Hello there! I’m Corels from Emmanuel Corels Creatives. In this guide, we’ll explore how to integrate SoftEther VPN Server with Active Directory (AD) to centralize user authentication. By connecting SoftEther VPN to AD, you can manage user credentials, permissions, and policies from a single directory service. This simplifies administration and enhances security for large deployments or environments that already rely on Active Directory.
What Is Active Directory Integration?
Active Directory is a directory service developed by Microsoft that stores information about users, groups, and devices in an organization. When you integrate SoftEther VPN Server with AD, VPN user authentication is delegated to the domain: either VPN Server forwards the credentials to a RADIUS server that checks them against AD (Microsoft's Network Policy Server, NPS, is the usual choice), or, when VPN Server runs on a domain-joined Windows host, it validates them directly with the domain controller using NT domain authentication. Either way, users log in with their existing domain credentials, password policy and account lockout stay in AD, and you no longer maintain a separate user database in SoftEther.
Prerequisites
Before you begin, ensure that:
- Your SoftEther VPN Server is installed and running (on Linux or Windows).
- You have administrative access to your Active Directory domain controller.
- Unless VPN Server runs on a domain-joined Windows host, you have (or can install) the Network Policy Server (NPS) role on a domain controller or member server; it acts as the RADIUS front end to AD.
- Your VPN server can reach the NPS server (UDP port 1812 by default) or, for NT domain authentication, the domain controller, and any firewalls in between allow that traffic.
- You have administrative privileges on the SoftEther VPN Server (the server administrator password) and on the AD/NPS side.
- Basic command-line knowledge for using vpncmd is helpful.
Step 1: Prepare Your Active Directory Environment
- Create a group for VPN users:
In Active Directory Users and Computers, create a security group (for example, VPN Users) and add the accounts that should be allowed to connect. Restricting access by group membership is done here, in the directory, not in SoftEther.
- Register the VPN Server as a RADIUS client in NPS:
In the NPS console, under RADIUS Clients and Servers > RADIUS Clients, add the VPN Server's IP address together with a long, random shared secret, and note that secret down: you will enter the same value in vpncmd. The secret is the only thing that authenticates the VPN Server to NPS, so treat it like a password. If NPS is newly installed, also register it in Active Directory (Action > Register server in Active Directory) so it can read account properties.
- Create a network policy:
Under Policies > Network Policies, create a policy that grants access when the user is a member of the VPN Users group. Under Authentication Methods, enable "Unencrypted authentication (PAP, SPAP)": SoftEther sends RADIUS requests with PAP for its native and OpenVPN clients, so with PAP disabled every logon is rejected (enable MS-CHAP v2 as well if you will use L2TP/IPsec clients). Because PAP only obfuscates the password with the shared secret, keep the path between the VPN Server and NPS on a trusted management network or inside an IPsec tunnel rather than across the internet.
- Ensure DNS resolution:
Confirm that your SoftEther VPN Server can resolve the NPS host name (and the AD domain name, if the server is a domain member). If necessary, configure your VPN server's DNS settings to use your AD DNS servers.
Step 2: Configure SoftEther VPN Server for RADIUS Authentication
SoftEther VPN Server has no LDAP client: its user authentication methods are anonymous, password, individual certificate, signed certificate, RADIUS, and NT domain. On Linux, and on any Windows host that is not a domain member, the way to authenticate against Active Directory is therefore RADIUS, with NPS doing the AD lookup. The RADIUS server is configured per Virtual Hub. Follow these steps using the vpncmd utility:
- Launch vpncmd:
Open your terminal on the VPN Server and run:
sudo /usr/local/softether/vpncmd
(adjust the path to wherever vpnserver is installed; the official Linux install steps place it under /usr/local/vpnserver/). Select option 1 (Management of VPN Server or VPN Bridge), press Enter to connect to localhost, press Enter again at the Virtual Hub prompt to enter server administration mode, and enter the server administrator password.
- Access Your Virtual Hub:
If your Virtual Hub is named "MyVPNHub," enter:
Hub MyVPNHub
- Register the RADIUS server:
At the vpncmd prompt, type:
RadiusServerSet nps.yourdomain.com:1812 /SECRET:your-shared-secret /RETRY_INTERVAL:500
The parameters are:
- Server: the host name or IP address of your NPS server, followed by the RADIUS authentication port (1812 is the standard port and the NPS default).
- /SECRET: the shared secret you entered in the NPS RADIUS client entry in Step 1.
- /RETRY_INTERVAL: how long VPN Server waits before re-sending an unanswered request; 500 is the server's default.
If you omit a parameter, vpncmd prompts for it interactively.
- Verify the settings:
Check what the hub will use with:
RadiusServerGet
Nothing else is needed on the server side; which accounts are sent to RADIUS is decided by the users you define next. A VPN Server running on a domain-joined Windows host can skip this step entirely and use NT domain authentication, which needs no server-side setting: you select it per user with UserNTLMSet.
Step 3: Creating a Wildcard User for AD-Only Authentication
To let accounts that exist only in Active Directory connect without creating a matching SoftEther user for each of them, create the special wildcard user "*" and set its authentication method to RADIUS:
- Create the Wildcard User:
At the vpncmd prompt, type:
UserCreate * /GROUP:none /REALNAME:none /NOTE:none
(the three none values leave the optional fields empty instead of prompting for them). Important: do not run UserPasswordSet on this user; that would switch it to local password authentication.
- Set its authentication method:
UserRadiusSet *
On a domain-joined Windows VPN Server you can choose NT domain authentication instead:
UserNTLMSet *
- Check the result:
UserGet *
The output should list RADIUS (or NT domain) as the user's authentication method.
With this configuration, any login attempt whose username does not match a user registered in the hub is authenticated against RADIUS, and so against Active Directory; NPS then enforces the group membership and policy you configured in Step 1. If you prefer SoftEther itself to accept only an explicit list of names, skip the wildcard user and instead create each account with UserCreate followed by UserRadiusSet for that account.
Step 4: Testing the AD Integration
- Configure a VPN Client:
On a client device, set up a connection to your SoftEther VPN Server using your preferred VPN protocol (e.g., OpenVPN, L2TP/IPsec, or SoftEther's native protocol). Use your AD credentials when prompted: the plain account name (for example, jdoe) and the corresponding domain password. Be careful with the jdoe@yourdomain.com form: SoftEther interprets the part after "@" in an L2TP/IPsec or OpenVPN username as the name of the Virtual Hub to connect to, so use it only when that is what you intend. With the native SoftEther client the hub is chosen explicitly and the username is passed to RADIUS unchanged.
- Connect to the VPN:
Initiate the VPN connection. VPN Server forwards the credentials to NPS, NPS validates them against Active Directory and evaluates the network policy, and if both succeed the session is established.
- Verify Connection:
In vpncmd, with the hub selected, list the active sessions with:
SessionList
(UserList shows the users registered in the hub, not who is connected.) On the NPS server, the Security event log records each decision: event 6272 for access granted and 6273 for access denied, the latter with a reason field that tells you why (a policy that did not match, an authentication method that is not enabled, a wrong password). The domain controller's Security log additionally shows the account logon itself.
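To make Steps 2 to 4 repeatable, here is an added example of my own (it is not from the original post or from the SoftEther project) that wraps the vpncmd commands above in a small POSIX shell script: it generates the command batch for a hub, applies it through vpncmd's /IN batch mode, and runs the verification commands. It assumes vpncmd is at /usr/local/vpnserver/vpncmd (override with the VPNCMD variable), that the Virtual Hub already exists, that NPS already lists this server as a RADIUS client, and that the server administrator password is supplied in VPN_ADMIN_PASSWORD; the hub name MyVPNHub and the host nps.yourdomain.com are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the SoftEther project).
# Configures one SoftEther Virtual Hub for AD-backed RADIUS authentication
# through vpncmd batch mode, then verifies it. Assumptions: vpncmd lives at
# $VPNCMD, the hub already exists, NPS already lists this server as a RADIUS
# client, and VPN_ADMIN_PASSWORD holds the server administrator password.

VPNCMD="${VPNCMD:-/usr/local/vpnserver/vpncmd}"

# Print the vpncmd batch that binds hub $1 to RADIUS server $2 (host:port)
# with shared secret $3. The "none" values keep UserCreate from prompting;
# 500 is the retry interval the server uses by default. Use a secret without
# spaces, since vpncmd splits parameters on whitespace.
radius_batch() {
  printf 'Hub %s\n' "$1"
  printf 'RadiusServerSet %s /SECRET:%s /RETRY_INTERVAL:500\n' "$2" "$3"
  # Wildcard user: any name not registered in the hub is sent to RADIUS.
  printf 'UserCreate * /GROUP:none /REALNAME:none /NOTE:none\n'
  printf 'UserRadiusSet *\n'
}

# Print the batch that shows the effective RADIUS setting, the wildcard
# user's authentication method, and the live sessions for hub $1.
verify_batch() {
  printf 'Hub %s\n' "$1"
  printf 'RadiusServerGet\n'
  printf 'UserGet *\n'
  printf 'SessionList\n'
}

# Feed a batch (read from stdin) to the local server in administration mode.
# mktemp creates the file mode 0600, which matters because the apply batch
# carries the shared secret; the file is removed afterwards.
run_batch() {
  tmp=$(mktemp) || return 1
  cat > "$tmp"
  "$VPNCMD" localhost /SERVER \
    /PASSWORD:"${VPN_ADMIN_PASSWORD:?set VPN_ADMIN_PASSWORD}" /IN:"$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage:
#   sh ad-radius.sh apply  MyVPNHub nps.yourdomain.com:1812 long-random-secret
#   sh ad-radius.sh verify MyVPNHub
case "${1:-}" in
  apply)
    [ "$#" -eq 4 ] || { echo "usage: $0 apply <hub> <host:port> <secret>" >&2; exit 2; }
    radius_batch "$2" "$3" "$4" | run_batch ;;
  verify)
    [ "$#" -eq 2 ] || { echo "usage: $0 verify <hub>" >&2; exit 2; }
    verify_batch "$2" | run_batch ;;
esac
```

Run the apply form once per hub, then the verify form after a test logon; the SessionList output at the end of the verify batch is where a connected AD user should appear.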
Final Thoughts
Integrating SoftEther VPN with Active Directory through RADIUS (or through NT domain authentication on a domain-joined Windows server) centralizes user management and streamlines authentication. By pointing the Virtual Hub at an AD-backed RADIUS server with RadiusServerSet and creating a wildcard user whose authentication method is set with UserRadiusSet, you enable seamless authentication for users defined in AD without the need for redundant SoftEther accounts, while group membership and access policy stay in the directory where they belong.
Take your time to verify each configuration step and test thoroughly. With this integration, managing VPN access becomes simpler and more secure, leveraging your existing AD infrastructure. If you have any questions or need further assistance, feel free to reach out.
Enjoy the convenience and enhanced security of centralized authentication!
Explained with clarity by
Corels – Admin, Emmanuel Corels Creatives