In the post linked below I set up a VPN with SoftEther.
In this post I switch to certificate-based authentication, which is more secure than password authentication.
There are lots of articles that explain how to do this with the GUI tool on Windows.
I don't have a Windows PC, so I set it up from the command line on Linux.
Server authentication
This section shows how to configure the client to authenticate the server.
Server side
Let's create a certificate and key pair.
SoftEther has the convenient commands MakeCert and MakeCert2048.
The only difference is the key length: MakeCert generates a 1024-bit key and MakeCert2048 a 2048-bit key (1024-bit RSA is no longer considered adequate, so use MakeCert2048).
Each field can be left empty.
The validity period defaults to 10 years if left empty.
sudo /opt/vpnserver/vpncmd
(snip)
1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
Select 1, 2 or 3: 1 (Enter)
(snip)
Hostname of IP Address of Destination: localhost:5555 (Enter)
(snip)
Specify Virtual Hub Name: (Enter)
(snip)
VPN Server>MakeCert2048
MakeCert2048 command - Create New X.509 Certificate and Private Key (2048 bit)
Name of Certificate to Create (CN): (Enter)
Organization of Certificate to Create (O): (Enter)
Organization Unit of Certificate to Create (OU): (Enter)
Country of Certificate to Create (C): (Enter)
State of Certificate to Create (ST): (Enter)
Locale of Certificate to Create (L): (Enter)
Serial Number of Certificate to Create (Hexadecimal): (Enter)
Expiration Date of Certificate to Create (Days): (Enter)
File Name to Save Certificate to Create: /opt/vpnserver/server.cert
File Name to Save Private Key to Create: /opt/vpnserver/server.priv
The command completed successfully.
Next, configure the server to use this certificate and key.
VPN Server>Hub virtual_hub
(snip)
VPN Server/virtual_hub>ServerCertSet
ServerCertSet command - Set SSL Certificate and Private Key of VPN Server
Read X.509 certificate from file name: /opt/vpnserver/server.cert
Read private key from file name: /opt/vpnserver/server.priv
The command completed successfully.
The certificate and key are now stored in the VPN Server configuration file, so you can delete the files.
If you need them again, you can export them with the ServerCertGet command.
Client side
Next, let's configure the client to authenticate the server by its certificate.
Copy the certificate file (server.cert only, not the private key) to the client and run these commands.
sudo /opt/vpnclient/vpncmd
(snip)
1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
Select 1, 2 or 3: 2 (Enter)
(snip)
Hostname of IP Address of Destination: (Enter)
(snip)
VPN Client>AccountServerCertEnable virtual_connection
AccountServerCertEnable command - Enable VPN Connection Setting Server Certificate Verification Option
The command completed successfully.
VPN Client>AccountServerCertSet virtual_connection
AccountServerCertSet command - Set Server Individual Certificate for VPN Connection Setting
Read X.509 certificate from file name: ./server.cert
The command completed successfully.
Disconnect and reconnect to check that the configuration works.
Yes, it’s good!
VPN Client>AccountDisconnect virtual_connection
AccountDisconnect command - Disconnect VPN Connection Setting During Connection
The command completed successfully.
VPN Client>AccountConnect virtual_connection
AccountConnect command - Start Connection to VPN Server using VPN Connection Setting
The command completed successfully.
VPN Client>AccountStatusGet virtual_connection
AccountStatusGet command - Get Current VPN Connection Setting Status
Item                                      |Value
------------------------------------------+------------------------------------------------------------------------
VPN Connection Setting Name               |virtual_connection
Session Status                            |Connection Completed (Session Established)
(snip)
VPN Client>AccountGet virtual_connection
AccountGet command - Get Setting of VPN Connection Setting
Item                                                 |Value
-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------
(snip)
Verify Server Certificate                            |Enable
Registered Server Individual Certificate             |, SERIAL="00" (Digest: MD5="12345678901234567890123456789012", SHA1="1234567890123456789012345678901234567890")
(snip)
Client authentication
We can set up client authentication as well.
Server side
Create the client certificate and key with MakeCert or MakeCert2048, as above.
Then configure the server to authenticate the client by certificate.
VPN Server>Hub virtual_hub
(snip)
VPN Server/virtual_hub>UserSignedSet
UserSignedSet command - Set Signed Certificate Authentication for User Auth Type
User Name: yasu
Limit of Common Name (CN) Value:
Limit of Serial Number Value:
The command completed successfully.
VPN Server/virtual_hub>UserCertSet
UserCertSet command - Set Individual Certificate Authentication for User Auth Type and Set Certificate
User Name: yasu
Read X.509 certificate from file name: /opt/vpnserver/yasu.cert
The command completed successfully.
Client side
Configure the client side as well.
sudo /opt/vpnclient/vpncmd
(snip)
1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
Select 1, 2 or 3: 2 (Enter)
(snip)
Hostname of IP Address of Destination: (Enter)
(snip)
VPN Client>AccountCertSet virtual_connection
AccountCertSet command - Set User Authentication Type of VPN Connection Setting to Client Certificate Authentication
Read X.509 certificate from file name: /opt/vpnserver/yasu.cert
Read private key from file name: /opt/vpnclient/yasu.priv
The command completed successfully.
Disconnect and connect again.
Yes, client authentication worked as well.
VPN Client>AccountDisconnect virtual_connection
AccountDisconnect command - Disconnect VPN Connection Setting During Connection
The command completed successfully.
VPN Client>AccountConnect virtual_connection
AccountConnect command - Start Connection to VPN Server using VPN Connection Setting
The command completed successfully.
VPN Client>AccountStatusGet virtual_connection
AccountStatusGet command - Get Current VPN Connection Setting Status
Item                                      |Value
------------------------------------------+--------------------------------------------------------
VPN Connection Setting Name               |virtual_connection
Session Status                            |Connection Completed (Session Established)
(snip)
VPN Client>AccountGet virtual_connection
AccountGet command - Get Setting of VPN Connection Setting
Item                                                 |Value
-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------
VPN Connection Setting Name                          |virtual_connection
(snip)
Authentication Type                                  |Client Certificate Authentication
User Name                                            |yasu
Client Certificate for Authentication Use            |, SERIAL="00" (Digest: MD5="12345678901234567890123456789012", SHA1="1234567890123456789012345678901234567890")
(snip)
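Server certificate pinning only protects the connection if the client registered the genuine server.cert, so it is worth comparing the digests that AccountGet reports (for the registered server certificate above, and likewise for the client certificate) with the fingerprint of the file exported on the server. The script below is an added example, not part of the original post or of SoftEther; it assumes the certificate file is PEM and the AccountGet row format shown above, and its sample certificate is a constructed placeholder.

```python
import base64
import hashlib
import re

# Digest part of the AccountGet rows shown above ("Registered Server Individual
# Certificate" / "Client Certificate for Authentication Use").
DIGEST_RE = re.compile(r'MD5="([0-9A-Fa-f]{32})",\s*SHA1="([0-9A-Fa-f]{40})"')

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body to DER bytes."""
    body, inside = [], False
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside and line:
            body.append(line)
    if not body:
        raise ValueError("no PEM certificate body found")
    return base64.b64decode("".join(body), validate=True)

def fingerprints(pem: str) -> dict:
    """MD5/SHA1 over the DER bytes: the values vpncmd prints, and what
    `openssl x509 -noout -fingerprint -sha1 -in server.cert` shows."""
    der = pem_to_der(pem)
    return {"MD5": hashlib.md5(der).hexdigest().upper(),
            "SHA1": hashlib.sha1(der).hexdigest().upper()}

def registered_digests(account_get_output: str) -> dict:
    """Extract MD5/SHA1 from the certificate row of vpncmd's AccountGet output."""
    m = DIGEST_RE.search(account_get_output)
    if m is None:
        raise ValueError("no certificate digest found in AccountGet output")
    return {"MD5": m.group(1).upper(), "SHA1": m.group(2).upper()}

def certificate_matches(pem: str, account_get_output: str) -> bool:
    """True only when the registered digests equal those of the given file."""
    return fingerprints(pem) == registered_digests(account_get_output)

# Constructed sample: PEM armor around placeholder bytes, not a real X.509 cert.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"placeholder DER bytes, not a real cert").decode()
              + "\n-----END CERTIFICATE-----\n")
# Row copied from the post's AccountGet output; its digests are dummy values.
SAMPLE_ROW = ('Registered Server Individual Certificate |, SERIAL="00" '
              '(Digest: MD5="12345678901234567890123456789012", '
              'SHA1="1234567890123456789012345678901234567890")')
```

Run certificate_matches() with the server's server.cert and the client's AccountGet output; a False result means the client pinned something other than the certificate you exported.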
Now certificate-based authentication is configured for both server and client!
Conclusion
How was it?
It isn't as complicated as you might expect!