Page 1 of 1

Is certificate login for admin supported? [workaround and recommendation provided]

Posted: Tue Aug 13, 2019 9:43 pm
by superleech
Hi all, there's login by RSA certificate for regular users but is there a way to enable certificate login for admin?

Re: Is certificate login for admin supported?

Posted: Thu Aug 15, 2019 7:57 am
by superleech
I found my answer. It's not supported but there's a workaround.

Option 1:

The admin mode only accepts the password authentication so make sure it's a very long password.

Option 2:

In addition to option 1, you can disable the Internet from connecting by creating an adminip.txt file in the same directory as vpnserver installation directory. This is the same directory as either vpnserver*.exe or ./vpnserver depending on Windows or Linux. The file content of adminip.txt should contain:

Option 3:

In addition to option 2, you can create a new HUB specifically for administration purpose. Create a new HUB and don't bridge it to any other network interface. Let this new HUB be isolated by itself. Enable Secure NAT and Secure DHCP. The DHCP should serve addresses from an unused subnet. Modify adminip.txt to allow only this subnet access. Add a new user and configure it to use certificate login.

Security warning:

Option 3 prevents the Internet from getting access to hack your administrative account but it can't prevent an attacker from inside your network from trying to hack your administrative account.

The SoftEther team should fix this so that you can specify only connections from a specific HUB may have administrative access. This leverages the existing infrastructure and lets you add global administrative users.