Domain auth with certificates, pass saving and remote admin
Posted: Wed Jun 03, 2015 10:02 am
Hi,
I have been testing Softether and would like to move a number of servers off OpenVPN to Softether; however, one concern I have is the authentication.
With OpenVPN we have it set up with an individual certificate for each user and also NT domain auth. So even if a hacker knows someone's password they still need a certificate to connect as well. And if they steal a PC with the VPN client on it they still need to know the password, plus we can revoke that certificate.
Softether seems to allow only one or the other. I don't want certificate only as then anyone who gets in front of that PC can log in. And if it is NT domain only then anyone in the world can try and connect if they know a password, or attempt brute force.
It would be more secure if it could do both at the same time.
From what I've read I don't think it can be done at the moment, but if so is it possibly something that could be added in the future?
Also I read a bug report somewhere confirming it but can't find it now - it seems setting the disallow password save does not work when using NT Domain auth, is this on the list to be fixed?
I think it is a big security issue allowing users to save their VPN password and really want to prevent it. Again I can do this with OpenVPN.
One last thing - remotely administrating the VPN client settings seems like a great idea, but it seems to me you have to have a direct TCP connection to the client, is that right?
e.g. many of our VPN users have the client installed on their home PCs to connect into their office server. In this scenario we'd have to set port forwards on their home routers to allow us to remotely administer them, wouldn't we? Or am I missing something?
I guess if they are connected to the VPN at the time then you could remote admin them, but what if they can't connect due to wrong/old settings?
Otherwise I have to say I am really impressed by Softether - the excellent GUI is a big advantage over OpenVPN, where even seeing who is connected is difficult and limited. And the client works really well, and I really like the easy mode.
Thanks
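For reference, the OpenVPN arrangement the post describes (per-user certificate plus a domain password, with revocation) looks like the following. This is a constructed example added here, not configuration from the poster or from the SoftEther project; file names, the PAM service name and the plugin path are assumptions.

```conf
# ---- server.conf (constructed example) ----
port 1194
proto udp
dev tun
ca   ca.crt          # the CA that issued every user certificate
cert server.crt
key  server.key
dh   dh2048.pem
tls-auth ta.key 0    # HMAC on the control channel: unauthenticated probes are dropped early

# Factor 1: every client must present a certificate signed by ca.crt.
# "client-cert-not-required" is deliberately absent, so a password alone is never enough.

# Revocation: a stolen laptop's certificate is rejected at the TLS handshake
# once it is listed in crl.pem (regenerate the CRL after each revocation).
crl-verify crl.pem

# Factor 2: username/password checked by PAM; the "openvpn" PAM service
# is assumed to be configured for domain (e.g. winbind/SSSD) authentication.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

# ---- client.ovpn (constructed example) ----
client
dev tun
proto udp
remote vpn.example.com 1194
ca   ca.crt
cert user1.crt       # per-user certificate, revocable individually
key  user1.key
tls-auth ta.key 1
auth-user-pass       # prompt for the domain credentials on every connect
auth-nocache         # do not keep the entered password in memory for reconnects
```

Note that `auth-nocache` only stops the OpenVPN process from caching the password; whether a GUI front end offers to store it is a separate client-side setting.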