We are managing users in RADIUS, but we need a wildcard entry here to not block everybody.SoftEther Configuration Virtual Hub Creating a Virtual Hub On the Hyper-V host, go to the gateway VM settings and click “Enable MAC address spoofing” in the “Advanced Features” of the VM’s internal NIC. Copy your CA’s root certificate to the directory C:\Program Files\SoftEther VPN Server\chain_certs.Switch the encryption algorithm name to ECDHE-RSA-AES256-GCM-SHA384.Disable “Use Keep Alive Internet Connection”.Specify the location of the certificate’s KEY file.Click “Import” and specify the location of the CER file.Click “Encryption and Network Settings”.Choose the format “Base-64 encoded X.509 (CER)”. Locate your certificate, right-click and select All Tasks – Export. To convert, double-click the P7B file to open it in the certificates MMC. You get a P7B file, but SoftEther expects a CER.Important: if you want to incorporate multiple server namens in the certificate, specify them in the additional attributes field as follows: san:dns=&dns=.OpenSSL is part of any Splunk installation, for example (even on Windows).Ĭreate a private key: openssl genrsa -des3 -out c:\temp\vpn\vpn.key 4096Ĭreate a certificate request with the private key: openssl req -new -key c:\temp\vpn\vpn.key -out c:\temp\vpn\vpn.csr Run the following openssl commands on any Windows or Linux machine that has OpenSSL installed. On the CA, configure a certificate template to not include revocation information in issued certificates.Set the following registry values on your VPN clients: HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters\NoCertRevocationCheck=1.The Windows SSTP client refuses to connect when it cannot contact the CRL specified in a server certificate. As a consequence, the CA’s certificate revocation list (CRL) is not accessible from the internet either. We are using an internal certificate authority that is not accessible from the internet. I used a TLS certificate from our internal Active Directory root CA. The bad thing is that we need to deal with certificates. The good thing about that is that most firewalls and hotel networks should let it through. Authentication should be performed against a RADIUS server (we use Duo Authentication Proxy).The VPN should be bridged to the local network so that VPN clients get IP addresses from the internal network’s DHCP server.Installing additional client software should not be necessary. It should be possible to connect to the VPN with the clients that come with each operating system.
One is connected to the internal network, the other to the internet. Multiple Hyper-V hosts with VMs on an internal network.It shows how to set up a VPN for macOS and Windows clients on a Hyper-V Windows guest VM. This post describes a real-world configuration of the free VPN server SoftEther.
0 kommentar(er)
