How to limit access of managment sessions?

[vavy]

Hello!
I've installed SoftEther VPN server. It works.
It's listening on port 443 for Softether VPN clients what going from internet.
How can I limit managment admin sessions access by Managment Console to my 443 port what's opened for incoming connections?
May be it is possible to configure allowed only ip-addresses ranges for admin connections?
Or may be it is possible to create special listener on different port for admin connections only and disable admin connections at other listening standard VPN ports?
Or may be it is possible to authenticate admin not only on passwords basis, but instead of that - on certificates and on usb token basis?
Thank you.
I think it is nearly compulsory to have some seperated way for "out-of-band" administration of SoftEther VPN Server.

[exciter0]

Refer to the manual: https://www.softether.org/4-docs/1-manu ... Source_IPs


vavy wrote:
> Hello!
> I've installed SoftEther VPN server. It works.
> It's listening on port 443 for Softether VPN clients what going from
> internet.
> How can I limit managment admin sessions access by Managment Console to my
> 443 port what's opened for incoming connections?
> May be it is possible to configure allowed only ip-addresses ranges for
> admin connections?
> Or may be it is possible to create special listener on different port for
> admin connections only and disable admin connections at other listening
> standard VPN ports?
> Or may be it is possible to authenticate admin not only on passwords basis,
> but instead of that - on certificates and on usb token basis?
> Thank you.
> I think it is nearly compulsory to have some seperated way for
> "out-of-band" administration of SoftEther VPN Server.

[vavy]

Thank you very much! It works.
And is it possible to set up permitted ip ranges for every single VPN client?

[kh_tsang]

Whitelisting IP can be done on the Virtual Hub but no idea for specific user.

[vavy]

Well, how to do it on HUB basis ?

[kh_tsang]

You can configure rules after entering that menu.

[vavy]

Thank you!

[dissoft]

Suggestions:

1. Enabling use of partial wildcards, e.g. 192.168.1.*

2. Enable the configuration of ports
A. Use for both VPN & management
B. Use only for VPN
C. Use only for management

Thanks.

[kh_tsang]

I forget one thing. The admin IP and virtual hub admin IP should be defined in adminip.txt.

[dissoft]

yes, but if use the same port for both vpn + admin interface, it expose the port to outside and you are forced to use a very strong passowrd or limit the ip address. but on an internal network sometimes the ip is asssign by dhcp, so this should be changed.

[kh_tsang]

dissoft wrote:
> yes, but if use the same port for both vpn + admin interface, it expose the
> port to outside and you are forced to use a very strong passowrd or limit
> the ip address. but on an internal network sometimes the ip is asssign by
> dhcp, so this should be changed.

A temporary workaround is to use DHCP reservation.

[dissoft]

thanks.

knowing there are workarounds. could you suggest to the softadmin team to implement a better function in future versions?

[kh_tsang]

We have to wait the administrator to see this topic.

[dissoft]

is there a bug tracker or something like that?

edit: okay done

https://github.com/SoftEtherVPN/SoftEtherVPN/issues/173

[dissoft]

Issue is being ignored by the developer... : (

[dissoft]

Is there any way to get into contact with the dev and voice this concern?

Opening the port to world doesn't sound like a very brilliant idea. People will bruteforce the admin password, no?

[dissoft]

......................

[fenice]

dissoft wrote:
> ......................

Now you've decided to post the same rubbish in the forums as in the issues section on github? The developer(s) will see your reports on github and make comments as and when necessaryn You've already had a reasonable answer from meganerd on github and you do nobody any favours by posting the same stuff in these forums, give it a rest and wait for an answer instead of filling the forums with useless posts.