Installing SoftEther VPN 4 on CentOS 6.5 Minimal x86_64 - rharmonson/richtech GitHub Wiki
Updated Guide
Please use the updated article / guide found at the URL below for CentOS 7.2.1511 and SoftEther 4.2.
The purpose of SoftEther Project is to distribute SoftEther VPN, to conduct development of SoftEther VPN continuously, to promote academic researches around SoftEther VPN, and to support users of SoftEther VPN on the forum. The project is at University of Tsukuba, Japan, and constituted by student-members of the University.
The current version of SoftEther VPN was Daiyuu Nobori's personal research work for obtaining Master Degree at University of Tsukuba. After the initial development has been completed he decided to release the work as freeware at this softether.org web site on March 8, 2013.
Source: https://www.softether.org/9-about
##CentOS 6.5 Minimal x86_64
Complete a base operating system build to your preference, or follow my guide found here:
https://github.com/rharmonson/richtech/wiki/CentOS-6.5-Minimal-x86_64-Base-Installation-Guide
##Install Requirements
The following software and libraries are required to install VPN Server to a Linux operating system. Check that the following software and libraries are installed to the system and are enabled. (If the recommended environment distribution is installed using the method specified in 7.3.1, these libraries are also installed.)
- gcc software
- binutils software
- tar, gzip or other software for extracting package files
- chkconfig system utility
- cat, cp or other basic file operation utility
- EUC-JP, UTF-8 or other code page table for use in a Japanese language environment
- libc (glibc) library
- zlib library
- openssl library
- readline library
- ncurses library
- pthread library
To meet the requirements, you can complete a group installation.
# yum -y groupinstall "Development Tools"
Alternatively, install only what is needed, which is advisable for a perimeter device and/or security mechanism. Filtering out packages already installed by the CentOS 6.5 Minimal distribution, and omitting packages that are pulled in as dependencies (e.g. glibc, which is a dependency of gcc), results in the following:
# yum install gcc zlib-devel openssl-devel readline-devel ncurses-devel
Note: libpcap is cited in a number of third-party build examples. I successfully built without it.
Results with:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: repos.lax.quadranet.com
* extras: centos.mirror.facebook.net
* updates: mirrordenver.fdcservers.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package gcc.x86_64 0:4.4.7-4.el6 will be installed
--> Processing Dependency: libgomp = 4.4.7-4.el6 for package: gcc-4.4.7-4.el6.x86_64
--> Processing Dependency: cpp = 4.4.7-4.el6 for package: gcc-4.4.7-4.el6.x86_64
--> Processing Dependency: glibc-devel >= 2.2.90-12 for package: gcc-4.4.7-4.el6.x86_64
--> Processing Dependency: cloog-ppl >= 0.15 for package: gcc-4.4.7-4.el6.x86_64
--> Processing Dependency: libgomp.so.1()(64bit) for package: gcc-4.4.7-4.el6.x86_64
---> Package ncurses-devel.x86_64 0:5.7-3.20090208.el6 will be installed
---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.14 will be installed
--> Processing Dependency: krb5-devel for package: openssl-devel-1.0.1e-16.el6_5.14.x86_64
---> Package readline-devel.x86_64 0:6.0-4.el6 will be installed
---> Package zlib-devel.x86_64 0:1.2.3-29.el6 will be installed
--> Running transaction check
---> Package cloog-ppl.x86_64 0:0.15.7-1.2.el6 will be installed
--> Processing Dependency: libppl_c.so.2()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64
--> Processing Dependency: libppl.so.7()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64
---> Package cpp.x86_64 0:4.4.7-4.el6 will be installed
--> Processing Dependency: libmpfr.so.1()(64bit) for package: cpp-4.4.7-4.el6.x86_64
---> Package glibc-devel.x86_64 0:2.12-1.132.el6_5.2 will be installed
--> Processing Dependency: glibc-headers = 2.12-1.132.el6_5.2 for package: glibc-devel-2.12-1.132.el6_5.2.x86_64
--> Processing Dependency: glibc-headers for package: glibc-devel-2.12-1.132.el6_5.2.x86_64
---> Package krb5-devel.x86_64 0:1.10.3-15.el6_5.1 will be installed
--> Processing Dependency: libselinux-devel for package: krb5-devel-1.10.3-15.el6_5.1.x86_64
--> Processing Dependency: libcom_err-devel for package: krb5-devel-1.10.3-15.el6_5.1.x86_64
--> Processing Dependency: keyutils-libs-devel for package: krb5-devel-1.10.3-15.el6_5.1.x86_64
---> Package libgomp.x86_64 0:4.4.7-4.el6 will be installed
--> Running transaction check
---> Package glibc-headers.x86_64 0:2.12-1.132.el6_5.2 will be installed
--> Processing Dependency: kernel-headers >= 2.2.1 for package: glibc-headers-2.12-1.132.el6_5.2.x86_64
--> Processing Dependency: kernel-headers for package: glibc-headers-2.12-1.132.el6_5.2.x86_64
---> Package keyutils-libs-devel.x86_64 0:1.4-4.el6 will be installed
---> Package libcom_err-devel.x86_64 0:1.41.12-18.el6 will be installed
---> Package libselinux-devel.x86_64 0:2.0.94-5.3.el6_4.1 will be installed
--> Processing Dependency: libsepol-devel >= 2.0.32-1 for package: libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
--> Processing Dependency: pkgconfig(libsepol) for package: libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
---> Package mpfr.x86_64 0:2.4.1-6.el6 will be installed
---> Package ppl.x86_64 0:0.10.2-11.el6 will be installed
--> Running transaction check
---> Package kernel-headers.x86_64 0:2.6.32-431.20.3.el6 will be installed
---> Package libsepol-devel.x86_64 0:2.0.41-4.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
gcc x86_64 4.4.7-4.el6 base 10 M
ncurses-devel x86_64 5.7-3.20090208.el6 base 642 k
openssl-devel x86_64 1.0.1e-16.el6_5.14 updates 1.2 M
readline-devel x86_64 6.0-4.el6 base 134 k
zlib-devel x86_64 1.2.3-29.el6 base 44 k
Installing for dependencies:
cloog-ppl x86_64 0.15.7-1.2.el6 base 93 k
cpp x86_64 4.4.7-4.el6 base 3.7 M
glibc-devel x86_64 2.12-1.132.el6_5.2 updates 978 k
glibc-headers x86_64 2.12-1.132.el6_5.2 updates 608 k
kernel-headers x86_64 2.6.32-431.20.3.el6 updates 2.9 M
keyutils-libs-devel x86_64 1.4-4.el6 base 28 k
krb5-devel x86_64 1.10.3-15.el6_5.1 updates 495 k
libcom_err-devel x86_64 1.41.12-18.el6 base 32 k
libgomp x86_64 4.4.7-4.el6 base 118 k
libselinux-devel x86_64 2.0.94-5.3.el6_4.1 base 136 k
libsepol-devel x86_64 2.0.41-4.el6 base 64 k
mpfr x86_64 2.4.1-6.el6 base 157 k
ppl x86_64 0.10.2-11.el6 base 1.3 M
Transaction Summary
================================================================================
Install 18 Package(s)
Total download size: 23 M
Installed size: 45 M
Is this ok [y/N]:
##Additional Packages
These are not requirements, but I install them for ease of administration.
# yum install system-config-network-tui system-config-firewall-tui
Results with:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: repos.lax.quadranet.com
* extras: centos.mirror.facebook.net
* updates: mirrordenver.fdcservers.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package system-config-firewall-tui.noarch 0:1.2.27-5.el6 will be installed
---> Package system-config-network-tui.noarch 0:1.6.0.el6.2-1.el6 will be installed
--> Processing Dependency: usermode for package: system-config-network-tui-1.6.0.el6.2-1.el6.noarch
--> Processing Dependency: python-iwlib for package: system-config-network-tui-1.6.0.el6.2-1.el6.noarch
--> Processing Dependency: python-ethtool for package: system-config-network-tui-1.6.0.el6.2-1.el6.noarch
--> Processing Dependency: pciutils for package: system-config-network-tui-1.6.0.el6.2-1.el6.noarch
--> Processing Dependency: dbus-python for package: system-config-network-tui-1.6.0.el6.2-1.el6.noarch
--> Running transaction check
---> Package dbus-python.x86_64 0:0.83.0-6.1.el6 will be installed
---> Package pciutils.x86_64 0:3.1.10-2.el6 will be installed
---> Package python-ethtool.x86_64 0:0.6-5.el6 will be installed
--> Processing Dependency: libnl.so.1()(64bit) for package: python-ethtool-0.6-5.el6.x86_64
---> Package python-iwlib.x86_64 0:0.1-1.2.el6 will be installed
--> Processing Dependency: wireless-tools >= 28-0.pre8.5 for package: python-iwlib-0.1-1.2.el6.x86_64
--> Processing Dependency: libiw.so.29()(64bit) for package: python-iwlib-0.1-1.2.el6.x86_64
---> Package usermode.x86_64 0:1.102-3.el6 will be installed
--> Running transaction check
---> Package libnl.x86_64 0:1.1.4-2.el6 will be installed
---> Package wireless-tools.x86_64 1:29-5.1.1.el6 will be installed
--> Processing Dependency: crda for package: 1:wireless-tools-29-5.1.1.el6.x86_64
--> Running transaction check
---> Package crda.x86_64 0:1.1.1_2010.11.22-1.el6 will be installed
--> Processing Dependency: iw for package: crda-1.1.1_2010.11.22-1.el6.x86_64
--> Running transaction check
---> Package iw.x86_64 0:3.10-1.1.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
system-config-firewall-tui noarch 1.2.27-5.el6 base 37 k
system-config-network-tui noarch 1.6.0.el6.2-1.el6 base 1.2 M
Installing for dependencies:
crda x86_64 1.1.1_2010.11.22-1.el6 base 23 k
dbus-python x86_64 0.83.0-6.1.el6 base 204 k
iw x86_64 3.10-1.1.el6 base 55 k
libnl x86_64 1.1.4-2.el6 base 121 k
pciutils x86_64 3.1.10-2.el6 base 85 k
python-ethtool x86_64 0.6-5.el6 base 31 k
python-iwlib x86_64 0.1-1.2.el6 base 14 k
usermode x86_64 1.102-3.el6 base 187 k
wireless-tools x86_64 1:29-5.1.1.el6 base 94 k
Transaction Summary
================================================================================
Install 11 Package(s)
Total download size: 2.1 M
Installed size: 7.3 M
Is this ok [y/N]:
##Configure SELinux
Reference:
https://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
https://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable-enforcement.html
Initially, we want to change the default from enforcing to permissive.
$ sudo vi /etc/selinux/config
Update the SELINUX value to permissive
SELINUX=permissive
For this session set SELinux to permissive or reboot.
$ sudo setenforce 0
Perhaps with a bit of searching you will find that someone has created a module or that one already exists. If not, see my guide for an example of how to create an SELinux module (needs work).
https://github.com/rharmonson/richtech/wiki/SELinux-&-Building-Security-Modules
##Firewall
As with SELinux, we will want to disable the host firewall until testing is complete. Update iptables:
# service iptables save
# service iptables stop
# chkconfig iptables off
or use the system-config-firewall-tui to disable.
# system-config-firewall-tui
##Download SoftEther
Selecting "download" from https://www.softether.org/ will display a web page to select the component and architecture. Copy or type the link location as follows to download using curl or wget. Note that wget is not installed by default, so run yum install wget.
# cd ~
# wget http://www.softether-download.com/files/softether/v4.10-9473-beta-2014.07.12-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.10-9473-beta-2014.07.12-linux-x64-64bit.tar.gz
Results with:
--2014-07-20 12:51:44-- http://www.softether-download.com/files/softether/v4.10-9473-beta-2014.07.12-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.10-9473-beta-2014.07.12-linux-x64-64bit.tar.gz
Resolving www.softether-download.com... 27.121.46.57
Connecting to www.softether-download.com|27.121.46.57|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5638726 (5.4M) [application/x-gzip]
Saving to: “softether-vpnserver-v4.10-9473-beta-2014.07.12-linux-x64-64bit.tar.gz”
100%[======================================>] 5,638,726 1.53M/s in 3.5s
2014-07-20 12:51:51 (1.53 MB/s) - “softether-vpnserver-v4.10-9473-beta-2014.07.12-linux-x64-64bit.tar.gz” saved [5638726/5638726]
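The download above uses plain HTTP, and the archive is then unpacked as root into /usr/local, so it is worth checking the file first. The following is an added example, not part of the original guide or the SoftEther project: it compares the tarball's SHA-256 with a digest obtained out of band and rejects archives with members outside the expected top directory. The function names, and `vpnserver` as the expected top-level directory, are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify a downloaded tarball before extracting it as root.
# The expected digest must come from a source other than the HTTP download itself.

# check_digest FILE EXPECTED_SHA256 -> 0 only if the file's SHA-256 matches
check_digest() {
    actual=$(sha256sum "$1" | awk '{print $1}') || return 2
    [ "$actual" = "$2" ]
}

# check_members FILE TOPDIR -> 0 only if every member is TOPDIR or below it,
# with no absolute paths and no ".." components; an empty listing also fails
check_members() {
    tar -tzf "$1" | awk -v top="$2" '
        /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 }
        $0 != top && $0 != (top "/") && index($0, top "/") != 1 { bad = 1 }
        END { exit (bad || NR == 0) }'
}

# verified_extract FILE EXPECTED_SHA256 TOPDIR DEST
# Extracts only after both checks pass; ownership and modes stored in the
# archive are not restored, so the current user and umask apply instead.
verified_extract() {
    check_digest "$1" "$2"  || { echo "digest mismatch: $1" >&2; return 1; }
    check_members "$1" "$3" || { echo "unexpected member path in $1" >&2; return 1; }
    tar -xzf "$1" -C "$4" --no-same-owner --no-same-permissions
}

# Usage: sh verify.sh <package> <expected-sha256> vpnserver /usr/local
if [ "$#" -eq 4 ]; then verified_extract "$@"; fi
```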
##Unpack SoftEther
tar xzvf <package> -C /usr/local/
For some ungodly reason, the permissions are set to 777 for all files and directories. It is unclear whether 744 is appropriate--I have not put much thought into it--but it is an improvement over 777.
chmod -R 744 /usr/local/vpnserver
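A blanket chmod -R 744 leaves every file world-readable and sets the owner execute bit on every file, and because it runs before make it does not cover files the build creates. The following is an added example of a tighter scheme, not part of the original guide or the SoftEther project, intended to be run after the build; the function names and the 700/600 modes are assumptions of this example.

```shell
#!/bin/sh
# Added example: tighten the unpacked tree instead of a blanket chmod -R 744.
# Run it after "make" so that files created by the build are covered too.

# exposed_paths DIR -> prints every path that grants any group/other permission bit
exposed_paths() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# tighten_tree DIR [PROGRAM...]
# Directories become 700, regular files 600, and only the named programs
# (paths relative to DIR) get 700 so they stay executable for the owner.
tighten_tree() {
    dir=$1; shift
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
    for exe in "$@"; do
        if [ -f "$dir/$exe" ]; then chmod 700 "$dir/$exe"; fi
    done
}

# Usage: sh tighten.sh /usr/local/vpnserver vpnserver vpncmd
# Prints nothing when no path is left accessible to group or others.
if [ "$#" -ge 1 ]; then tighten_tree "$@" && exposed_paths "$1"; fi
```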
##Compile SoftEther
Time to compile or make SoftEther.
# cd /usr/local/vpnserver
# make
Observe the output and hopefully you will not have errors. If you do, review the instructions above and research as necessary.
##Start SoftEther
Verify operations before continuing by starting SoftEther from the command line. Did it work? If not, review and research.
# cd /usr/local/vpnserver
# ./vpnserver start
Use ctrl-c to close vpnserver.
##Create Init Script
Create an init script to auto-start/stop SoftEther and to manage it via the chkconfig and service commands.
# vi /etc/init.d/vpnserver
Copy and paste the following:
#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
# Exit quietly if the daemon binary is missing or not executable
test -x "$DAEMON" || exit 0
case "$1" in
    start)
        "$DAEMON" start
        touch "$LOCK"
        ;;
    stop)
        "$DAEMON" stop
        # -f: do not fail if the lock file is already gone
        rm -f "$LOCK"
        ;;
    restart)
        "$DAEMON" stop
        sleep 3
        "$DAEMON" start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit 0
##Enable init script & Start SoftEther
# chkconfig vpnserver on
Verify it is set for appropriate runlevels.
# chkconfig --list | grep vpnserver
Reboot or execute below to start SoftEther
# service vpnserver start
##Configure SoftEther
The next step is to use the vpncmd command line or the SoftEther VPN Server Manager for Windows to configure SoftEther. There are some very good documents on the softether.org web site. Using the URL below, determine your topology and configure.
https://www.softether.org/4-docs/2-howto
I would advise looking at Remote Access to LAN for most folks.
https://www.softether.org/4-docs/2-howto/1.VPN_for_On-premise/2.Remote_Access_VPN_to_LAN
##Other Considerations
How many interfaces to use? My personal preference is to use two physical or logical interfaces. The separation will not only improve security--done correctly, it makes for much easier administration. The only real challenge is understanding routing and routing tables.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-static-routes.html
https://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-networkscripts-static-routes.html
http://wingloon.com/2013/09/13/how-to-add-persistent-or-static-routes-to-centos-5-9-and-6-4/
Use system-config-network-tui to configure interfaces or edit the network configuration files directly.
Did you enable the firewall? Don't forget chkconfig iptables on, or use system-config-firewall-tui to enable the firewall and to open the appropriate ports.
Disable root ssh access utilizing sudo.
https://github.com/rharmonson/richtech/wiki/sudo-on-CentOS-6.5
Create a SELinux module?
https://github.com/rharmonson/richtech/wiki/SELinux-&-Building-Security-Modules