2FA on SoftEther VPN

gert_62
Posts: 4
Joined: Sun Nov 14, 2021 10:03 am

2FA on SoftEther VPN

Post by gert_62 » Sun Nov 14, 2021 10:06 am

I love the idea and the wide variety of possibilities of SoftEther. The main thing I am missing is MFA (or 2FA) in whatever way possible.

Can you tell me if there are any possibilities or if you have plans to implement this in the near future? It would make the product perfect.

I don't think in 2021 a VPN that gives access to critical resources without 2FA is no longer acceptable from a security point of view.

Thanks.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: 2FA on SoftEther VPN

Post by nobody12 » Sun Nov 14, 2021 6:05 pm

SE already supports SmartCard authentication.
If you rather like a softer solution: I have successfully set up SE with RADIUS and an mOTP server (don't mix up TOTP and mOTP).
Password generator on mobile phone, and initialized with a secret. User knows a PIN.

I have not made a manual for installation, but documented the needed things:
viewtopic.php?f=7&t=66667

Works well. The only mildly annoying thing is that the SE client is not able to ask for the password first. Instead it immediately connects using the last known password, then before the next attempt you are able to type in the OTP.
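
The mOTP/TOTP distinction mentioned in the post above, as an added example that is not part of the original post or of any SoftEther or mOTP server code: it computes both kinds of code and shows a server-side mOTP check of the sort a RADIUS back end would run. The function names, the sample secret and PIN, and the 180-second acceptance window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def motp(secret_hex: str, pin: str, now: int) -> str:
    """Mobile-OTP: MD5 over (10-second epoch counter + secret + PIN), first 6 hex chars.

    MD5 is what the mOTP scheme itself specifies; the PIN is part of the hash
    input, so the one value typed into the VPN client already covers both factors.
    """
    material = f"{now // 10}{secret_hex}{pin}".encode("ascii")
    return hashlib.md5(material).hexdigest()[:6]


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). No PIN is mixed in, so a password is still needed."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_motp(candidate, secret_hex, pin, now, last_counter=-1, skew=180):
    """Return the matching 10-second counter, or None if the code is rejected.

    Codes are accepted within +/- skew seconds of server time (assumed window).
    Counters at or below last_counter are refused so a captured code cannot be
    replayed; the caller stores the returned counter per user.
    """
    candidate = candidate.strip().lower().encode()
    for counter in range((now - skew) // 10, (now + skew) // 10 + 1):
        if counter <= last_counter:
            continue
        expected = motp(secret_hex, pin, counter * 10).encode()
        if hmac.compare_digest(expected, candidate):
            return counter
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, pin, now = "0123456789abcdef", "1234", 1_700_000_000
    code = motp(secret, pin, now)
    print("mOTP:", code, "accepted at counter", verify_motp(code, secret, pin, now + 42))
    print("TOTP:", totp(b"12345678901234567890", now))
```
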

gert_62
Posts: 4
Joined: Sun Nov 14, 2021 10:03 am

Re: 2FA on SoftEther VPN

Post by gert_62 » Tue Nov 16, 2021 8:48 pm

OK, I appreciate your answer. It seems quite some setup work. I was rather referring to an officially supported option. It's a mystery to me why SoftEther is not setting this higher on the list supporting it out of the box by using something like Google Authenticator.

Is anyone from SoftEther reading these messages?

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: 2FA on SoftEther VPN

Post by eddiewu » Wed Nov 17, 2021 4:53 am

gert_62 wrote:
Sun Nov 14, 2021 10:06 am
I don't think in 2021 a VPN that gives access to critical resources without 2FA is no longer acceptable from a security point of view.
Could you please name any open source VPN that has native 2FA? To my knowledge OpenVPN and WireGuard do not. There are forks doing that though.

gert_62
Posts: 4
Joined: Sun Nov 14, 2021 10:03 am

Re: 2FA on SoftEther VPN

Post by gert_62 » Sun Jan 16, 2022 12:00 pm

I didn't say there are open-source VPNs that support this. I was just asking it.

OpenVPN seems to support OTP with Google Authenticator
https://openvpn.net/vpn-server-resource ... ntication/

I am just hoping that SE will support this option in the future because like I said earlier these days I don't consider a VPN without 2FA as an option. I think it is too dangerous. Having 2FA in their offering would make it an even more outstanding product than it already is.

netdoctor
Posts: 1
Joined: Mon May 18, 2020 10:15 pm

Re: 2FA on SoftEther VPN

Post by netdoctor » Wed Mar 16, 2022 1:10 am

This is a requirement for SoftEther now. We're currently uninsurable due to no MFA on VPN.

rp-approvedfood
Posts: 3
Joined: Mon Mar 21, 2022 1:31 pm

Re: 2FA on SoftEther VPN

Post by rp-approvedfood » Mon Mar 21, 2022 1:37 pm

Hello
Same thing just happened here -- nothing built in so instead, I used Duo (https://duo.com/product/multi-factor-authentication-mfa).

How many users do you have? We have 40 so costs us 120 USD/Month but worth it vs the problems no insurance would bring! I don't work for Duo by the way lol, but I found it the easiest and best bang-per-buck too! Up to 10 users are free as well so there's that!

DEAD EASY to set up ...

Create an AD Group ("VPN Users") and add members that need MFA to it.
Set up Duo with an AD Sync and tell it to use that group

Once all users are on
Install something called the Duo Authentication Proxy and configure it. This then acts as a RADIUS server!
Simply go to your SoftEther control panel thing and set the users to RADIUS Auth.

Users need to install a small app on their phones but it's tiny and does nothing other than pop up asking "Is this you trying to connect to [service]" so I've not encountered anyone who doesn't have a company phone complaining about having to install it!

Anyway, good luck!!

gert_62
Posts: 4
Joined: Sun Nov 14, 2021 10:03 am

Re: 2FA on SoftEther VPN

Post by gert_62 » Mon Nov 07, 2022 9:13 am

Cool, thank you so much. I will try this. So basically any RADIUS service that supports MFA will work with this, right?

But if I understand it correctly: all users can do is approve it? There is no option that you can force users to enter some kind of OTP (one time password) like for example Google Authenticator generates?

Is there something that supports a "real" OTP solution (like Google Authenticator) out-of-the-box?

Can someone from the dev-team comment on this maybe? Do you have any plans to support this in the future? It is such a great VPN solution. This is the one thing (I think) that still misses it to make it perfect.

Rgds,
