Setting up your own virtual private network server is a good way to evade blockage and be able to access sites that are blocked in your country. Choice of open source VPN packages is long but today we decided to try Softether coming from University of Tsukuba in Japan. Softether have long been proprietary product under name PacketX and it has been open sourced just several years ago. That may be the reason why it is so Windows oriented, the configuration GUI is windows only and connecting from Linux clients requires extra work. We are going to use only Linux and no GUIs here, so lets start. In the beginning, lets update the system, install dependencies and disable SElinux
yum update
yum -y groupinstall "Development Tools"
yum -y install gcc zlib-devel openssl-devel readline-devel ncurses-devel wget tar dnsmasq net-tools iptables-services system-config-firewall-tui nano iptables-servicessed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
After this reboot the computer so selinux stop and new kernel start if update had any new kernel. After the server boots up, disable both firewalls because they can interfere with testing. The firewall rules will be set after all is configured
systemctl disable firewalld
systemctl stop firewalld
systemctl status firewalldservice iptables save
service iptables stop
chkconfig iptables off
Of those two batches of commands, one will error because you are not running two firewalls. Next we need to cd to /usr/src, download the Softether, unpack it and compile it. We will use 4.20 version of Softether which is in the time of writing newest rtm version. There is also 4.21 but that is beta.
wget www.softether-download.com/files/softether/v4.20-9608-rtm-2016.04.17-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz
tar xzvf softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz -C /usr/local
cd /usr/local/vpnserver
make
Compile will ask you three questions at the end, you need to answer all with 1.
Next wee need to make init script for softether, as one is not included into the install. So run vi /etc/init.d/vpnserver and make paste this script.
#!/bin/sh
### BEGIN INIT INFO
# Provides: vpnserver
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable Softether by daemon.
### END INIT INFO
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.7.1test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 1
/sbin/ifconfig tap_soft $TAP_ADDR
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 1
/sbin/ifconfig tap_soft $TAP_ADDR
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
Next need to add the executable bit to the init script and start it for the first time in the old fashion way and then enable it it with systemd to start at every boot.
chmod +x /etc/init.d/vpnserver
/etc/init.d/vpnserver start
systemctl enable vpnserver
Don't mind that it complaints about tap interface, that is because we added it to init script and made it start with softether but didn't yet made the tap interface in softether config. We will come to that latter.
Softether is installed, now we configure
Moving over to configuration part, we need to start vpncmd utility
/usr/local/vpnserver/vpncmd
Press 1 to select "Management of VPN Server or VPN Bridge", and then whe it asks you which server to configure, just press enter and it wll chose localhost where you just installed Softether. Press Enter one more time to get access to server as Administrator. Next type
ServerPasswordSet
to set admin password for the server. In order to use softether, virtual hub needs to be created. We will create one named MOB with following command
HubCreate MOB
It will ask you to set password, which you will use to administer a hub, without access to entire VPN server.
Now we need to create local bridge. That is more efficient of the ways, there is also SecureNAT which is easier to setup but it is resource intensive. We will go with local bridge and tap device, note that with local bridge also DHCP server needs to be configured and installed which will do at the end of tutorial. So local bridge is created with following command:
BridgeCreate /DEVICE:"soft" /TAP:yes MOB
If TAP device creation fails with message about insufficient privileges, you might want to check if your network controller is set in promiscuous mode. HyperV and VMware by default create VMs without promiscuous mode. Set promiscuous mode and then retry creation of the tap device.
Now we need to create user for the MOB virtual hub we created. Users are created with command UserCreate and you can view the list of users by command UserList. Users can be added to groups and each group can have different authentication mode, for example Password, Certificate, RADIUS, NTLM and others.
Configuring the virtual Hub
Now we switch to hub MOB
Hub MOB
and create user
UserCreate test
We will keep it simple and use password auth, so use the following command
UserPasswordSet test
Now we setup L2TP/IPSec, work the prompt as follows, bold is what you need to type:
VPN Server/MOB>IPsecEnable
IPsecEnable command - Enable or Disable IPsec VPN Server Function
Enable L2TP over IPsec Server Function (yes / no): yesEnable Raw L2TP Server Function (yes / no): yes
Enable EtherIP / L2TPv3 over IPsec Server Function (yes / no): yes
Pre Shared Key for IPsec (Recommended: 9 letters at maximum): linoxide
Default Virtual HUB in a case of omitting the HUB on the Username: MOB
The command completed successfully.
That is it for IPsec, but we also want to have other protocols. For example OpenVPN and Microsoft protocols. We use ServerCertRegenerate command to generate and register a SSL certificate for the server in order to be able to use it for OpenVPN and Microsoft clients. Argument passed to the command must be your server IP adress or FQDIN:
ServerCertRegenerate <YOUR SERVER IP or FQDN>
A new server certificate has been created, we needs to save it to file:
ServerCertGet ~/cert.cer
This certificate now can be transfered to your clients. We can now enable SSTP function with this command:
SstpEnable yes
And to enable OpenVPN:
OpenVpnEnable yes /PORTS:1194
Port for OpenVPN can be changed to your liking. Then we need to create config for OpenVPN client like this
OpenVpnMakeConfig ~/openvpn_config.zip
VPN over DNS and VPN over ICMP
Type Hub to return to administering entire vpn server and not just MOB hub.
VPN Server/MOB>Hub
Hub command - Select Virtual Hub to Manage
The Virtual Hub selection has been unselected.
The command completed successfully.
For maximal evasion of all blockages, we also need to enable VPN over ICMP and DNS:
VpnOverIcmpDnsEnable /ICMP:yes /DNS:yes
VpnOverIcmpDnsEnable command - Enable / Disable the VPN over ICMP / VPN over DNS Server Function
The command completed successfully.
Now exit the vpncmd because we need to stop the vpnserver and setup dnsmasq
service vpnserver stop
DHCP server, forwarding and postrouting
Softether is now configured, but since we are not using SecureNAT and going with local bridge instead, will need a DHCP server. The dnsmasq is already installed in first stage of tutorial when we installed dependancies, so now we need to configure it. We need to edit /etc/dnsmasq.conf or use echo command to append needed lines to it. We will use latter opton and while we are at it, we will also echo the ipv4_forwarding.conf
echo interface=tap_soft >> /etc/dnsmasq.conf
echo dhcp-range=tap_soft,192.168.7.50,192.168.7.90,12h >> /etc/dnsmasq.conf
echo dhcp-option=tap_soft,3,192.168.7.1 >> /etc/dnsmasq.conf
echo port=0 >> /etc/dnsmasq.conf
echo dhcp-option=option:dns-server,8.8.8.8 >> /etc/dnsmasq.confecho net.ipv4.ip_forward = 1 >> /etc/sysctl.d/ipv4_forwarding.conf
Apply this setting by runing
sysctl -n -e --system
Check if it is applied:
cat /proc/sys/net/ipv4/ip_forward
It should show 1. If it shows 0, do this
echo 1 > /proc/sys/net/ipv4/ip_forward
Enable nat and postrouting:
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source [YOUR SERVER IP ADDRESS]
iptables-save > /etc/sysconfig/iptables
Restart vpn and dhcp servers with folowing commands and enable them to start at every boot:
service vpnserver start
systemctl start dnsmasq
systemctl enable dnsmasq
chkconfig vpnserver on
Conclusion
That concludes the install and configuration of Softether VPN server. It is configured with Local Bridge for maximum performance, we only now need to connect clients. The Windows and android ones are easy, for Windows you just head to the Softether site and download GUI client and connect. For android, you dont need even that, you have VPN client built in. But for Linux, to be able to connect, you need Virtual Layer-3 switch on Server, and you need to run dhclient on the virtual interface on client GNU/Linux machine. In future article we will concentrate on this Desktop GNU/Linux client which guys from Tsukuba University for some reason don't like and require all this additional steps.
The post How to Install Softether VPN server on Centos 7 appeared first on LinOxide.