vpncmd Issues

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
3ronco
Posts: 5
Joined: Sun Oct 07, 2018 10:21 am

vpncmd Issues

Post by 3ronco » Sun Oct 07, 2018 11:03 am

First of all, thank you for providing such powerful software as OSS to the community. Currently I'm working on a softether docker container where several 'install tasks' should be done automatically, especially providing certs for the instance. I've encountered some problems trying to configure a softether server via console:
  1. Code:

    vpncmd localhost /SERVER /HUB:VAone /CMD CAAdd path/to/mycertfile
    fails when a filename is provided although the help implicitly states that a filename is expected. However calling the same command without a filename and entering one doesn't work either with the same error msg.
    Calling it again without a filename and pressing enter once gives a prompt text for the file, after entering an adequate path to a file it works!
    I don't think this is intended.
  2. Softether doesn't honor the default CA store of a host, e.g. CA certs installed in /etc/ssl/certs on Debian-based systems. Is that intended?
    In that case any installed softether instance expects certs installed in /usr/local/libexec/softether/chain_certs (assuming here the path of make install)?
    ...or to be embedded in the vpn_server.config file by using the Manager or vpncmd to add a CA with CAAdd?
    If both are in use which one is checked first?
    For what scenario exactly do I need to place chained CA certs in /usr/local/libexec/softether/chain_certs?
  3. Code:

    vpncmd localhost /SERVER /CMD ServerCertSet /LOADCERT:/path/to/myCert /LOADKEY:/path/to/myKey
    import of PKCS12 certs (which requires a password) doesn't work although the GUI client is doing it the correct way by prompting for a password so the procedure of decoding it must be somewhere buried in there. For a docker build it would be convenient if certs are rather kept encrypted instead of decrypting them to a file beforehand.
  4. Is it possible to get into the server by using vpncmd without providing a password, e.g. connecting via localhost?
    Trying to give the /PASSWORD arg fails when chars (e.g. an exclamation mark) are contained which are interpreted by bash before vpncmd is executed. A hint in "--help" would be nice. Providing a password somewhere in a script isn't a good idea anyway, but the docker build process doesn't allow any interaction like inputting a password. Would be nice if the password could be supplied by an env variable.
Thanks & kind regards from Hanover

3ronco
Posts: 5
Joined: Sun Oct 07, 2018 10:21 am

Re: vpncmd Issues

Post by 3ronco » Mon Oct 08, 2018 6:55 am

Forget about 2; it was my fault. In Debian, new certs added to the store can exist but not be utilized anyway; they need to be activated, and mine was not.

3ronco
Posts: 5
Joined: Sun Oct 07, 2018 10:21 am

Re: vpncmd Issues

Post by 3ronco » Fri Oct 12, 2018 5:46 am

Well it seems this was a waste of time.

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: vpncmd Issues

Post by cedar » Thu Oct 25, 2018 8:27 am

What error code did you see?
What OS are you using?

3ronco
Posts: 5
Joined: Sun Oct 07, 2018 10:21 am

Re: vpncmd Issues

Post by 3ronco » Sun Nov 18, 2018 10:02 pm

Ok, I'm on Debian using Buster, here's how I solved most of the problems:

I have a docker multistage build with softether building from a recent source. Most of that stuff isn't interesting, but here's the essential part:

Code:

	... other stuff happening here ...
	# install and activate CA (currently only for debian-style systems)
RUN set +x; \
	rpm -ivh --nodeps /usr/src/SoftEtherVPN/*.rpm; \
	if [ -n "$SELFSIGNED_CA" ]; then \
		p="/usr/local/share/ca-certificates"; \
		ay=($SELFSIGNED_CA); \
		if [ ! -f "$p/${ay[0]}" ]; then \
			mkdir -p $p; \
			echo ${ay[1]} | base64 -d 2>/dev/null >$p/${ay[0]}; \
			update-ca-certificates; \
		fi; \
		vpnserver start; (( $? != 0 )) && exit 10; \
		p="/usr/local/libexec/softether/vpnserver/chain_certs"; \
		mkdir -p $p; \
		ay=($SELFSIGNED_CA); \
		echo ${ay[1]} | base64 -d 2>/dev/null >$p/${ay[0]}; \
		printf "$p/${ay[0]}\n" | vpncmd localhost /SERVER /HUB:myHub /CMD CAAdd; \
		ay=($SELFSIGNED_HOST_CERT); \
		echo ${ay[1]} | base64 -d 2>/dev/null >$p/${ay[0]}; \
		echo ${ay[3]} | base64 -d 2>/dev/null >$p/${ay[2]}; \
		vpncmd localhost /SERVER /CMD ServerCertSet /LOADCERT:$p/${ay[0]} /LOADKEY:$p/${ay[2]}; \
		chmod -R 600 $p; \
		vpncmd localhost /SERVER /CMD BridgeCreate myHub /DEVICE:$LOCAL_BRIDGE_DEV /TAP:no; \
		sz=$(echo "$PASS" | base64 -d); \
		printf "%s\n%s\n" "$sz" "$sz" | vpncmd localhost /SERVER /HUB:myHub /CMD ServerPasswordSet; \
		vpnserver stop; \
	fi
The docker container is provided with the most essential stuff for getting softether up and running that is:
~ A standalone CA
~ A server cert for the DNS name softether is running on.
~ The bridge device used.
~ ... and a password for controlling the server

Although it's debian it seems somehow strange to use rpm but make -C tmp package produces only RPMs:

Code:

rpm -ivh --nodeps /usr/src/SoftEtherVPN/*.rpm; \
So when building on a Debian machine I assume the dependencies won't be a problem at all. For security reasons I can't deliver certs, keys and pass in clear text, but since we're in the build stage of docker going through localhost it's ok. The only thing I want to avoid is being able to read clear text from the console when running docker build ...; I know base64 is not secure, but for this task it is sufficient. I just need a way to pass the args from the Makefile to the docker build without a human being able to read them right from the screen.

1) set CA certificate

Code:

printf "$p/${ay[0]}\n" | vpncmd localhost /SERVER /HUB:myHub /CMD CAAdd; \
Using vpncmd is not consistent: some args allow you to use the ARG:value syntax (like /LOADCERT:your_path) but not when using the CAAdd command, so I had to pipe it through. Is there a reason for doing that?

2) set server FQDN certs

Code:

vpncmd localhost /SERVER /CMD ServerCertSet /LOADCERT:$p/${ay[0]} /LOADKEY:$p/${ay[2]}; \
That's the example where I can use ARG:value syntax. Works!
The only reason I can think of is that once you are using /CMD argument passing, e.g. CAAdd, and the other is that /LOADCERT is an argument on its own. How about using some kind of /FROM_FILE arg then?

Code:

vpncmd localhost /SERVER /HUB:myHub /CMD CAAdd /FROM_FILE:/blah/meeh/mooh/myCA.crt
3) set bridge device

Code:

vpncmd localhost /SERVER /CMD BridgeCreate myHub /DEVICE:$LOCAL_BRIDGE_DEV /TAP:no; \
The interface arg is passed from my Makefile and should be set when docker build is run. Works fine!

4) Setting the server password

Code:

sz=$(echo "$PASS" | base64 -d); \
printf "%s\n%s\n" "$sz" "$sz" | vpncmd localhost /SERVER /HUB:myHub /CMD ServerPasswordSet; \
Now here's the problem: I need to pipe the pass, twice to confirm, because an option to pass it as an arg is missing. I get the following result:

Code:

vpncmd command - SoftEther VPN Command Line Management Utility Developer Edition
SoftEther VPN Command Line Management Utility (vpncmd command)
Developer Edition
Version 5.01 Build 9663   (English)
Compiled 2018/11/18 20:51:42 by blah at myHost
Copyright (c) SoftEther VPN Project. All Rights Reserved.

Connection has been established with VPN Server "localhost" (port 443).

You have administrator privileges for Virtual Hub 'myHub' on the VPN Server.

VPN Server/myHub>ServerPasswordSet
ServerPasswordSet command - Set VPN Server Administrator Password
Please enter the password. To cancel press the Ctrl+D key.

Password: ********
Confirm input: ********

Error occurred. (Error code: 52)
Not enough privileges.
As you can see from the asterisk chars, the pass is piped correctly, although passing args through stdin can be time-critical. I would prefer a way of passing args directly. First it says 'You have administrator privileges for Virtual Hub 'myHub' on the VPN Server.' and then:

Code:

Error occurred. (Error code: 52)
Not enough privileges.
What am I doing wrong?

Kind regards
3ronco

davidebeatrici
Posts: 33
Joined: Tue Aug 28, 2018 6:44 am

Re: vpncmd Issues

Post by davidebeatrici » Mon Nov 19, 2018 9:01 pm

Hi,

Thank you very much for the detailed steps!

Code:

You have administrator privileges for Virtual Hub 'myHub' on the VPN Server.
It means that you have administrator privileges for the virtual hub you're managing, but ServerPasswordSet requires you to have administrator privileges for the server.

You should log in as server administrator, without specifying the hub.

Kind regards.
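
Added example, not part of the original posts: a shell function that applies the answer above by running ServerPasswordSet in server admin mode (no /HUB) and feeding the password twice on stdin, quoted so that spaces and characters such as ! survive unchanged. Reading the password from a file and the VPNCMD override variable are assumptions made for this example; the vpncmd arguments are the ones shown in the thread.

```shell
#!/bin/sh
# Added example. VPNCMD and the secret-file argument are assumptions of this
# sketch; "localhost /SERVER /CMD ServerPasswordSet" comes from the thread.
VPNCMD="${VPNCMD:-vpncmd}"

# set_server_password FILE
# Reads the administrator password from FILE and answers both prompts of
# ServerPasswordSet ("Password:" and "Confirm input:") through stdin.
set_server_password() {
    secret_file="$1"
    [ -r "$secret_file" ] || { echo "cannot read $secret_file" >&2; return 2; }
    # Command substitution strips trailing newlines only; everything else in
    # the file is kept byte for byte.
    pw=$(cat "$secret_file")
    [ -n "$pw" ] || { echo "empty password" >&2; return 3; }
    nl='
'
    # Each prompt consumes one line, so a multi-line value would desynchronise.
    case "$pw" in *"$nl"*) echo "password spans several lines" >&2; return 4 ;; esac
    # Quoted "$pw": no word splitting or globbing. The value is never part of
    # the script text, so the shell does not interpret '!' or '$' in it.
    # No /HUB argument: the session is server admin mode, which the command needs.
    printf '%s\n%s\n' "$pw" "$pw" | "$VPNCMD" localhost /SERVER /CMD ServerPasswordSet
}
```

In a Docker build the file can come from a BuildKit secret mount (`RUN --mount=type=secret,...`), which keeps the value out of build arguments and image history.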

3ronco
Posts: 5
Joined: Sun Oct 07, 2018 10:21 am

Re: vpncmd Issues

Post by 3ronco » Tue Nov 20, 2018 7:52 pm

Nice, thank you. At the moment when I read your sentence it fell on my head. Of course, I wanna set a server password, not one for a hub.

Code:

[...]
VPN Server>ServerPasswordSet
ServerPasswordSet command - Set VPN Server Administrator Password
Please enter the password. To cancel press the Ctrl+D key.

Password: ********
Confirm input: ********


The command completed successfully.

davidebeatrici
Posts: 33
Joined: Tue Aug 28, 2018 6:44 am

Re: vpncmd Issues

Post by davidebeatrici » Tue Nov 20, 2018 9:19 pm

You're welcome.
