Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: beckynet on December 14, 2015, 05:48:03 PM
-
Hello World,
PPTP is compromised and is not very reliable through a NAT.
I want to use SoftEther https://www.softether.org/.
SoftEther offers many VPN protocols and its installation is relatively easy; the final administration is done from a remote Windows machine.
On SME 8 I could make it work.
But under SME 9.1 I cannot.
In fact, at start SoftEther creates a TAP device (soft_tap); I assign an address to this tap and I created a new range in dhcpd.conf.
But the SME DHCP only listens on em1; it is impossible to force it to also listen on tap_soft.
I tried to add em1 and tap_soft in DHCPARGS but nothing changed; SME listens only on em1.
How can I force DHCP to listen on both tap_soft and em1?
Thanks in advance
Olivier
-
Hi.. can you share how you tried to make it work so we can take a look and help you?
Moreover: can you please tell us how you made it work on SME8 so we can help you replicate it on SME9? (and we can document it too in the wiki)
thank you
-
Or use something already built and working
http://wiki.contribs.org/OpenVPN_Routed
http://wiki.contribs.org/OpenVPN_SiteToSite
http://wiki.contribs.org/OpenVPN_Bridge
Routed works well but depends on what access your clients require.
I have been working on an ipsec/xl2tpd contrib but still have a way to go yet.
-
Searching a bit with Google leads me to understand that there are no RPMs for SoftEther and that you must compile it..
So, are you trying to install a more secure VPN (why not OpenVPN, for example?) by installing development tools on your server? :-)
-
I have an SME server in a VM that I use to compile SoftEther.
On SME
cd /opt
wget http://www.softether-download.com/files/softether/v4.18-9570-rtm-2015.07.26-tree/Linux/SoftEther_VPN_Server/32bit_-_Intel_x86/softether-vpnserver-v4.18-9570-rtm-2015.07.26-linux-x86-32bit.tar.gz
tar zxvf softether-vpnserver-v4.18-9570-rtm-2015.07.26-linux-x86-32bit.tar.gz
cd /opt/vpnserver
yum install autoconf automake gcc
make (read and accept the licence)
Open TCP port 5555 (for the management)
Open UDP ports 500, 1701, 4500 (for L2TP)
In /opt/vpnserver:
./vpnserver start
On the Windows computer
Download and install the Windows Management Tools
http://www.softether-download.com/files/softether/v4.18-9570-rtm-2015.07.26-tree/Windows/SoftEther_VPN_Server_and_VPN_Bridge/softether-vpnserver_vpnbridge-v4.18-9570-rtm-2015.07.26-windows-x86_x64-intel.exe
Create a new connection with port number 5555
The first time, enter a blank password and create a new password.
In local bridge settings, create a bridge with a new tap device named soft
In IPsec / L2TP settings, set an IPsec pre-shared key.
On SME
I've made custom template files for dhcpd.conf
cd /etc/e-smith/templates-custom/etc/dhcpd.conf/
nano 30BeginLocalSubnet
{
my $ipaddrBits = esmith::util::IPquadToAddr ($LocalIP);
my $netmaskBits = esmith::util::IPquadToAddr ($LocalNetmask);
local $network = esmith::util::IPaddrToQuad ($ipaddrBits & $netmaskBits);
$OUT .= "subnet 192.168.2.0 netmask 255.255.255.0\n\{";
}
nano 35Broadcast
{
my $ipaddrBits = esmith::util::IPquadToAddr ($LocalIP);
my $netmaskBits = esmith::util::IPquadToAddr ($LocalNetmask);
local $broadcast = esmith::util::IPaddrToQuad ($ipaddrBits | (~ $netmaskBits));
$OUT .= " option broadcast-address 192.168.2.255;";
}
nano 35DomainName
{
$OUT .= " option domain-name \"$DomainName\";";
}
nano 35DomainNameServers
option domain-name-servers { $LocalIP };
nano 35LeaseTimeDefault
default-lease-time { 86400 };
nano 35LeaseTimeMax
max-lease-time { 7*86400 };
nano 35NetbiosDDServer
{
return "" unless $DHCP_WINSServer;
return " option netbios-dd-server $DHCP_WINSServer;";
}
nano 35NetbiosNameServers
{
return "" unless $DHCP_WINSServer;
return " option netbios-name-servers $DHCP_WINSServer;";
}
nano 35NetbiosNodeType
{
my $server_role = $smb{ServerRole} || 'WS';
return "" unless $server_role =~ m{^(PDC|ADS)$};
return " option netbios-node-type 8;";
}
nano 35Netmask
option subnet-mask { $LocalNetmask };
nano 36Forwarding
option ip-forwarding true;
option router-discovery true;
nano 37Range
{
$OUT .= " range 192.168.2.100 192.168.2.200;";
}
nano 38Routers
{
my $router = (defined $SystemMode && $SystemMode =~ /servergateway/)
? $LocalIP :
defined $GatewayIP ? $GatewayIP : undef;
$OUT = "";
if ($router)
{
$OUT .= " option routers 192.168.2.1;";
}
}
nano 39EndLocalSubnet
\}
expand-template /etc/dhcpd.conf
/etc/init.d/dhcpd restart
Add an address to tap_soft
ifcfg tap_soft add 192.168.2.1
Add rules to iptables
iptables -A FORWARD -i em1 -o tap_soft -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tap_soft -o em1 -j ACCEPT
Identification is done, but I can't receive an IP address from the DHCP server.
cat /opt/vpnserver/server_log/vpn_20151215.log
2015-12-15 19:01:25.860 L2TP PPP Session [XX.XX.XX.XX:1701]: Trying to request an IP address from the DHCP server.
2015-12-15 19:01:30.869 L2TP PPP Session [XX.XX.XX.XX:1701]: Acquiring an IP address from the DHCP server failed. To accept a PPP session, you need to have a DHCP server. Make sure that a DHCP server is working normally in the Ethernet segment which the Virtual Hub belongs to.
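The failure above has two preconditions that are easy to check without guessing: dhcpd only binds the interfaces it is started with, and it ignores any bound interface whose own address is not inside some declared subnet (it logs "No subnet declaration for ... Ignoring requests" at start). The following Python is an added example, not code from this thread or from SME Server; the dhcpd.conf excerpts are constructed in the shape the custom fragments above generate, and the em1 address and the interface list passed in are assumptions for the example.

```python
import ipaddress
import re

# Constructed excerpt in the shape the custom fragments above produce
# (not the poster's real file; only one subnet is declared).
SAMPLE_DHCPD_CONF = """\
subnet 192.168.2.0 netmask 255.255.255.0
{
 option broadcast-address 192.168.2.255;
 option domain-name "example.lan";
 range 192.168.2.100 192.168.2.200;
 option routers 192.168.2.1;
}
"""

# Constructed variant declaring both the LAN and the tap subnet.
SAMPLE_DHCPD_CONF_BOTH = SAMPLE_DHCPD_CONF + """\
subnet 192.168.1.0 netmask 255.255.255.0
{
 range 192.168.1.100 192.168.1.200;
 option routers 192.168.1.1;
}
"""

# Constructed interface table: name -> address/prefix (em1 address is assumed;
# the tap_soft address is the one given with `ifcfg tap_soft add` above).
SAMPLE_INTERFACES = {
    "em1": "192.168.1.1/24",
    "tap_soft": "192.168.2.1/24",
}

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)")


def declared_subnets(conf_text):
    """Return every `subnet A netmask M` declaration as an ip_network."""
    return [
        ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for addr, mask in SUBNET_RE.findall(conf_text)
    ]


def check_listeners(conf_text, interfaces, listen_ifaces):
    """Say, per interface, whether dhcpd will answer requests on it.

    listen_ifaces is the interface list dhcpd is started with (the DHCPARGS
    list in the post above). An interface is served only if it is in that
    list AND its address falls in a declared subnet.
    Returns {iface: "served" | "not in interface list" | "no subnet declaration"}.
    """
    nets = declared_subnets(conf_text)
    result = {}
    for name, cidr in interfaces.items():
        if name not in listen_ifaces:
            result[name] = "not in interface list"
            continue
        addr = ipaddress.ip_interface(cidr).ip
        result[name] = "served" if any(addr in n for n in nets) else "no subnet declaration"
    return result


if __name__ == "__main__":
    for conf, label in ((SAMPLE_DHCPD_CONF, "tap subnet only"), (SAMPLE_DHCPD_CONF_BOTH, "both subnets")):
        print(label, check_listeners(conf, SAMPLE_INTERFACES, ["em1", "tap_soft"]))
```

Two things follow from running it against the fragments above. Custom fragments replace the stock fragment of the same name, so the generated dhcpd.conf declares only 192.168.2.0/24 and no longer the LAN subnet; unless the LAN is itself on 192.168.2.0/24, em1 lands in the "no subnet declaration" case and the LAN loses DHCP. The fix is to declare both subnets (as in the second constructed excerpt) and to start dhcpd on both interfaces; with only one of the two in place the tap clients still get no lease.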
-
Couple of things.
You have obviously done a lot of work on this. Can you please add it to a wiki page for others to benefit? Just ask for an account and someone can help you format it if required. You could also ask for access to CVS so that your code could be imported/compiled on the build system and a contrib RPM built. Again, please ask.
I get the feeling that this may be your primary issue - you have a connection but no packets are flowing :
L2TP PPP Session [XX.XX.XX.XX:1701]: Acquiring an IP address from the DHCP server failed.
I think that your 1701 packets are not traversing the firewall.
I had a struggle with getting iptables to work until I found out you do not need to create many rules yourself.
Create a service and tell it what ports you want it to use and your server will create the rules for you. Check with iptables
e.g. for my pure IPsec:
config ipsec show
ipsec=service
UDPPort=500
access=public
status=enabled
These should help :
http://wiki.contribs.org/DB_Variables_Configuration#Additional_information_on_customizing_iptables
http://wiki.contribs.org/Useful_Commands#Create_a_service_with_db_command_and_set_network_access
So you could set a service entry like 'softether' and add the relevant ports. I think you need 500 & 4500 (setprop UDPPorts 500 4500)
See here at the bottom :
https://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server/1.Setup_L2TP%2F%2F%2F%2FIPsec_VPN_Server_on_SoftEther_VPN_Server
I have a couple of masq template fragments as follows - these enable or disable the rules depending on whether the service is enabled/disabled. This was because the ipsec packets were showing up as ESP. You may or may not need similar depending on what you find in your logs. Have a look in /var/log/secure to see if any packets are being dropped.
(Still not sure I need this one)
[root@test masq]# cat 40AllowIPsec
{
my $ipsec_access = $ipsec{access};
if ( $ipsec_access eq 'public' ) {
$OUT .= " # Do not NAT VPN traffic\n";
$OUT .=
" /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
}
}
[root@test masq]# cat 56AllowESP
# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
{
my $ipsec_access = $ipsec{access};
if ($ipsec_access eq 'public') {
$OUT .= " /sbin/iptables --new-chain esp-in\n";
$OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
$OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
$OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
$OUT .= " /sbin/iptables --append esp-in -j denylog\n";
}
}
[root@test masq]# cat 90adjustESP
# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
{
my $ipsec_access = $ipsec{access};
my $ipsec_status = $ipsec{status};
if ( $ipsec_access eq 'public' ) {
my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
$OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
$OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
}
}
You may find something here (nothing to do with me) about ifcfg
http://wiki.contribs.org/Ipsec
You could also have a look at Daniel's openvpn routed contrib for ways to sort out firewalling.
B. Rgds
John
-
I'm interested in sharing this project.
But actually it doesn't run on SME 9.1.
If I stop iptables, all runs fine.
I must investigate, and afterwards I'll share it in the wiki.
Thanks, Olivier
-
Well, if I were in your shoes I'd try to adapt smeserver-openvpn templates/fragments
-
I must investigate, and afterwards I'll share it in the wiki.
My advice would be to just simply start writing your notes and findings on a new wiki page. That way others can pitch in and learn and add to the page whilst you are off-line. That's what the wiki is for: collaborative editing of documentation.
Waiting until one can deliver a complete, working and tested how-to from your notes will take a long time, and often one will no longer shift all the info over to the wiki.
-
I'm interested in sharing this project.
But actually it doesn't run on SME 9.1.
It does run but...
If I stop iptables, all runs fine.
This is where your problem is, as per my comments above.
I must investigate, and afterwards I'll share it in the wiki.
Make sure you check /var/log/iptables/current as well - this will tell you which packets are being blocked.
B. Rgds
John
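John's advice in this post and the earlier one is to read the firewall log before touching the VPN daemon: if the IKE, NAT-T, L2TP or ESP packets show up as dropped, the problem is the firewall. The following Python is an added example, not code from this thread or from SME Server; it parses lines in the kernel netfilter LOG key=value shape and counts dropped VPN packets per class and per source. The sample lines, the `denylog:` prefix, the tai64n timestamps and the addresses are constructed for the example.

```python
import re
from collections import Counter

# UDP ports the L2TP/IPsec setup in this thread has to let through.
VPN_UDP_PORTS = {500: "IKE", 4500: "NAT-T", 1701: "L2TP"}

# Constructed log lines (prefix, timestamps and addresses are assumptions,
# not lines from the poster's server). Only the key=value part matters.
SAMPLE_LOG = """\
@4000000056702c1a0b7c8d2c kernel: denylog:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=54 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=40
@4000000056702c1a0c1f3b84 kernel: denylog:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=160 TTL=54 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=140
@4000000056702c1b01a2d3e4 kernel: denylog:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=120 TTL=54 ID=0 DF PROTO=ESP SPI=0x0a1b2c3d
@4000000056702c1b02b3c4d5 kernel: denylog:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=80 TTL=54 ID=0 DF PROTO=UDP SPT=1701 DPT=1701 LEN=60
@4000000056702c1c0012abcd kernel: denylog:IN=ppp0 OUT= MAC= SRC=192.0.2.9 DST=203.0.113.5 LEN=40 TTL=240 ID=1 PROTO=TCP SPT=4444 DPT=23 SYN
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the key=value fields of one netfilter LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "PROTO" in fields else None


def classify(fields):
    """Label a logged packet as IKE, NAT-T, L2TP, ESP or 'other'."""
    proto = fields.get("PROTO")
    if proto == "ESP":
        return "ESP"
    if proto == "UDP":
        return VPN_UDP_PORTS.get(int(fields.get("DPT", 0)), "other")
    return "other"


def dropped_vpn_summary(log_text):
    """Count dropped VPN packets per class and per source address.

    Returns (by_class, by_source). Any non-zero IKE/NAT-T/L2TP/ESP count means
    the session is dying in the firewall; an ESP count in particular shows why
    a separate ESP rule (as in the masq fragments above) is needed at all.
    """
    by_class, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        label = classify(fields)
        if label == "other":
            continue
        by_class[label] += 1
        by_source[fields["SRC"]] += 1
    return by_class, by_source


if __name__ == "__main__":
    classes, sources = dropped_vpn_summary(SAMPLE_LOG)
    print("dropped by class :", dict(classes))
    print("dropped by source:", dict(sources))
```

On a real server feed it `/var/log/iptables/current` (or `/var/log/secure`, as John mentions) instead of the constructed sample; unrelated drops such as the TCP/23 probe in the sample are counted as "other" and left out of the summary.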
-
My advice would be to just simply start writing your notes and findings on a new wiki page.
Here you go to get you started: http://wiki.contribs.org/SoftEther_VPN
-
Here you go to get you started: http://wiki.contribs.org/SoftEther_VPN
Nice one HSF
-
Hello World
http://wiki.contribs.org/SoftEther_VPN is online and runnable.
Some TODOs remain before making a contrib.
Thanks, Olivier
-
From the wiki and from this post I am not able to understand if the authentication is done against standard SME server users or you need to keep another user/pass/certificate.... set
Can anyone point me in the right direction to look into this issue?
-
From the wiki and from this post I am not able to understand if the authentication is done against standard SME server users or you need to keep another user/pass/certificate.... set
Can anyone point me in the right direction to look into this issue?
Actually you must set up another list of users. After testing, I can't use the internal SME LDAP.
Olivier
-
FYI: https://wiki.contribs.org/SoftEther_VPN#Radius_authentication
-
Note that if you want/need L2TP, I have built a L2TP Ipsec contrib for testing:
https://wiki.contribs.org/Smeserver-libreswan-xl2tpd
https://forums.contribs.org/index.php/topic,53021.0/all.html
The main benefit over SoftEther is on most mobiles you do not need additional client software to configure or connect to it - just a few simple commands at the server console and a couple of settings in most mobile phones and it can be running in minutes. It also uses local user authentication.
-
No flaming intended here, but SoftEther VPN supports virtually all client platforms natively.
https://www.softether.org/1-features
I have tested Android with the built-in VPN client and OS X with the native VPN client. Works like a charm.
-
No flaming intended here, but SoftEther VPN supports virtually all client platforms natively.
I have tested Android with the built-in VPN client and OS X with the native VPN client. Works like a charm.
Cool ! I thought you needed (or used to need) a client.
-
The wiki page for this contribution needs "uninstall" instructions.
More to the point, I need uninstall instructions so I can back it out. The configuration is a bit above our skill set at this point.
-
I can do you an uninstall, but it's pretty well:
yum remove smeserver-libreswan*
signal-event post-upgrade;signal-event reboot
I can't see that it is any worse than SoftEther?
Essentially...
Install
Create an L2TPD/IPsec connection (I could automate some of this) with your IPsec password and your L2TPD DHCP range, and make sure it is outside the normal server range
Enable the services (for security I set them disabled by default)
Set a user in the server manager for VPN Access
Post-upgrade/reboot
On your phone add a connection
Set the server IP
Set the username
Set the password
Connect.....
I can't make it much simpler on the CLI
Theoretically it should be trivial to panelise this, but it is beyond me
-
PS: if you tell me some of your server config I can tell you the settings to use
Mainly I need the internal IP address, subnet & DHCP range
config show dhcpd