Softether VPN

Softether VPN Remote Access with Duo Multi-Factor Authentication (MFA)

This guide assumes you already have: a working Softether VPN server configured for remote access; Active Directory for remote user authentication; and a Duo account in which your users and their mobile devices are pre-enrolled, with the Duo Mobile app installed and configured for that account.

Please note that this MFA implementation ONLY works with Duo Mobile app push notifications.

If you don't have a Duo account, you can sign up for a free trial on the Duo website. You also need to deploy a Duo Authentication Proxy server on your network, on either Linux or Windows.

This guide specifically covers a Duo Authentication Proxy on Linux, but it can easily be adapted to a Windows-based installation.

If you need to deploy a Softether VPN server, take a look at our Docker Compose example, which deploys it with Docker, Traefik as the reverse proxy, and Let's Encrypt support.

Configure Softether Application in Duo Admin Panel

Figures 1 to 4 (screenshots, images not included)

Create an AD service account to enumerate users in Active Directory

Figure 5 (screenshot, image not included)

Configure Duo Authentication Proxy

The Duo Authentication Proxy does three things here: it integrates with the Duo cloud to send Duo push notifications, it integrates with Active Directory to perform primary user authentication, and it serves as the RADIUS server that Softether uses to authenticate users. You could instead use a separate RADIUS server for the Active Directory integration and point the Duo Authentication Proxy at it, but that is outside the scope of this guide.

If you followed the Duo Authentication Proxy - Reference New Proxy Install for Linux, the proxy is installed in the /opt/duoauthproxy directory by default. If you did a custom installation, adjust the paths below as necessary.

vi /opt/duoauthproxy/conf/authproxy.cfg

; Primary authentication: the proxy binds to Active Directory with the service account created above
[ad_client]
host=<AD_DOMAIN_CONTROLLER>
service_account_username=<AD_DUO_SERVICE_ACCOUNT_USERNAME>
service_account_password=<AD_DUO_SERVICE_ACCOUNT_PASSWORD>
search_dn=DC=DOMAIN,DC=TLD

; RADIUS listener that Softether talks to; ikey, skey and api_host come from the Softether application you created in the Duo Admin Panel
[radius_server_auto]
ikey=<DUO_INTEGRATION_KEY>
skey=<DUO_SECRET_KEY>
api_host=<DUO_API_HOSTNAME>
; only accept RADIUS requests from the Softether server, and only when they carry this shared secret
radius_ip_1=<SOFTETHER_VPN_SERVER_IP>
radius_secret_1=<RADIUS_SHARED_SECRET>
; safe = allow primary-only logins if the Duo cloud cannot be reached; secure = reject them
failmode=safe
client=ad_client
port=1812
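Before restarting the proxy it is worth checking the file mechanically, because a placeholder left in place or a `client=` that names no section only shows up as a failed login later. The script below is an added example for this guide, not code from the guide or from Duo; the section and key names it expects are the ones in the configuration above, the placeholder pattern `<NAME_IN_CAPS>` is the one the guide uses, and the 16-character minimum for the RADIUS secret is this example's own threshold. It also flags `failmode=safe`, which admits users on their AD password alone whenever the Duo cloud is unreachable.

```python
"""Sanity checks for an authproxy.cfg of the shape shown in this guide.

Added example, not part of the guide or of Duo's software. Run it before
restarting the proxy: it catches placeholders left in the file, a missing
section or key, a client= that points at nothing, a bad port, and it
flags failmode=safe, which fails open when the Duo cloud is unreachable.
"""
import configparser
import ipaddress
import re
import sys

# Section and key names as used in this guide's authproxy.cfg.
REQUIRED = {
    "ad_client": ("host", "service_account_username",
                  "service_account_password", "search_dn"),
    "radius_server_auto": ("ikey", "skey", "api_host", "radius_ip_1",
                           "radius_secret_1", "failmode", "client", "port"),
}
# Values copied verbatim from the guide look like <SOMETHING_IN_CAPS>.
PLACEHOLDER = re.compile(r"^<[A-Z0-9_]+>$")


def check_authproxy_cfg(text: str) -> list:
    """Return (level, message) findings; an empty list means every check passed."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)  # a '%' inside a secret is fine
    cfg.read_string(text)
    values = {}  # (section, key) -> usable value; placeholders are excluded
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            findings.append(("error", f"missing section [{section}]"))
            continue
        for key in keys:
            value = cfg.get(section, key, fallback="").strip()
            if not value:
                findings.append(("error", f"[{section}] {key} is missing or empty"))
            elif PLACEHOLDER.match(value):
                findings.append(("error", f"[{section}] {key} still holds the placeholder {value}"))
            else:
                values[(section, key)] = value

    client = values.get(("radius_server_auto", "client"))
    if client and not cfg.has_section(client):
        findings.append(("error", f"client={client} names no section in this file"))

    failmode = values.get(("radius_server_auto", "failmode"), "").lower()
    if failmode == "safe":
        findings.append(("warning", "failmode=safe fails open: if the Duo cloud is "
                         "unreachable, users are admitted on their AD password alone; "
                         "failmode=secure fails closed instead"))
    elif failmode and failmode != "secure":
        findings.append(("error", f"failmode={failmode} is neither 'safe' nor 'secure'"))

    port = values.get(("radius_server_auto", "port"))
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(("error", f"port={port} is not a valid UDP port"))

    ip = values.get(("radius_server_auto", "radius_ip_1"))
    if ip is not None:
        try:
            ipaddress.ip_network(ip, strict=False)  # accepts a single IP or a CIDR block
        except ValueError:
            findings.append(("warning", f"radius_ip_1={ip} is not an IP address or CIDR; "
                             "the guide expects the Softether server's IP here"))

    # Threshold chosen for this example: the PAP password obfuscation in RADIUS
    # is keyed only by this secret, so a short one is a weak one.
    secret = values.get(("radius_server_auto", "radius_secret_1"))
    if secret is not None and len(secret) < 16:
        findings.append(("warning", "radius_secret_1 is under 16 characters"))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/duoauthproxy/conf/authproxy.cfg"
    with open(path) as fh:
        results = check_authproxy_cfg(fh.read())
    for level, message in results:
        print(f"{level.upper()}: {message}")
    sys.exit(1 if any(level == "error" for level, _ in results) else 0)
```

Run it as `python3 check_authproxy.py /opt/duoauthproxy/conf/authproxy.cfg`; a non-zero exit means at least one error. The `failmode` warning is deliberate: `safe` is the right choice if you would rather keep remote access working during a Duo outage, and `secure` is the right choice if a login without the push is never acceptable, but it should be a conscious decision rather than a default that was never revisited.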

Configure Softether VPN Server

Figures 6 to 8 (screenshots, images not included)

Configure Softether VPN Server Users

When adding a user to the Softether VPN server who will authenticate with Duo MFA, the username you enter in Softether VPN MUST match an existing username in the Duo Admin Panel.

Figures 9 and 10 (screenshots, images not included)

If everything is set up correctly, when this user connects to your Softether VPN they should be prompted by the Duo app on their mobile device to approve the login. Softether has a hard-coded limit of 10 seconds to wait for authentication to complete, so the user must approve the Duo MFA prompt within those 10 seconds or the authentication will fail.
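Because of that 10-second limit, a failed VPN login does not tell you whether the proxy rejected the credentials, the push was never sent, or the user simply approved it too late. A small RADIUS client that talks to the proxy directly, with a longer timeout, separates those cases. The following is an added example written for this guide, not code from the guide, Duo or Softether: it implements just enough of RFC 2865 (Access-Request with a PAP User-Password, and Response Authenticator verification) to send one request and report what came back and whether the reply was genuinely produced with your shared secret. The proxy host, the shared secret and the test user's AD credentials are command-line arguments; `softether-test` is a constructed NAS-Identifier.

```python
"""Minimal RADIUS PAP test client for the Duo Authentication Proxy.

Added example for this guide, not code from the guide, Duo or Softether.
It sends one Access-Request to the proxy and verifies the Access-Accept or
Access-Reject that comes back, so the proxy, its AD lookup and the Duo push
can be exercised with a generous timeout before Softether is involved.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def encrypt_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), the first block using the Request
    Authenticator. This only obscures the password: anyone holding the shared
    secret and a capture can reverse it, which is why radius_secret_1 must be
    long and random and the Softether-to-proxy path should be a trusted network."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         authenticator: bytes, nas_id: str = "softether-test") -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16), then type/length/value attributes."""
    attrs = b""
    for atype, value in ((ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD,
                          encrypt_pap_password(password.encode(), secret, authenticator)),
                         (ATTR_NAS_IDENTIFIER, nas_id.encode())):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_reply(code: int, ident: int, request_authenticator: bytes,
                secret: bytes, attrs: bytes = b"") -> bytes:
    """What a RADIUS server sends back; included so the verification below can be
    exercised offline. Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def parse_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> dict:
    """Decode a reply and check its Response Authenticator. valid=False means the
    reply was not produced with our shared secret for our request: an Access-Accept
    that fails this check is a forgery or a mismatched secret, never a login."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return {"code": code, "name": CODE_NAMES.get(code, f"code-{code}"),
            "identifier": ident, "valid": packet[4:20] == expected}


def radius_check(host: str, secret: str, username: str, password: str,
                 port: int = 1812, timeout: float = 60.0) -> dict:
    """Send one Access-Request and wait for the reply. The timeout is deliberately
    longer than the 10 s Softether allows: here the question is whether the proxy
    answers at all, and how long the push approval actually takes."""
    ident, authenticator, secret_b = os.urandom(1)[0], os.urandom(16), secret.encode()
    request = build_access_request(ident, secret_b, username, password, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        data, _ = sock.recvfrom(4096)
    result = parse_response(data, authenticator, secret_b)
    result["valid"] = result["valid"] and result["identifier"] == ident
    return result


if __name__ == "__main__":
    import sys
    # usage: python3 radius_check.py <PROXY_HOST> <RADIUS_SHARED_SECRET> <USERNAME> <AD_PASSWORD>
    print(radius_check(*sys.argv[1:5]))
```

Run it from the Softether server itself (the proxy only accepts requests from `radius_ip_1`), approve the push on the phone, and note how long the reply takes: if `Access-Accept` arrives with `valid: True` but consistently later than 10 seconds after the request, the problem is the approval delay rather than the configuration. A `valid: False` on an accept means the `radius_secret_1` in the proxy and the shared secret entered in Softether do not match.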