Tag Archives: Networking

How to bypass NET::ERR_CERT_INVALID on Chrome

Locked out of accessing my firewall

After I changed my Antivirus software I used to access a remote firewall publicly on the internet. This firewall has a local selfsigned certificate that no web browser trusts.

Although I added the root certificate to my root store but still none of the browsers would allow me to access it and result in the below error:

Your connection is not private
Attackers might be trying to steal your information from myapp.domain.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_INVALID
myapp.domain.com normally uses encryption to protect your information. When Brave tried to connect to myapp.domain.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be myapp.domain.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Brave stopped the connection before any data was exchanged.

You cannot visit myapp.domain.com right now because the website sent scrambled credentials that Brave cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

On Chrome

image

On Firefox

image

I searched the web for many work arounds but none of them almost worked including this one which says you can use “Thisisunsafe” or “badidea” on chrome but it did not work.

https://medium.com/@dblazeski/chrome-bypass-net-err-cert-invalid-for-development-daefae43eb12

Using Fiddler

Since I use fiddler to sniff packets and troubleshoot issues on my computer, I remembered that Fiddler has the feature of decrypting traffic (MITM). Fiddler inserts its own root certs and force the traffic to go through it first which makes all the websites trusted even in the case of this error ::ERR_CERT_INVALID

Solution:

So to make this work even temporarily so you can access whatever page you lost access to. All you have to do is:

  • Install Fiddler
  • Let Fiddler Decrypt traffic: To do this go to Tools> Options > HTTPS and select “Capture HTTPS Connects and Decrypt Traffic”
  • Accept and import the root certificates.
  • Click Ok
  • Start Capturing traffic by clicking on the left corner icon image

image

  • Now try to browse the page you couldn’t access previously and you’ll get a prompt to accept its certificate. Click Yes if you’re sure of the page and continue.

image

Here we go, I got back access to my Pfsense but notice you’ll only be able to access the URL if the capturing is on.

The moment you turn Capturing off the page will not be accessible again.

clip_image001

SoftEther – Fixing connecting to localhost 5555

SoftEther VPN Server Manager Connection Issue:

I have used SoftEther VPN for a long time to connect securely to my cloud server for almost 2 years without any single issue and I am using my Laptop, iPad, Phone and everything without an issue.

But one day I tried to connect to the connection settings and I got this error

Softether VPN Connection Error

Connection to the server failed. Check network connection and make sure that address and port number of destination server are correct.

clip_image001

Attempts to solve the issue

I have tried couple of things that came to my mind maybe that would solve the issue.

  1. Uninstall and Reinstall Softether VPN.
  2. Uninstall and Restart
  3. Tried to create a new connection with different ports.
  4. Disabling Microsoft Firewall.

clip_image002

All of these attempts lead to failure and none worked eventually. So I started searching for a different solution and checked the configuration file of the Softether VPN server which is located in

File Location and Configuration

C:\Program Files\SoftEther VPN Server

You can open the file in Notepad and start looking for the default port 5555 which is how you could normally connect to the connection settings.

Solution:

The solution is in the configuration changes, but in order to change/amend the config file you need to take a backup and make sure you stop the service before doing so.

clip_image003

Go to the configuration file location C:\Program Files\SoftEther VPN Server

clip_image004

Right click and open this file with Notepad

clip_image005

Search for uint Port 5555

On top of that, you’ll see bool Enabled false

clip_image006

Change that to Bool Enabled True

Save the file and start the service

clip_image007

Try to connect again

clip_image008

Now it works and will ask you for the old password which you had set previously

clip_image009

If you cannot remember the password, you can also find that in open text (Of course it is a vulnerability) then take it from there.

clip_image010

That’s it. You should be able to access your server settings now

Setting up SoftEther VPN with Most Secure Settings:

Why VPN?

Before reading this article or going through it maybe you want to know why you’re supposed to use VPN wherever you go ?

If you use one of the following on your computer/Phone/Tablet then you must use VPN

  • Online Banking?
  • Paying Bills?
  • Purchasing online Services?
  • Checking Private Emails?
  • Connecting to work Email?

The list goes on and on and won’t probably end with only those, But the most important thing to acknowledge that nowadays there is absolutely nothing safe on the Internet World. Your data could be exposed, hacked at anytime anywhere and esp if you go to public Internet places e.g. (Starbucks, University, Your Friend’s home even).

So what is SoftEther VPN Server/Client?

As introduced by Softether itself, SoftEther VPN (“SoftEther” means “Software Ethernet”) is one of the world’s most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris.

SoftEther VPN is open source. You can use SoftEther for any personal or commercial use for free charge.

clip_image001

Clients

SoftEther VPN is an optimum alternative to OpenVPN and Microsoft’s VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8. No more need to pay expensive charges for Windows Server license for Remote-Access VPN function.

Use:

SoftEther VPN can be used to realize BYOD (Bring your own device) on your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN’s L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN’s L2TP VPN Server has strong compatible with Windows, Mac, iOS and Android.

Download

Download the Windows Server version of Softether from the following Page:

https://www.softether-download.com/en.aspx?product=softether

Installation Requirements:

  • Windows Server/Windows 10
  • 4GB RAM
  • 100 GB Disk
  • 2 VCPU

These resources are estimated and not calculated, It’s only in case of small amount of users (Max 100 User). If you’re going to use more than that you’ll have to check depending on how many concurrent connections are there going to be.

Installation Steps:

As soon as you start Softether VPN – Create new Connection and set the password for the Administrator

clip_image002

clip_image003

Configure Softether as Remote Access VPN Server

I am going to setup new Remote Access VPN Server:

clip_image004

clip_image005

This will create a new Virtual Hub, Give it whatever name you want.

clip_image006

If you have no Static Public IP address

Set a dynamic DNS function name, This is useful in case the IP you have keeps changing like in the case of ADSL connections at home ..etc

clip_image007

VPN Type:

In the IPSEC/L2TP/EtherIP /L2TPv3 Server settings, you’ll need to choose the most secure VPN connection to allow your users to safely and securely browse the internet. This needs L2TP server function to be enabled along with setting the Ipsec Pre-Shared key to provide the most secure VPN connectivity.

clip_image008

AZURE Settings:

If you don’t have access to Firewall to configure NAT, or configure your firewall access to the Softthere VPN Server you must enable this feature (VPN Azure Cloud VPN Service (Free) by the Japanese University of Subuka.

clip_image009

We have set the Azure hostname previously already so no need to change it unless you wanna use something else.

clip_image010

Creating Users

clip_image011

I will create a user, assign it to my admins group, then Create a Certificate for this user to login to make sure I have the maximum security and authentication methods offered.

Creating Certificate

Since I already have created the root certificate, I Am going to create a client certificate for this particular user from the root certificate.

clip_image012

clip_image013

Finally user is created

clip_image014

Choosing the right connection to set as Local Bridge

I need to make sure to choose the NIC which reflects my internet outbound NIC in order to connect properly (In my case it’s going to be Ethernet 2)

clip_image015

clip_image016

clip_image017

Using the most secure Encryption Algorithm for our connection

By default Softether uses AES128-SHA, while this is considered secured and used by most common VPN service providers it’s always better to use something that’s level or more secure. So we are going to change the default changes to AES256-GCM-SHA384

To change those settings, Navigate to the main menu of Softether VPN Server Manager and click on “Encryption and Network”

clip_image018

Change the “Encryption Algorithm Name:” to AES256-GCM-SHA384

AES256-GCM-SHA384 is based on the cipher suite TLSv 1.3 which is considered the most recent and secure cipher suite that’s being used right now.

Default Setting:

clip_image019

Change to

clip_image020

Client Configuration:

  • In the setting name: we are going to enter a random name.
  • The hostname: will be the name which we created previously for Dynamic IP cases. This will be useful to remember even If you have a static Public IP address.
  • User Authentication Setting: We will be using the certificate which I created before (I copied this cert to my client computer where I am going to connect via the VPN client manager).
  • Virtual Hub Name: Here you’ll need to copy the exact name of the Virtual Hub name which you have created on the server side.

clip_image021

clip_image022

Connectivity Test:

After settings everything, I am going to try and connect with my user using Certificate and the Password I set.

clip_image023

Ref:

https://www.softether.org/

https://wiki.mozilla.org/Security/Server_Side_TLS

https://www.softether.org/4-docs/1-manual/3._SoftEther_VPN_Server_Manual/3.3_VPN_Server_Administration#3.3.6_Listener_Ports

https://www.iplocation.net/encryption