2FA on SoftEther VPN
-
- Posts: 4
- Joined: Sun Nov 14, 2021 10:03 am
2FA on SoftEther VPN
I love the idea and the wide variety of possibilities of SoftEther. The main thing I am missing is MFA (or 2FA) in whatever way possible.
Can you tell me if there are any possibilities or if you have plans to implement this in the near future? It would make the product perfect.
I don't think in 2021 a VPN that gives access to critical resources without 2FA is no longer acceptable from a security point of view.
Thanks.
-
- Posts: 139
- Joined: Sat Feb 13, 2021 10:22 pm
Re: 2FA on SoftEther VPN
SE already supports SmartCard authentication.
If you rather like a softer solution: I have successfully set up SE with RADIUS and an mOTP server (don't mix up TOTP and mOTP).
Password generator on mobile phone, initialized with a secret. User knows a PIN.
I have not made a manual for installation, but documented the needed things:
viewtopic.php?f=7&t=66667
Works well. The only mildly annoying thing is that the SE client is not able to ask for the password first. Instead it immediately connects using the last known password, then before the next attempt you are able to type in the OTP.
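Added example, not part of the post above and not SoftEther code: a sketch of why mOTP and TOTP must not be mixed up, and of the check an mOTP backend behind RADIUS has to perform. It assumes the published Mobile-OTP construction (first six hex characters of MD5 over the 10-second counter, the secret and the PIN); the secret, PIN, timestamp and `skew_slots` tolerance are constructed values.

```python
import hashlib
import hmac
import struct

def motp(secret_hex: str, pin: str, now: float) -> str:
    """Mobile-OTP: first 6 hex chars of MD5(10-second counter + secret + PIN)."""
    counter = str(int(now) // 10)
    return hashlib.md5((counter + secret_hex + pin).encode()).hexdigest()[:6]

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): no PIN goes in, only the shared secret."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_motp(candidate: str, secret_hex: str, pin: str, now: float,
                used: set, skew_slots: int = 3) -> bool:
    """Recompute the code for nearby 10-second slots, compare in constant
    time, and refuse a code that was already accepted once.
    skew_slots is an assumed tolerance for phone clock drift."""
    slot = int(now) // 10
    for s in range(slot - skew_slots, slot + skew_slots + 1):
        expected = motp(secret_hex, pin, s * 10)
        if hmac.compare_digest(expected.encode(), candidate.lower().encode()):
            if (secret_hex, expected) in used:
                return False          # replay of an already accepted code
            used.add((secret_hex, expected))
            return True
    return False

if __name__ == "__main__":
    SECRET_HEX = "0123456789abcdef"   # constructed 16-hex-digit mOTP secret
    PIN = "4711"                      # constructed PIN, known only to the user
    NOW = 1_700_000_000               # fixed timestamp so the run is repeatable
    seen = set()
    code = motp(SECRET_HEX, PIN, NOW)
    print("mOTP code:", code)
    print("accepted:", verify_motp(code, SECRET_HEX, PIN, NOW + 12, seen))
    print("replayed:", verify_motp(code, SECRET_HEX, PIN, NOW + 14, seen))
    wrong = motp(SECRET_HEX, "0000", NOW)
    print("wrong PIN:", verify_motp(wrong, SECRET_HEX, PIN, NOW, seen))
    # A TOTP authenticator fed the same secret yields an unrelated decimal code.
    print("TOTP code:", totp(bytes.fromhex(SECRET_HEX), NOW))
```

Because the PIN is hashed into every mOTP code, the server must hold both the secret and the PIN, whereas a TOTP code proves possession of the secret only and needs a separate password check.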
-
- Posts: 4
- Joined: Sun Nov 14, 2021 10:03 am
Re: 2FA on SoftEther VPN
OK, I appreciate your answer. It seems quite some setup work. I was rather referring to an officially supported option. It's a mystery to me why SoftEther is not setting this higher on the list supporting it out of the box by using something like Google Authenticator.
Is anyone from SoftEther reading these messages?
-
- Posts: 286
- Joined: Wed Nov 25, 2020 9:10 am
Re: 2FA on SoftEther VPN
Could you please name any open source VPN that has native 2FA? To my knowledge OpenVPN and WireGuard do not. There are forks doing that though.
-
- Posts: 4
- Joined: Sun Nov 14, 2021 10:03 am
Re: 2FA on SoftEther VPN
I didn't say there are open-source VPNs that support this. I was just asking it.
OpenVPN seems to support OTP with Google Authenticator
https://openvpn.net/vpn-server-resource ... ntication/
I am just hoping that SE will support this option in the future because like I said earlier these days I don't consider a VPN without 2FA as an option. I think it is too dangerous. Having 2FA in their offering would make it an even more outstanding product than it already is.
-
- Posts: 1
- Joined: Mon May 18, 2020 10:15 pm
Re: 2FA on SoftEther VPN
This is a requirement for SoftEther now. We're currently uninsurable due to no MFA on VPN.
-
- Posts: 3
- Joined: Mon Mar 21, 2022 1:31 pm
Re: 2FA on SoftEther VPN
Hello
Same thing just happened here -- nothing built in so instead, I used Duo (https://duo.com/product/multi-factor-authentication-mfa).
How many users do you have? We have 40 so costs us 120 USD/Month but worth it vs the problems no insurance would bring! I don't work for Duo by the way lol, but I found it the easiest and best bang-per-buck too! Up to 10 users are free as well so there's that!
DEAD EASY to set up ...
Create an AD Group ("VPN Users") and add members that need MFA to it.
Set up Duo with an AD Sync and tell it to use that group
Once all users are on
Install something called the Duo Authentication Proxy and configure it. This then acts as a RADIUS server!
Simply go to your SoftEther control panel thing and set the users to RADIUS Auth.
Users need to install a small app on their phones but it's tiny and does nothing other than pop up asking "Is this you trying to connect to [service]" so I've not encountered anyone who doesn't have a company phone complaining about having to install it!
Anyway, good luck!!
-
- Posts: 4
- Joined: Sun Nov 14, 2021 10:03 am
Re: 2FA on SoftEther VPN
Cool, thank you so much. I will try this. So basically any RADIUS service that supports MFA will work with this, right?
But if I understand it correctly: all users can do is approve it? There is no option that you can force users to enter some kind of OTP (one time password) like for example Google Authenticator generates?
Is there something that supports a "real" OTP solution (like Google Authenticator) out-of-the-box?
Can someone from the dev-team comment on this maybe? Do you have any plans to support this in the future? It is such a great VPN solution. This is the one thing (I think) that still misses it to make it perfect.
Rgds,
-
- Posts: 9
- Joined: Sun Apr 09, 2023 2:06 am
Re: 2FA on SoftEther VPN
I know this is an ancient thread, but the solution I found to working with 2FA/MFA and OTP is with a RADIUS provider, miniOrange.
Once you have all the RADIUS, 2FA, and users configured in the portal and SEVPN server+client, the trick is to enable the "...include both a password and an MFA factor in the same login request..." option in the miniOrange RADIUS app config, then users enter their password as "MyPassword123456", where "123456" is the OTP from whatever MFA method you're using.
Bit of a hacky workaround, but it works!
Edit: correction, the password for the RADIUS user should be entered in the SEVPN client user setup, then enter just the MFA OTP in the password prompt when connecting.