Domain auth with certificates, pass saving and remote admin

Posted: Wed Jun 03, 2015 10:02 am
by thomasrw
Hi,

I have been testing SoftEther and would like to move a number of servers off OpenVPN to SoftEther; however, one concern I have is the authentication.
With OpenVPN we have it set up with an individual certificate for each user and also NT domain auth. So even if a hacker knows someone's password they still need a certificate to connect as well. And if they steal a PC with the VPN client on it they still need to know the password, plus we can revoke that certificate.

SoftEther seems to allow only one or the other. I don't want certificate only, as then anyone who gets in front of that PC can log in. And if it is NT domain only, then anyone in the world can try and connect if they know a password, or attempt brute force.
It would be more secure if it could do both at the same time.
From what I've read I don't think it can be done at the moment, but if so, is it possibly something that could be added in the future?

Also I read a bug report somewhere confirming it but can't find it now: it seems the "disallow password save" setting does not work when using NT Domain auth. Is this on the list to be fixed?
I think it is a big security issue allowing users to save their VPN password and I really want to prevent it. Again, I can do this with OpenVPN.

One last thing: remotely administering the VPN client settings seems like a great idea, but it seems to me you have to have a direct TCP connection to the client, is that right?
E.g. many of our VPN users have the client installed on their home PCs to connect into their office server. In this scenario you'd have to set port forwards on their home routers to allow us to remotely administer them, wouldn't we? Or am I missing something?
I guess if they are connected to the VPN at the time then you could remote admin them, but what if they can't connect due to wrong/old settings?

Otherwise I have to say I am really impressed by SoftEther: the excellent GUI is a big advantage over OpenVPN, where even seeing who is connected is difficult and limited. And the client works really well, and I really like the easy mode.


Thanks

Re: Domain auth with certificates, pass saving and remote admin

Posted: Wed Dec 30, 2015 1:01 am
by thomasrw
Hi,

I just wanted to bump this as it never got a response but it is quite important to me.

Firstly, I don't understand why we can't use a certificate along with username/password authentication (local or NT).
Using a certificate only is dodgy because someone else can get onto the PC and just connect the VPN, and often these are home PCs with multiple users, or laptops that can get stolen.
And password only isn't ideal at all, but I prefer it as someone on the PC can't just connect without knowing the password.
But the problem with that is, at least with NT authentication enabled, you cannot have SoftEther clients refuse to save the password. So again anyone gaining access to that PC can just connect the VPN if the user has saved the password.

A first simple fix that would make me much happier is if the policy setting named "Disallow Password save in VPN client" actually worked when using NT authentication. I believe it works with 'password authentication' but not 'NT Domain authentication'.
Surely this has to be a bug? I can't see why it couldn't work for NT Auth.

But also I'd really like to see the option to create individual client certificates as well as using password or NT authentication. This is standard in OpenVPN and I don't understand why SoftEther doesn't support it; it would have to be easy to implement, as both methods are already there, you just can't choose both at the same time.


Thanks
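The two-layer setup thomasrw describes for OpenVPN (per-user certificate, then username/password, with revocation), shown as an added illustrative server configuration fragment that is not from this thread or from SoftEther; the file paths and the credential-check script are assumed placeholders.

```conf
# OpenVPN 2.4+ server fragment (added example). Paths are placeholders.

# Layer 1: every client must present a certificate issued by our CA.
# Without a valid cert the TLS handshake fails before any password is examined,
# so an attacker who only knows a password cannot even reach the login step.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
verify-client-cert require

# Revocation: when a laptop is lost, its certificate is added to this CRL
# and the server refuses it at the next handshake, regardless of the password.
crl-verify /etc/openvpn/crl.pem

# Layer 2: the same session must also pass a username/password check.
# The script (placeholder name) receives the credentials and the certificate's
# common_name in its environment and exits 0 only if the domain accepts them;
# it can also reject a mismatch between the presented username and the cert.
auth-user-pass-verify /etc/openvpn/check-domain-user.sh via-env
script-security 2
```

A stolen PC with a saved password still fails without the certificate, and a stolen certificate still fails without the password, which is the property the thread is asking SoftEther to offer.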

Re: Domain auth with certificates, pass saving and remote admin

Posted: Fri Apr 13, 2018 9:52 am
by rkheria
Any solution to use both client certificates and passwords? Or is OpenVPN the only option?

Re: Domain auth with certificates, pass saving and remote admin

Posted: Wed May 23, 2018 1:01 am
by dmarlow
I too would like multiple auth capabilities.