
private dyndns // connection details sharing

Posted: Tue Oct 01, 2019 7:33 pm
by KennyS
Hi,

My goal is to use an Azure/AWS/private Docker service running a site where team members could log in and choose from a pool of VPN servers to connect to in order for them to manage remote installations. Sharing the connection information between people is a cumbersome task, which I want to avoid as much as possible.

Maybe as an in-between solution I would like to see if there is something we can do to create a "shared addressbook" which we could share and dynamically update with the team and which would contain the connection information.

Secondly, I would like to know if there is any information on how to change the dyndns to a private server (instead of vpnxxxxx.softether.net).

So any information somebody could give would be greatly appreciated.

Thx
Kenny

Re: private dyndns // connection details sharing

Posted: Tue Oct 01, 2019 8:59 pm
by ozone
Hi,

What exactly do you mean by "teammembers"?

Reason:
What I would HATE to see is that connection details of ALL softether DDNS users would be listed on ANY site, as many of them use it for PRIVATE-only tunnels. NO ONE else needs to know their connection details.
Moreover, listing even just their DDNS-name and IP-data on ANY website is inviting/enabling hackers to those sites. After all, they will KNOW what server is listening on that address, and therefore its vulnerabilities.
Every connection detail you add will make that easier for them and even worse for the owner of the vpn.
And also, many governments would be very interested in those "team" sites too....

As far as I know, currently the DDNS data is handled only by SE. Barring being hacked or a court-order, this data is private to only them.
(please correct me if I'm wrong)

So if "teammembers" means a new set, or a clear and unambiguous subset, of SE DDNS-users: Ok. I have no issue with it.
But if you mean "all" SE DDNS-users, I must CLEARLY object to the idea.

Btw: you can change the vpnXXXXXX.softether.net to YYYYYYYYYY.softether.net if you like.
(so you can create a virtual "team" by instructing "teammembers" to change their vpn ddnsname to (for instance) a "teamZZZZZ.softether.net" naming scheme)


Please elaborate on your meaning and intentions of "teammembers".

Thank You.

Re: private dyndns // connection details sharing

Posted: Wed Oct 02, 2019 6:32 pm
by KennyS
I think you misunderstood my question.

My goal is to replicate the SE server for a private purpose, not being dependent on a third-party service.
This would in no way be for public access. The software can of course be open source, but for my private instance of it only a few ppl that I would grant access would be able to see my pool of connections.
Something like this example

Hope this clears up some misunderstandings

Greetz kenny

Re: private dyndns // connection details sharing

Posted: Wed Oct 02, 2019 9:37 pm
by ozone
Hi,

Sorry that I misunderstood you.
I read it as: "the address book" and the ddns service would be for one and the same purpose.
And as such, it would be beneficial (for you) to create the address book based on softether DDNS service data.

But I guess I should see them as 2 separate entities.

1) You would like to have some kind of DB of your teammembers' connection data to create a centrally managed new service like "MOXA".
(but based on SE)
Correct?

2) The DDNS is a completely different matter, and there is no desire for you to use the SE DDNS-db to create an "address book"?
Correct?
(this was the part I was disagreeing on)

3) But you would like to have this DDNS service to have a domain of your own instead of "softether.net".
Correct?


Just brainstorming on this....

If the first is <yes>, I could picture something like a vpncmd-script that you can distribute to your "members". This can either be used to distribute a setup for a SE link TO your central point (let's call it: "YourMoxa") on an existing remote SE install, or even a complete SE software install script including the OUTGOING link config. (connection data is then supplied by YOU)
Or
Another way is to create a VPNCMD script that -reads- or -sets-up- an INCOMING link on an already configured remote SE-server.
If it just "reads" info, the info needs to be sent back to you.
(a good moment to remind the sender that he hands you the "keys to the castle") :)
If it "sets-up", connection data is again supplied by YOU.

Of course, if you supply the remote sites with preconfigured appliances like MOXA does, you would also know the connection data and have it on file.


If Q3 is <yes>, I think you have to register your own DNS domainname (if not done so already).
You can then use the dns service of that provider to create aliases for the registered "softether.net" names to something nice.
SE cannot register that name for you, nor can it hand out names in domains not of their own.
Or
Like I mentioned earlier, you could just change the prefix, and leave the "softether.net". So e.g. "YourMoxaClient001.softether.net", "YourMoxaClient002.softether.net", and "YourMoxaRemote001.softether.net" etc.
(I would do so regardless...much easier than vpnxxxxx names)
Or
Just set up your own DDNS service in Azure and link it to the registered domainname.


Yes, I could see this happening. But it will take some work....
That is... if I understood correctly this time :)

Sorry for the long post... You got me interested in the idea, I got a bit carried away.

Oz

Re: private dyndns // connection details sharing

Posted: Thu Oct 03, 2019 6:37 pm
by KennyS
Hi Oz

Thanks for taking the time for the elaborate answer.

In short:

Q1: Almost. It would rather be the other way around: I would have e.g. 20 SE servers set up (and growing continuously) and I would hand out the credentials to a master file/website where they could simply choose the remote server to connect to.

Q2: Indeed, the SE DDNS-db is of no interest to me with all of its details. I would like to create a private SE DDNS-db on a private cloud service / a local server in a company or whatever.

Q3: Indeed.

The long version:

Maybe I should have led with this: you could look at it as a company TeamViewer account.

Anybody can add a SE server to the pool, and anyone who has the credentials can connect to any of the VPNs in the DB. That DB would be privately hosted (cloud/on premise). My idea was that the pool could be grabbed from the private SE-DDNS db.

To further explain:
- A user opens the SE client software on a PC (required to log in to pull the connection information from the DB). That user would need a login provided by me (the admin).
- The SE client software shows all the connections available (so all the registered SE servers in the private SE DDNS-db).
- The user chooses to connect to "Site A".
- The SE client creates the VPN as normal (login creds for "Site A" are already supplied from the DB), so the user would not be required to know the password for server "Site A".

Creating an install script would be the easy part :)
Setting up the DDNS db would be a next step (I have no clue how to do this ATM, that's why I was looking for some information on how SE handles this now).
Integrating this with the SE client software would be the hard part, I guess. (Or maybe creating a new GUI which does the auth with the DDNS-DB via API and returns the info that runs a vpncmd in the background for creation of the connection.)

The "address book" sharing idea I only mention as maybe an intermediate solution to the same problem.

As a side note I would refer to this topic posted today: PLC Access
but instead of having 4 clients on the 4G it would be 4 servers. Then the setup I had in my mind would be a perfect solution to this problem.

So maybe somebody can point out some starting points or tips on how to do this.

Grts Kenny
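The login-then-pick-a-site flow described in the post above, sketched as an added example that is not part of the original thread or of SoftEther: a small broker that lists site names and releases a site's stored connection record only to an authenticated session, logging each decision. The class and field names, the sample pool and the per-login allow-list are assumptions made here.

```python
import hashlib, hmac, secrets, time
# Constructed pool: hosts, hub names and passwords are placeholders.
POOL = {
    "Site A": {"host": "site-a.vpn.example", "port": 443, "hub": "PLC",
               "user": "team", "password": "constructed-secret-a"},
    "Site B": {"host": "site-b.vpn.example", "port": 443, "hub": "PLC",
               "user": "team", "password": "constructed-secret-b"},
}

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Broker:
    """Hypothetical address-book service; names and the allow-list are assumptions."""
    def __init__(self, pool, session_ttl=900):
        self.pool, self.ttl = pool, session_ttl
        self.users, self.sessions, self.audit = {}, {}, []

    def add_user(self, login, password, allowed):
        salt = secrets.token_bytes(16)          # the admin provisions each login
        self.users[login] = (salt, _kdf(password, salt), set(allowed))

    def login(self, login, password):
        salt, digest, _ = self.users.get(login, (b"\0" * 16, b"", set()))
        ok = hmac.compare_digest(_kdf(password, salt), digest)
        self.audit.append((time.time(), login, "login", ok))
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (login, time.time() + self.ttl)
        return token

    def _who(self, token):
        login, expiry = self.sessions.get(token, (None, 0))
        if login is None or time.time() > expiry:
            raise PermissionError("no valid session")
        return login

    def list_sites(self, token):
        # Names only: browsing the pool never exposes hosts or passwords.
        return sorted(self.users[self._who(token)][2] & set(self.pool))

    def connection_for(self, token, site):
        login = self._who(token)
        ok = site in self.users[login][2] and site in self.pool
        self.audit.append((time.time(), login, f"connect:{site}", ok))
        if not ok:
            raise PermissionError(f"{login} may not use {site}")
        return dict(self.pool[site])            # released per use, not in bulk
```

The record returned by `connection_for` is what a front end would hand to the VPN client for that one connection; the audit list is what lets the admin see who used which site.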

Re: private dyndns // connection details sharing

Posted: Mon Oct 07, 2019 10:18 pm
by ozone
Hi,

Thank You for the explanation. I think I understand now.
A very interesting yet specific purpose for this software.

I don't know how big the percentage is of SE-users that might want to use your new function, but I guess the incentive to implement it in the normal client would be dependent on that percentage.
In view of that, a separate "extra" front-end might have a higher chance with the developers.
(in a way, a bit like the vpngate)

Also, I understand that someone can now propose self-written code.
And also, original source is available.
In that sourcecode maybe it can be seen how the DDNS is working client-side. (there are however other opensource DDNS options)

My roots are in electronics (low level), so programming for me usually means "scripting".
If I would have to tackle this challenge, I would therefore try to do it using ready-made opensource components (like a DDNS), and script a bunch of datafiles together into a rudimentary Webif frontend, with VPNCMD-command backend.
Not very slick of course, but hopefully sufficient.

But I guess if one is adept enough with the sourcecode itself, that would be possible too.

Keep the forum informed about your progress... It is certainly of interest to more of us.

Oz