Install SoftEther VPN on Ubuntu 16.04
Install prerequisites
apt-get install -y build-essential
Download the latest build
wget -O /tmp/softether-vpnserver.tar.gz https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.29-9680-rtm/softether-vpnserver-v4.29-9680-rtm-2019.02.28-linux-x64-64bit.tar.gz
Extract tarball into /usr/local
tar xfz /tmp/softether-vpnserver.tar.gz -C /usr/local
Install VPN software
# CD into correct location
cd /usr/local/vpnserver
# Build executables
make
Create a non-login user for softether
# Adding a service account for softether
sudo useradd --system --no-create-home --shell /usr/sbin/nologin softether
Setup necessary permissions
chown -R softether:softether /usr/local/vpnserver
find /usr/local/vpnserver -type f -exec chmod 600 {} \;
find /usr/local/vpnserver -type d -exec chmod 700 {} \;
chmod +x /usr/local/vpnserver/vpncmd
chmod +x /usr/local/vpnserver/vpnserver
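A check for the ownership and mode layout that the two steps above set up, as an added example that is not part of the original guide. The function name audit_vpn_perms is chosen for this example; the path, the account name and the two binaries are the ones used above. Run it as root so find can descend into the 700 directories.

```sh
#!/bin/sh
# Added example: audit the ownership and modes set by the chown/chmod steps.
# Usage (as root): audit_vpn_perms /usr/local/vpnserver softether
# audit_vpn_perms is a name chosen for this example.
audit_vpn_perms() {
    dir=${1:-/usr/local/vpnserver}
    dir=${dir%/}                      # keep -path comparisons exact
    owner=${2:-softether}             # user name or numeric uid

    findings=$(
        # 1. Everything must belong to the service account.
        find "$dir" ! -user "$owner" -print | sed 's/^/wrong owner: /'

        # 2. Nothing may be readable or writable by group or other.
        find "$dir" ! -type l \
            \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) \
            -print | sed 's/^/group or other can read or write: /'

        # 3. Directories must not be searchable by group or other (700).
        find "$dir" -type d \( -perm -010 -o -perm -001 \) \
            -print | sed 's/^/directory open to group or other: /'

        # 4. Only the two top-level binaries may carry an execute bit.
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
            ! -path "$dir/vpnserver" ! -path "$dir/vpncmd" \
            -print | sed 's/^/unexpected executable file: /'

        # 5. Both binaries must exist and be executable by their owner.
        for bin in vpnserver vpncmd; do
            [ -n "$(find "$dir/$bin" -type f -perm -100 2>/dev/null)" ] ||
                echo "missing or not owner-executable: $dir/$bin"
        done
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK: $dir matches the expected ownership and modes"
}
```

The function prints one line per finding and returns 1 if there are any, so it can also gate a provisioning script before the service is started.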
Create the systemd service unit /etc/systemd/system/softether.service
[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
ConditionPathExists=!/usr/local/vpnserver/do_not_run
[Service]
Type=forking
TasksMax=16777216
User=softether
Group=softether
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure
# Hardening
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/usr/local/vpnserver
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYSLOG CAP_SETUID
[Install]
WantedBy=multi-user.target
Enable and Start the Service
systemctl daemon-reload
systemctl start softether.service
systemctl enable softether.service
Remove temp files
rm -f /tmp/softether-vpnserver.tar.gz
To add a static route, navigate to Manage Virtual Hub > Virtual NAT and Virtual DHCP Server (SecureNAT) > SecureNAT Configuration > Edit the static routing table to push, and add the route in the format below.
# Format:
<VPC Network>/<VPC Netmask>/<VPN Gateway IP>
# Example:
10.125.0.0/255.255.0.0/10.130.30.1
You can manage this VPN using SoftEther VPN Server Manager. The initial administrator password will be blank.
Note: DO NOT enable both local bridge and SecureNAT at the same time. Packets will loop infinitely and make your server hang.
How to make SoftEther follow the default system routes in SecureNAT mode
- Connect via the "SE-VPN Server Manager" GUI
- Select the target Virtual Hub
- Click the Properties button
- Click Edit Virtual Hub Extended Option List near the lower left corner
- Scroll down and find DisableKernelModeSecureNAT and DisableIpRawModeSecureNAT, set these values to 1
- Click Save
- Click OK