Hello there! I’m Corels from Emmanuel Corels Creatives, and today we’re going to enhance your SoftEther VPN setup by integrating it with an external RADIUS server. This integration centralizes user authentication and accounting, making it easier to manage a large number of VPN users and adhere to enterprise-level security practices. One particularly powerful feature is the use of a wildcard user—by creating a user with a username of `*` and setting its authentication type to `radius` (without a local password), any login attempt for a username not present in SoftEther’s database will be authenticated solely through your external RADIUS server.
What Is RADIUS and Why Integrate It with SoftEther VPN?
RADIUS (Remote Authentication Dial-In User Service) is a protocol for centralized authentication, authorization, and accounting. Integrating RADIUS with SoftEther VPN allows you to manage user credentials and policies from a single location. This approach enhances security by ensuring that all user verification happens in a centralized, controlled manner—ideal for organizations with many users or complex access requirements.
By using a wildcard user in SoftEther VPN, you eliminate the need to create individual local accounts. Instead, any user whose credentials exist only on your external RADIUS server can log in seamlessly without a matching record in SoftEther’s own database.
Prerequisites
Before you begin, make sure you have:
- A SoftEther VPN Server installed and running (on Linux or Windows).
- An external RADIUS server set up (such as FreeRADIUS on Linux or a Windows-based NPS).
- Administrative access to both the SoftEther VPN Server and the RADIUS server.
- Basic command-line skills to work with `vpncmd` (for SoftEther) and the RADIUS server’s configuration tools.
Tip: If you’re new to RADIUS, start with a simple FreeRADIUS installation on a test server before integrating it into your SoftEther VPN environment.
Step 1: Configuring the External RADIUS Server
For this guide, we’ll assume you’re using FreeRADIUS on a Linux system.
- Install FreeRADIUS (if needed):
sudo apt update && sudo apt install freeradius freeradius-mysql -y
This command installs FreeRADIUS together with its MySQL module (freeradius-mysql); the module is only needed if you want to store user data in a MySQL database.
- Configure the RADIUS Client: Edit the configuration file (typically `/etc/freeradius/3.0/clients.conf`) to add your SoftEther VPN Server as a client. For example:
client softether {
    ipaddr = 192.168.88.1
    secret = MyRADIUSSecret!
    require_message_authenticator = no
    nas_type = other
}
- ipaddr: Replace with your SoftEther VPN Server’s IP address.
- secret: Choose a strong shared secret (e.g., `MyRADIUSSecret!`)—this must match what you configure in SoftEther.
- Restart FreeRADIUS:
sudo systemctl restart freeradius
Tip: Test the RADIUS server using a tool like `radtest` to ensure it accepts your test credentials.
Step 2: Configuring SoftEther VPN Server to Use RADIUS
- Launch vpncmd: Open your terminal and run:
sudo /usr/local/softether/vpncmd
When prompted, select 1 for VPN Server mode and connect locally.
- Access Your Virtual Hub: If you already have a Virtual Hub (e.g., `MyVPNHub`), enter:
Hub MyVPNHub
- Enable RADIUS Authentication: At the vpncmd prompt within your Virtual Hub, type:
RadiusEnable
You will then be prompted to provide:
- RADIUS Server IP: e.g., `192.168.1.100`
- Port: Default is `1812`
- Shared Secret: Use the same secret you set in the RADIUS server (e.g., `MyRADIUSSecret!`)
Accept the default retry times and timeouts unless you need custom values.
- (Optional) Enable RADIUS Accounting: To have usage data forwarded to your RADIUS server, type:
RadiusAccountingEnable
Then enter the RADIUS Accounting server IP (typically the same as your authentication server), the default port (usually `1813`), and the shared secret.
Step 3: Creating a Wildcard User for RADIUS-Only Authentication
One of the best features in SoftEther VPN is the ability to use a wildcard user to delegate authentication entirely to your external RADIUS server. This means you don’t need to create individual user accounts in SoftEther for every VPN user.
- Create the Wildcard User: At the vpncmd prompt, type:
UserCreate * /AUTHENTICATION:radius
Important:
- Do not set a password for this user.
- The `/AUTHENTICATION:radius` parameter specifies that authentication for any user not present in the SoftEther database should be forwarded to the RADIUS server.
Step 4: Testing the RADIUS Integration
- Configure a VPN Client: On your client device (whether Windows, macOS, or Linux), set up a VPN connection using SoftEther VPN Client or an OpenVPN client (if you’ve generated an OpenVPN configuration file). Enter:
- Server Address: Your SoftEther VPN Server’s public IP or DDNS hostname.
- User Name: Use a username that exists on your RADIUS server (it does not need to exist in SoftEther, thanks to the wildcard user).
- Password: Enter the corresponding RADIUS password.
- Connect and Verify: Initiate the VPN connection and check for a successful login. In vpncmd, use:
UserList
to view active VPN sessions. Additionally, check your FreeRADIUS logs (usually located at `/var/log/freeradius/radius.log`) to ensure that authentication requests are being processed.
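To make that log check concrete, here is an added example (not part of the original post) that parses FreeRADIUS 3 `radius.log` lines: it tallies Login OK / Login incorrect per user, pulls out the "unknown client" error you get when the VPN server's IP is missing from clients.conf, and lists users with repeated failures. The sample lines are constructed in the shape of real radius.log entries, and the `fail_threshold` knob is my own.

```python
# Added example, not from the original post: summarise FreeRADIUS 3 radius.log lines so
# you can confirm that wildcard-forwarded SoftEther logins reach RADIUS, and spot the two
# usual problems (SoftEther's IP missing from clients.conf, repeated bad credentials).
import re
from collections import Counter, defaultdict

LINE = re.compile(r"^(?P<ts>.+?) : (?P<level>\w+): (?:\((?P<id>\d+)\) )?(?P<msg>.*)$")
LOGIN = re.compile(r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
                   r"\[(?P<user>[^\]/]+)[^\]]*\] \(from client (?P<client>\S+)")
UNKNOWN = re.compile(r"from unknown client (?P<ip>[0-9a-fA-F.:]+)")

def parse_line(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    level, msg = m["level"], m["msg"]
    if level == "Auth" and (lm := LOGIN.search(msg)):   # [user] or [user/badpw] forms
        return {"kind": "login", "ok": lm["result"] == "OK", "user": lm["user"],
                "client": lm["client"], "reason": lm["reason"] or ""}
    if level == "Error" and (um := UNKNOWN.search(msg)):
        return {"kind": "unknown_client", "ip": um["ip"]}
    return None

def summarize(lines, fail_threshold=3):
    ok, failed, unknown, reasons = Counter(), Counter(), Counter(), defaultdict(Counter)
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "unknown_client":
            unknown[rec["ip"]] += 1          # this IP needs a client {} block in clients.conf
        elif rec["ok"]:
            ok[rec["user"]] += 1
        else:
            failed[rec["user"]] += 1
            reasons[rec["user"]][rec["reason"]] += 1
    return {"ok": dict(ok), "failed": dict(failed), "unknown_clients": dict(unknown),
            "reasons": {u: dict(c) for u, c in reasons.items()},
            "suspicious": sorted(u for u, n in failed.items() if n >= fail_threshold)}

# Constructed sample lines in the shape of FreeRADIUS 3 radius.log (not real logs).
SAMPLE = """\
Mon Jan  6 09:12:01 2025 : Auth: (5) Login OK: [alice] (from client softether port 0 cli 203.0.113.7)
Mon Jan  6 09:12:44 2025 : Auth: (6) Login incorrect (pap: Password does not match): [bob/wrongpw] (from client softether port 0 cli 198.51.100.23)
Mon Jan  6 09:12:51 2025 : Auth: (7) Login incorrect (pap: Password does not match): [bob] (from client softether port 0 cli 198.51.100.23)
Mon Jan  6 09:13:02 2025 : Auth: (8) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [bob] (from client softether port 0 cli 198.51.100.23)
Mon Jan  6 09:15:30 2025 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 192.168.88.1 port 40123 proto udp
Mon Jan  6 09:16:10 2025 : Auth: (9) Login OK: [alice] (from client softether port 0 cli 203.0.113.7)
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feed it the real file with `summarize(open("/var/log/freeradius/radius.log"))`; an empty `ok` and `failed` together with a non-empty `unknown_clients` means requests are arriving but FreeRADIUS is dropping them before authentication.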
Final Thoughts
Integrating SoftEther VPN with an external RADIUS server streamlines user management and enhances security by centralizing authentication and accounting. By creating a wildcard user with the authentication type set to `radius` (using the command `UserCreate * /AUTHENTICATION:radius`), you allow users that exist only in your RADIUS database to log in without requiring a matching SoftEther account. This approach simplifies administration and makes your VPN environment more dynamic.
Follow these steps carefully, test your setup thoroughly, and adjust parameters as needed. If you have any questions or need further assistance, feel free to reach out. Enjoy the enhanced security and streamlined management that RADIUS integration brings to your SoftEther VPN setup!
Explained with clarity by
Corels – Admin, Emmanuel Corels Creatives