
NAS + SoftetherVPN = Universal VPN Server

I don't think I am mistaken in assuming that, from time to time, every user needs to reach some resource (an IP camera, a network drive, a computer, a refrigerator, and so on) inside the home or office network from the Internet. Such access should be:
A) universal, i.e. work from any computer or gadget;
B) protected against unauthorized access by unwanted persons.

There are many options, but some are out of reach for users without the necessary skills, some fail one of the two requirements, some are too expensive... In short, the list of "buts" is long.

The technology best suited to the task was, is and for a long time will be a VPN. But a VPN raises many questions of its own: cryptographic strength, resistance to break-in attempts, multi-platform clients, whether you know enough to install and configure the server, and so on.

Recently I was introduced to a truly magical piece of software called SoftEther VPN. What is so magical about it? Here is part of what it can do:
• Many virtual hubs, i.e. one VPN server can host more than one virtual VPN server, each with its own rules and access rights;
• Remote-Access (client-to-LAN) and Site-to-Site (joining two or more LANs into one) tunnels;
• Support for L2TP over IPsec, IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP (bridge) and its own SSL-VPN protocol;
• VPN over ICMP or over DNS (only with its own protocol), which lets it get through even the most "stubborn" firewalls;
• Detailed logging;
• A built-in firewall for each virtual hub separately;
• IPv6 support in L3 mode (and in L2 mode too, of course);
• Traffic shaping by user group or by individual user;
• SecureNAT (a user-space NAT and DHCP server), convenient on non-server Windows;
• VLAN support;
• QoS support with automatic prioritization;
• And something few VPN servers can do: Dynamic DNS and NAT Traversal via a free relay.

The last point will be of particular interest to many home-network users. Suppose you are lucky with your provider, which gives you a "white" (routable, i.e. reachable from anywhere on the Internet) IP address for free, but a dynamic one rather than a fixed one. In that case you can use any VPN server, but you need to know which IP address the provider has given you at the moment. This is not a problem; it is solved with a Dynamic DNS service. But most such services are paid these days. And how nice the word "freebie" sounds! SoftEther VPN has its own Dynamic DNS service, and it is completely free.

The second case is that you are not lucky with your provider: for some reason it cannot give you a "white" IP address, even a dynamic one, or you are simply too stingy to pay for one. In that case you cannot reach your home network by any simple, ordinary means. SoftEther VPN solves this with its NAT Traversal function via a free relay, i.e. you reach your VPN server through an intermediary server. This, of course, violates the security requirements to some extent, but the provider could just as well intercept your traffic and try to open it up. It all depends on your level of paranoia ;) You can use longer (higher-bit) keys, which reduces the likelihood of the traffic being "opened" to practically zero, but at the same time raises the load on the server and client processors and may, as a result, lower the speed in the tunnel. That is for the user to decide.

Well, now back to what I actually wanted to write about. D-Link makes some wonderful NAS devices: the DNS-320L, DNS-325, DNS-327L, DNS-345 and DNS-340L. Of course there are many "well-wishers" who say that "D-Link" and "wonderful" do not go together. I will not enter into such discussions, because they always end the same way: everyone keeps his own opinion. I will only say that the ideal simply does not exist; each has its own advantages and disadvantages. The main thing, from my personal experience, is that D-Link NAS devices are fully worth their cost, unlike the NAS devices of some other manufacturers whose price is unreasonably high.

So, we have a D-Link NAS, one of the models above. Go to the Add-On site and download SoftEther VPN for your model: http://dlink.vtverdohleb.org.ua/Add-On/#SoftetherVPN .

Next, install the Add-On on your NAS and run it.

SoftEther VPN has a web interface, but it is not very functional; it is only good for viewing statistics. The server is best configured with "SoftEther VPN Server Manager for Windows".

Download it here: http://www.softether-download.com/

The server can also be configured with the vpncmd utility included in the Add-On package, but this requires at least basic Linux knowledge and installing the utelnetd or sshd Add-On. I recommend reading about configuration through vpncmd here: http://habrahabr.ru/post/211136/

The "SoftEther VPN Server Manager for Windows" interface is well described here: http://habrahabr.ru/post/208782/

If you intend to use the L2TP over IPsec protocol, you need to add a user and enter a pre-shared key for IPsec. Click the "IPsec / L2TP Settings" button, turn on "Enable L2TP ..." and enter the Pre-Shared Key. Then go to the "Manage Virtual Hub" section and click "Manage Users".

Create a user, enter the password, set "Auth Type" to "Password Authentication" and click OK. Then go to "Virtual NAT and Virtual DHCP Server (SecureNAT)", click "SecureNAT Configuration", tick the "Use Virtual NAT Function" and "Use Virtual DHCP Server Function" checkboxes and click OK. After that you need to activate these functions with the "Enable SecureNAT" button.

If you have a "white" IP address, you need to forward the L2TP and IPsec ports on your router. How to do that is in your router's user manual; see, for example, "Frequently asked questions and answers". The ports are 1701, 500 and 4500, UDP protocol. You can use the DDNS name that SoftEther VPN generated or set your own in the "Dynamic DNS Setting" section.

If you have a “gray” IP address, go to the “VPN Azure Setting” section and activate this service.

Accordingly, from the Internet you will connect to "your_name.softether.net" in the first case and to "your_name.vpnazure.net" in the second.
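The same server-side steps described above (enable L2TP over IPsec with a pre-shared key, create a password-authenticated user, enable SecureNAT, then publish either a DDNS name for a "white" address or VPN Azure for a "gray" one) can be scripted with the vpncmd utility mentioned earlier instead of clicking through Server Manager. The script below is an added example and is not part of the article or of the SoftEther project; it assumes vpncmd from the Add-On is on PATH, that the server's management port is 443, that the hub is the stock "DEFAULT" hub, and it uses placeholder names (alice, DDNS_NAME) that you replace. Secrets are read from environment variables and written to a 0600 temporary script rather than passed on the command line, so they do not end up in shell history or `ps` output.

```shell
#!/bin/sh
# Added example, not the article's or SoftEther's own code.
# Assumptions: vpncmd on PATH, management port 443, hub "DEFAULT".
SERVER="localhost:443"   # where vpncmd connects; placeholder
HUB="DEFAULT"            # hub L2TP users land in; placeholder
VPN_USER="alice"         # placeholder user name

# Write the vpncmd command list to $1. $2 is "white" (routable IP, publish
# a DDNS name) or "gray" (NAT'd IP, use the VPN Azure relay), the article's terms.
# Requires IPSEC_PSK and VPN_USER_PASSWORD (and DDNS_NAME for "white") in the environment.
build_vpncmd_script() {
  out="$1"; addr="$2"
  [ -n "$IPSEC_PSK" ]         || { echo "IPSEC_PSK is not set" >&2; return 1; }
  [ -n "$VPN_USER_PASSWORD" ] || { echo "VPN_USER_PASSWORD is not set" >&2; return 1; }
  case "$addr" in
    white) [ -n "$DDNS_NAME" ] || { echo "DDNS_NAME is not set" >&2; return 1; } ;;
    gray)  ;;
    *)     echo "unknown address type: $addr (use white or gray)" >&2; return 1 ;;
  esac
  umask 077   # the script file carries the PSK and password: owner-readable only
  {
    # L2TP over IPsec with the pre-shared key; raw L2TP and EtherIP stay off
    echo "IPsecEnable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:${IPSEC_PSK} /DEFAULTHUB:${HUB}"
    # Select the hub, then create the user with password authentication
    echo "Hub ${HUB}"
    echo "UserCreate ${VPN_USER} /GROUP:none /REALNAME:none /NOTE:none"
    echo "UserPasswordSet ${VPN_USER} /PASSWORD:${VPN_USER_PASSWORD}"
    # SecureNAT = user-space NAT + DHCP, so clients get addresses and a default route
    echo "SecureNatEnable"
    if [ "$addr" = "white" ]; then
      echo "DynamicDnsSetHostname ${DDNS_NAME}"   # reachable as DDNS_NAME.softether.net
    else
      echo "VpnAzureSetEnable yes"                # reachable as your_name.vpnazure.net via the relay
    fi
  } > "$out"
}

# Feed the script to the server. Needs SERVER_ADMIN_PASSWORD in the environment.
# Returns 2 when vpncmd is absent (e.g. on a workstation), leaving the file for review.
apply_vpncmd_script() {
  command -v vpncmd >/dev/null 2>&1 || { echo "vpncmd not found; script left at $1" >&2; return 2; }
  [ -n "$SERVER_ADMIN_PASSWORD" ] || { echo "SERVER_ADMIN_PASSWORD is not set" >&2; return 1; }
  vpncmd "$SERVER" /SERVER /PASSWORD:"$SERVER_ADMIN_PASSWORD" /IN:"$1"
  rc=$?
  rm -f "$1"   # remove the secrets once applied
  return $rc
}

# Usage:
#   export IPSEC_PSK='...' VPN_USER_PASSWORD='...' SERVER_ADMIN_PASSWORD='...' DDNS_NAME='myhome'
#   f=$(mktemp) && build_vpncmd_script "$f" white && apply_vpncmd_script "$f"
```

With a "white" address remember that the router still has to forward UDP 500, 4500 and 1701 to the NAS, exactly as the article says; the script only configures the server side. The L2TP client then logs in with the user name and password created here (use user@hubname if you later move the user to a hub other than the default one) and the PSK entered in IPsecEnable.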

Examples of client settings for Android, Linux, Mac and Windows.

No less interesting for more advanced users will be the OpenVPN protocol, but more about that in the next article. I already covered configuring the OpenVPN client in the article "One of the simplest options for protecting VoIP", but there only a D-Link DSR-series router and an Android smartphone are considered as clients.

The interface is described in great detail on the site http://www.softether.org/ . It is in English, but with the variety of online translators available, I think anyone can figure it out.

If you still have questions about how it works, please get in touch.

Source: https://habr.com/ru/post/251123/