Set Up OpenVPN, L2TP/IPsec & SSTP VPN Using SoftEther
Introduction
This guide explains how to set up an OpenVPN, L2TP/IPsec and SSTP VPN using SoftEther.
What is Softether?
SoftEther VPN is one of the world's most powerful and easy-to-use multi-protocol VPN software, made by the good folks at the University of Tsukuba, Japan. It runs on Windows, Linux, Mac, FreeBSD and Solaris and is freeware and open-source. You can use SoftEther for any personal or commercial use free of charge.
Prerequisites
First, you will have to create a server from vpsserver.com. SoftEther will work on any Linux distribution, so it's up to you which server you prefer. I have personally tried it on Ubuntu, CentOS, Debian and Fedora and it has worked well for me.
Update your distribution
Using the below commands, update your software.
Debian / Ubuntu:
apt-get update && apt-get upgrade
CentOS & Fedora:
yum upgrade
Download and Install Softether
Download the latest software package from their website:
http://www.softether-download.com/en.aspx?product=softether
Using wget you can download the latest version directly to your Linux device. As of this writing, the latest version for a 64-bit Linux distribution is Ver 4.21, Build 9613, beta.
wget http://www.softether-download.com/files/softether/v4.21-9613-beta-2016.04.24-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.21-9613-beta-2016.04.24-linux-x64-64bit.tar.gz
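The download above travels over plain HTTP and is then compiled and run as root, so it is worth checking the archive before unpacking it. The following is an added example, not part of the original guide or of SoftEther: the function name verify_and_extract is hypothetical, and the expected SHA-256 value is a placeholder that you must obtain from a channel you trust.

```shell
#!/bin/sh
# Added example: check a downloaded SoftEther tarball before building it as root.

# verify_and_extract TARBALL EXPECTED_SHA256 [DESTDIR]
# Returns 0 only if the digest matches and every member stays under vpnserver/.
verify_and_extract() {
    tarball=$1; expected=$2; dest=${3:-.}

    # A missing or unreadable file yields an empty digest, which never matches.
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $tarball: got '$actual'" >&2
        return 1
    fi

    # Refuse members outside vpnserver/ and any ".." component before a
    # root-owned tar process writes a single file.
    if tar -tzf "$tarball" | grep -Ev '^(\./)?vpnserver(/|$)' | grep -q . ||
       tar -tzf "$tarball" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "unexpected member path in $tarball" >&2
        return 1
    fi

    # Do not restore the owner IDs recorded inside the archive.
    tar -xzf "$tarball" -C "$dest" --no-same-owner
}

# Usage (EXPECTED_SHA256 is a placeholder, not a real digest):
#   verify_and_extract softether-vpnserver-v4.21-9613-beta-2016.04.24-linux-x64-64bit.tar.gz "$EXPECTED_SHA256"
```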
After you extract the archive, a directory named vpnserver will be created in the working folder. In order to compile SoftEther, the following tools and packages must be installed on your server:
make, gcc, binutils, libc (glibc), zlib, openssl, readline, and ncurses
You can install all the packages necessary to build SoftEther using the command below:
Debian / Ubuntu:
apt-get install build-essential -y
CentOS & Fedora:
yum groupinstall "Development Tools"
On Fedora, gcc has to be installed separately: yum install gcc.
Now that all the necessary packages are installed, change into the vpnserver directory:
cd vpnserver
Then run make to compile SoftEther:
make
SoftEther will ask you to read and agree with its License Agreement. Enter 1 to read the agreement, 1 again to confirm that you have read it, and finally 1 to agree to the License Agreement.
SoftEther is now compiled into executable files (vpnserver and vpncmd). If the process fails, check that all of the required packages are installed.
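After SoftEther has compiled, move the vpnserver folder to a safer place, usually /usr/local. Leave the vpnserver directory first so that the whole folder is moved:
cd ..
mv vpnserver /usr/local
Then change into the new location and restrict the file permissions:
cd /usr/local/vpnserver
chmod 600 *
chmod 700 vpnserver
chmod 700 vpncmd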
To make SoftEther start as a service, you will have to create a startup file called vpnserver inside the folder /etc/init.d/.
Let us create the file first.
nano /etc/init.d/vpnserver
Then paste the following into the file:
#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
case "$1" in
  start)
    $DAEMON start
    touch $LOCK
    ;;
  stop)
    $DAEMON stop
    rm $LOCK
    ;;
  restart)
    $DAEMON stop
    sleep 3
    $DAEMON start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0
Finally save and close the file.
We have to make a directory at /var/lock/subsys if one does not exist:
mkdir -p /var/lock/subsys
Now change the permission for the startup script and start vpnserver using command below:
chmod 755 /etc/init.d/vpnserver && /etc/init.d/vpnserver start
Use the following commands to make it run on startup:
Debian / Ubuntu:
update-rc.d vpnserver defaults
CentOS & Fedora:
chkconfig --add vpnserver
or
systemctl enable vpnserver.service
SoftEther VPN Server is now installed and configured to run at startup. Finally, we have to check if the VPN server is working:
cd /usr/local/vpnserver
./vpncmd
Now press 3 to choose Use of VPN Tools and then type:
check
If all of the checks pass, then your server is ready to be a SoftEther VPN server and you can move on to the next step. Type "exit" to exit VPN Tools.
Configuring Softether VPN
There are two ways to configure a SoftEther VPN server: you can use the Windows-based Server Manager to manage and configure any number of SoftEther VPN servers remotely, or use the built-in vpncmd tool to configure your servers.
You can download SoftEther Server Manager for Windows from their website and do the configuration using the GUI that it provides, which is the preferable way if you are a Windows user.
But for this tutorial we will use vpncmd to configure our VPN server.
Changing Admin Password
Now that you have SoftEther installed, you have to assign an admin password in order to use it. You can do this via vpncmd, which is SoftEther's command-line administration tool.
./vpncmd
Press 1 to select "Management of VPN Server or VPN Bridge", then press Enter without typing anything to connect to the server, and press Enter again to connect in server admin mode.
Use the command below to set the admin password.
ServerPasswordSet
Creating a Virtual Hub
Before we can use SoftEther we will have to create a virtual hub. For this tutorial we will create a virtual hub called "myVpnHub".
HubCreate myVpnHub
Enter your administration password for the hub. This password will be used whenever you log in to the virtual hub for management.
Select the virtual hub by the following command:
Hub myVpnHub
Enabling SecureNAT
SecureNAT is a combination of Virtual NAT and DHCP Server function. You can enable SecureNAT using the command below:
SecureNatEnable
Creating and Managing Users
Using the UserCreate command, we create a user named "john":
UserCreate john
The default type of authentication is Password, but we can change it to a different type using the commands below:
NT Domain Authentication
UserNTLMSet
Password Authentication
UserPasswordSet
Anonymous Authentication
UserAnonymousSet
Radius Authentication
UserRadiusSet
Individual Certificate Authentication
UserCertSet
Signed Certificate Authentication
UserSignedSet
For now we will use password authentication for user "john", so we run:
UserPasswordSet john
Activate L2TP/IPSec
To enable L2TP/IPsec VPN server you can use the command below:
IPsecEnable
After entering the command you will be asked to configure the L2TP functions.
Enable L2TP over IPsec Server Function: Choose yes to enable L2TP VPN over IPSec with pre-shared key encryption. Now you can make VPN connections to this server using iPhone, Android, Windows, and Mac OS X devices.
Enable Raw L2TP Server Function: This will enable L2TP VPN for clients with no IPSec encryption.
Enable EtherIP / L2TPv3 over IPsec Server Function: Routers which are compatible with EtherIP / L2TPv3 over IPsec can connect to this server by enabling this function.
Pre Shared Key for IPsec: Enter a pre-shared key to use with L2TP VPN.
Default Virtual HUB in a case of omitting the HUB on the Username: Users must specify the Virtual Hub they are trying to connect to by using Username@TargetHubName as their username when connecting.
Activate SSTP & OpenVPN
Before we can use SSTP or OpenVPN we have to generate an SSL certificate for our server and our clients. You can either use openssl or SoftEther's default SSL command to generate the certificate.
For this guide we will use SoftEther's default SSL commands for generating an individual certificate. The argument passed to the command is the CN (Common Name), and must be set to your host name (FQDN) or IP address:
ServerCertRegenerate [CN]
Now that we have created the certificate, we have to download the certificate to our clients and add them as trusted. Using the command below, we save the server certificate into a file named cert.cer:
ServerCertGet ~/cert.cer
Now you can distribute the certificate to your clients for installation into their system. To make the certificate trusted in Windows you will have to install it in a trusted Root Certificate store. You can check out this tutorial for installing a certificate into Windows Certificate Store.
Now that we have created and registered an SSL certificate for our server, we can enable the SSTP function with this command:
SstpEnable yes
And to enable OpenVPN:
OpenVpnEnable yes /PORTS:1194
After you have enabled OpenVPN, you can download a sample configuration file for the OpenVPN client. Here we create a sample OpenVPN configuration file and save it as openvpn_config.zip:
OpenVpnMakeConfig ~/openvpn_config.zip
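The vpncmd steps from "Creating a Virtual Hub" through "Activate SSTP & OpenVPN" can also be written to one batch file with randomly generated secrets and with the unencrypted Raw L2TP function left off. This is an added example, not SoftEther's own script or part of the original guide: gen_secret and build_batch are hypothetical helper names, vpn.example.com is a placeholder CN, and it assumes the admin password was already set with ServerPasswordSet so that vpncmd prompts for it.

```shell
#!/bin/sh
# Added example: the guide's vpncmd commands collected into one batch file.
# Hub "myVpnHub" and user "john" come from the guide; the CN is a placeholder.

# gen_secret N: print N random bytes as 2N hex characters, so the value
# contains no "/" or spaces that vpncmd could read as a parameter boundary.
gen_secret() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# build_batch FILE HUB USER CN: write the command list, owner-readable only.
build_batch() {
    file=$1; hub=$2; user=$3; cn=$4
    hub_pw=$(gen_secret 16); user_pw=$(gen_secret 16); psk=$(gen_secret 16)
    ( umask 077
      rm -f "$file"
      cat > "$file" <<EOF
HubCreate $hub /PASSWORD:$hub_pw
Hub $hub
SecureNatEnable
UserCreate $user /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet $user /PASSWORD:$user_pw
IPsecEnable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:$psk /DEFAULTHUB:$hub
ServerCertRegenerate $cn
ServerCertGet cert.cer
SstpEnable yes
OpenVpnEnable yes /PORTS:1194
OpenVpnMakeConfig openvpn_config.zip
EOF
    )
}

# Usage:
#   build_batch /root/setup.vpncmd myVpnHub john vpn.example.com
#   cd /usr/local/vpnserver && ./vpncmd localhost /SERVER /IN:/root/setup.vpncmd
#   rm -f /root/setup.vpncmd    # after recording the generated secrets
```

The batch file holds the hub password, the user password and the pre-shared key in clear text, so record them somewhere safe and delete the file once vpncmd has run.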
In this guide we went through the process of installing SoftEther VPN Server on various Linux distributions and managing it from the vpncmd command-line tool. It is an easy guide to follow, but the SoftEther VPN Server Manager is far easier to use, since it is a graphical user interface that shows a wide range of information and configuration options, from basic to advanced setup. I recommend downloading the Server Manager Windows GUI so you can compare it with the command-line tool.