Friday, August 24, 2018

SoftEther 4 Installation Guide on CentOS 7

This article provides instructions to implement SoftEther VPN Server and Client on CentOS 7.2.1511 and Fedora 24, respectively. SoftEther VPN is an open source VPN solution that can be used for secure client remote access VPN or branch offices site to site VPN. It supports most portable devices and operating systems as well as emulating several other VPN standards such as Cisco IPSEC and OpenVPN.
This article’s focus will be secure client remote access using SoftEther VPN’s native protocol.

SoftEther VPN Server

CentOS 7 Install

Begin by completing a base operating system build to your preference or you can follow my guide found here:
https://rharmonson.github.io/cos7inst.html

Install Requirements

After the base OS installation and configuration, install SoftEther VPN Server’s build dependencies.
Requirements
  • gcc software
  • binutils software
  • tar, gzip or other software for extracting package files
  • chkconfig system utility
  • cat, cp or other basic file operation utility
  • EUC-JP, UTF-8 or other code page table for use in a Japanese language environment
  • libc (glibc) library
  • zlib library
  • openssl library
  • readline library
  • ncurses library
  • pthread library
To meet the requirements above, execute the command below to install the packages and their dependencies.
# yum install gcc zlib-devel openssl-devel readline-devel ncurses-devel
Results
Dependencies Resolved

================================================================================
 Package                 Arch       Version                   Repository   Size
================================================================================
Installing:
 gcc                     x86_64     4.8.5-4.el7               base         16 M
 ncurses-devel           x86_64     5.9-13.20130511.el7       base        713 k
 openssl-devel           x86_64     1:1.0.1e-51.el7_2.5       updates     1.2 M
 readline-devel          x86_64     6.2-9.el7                 base        138 k
 zlib-devel              x86_64     1.2.7-15.el7              base         50 k
Installing for dependencies:
 cpp                     x86_64     4.8.5-4.el7               base        5.9 M
 glibc-devel             x86_64     2.17-106.el7_2.8          updates     1.0 M
 glibc-headers           x86_64     2.17-106.el7_2.8          updates     663 k
 kernel-headers          x86_64     3.10.0-327.28.2.el7       updates     3.2 M
 keyutils-libs-devel     x86_64     1.5.8-3.el7               base         37 k
 krb5-devel              x86_64     1.13.2-12.el7_2           updates     649 k
 libcom_err-devel        x86_64     1.42.9-7.el7              base         30 k
 libmpc                  x86_64     1.0.1-3.el7               base         51 k
 libselinux-devel        x86_64     2.2.2-6.el7               base        174 k
 libsepol-devel          x86_64     2.1.9-3.el7               base         71 k
 libverto-devel          x86_64     0.2.5-4.el7               base         12 k
 mpfr                    x86_64     3.1.1-4.el7               base        203 k
 pcre-devel              x86_64     8.32-15.el7_2.1           updates     479 k

Transaction Summary
================================================================================
Install  5 Packages (+13 Dependent packages)

Total download size: 31 M
Installed size: 67 M
Is this ok [y/d/N]:

SELinux

Prior to installation and testing, I updated /etc/selinux/config from enforcing to permissive. After testing, I set it back to enforcing. No problem so far, knock on wood. It may have been an unnecessary step.

Firewall

If you followed my CentOS 7 1511 Minimal guide, firewalld was ripped out and the iptables-services package was installed. If not, revise the script below as necessary. The primary change to my default iptables filter is the addition of iptables -I INPUT -p tcp --dport 443 -j ACCEPT. This assumes you will be using the SoftEther VPN client on port 443. After installation and testing, creating an alternative port is painless.
Create file, vi softether.fw
#!/bin/bash
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Permit ICMP Echo (OPTIONAL)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Accept incoming SSH
iptables -I INPUT -p tcp --dport 22 -j ACCEPT

# Accept incoming HTTPS for SoftEther (default)
iptables -I INPUT -p tcp --dport 443 -j ACCEPT

# Save Changes
service iptables save

# Service
systemctl restart iptables
systemctl status iptables
Set the file to executable using chmod +x softether.fw then execute ./softether.fw. Review the change using iptables -L -n -v.

Install SoftEther VPN Server

Download

Using a browser, go to http://www.softether-download.com/files/softether/ and locate the version of the product to install. Copy or type the link location as follows to download using curl.
# curl -O http://www.softether-download.com/files/softether/v4.20-9608-rtm-2016.04.17-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6117k  100 6117k    0     0   451k      0  0:00:13  0:00:13 --:--:--  726k

Unpack

Unpack the archive using tar.
[root@sevpn ~]# tar xzvf softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz -C /usr/local/
vpnserver/
vpnserver/Makefile
vpnserver/.install.sh
vpnserver/ReadMeFirst_License.txt
vpnserver/Authors.txt
vpnserver/ReadMeFirst_Important_Notices_ja.txt
vpnserver/ReadMeFirst_Important_Notices_en.txt
vpnserver/ReadMeFirst_Important_Notices_cn.txt
vpnserver/code/
vpnserver/code/vpnserver.a
vpnserver/code/vpncmd.a
vpnserver/lib/
vpnserver/lib/libcharset.a
vpnserver/lib/libcrypto.a
vpnserver/lib/libedit.a
vpnserver/lib/libiconv.a
vpnserver/lib/libintelaes.a
vpnserver/lib/libncurses.a
vpnserver/lib/libssl.a
vpnserver/lib/libz.a
vpnserver/lib/License.txt
vpnserver/hamcore.se2

Compile

Time to compile or make SoftEther.
# cd /usr/local/vpnserver
# make
Results
make[1]: Entering directory `/usr/local/vpnserver'
Preparing SoftEther VPN Server...
ranlib lib/libcharset.a
ranlib lib/libcrypto.a
ranlib lib/libedit.a
ranlib lib/libiconv.a
ranlib lib/libintelaes.a
ranlib lib/libncurses.a
ranlib lib/libssl.a
ranlib lib/libz.a
ranlib code/vpnserver.a
gcc code/vpnserver.a -O2 -fsigned-char -pthread -m64 -lm -ldl -lrt -lpthread -L./ lib/libssl.a lib/libcrypto.a lib/libiconv.a lib/libcharset.a lib/libedit.a lib/libncurses.a lib/libz.a lib/libintelaes.a -o vpnserver
ranlib code/vpncmd.a
gcc code/vpncmd.a -O2 -fsigned-char -pthread -m64 -lm -ldl -lrt -lpthread -L./ lib/libssl.a lib/libcrypto.a lib/libiconv.a lib/libcharset.a lib/libedit.a lib/libncurses.a lib/libz.a lib/libintelaes.a -o vpncmd
./vpncmd /tool /cmd:Check
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.20 Build 9608   (English)
Compiled 2016/04/17 21:59:35 by yagi at pc30
Copyright (c) SoftEther VPN Project. All Rights Reserved.

VPN Tools has been launched. By inputting HELP, you can view a list of the commands that can be used.

VPN Tools>Check
Check command - Check whether SoftEther VPN Operation is Possible
---------------------------------------------------
SoftEther VPN Operation Environment Check Tool

Copyright (c) SoftEther VPN Project.
All Rights Reserved.

If this operation environment check tool is run on a system and that system passes, it is most likely that SoftEther VPN software can operate on that system. This check may take a while. Please wait...

Checking 'Kernel System'...
              Pass
Checking 'Memory Operation System'...
              Pass
Checking 'ANSI / Unicode string processing system'...
              Pass
Checking 'File system'...
              Pass
Checking 'Thread processing system'...
              Pass
Checking 'Network system'...
              Pass

All checks passed. It is most likely that SoftEther VPN Server / Bridge can operate normally on this system.

The command completed successfully.


--------------------------------------------------------------------
The preparation of SoftEther VPN Server is completed !


*** How to switch the display language of the SoftEther VPN Server Service ***
SoftEther VPN Server supports the following languages:
  - Japanese
  - English
  - Simplified Chinese

You can choose your prefered language of SoftEther VPN Server at any time.
To switch the current language, open and edit the 'lang.config' file.


*** How to start the SoftEther VPN Server Service ***

Please execute './vpnserver start' to run the SoftEther VPN Server Background Service.
And please execute './vpncmd' to run the SoftEther VPN Command-Line Utility to configure SoftEther VPN Server.
Of course, you can use the VPN Server Manager GUI Application for Windows on the other Windows PC in order to configure the SoftEther VPN Server remotely.
--------------------------------------------------------------------

make[1]: Leaving directory `/usr/local/vpnserver'

Start SoftEther

Verify vpnserver operations before continuing by starting SoftEther from command-line.
# cd /usr/local/vpnserver
# ./vpnserver start
To close the vpnserver, execute ./vpnserver close.

Permissions

Update file permissions to something a bit more sane.
# chown -R root:root /usr/local/vpnserver
# cd /usr/local/vpnserver/
# chmod -R 600 *
# chmod 700 vpncmd
# chmod 700 vpnserver
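As an added check (example code, not from the original post): a small shell function that lists anything under the install directory that is not owned by the expected user and group, or that has any group or other permission bit set, so the result of the chown/chmod steps above, and any file the server creates later, can be verified. The names audit_tree and tree_is_clean and their arguments are assumptions; the function relies on GNU find's -perm /MODE syntax.

```shell
#!/bin/sh
# Added example, not part of the original post: report files under DIR that
# deviate from the "owned by OWNER:GROUP, no group/other permission bits"
# state the Permissions step establishes. Prints one path per line; prints
# nothing (and returns 0) when the tree is clean.
# Requires GNU find for "-perm /077" (any group/other bit set).
audit_tree() {
    _dir=$1 _owner=${2:-root} _group=${3:-root}
    find "$_dir" \( ! -user "$_owner" -o ! -group "$_group" -o -perm /077 \) -print
}

# Convenience wrapper: returns 0 when the tree is clean, 1 when anything
# was listed by audit_tree.
tree_is_clean() {
    [ -z "$(audit_tree "$@")" ]
}
```

Run `audit_tree /usr/local/vpnserver` as root after the chmod commands; an empty result means the tree matches. Re-running it after the server has been up for a while shows whether vpnserver has created files (logs, config backups) with looser modes than the ones you set by hand.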

Create systemd Script

Create a systemd script to auto-start/stop SoftEther. Kudos to hsaito!
Reference: https://github.com/hsaito/SoftEtherVPN/blob/a9b9afc806a5df8598fd9acda2424d9c48ac8462/systemd/softether-vpnserver.service
# vi /etc/systemd/system/vpnserver.service
[Unit]
Description=SoftEther VPN Server  
After=network.target auditd.service  
ConditionPathExists=!/usr/local/vpnserver/do_not_run

[Service]
Type=forking  
EnvironmentFile=-/usr/local/vpnserver  
ExecStart=/usr/local/vpnserver/vpnserver start  
ExecStop=/usr/local/vpnserver/vpnserver stop  
KillMode=process  
Restart=on-failure

# Hardening
PrivateTmp=yes  
ProtectHome=yes  
ProtectSystem=full  
ReadOnlyDirectories=/  
ReadWriteDirectories=-/usr/local/vpnserver  
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYS_ADMIN CAP_SETUID

[Install]
WantedBy=multi-user.target
Also, enable and start the service.
# systemctl enable vpnserver
# systemctl start vpnserver

Configure SoftEther VPN Server

Next step is to use the vpncmd command or the SoftEther VPN Server Manager for Windows to configure SoftEther. The URL https://www.softether.org/4-docs/2-howto shows the various network scenarios or topographies for use with SoftEther. Our use case is “remote access,” so an excellent starting point is “Remote Access VPN to LAN” and “Build a PC to LAN Remote Access VPN”.
Next, I would advise following the instructions on configuring “SecureNAT”. In my experience, it is the easiest to setup. Once the setup is complete, move to the section titled “SoftEther VPN Client”.

Local Bridge & dnsmasq (optional)

After the completion of your secure remote access service, use it. If the performance is acceptable, then move on to another project. However, if you feel that SecureNAT is sluggish, you may benefit using a local bridge. Begin by reading “Measuring Effective Throughput” and obtain metrics of your SecureNAT implementation. Then read “Local Bridges”. Make sure you have disabled SecureNAT before implementing the local bridge. Obtain metrics using the local bridge and choose the solution that best meets your requirements.

systemd

If using a local bridge, update your systemd script to include an address assignment for the tap device.
#/etc/systemd/system/vpnserver.service
# chown root / chmod 644
[Unit]
Description=SoftEther VPN Server with TAP
After=network.target auditd.service  
ConditionPathExists=!/usr/local/vpnserver/do_not_run

[Service]
Type=forking  
EnvironmentFile=-/usr/local/vpnserver  
ExecStart=/usr/local/vpnserver/vpnserver start  
ExecStartPost=/bin/sleep 1  
ExecStartPost=/sbin/ip address add 192.168.10.254/24 dev tap_vpn  
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process  
Restart=on-failure

# Hardening
PrivateTmp=yes  
ProtectHome=yes  
ProtectSystem=full  
ReadOnlyDirectories=/  
ReadWriteDirectories=-/usr/local/vpnserver  
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
# Dropped from the earlier unit (systemd does not support trailing comments on a directive line): CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYS_ADMIN CAP_SETUID

[Install]
WantedBy=multi-user.target

dnsmasq

In addition, you may need DHCP. With SecureNAT, DHCP was provided but this is not the case (to my knowledge) using SoftEther VPN Server and a local bridge. Use dnsmasq.
Edit using vi /etc/dnsmasq.conf then copy and paste the following to the bottom of the file and revise for your environment.
# VPN Server Interface
interface=tap_vpn

# VPN Client DHCP Pool
dhcp-range=tap_vpn,192.168.10.10,192.168.10.200,255.255.255.0,4h

# Gateway
dhcp-option=tap_vpn,3,192.168.10.254

# DNS
dhcp-option=tap_vpn,6,192.168.1.1

# Domain
dhcp-option=tap_vpn,15,mydomain.net

# NTP
dhcp-option=tap_vpn,42,192.168.1.1
Enable and start dnsmasq using systemctl enable dnsmasq then systemctl start dnsmasq.

iptables

We need to permit DHCP for the bridge interface and configure a NAT. You can execute the changes from the shell, or flush the current rules with iptables -F (and iptables -t nat -F for the nat table) and execute the updated script. The default INPUT policy is DROP, so use the console rather than SSH. NAT between the tap interface and the LAN also requires IP forwarding to be enabled in the kernel (net.ipv4.ip_forward = 1 via sysctl); the SNAT rule alone is not enough.
#!/bin/bash

# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Permit ICMP Echo (OPTIONAL)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Accept incoming SSH
iptables -I INPUT -p tcp --dport 22 -j ACCEPT

# SoftEther
iptables -I INPUT -p udp --dport 443 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT

# DHCP (dnsmasq)
iptables -A INPUT -i tap_vpn -p udp --dport 67 -j ACCEPT

# NAT using Local Bridge
# 192.168.10.0/24 = Local Bridge & SoftEther VPN Clients (dnsmasq)
# 192.168.2.1 = SoftEther VPN Server's network interface
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 192.168.2.1

# Save Changes
service iptables save

# Service
systemctl restart iptables
systemctl status iptables

SoftEther VPN Client

The Windows client works very well and requires little configuration beyond providing the correct host name or IP address, port, and credentials. Its interface, route, and DNS configuration are painless. The Linux client is not as seamless, nor does the SoftEther VPN Project provide instructions. This section describes my method to set up the client on Fedora 24.

Use Case

The use case is as follows:
  • Fedora 24 Workstation
  • Mobile user
  • User has SUDO privileges
  • VPN on demand versus always-on
  • No split-tunnel access
  • VPN Server with DHCP
Prior to proceeding, complete a Fedora 24 Workstation installation. I successfully tested Gnome, KDE, and several other Spins.

Download Client

Obtain the SoftEther VPN Client from http://www.softether-download.com/files/softether/ using curl.
[john@wss ~]$ pwd
/home/john
[john@wss ~]$ mkdir temp
[john@wss ~]$ cd temp
[john@wss temp]$ curl -O http://www.softether-download.com/files/softether/v4.20-9608-rtm-2016.04.17-tree/Linux/SoftEther_VPN_Client/64bit_-_Intel_x64_or_AMD64/softether-vpnclient-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6116k  100 6116k    0     0   855k      0  0:00:07  0:00:07 --:--:-- 1248k
[john@wss temp]$

Unpack & Compile

The compile requirements appear to be the same as the SoftEther VPN Server. With a default Fedora 24 Workstation installation, no additional packages were required to compile.
Using tar, unpack the file.
[john@wss temp]$ tar xzvf softether-vpnclient-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz
vpnclient/
vpnclient/Makefile
vpnclient/.install.sh
vpnclient/ReadMeFirst_License.txt
vpnclient/Authors.txt
vpnclient/ReadMeFirst_Important_Notices_ja.txt
vpnclient/ReadMeFirst_Important_Notices_en.txt
vpnclient/ReadMeFirst_Important_Notices_cn.txt
vpnclient/code/
vpnclient/code/vpnclient.a
vpnclient/code/vpncmd.a
vpnclient/lib/
vpnclient/lib/libcharset.a
vpnclient/lib/libcrypto.a
vpnclient/lib/libedit.a
vpnclient/lib/libiconv.a
vpnclient/lib/libintelaes.a
vpnclient/lib/libncurses.a
vpnclient/lib/libssl.a
vpnclient/lib/libz.a
vpnclient/lib/License.txt
vpnclient/hamcore.se2
cd into the vpnclient directory from the unpacked archive then compile using make.
[john@wss temp]$ cd vpnclient/
[john@wss vpnclient]$ make
--------------------------------------------------------------------

SoftEther VPN Client (Ver 4.20, Build 9608, Intel x64 / AMD64) for Linux Install Utility
Copyright (c) SoftEther Project at University of Tsukuba, Japan. All Rights Reserved.

--------------------------------------------------------------------


Do you want to read the License Agreement for this software ?

 1. Yes
 2. No

Please choose one of above number: 1

..skip

Did you read and understand the License Agreement ?
(If you couldn't read above text, Please read 'ReadMeFirst_License.txt'
 file with any text editor.)

 1. Yes
 2. No

Please choose one of above number:
1


Did you agree the License Agreement ?

1. Agree
2. Do Not Agree

Please choose one of above number:
1

make[1]: Entering directory '/home/john/temp/vpnclient'
Preparing SoftEther VPN Client...
ranlib lib/libcharset.a
ranlib lib/libcrypto.a
ranlib lib/libedit.a
ranlib lib/libiconv.a
ranlib lib/libintelaes.a
ranlib lib/libncurses.a
ranlib lib/libssl.a
ranlib lib/libz.a
ranlib code/vpnclient.a
gcc code/vpnclient.a -O2 -fsigned-char -pthread -m64 -lm -ldl -lrt -lpthread -L./ lib/libssl.a lib/libcrypto.a lib/libiconv.a lib/libcharset.a lib/libedit.a lib/libncurses.a lib/libz.a lib/libintelaes.a -o vpnclient
ranlib code/vpncmd.a
gcc code/vpncmd.a -O2 -fsigned-char -pthread -m64 -lm -ldl -lrt -lpthread -L./ lib/libssl.a lib/libcrypto.a lib/libiconv.a lib/libcharset.a lib/libedit.a lib/libncurses.a lib/libz.a lib/libintelaes.a -o vpncmd

--------------------------------------------------------------------
The preparation of SoftEther VPN Client is completed !


*** How to switch the display language of the SoftEther VPN Client Service ***
SoftEther VPN Client supports the following languages:
  - Japanese
  - English
  - Simplified Chinese

You can choose your preferred language of SoftEther VPN Client at any time.
To switch the current language, open and edit the 'lang.config' file.


*** How to start the SoftEther VPN Client Service ***

Please execute './vpnclient start' to run the SoftEther VPN Client Background Service.
And please execute './vpncmd' to run the SoftEther VPN Command-Line Utility to configure SoftEther VPN Client.
Of course, you can use the VPN Server Manager GUI Application for Windows on the other Windows PC in order to configure the SoftEther VPN Client remotely.
--------------------------------------------------------------------

make[1]: Leaving directory '/home/john/temp/vpnclient'
Change ownership to root, set permissions, then move the directory to /usr/local.
[john@wss vpnclient]$ chmod -R 600 *
[john@wss vpnclient]$ chmod 700 vpncmd
[john@wss vpnclient]$ chmod 700 vpnclient
[john@wss vpnclient]$ cd ..
[john@wss temp]$ sudo chown -R root.root vpnclient/
[john@wss temp]$ sudo mv vpnclient/ /usr/local/

Start & Configure Client

The SoftEther VPN Client is started and stopped using /usr/local/vpnclient/vpnclient start and /usr/local/vpnclient/vpnclient stop. To configure the client, use vpncmd as shown below. Substitute the values below as desired. Use help to show all available commands.
[john@wss temp]$ sudo /usr/local/vpnclient/vpnclient start
The SoftEther VPN Client service has been started.
[john@wss temp]$ sudo /usr/local/vpnclient/vpncmd
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.20 Build 9608   (English)
Compiled 2016/04/17 21:59:35 by yagi at pc30
Copyright (c) SoftEther VPN Project. All Rights Reserved.

By using vpncmd program, the following can be achieved.

1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)

Select 1, 2 or 3: 2

Specify the host name or IP address of the computer that the destination VPN Client is operating on.
If nothing is input and Enter is pressed, connection will be made to localhost (this computer).
Hostname of IP Address of Destination:

Connected to VPN Client "localhost".

VPN Client>niccreate
NicCreate command - Create New Virtual Network Adapter
Virtual Network Adapter Name: sev0

The command completed successfully.

VPN Client>accountcreate
AccountCreate command - Create New VPN Connection Setting
Name of VPN Connection Setting: myLab

Destination VPN Server Host Name and Port Number: ddns.domain.net:443


Destination Virtual Hub Name: vpn

Connecting User Name: john

Used Virtual Network Adapter Name: sev0

The command completed successfully.

VPN Client>accountpasswordset
AccountPasswordSet command - Set User Authentication Type of VPN Connection Setting to Password Authentication
Name of VPN Connection Setting: myLab

Please enter the password. To cancel press the Ctrl+D key.

Password: ********
Confirm input: ********


Specify standard or radius: standard

The command completed successfully.

VPN Client>accountstartupset
AccountStartupSet command - Set VPN Connection Setting as Startup Connection
Name of VPN Connection Setting: myLab

The command completed successfully.

VPN Client>exit
Stop SoftEther VPN Client.
[john@wss temp]$ sudo /usr/local/vpnclient/vpnclient stop
Stopping the SoftEther VPN Client service ...
SoftEther VPN Client service has been stopped.
[john@wss temp]$
Now we have a connection profile, user account and password, and the profile set to connect on start. Note that the vpncmd option AccountStartupSet sets the default profile, but you can use AccountConnect and AccountDisconnect to utilize different profiles.

Connection Script

The connection process is as follows:
  1. Create static route to SoftEther VPN server via the default gateway interface
  2. Start SoftEther client using /usr/local/vpnclient/vpnclient start
  3. Bring up VPN interface and utilize DHCP
To disconnect, the process is reversed to restore prior connection.
In the script below:
  • ip = vpnserver Internet IP address to DNAT (firewall)
  • nicdev = workstation’s physical interface
  • nicgw = workstation’s initial default gateway interface
I would advise walking through the script manually via bash, then tailor the script below to meet your use case. When using bash, you can still use the variables by executing ip=216.50.190.90[enter]. You can see the results using echo $ip[enter]. Also, I was receiving messages on console from auditd (SELinux) when executing dhclient. I need to research further.
Create and edit the file “vpn.”
[john@wss temp]$ sudo touch /usr/local/vpnclient/vpn
[john@wss temp]$ sudo chmod +x /usr/local/vpnclient/vpn
[john@wss temp]$ sudo vi /usr/local/vpnclient/vpn
Copy and paste then update the bash script to fit your environment.
#!/bin/bash
# SoftEther VPN Client start/stop script

# Use DNS or DDNS for the SoftEther VPN Server
host=sevpn.mydomain.net

# Workstation interface device name from ifconfig or ip addr
nicdev=eth0

# SoftEther VPN Client interface; vpn_[NicCreate name]
sedev=vpn_sev0

# START VPN CLIENT
if [[ $1 == "start" ]]; then

    # Determine IP address for SoftEther VPN Server
    ip=$(dig +short $host)

    # Write IP address to file for /vpn stop
    echo "$ip" > /tmp/sevpnip

    # Determine default route for workstation prior to establishing VPN
    nicgw=$(ip -4 route list 0/0 | cut -d ' ' -f 3)

    # Write workstation default gateway to file for /vpn stop
    echo "$nicgw" > /tmp/sevpngw

    # Create static host route to SoftEther VPN Server
    ip route add $ip via $nicgw dev $nicdev
    sleep .5

    # Start SoftEther VPN
    /usr/local/vpnclient/vpnclient start
    sleep .5

    # Request DHCP
    dhclient $sedev

    # Delete default route. Note on subsequent stops, the routes drop
    # automatically, thus sending to /dev/null to silence a possible
    # "RTNETLINK no such process" error.
    ip route del default via $nicgw &>/dev/null
    sleep .5

# STOP VPN CLIENT
elif [[ $1 == "stop" ]]; then

    # Release DHCP
    dhclient -r $sedev
    sleep .5

    # Stop SoftEther VPN Client, which removes the interface and default route
    /usr/local/vpnclient/vpnclient stop
    sleep .5

    # Read in workstation physical network interface's default gateway
    nicgw=$(cat /tmp/sevpngw)
    sleep .5

    # Reinstate default route
    ip route add default via $nicgw
    sleep .5

    # Read in SoftEther VPN Server IP address
    ip=$(cat /tmp/sevpnip)

    # Delete the host route to SoftEther VPN Server
    ip route del $ip

    # Cleanup
    rm -f /tmp/sevpnip
    rm -f /tmp/sevpngw

# User forgot to provide the start or stop argument
else
    echo "Please use args start or stop!"
fi
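Two details of the start/stop script above deserve hardening, and the following helper functions are an added example of how to do it (this is my code, not the original post's): dig +short can print more than one line when the host name is a CNAME (typical for DDNS names), so "$ip" would carry several words into ip route add; and the script stores the server address and the original gateway in world-writable /tmp and later feeds them, as root, into ip route, so any local user able to create /tmp/sevpngw could influence the workstation's default route. The helpers keep only the first valid IPv4 address, store state in a root-owned directory (SEVPN_STATE_DIR, an assumed name defaulting to /run/sevpn), refuse symlinks, and validate each value both when it is written and when it is read back. All function names are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the original post: safer address handling
# and state storage for the vpn start/stop script.
SEVPN_STATE_DIR=${SEVPN_STATE_DIR:-/run/sevpn}   # assumed location

# Succeed only when $1 is a dotted quad with four octets in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs_a=$IFS; IFS='.'; set -- $1; IFS=$_ifs_a
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print the first IPv4 address among the newline-separated lines in $1
# (for example the output of "dig +short host"); fail if there is none.
pick_ipv4() {
    _ifs_b=$IFS
    IFS='
'
    set -f                      # do not glob-expand the split lines
    for _line in $1; do
        if is_ipv4 "$_line"; then
            set +f; IFS=$_ifs_b
            printf '%s\n' "$_line"
            return 0
        fi
    done
    set +f; IFS=$_ifs_b
    return 1
}

# Store an IPv4 value as $SEVPN_STATE_DIR/NAME; refuse anything else.
# The directory is created mode 0700; symlinks are rejected at both levels.
state_write() {
    _name=$1; _value=$2
    case "$_name" in ''|*/*) echo "state_write: bad name '$_name'" >&2; return 1 ;; esac
    if ! is_ipv4 "$_value"; then
        echo "state_write: '$_value' is not an IPv4 address" >&2; return 1
    fi
    if [ -L "$SEVPN_STATE_DIR" ]; then
        echo "state_write: $SEVPN_STATE_DIR is a symlink" >&2; return 1
    fi
    mkdir -p "$SEVPN_STATE_DIR" || return 1
    chmod 0700 "$SEVPN_STATE_DIR" || return 1
    _f=$SEVPN_STATE_DIR/$_name
    if [ -L "$_f" ]; then
        echo "state_write: $_f is a symlink" >&2; return 1
    fi
    (umask 077; printf '%s\n' "$_value" > "$_f")
}

# Print the value stored under NAME after validating it again; fail if the
# file is missing, is a symlink, or does not hold a single IPv4 address.
state_read() {
    _f=$SEVPN_STATE_DIR/$1
    if [ -L "$_f" ] || [ ! -f "$_f" ]; then
        return 1
    fi
    _value=$(head -n 1 "$_f")
    is_ipv4 "$_value" || return 1
    printf '%s\n' "$_value"
}

# Remove the state files once the VPN is down.
state_clear() {
    rm -f "$SEVPN_STATE_DIR/sevpnip" "$SEVPN_STATE_DIR/sevpngw"
}
```

In the start branch the script would then use `ip=$(pick_ipv4 "$(dig +short "$host")") || exit 1` and `state_write sevpnip "$ip"` (and the same for the gateway), and in the stop branch `nicgw=$(state_read sevpngw) || exit 1` before touching the routing table, with `state_clear` replacing the two rm lines. The real protection is that the state directory is owned by root with mode 0700, so unprivileged users cannot create files in it; the symlink checks and the re-validation on read are defence in depth against a mistake in that setup.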

Start daemon automatically after a reboot

nano /etc/init.d/vpnclient
#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Client
DAEMON=/usr/local/vpnclient/vpnclient
LOCK=/var/lock/subsys/vpnclient
test -x $DAEMON || exit 0
case "$1" in
    start)
        $DAEMON start
        touch $LOCK
        ;;
    stop)
        $DAEMON stop
        rm $LOCK
        ;;
    restart)
        $DAEMON stop
        sleep 3
        $DAEMON start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
esac
exit 0

Done!?

At this point, you should have a Secure Remote Access solution using SoftEther VPN Server & Client 4.2 on Linux. Once you have a working solution and some time with it up and running, I advise updating the virtual hub, default is vpn, to enable the “No Enumerate to Anonymous Users” to obfuscate the service.

oVirt & Promiscuous Mode

The SoftEther project page calls out that running the SoftEther VPN Server’s network interface in promiscuous mode will improve performance. I have not validated the statement. If using oVirt, you have a bit of work to permit an oVirt guest to use promiscuous mode.
First, install “vdsm-hook-macspoof” package on each Compute host.
[root@node1 ~]# yum install vdsm-hook-macspoof
Results
Dependencies Resolved

================================================================================
 Package                Arch       Version             Repository          Size
================================================================================
Installing:
 vdsm-hook-macspoof     noarch     4.17.32-1.el7       centos-ovirt36      21 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 21 k
Installed size: 5.1 k
Is this ok [y/d/N]: y
Second, update the hosted engine to have a user defined property for oVirt guests.
Using username "root".
root@eng's password:
Last login: Thu Aug 11 05:20:58 2016
[root@eng ~]# sudo engine-config -s "UserDefinedVMProperties=macspoof=^(true|false)$"
Please select a version:
1. 3.0
2. 3.1
3. 3.2
4. 3.3
5. 3.4
6. 3.5
7. 3.6
7
[root@eng ~]#
Lastly, restart the hosted engine.
