
OpenVPN 2.5 client to SoftEther 4.34 server

Posted: Tue Sep 08, 2020 4:49 am
by ethanolson
I thought I'd post my OpenVPN config file to help people who want a successful connection with the new OpenVPN 2.5 client using the 'wintun' adapter. I built and tested this with OpenVPN 2.5 (beta 3) connecting to SoftEther 4.34 (9744).
# Obviously, a typical funkmeister config file.

# Let's start off with using the new wintun adapter
windows-driver wintun
ip-win32 dynamic

# Obviously, this is the client-side connection, so we define that
client

# Tunnel mode because this is a traditional Client-Server VPN connection
dev tun

# Use TCP instead of UDP
proto tcp

# Define VPN Server and Port (the server name was lost from the post; put your own SoftEther host here)
remote {vpn-server-hostname} 5555

# Yep, TLS for sure.
tls-client

# Define TLS 1.2 as minimum
tls-version-min 1.2

# Choose TLS 1.3 cipher suites
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

# Choose TLS 1.2 cipher suites. Criteria are PFS, high encryption, AEAD, SHA2 (the list itself was lost from the post; supply your own)
tls-cipher {TLS 1.2 cipher list meeting the criteria above}

# Define the symmetric encryption. Sadly, SE server doesn't support GCM for OpenVPN, so it will require CBC ciphers in the list.
data-ciphers AES-256-GCM:AES-192-GCM:ChaCha20-Poly1305:CAMELLIA-256-CBC:CAMELLIA-192-CBC:AES-256-CBC:AES-192-CBC

# Since the new OpenVPN 2.5 negotiation technique isn't implemented in SE, the fallback cipher needs to be stipulated. Some clients, especially mobile, need AES instead of Camellia. Alter as required.
data-ciphers-fallback CAMELLIA-192-CBC

# Define hash that fully accommodates encryption key (2x cipher length is ideal target)
auth SHA384

# Spend 9 seconds looking for the VPN server
resolv-retry 9

# Use dynamic port for packet return
nobind

# These next two lines reopen the tunnel if it collapses
persist-key
persist-tun

# Not using compression (SE server doesn't support LZx compressions)
#compress lz4-v2

# How verbose are we going to be? 2.
verb 2

# Since SE is on the other end, it has to be username and password
auth-user-pass

# Don't cache credentials in memory (reduce credential theft from memory, but require reentry if tunnel reestablishes).
auth-nocache

# Detect MITM... kind of a big deal. Use the SE server certificate's Common Name (CN) field data for this.
# (The CN was lost from the post; the second argument "name" means an exact match on the CN.)
verify-x509-name '{CN of your SoftEther server certificate}' name

# No MTU defined (certain techs, like PPPoE, break it anyway). Prefer MSS Fixing instead.
#link-mtu 1500

# Use the largest non-fragmenting packet size available.
mssfix max

# Don't bother with the client certificates. Though they are included so OpenVPN clients don't complain.
setenv CLIENT_CERT 0

# Routing rules that make a split tunnel instead of a full tunnel. Don't use this block if you want all traffic to flow through the VPN.
# (The subnets were lost from the post; each line is "route <network> <netmask> net_gateway", keeping that network on the local gateway.)
route {local-subnet-1} {netmask} net_gateway
route {local-subnet-2} {netmask} net_gateway
route {local-subnet-3} {netmask} net_gateway
route {local-subnet-4} {netmask} net_gateway

# Routing rules to define which subnets are accessed through the VPN tunnel (metric 1).
route {remote-subnet-1} {netmask} vpn_gateway 1
route {remote-subnet-2} {netmask} vpn_gateway 1

# Provide DNS info for the connected network. Except 'wintun' doesn't support this, so ensure your DHCP server or SecureNAT config is pushing what's needed.
#dhcp-option DNS {dns-server-ip}
#dhcp-option DOMAIN '{search-domain}'

# I hope you know what the rest of this is.
<ca>
{whatever the CA cert is that issued your SoftEther server certificate}
</ca>

# Filler certificate to keep clients from barking at you.
<cert>
{whatever your public key is}
</cert>

<key>
{whatever your private key is}
</key>
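As an added example (not part of ethanolson's post or of OpenVPN/SoftEther), the script below parses an OpenVPN client config in the shape of the one above and reports the hardening points the post's comments call out: a TLS floor of 1.2, server-name pinning with verify-x509-name, a non-weak auth digest, auth-nocache alongside auth-user-pass, no compression, and an informational note wherever CBC ciphers remain in the data-ciphers list or fallback (which the post says SoftEther still needs). Both embedded configs are constructed samples with placeholder hostnames; the parser skips inline <ca>/<cert>/<key> blocks so PEM data is never read as directives.

```python
"""Lint an OpenVPN 2.5 client config for the hardening points discussed above.

Constructed example: the configs below are sample inputs, not the post's own file.
"""
import shlex
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (severity, message); severity is "WARN" or "INFO"

# Constructed sample in the same shape as the post's config (placeholder host and CA).
SAMPLE_CONFIG = """\
client
dev tun
proto tcp
remote vpn.example.invalid 5555
tls-client
tls-version-min 1.2
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
data-ciphers AES-256-GCM:AES-192-GCM:ChaCha20-Poly1305:CAMELLIA-256-CBC:CAMELLIA-192-CBC:AES-256-CBC:AES-192-CBC
data-ciphers-fallback CAMELLIA-192-CBC
auth SHA384
nobind
persist-key
persist-tun
auth-user-pass
auth-nocache
verify-x509-name 'vpn.example.invalid' name
verb 2
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderCAcertificatebodyNotRealData
-----END CERTIFICATE-----
</ca>
"""

# Constructed weak sample: old TLS floor, no name check, default SHA1 auth, cached password, compression.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
tls-version-min 1.0
data-ciphers AES-256-GCM
auth-user-pass
comp-lzo
"""


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with.

    Blank lines and comments (# or ;) are ignored; inline file blocks such as
    <ca> ... </ca> are skipped wholesale so certificate/key lines are not parsed.
    """
    directives: Dict[str, List[List[str]]] = {}
    in_block: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        parts = shlex.split(line)  # honours the quoting used by verify-x509-name
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def lint(text: str) -> List[Finding]:
    """Return findings for the client-side hardening points named in the post."""
    d = parse_config(text)
    findings: List[Finding] = []

    def first(name: str, default: Optional[List[str]] = None) -> Optional[List[str]]:
        return d[name][0] if name in d else default

    tls_min = first("tls-version-min")
    if tls_min is None or float(tls_min[0]) < 1.2:
        findings.append(("WARN", "tls-version-min missing or below 1.2"))

    if "verify-x509-name" not in d and "remote-cert-tls" not in d:
        findings.append(("WARN", "no verify-x509-name/remote-cert-tls: server identity is not pinned"))

    auth = first("auth", ["SHA1"])  # OpenVPN's default HMAC digest is SHA1
    if auth[0].upper() in {"MD5", "SHA1", "NONE"}:
        findings.append(("WARN", f"auth {auth[0]} is weak; use SHA256 or stronger"))

    ciphers = first("data-ciphers", [""])[0].split(":")
    cbc = [c for c in ciphers if c.upper().endswith("-CBC")]
    if cbc:
        findings.append(("INFO", "non-AEAD ciphers still accepted: " + ", ".join(cbc)))
    fallback = first("data-ciphers-fallback")
    if fallback and fallback[0].upper().endswith("-CBC"):
        findings.append(("INFO", f"data-ciphers-fallback {fallback[0]} is a CBC cipher"))

    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append(("WARN", "auth-user-pass without auth-nocache: password stays in process memory"))

    comp = first("compress")
    if comp and comp[0] not in ("stub", "stub-v2"):
        findings.append(("WARN", f"compress {comp[0]} enabled: compressing encrypted traffic leaks plaintext"))
    lzo = first("comp-lzo")
    if lzo is not None and (not lzo or lzo[0] != "no"):
        findings.append(("WARN", "comp-lzo enabled: compressing encrypted traffic leaks plaintext"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {label} ==")
        for severity, message in lint(cfg):
            print(f"{severity}: {message}")
```

Run it against your own .ovpn by passing its text to lint(); the WARN lines are the settings worth fixing before connecting, while the INFO lines only record where CBC is still negotiable because the server side requires it.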