OpenVPN Signed Certificate Authentication on specific VHUB

[julian]

Hello everyone!

I am currently trying to setup a softether server using stable version 4.42-9798. I want to create several VHUBs and connect using OpenVPN client. However, I couldn't figure out, how to connect to a specific VHUB, as the server would always try to connect to the "DEFAULT" VHUB.
After some research, I found out, that in the newest unstable version 5.02.5187, it is possible to set the VHUB within the certificate Subject CN (username@VHUB).
Is there anyway I can accomplish this with a stable version of softether?

Many thanks for your help and best regards,
Julian

[solo]

No need for certificates.

If there are two or more Virtual HUBs on the VPN Server, you have to specify the username as:
"Username@Virtual-HUB-Name"
or:
"Virtual-HUB-Name\Username"

v4.x\src\bin\hamcore\openvpn_readme.txt

[julian]

Hello solo,

Thank you for your fast reply. I do have already successfully tested authentication using "password authentication" method. However we explicitly want to use authentication using certificates signed by a CA.
Now I have also already tested including a credentials file in my open vpn profile, specifying username@vhub and a "dummy_password" (since you can not set a password in SE if you select certificate based auth for a user). Altough this leads to the server selecting the correct VHUB when connecting, it would also change the authentication method to password auth. again which will obviously fails since certitficate based auth. was set.

Any other ideas how we can use signed certificate authentication method for a multi VHUB setup on the latest stable version?

Regards,
Julian

[solo]

Hi, new features will not be backported to v4. There are bugs in v5 but if they do not affect your particular configuration then consider it stable enough.

[julian]

Ok, so in v4 there's simply no way to get this working right?

[julian]

Anybody else an idea on this topic?

[solo]

You are beating a dead horse.

[spp]

Anybody else an idea on this topic?

Use original openvpn instead of softether's openvpn implementation and include openvpn interface to same network trough bridge.

I run this configuration, it's works with signed cert.

[julian]

Sounds interesting! How do you handle a multi VHUB setup in this case. E.g. Users want to connect to different, isolated networks on multiple VHUBs.

[mendoza_lt]

Hello,

I am trying to find almost exactly same solution, in my case i need client to authorize with Yubikey (so, basically - certificate). I just got a suggestion (well, that was chat GPT :D, but it is worth to consider :)) to use RADIUS as authentication server. That is just a theory, based on ChatGPT, but it might work :)

[julian]

Hy,

Yes i was also considering this, but decided against it since we didn't want to have to deal with another server. Currently just sticking to password authentication. Would be happy though if you could share if this approach worked for you and how much effort it has been.

Regards Julian