Hello there! I’m Corels from Emmanuel Corels Creatives. In today’s guide, we’re focusing on bolstering the security of your SoftEther VPN Server. We’ll cover advanced certificate management and firewall policy configuration to ensure that your VPN environment is locked down and protected against unauthorized access. By the end of this tutorial, you’ll understand how to secure your VPN server using robust encryption and fine-tuned access controls.
Securing Your SoftEther VPN Server with Certificates
Certificates are at the heart of VPN security: the server's certificate is what lets a client confirm it is talking to your server and not an impostor, and the TLS handshake built on it negotiates the session encryption. Here's how to manage certificates effectively in SoftEther VPN:
- Generating a Certificate:
- Launch vpncmd on your SoftEther VPN Server:
sudo /usr/local/softether/vpncmd
- Choose 1 (Management of VPN Server or VPN Bridge), accept localhost as the host, press Enter at the Virtual Hub prompt to manage the whole server, and enter the server administrator password.
- Create a new certificate and private key. vpncmd has no CertificateCreate command; the commands are MakeCert (1024-bit RSA) and MakeCert2048 (2048-bit RSA), and each produces a self-signed certificate and its private key in one step:
MakeCert2048 /CN:vpn.mydomain.com /O:none /OU:none /C:none /ST:none /L:none /SERIAL:none /EXPIRES:365 /SAVECERT:server.cer /SAVEKEY:server.key
- CN: use the DNS name clients connect to (e.g., vpn.mydomain.com). A client that verifies the server certificate compares this name with the hostname it dialled, so a mismatch fails the connection.
- Key size: 2048 bits is the current baseline, and MakeCert2048 cannot go higher. If you want a 4096-bit key, generate the pair with OpenSSL (openssl req -x509 -newkey rsa:4096) and load the resulting files with ServerCertSet in the next step. Note that a larger RSA key strengthens server authentication and the certificate signature, not the tunnel's encryption; the session cipher is negotiated per connection by TLS.
- Installing the Certificate:
- MakeCert produces a certificate that is already signed (self-signed), so there is no separate CertificateSign step. If you want a private CA to sign it instead, add /SIGNCERT:ca.cer /SIGNKEY:ca.key to the MakeCert2048 command, where ca.cer and ca.key are your CA's certificate and private key; clients then only need to trust the CA certificate. Either way, /EXPIRES is the validity period in days (e.g., 365 for one year). Put the expiry date in your calendar: clients that verify the certificate will refuse an expired one.
- Load the new certificate and key into the server so it replaces the default certificate generated at installation:
ServerCertSet /LOADCERT:server.cer /LOADKEY:server.key
- Exporting the Certificate for Clients:
- Clients only need the certificate (the public half) to verify the server; the private key never leaves the server. Export the certificate currently in use with:
ServerCertGet server.cer
- Distribute server.cer (or, if a CA signed it, the CA certificate) to clients as their trust anchor. ServerKeyGet server.key exports the private key and exists only for backups; store that file offline and never include it in a client bundle.
- For OpenVPN-mode clients, OpenVpnMakeConfig openvpn_config.zip generates sample .ovpn files that already embed the server certificate so the client can verify it.
Enhancing Security with Firewall Policies
Securing your VPN isn’t just about certificates—it’s also essential to control network traffic through proper firewall configuration.
- Identifying VPN Traffic:
- A default SoftEther install listens on TCP 443, 992, 1194 and 5555, and its OpenVPN-compatible mode listens on UDP 1194 (OpenVPN over TCP uses the same TCP listeners). Run ListenerList in vpncmd to see which listeners are actually enabled, and turn off the ones you do not use with ListenerDisable so the firewall only has to expose what you need.
- Creating Firewall Rules:
- Allow Necessary Traffic:
In your router's firewall (the examples use MikroTik RouterOS syntax; adapt them if your VPS uses iptables or nftables), create a rule that allows incoming VPN traffic ahead of anything that drops. For example, to allow TCP connections on port 1194:
/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN traffic"
If clients use OpenVPN over UDP, add the same rule with protocol=udp; a TCP-only rule leaves the default UDP 1194 listener unreachable once the drop rule below is in place.
- Block Unwanted Traffic:
To enhance security, end the input chain with a rule that drops any traffic not explicitly allowed. Rules are processed top-to-bottom and add appends to the bottom, so this rule must come last; any allow rule you add afterwards has to be inserted above it with place-before, or it will never match. Before this drop, also accept connection-state=established,related so reply traffic is not cut, and allow your own router-management traffic (SSH, WinBox), otherwise this rule locks you out of the router:
/ip firewall filter add chain=input action=drop comment="Drop all unsolicited traffic"
- Restricting Management Access:
- SoftEther has no dedicated management port: the vpncmd/GUI management protocol is served on the same listeners as VPN clients (443, 992, 1194 and 5555 by default), so a rule on port 5555 does not fence off management by itself; it controls who can reach that listener at all. If you reserve 5555 for administration, restrict it to trusted addresses and keep these two rules above the catch-all drop. For example, if your management workstation is on 192.168.1.50:
/ip firewall filter add chain=input protocol=tcp dst-port=5555 src-address=192.168.1.50 action=accept comment="Allow VPN management from trusted host"
- Follow this with a rule to drop management access from other sources:
/ip firewall filter add chain=input protocol=tcp dst-port=5555 action=drop comment="Block VPN management from untrusted sources"
- Pair this with SoftEther's own restriction: an adminip.txt file in the vpnserver directory listing the IP addresses allowed to open an administrative connection, which applies to every listener. The simplest option of all is to administer the server only locally with vpncmd over SSH and expose no management path through the firewall.
- Enabling Logging for Critical Rules:
- Add log=yes to the rules whose hits you want to monitor. The firewall log entry records the source address and port, so it is the fastest way to see who is reaching the server:
/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept log=yes log-prefix="VPN-Access: " comment="Allow and log VPN traffic"
- This rule replaces the plain accept rule for port 1194 above; keep only one of the two. Logging every accepted VPN connection is noisy on a busy server. The drop rules, particularly the one blocking management from untrusted sources, are the ones worth logging with a distinct prefix, since each hit is an attempt that should not have happened.
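Rule order is the part of this section that goes wrong most often, because add appends to the bottom of the chain. The following Python script, added here as an example and not taken from the page or from MikroTik, parses the rule lines above in the order the tutorial adds them, evaluates them first-match as RouterOS does (an unmatched packet is implicitly accepted), and reports rules that an earlier catch-all has shadowed. The packets and the 203.0.113.7 address are constructed for the demo, and the matcher only knows the fields the tutorial uses (chain, protocol, dst-port as a comma list or range, src-address):

```python
"""First-match simulation of RouterOS '/ip firewall filter' rules.

Added example, not from the original page or from MikroTik. It parses the
tutorial's rule lines, evaluates them top-to-bottom as RouterOS does, and
flags rules that an earlier catch-all has made unreachable. The packets and
the 203.0.113.7 address are constructed for the demo.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MATCH_FIELDS = ("chain", "protocol", "dst-port", "src-address")  # fields the tutorial's rules use


@dataclass(frozen=True)
class Packet:
    chain: str
    protocol: str
    dst_port: int
    src_address: str


def parse_rule(line: str) -> Dict[str, str]:
    """Turn '/ip firewall filter add k=v ...' into a dict; shlex keeps comment="..." whole."""
    tokens = shlex.split(line)
    if "add" not in tokens:
        raise ValueError(f"not an 'add' command: {line!r}")
    # partition('=') gives (key, '=', value); [::2] keeps just key and value
    rule = dict(tok.partition("=")[::2] for tok in tokens[tokens.index("add") + 1:])
    if "chain" not in rule or "action" not in rule:
        raise ValueError(f"rule needs chain= and action=: {line!r}")
    return rule


def port_matches(spec: str, port: int) -> bool:
    """dst-port takes a comma list of ports or ranges, e.g. '443,5555' or '1194-1195'."""
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def matches(rule: Dict[str, str], pkt: Packet) -> bool:
    """A rule matches only if every match field it specifies agrees with the packet."""
    return (
        rule["chain"] == pkt.chain
        and rule.get("protocol", pkt.protocol) == pkt.protocol
        and ("dst-port" not in rule or port_matches(rule["dst-port"], pkt.dst_port))
        and rule.get("src-address", pkt.src_address) == pkt.src_address
    )


def evaluate(rules: List[Dict[str, str]], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule decides; with no match RouterOS implicitly accepts."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], idx
    return "accept", None


def shadowed(rules: List[Dict[str, str]]) -> List[int]:
    """Indices of rules that can never fire: an earlier rule sets a subset of
    their match fields to the same literal values (exact comparison, no range
    algebra), so it always wins first."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if all(later.get(f) == earlier[f] for f in MATCH_FIELDS if f in earlier):
                out.append(j)
                break
    return out


# The tutorial's rules, in the order 'add' appends them.
PAGE_RULES = [
    '/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN traffic"',
    '/ip firewall filter add chain=input action=drop comment="Drop all unsolicited traffic"',
    '/ip firewall filter add chain=input protocol=tcp dst-port=5555 src-address=192.168.1.50 action=accept comment="Allow VPN management from trusted host"',
    '/ip firewall filter add chain=input protocol=tcp dst-port=5555 action=drop comment="Block VPN management from untrusted sources"',
]
# Same rules with the management pair moved above the catch-all drop, which
# is what adding them first (or using place-before=) achieves on the router.
FIXED_RULES = [PAGE_RULES[0], PAGE_RULES[2], PAGE_RULES[3], PAGE_RULES[1]]

ADMIN = Packet("input", "tcp", 5555, "192.168.1.50")      # the tutorial's workstation
STRANGER = Packet("input", "tcp", 5555, "203.0.113.7")     # constructed outsider
VPN_CLIENT = Packet("input", "tcp", 1194, "203.0.113.7")   # constructed VPN client


def demo() -> dict:
    page = [parse_rule(r) for r in PAGE_RULES]
    fixed = [parse_rule(r) for r in FIXED_RULES]
    return {
        "page_admin": evaluate(page, ADMIN),          # admin is dropped by the catch-all
        "page_shadowed": shadowed(page),              # both management rules are dead
        "fixed_admin": evaluate(fixed, ADMIN),
        "fixed_stranger": evaluate(fixed, STRANGER),
        "fixed_vpn": evaluate(fixed, VPN_CLIENT),
        "fixed_shadowed": shadowed(fixed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the tutorial's order the catch-all at index 1 swallows the admin's packet and both management rules are reported as shadowed; after the reorder the admin is accepted by rule 1, the outsider is dropped by rule 2, and nothing is shadowed. The script does not model connection-state, so remember that the real chain also needs an established,related accept above the final drop.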
Testing Your Security Setup
- Certificate Verification:
- vpncmd has no CertificateList command. Export the certificate the server is using with ServerCertGet server.cer and inspect it with openssl x509 -in server.cer -noout -subject -dates, or check what clients actually receive from outside with openssl s_client -connect vpn.mydomain.com:443 -servername vpn.mydomain.com. Confirm the subject CN and the notAfter date are the ones you set.
- Firewall Rule Check:
- Use /ip firewall filter print to ensure your rules are in the correct order: the established/related accept and the management rules above, the catch-all drop last.
- Client Connection Test:
- Configure a SoftEther VPN client using the exported certificate and connect to your server. Make sure certificate verification is actually turned on (the SoftEther client's "Always verify server certificate" option, or the embedded certificate in the OpenVPN profile); without it a client will connect to any server presenting any certificate. Then verify that the connected client can only reach allowed resources.
- Review Logs:
- Check the firewall logs with /log print where topics~"firewall" to see which sources hit the logged rules. Repeated attempts from one address, or any hit on the management drop rule, point to scanning or to a rule order that is not what you intended.
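To make the log review concrete, here is a Python triage script added as an example (not part of the original page): it parses lines in the shape RouterOS prints for filter rules with log=yes, flags any source other than the trusted workstation touching port 5555, and flags sources that hit the logged rules in bursts. The sample log, the VPN-Mgmt and VPN-Mgmt-Drop prefixes, the 5-hits-in-60-seconds threshold and the year 2024 (RouterOS log lines carry no year) are all constructed assumptions:

```python
"""Triage RouterOS firewall log lines for a SoftEther VPN server.

Added example, not from the original page. The sample below is constructed
in the shape '/log print' shows for filter rules with log=yes; the addresses,
the log prefixes, the thresholds and the year are assumptions for the demo.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Only lines from rules that carry a log-prefix are parsed (what the firewall
# section recommends); prefix, chain, protocol and the socket pair are captured.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2} \d{2}:\d{2}:\d{2}) firewall,\w+ (?P<prefix>[^:]+):\s+"
    r"(?P<chain>\w+): .*?proto (?P<proto>\w+)[^,]*, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)
LOG_YEAR = 2024                                        # assumed: RouterOS omits the year
TRUSTED_ADMINS = {"192.168.1.50"}                      # the tutorial's workstation
MGMT_PORTS = {5555}                                    # listener reserved for administration
BURST_HITS, BURST_WINDOW = 5, timedelta(seconds=60)    # assumed thresholds

# Constructed sample: one admin login, one VPN client, one outsider probing
# 5555, an unrelated system line, and one source hammering port 1194.
SAMPLE_LOG = """\
jan/02 10:15:32 firewall,info VPN-Mgmt: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 192.168.1.50:51234->198.51.100.10:5555, len 60
jan/02 10:16:05 firewall,info VPN-Access: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto UDP, 198.51.100.23:41000->198.51.100.10:1194, len 54
jan/02 10:17:01 firewall,info VPN-Mgmt-Drop: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 203.0.113.7:60000->198.51.100.10:5555, len 60
jan/02 10:17:03 system,info,account user admin logged in from 192.168.1.50 via ssh
jan/02 10:20:10 firewall,info VPN-Access: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 203.0.113.9:50001->198.51.100.10:1194, len 60
jan/02 10:20:14 firewall,info VPN-Access: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 203.0.113.9:50002->198.51.100.10:1194, len 60
jan/02 10:20:18 firewall,info VPN-Access: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 203.0.113.9:50003->198.51.100.10:1194, len 60
jan/02 10:20:22 firewall,info VPN-Access: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 203.0.113.9:50004->198.51.100.10:1194, len 60
jan/02 10:20:26 firewall,info VPN-Access: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 203.0.113.9:50005->198.51.100.10:1194, len 60
jan/02 10:20:30 firewall,info VPN-Access: input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 203.0.113.9:50006->198.51.100.10:1194, len 60
"""


def parse_line(line: str) -> Optional[dict]:
    """One firewall log line to a record; None for lines the regex does not cover."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{LOG_YEAR} {rec['ts']}", "%Y %b/%d %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def parse_log(text: str) -> List[dict]:
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def untrusted_management(records: List[dict], mgmt_ports: Set[int], trusted: Set[str]) -> List[str]:
    """Sources that touched a management port without being a trusted admin,
    whether the rule accepted or dropped them."""
    return sorted({r["src"] for r in records if r["dport"] in mgmt_ports and r["src"] not in trusted})


def bursty_sources(records: List[dict], burst: int, window: timedelta) -> Dict[str, int]:
    """Sources with at least `burst` logged hits inside any `window`-long interval
    (sliding window over each source's sorted timestamps); value is the peak count."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= burst:
            flagged[src] = peak
    return flagged


def triage(text: str) -> dict:
    records = parse_log(text)
    return {
        "parsed": len(records),
        "per_source": Counter(r["src"] for r in records),
        "untrusted_mgmt": untrusted_management(records, MGMT_PORTS, TRUSTED_ADMINS),
        "bursty": bursty_sources(records, BURST_HITS, BURST_WINDOW),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, 203.0.113.7 is reported for touching port 5555 even though the drop rule already stopped it (the point of logging that rule), and 203.0.113.9 is reported for six hits on port 1194 inside twenty seconds, while the admin and the single legitimate client are not. Feed it the output of /log print where topics~"firewall" from your router and adjust the trusted set and thresholds to your environment.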
Final Thoughts
By effectively managing certificates and configuring precise firewall policies, you can significantly enhance the security of your SoftEther VPN Server. This dual approach not only ensures encrypted and authenticated connections but also tightly controls access to your VPN service. With these practices in place, your VPN environment becomes much more resilient against unauthorized access and potential threats.
Take your time to test and refine these settings in your environment. If you have any questions or need further assistance, don’t hesitate to reach out. Enjoy the robust security and flexibility that SoftEther VPN brings to your network!
Explained with clarity by
Corels – Admin, Emmanuel Corels Creatives