Security Concern with VPNAzure

[genesys]

I am using VPNAzure to connect to my VPN server since without VPNAzure a connection is not possible.

I understand that all my traffic is relayed through the VPNAzure server (since UDP hole punching seems to be unsuccessful in my case).
I also understand that this relayed traffic is encrypted and therefore the VPNAzure server is not able to sniff any content.
However, here comes the catch:

I know that for VPNAzure you can only establish connections using either SoftEther VPN client or using MS-SSTP (L2TP does not work, at least not for traffic relaying). I don't know how exactly the connection is established when the SoftEther client is usedd (what authentication method is used to establish the tunnel), however, when SSTP is used where I can specifically select the authentication method, I noticed that I can only establish a connection using PAP authentication. If I try to use CHAP or CHAP2, it doesn't work. This means while the VPN traffic being relayed through VPN azure is still encrypted, the VPN Azure server does see my VPN password as unencrypted clear text (since that's how PAP transmits passwords). This in turn means the people who are running VPNAzure could at any time access any VPN network that makes use of VPN azure. (again, I don't know how the connection is established in the case of using the SoftEther VPN client, but if only PAP works with SSTP, I could Imagine the SoftEther VPN client using the same authentication mechanism in that case).

Thoughts?

[OliverTejada]

The fact that unencrypted credentials may be sent to that server when using MS-SSTP may be true, I don't know much about that protocol, since I have completely ignored it. But when using SoftEther's own protocol, this doesn't happen. By default, the initial handshake is encrypted, and so is the rest. On the other hand, you shouldn't worry about your VPN server being tampered with... That server is managed by SoftEther themselves I believe.

[genesys]

I’m somewhat skeptical of the trustworthiness of VPNAzure because:
1. Contrary to the SoftEther Server and Client, the VPNAzure sourcecode does not seem to be open source
2. The documentation of VPNAzure clearly states that it does not relay actual data packets but only help in establishing a connection ( https://www.softether.org/4-docs/2-howt ... .VPN_Azure ) but I know now that this isn’t true and it does relay traffic at least in some cases. I do find the fact that this isn’t correctly documented somewhat suspicious.

[OliverTejada]

I totally understand, and you have a point. I am looking for solutions that could help us all relay our VPNs on servers of our own, servers that we control. Still haven't quite found what I wanted, but I am totally certain that it exists. I found this concept very interesting, and it's really something that comes in handy when setting up VPN servers on networks that we can't manage.

[tokutoku]

Insecure protocols like PAP and CHAP are encapsulated over HTTPS, that is SSL/TLS. So, even if the VPN azure server did a man-in-the-middle attack, it would never succeed, I think.