Hello there! I’m Corels from Emmanuel Corels Creatives. In today’s guide, we’ll explore how to secure and control access to your SoftEther VPN Server by configuring Virtual Hub Access Control. By setting up access control policies and restrictions, you can decide which users or devices are allowed to connect and what resources they can access, ensuring a safer and more manageable VPN environment.
What Are Virtual Hub Access Controls?
Virtual Hub Access Control in SoftEther VPN allows you to define security policies within your Virtual Hub. With access control lists (ACLs) and policy settings, you can:
- Restrict Connections: Limit VPN access to specific users or IP ranges.
- Enforce Authentication Policies: Ensure that only authorized users gain access.
- Control Resource Access: Define what internal network segments can be accessed via the VPN.
- Enhance Security: Reduce the risk of unauthorized access by tightly controlling who can connect.
This approach is especially useful for multi-user environments where different departments or user groups need varying levels of access.
Step 1: Accessing the SoftEther VPN Server Management Console
- Launch vpncmd:
sudo /usr/local/softether/vpncmd
- Select VPN Server Mode:
Choose option 1 when prompted.
- Connect to Your Virtual Hub:
If your Virtual Hub is named “MyVPNHub,” enter:
Hub MyVPNHub
- Set an Administrator Password:
If not already set, run:
ServerPasswordSet
Follow the prompts to secure your Virtual Hub.
Step 2: Configuring User Authentication and Access Policies
Access control starts with user authentication. You can manage which users have permission to access the Virtual Hub and assign them to groups for further policy enforcement.
- Create User Groups (Optional): To organize users by access level, create groups:
UserGroupCreate SalesGroup
UserGroupCreate ITGroup
This allows you to later assign policies specific to each group.
- Create Users and Assign Groups: For each user, create an account and specify their group:
UserCreate alice /GROUP:SalesGroup /REALNAME:"Alice Smith"
UserPasswordSet alice
And for a different user:
UserCreate bob /GROUP:ITGroup /REALNAME:"Bob Johnson"
UserPasswordSet bob
These commands ensure that users are identified and grouped accordingly.
- Wildcard User for RADIUS Integration: If you’re integrating with an external RADIUS server (as described in our previous guide), you can create a wildcard user to delegate authentication entirely to RADIUS:
UserCreate * /AUTHENTICATION:radius
Note: Do not set a password for this user. This configuration allows any login attempt for a username not present in SoftEther’s local database to be authenticated via your external RADIUS server.
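To keep the user and group provisioning from Step 2 reproducible and reviewable, the steps above can be captured in a batch file that vpncmd reads with its /IN: option instead of being typed one command at a time. The script below is an added example, not code from this guide or from the SoftEther project; it assumes the command syntax shown above (UserGroupCreate, UserCreate with /GROUP and /REALNAME, and the wildcard RADIUS user), uses a constructed sample roster, and deliberately leaves passwords out of the generated file so it can be stored in version control.

```python
"""Generate a vpncmd batch file for the user/group provisioning in Step 2.

Added example, not part of the original guide or of SoftEther. Assumes the
command syntax the guide shows and that the output is applied with
vpncmd's /IN: option. Passwords are intentionally not written to the file.
"""
import re

# Constructed sample roster: (username, group, real name).
# "*" is the RADIUS wildcard user and carries no group or real name.
ROSTER = [
    ("alice", "SalesGroup", "Alice Smith"),
    ("bob", "ITGroup", "Bob Johnson"),
    ("carol", "SalesGroup", "Carol Diaz"),
    ("*", None, None),
]

# Names that cannot break the one-command-per-line batch format:
# no whitespace and no "/", which introduces a vpncmd parameter.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def quote(value: str) -> str:
    """Wrap a parameter value in double quotes, rejecting values that
    would terminate the quoting or the line early."""
    if '"' in value or "\n" in value:
        raise ValueError(f"unsafe parameter value: {value!r}")
    return f'"{value}"'


def build_batch(roster) -> list:
    """Return vpncmd command lines: groups first (deduplicated, in
    first-seen order), then users, then the RADIUS wildcard user last."""
    lines = []
    seen_groups = []
    wildcard = False
    for name, group, _ in roster:
        if name != "*" and group and group not in seen_groups:
            seen_groups.append(group)
    for group in seen_groups:
        if not NAME_RE.match(group):
            raise ValueError(f"invalid group name: {group!r}")
        lines.append(f"UserGroupCreate {group}")
    for name, group, realname in roster:
        if name == "*":
            wildcard = True
            continue
        if not NAME_RE.match(name):
            raise ValueError(f"invalid username: {name!r}")
        cmd = f"UserCreate {name}"
        if group:
            cmd += f" /GROUP:{group}"
        if realname:
            cmd += f" /REALNAME:{quote(realname)}"
        lines.append(cmd)
    if wildcard:
        # Authentication for unknown usernames is delegated to RADIUS;
        # no local password is set for this entry.
        lines.append("UserCreate * /AUTHENTICATION:radius")
    return lines


def write_batch(path: str, roster=ROSTER) -> int:
    """Write the batch file and return the number of commands written."""
    lines = build_batch(roster)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    count = write_batch("provision.txt")
    print(f"wrote {count} commands to provision.txt")
    # Apply it against the hub (the admin password is prompted for):
    #   vpncmd localhost /SERVER /HUB:MyVPNHub /IN:provision.txt
    # then set each local password interactively, e.g. UserPasswordSet alice
```

Because the roster is the single source of truth, re-running the script after a change produces a diffable batch file, and the name validation stops a stray space or slash in a username from silently turning into an extra vpncmd parameter.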
Step 3: Defining Virtual Hub Access Policies
Now that you have users and groups, configure policies that control access within your Virtual Hub.
- Setting Session Timeouts: To limit how long users can stay connected, run:
UserPolicySet alice /SESSIONTIMEOUT:3600
This command sets Alice’s session timeout to 3600 seconds (1 hour). Repeat for other users or set a default policy for a group.
- Restricting Access by IP or MAC: You can define policies that restrict access to specific IP ranges or MAC addresses. For example, to allow only devices from a specific IP range:
AccessControlAdd /TYPE:IP /VALUE:192.168.10.0/24 /ACTION:allow
And to block a particular MAC address:
AccessControlAdd /TYPE:MAC /VALUE:00-11-22-33-44-55 /ACTION:deny
Note: These commands (or their GUI equivalents) vary slightly by version. Consult the SoftEther documentation for the exact syntax on your version.
- Enforcing Group-Specific Policies: You can apply settings for an entire group, ensuring that all users within that group adhere to the same limitations. For instance, setting an idle timeout for the SalesGroup:
UserGroupSet SalesGroup /IDLETIMEOUT:600
This sets a 10-minute idle timeout for all users in the SalesGroup.
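The IP and MAC rules in this step form an ordered list, and the order decides what happens when one device matches both an allow and a deny entry. The evaluator below is an added example, not code from this guide or from SoftEther's own implementation; it models the rules the guide adds with AccessControlAdd (/TYPE:IP with a CIDR or host, /TYPE:MAC with a MAC address, /ACTION allow or deny) as first-match-wins over constructed sample rules and connection attempts. Its default-deny result when nothing matches is the example's own assumption, not documented SoftEther behaviour.

```python
"""First-match allow/deny evaluation for IP and MAC rules as in Step 3.

Added example, not part of the original guide or of SoftEther. The rule
format mirrors the guide's AccessControlAdd parameters; the default-deny
fallback is this example's assumption.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str    # "IP" or "MAC"
    value: str   # normalized CIDR for IP, canonical MAC for MAC
    action: str  # "allow" or "deny"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case MAC without separators ('001122334455').
    Accepts 00-11-22-33-44-55, 00:11:22:33:44:55 and 001122334455."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return digits


def parse_rule(kind: str, value: str, action: str) -> Rule:
    """Build a Rule from the /TYPE, /VALUE and /ACTION style inputs."""
    kind, action = kind.upper(), action.lower()
    if kind not in ("IP", "MAC"):
        raise ValueError(f"unsupported rule type: {kind!r}")
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action: {action!r}")
    if kind == "IP":
        # strict=False accepts a host address with a prefix, e.g. 192.168.10.5/24,
        # and normalizes it to the network 192.168.10.0/24.
        value = str(ipaddress.ip_network(value, strict=False))
    else:
        value = normalize_mac(value)
    return Rule(kind, value, action)


# Constructed rule set: the deny rule is listed first so that a blocked
# device inside the allowed range is still refused.
RULES = [
    parse_rule("MAC", "00-11-22-33-44-55", "deny"),
    parse_rule("IP", "192.168.10.0/24", "allow"),
]


def evaluate(rules, src_ip: str, src_mac: str, default: str = "deny"):
    """Return (action, index_of_matching_rule); (default, None) if no rule
    matches. Rules are checked in order and the first match wins."""
    ip = ipaddress.ip_address(src_ip)
    mac = normalize_mac(src_mac)
    for index, rule in enumerate(rules):
        if rule.kind == "IP" and ip in ipaddress.ip_network(rule.value):
            return rule.action, index
        if rule.kind == "MAC" and rule.value == mac:
            return rule.action, index
    return default, None


if __name__ == "__main__":
    # Constructed connection attempts: (source IP, source MAC)
    attempts = [
        ("192.168.10.20", "aa:bb:cc:dd:ee:ff"),   # in range, clean MAC
        ("192.168.10.20", "00:11:22:33:44:55"),   # in range, blocked MAC
        ("10.0.0.7", "aa-bb-cc-dd-ee-ff"),        # outside range
    ]
    for ip, mac in attempts:
        action, idx = evaluate(RULES, ip, mac)
        print(f"{ip} {mac}: {action} (rule {idx})")
```

Swapping the two entries in RULES changes the second attempt from deny to allow, which is the ordering mistake worth checking for in Step 5 when a blocked device also sits inside an allowed range.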
Step 4: Configuring Logging and Monitoring for Access Control
Robust access control includes monitoring attempts to connect, both successful and failed. Logging helps you spot unauthorized attempts or configuration issues.
- Enable Detailed Logging: In vpncmd, you can configure logging for authentication events. For example:
LogLevelSet /LEVEL:4
This sets a higher verbosity level for VPN logs.
- Review Logs: Periodically, run:
LogPrint
to view recent authentication attempts and any access control events. Analyzing these logs helps you adjust your policies and identify potential security threats.
Step 5: Testing Your Access Control Configuration
- User Login Test: Have users (or test accounts) connect to the VPN and verify that their session parameters (timeouts, IP assignment) match your configuration.
- Wildcard User Test: Try logging in with a username that doesn’t exist in SoftEther’s database but is defined on your external RADIUS server. The connection should be authenticated via RADIUS without a local account.
- Policy Enforcement: Test restrictions by attempting to connect from a device outside your allowed IP range or with a blocked MAC address. Ensure the access control policies deny the connection as expected.
Final Thoughts
Effective user and group management, combined with well-defined access control policies, is key to securing your SoftEther VPN Server. By organizing users into groups, setting session and idle timeouts, and integrating wildcard user authentication for external RADIUS support, you can streamline administration and enhance security across your VPN environment.
Take time to experiment with these settings, monitor your logs, and adjust policies based on your organization’s needs. If you have any questions or need further assistance, feel free to reach out. Happy managing, and here’s to a secure, well-organized VPN environment!
Explained with clarity by
Corels – Admin, Emmanuel Corels Creatives