Wednesday, July 9, 2014

Use Certificate-based Authentication with the Open Source Version of SoftEtherVPN

First of all, to whom that do not know what is SoftEtherVPN: It is "An Open-Source Free ​Cross-platform Multi-protocol VPN Program" released by the University of Tsukuba, Japan. The servers and clients can work on multiple platforms such as Linux, Mac OS X, FreeBSD, Windows... as well as allow you to use OS's native VPN client such as Windows' PPTP, OpenVPN, IPSec, and so on.

One of the very useful features of SoftEtherVPN Server is that it allows clients to be authenticated using certificates or active directories. However, such features are disabled in the open-source version of SoftEtherVPN Server.

In practical usages, while I am using SoftEtherVPN at several sites, I have found that I can use certificate-based at some sites and cannot at others with the same binary version of SoftEtherVPN Server downloaded from its website. Therefore, I've decided to investigate in its source code.

After a while, I have found the following function which disables the advanced features.

// Update the global server flags
void UpdateGlobalServerFlags(SERVER *s, CAPSLIST *t)
bool is_restricted = false;
// Validate arguments
if (s == NULL || t == NULL)

is_restricted = SiIsEnterpriseFunctionsRestrictedOnOpenSource(s->Cedar);

SetGlobalServerFlag(GSF_DISABLE_PUSH_ROUTE, is_restricted);
SetGlobalServerFlag(GSF_DISABLE_RADIUS_AUTH, is_restricted);
SetGlobalServerFlag(GSF_DISABLE_CERT_AUTH, is_restricted);
SetGlobalServerFlag(GSF_DISABLE_DEEP_LOGGING, is_restricted);
SetGlobalServerFlag(GSF_DISABLE_AC, is_restricted);
SetGlobalServerFlag(GSF_DISABLE_SYSLOG, is_restricted);

The above code means the key here is the function "SiIsEnterpriseFunctionsRestrictedOnOpenSource", which is used to identify that whether or not to restrict advanced features.

Go up to the definition of above function, I have found the following comment.

// Check whether some enterprise functions are restricted
// ** Hints by Daiyuu Nobori, written on March 19, 2014 **
// The following 'enterprise functions' are implemented on SoftEther VPN Server
// since March 19, 2014. However, these functions are disabled on
// SoftEther VPN Servers which run in Japan and China.
// - RADIUS / NT Domain user authentication
// - RSA certificate authentication
// - Deep-inspect packet logging
// - Source IP address control list
// - syslog transfer
// The SoftEther VPN Project intentionally disables these functions for users
// in Japan and China. The reason is: Daiyuu Nobori, the chief author of
// SoftEther VPN, has been liable to observe the existing agreements and
// restrictions between him and some companies. The agreements have regulated
// the region-limited restriction to implement and distribute the above
// enterprise functions on the SoftEther VPN open-source program.
// Therefore, the SoftEther VPN Project distributes the binary program and
// the source code with the "SiIsEnterpriseFunctionsRestrictedOnOpenSource"
// function. This function identifies whether the SoftEther VPN Server
// program is running in either Japan or China. If the restricted region is
// detected, then the above enterprise functions will be disabled.
// Please note that the above restriction has been imposed only on the
// original binaries and source codes from the SoftEther VPN Project.
// Anyone, except Daiyuu Nobori, who understands and writes the C language
// program can remove this restriction at his own risk.

Wow, you are a great man with a kind hints, Daiyuu Nobori. We can disable the restrictions with our own risks.

All other steps are now based on you. If you plan to use SoftEtherVPN Server outside of Japan and China, just download the compiled version from its website. Otherwise, go on to disable the above function with your own knowledge on C programming language.

Have a nice day!