Wednesday, July 9, 2014

Use Certificate-based Authentication with the Open Source Version of SoftEtherVPN

First of all, to whom that do not know what is SoftEtherVPN: It is "An Open-Source Free ​Cross-platform Multi-protocol VPN Program" released by the University of Tsukuba, Japan. The servers and clients can work on multiple platforms such as Linux, Mac OS X, FreeBSD, Windows... as well as allow you to use OS's native VPN client such as Windows' PPTP, OpenVPN, IPSec, and so on.

One of the very useful features of SoftEtherVPN Server is that it allows clients to be authenticated using certificates or active directories. However, such features are disabled in the open-source version of SoftEtherVPN Server.

In practical usages, while I am using SoftEtherVPN at several sites, I have found that I can use certificate-based at some sites and cannot at others with the same binary version of SoftEtherVPN Server downloaded from its website. Therefore, I've decided to investigate in its source code.

After a while, I have found the following function which disables the advanced features.

// Update the global server flags
void UpdateGlobalServerFlags(SERVER *s, CAPSLIST *t)
bool is_restricted = false;
// Validate arguments
if (s == NULL || t == NULL)

is_restricted = SiIsEnterpriseFunctionsRestrictedOnOpenSource(s->Cedar);

SetGlobalServerFlag(GSF_DISABLE_PUSH_ROUTE, is_restricted);
SetGlobalServerFlag(GSF_DISABLE_RADIUS_AUTH, is_restricted);
SetGlobalServerFlag(GSF_DISABLE_CERT_AUTH, is_restricted);
SetGlobalServerFlag(GSF_DISABLE_DEEP_LOGGING, is_restricted);
SetGlobalServerFlag(GSF_DISABLE_AC, is_restricted);
SetGlobalServerFlag(GSF_DISABLE_SYSLOG, is_restricted);

The above code means the key here is the function "SiIsEnterpriseFunctionsRestrictedOnOpenSource", which is used to identify that whether or not to restrict advanced features.

Go up to the definition of above function, I have found the following comment.

// Check whether some enterprise functions are restricted
// ** Hints by Daiyuu Nobori, written on March 19, 2014 **
// The following 'enterprise functions' are implemented on SoftEther VPN Server
// since March 19, 2014. However, these functions are disabled on
// SoftEther VPN Servers which run in Japan and China.
// - RADIUS / NT Domain user authentication
// - RSA certificate authentication
// - Deep-inspect packet logging
// - Source IP address control list
// - syslog transfer
// The SoftEther VPN Project intentionally disables these functions for users
// in Japan and China. The reason is: Daiyuu Nobori, the chief author of
// SoftEther VPN, has been liable to observe the existing agreements and
// restrictions between him and some companies. The agreements have regulated
// the region-limited restriction to implement and distribute the above
// enterprise functions on the SoftEther VPN open-source program.
// Therefore, the SoftEther VPN Project distributes the binary program and
// the source code with the "SiIsEnterpriseFunctionsRestrictedOnOpenSource"
// function. This function identifies whether the SoftEther VPN Server
// program is running in either Japan or China. If the restricted region is
// detected, then the above enterprise functions will be disabled.
// Please note that the above restriction has been imposed only on the
// original binaries and source codes from the SoftEther VPN Project.
// Anyone, except Daiyuu Nobori, who understands and writes the C language
// program can remove this restriction at his own risk.

Wow, you are a great man with a kind hints, Daiyuu Nobori. We can disable the restrictions with our own risks.

All other steps are now based on you. If you plan to use SoftEtherVPN Server outside of Japan and China, just download the compiled version from its website. Otherwise, go on to disable the above function with your own knowledge on C programming language.

Have a nice day!

Thursday, March 6, 2014

A Simple Way to Create A Windows Installation USB on Linux

Sometime you might want to create a flash drive (USB drive) for installing Windows, but... on Linux. One of the simple way is to use UNetbootin. However, the recent versions of UNetbootin do not support NTFS partition anymore, and you just cannot create such a drive in usual way.

Fortunately, UNetbootin is not support NTFS partition in GUI only, it still work like a charm with the command line options.

Now, it is time to begin.

0. I assume that you have a ISO file of Windows 7 (or 8) Installation Disk (win7.iso, for example) and a flash drive with the capacity of at least 4GB (which is recognized as /dev/sdd, for example.) I also assume that you already have UNetbootin in your system.

1. First of all, creating a partition which is big enough for storing Windows installation packages. It should be larger than 3.2 GB. You can use any tool that you are familiar with, such as gparted, Disk Utility, etc. I use parted here for example.

$ sudo parted -s /dev/sdd mklabel msdos mkpart primary 1024KiB 4GiB print
$ sudo mkfs.ntfs -L WIN /dev/sdd1

2. Mount the created partition to a point in your system. If you use Genome, it should mount that partition automatically to /run/media/${USER}/WIN. If it is not the case, use the following command.

$ sudo mount /dev/sdd1 /mnt

3. Run the following command.

$ sudo unetbootin method=diskimage isofile=win7.iso targetdrive=/dev/sdd1

The GUI will be shown with all the options you need. Click OK.

Blah, blah, blah...