Koozali.org: home of the SME Server

SME SoftEther L2TP VPN revisited

Offline Mophilly

SME SoftEther L2TP VPN revisited
« on: September 17, 2017, 10:12:40 PM »
I have been having troubles connecting via PPTP from a Mac laptop from remote locations. Not a big surprise, really, and typical of the PPTP experience: some can connect and some (me) cannot.

I read through the threads regarding SoftEther and it seems like a good solution. Before I jump I thought a note to the community might be wise.

I have reviewed these links:
  https://forums.contribs.org/index.php?topic=52134.msg266881#msg266881
  https://wiki.contribs.org/SoftEther_VPN (thanks to RequestedDeletion for the recent updates!)

Any words of wisdom and/or tips are most welcome.
- Mark

Offline ReetP

Re: SME SoftEther L2TP VPN revisited
« Reply #1 on: September 17, 2017, 10:42:52 PM »
PPTP has been dropped in iPhones and presumably will go from Macs anytime (good job too).

IPsec/L2TPD is an alternative, fairly easy to set up & lightweight if you want an alternative.

Contrib is available & works but probably could do with more testing/refinement.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

Re: SME SoftEther L2TP VPN revisited
« Reply #2 on: September 18, 2017, 08:21:13 PM »
The issue with SoftEther is you will lose access to your HTTPS port, as it is used by SoftEther.

Offline Stefano

Re: SME SoftEther L2TP VPN revisited
« Reply #3 on: September 19, 2017, 01:33:23 AM »
AFAIK you can configure it

Offline TerryF

Re: SME SoftEther L2TP VPN revisited
« Reply #4 on: September 19, 2017, 04:30:57 AM »
Yes, it can be configured; see attached image.
--
qui scribit bis legit
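
The port clash raised in replies #2 to #4 can be confirmed from the listening-socket table. The following check is an added example, not part of the original thread; it assumes the SoftEther daemon appears as `vpnserver` and the web server as `httpd`, and both `ss -ltnp` samples are constructed.

```shell
#!/bin/sh
# Constructed `ss -ltnp` output. Process names are assumptions for this example.
# BEFORE: SoftEther still owns 443. AFTER: its 443 listener has been removed
# (vpncmd offers ListenerList / ListenerDelete for this) and httpd has it back.
SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:* users:(("sshd",1201,3))
LISTEN 0 128 :::443 :::* users:(("vpnserver",2310,12))
LISTEN 0 128 :::992 :::* users:(("vpnserver",2310,14))
LISTEN 0 128 :::5555 :::* users:(("vpnserver",2310,16))'

SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:* users:(("sshd",1201,3))
LISTEN 0 128 :::443 :::* users:(("httpd",3120,4))
LISTEN 0 128 [::]:5555 [::]:* users:(("vpnserver",pid=2310,fd=16))'

# Print the process names listening on TCP port $1, reading ss text on stdin.
# Handles both old (:::443) and new ([::]:443) address styles.
listeners_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")          # port is the text after the last colon
            if (a[n] != port) next
            name = "unknown"               # no users:() column when not root
            if (match($0, /users:\(\("[^"]+"/))
                name = substr($0, RSTART + 9, RLENGTH - 10)
            print name
        }' | sort -u
}

# Classify who holds the HTTPS port, reading ss text on stdin.
https_port_status() {
    owners=$(listeners_on_port 443)
    case "$owners" in
        *vpnserver*) echo "softether-holds-443" ;;
        *httpd*)     echo "httpd-holds-443" ;;
        "")          echo "nothing-on-443" ;;
        *)           echo "other:$owners" ;;
    esac
}

printf '%s\n' "$SAMPLE_BEFORE" | https_port_status
printf '%s\n' "$SAMPLE_AFTER"  | https_port_status
```

On a live server, run `ss -ltnp | https_port_status` as root; without root the process column is missing and the owner is reported as unknown.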

guest22

Re: SME SoftEther L2TP VPN revisited
« Reply #5 on: September 19, 2017, 10:08:55 AM »
I believe SoftEther VPN is a very versatile solution that provides VPN access to multi platforms and multi technologies. I had no issues with native VPN clients on Android, iOS, Windows and Mac. All work straight out of the box.


The CLI (vpncmd) of SoftEther provides the admin the tools to access SoftEther from scripts etc.


Other pros would be the extensive documentation and very steady release cycle.


My 2C

Offline Mophilly

Re: SME SoftEther L2TP VPN revisited
« Reply #6 on: September 19, 2017, 06:35:52 PM »
Thank you for the feedback.

L2TP/IPsec was my first thought. However, when I look at the contrib, https://wiki.contribs.org/Smeserver-libreswan-xl2tpd, it bears a warning that gave me pause.

SoftEther, while far more complex, appears to be well supported and feature rich.

In general, I prefer to use the built-in features, so enabling L2TP/IPsec would be preferred. However, the features of SoftEther are enticing.

As an aside, the pressure I face today is that I am far away from the server, and need to implement a solution to allow use of the VPN for internal services, like user-manager and other things. Anything attempted needs to be easily reversed or adjusted via an ssh connection.
- Mark

Offline ReetP

Re: SME SoftEther L2TP VPN revisited
« Reply #7 on: September 19, 2017, 07:12:49 PM »
I've been using L2TPD on production boxes for a while and not had any issues.

The warning is because it hasn't gone through the contribs process (and neither has SoftEther) and I have not had feedback on it. I wish I had. It is much easier and simpler to install, if less powerful than SoftEther.

I should have gotten it in to the contribs repo but time is against me. It would be a good replacement for PPTP.

The only thing it needs is better eyes/skills than mine on refining templates and adding further configuration (automatically calculating/allowing more IP addresses in a subnet or some networking to run L2TPD connections in their own subnet etc). None of that is rocket science for someone better than me. The core code & templates work. I just feel it just needs some refinements that I haven't the time or competence to do right now.

I'd be happy to do some more on it if people helped test. Difficult to test scenarios when there is one of you!

In other words don't be put off from trying. I'll remove the warning if it makes you feel happier :-)


Offline ReetP

Re: SME SoftEther L2TP VPN revisited
« Reply #8 on: September 19, 2017, 07:15:06 PM »
PS... no Windoze configuration client required ;-)

guest22

Re: SME SoftEther L2TP VPN revisited
« Reply #9 on: September 20, 2017, 06:14:31 AM »
Quote
As an aside, the pressure I face today is that I am far away from the server, and need to implement a solution to allow use of the VPN for internal services, like user-manager and other things. Anything attempted needs to be easily reversed or adjusted via an ssh connection.


That should not be a problem. As per the wiki, SoftEther can be turned 'on' or 'off' just like any other SME Server service. SSH service remains as it is. SoftEther on your far away box can be managed remotely (see wiki on which ports) with VPN Manager GUI (see wiki screenshots) on your local Win/Mac/Linux box(es).

Offline Stefano

Re: SME SoftEther L2TP VPN revisited
« Reply #10 on: September 20, 2017, 10:20:07 AM »
I tried John's contrib and it works flawlessly.. amazing.. and connecting via mobile devices (Android) is easy as a,b,c..

I suggest you try it and help John to improve it.. it might be a drop-in replacement for the pptpd VPN module in SME (quite easily, I'd say)

Offline ReetP

Re: SME SoftEther L2TP VPN revisited
« Reply #11 on: September 20, 2017, 04:46:56 PM »
And thanks to Stefano's help we have updated the wiki with a few notes.

More importantly, I now have it working with the built-in SME authentication, so you can Enable or Disable VPN access for a user via the server-manager the same as you did for the old PPTP.

I feel quite smug actually ;-)

I will test a bit more and update the wiki with this shortly.

Offline Mophilly

Re: SME SoftEther L2TP VPN revisited
« Reply #12 on: September 20, 2017, 09:46:08 PM »
Re: SoftEther. Can it be used in the standard distro?

Re: L2TP. I am tempted to try it. However, even with the recent additions and updates, the wiki page still needs a bit of re-organization. I can help with that, if you like.
- Mark

Offline ReetP

Re: SME SoftEther L2TP VPN revisited
« Reply #13 on: September 20, 2017, 10:03:01 PM »
Quote
Re: SoftEther. Can it be used in the standard distro?

It isn't a contrib if that is what you mean. However it is used by a lot of people.

Quote
Re: L2TP. I am tempted to try it. However, even with the recent additions and updates, the wiki page still needs a bit of re-organization. I can help with that, if you like.

Yes it probably does.... sorry :-) I did some more work on it today but it still probably needs more refinement.

All help gratefully received.

I am going to try and import it into CVS/contribs in the next day or two - my first attempt (AAARGGGHHHH....) We can then use Bugzilla to track issues. I am more than happy to work on it as although it is not as comprehensive as SoftEther, it could be a drop-in replacement for PPTP and a simple solution for many.

FYI current 0.2-4 should enable you to enable/disable VPN Client access via the server manager.

Ask away.... if you want please open a new thread in v9 contribs to discuss

B. Rgds
John

Offline Mophilly

Re: SME SoftEther L2TP VPN revisited
« Reply #14 on: September 21, 2017, 07:20:40 PM »
I would be most grateful for any advice on removing the SoftEther contrib. It is a bit more configuration than we can handle today. We want to try the L2TP contrib, and I want to clean up the server. We plan to continue to learn how to use SoftEther.

I think this is needed to back out SoftEther:
1. remove the template fragment in /etc/rc.d/rc7.d/S79vpnserver
2. remove vpnserver from the opt directory
3. remove port forward rules
4. signal update and reboot
« Last Edit: September 21, 2017, 07:22:49 PM by Mophilly »
- Mark