mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2024-11-09 03:00:41 +03:00
566 lines
36 KiB
Plaintext
566 lines
36 KiB
Plaintext
THE IMPORTANT NOTICES ABOUT SOFTETHER VPN
|
|
|
|
FUNCTIONS OF VPN COMMUNICATIONS EMBEDDED ON THIS SOFTWARE ARE VERY POWERFUL
|
|
THAN EVER. THIS STRONG VPN ABILITY WILL BRING YOU HUGE BENEFITS. HOWEVER, IF
|
|
YOU MISUSE THIS SOFTWARE, IT MIGHT DAMAGES YOURSELF. IN ORDER TO AVOID SUCH
|
|
RISKS, THIS DOCUMENT ACCOUNTS IMPORTANT NOTICES FOR CUSTOMERS WHO ARE WILLING
|
|
TO USE THIS SOFTWARE. THE FOLLOWING INSTRUCTIONS ARE VERY IMPORTANT. READ AND
|
|
UNDERSTAND IT CAREFULLY. ADDITIONALLY, IF YOU ARE PLANNING TO USE THE DYNAMIC
|
|
DNS, THE NAT TRAVERSAL OR THE VPN AZURE FUNCTIONS, READ THE SECTION 3.5
|
|
CAREFULLY. THESE FUNCTIONS ARE FREE SERVICES PROVIDED VIA THE INTERNET, ARE
|
|
NOT GUARANTEED, AND ARE NOT INTENDED TO BE USED FOR BUSINESS OR COMMERCIAL
|
|
USE. DO NOT USE THESE SERVICES FOR YOUR BUSINESS OR COMMERCIAL USE.
|
|
|
|
|
|
1. VPN Communication Protocols
|
|
1.1. SoftEther VPN Protocol
|
|
SoftEther VPN can perform VPN communication. Unlike traditional VPN protocols,
|
|
SoftEther VPN has an implementation of the newly-designed "SoftEther VPN
|
|
Protocol (SE-VPN Protocol)" . SE-VPN protocol encapsulates any Ethernet
|
|
packets into a HTTPS (HTTP over SSL) connection. Therefore SE-VPN protocol can
|
|
communicate beyond firewalls even if the firewall is configured to block
|
|
traditional VPN packets by network administrator. SE-VPN protocol is designed
|
|
and implemented to comply TLS 1.0 (RFC 5246) and HTTPS (RFC 2818). However, it
|
|
sometimes have different behavior to RFCs. If you are a network administrator
|
|
and want to block SE-VPN protocols on the firewall, you can adopt a
|
|
"white-list" policy on the firewall to filter any TCP or UDP packets on the
|
|
border except explicitly allowed packets towards specific web sites and
|
|
servers.
|
|
|
|
1.2. NAT Traversal Function
|
|
Generally, if you use traditional VPN systems you have to request a network
|
|
administrator to make the NAT or firewall to "open" or "relay" specific TCP or
|
|
UDP ports. However, there are demands somehow to eliminate such working costs
|
|
on network administrators. In order to satisfy such demands, SoftEther VPN has
|
|
the newly-implemented "NAT Traversal" function. NAT Traversal is enabled by
|
|
default. A SoftEther VPN Server running on the computer behind NAT or firewall
|
|
can accept VPN connections from the Internet, without any special
|
|
configurations on firewalls or NATs. If you want to disable the NAT Traversal
|
|
function, modify the "DisableNatTraversal" to "true" on the configuration file
|
|
of SoftEther VPN Server. In order to disable it on the client-side, append
|
|
"/tcp" suffix on the destination hostname.
|
|
|
|
1.3. Dynamic DNS Function
|
|
Traditional legacy VPN system requires a static global IP address on the VPN
|
|
server. In consideration of shortage of global IP addresses, SoftEther
|
|
Corporation implements the "Dynamic DNS Function" on SoftEther VPN Server.
|
|
Dynamic DNS is enabled by default. Dynamic DNS function notify the current
|
|
global IP address of the PC to the Dynamic DNS Servers which are operated by
|
|
SoftEther Corporation. A globally-unique hostname (FQDN) such as
|
|
"abc.softether.net" ( "abc" varies as unique per a user) will be assigned on
|
|
the VPN Server. If you tell this unique hostname to a VPN user, the user can
|
|
specify it as the destination VPN Sever hostname on the VPN Client and will be
|
|
able to connect the VPN Server. No IP addresses are required to know
|
|
beforehand. If the IP address of the VPN Server varies, the registered IP
|
|
address related to the hostname of Dynamic DNS service will be changed
|
|
automatically. By this mechanism, no longer need a static global IP address
|
|
which costs monthly to ISPs. You can use consumer-level inexpensive Internet
|
|
connection with dynamic IP address in order to operate an enterprise-level VPN
|
|
system. If you want to disable Dynamic DNS, specify "true" on the "Disabled"
|
|
items of the "DDnsClient" directive on the SoftEther VPN Server configuration
|
|
file. * Note for residents in People's Republic of China: If your VPN Server
|
|
is running on the People's Republic of China, the DNS suffix will be replaced
|
|
to "sedns.cn" domain. The "sedns.cn" domain is the service possessed and
|
|
operated by "Beijing Daiyuu SoftEther Technology Co., Ltd" which is a
|
|
Chinese-local enterprise.
|
|
|
|
1.4. VPN over ICMP / VPN over DNS functions
|
|
If you want to make a VPN connection between SoftEther VPN Client / Bridge and
|
|
SoftEther VPN Server, but if TCP and UDP packets are prohibited by the
|
|
firewall, then you can encapsulates payloads into "ICMP" (as known as Ping) or
|
|
"DNS" packets. This function can realize a VPN connection by using ICMP or DNS
|
|
even if the firewall or router blocks every TCP or UDP connections. VPN over
|
|
ICMP / VPN over DNS functions are designed to comply standard ICMP and DNS
|
|
specifications as possible, however it sometimes has a behavior not to fully
|
|
comply them. Therefore, few poor-quality routers may be caused a
|
|
memory-overflow or something troubles when a lot of ICMP or DNS packets are
|
|
passed, and such routers sometimes freezes or reboots. It might affects other
|
|
users on the same network. To avoid such risks, append the suffix "/tcp" on
|
|
the destination hostname which is specified on the VPN-client side to disable
|
|
VPN over ICMP / DNS functions.
|
|
|
|
1.5. VPN Azure Cloud Service
|
|
If your SoftEther VPN Server is placed behind the NAT or firwall, and by some
|
|
reason you cannot use NAT Traversal function, Dynamic DNS function or VPN over
|
|
ICMP/DNS function, you can use VPN Azure Clouse Service. SoftEther Corporation
|
|
operates VPN Azure Cloud on Internet. After the VPN Server makes a connection
|
|
to the VPN Azure Cloud, the hostname "abc.vpnazure.net" ( "abc" is a unique
|
|
hostname) can be specified to connect to the VPN Server via the VPN Azure
|
|
Cloud. Practically, such a hostname is pointing a global IP address of one of
|
|
cloud servers which are operated by SoftEther Corporation. If A VPN Client
|
|
connects to such a VPN Azure host, then the VPN Azure host will relay all
|
|
traffics between the VPN Client and the VPN Server. VPN Azure is disabled by
|
|
default. You can activate it easily by using VPN Server Configuration Tool.
|
|
|
|
1.6. UDP Acceleration
|
|
SoftEther VPN has the UDP Acceleration Function. If a VPN consists of two
|
|
sites detects that UDP channel can be established, UDP will be automatically
|
|
used. By this function, throughput of UDP increases. If direct UDP channel can
|
|
be established, direct UDP packets will be used. However, if there is
|
|
something obstacles such as firewalls or NATs, the "UDP Hole Punching"
|
|
technology will be used, instead. The "UDP Hole Punching" uses the cloud
|
|
servers which SoftEther Corporation operates on Internet. UDP Acceleration can
|
|
be disabled anytime by setting up so on the VPN-client side.
|
|
|
|
|
|
2. VPN Software
|
|
2.1. SoftEther VPN Client
|
|
If you use SoftEther VPN Client on Windows, the Virtual Network Adapter device
|
|
driver will be installed on Windows. The Virtual Network Adapter is
|
|
implemented as a kernel-mode driver for Windows. The driver is
|
|
digitally-signed by a certificate issued by VeriSign, Inc. and also sub-signed
|
|
by Symantec Corporation. A message to ask you want to sure install the driver
|
|
might be popped up on the screen. SoftEther VPN Client may response the
|
|
message if possible. SoftEther VPN Client also optimizes the configuration of
|
|
MMCSS (Multimedia Class Scheduler Service) on Windows. You can undo the
|
|
optimizations of MMCSS afterwards.
|
|
|
|
2.2. SoftEther VPN Server / Bridge
|
|
If you use SoftEther VPN Server / Bridge on Windows with "Local Bridge"
|
|
functions, you have to install the low-level Ethernet packet processing driver
|
|
on the computer. The driver is digitally-signed by a certificate issued by
|
|
VeriSign, Inc. and also sub-signed by Symantec Corporation. SoftEther VPN
|
|
Server / Bridge may disable the TCP/IP offloading features on the physical
|
|
network adapter for Local Bridge function. In Windows Vista / 2008 or greater
|
|
version, VPN Server may inject a packet-filter driver which complies Windows
|
|
Filter Platform (WPF) specification into the kernel in order to provide IPsec
|
|
function. The packet-filter driver will be loaded available only if IPsec
|
|
function is enabled. Once you enables IPsec function of SoftEther VPN Server,
|
|
the built-in IPsec function of Windows will be disabled. After you disabled
|
|
IPsec function of SoftEther VPN Server, then the built-in IPsec function of
|
|
Windows will revive. In order to provide the Local Bridge function, SoftEther
|
|
VPN Server / Bridge disables the TCP/IP offloading function on the operating
|
|
system.
|
|
|
|
2.3. User-mode Installation
|
|
You can install SoftEther VPN Server and SoftEther VPN Bridge as "User-mode"
|
|
on Windows. In other words, even if you don't have Windows system
|
|
administrator's privileges, you can install SoftEther VPN as a normal user.
|
|
User-mode install will disable a few functions, however other most functions
|
|
work well. Therefore, for example, an employee can install SoftEther VPN
|
|
Server on the computer in the office network, and he will be able to connect
|
|
to the server from his home. In order to realize such a system by user-self,
|
|
no system administrative privileges are required in the view-point of
|
|
technical. However, breaking rules of the company to install software on the
|
|
computer without authority might be regarded as an unfavorable behavior. If
|
|
you are an employee and belong to the company, and the company-policy
|
|
prohibits installing software or making communications towards Internet
|
|
without permission, you have to obtain a permission from the network
|
|
administrator or the executive officer of your company in advance to install
|
|
SoftEther VPN. If you install VPN Server / Bridge as User-mode, an icon will
|
|
be appeared on the Windows task-tray. If you feel that the icon disturbs you,
|
|
you can hide it by your operation. However, you must not exploit this hiding
|
|
function to install VPN Server on other person's computer as a spyware. Such
|
|
behavior might be an offence against the criminal law.
|
|
|
|
2.4. Keep Alive Function
|
|
SoftEther VPN Server and SoftEther VPN Bridge has Keep Alive Function by
|
|
default. The purpose of this function is to sustain the Internet line active.
|
|
The function transmits UDP packets with a random-byte-array-payload
|
|
periodically. This function is useful to avoid automatic disconnection on
|
|
mobile or dial-up connections. You can disable Keep Alive Function anytime.
|
|
|
|
2.5. Uninstallation
|
|
The uninstallation process of SoftEther VPN software will delete all program
|
|
files. However, non-program files (such as files and data which are generated
|
|
by running of programs) ) will not be deleted. For technical reason, the exe
|
|
and resource files of uninstaller might remain. Such remaining files never
|
|
affects to use the computer, however you can delete it manually. Kernel-mode
|
|
drivers might not be deleted, however such drivers will not be loaded after
|
|
the next boot of Windows. You can use "sc" command of Windows to delete
|
|
kernel-mode drivers manually.
|
|
|
|
2.6. Security
|
|
You should set the administrator's password on SoftEther VPN Server / Bridge
|
|
after installation. If you neglect to do it, another person can access to
|
|
SoftEther VPN Server / Bridge and can set the password without your
|
|
permission. This caution might be also applied on SoftEther VPN Client for
|
|
Linux.
|
|
|
|
2.7. Automatic Update Notification
|
|
SoftEther VPN software for Windows has an automatic update notification
|
|
function. It accesses to the SoftEther Update server periodically to check
|
|
whether or not the latest version of software is released. If the latest
|
|
version is released, the notification message will be popped up on the screen.
|
|
In order to achieve this purpose, the version, language settings, the unique
|
|
identifier, the IP address of your computer and the hostname of VPN Server
|
|
which is connected to will be sent to the SoftEther Update server. No personal
|
|
information will be sent. Automatic Update Notification is enabled by default,
|
|
however you can disable it on the configuration screen. The setting whether
|
|
turned on or turned off will be saved individually corresponding to each
|
|
destination VPN server, by VPN Server Manager.
|
|
|
|
2.8. Virtual NAT Function
|
|
A Virtual Hub on SoftEther VPN Server / Bridge has "Virtual NAT Function" .
|
|
Virtual NAT Function can share a single IP address on the physical network by
|
|
multiple private IP address of VPN Clients. There are two operation mode of
|
|
Virtual NAT: User-mode and Kernel-mode. In the user-mode operation, Virtual
|
|
NAT shares an IP address which is assigned on the host operating system.
|
|
Unlike user-mode, the kernel-mode operation attempts to find DHCP servers on
|
|
the physical network. If there are two or more physical networks, a DHCP
|
|
server will be sought automatically for each segments serially. If a DHCP
|
|
server found, and an IP address is acquired, the IP address will be used by
|
|
the Virtual NAT. In this case, an IP entry as a DHCP client will be registered
|
|
on the IP pool of the physical DHCP Server. The physical default gateway and
|
|
the DNS server will be used by the Virtual NAT in order to communicate with
|
|
hosts in Internet. In kernel-mode operation, a Virtual Hub has a virtual MAC
|
|
address which is operating on the physical Ethernet segment. In order to check
|
|
the connectivity to Internet, SoftEther VPN periodically sends DNS query
|
|
packet to resolve the IP address of host "www.yahoo.com" or "www.baidu.com" ,
|
|
and attempts to connect to the TCP port 80 of such a resulted IP address for
|
|
connectivity check.
|
|
|
|
2.9. Unattended Installation of Kernel-mode Components
|
|
When SoftEther VPN will detect a necessity to install the kernel-mode
|
|
components on Windows, a confirmation message will be appeared by Windows
|
|
system. In this occasion, SoftEther VPN software will switch to the Unattended
|
|
Installation mode in order to respond "Yes" to Windows. This is a solution to
|
|
prevent dead-locks when a remote-administration is performed from remote
|
|
place.
|
|
|
|
2.10. Windows Firewall
|
|
SoftEther VPN software will register itself as a safe-program. Such an entry
|
|
will be remain after the uninstallation. You can remove it manually from the
|
|
Control Panel of Windows.
|
|
|
|
|
|
3. Internet Services
|
|
3.1. Internet Services which are provided by SoftEther Corporation
|
|
SoftEther Corporation provides Dynamic DNS, NAT Traversal and VPN Azure server
|
|
services on the Internet. These services are free of charge. Customers can
|
|
access to the services by using SoftEther VPN software, via Internet. These
|
|
service will be planned to be available from Open-Source version of "SoftEther
|
|
VPN" which will be released in the future.
|
|
|
|
3.2. Sent Information and Privacy Protection
|
|
SoftEther VPN software may send an IP address, hostname, the version of VPN
|
|
software on the customer's computer to the cloud service operated by SoftEther
|
|
Corporation, in order to use the above services. These sending of information
|
|
are minimal necessary to use the services. No personal information will be
|
|
sent. SoftEther Corporation records log files of the cloud service servers for
|
|
90 days at least with the received information. Such logs will be used for
|
|
troubleshooting and other legitimate activities. SoftEther Corporation may
|
|
provide logs to a public servant of Japanese government who are belonging to
|
|
courts, police stations and the prosecutor's office, in order to comply such
|
|
authorities' order. (Every Japanese public servants are liable by law to keep
|
|
the information close.) Moreover, the IP addresses or other information will
|
|
be processed statistically and provided to the public, not to expose the each
|
|
concrete IP address, in order to release the release of research activities.
|
|
|
|
3.3. Communication Data via VPN Azure Service
|
|
Regardless of the above 3.2 rule, if the customer sends or receives VPN
|
|
packets using VPN Azure Cloud Service, the actual payloads will stored and
|
|
forwarded via the volatile memory of the servers for very short period. Such a
|
|
behavior is naturally needed to provide the "VPN relay service" . No payloads
|
|
will be recorded on "fixed" storages such as hard-drives. However, the
|
|
"Wiretapping for Criminals Procedures Act" (The 137th legislation ruled on
|
|
August 18, 1999 in Japan) requires telecommunication companies to allow the
|
|
Japanese government authority to conduct a wire-tapping on the line. VPN Azure
|
|
Servers which are physically placed on Japan are subjects of this law.
|
|
|
|
3.4. Comply to Japanese Telecommunication Laws
|
|
SoftEther Corporation complies with Japanese Telecommunication Laws as
|
|
necessary to provide online services via Internet.
|
|
|
|
3.5. Free and Academic Experiment Services
|
|
SoftEther provides Dynamic DNS, NAT Traversal and VPN Azure as academic
|
|
experiment services. Therefore, there services can be used for free of charge.
|
|
These services are not parts of "SoftEther VPN Software Products" . These
|
|
services are provided without any warranty. The services may be suspended or
|
|
discontinued by technical or operational matters. In such occasions, users
|
|
will not be able to use the services. A user have to understand such risks,
|
|
and to acknowledge that such risks are borne by a user-self. SoftEther will
|
|
never be liable to results or damages of use or unable-to-use of the service.
|
|
Even if the user has already paid the license-fee of the commercial version of
|
|
SoftEther VPN, such paid fees don't include any fees of these services.
|
|
Therefore, if the online services will stop or be discontinued, no refunds or
|
|
recoveries of damages will be provided by SoftEther Corporation.
|
|
|
|
3.6. DNS Proxy Cloud Servers
|
|
In some regions, when a user uses Internet, a DNS query sometimes broken or
|
|
lost when it is passing through the ISP line. If SoftEther VPN Server, Client
|
|
or Bridge detects a possibility that the accessing to the actual VPN server
|
|
might be unstable, then DNS queries will be also transferred to the DNS proxy
|
|
cloud servers which are operated by SoftEther Corporation. A DNS proxy cloud
|
|
server will respond DNS queries with answering correct a IP address.
|
|
|
|
|
|
4. General Cautions
|
|
4.1. Needs an Approval from Network Administrator
|
|
SoftEther VPN has powerful functions which don't require special settings by
|
|
network administrators. For example, you need not to ask the administrator to
|
|
configure the existing firewall in order to "open" a TCP/UDP port. Such
|
|
characteristic features are for the purpose to eliminate working times and
|
|
costs of network administrators, and avoid misconfiguration-risks around the
|
|
tasks to open specific exception ports on the firewall. However, any employees
|
|
belong to the company have to obtain an approval from the network
|
|
administrator before installs SoftEther VPN. If your network administrator
|
|
neglects to provide such an approval, you can consider to take an approval
|
|
from an upper authority. (For example, executive officer of the company.) If
|
|
you use SoftEther VPN without any approvals from the authority of your
|
|
company, you might have disadvantage. SoftEther Corporation will be never
|
|
liable for results or damages of using SoftEther VPN.
|
|
|
|
4.2. Observe Laws of Your Country
|
|
If your country's law prohibits the use of encryption, you have to disable the
|
|
encryption function of SoftEther VPN by yourself. Similarly, in some countries
|
|
or regions, some functions of SoftEther VPN might be prohibited to use by
|
|
laws. Other countries' laws are none of SoftEther Corporation's concern
|
|
because SoftEther Corporation is an enterprise which is located and registered
|
|
in Japan physically. For example, there might be a risk that a part of
|
|
SoftEther VPN conflicts an existing patent which is valid only on the specific
|
|
region. SoftEther Corporation has no interests in such specific region outside
|
|
Japan's territory. Therefore, if you want to use SoftEther VPN in regions
|
|
outside Japan, you have to be careful not to violate third-person's rights.
|
|
You have to verify the legitimacy of the use of SoftEther VPN in the specific
|
|
region before you actually use it in such region. By nature, there are almost
|
|
200 countries in the World, and each country's law is different each other. It
|
|
is practically impossible to verify every countries' laws and regulations and
|
|
make the software comply with all countries' laws in advance to release the
|
|
software. Therefore SoftEther Corporation has verified the legitimacy of
|
|
SoftEther VPN against the laws and regulations of only Japan. If a user uses
|
|
SoftEther VPN in a specific country, and damaged by public servants of the
|
|
government authority, SoftEther Corporation will never be liable to recover or
|
|
compensate such damages or criminal responsibilities.
|
|
|
|
|
|
5. VPN Gate Academic Experiment Project
|
|
(This chapter applies only on SoftEther VPN software package which contains
|
|
the extension plug-in for VPN Gate Academic Experiment Project.)
|
|
5.1. About VPN Gate Academic Experiment Project
|
|
VPN Gate Academic Experiment Project is an online service operated for just
|
|
the academic research purpose at the graduate school of University of Tsukuba,
|
|
Japan. The purpose of this research is to expend our knowledge about the
|
|
"Global Distributed Public VPN Relay Server" (GDPVRS) technology. For details,
|
|
please visit http://www.vpngate.net/.
|
|
|
|
5.2. About VPN Gate Service
|
|
SoftEther VPN Server and SoftEther VPN Client may contain "VPN Gate Service"
|
|
program. However, VPN Gate Service is disabled by default.
|
|
VPN Gate Service should be activated and enabled by the voluntary intention of
|
|
the owner of the computer which SoftEther VPN Server or SoftEther VPN Client
|
|
is installed on. After you activate VPN Gate Service, the computer will be
|
|
start to serve as a part of the Global Distributed Public VPN Relay Servers.
|
|
The IP address, hostname and related information of the computer will be sent
|
|
and registered to the directory server of VPN Gate Academic Experiment
|
|
Project, and they will be published and disclosed to the public. This
|
|
mechanism will allow any VPN Gate Client software's user to connect to the VPN
|
|
Gate Service running on your computer. While the VPN session between a VPN
|
|
Gate Client and your VPN Gate Service is established, the VPN Gate Client's
|
|
user can send/receive any IP packets towards the Internet via the VPN Gate
|
|
Service. The global IP address of the VPN Gate Service's hosing computer will
|
|
be used as the source IP address of such communications which a VPN Gate
|
|
Client initiates.
|
|
VPN Gate Service will send some information to the VPN Gate Academic
|
|
Experiment Service Directory Server. The information includes the operator's
|
|
information which described in section 5.5, logging settings, uptime,
|
|
operating system version, type of protocol, port numbers, quality information,
|
|
statistical information, VPN Gate clients' log history data (includes dates,
|
|
IP addresses, version numbers and IDs) and the version of the software. These
|
|
information will be exposed on the directory. VPN Gate Service also receives a
|
|
key for encoding which is described on the chapter 5.9 from the directory
|
|
server.
|
|
|
|
5.3. Details of VPN Gate Service's Behavior
|
|
If you enable VPN Gate Service manually, which is disabled by default, the
|
|
"VPNGATE" Virtual Hub will be created on the SoftEther VPN Server. If you are
|
|
using SoftEther VPN Client and attempt to active VPN Gate Service on it, an
|
|
equivalent program to SoftEther VPN Server will be invoked on the same process
|
|
of SoftEther VPN Client, and the "VPNGATE" Virtual Hub will be created. The
|
|
"VPNGATE" Virtual Hub contains a user named "VPN" by default which permits
|
|
anyone on the Internet to make a VPN connection to the Virtual Hub. Once a VPN
|
|
Client connects to the "VPNGATE" Virtual Hub, any communication between the
|
|
user and the Internet will pass through the Virtual Hub, and
|
|
transmitted/received using the physical network interface on the computer
|
|
which SoftEther VPN Server (or SoftEther VPN Client) is running on. This will
|
|
cause the result that a destination host specified by the VPN Client will
|
|
identify that the source of the communication has initiated from the VPN Gate
|
|
Service's hosting computer's IP address. However, for safety, any packets
|
|
which destinations are within 192.168.0.0/255.255.0.0, 172.16.0.0/255.240.0.0
|
|
or 10.0.0.0/255.0.0.0 will be blocked by the "VPNGATE" Virtual Hub in order to
|
|
protect your local network. Therefore, if you run VPN Gate Service on your
|
|
corporate network or private network, it is safe because anonymous VPN Client
|
|
users will not be permitted to access such private networks. VPN Gate Service
|
|
also serves as relay for accessing to the VPN Gate Directory Server.
|
|
In order to make VPN Gate Service familiar with firewalls and NATs, it opens
|
|
an UDP port by using the NAT Traversal function which is described on the
|
|
section 1.2. It also opens and listens on some TCP ports, and some TCP and UDP
|
|
ports will be specified as the target port of Universal Plug and Play (UPnP)
|
|
Port Transfer entries which are requested to your local routers. UPnP request
|
|
packets will be sent periodically. Some routers keep such an opened TCP/UDP
|
|
port permanently on the device. If you wish to close them, do it manually.
|
|
VPN Gate Service also provides the mirror-site function for www.vpngate.net.
|
|
This is a mechanism that a copy of the latest contents from www.vpngate.net
|
|
will be hosted by the mirror-site tiny HTTP server which is running on the VPN
|
|
Gate Service program. It will register itself on the mirror-sites list in
|
|
www.vpngate.net. However, it never relays any other communications which are
|
|
not towards www.vpngate.net.
|
|
|
|
5.4. Communication between Internet via VPN Gate Service
|
|
VPN Gate Service provides a routing between users and the Internet, by using
|
|
the Virtual NAT Function which is described on the section 2.8. VPN Gate
|
|
Service sends polling Ping packets to the server which is located on
|
|
University of Tsukuba, and the Google Public DNS Server which is identified as
|
|
8.8.8.8, in order to check the latest quality of your Internet line. VPN Gate
|
|
Service also sends and receives a lot of random packets to/from the Speed Test
|
|
Server on University of Tsukuba. These quality data will be reported to VPN
|
|
Gate Directory Server, automatically and periodically. The result will be
|
|
saved and disclosed to the public. These periodical polling communication are
|
|
adjusted not to occupy the Internet line, however in some circumstances they
|
|
might occupy the line.
|
|
|
|
5.5. Operator's Information of VPN Gate Service
|
|
If you activate VPN Gate Service on your computer, the computer will be a part
|
|
of the Global Distributed Public VPN Relay Servers. Therefore, the Operator's
|
|
administrative information of your VPN Gate Service should be reported and
|
|
registered on the VPN Gate Service Directory. Operator's information contains
|
|
the name of the operator and the abuse-reporting contact e-mail address. These
|
|
information can be inputted on the screen if the VPN Gate configuration.
|
|
Inputted information will be transmitted to the VPN Gate Directory Server,
|
|
stored and disclosed to the public. So you have to be careful to input
|
|
information. By the way, until you specify something as the operator's
|
|
information, the computer's hostname will be used automatically as the field
|
|
of the name of the operator, by appending the "'s owner" string after the
|
|
hostname.
|
|
|
|
5.6. Observe Laws to Operate VPN Gate Service
|
|
In some countries or regions, a user who is planning to activate and operate
|
|
VPN Gate Service, he are mandated to obtain a license or register a service
|
|
from/to the government. If your region has such a regulation, you must fulfill
|
|
mandated process before activating VPN Gate Service in advance. Neither the
|
|
developers nor operators of the VPN Gate Academic Experiment Project will be
|
|
liable for legal/criminal responsibilities or damages which are occurred from
|
|
failure to comply your local laws.
|
|
|
|
5.7. Protect Privacy of Communication
|
|
Most of countries have a law which requires communication service's operators,
|
|
including VPN Gate Service operators, to protect the privacy of communication
|
|
of third-persons. When you operate VPN Gate Service, you must always protect
|
|
user's privacy.
|
|
|
|
5.8. Packet Logs
|
|
The packet logging function is implemented on VPN Gate Service. It records
|
|
essential headers of major TCP/IP packets which are transmitted via the
|
|
Virtual Hub. This function will be helpful to investigate the "original IP
|
|
address" of the initiator of communication who was a connected user of your
|
|
VPN Gate Service, by checking the packet logs and the connection logs. The
|
|
packet logs are recorded only for such legitimate investigates purpose. Do not
|
|
peek nor leak packet logs except the rightful purpose. Such act will be
|
|
violate the section 5.7.
|
|
|
|
5.9. Packet Logs Automatic Archiving and Encoding Function
|
|
The VPN Gate Academic Experiment Service is operated and running under the
|
|
Japanese constitution and laws. The Japanese constitution laws demand strictly
|
|
protection over the privacy of communication. Because this service is under
|
|
Japanese rules, the program of VPN Gate Service implements this "Automatic Log
|
|
File Encoding" protection mechanism, and enabled by default.
|
|
The VPN Gate Service is currently configured to encode packet log files which
|
|
has passed two or more weeks automatically, by default. In order to protect
|
|
privacy of communication, if a packet log file is once encoded, even the
|
|
administrator of the local computer cannot censor the packet log file. This
|
|
mechanism protects privacy of end-users of VPN Gate Service.
|
|
You can change the VPN Gate Service setting to disable this automatic encoding
|
|
function. Then packet log files will never be encoded even after two weeks
|
|
passed. In such a configuration, all packet logs will remain as plain-text on
|
|
the disk. Therefore you have to take care not to violate user's privacy.
|
|
If you are liable to decode an encoded packet log files (for example: a VPN
|
|
Gate Service's user illegally abused your VPN Gate Service and you have to
|
|
decode the packet logs in order to comply the laws), contact the administrator
|
|
of the VPN Gate Academic Experiment Service at Graduate School of University
|
|
of Tsukuba, Japan. You can find the contact address at
|
|
http://www.vpngate.net/. The administrator of VPN Gate Service will respond to
|
|
decode the packet logs if there is an appropriate and legal request from court
|
|
or other judicial authorities, according to laws.
|
|
|
|
5.10. Caution if You Operate VPN Gate Service in the Japan's Territories
|
|
When a user operates VPN Gate Service in the Japan's territories, such an act
|
|
may be regulated under the Japanese Telecommunication Laws if the operation is
|
|
a subject to the law. However, in such a circumstance, according to the
|
|
"Japanese Telecommunication Business Compete Manual [supplemental version]" ,
|
|
non- profitable operations of communications are not identified as a
|
|
"telecommunication business" . So usual operators of VPN Gate Service are not
|
|
subjects to "telecommunication business operators" , and not be mandated to
|
|
register to the government. Even so, legalities to protect the privacy of
|
|
communication still imposed. As a conclusion, if you operate VPN Gate Service
|
|
in the Japan's Territories, you must not leak the secrets of communications
|
|
which are transmitted via your operating VPN Gate Service.
|
|
|
|
5.11. VPN Gate Client
|
|
If SoftEther VPN Client contains the VPN Gate Client plug-in, you can use it
|
|
to obtain the list of current operating VPN Gate Service servers in the
|
|
Internet, and make a VPN connection to a specific server on the list.
|
|
VPN Gate Client always keeps the latest list of the VPN Gate Services
|
|
periodically. Be careful if you are using a pay-per-use Internet line.
|
|
When you start the VPN Gate Client software, the screen which asks you
|
|
activate or not VPN Gate Service will be appeared. For details of VPN Gate
|
|
Service, read the above sections.
|
|
|
|
5.12. Caution before Joining or Exploiting VPN Gate Academic Experiment
|
|
Project
|
|
The VPN Gate Academic Experiment Service is operated as a research project at
|
|
the graduate school on University of Tsukuba, Japan. The service is governed
|
|
under the Japanese laws. Other countries' laws are none of our concerns nor
|
|
responsibilities.
|
|
By nature, there are almost 200 countries in the World, with different laws.
|
|
It is impossible to verify every countries' laws and regulations and make the
|
|
software comply with all countries' laws in advance to release the software.
|
|
If a user uses VPN Gate service in a specific country, and damaged by public
|
|
servants of the authority, the developer of either the service or software
|
|
will never be liable to recover or compensate such damages or criminal
|
|
responsibilities.
|
|
By using this software and service, the user must observe all concerned laws
|
|
and rules with user's own responsibility. The user will be completely liable
|
|
to any damages and responsibilities which are results of using this software
|
|
and service, regardless of either inside or outside of Japan's territory.
|
|
If you don't agree nor understand the above warnings, do not use any of VPN
|
|
Gate Academic Experiment Service functions.
|
|
VPN Gate is a research project for just academic purpose only. VPN Gate was
|
|
developed as a plug-in for SoftEther VPN and UT-VPN. However, all parts of VPN
|
|
Gate were developed on this research project at University of Tsukuba. Any
|
|
parts of VPN Gate are not developed by SoftEther Corporation. The VPN Gate
|
|
Research Project is not a subject to be led, operated, promoted nor guaranteed
|
|
by SoftEther Corporation.
|
|
|
|
5.13. The P2P Relay Function in the VPN Gate Client to strengthen the
|
|
capability of circumvention of censorship firewalls
|
|
VPN Gate Clients, which are published since January 2015, include the P2P
|
|
Relay Function. The P2P Relay Function is implemented in order to strengthen
|
|
the capability of circumvention of censorship firewalls. If the P2P Relay
|
|
Function in your VPN Gate Client is enabled, then the P2P Relay Function will
|
|
accept the incoming VPN connections from the VPN Gate users, which are located
|
|
on mainly same regions around you, and will provide the relay function to the
|
|
external remote VPN Gate Servers, which are hosted by third parties in the
|
|
free Internet environment. This P2P Relay Function never provides the shared
|
|
NAT functions nor replaces the outgoing IP address of the VPN Gate users to
|
|
your IP addresses because this P2P Relay Function only provides the
|
|
"reflection service" (hair-pin relaying), relaying from incoming VPN Gate
|
|
users to an external VPN Gate Server. In this situation, VPN tunnels via your
|
|
P2P Relay Function will be finally terminated on the external VPN Gate Server,
|
|
not your VPN Gate Client. However, the VPN Gate Server as the final
|
|
destination will record your IP address as the source IP address of VPN
|
|
tunnels which will be initiated by your P2P Relay Function. Additionally, user
|
|
packets which are transmitted via your P2P Relay Function will be recorded on
|
|
your computer as packet logs as described on the section 5.8. After you
|
|
installed the VPN Gate Client, and if the P2P Relay Function will be enabled
|
|
automatically, then all matters on the 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9,
|
|
5.10, 5.11 and 5.12 sections will be applied to you and your computer, as same
|
|
to the situation when you enabled the VPN Gate Service (the VPN Gate Server
|
|
function). If your P2P Function is enabled, then your computer's IP address
|
|
and the default operator's name which is described on the section 5.5 will be
|
|
listed on the VPN Gate Server List which is provided by the VPN Gate Project.
|
|
You can change these strings by editing the "vpn_gate_relay.config" file
|
|
manually. Note that you need to stop the VPN Client service before editing it.
|
|
The VPN Gate Client will automatically enable the P2P Relay Function on your
|
|
computer if the VPN Gate Client detects that your computer might be located in
|
|
regions where there are existing censorship firewalls. If you want to disable
|
|
the P2P Relay Function, you must set the "DisableRelayServer" flag to "true"
|
|
on the "vpn_client.config" file which is the configuration file of the VPN
|
|
Client. Note that you need to stop the VPN Client service before editing it.
|
|
The VPN Gate Client does not recognize the particular regulation of your
|
|
country or your region. The VPN Gate Client activates the P2P Relay Function
|
|
even if your country or your region has the law to restrict running P2P relay
|
|
functions. Therefore, in such a case, you must disable the P2P Relay Function
|
|
on the VPN Gate Client manually by setting the "DisableRelayServer" flag if
|
|
you reside in such a restricted area, in your own responsibility.
|
|
|