Wednesday, July 9, 2014

Use Certificate-based Authentication with the Open Source Version of SoftEtherVPN

First of all, for those who do not know what SoftEtherVPN is: it is "An Open-Source Free Cross-platform Multi-protocol VPN Program" released by the University of Tsukuba, Japan. The servers and clients work on multiple platforms such as Linux, Mac OS X, FreeBSD and Windows, and you can also use the OS's native VPN clients such as Windows' PPTP, OpenVPN, IPSec, and so on.

One of the very useful features of SoftEtherVPN Server is that it allows clients to be authenticated using certificates or Active Directory. However, such features are disabled in the open-source version of SoftEtherVPN Server.

In practice, while using SoftEtherVPN at several sites, I have found that I can use certificate-based authentication at some sites and cannot at others, with the same binary version of SoftEtherVPN Server downloaded from its website. Therefore, I decided to investigate its source code.

After a while, I found the following function, which disables the advanced features.

// Update the global server flags
void UpdateGlobalServerFlags(SERVER *s, CAPSLIST *t)
{
    bool is_restricted = false;
    // Validate arguments
    if (s == NULL || t == NULL)
    {
        return;
    }

    is_restricted = SiIsEnterpriseFunctionsRestrictedOnOpenSource(s->Cedar);

    SetGlobalServerFlag(GSF_DISABLE_PUSH_ROUTE, is_restricted);
    SetGlobalServerFlag(GSF_DISABLE_RADIUS_AUTH, is_restricted);
    SetGlobalServerFlag(GSF_DISABLE_CERT_AUTH, is_restricted);
    SetGlobalServerFlag(GSF_DISABLE_DEEP_LOGGING, is_restricted);
    SetGlobalServerFlag(GSF_DISABLE_AC, is_restricted);
    SetGlobalServerFlag(GSF_DISABLE_SYSLOG, is_restricted);
}


In the above code, the key is the function "SiIsEnterpriseFunctionsRestrictedOnOpenSource", which determines whether or not to restrict the advanced features.

Going up to the definition of that function, I found the following comment.

// Check whether some enterprise functions are restricted
//
// ** Hints by Daiyuu Nobori, written on March 19, 2014 **
//
// The following 'enterprise functions' are implemented on SoftEther VPN Server
// since March 19, 2014. However, these functions are disabled on
// SoftEther VPN Servers which run in Japan and China.
//
// - RADIUS / NT Domain user authentication
// - RSA certificate authentication
// - Deep-inspect packet logging
// - Source IP address control list
// - syslog transfer
//
// The SoftEther VPN Project intentionally disables these functions for users
// in Japan and China. The reason is: Daiyuu Nobori, the chief author of
// SoftEther VPN, has been liable to observe the existing agreements and
// restrictions between him and some companies. The agreements have regulated
// the region-limited restriction to implement and distribute the above
// enterprise functions on the SoftEther VPN open-source program.
//
// Therefore, the SoftEther VPN Project distributes the binary program and
// the source code with the "SiIsEnterpriseFunctionsRestrictedOnOpenSource"
// function. This function identifies whether the SoftEther VPN Server
// program is running in either Japan or China. If the restricted region is
// detected, then the above enterprise functions will be disabled.
//
// Please note that the above restriction has been imposed only on the
// original binaries and source codes from the SoftEther VPN Project.
// Anyone, except Daiyuu Nobori, who understands and writes the C language
// program can remove this restriction at his own risk.


Wow, you are a great man with kind hints, Daiyuu Nobori. We can disable the restrictions at our own risk.

The remaining steps are up to you. If you plan to use SoftEtherVPN Server outside of Japan and China, just download the compiled version from its website. Otherwise, go on to disable the above function using your own knowledge of the C programming language.

Have a nice day!

15 comments:

Thanh, Vo Minh said...

Hi Cường,

I also tested SoftEther VPN Server on Amazon Web Services (AWS) hosting with Region: Singapore. Indeed, authentication against a RADIUS server and some other features do not work. After commenting out the code sections above and installing, there is no longer an error when entering the RADIUS server parameters and creating users, but users still cannot log in. Have you tested it successfully, Cường?
