se VPN Integration
Posted: Fri Jul 10, 2015 6:38 pm
I'd like to pose the topic of integrating SoftEther VPN services with others on the same IP and port.
For example, many here would be familiar with how Apache VHOST configurations use SNI to permit multiple HTTPS or HTTP domains to share the same physical IP address and port.
Consider a possible configuration:
* Apache Server runs a number of HTTPS (443) VHOST sections, all sharing the same public IP address
* Each VHOST serves a different domain, identified by a unique DNS name via SNI
* It is desired that SoftEtherVPN be offered as another of these
Objectives would be that no special compile of SoftEther VPN or Apache be required, and thus the integration be performed by a combination of more or less "standard" existing options. These desires could be set aside if some other means was a part of the SoftEther VPN planning.
One method that comes to mind is to configure an additional Apache VHOST as an SSL Reverse Proxy. The Apache server process is separate from the SoftEther VPN process and runs on a different physical host machine.
This integrates well, but requires some adaptation of the traditional SoftEther VPN configuration. Namely, that SoftEther VPN's SSL functions be offloaded to the Apache VHOST, perhaps even to the point where SoftEther VPN sees the tunnel as unencrypted. This would have the side benefit of potentially increased encryption strength (not presently offered by SoftEther VPN) and enable employment of hardware-assisted crypto solutions.
However, some ambiguities arise. For example, it's not entirely clear how the SSL Client Certificate issues would be handled in this instance. Ideally, SoftEther VPN would retain Client related duties.
I am curious if anyone on the development team (or elsewhere) foresaw this Integration issue in thought or fact, and came to any solutions or can offer comments.
Thank you.