SoftEther VPN on AWS

Some of VPN UseCases

1. Restrict certain administrative portals to ‘internal’ network by not exposing to wider public internet for security purposes.
2. Ability to locally access dev and test RDS database provisioned in private subnets i.e without public access (for developers to access DB from local in non-prod environments).
3. Ability to directly access AWS resources provisioned in private subnets in a vpc. (Access kibana endpoint of an ES cluster provisioned in a vpc?)
4. Applications which were intranet in nature to be available on cloud.

Install & Configure VPN Server

1. Pre-requisites
2. Download & Install SoftEther VPN server
3. Run vpnserver as a service
4. Establish connectivity to VPN server
5. Configure VPN server admin password
6. Configure virtual hub
7. Create VPN users
8. Set up L2TP/IPSec on the VPN server
9. Configure vpc resolver and set static routes
10. VPN client to connect to VPN

Let’s see these steps in detail.

Step1: Pre-requisites

1. Provision an EC2 instance to act as a VPN Server.
   [Most application infrastructure setups running on AWS would have an ec2 instance running as the jump server, if the internal traffic is minor to moderate we can utilise the same ec2 instance for setting up the vpn server.]
2. SSH to your AWS EC2 instance make sure the following softwares are installed and enabled:

• gcc, binutils software
• tar, gzip or other software for extracting package files
• chkconfig system utility
• libc (glibc), zlib, openssl, readline, ncurses, pthread libraries

If you’re using an AWS Linux AMI, you should have most of them, the only thing you need to install is gcc.

$ sudo yum install -y gcc

Step2: Download & Install SoftEther vpn server

Download the linux distribution of SoftEther server at the download link to the ec2 instance and install using below steps

• Select Software: Softether VPN(freeware)
• Select Component: Softether VPN Server
• Select Platform: Linux
• Select CPU: Intel x64 / AMD64 (64 bit)

$ wget -O softether-vpnserver.tar.gz <download_link_address_above>
$ tar -zxvf softether-vpnserver.tar.gz
$ cd vpnserver
$ make

Agree to the license agreement and you will get the vpnserver executable when the make command is completed successfully.

Move the location of the whole folder to the /usr/local/ directory

$ cd ..
$ sudo mv vpnserver /usr/local
$ sudo chown -R root:root /usr/local/vpnserver
$ ls -la /usr/local/vpnserver/

Perform a check using the vpncmd command line to see whether SoftEther VPN server can operate properly on your system.

$ cd /usr/local/vpnserver
$ ./vpncmd

vpnserver installation check

Step3: Run vpnserver as a service

Configure below control script at /etc/init.d/ to be able to start, stop, reload & restart vpnserver

$ sudo vi /etc/init.d/vpnserver
#! /bin/bash
#
# vpnserver     softether vpn server
#
# chkconfig: 2345 10 90
# description: Activates/Deactivates VPN Server
#
### BEGIN INIT INFO
# Default-Start:     2 3 4 5
# Should-Start: iptables ip6tables NetworkManager-wait-online NetworkManager $network-pre
# Short-Description: Bring up/down vpnserver
# Description: Bring up/down vpnserver
### END INIT INFO
# Source function library.
#. /etc/init.d/functions
# Check that networking is up.
[ "${VPNSERVER}" = "no" ] && exit 6
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
# if the ip configuration utility isn't around we can't function.
[ -x ${DAEMON} ] || exit 1
CWD=$(pwd)
# See how we were called.
case "$1" in
start)
    [ "$EUID" != "0" ] && exit 4
    rc=0
    if [ -x ${DAEMON} ]; then
      ${DAEMON} start
      touch ${LOCK}
    fi
    ;;
stop)
    [ "$EUID" != "0" ] && exit 4
    rc=0
    if [ -x ${DAEMON} ]; then
      ${DAEMON} stop
      rm ${LOCK}
    fi
    ;;
restart|reload|force-reload)
    cd "$CWD"
    $0 stop
    $0 start
    rc=$?
    ;;
*)
    echo $"Usage: $0 {start|stop|restart|reload}"
    exit 2
esac
exit $rc

Configure vpnserver as a service to startup on server reboot and run the vpn server.

$ sudo chmod +x /etc/init.d/vpnserver
$ sudo chkconfig vpnserver on
$ sudo service vpnserver start

Step4: Establish connectivity to vpn server

vpn client communicates with vpn server on ports 4500 , 500 using udp protocol. For the vpn server administration we can connect on ports 22 or 443 using tcp protocol. Hence we need to add below inbound rules to the security group associated with the ec2 instance.

Security Group Inbound Rules

Step5: Configure vpn server admin password (Command Line — vpncmd)

1. Goto vpnserver directorycd /usr/local/vpnserver, type ./vpncmd
2. Choose option 1Management of VPN Server or VPN Bridge and hit Enter
3. For the hostname IP, input the IP address of the EC2 server instance followed by a colon and port 443. You can find the IP of your server instance on the EC2 dashboard. The input should look like this: 123.123.123.123:443
4. In the next step, leave the input blank and hit Enter to connect from the Server Admin node.
5. The prompt should now read “VPN Server>”. Enter ServerPasswordSet and hit Enter
6. Enter a password of your choice and type it again to confirm. Keep a note of the password.

Step6: Set up L2TP/IPSec on the VPN server

1. While at “VPN Server>” prompt, enter IPsecEnable
2. (Optional) In case you already exited the “VPN Server>” prompt, follow Step5:1–4. This time you will be prompted for the server admin password set in Step5
3. Next you are given a series of configuration prompts. Choose as per below

Enable L2TP over IPsec Server Function (yes / no): yes 
(To enable the VPN for use on multiple devices including Windows PC, Mac OSX, iOS, and Android)
Enable Raw L2TP Server Function (yes / no): no 
(do not allow connections without encryption)
Enable EtherIP / L2TPv3 over IPsec Server Function (yes / no): yes
(allow routers with this built-in function to connect)

4. Next comes the pre-shared key. This is a password with a maximum of nine characters. Enter whatever you like and make a note of it.

5. For “Default Virtual HUB in a case of omitting the HUB on the Username:”, simply enterSITVPN (The name of the virtual hub)

Step7: Configure virtual hub (Command Line — vpncmd)

1. While at the “VPN Server>” prompt, type HubCreate SITVPN and enter a new password that you will use to log in when you are not in Server Admin mode. Keep a note of the password.
2. (Optional) In case you already exited the “VPN Server>” prompt, follow Step5:1–4. This time you will be prompted for the server admin password set in Step5
3. Type Hub SITVPN and hit Enter. The prompt should read “VPN Server/SITVPN>”
4. Type SecureNatEnable

We use Secure NAT as the means to connect hubs to the server network. Another option is Local Bridge connection, but it’s more complicated and requires setting up a DHCP server. Secure NAT takes care of the DHCP server.

Step8: Create vpn users (Command Line — vpncmd)

1. Goto vpnserver directorycd /usr/local/vpnserver, type ./vpncmd
2. Choose option 1Management of VPN Server or VPN Bridge and hit Enter
3. For the hostname IP, input the IP address of the EC2 server instance followed by a colon and port 443. You can find the IP of your server instance on the EC2 dashboard. The input should look like this: 123.123.123.123:443
4. In the next step, enter the virtual hub name Specify Virtual Hub Name: SITVPN and hit Enter to connect to the server by Virtual Hub Admin Mode.
5. The prompt should now read “VPN Server/SITVPN>”. Type UserCreate sitvpnuser, replacing “sitvpnuser” with a username of your choice.
6. You will be asked to enter a Group Name, Full Name, and Description for the new user. Leave the Group Name blank, and use whatever you want for the other two.
7. Type UserPasswordSet sitvpnuser, replacing sitvpnuser with the username you just created. Enter and confirm a password for that user.
8. Repeat steps 1–3 for as many users as you wish.

Step9: Configure Virtual DHCP Server Settings

The Virtual DHCP Server will be enabled when you enabled the SecureNAT in Step6.4. A couple of additional settings are needed

1. Stop the vpn server service and edit the vpn_server.config file to set the DhcpDnsServerAddress to the DNS address of the VPC (x.x.0.2) in the VirtualDhcpServer configuration block under the virtual hub.
2. Reload the config and start vpn serverservice vpnserver start

Before:
declare VirtualDhcpServer
{
  string DhcpDnsServerAddress 192.168.30.1
  ...
  string DhcpPushRoutes $
}
After:
declare VirtualDhcpServer
{
  string DhcpDnsServerAddress 10.192.0.2
  ...
  string DhcpPushRoutes 10.192.0.0/255.255.255.0/192.168.30.1
}

1. Stop the vpn server service and edit the vpn_server.config file to add routes for each subnet of the vpc in which the resources will be accessed in the VirtualDhcpServer configuration block under the virtual hub. Set the DhcpPushRoutes as below
2. Reload the config and start vpn serverservice vpnserver start

declare VirtualDhcpServer
{
  string DhcpDnsServerAddress 10.192.0.2
  ...
  string DhcpPushRoutes 10.192.0.0/255.255.255.0/192.168.30.1, <public_subnet_1>/255.255.255.0/192.168.30.1, <public_subnet_2>/255.255.255.0/192.168.30.1,<private_subnet_1>/255.255.255.0/192.168.30.1,<private_subnet_2>/255.255.255.0/192.168.30.1
}

Step10: VPN client to connect to vpn

We can use any open vpn client to connect to your vpn. SoftEther has its own client which can be downloaded from <link>

If you are a MacOS user, it has a built-in support to IPsec/L2TP VPN so you do not have to install a client.

1. Open System Preferences -> Network
2. Click “+” to create a new service
3. Select interface VPN , and VPN type L2TP over IPSec and give any name for the Service Name and click Create

Server Address: <Set it to the public IP of the ec2 instance>
Account Name:   <Set it to the VPN User>
In Authentication Settings, set
Password:       <Set it to password of the VPN User>
Shared Secret:  <Set it to the pre-shared key>

Finally, Apply & Connect to the vpn!

Whats Next?

Automate this whole process into an AMI, Cost Comparision

References:

http://blog.wumuxian1988.com/2016/10/26/softether-vpn/

https://www.comparitech.com/blog/vpn-privacy/how-to-set-up-your-own-free-vpn-with-softether-and-amazon-web-services/