
SoftEther VPN Server on Windows: installation and configuration. SoftEther VPN, an advanced multiprotocol VPN server; VPN Client Manager client does not connect

SoftEther VPN Client Manager is a program for changing your IP address and choosing, manually or automatically, the server to connect through. SoftEther VPN Client Manager can be downloaded completely free for Windows. An Internet connection is needed to get started; otherwise a corresponding message appears when the program starts. The current address, country and provider are then displayed on the screen. Next, the user can select a server through which traffic will be redirected. This can be done manually or in automatic mode. What is the difference? The Russian-language version helps you get to grips with the application faster, and the interface is simplified as much as possible. Manual mode is designed for choosing the country and connection region yourself: double-click the desired row in the list and the connection will begin.

Automatic mode does everything by itself: it determines the most suitable bridge for the connection and connects. All traffic, outgoing and incoming, is redirected through a "mirror", that is, another server. With a stable, good-quality connection the delay between commands is imperceptible. You can download SoftEther VPN Client in Russian freely by direct link. The installer is suitable for both x32 and x64. How does the program work? The client redirects the connection to "mirrors": the user connects to a server in another country and then, from it, to the site they need.

The sequence is as follows: a request goes from the computer to the masking server, from it to the site, and back through the server to the computer. As a result the site sees a different address, not the actual one. Just download SoftEther VPN Client Manager to your computer and forget about blocking forever. The program can run either constantly or on demand. It does not load RAM or the processor and works quickly and efficiently. The product is fully compatible with all versions of the OS and does not require additional software.

The advantages of the application are as follows:

  • Russian language;
  • simple and convenient interface;
  • support for popular protocols;
  • stable connection;
  • automatic reconnection after a drop.

SoftEther VPN Server 4.20.9608 (stable release, i.e. not Beta): softether-vpnserver_vpnbridge-v4.20-9608-rtm-2016.04.17-windows-x86_x64-intel.exe.

OS version: Windows 7 Professional x64 SP1.

SoftEther VPN Server: installing and setting up a VPN server on Windows

The software product SoftEther VPN Server lets you easily and quickly set up a VPN server on Windows. This lets you combine various devices, servers and computers into one (virtual) network, while all these devices can be physically located anywhere in the world. This article discusses installing and configuring SoftEther VPN Server on Windows. SoftEther VPN Server is a freeware product.

A VPN server is usually used to provide remote access to the enterprise network from home or from the organization's other remote networks (offices). Any other device that is allowed access, such as a mobile phone, can also be connected to this network; that is, you can reach your work desktop from a mobile phone. The VPN server is therefore often the central node to which clients connect to gain access to the enterprise's internal network.

Installing SoftEther VPN Server on Windows

The distribution can be downloaded from the SoftEther Download Center. Note that the download page shows the Beta version of the product first.

Download and run softether-vpnserver_vpnbridge-v4.20-9608-rtm-2016.04.17-windows-x86_x64-intel.exe.

Here choose SoftEther VPN Server.

SoftEther VPN Server Manager (Admin Tools Only): you can install only the administration tools rather than the server itself, for example on the administrator's workstation.

SoftEther VPN Bridge: SoftEther VPN Server can work in bridge mode between networks (not covered in this article).

Accept the license agreement.

All the key technical details are listed here; you can read through them.

Here you can select the folder where SoftEther VPN Server will be installed and choose whether it is installed for a specific user or for all users on the computer.

Configuring SoftEther VPN Server

SoftEther VPN Server Manager can always be launched from Start > All Programs > SoftEther VPN Server > SoftEther VPN Server Manager.

On start, a list of connections to SoftEther VPN Server servers is displayed. Here you can create new connections or change the parameters of existing ones. To do this, select a connection (in this example there is only one) and click Edit Setting.

Here you can specify the settings for a specific connection.

1. The name of the connection

2. The name of the server where SoftEther VPN Server is installed, or its IP address, plus the port.

3. Direct connection to the server or connection through a proxy.

4. Whether this is a connection to the server or to a hub. This article discusses a single server, so choose Server Admin Mode.

Connect to the server: on the main screen of SoftEther VPN Server Manager click Connect. When you first connect, the wizard for configuring the VPN server will start.

Choose Remote Access VPN Server.

Here you enter the name of the virtual hub (think of it as the piece of hardware that everyone plugs into). Leave it as it is.

You can configure a connection with Azure Cloud. It is not covered in this article, so choose Disable VPN Azure.

In item 3, select the network card on the server that faces the Internet.

You must also create a user under which clients will connect to the VPN server. You can have one user for everyone or one for each person.

To create a user, click Create User. The figure highlights the fields for creating a user with password authentication.

1. Enter the username

2. You can set a group for the user and the expiration date of this account (i.e. access to someone can be provided for a while).

3. Select the type of authentication - Password authentication.

4. You can adjust specific permissions.

5. Set a password for the user.

6. You can manage an individual certificate for authentication for a specific user.

7. Settings for a signed certificate.

Exit the VPN Easy Setup Tasks form: click Close.

If you install SoftEther VPN Server on a virtual server, the following window may appear. It warns that you need to make sure Promiscuous Mode is enabled and not prohibited for this virtual machine. If that is not the case, it needs to be enabled and allowed.

That is all: the server is ready for operation, and from now on, when you connect to the server via SoftEther VPN Server Manager, you will see this window.

If you change the ports through which users connect, open these ports in every firewall between the client and the server. In the Windows operating system firewall, installing SoftEther VPN Server Manager automatically creates a rule for C:\Program Files\SoftEther VPN Server\vpnserver_x64.exe.

Connecting clients to SoftEther VPN Server

To connect clients to SoftEther VPN Server you can use either the software built into the OS, over an L2TP/IPsec connection with a pre-shared key, or SoftEther's own SoftEther VPN Client, which, as the developers say, works faster and encrypts traffic using SSL. That is, the VPN can work even in networks where protocols other than HTTPS are prohibited.

How quickly can I get you interested if I say that this article is about a VPN server that can bring up L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3 and EtherIP servers, and also has its own "SSL-VPN" protocol, which is indistinguishable from ordinary HTTPS traffic (which cannot be said of the OpenVPN handshake, for example), can work not only over TCP/UDP but also over ICMP (like pingtunnel, hanstunnel) and DNS (like iodine), works faster (according to the developers) than current implementations, builds L2 and L3 tunnels, has a built-in DHCP server, supports both kernel-mode and user-mode NAT, IPv6, shaping, QoS, clustering, load balancing and fault tolerance, runs on Windows, Linux, Mac OS, FreeBSD and Solaris, and is an open-source project under GPLv2?

That's the thing. You can't pass this up.

Uh-oh, what kind of thing is this?
Most likely you have not heard of this project before. The thing is that Daiyu Nobori (大 遊) began developing it as soon as he entered the University of Tsukuba and found that PPTP did not work from the campus network. In 2003, when he was 18 years old, he released the first version of SoftEther, and the Japanese government came down on him: it considered that the project could be regarded almost as malicious software, because it allows you to bypass the firewall (OpenVPN was also only just appearing at that time) and can also "harm the image of other VPN products", and it forbade distribution of the program. He tried to explain himself, but since he could perhaps have been expelled from the university over this, he did not insist and removed the program from free access. Some time passed, and Mitsubishi Materials Corporation offered to buy SoftEther 1.0 and sign a contract for 10 years (April 2004 to April 2014), which gives the corporation the right to sell SoftEther and prohibits Daiyu Nobori from selling the program and/or anything based on it; but in March 2013 he began distributing SoftEther for free, and only quite recently (January 4, 2014) did it become possible to open it under GPLv2. Unfortunately, there are still some copyright problems, so until April 2014 SoftEther will probably be missing some important features: RADIUS / Active Directory authentication, RSA-key authentication, DoS protection, Source IP ACL, syslog transfer and deep-inspect packet logging.
Description
More about the server's features:
  • Multiple virtual hubs, i.e. not a separate server instance for each set of clients, but all of them within one server.
  • Remote-Access (client-to-LAN) and Site-to-Site (joining two or more LANs into one) tunnels.
  • Support for L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP and its own protocol
  • VPN over ICMP and over DNS (only with its own protocol)
  • Dynamic DNS and NAT Traversal through a free relay (yes, yes, you can bring up a VPN server on a gray IP!)
  • Logging
  • Built-in firewall
  • IPv6 support in L3 mode (and in L2, of course, too)
  • Traffic shaping by user group or for specific users
  • SecureNAT (user-space NAT and DHCP server). Convenient on non-server Windows
  • VLAN support
  • QoS support with automatic prioritization

The software consists of a server, a bridge server, a client, and GUI (Windows only) and CUI administration utilities. The client is needed to connect a single computer to a LAN (Remote Access VPN), and the bridge server to connect two or more networks (Site-to-Site VPN). Unfortunately, the CUI is not very well documented, and I started the server only from the CUI; I could not use the Windows version of the server and the GUI utility. It should be noted that the GUI utility can work not only with a local server: you can run the server itself on Linux and administer it through the GUI utility under Windows. The GUI has only the basic settings; to change the advanced settings you will have to dig deeper or use the CUI.

Here are several GUI screenshots, to give an idea of what the server can do and how easy everything is to configure.

Server management window

Hub management window

Editing a user

ACL with the ability to simulate Packet Loss and Jitter

Security policy for a user

SecureNAT settings

L2TP/IPsec settings

OpenVPN and SSTP settings

There are two ways to combine networks using SoftEther VPN.
1) A bridge connection, in which the networks are combined into one Ethernet segment. This option is inconvenient, because if both networks have services that must run as a single instance (for example, DHCP), this will lead to conflicts. In addition, if there are many nodes in the network, broadcast traffic will increase.
2) The second method builds on the first. Here, however, you create a virtual OSI layer 3 switch that manages traffic between the networks. An additional virtual hub is also created, to which the remote network is connected. The drawbacks: dynamic routing protocols are not supported, the IGMP protocol is not supported, and static routes must be configured on nodes with shared resources.

This article discusses the second method.

The advantage of this scheme is that there is no need to spend money on expensive routers with VPN support or, for the paranoid, to use the leaky PPTP protocol. Turn the PCs on and the connection comes up automatically, provided the PC at the other end is also on. Link performance is limited by the speed of your Internet connection (including the router's routing performance) and by the power of the PC processors, because they carry out the traffic encryption.

We have two networks, each with a router as the central node, with a DHCP server and a WAN link. On a PC in one network you need to install SoftEther VPN Server, and in the other network SoftEther VPN Bridge.

Installing a VPN server on Windows

Installing SoftEther VPN Server is quite simple. I will illustrate it with pictures and short comments. Download the SoftEther VPN Server distribution from the official site and run it.
Select the installation option, VPN Server, and click "Next".

Then we accept the terms of the agreement and choose the standard installation.

After the VPN server starts, the administration window will appear; press the "Connect" button and set the server administrator password.

Specify the server type: Site-to-Site VPN Server (Center).

Next comes the configuration of the Dynamic DNS function; click Exit. Later it can be disabled by changing the line in the configuration file to: "declare DDNSClient { bool Disabled true".

Next, you must specify the physical network card that connects the virtual hub to the local network. The connection is made at the OSI data link layer, so the virtual hub does not receive any IP address on the network. However, some routers may notice an IP address from the 172.31.0.0/16 subnet appearing on the local network. This address is used to keep track of the correspondence between ARP entries and IP addresses, or something like that.

Next, you are offered to configure access via L2TP and to enable Azure VPN. We skip these steps, because they play no part in this scheme. Azure VPN can be disabled if you have a white (public) IP. If the address is gray (behind NAT), do not disable it, and use the Azure VPN domain address instead of the IP.

Configuring the VPN server

At the end of the initial setup we land in the server administration window. First of all, delete the unnecessary ports (everything except 5555, which is used to connect to the administration panel). Then specify some non-standard TCP port to listen on, for example 7710. If you do not have a white IP address, then to use Azure VPN you need to listen on port 443.
Now you need to create a second virtual hub, to which the remote network will be connected. To create it, click the Create a Virtual Hub button. Name it, for example, after the remote network's number: 12. There is no need to create a Local Bridge in this virtual hub.

Next, select hub 12 and click "Manage Virtual Hub", then "Manage Users", and create a user for the remote network. Let's call it "Network 12"; instead of a password we will use a self-signed certificate with a private key.

Click Create Certificate and fill in the "Common Name" field.

Select the certificate format: X.509 (certificate and private key in separate files).

The saved certificate and private key will need to be loaded into the SoftEther VPN Bridge client.
Next, you must open a port on the router, the one the server listens on, and configure port forwarding to the PC running the server. You can read more about how to open ports in this article.
For example, in pfSense the rule for opening the port looks like this. When you create a NAT rule, pfSense automatically creates the firewall rule as well. Other routers may not do this, so you need to create both rules by hand.

Also, the firewall on both routers must allow traffic to pass between the networks. A rule that allows any traffic to pass looks like this:

If the computers run a firewall, traffic for the relevant network must be allowed there too.
Next you need to create a virtual router. Click the Layer 3 Switch Settings button, create a new virtual router and click the "Edit" button. Then create a virtual interface for each hub. For the hub named 10 we create an interface with the address 192.168.10.100, for the hub named 12, 192.168.12.100. You can choose your own addresses; the main thing is that they are not in use and that each belongs to its own subnet. The developers assure that adding routes is optional, but it is better to add them just in case. To start the router, press the "Start" button.

Setting up a VPN client

Run the SoftEther VPN Server installer, this time selecting the SoftEther VPN Bridge installation option. Keep clicking "Next", then set the administrator password.

At this step, you specify the network card used to create the bridge with the local network.

After that, we land in the SoftEther VPN Bridge control panel. As you can see, many functions are disabled in this mode.

Next, you need to create a cascade connection to the SoftEther VPN server. Click "Manage Virtual Hub", then "Manage Cascade Connection", and fill in the connection data.
Settings Name: the connection name.
Host Name: the white IP address or DDNS domain name of the router of the network where the server is installed. If you do not have a white IP address, use the Azure VPN service and enter the domain name obtained from that service (vpn123456789.vpnazure.net). I think it is clear that without a white IP address there is no need to open ports on the router.
Port Number: the port the server listens on.
Virtual Hub Name: the name of the virtual hub on the server.
User Authentication Settings: since we decided to use a self-signed certificate instead of a password, select "Client Certificate Authentication". Enter the username (in the example it is Network 12). Click "Specify Client Certificate" and load the certificate and the private key.

Now configure the connection parameters: click "Advanced Settings". Here you need to specify the number of TCP connections; 8 is recommended for a broadband connection.

Routing setup

The setup consists of adding static routes on the routers of both subnets.
On the router 192.168.10.1 (see the diagram) we add a route to the network 192.168.12.0. It looks like this: 192.168.12.0 mask 255.255.255.0 gateway 192.168.10.100.
On the router 192.168.12.1 we add a route to the network 192.168.10.0: 192.168.10.0 mask 255.255.255.0 gateway 192.168.12.100.
To be safe, we reboot both PCs and the router.

Access to shared folders via SoftEther VPN

After the settings made above, all computers on the network should "ping" each other normally (unless prohibited by a firewall). However, access to Windows shared folders does not work. This problem is solved by adding static routes directly on the computers with shared resources. Run the Windows command prompt as administrator and enter the command:
For computers located on the network 192.168.10.0:
route -p add 192.168.12.0 mask 255.255.255.0 192.168.10.100
For computers on the network 192.168.12.0:
route -p add 192.168.10.0 mask 255.255.255.0 192.168.12.100
That completes the setup. To analyze the traffic route, I advise using the Windows command-line command pathping.
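The Layer 3 switch interface addresses and the static routes above have to agree with each other, so the following added example (not part of the original article) checks the addressing plan and prints the matching "route -p add" lines. The SITES table, the field names and the function names are assumptions made for the illustration; the code also handles more than the two hubs used in the article.

```python
import ipaddress

# The two networks from the article: LAN subnet, the LAN router, and the
# address given to the virtual Layer 3 switch interface on that hub.
SITES = {
    "10": {"subnet": "192.168.10.0/24", "router": "192.168.10.1", "l3_if": "192.168.10.100"},
    "12": {"subnet": "192.168.12.0/24", "router": "192.168.12.1", "l3_if": "192.168.12.100"},
}


def validate_sites(sites):
    """Return the addressing problems that would break routing via the L3 switch."""
    problems, nets = [], {}
    for name, site in sites.items():
        net = ipaddress.ip_network(site["subnet"])
        gateway = ipaddress.ip_address(site["l3_if"])
        nets[name] = net
        if gateway not in net:
            # Hosts can only use a gateway that is on their own subnet.
            problems.append(f"hub {name}: interface {gateway} is outside {net}")
        elif gateway in (net.network_address, net.broadcast_address):
            problems.append(f"hub {name}: interface {gateway} is not a host address")
        if gateway == ipaddress.ip_address(site["router"]):
            problems.append(f"hub {name}: interface {gateway} collides with the router")
    names = sorted(nets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if nets[first].overlaps(nets[second]):
                problems.append(f"hubs {first} and {second}: subnets overlap")
    return problems


def windows_routes(sites):
    """Map each hub to the persistent routes its Windows hosts need."""
    problems = validate_sites(sites)
    if problems:
        raise ValueError("; ".join(problems))
    plan = {}
    for name, local in sites.items():
        plan[name] = [
            f"route -p add {net.network_address} mask {net.netmask} {local['l3_if']}"
            for other, remote in sites.items() if other != name
            for net in [ipaddress.ip_network(remote["subnet"])]
        ]
    return plan


if __name__ == "__main__":
    for hub, lines in windows_routes(SITES).items():
        print(f"Hosts on hub {hub}:")
        for line in lines:
            print("  " + line)
```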

Ask your questions in the comments.

Data protection worries more and more people today. The trends are not merely unpleasant, they are horrifying: even televisions are starting to spy on us. The surest way is always to assume that someone is listening and to defend yourself preventively. You can bring up SSH tunnels and SOCKSify the traffic you need through them, and you can use HTTPS wherever possible by installing plug-ins for it. However, the most suitable technology has been, is, and will long remain VPN.

Where do you get a VPN for connecting safely from various devices "on the go" and in public places? The simple and fast way is to use one of the numerous services. But from a security point of view this method raises questions. Voluntarily sending your traffic through some "uncle", and even paying for it, is not very wise. And anonymity is not so good either: a major service will hand you over, guts and all, on the first request; it is enough to remember the story of HideMyAss and LulzSec. Small shady outfits may well snoop on you themselves. You cannot inspect the inner workings of a VPN service, and relying on assurances that no logs are kept is naive.

What is left for a poor paranoid? To bring up a VPN server yourself; fortunately, not much is needed for that. Until recently the most suitable implementation for your own server was OpenVPN. Its tangible downside is rather complex configuration and unfriendliness to the ordinary user. Only someone experienced in networking can install and configure it on their own, and the abundance of step-by-step manuals does not help much. In addition, OpenVPN requires access to TUN/TAP devices on the server, so not all VDS/VPS hostings are suitable for it. However, a powerful multiprotocol VPN server was recently opened under the GPLv2 license: SoftEther VPN. At first glance, and at second, this server's capabilities are striking.

It has its own SSL-VPN protocol, which is indistinguishable from regular HTTPS traffic (OpenVPN traffic can still be singled out with DPI). Support is claimed for L2TP/IPsec, MS-SSTP, OpenVPN, L2TPv3 and EtherIP, and strict compatibility with the built-in clients in iOS and Android is stated for L2TP. The server itself has versions for Windows, Linux, OS X, FreeBSD and Solaris and, as the site claims, is an optimal alternative to OpenVPN that also works faster.

A complete list of all the goodies can be found on the official website. I will note only the main features. The VPN server can be fully controlled through a very well thought-out graphical interface, and you can do it remotely. Yes, yes, it is now possible to bring up the server part on Linux and steer it remotely from a nice GUI for Windows. SoftEther VPN has a built-in NAT and DHCP server, so on Linux and FreeBSD you no longer need to fiddle with iptables and natd settings. In my opinion, creating your own VPN network has never been so simple. The proprietary SSL-VPN protocol can work over TCP, with multiple TCP sessions, and UDP and even ICMP are supported.

Trying it out

Let us look at this beauty from a practical point of view. For installation we need a dedicated server or a VDS/VPS; SoftEther VPN does not require TUN/TAP devices to work, so even the most modest options with any type of virtualization are suitable. Installing the server part is quite simple. On the www.softether-download.com page, select the SoftEther VPN Server distribution for the desired operating system and architecture (on *nix, the OS architecture can be found with the uname -m command). As an example, consider Linux as the most common option on a VDS. Download the distribution to the server by any available means, then unpack and build it:

tar xzvf softether-vpnserver-v4.05-9416.tar.gz && cd vpnserver && make

We will be asked to confirm that we have read the License Agreement and agree with it. After that, our SoftEther VPN Server is built in this directory and is ready to launch. The documentation additionally advises moving it to /usr/local/vpnserver, but it makes no difference; you can even run it from /var/tmp. Do you see where I am going with this? 🙂 Run

./vpnserver start

That is it: our own VPN server is ready and by default awaits connections on ports 443, 992, 1194 and 5555. You can manage the server through its configuration file or, much more conveniently, with the management utilities. You can connect for management using the vpncmd console utility, located in the same directory, or using the GUI for Windows, called SoftEther VPN Server Manager for Windows. It is part of SoftEther VPN Server for Windows, but you can install it separately by ticking the right boxes in the installer, or download a separate ZIP archive from the download page. Let us look at it, as the friendliest option.


To connect in Server Manager, specify the host and port (any of those being listened on) of our server. On first connection we will be asked to set the administrator password. Set your password and proceed to configuration. It makes sense to edit the port list, so as not to give away the presence of a VPN on the server too obviously. I leave only 443; choose for yourself to taste. SoftEther VPN supports so-called virtual hubs (Virtual Hubs), essentially separate virtual VPN servers, each with its own administrators, VPN users, settings and ACL policies. Create such a hub if one does not exist by default, and go to its settings, where we need to create a user in Manage Users. SoftEther VPN supports various authentication methods, including certificate authentication, RADIUS and NT Domain. Ordinary Password Authentication is quite enough for us, so we simply specify the user's login and password. You can also look at the Security Policy, where you can limit the user's bandwidth and forbid other pleasures.
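Both the trimmed listener list described here and the DDNSClient setting from the site-to-site section end up in the server's configuration file, so the result can be checked there. The following is an added example, not code from the article or from the SoftEther project: it parses the nested "declare" layout and reports where a config differs from the intended state. The sample config is constructed, and the ListenerList, ListenerN, Enabled and Port names are assumptions about the file's layout.

```python
# Constructed sample, not copied from a real server. Block and key names other
# than DDNSClient / Disabled are assumptions about the file's layout.
SAMPLE_CONFIG = """\
# Software Configuration File
declare root
{
    declare DDNSClient
    {
        bool Disabled false
    }
    declare ListenerList
    {
        declare Listener0
        {
            bool Enabled true
            uint Port 443
        }
        declare Listener1
        {
            bool Enabled true
            uint Port 992
        }
        declare Listener2
        {
            bool Enabled true
            uint Port 1194
        }
        declare Listener3
        {
            bool Enabled true
            uint Port 5555
        }
    }
}
"""

def _convert(kind, value):
    if kind == "bool":
        return value == "true"
    if kind in ("uint", "uint64"):
        return int(value)
    return value  # strings and byte blobs stay as text

def parse_config(text):
    """Parse nested 'declare NAME { type key value ... }' blocks into dicts."""
    root, pending = {}, None
    stack = [root]
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("declare "):
            pending = line.split(None, 1)[1]
        elif line == "{" and pending is not None:
            stack[-1][pending] = node = {}
            stack.append(node)
            pending = None
        elif line == "}" and len(stack) > 1:
            stack.pop()
        else:
            parts = line.split(None, 2)
            if len(parts) < 2 or parts[0] in ("{", "}"):
                raise ValueError(f"line {lineno}: unexpected {line!r}")
            stack[-1][parts[1]] = _convert(parts[0], parts[2] if len(parts) > 2 else "")
    if len(stack) != 1:
        raise ValueError("unbalanced braces: a declare block is never closed")
    return root

def enabled_ports(config):
    listeners = config.get("root", {}).get("ListenerList", {})
    return sorted(l["Port"] for l in listeners.values()
                  if isinstance(l, dict) and l.get("Enabled") and "Port" in l)

def audit(config, allowed_ports):
    """Return findings where the config differs from the intended state."""
    findings = []
    ddns = config.get("root", {}).get("DDNSClient", {})
    if not ddns.get("Disabled", False):
        findings.append("DDNSClient.Disabled is not true: Dynamic DNS client is active")
    for port in enabled_ports(config):
        if port not in allowed_ports:
            findings.append(f"listener on TCP {port} is enabled but not intended")
    for port in sorted(set(allowed_ports) - set(enabled_ports(config))):
        findings.append(f"intended listener on TCP {port} is missing or disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE_CONFIG), allowed_ports={443})))
```

Run against the sample with only 443 allowed, it reports the active DDNS client and the three extra default listeners.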


So that users connected to the VPN have Internet access, we use NAT. All the settings are behind the corresponding button in the hub's context; it is enough to simply turn NAT on, leaving everything else at defaults. At this stage you can already connect to the server using the SoftEther VPN client, which works over the proprietary SSL-VPN protocol; configuration is trivial and will cause no difficulties. To connect via L2TP and L2TP/IPsec, you need to enable them on the server; the corresponding options are in IPsec / L2TP Settings. Support for OpenVPN clients is enabled similarly, and in that case SoftEther will even offer to generate an .ovpn configuration file for OpenVPN.


Now you can connect to the VPN from both desktop operating systems and mobile devices. Instructions for configuring the connection can be found on the net; they do not differ from the usual ones. Manuals with illustrations are also available at www.softether.org. It is time to feel like the proud owner of a VPN server or even, having bought a dozen servers in different countries, to open your own VPN service :).

Nearby VPN.

Sometimes a direct connection between the client and the VPN server is difficult or impossible for some reason (a local network whose exit is strictly firewalled at the border router, or a server that has no external IP and sits behind NAT or has a dynamic address). A common case: we have installed a VPN server at home and want to reach home over a secure channel, but alas, the home provider does not give us a routable IP address. And there may be any number of other reasons why there is no direct visibility to the server. Here SoftEther VPN has something to show us. Its proprietary SSL-VPN protocol has a number of interesting techniques for overcoming network barriers. Moreover, they require no effort; everything works literally automatically. In addition to the usual SOCKS/proxy support, which no longer surprises anyone after OpenVPN, SoftEther VPN offers:

  • DDNS service;
  • NAT Traversal;
  • VPN over ICMP;
  • VPN over DNS;
  • VPN Azure Cloud.

If the server does not have a permanent IP, or we simply want convenience, SoftEther VPN will kindly provide us with a third-level domain in *.softether.net. You do not even need to register; all that is required is to choose a subdomain to taste, and it will work by itself. NAT traversal and ICMP and DNS tunneling are poorly documented and not configurable, so to make sure they work you may need Wireshark. However, by default everything works more than fine. The NAT Traversal technique successfully got through the firewall on my router, on which I had blocked outgoing packets to the VPN server for the test, and no less successfully managed to connect to a VPN server placed behind a Full-Cone NAT. The problem of connecting to my home server is solved for me forever :). Keep in mind that NAT Traversal requires a third host, which for now is provided by SoftEther VPN.

In the current version it is impossible to influence which technique is used. SoftEther VPN Client tries them in turn if a direct head-on connection fails: connections to ports 137 and 53 of the server are attempted, NAT Traversal is activated, and ICMP packets are sent. VPN over ICMP uses ICMP Echo or, simply put, ordinary ping.

Conclusion

SoftEther VPN is developing very dynamically, and by the time you read this article its functionality may have become even tastier. There has not yet been an open solution this powerful and at the same time this friendly. The project definitely deserves attention.