OpenVPN 2.5 client to SoftEther 4.34 server

ethanolson
Posts: 50
Joined: Mon Dec 02, 2019 6:29 am

Post by ethanolson » Tue Sep 08, 2020 4:49 am

I thought I'd post my OpenVPN config file to help people who want a successful connection with the new OpenVPN 2.5 client using the 'wintun' adapter. I built and tested this with OpenVPN 2.5 (beta 3) connecting to SoftEther 4.34 (9744).
----------
# Obviously, a typical funkmeister config file.

# Let's start off with using the new wintun adapter
windows-driver wintun
ip-win32 dynamic

# Obviously, this is the client-side connection, so we define that
client

# Tunnel mode because this is a traditional Client-Server VPN connection
dev tun

# Use TCP instead of UDP
proto tcp

# Define VPN Server and Port
remote example.softether.net 5555

# Yep, TLS for sure.
tls-client

# Define TLS 1.2 as minimum
tls-version-min 1.2

# Choose TLS 1.3 cipher suites
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

# Choose TLS 1.2 cipher suites. Criteria are PFS, high encryption, AEAD, SHA2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

# Define the symmetric encryption. Sadly, SE server doesn't support GCM for OpenVPN, so it will require CBC ciphers in the list.
data-ciphers AES-256-GCM:AES-192-GCM:ChaCha20-Poly1305:CAMELLIA-256-CBC:CAMELLIA-192-CBC:AES-256-CBC:AES-192-CBC

# Since the new OpenVPN 2.5 negotiation technique isn't implemented in SE, the fallback cipher needs to be stipulated. Some clients, especially mobile, need AES instead of Camellia. Alter as required.
data-ciphers-fallback CAMELLIA-192-CBC

# Define a hash that fully accommodates the encryption key (2x cipher length is the ideal target).
# This is the data-channel HMAC for the CBC ciphers; the AEAD ciphers (GCM, ChaCha20-Poly1305) ignore it.
auth SHA384

# Keep retrying hostname resolution of the VPN server for 9 seconds before giving up
resolv-retry 9

# Use dynamic port for packet return
nobind

# These next two lines keep the key material and the tun adapter across restarts, so a dropped
# connection is re-established without re-reading keys or re-creating the adapter
persist-key
persist-tun

# Not using compression (SE server doesn't support LZx compressions; leaving it off also avoids compression-oracle attacks such as VORACLE)
#compress lz4-v2

# How verbose are we going to be? 2.
verb 2

# Since SE is on the other end, it has to be username and password
auth-user-pass

# Don't cache credentials in memory (reduce credential theft from memory, but require reentry if tunnel reestablishes).
auth-nocache

# Detect MITM... kind of a big deal. Use the SE server certificate's Common Name (CN) field data for this.
verify-x509-name 'example.vpnazure.net' "name"

# No MTU defined (certain techs, like PPPoE, break it anyway). Prefer MSS Fixing instead.
#link-mtu 1500

# Clamp the TCP MSS so encapsulated packets fit a 1500-byte path MTU. OpenVPN 2.5 takes a byte count here;
# a non-numeric value such as 'max' is parsed as 0, which disables mssfix. Lower the value if your path MTU is smaller.
mssfix 1450

# No client certificate is used (SoftEther authenticates with username and password). This silences
# OpenVPN's 'no client certificate' warning; the filler cert/key blocks below are only for clients that still complain.
setenv CLIENT_CERT 0

# Routing rules that make a split tunnel instead of a full tunnel. Don't use this block if you want all traffic to flow through the VPN.
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

# Routing rules to define which subnets are accessed through the VPN tunnel.
route 192.168.136.0 255.255.255.0 vpn_gateway 1
route 192.168.145.0 255.255.255.0 vpn_gateway 1

# Provide DNS info for the connected network. Except 'wintun' doesn't support this, so ensure your DHCP server or SecureNAT config is pushing what's needed.
#dhcp-option DNS 192.168.136.10
#dhcp-option DOMAIN 'example.com'

# I hope you know what the rest of this is.
<ca>
-----BEGIN CERTIFICATE-----
{whatever the CA cert is that issued your SoftEther server certificate}
-----END CERTIFICATE-----
</ca>

# Filler certificate and key to keep clients from barking at you. Not used for authentication.

<cert>
-----BEGIN CERTIFICATE-----
{whatever your client certificate is}
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
{whatever your private key is}
-----END PRIVATE KEY-----
</key>

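The config above makes several security-relevant choices that are easy to get subtly wrong (a missing `verify-x509-name`, a stale `tls-version-min`, a 64-bit-block cipher left in `data-ciphers`, compression switched back on, a non-numeric `mssfix`, or split-tunnel bypass routes that do not add up to all of IPv4). The following checker is an added example, not code from the post, SoftEther or the OpenVPN project: it parses an OpenVPN client config (inline `<ca>` blocks included), runs those checks, and reports findings. Both config samples inside it are constructed; the first is the posted config reduced to its security-relevant lines, the second is a deliberately weak counterpart. The hostnames in them are placeholders.

```python
"""Static checker for OpenVPN 2.5 client configs (added example, not code from
the post, SoftEther or the OpenVPN project); checks the points the post raises."""
import ipaddress
import re
import shlex

# Constructed sample: the posted config reduced to the security-relevant lines.
SAMPLE_CONFIG = """\
remote example.softether.net 5555
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-192-GCM:ChaCha20-Poly1305:CAMELLIA-256-CBC:AES-256-CBC
data-ciphers-fallback CAMELLIA-192-CBC
auth-user-pass
auth-nocache
verify-x509-name 'example.vpnazure.net' "name"
mssfix max
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
route 192.168.136.0 255.255.255.0 vpn_gateway 1
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
"""

# Constructed counter-example carrying the weak settings the checks look for.
WEAK_CONFIG = """\
tls-version-min 1.0
data-ciphers AES-256-GCM:BF-CBC
auth-user-pass
comp-lzo
mssfix 1450
route 0.0.0.0 128.0.0.0 net_gateway
"""

# 64-bit-block ciphers (SWEET32) and the null cipher: none belongs in data-ciphers.
WEAK_DATA_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}


def parse(text):
    """Split a config into (option, args) pairs and inline <tag>...</tag> blocks."""
    options, blocks, tag, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag is not None:                      # inside an inline block
            if line == f"</{tag}>":
                blocks[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            tag = m.group(1)
            continue
        parts = shlex.split(line)                # honours OpenVPN's quoting
        options.append((parts[0], parts[1:]))
    return options, blocks


def check(text):
    """Return (key, message) findings for a client config."""
    options, blocks = parse(text)
    seen = {}
    for name, args in options:
        seen.setdefault(name, []).append(args)
    findings = []
    if float(seen.get("tls-version-min", [["0"]])[0][0]) < 1.2:
        findings.append(("tls-version-min", "missing or below 1.2; TLS 1.0/1.1 can be negotiated"))
    if "verify-x509-name" not in seen:
        findings.append(("verify-x509-name", "missing; any cert issued by the CA passes, so the server identity is not pinned"))
    if "ca" not in blocks and "ca" not in seen:
        findings.append(("ca", "no CA configured; the server certificate cannot be validated"))
    if "auth-user-pass" in seen and "auth-nocache" not in seen:
        findings.append(("auth-nocache", "password stays cached in client memory across reconnects"))
    ciphers = seen.get("data-ciphers", [[""]])[0][0].split(":")
    ciphers += [a[0] for a in seen.get("data-ciphers-fallback", []) if a]
    for c in sorted({c.upper() for c in ciphers} & WEAK_DATA_CIPHERS):
        findings.append(("data-ciphers", f"{c} is a 64-bit-block or null cipher; remove it"))
    for opt in ("compress", "comp-lzo"):
        for args in seen.get(opt, []):
            mode = args[0] if args else ("stub" if opt == "compress" else "adaptive")
            if mode not in ("stub", "stub-v2", "no", "migrate"):   # these keep framing only
                findings.append(("compress", f"{opt} {mode}: compression on the data channel (VORACLE-style oracle risk)"))
    for args in seen.get("mssfix", []):
        if args and not args[0].isdigit():
            findings.append(("mssfix", f"'{args[0]}' is not a byte count; OpenVPN 2.5 reads it as 0 and disables MSS clamping"))
    # The net_gateway routes only form a split tunnel if together they cover all of IPv4.
    bypass = [ipaddress.ip_network((a[0], a[1]), strict=False)
              for a in seen.get("route", []) if len(a) >= 3 and a[2] == "net_gateway"]
    if bypass and list(ipaddress.collapse_addresses(bypass)) != [ipaddress.ip_network("0.0.0.0/0")]:
        findings.append(("split-tunnel", "net_gateway routes do not cover all of IPv4; the rest follows the server's pushed default route"))
    return findings


if __name__ == "__main__":
    for key, msg in check(WEAK_CONFIG):
        print(f"{key}: {msg}")
```

Run against the posted config the only finding is the `mssfix max` line, because the four /2 `net_gateway` routes collapse to 0.0.0.0/0 and every other check passes; the weak sample trips every check except `mssfix`. The cipher list is a starting point, not an allow-list: the checker flags known-bad ciphers rather than vetting the CBC ones the SoftEther server forces you to keep.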