPN services. At this point VPN Server/VPN>RadiusServerGet will show nothing, so run VPN Server/VPN>RadiusServerSet and provide the details of the RADIUS server: the RADIUS server IP, the shared secret, and the retry interval (800 milliseconds here). Then run VPN Server/VPN>RadiusServerGet again to confirm the settings:

VPN Server/VPN>RadiusServerGet
RadiusServerGet command - Get Setting of RADIUS Server Used for User Authentication
Item                                   |Value
---------------------------------------+-------------
Use RADIUS Server                      |Enable
RADIUS Server Host Name or IP Address  |**.***.***.**
RADIUS Server Port Number              |1812
Shared Secret                          |testing123
Retry Interval (in milliseconds)       |800
The command completed successfully.
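Before pointing SoftEther at the RADIUS server it is worth confirming, from the VPN host itself, that the shared secret and a test account actually work; this added example (not from the post or the SoftEther project) is a stdlib-only PAP Access-Request client that also verifies the reply's Response Authenticator, so a reply built with the wrong secret is reported rather than trusted. The host, username, password and NAS-Identifier are placeholders you supply.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def encrypt_password(password, secret, authenticator):
    # RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block), first keyed by the authenticator
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, username, password, secret, nas_id=b"softether-check"):
    # Code 1 packet: 4-byte header, 16 random bytes of Request Authenticator, TLV attributes
    authenticator = os.urandom(16)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in (
        (USER_NAME, username.encode()),
        (USER_PASSWORD, encrypt_password(password, secret, authenticator)),
        (NAS_IDENTIFIER, nas_id)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    # Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request_authenticator, secret):
    # Only a reply built with our shared secret and our Request Authenticator verifies
    length = struct.unpack("!H", reply[2:4])[0] if len(reply) >= 20 else 0
    if not 20 <= length <= len(reply):
        return False
    return reply[4:20] == hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()

def check_radius(host, username, password, secret, port=1812, timeout=3.0):
    # Returns 'accept', 'reject', 'other' or 'bad-reply'; raises socket.timeout if the server is silent.
    # Note: testing123 (shown above) is the FreeRADIUS example secret; use a long random one in production.
    packet, authenticator = build_access_request(os.urandom(1)[0], username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    if reply[1] != packet[1] or not reply_is_authentic(reply, authenticator, secret):
        return "bad-reply"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")
```

Run it as check_radius("RADIUS_IP", "testuser", "testpassword", b"your-shared-secret") from the VPN host; the RADIUS server must list that host as a client for the same secret.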

Setup L2TP/IPSec
To enable L2TP/IPsec VPN server you can use the command below:

IPsecEnable

After entering this command, you will be asked to configure the L2TP server functions:

Enable L2TP over IPsec Server Function: Choose yes to enable L2TP VPN over IPSec with pre-shared key encryption. Now you can make VPN connections to this server using iPhone, Android, Windows, and Mac OS X devices.

Enable Raw L2TP Server Function: This will enable L2TP VPN for clients with no IPSec encryption.

Enable EtherIP / L2TPv3 over IPsec Server Function: Routers which are compatible with EtherIP / L2TPv3 over IPsec can connect to this server by enabling this function.

Pre Shared Key for IPsec: Enter a pre-shared key to use with L2TP VPN.

Default Virtual HUB in a case of omitting the HUB on the Username: Users must specify the Virtual Hub they are trying to connect to by using Username@TargetHubName as their username when connecting. This option specifies which Virtual Hub to be used if the user does not provide such information. In our case enter VPN.

Setup SSTP/OpenVPN
SoftEther can replicate the functions of a Microsoft SSTP VPN server and an OpenVPN server. But before we enable these we have to generate a self-signed SSL certificate for our server. You can use openssl or SoftEther's own command to generate an SSL certificate.

Here we use SoftEther's ServerCertRegenerate command to generate and register a self-signed SSL certificate for our server. The single argument passed to the command is the CN (Common Name), and must be set to your host name (FQDN) or IP address; replace servername below accordingly:

ServerCertRegenerate servername

Note 1: SoftEther also comes with a built-in Dynamic DNS function, which can assign a unique and permanent hostname to your server. You can use the hostname assigned by this function for creating an SSL certificate and for connecting to your server.

Note 2: If you already have an SSL certificate, or you have created one using openssl, it can be added to the server using the ServerCertSet command.

Now that we have created the certificate, we have to download it to our clients and add it as trusted. Using the command below, we save the server certificate into a file named cert.cer:

ServerCertGet ~/cert.cer

Now you can download the certificate to your client using FileZilla or any other SFTP Client.

To make the certificate trusted in Windows, you have to install it in the Trusted Root Certification Authorities store. Here’s an article explaining how (read the To install a certificate chain part):

Installing a Certificate Chain

Now that we have created and registered an SSL certificate for our server, we can enable the SSTP function with this command:

SstpEnable yes

And to enable OpenVPN:

OpenVpnEnable yes /PORTS:1194

Note: OpenVPN’s default port is 1194, but you can change it to any port you want by changing the /PORTS:1194 part of the command above to your desired port or ports (yes it supports multiple ports).

After you have enabled OpenVPN, you can generate a sample configuration file for the OpenVPN client. Here we create the sample OpenVPN configuration and save it to my_openvpn_config.zip:

OpenVpnMakeConfig ~/my_openvpn_config.zip

Then you can download it using any SFTP client such as FileZilla and apply it to your OpenVPN clients.
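The interactive vpncmd session above (hub, * user, RADIUS server, L2TP/IPsec, certificate, SSTP and OpenVPN), driven non-interactively from Python as an added example that is not part of the original post or of the SoftEther project. It assumes vpncmd's /SERVER, /PASSWORD:, /ADMINHUB: and /CMD switches, that UserRadiusSet is the command behind the "RADIUS Authentication" method shown in the UserList output above, and that /GROUP:none means "no group"; the server password is the one you set with ServerPasswordSet.

```python
import subprocess

VPNCMD = "/usr/local/vpnserver/vpnserver/../vpncmd".replace("vpnserver/../", "")  # /usr/local/vpnserver/vpncmd

def vpncmd_argv(server_password, command, hub=None, server="localhost"):
    # One non-interactive call in server admin mode: /ADMINHUB selects the Virtual Hub for
    # hub-scoped commands, /CMD runs exactly one command and then vpncmd exits.
    # The password on argv is visible in the process list to other local users while it runs.
    argv = [VPNCMD, server, "/SERVER", "/PASSWORD:" + server_password]
    if hub:
        argv.append("/ADMINHUB:" + hub)
    return argv + ["/CMD"] + list(command)

def config_plan(hub_password, radius_host, radius_secret, ipsec_psk, cert_cn):
    # (hub, command) pairs in the same order as the interactive session in the post.
    # Every parameter is passed as /OPTION:value so vpncmd never stops to prompt.
    return [
        (None, ["HubCreate", "VPN", "/PASSWORD:" + hub_password]),
        ("VPN", ["SecureNatEnable"]),
        ("VPN", ["UserCreate", "*", "/GROUP:none", "/REALNAME:*", "/NOTE:Radius User"]),  # /GROUP:none assumed = no group
        ("VPN", ["UserRadiusSet", "*"]),  # switches '*' to the RADIUS Authentication method
        ("VPN", ["RadiusServerSet", radius_host + ":1812",
                 "/SECRET:" + radius_secret, "/RETRY_INTERVAL:800"]),
        (None, ["IPsecEnable", "/L2TP:yes", "/L2TPRAW:no", "/ETHERIP:no",
                "/PSK:" + ipsec_psk, "/DEFAULTHUB:VPN"]),
        (None, ["ServerCertRegenerate", cert_cn]),
        (None, ["SstpEnable", "yes"]),
        (None, ["OpenVpnEnable", "yes", "/PORTS:1194"]),
    ]

def apply_plan(server_password, plan, run=subprocess.run):
    # Stops at the first step whose output lacks vpncmd's success line. 'run' is injectable
    # so the plan can be exercised without a VPN server present.
    done = []
    for hub, command in plan:
        result = run(vpncmd_argv(server_password, command, hub), capture_output=True, text=True)
        if "The command completed successfully." not in result.stdout:
            raise RuntimeError(f"{command[0]} failed:\n{result.stdout}{result.stderr}")
        done.append(command[0])
    return done
```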

SoftEther also provides dedicated VPN client software for both Windows and Linux. It supports a SoftEther-specific protocol called Ethernet over HTTPS (SSL-VPN), which establishes the tunnel over HTTPS on port 443; because that port is well known, almost all firewalls, proxy servers and NATs pass the traffic. In order to use SSL-VPN you must download and install the SoftEther VPN Client from their website.

Now download the SoftEther VPN client to your PC and try to connect through L2TP over IPsec with the pre-shared key, and through OpenVPN. The SoftEther site has a blog post explaining how to connect.
