Ubuntu 16.04: SoftEther VPN

Install prerequisites

apt-get install -y build-essential

Download the latest build

wget -O /tmp/softether-vpnserver.tar.gz https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.29-9680-rtm/softether-vpnserver-v4.29-9680-rtm-2019.02.28-linux-x64-64bit.tar.gz

Extract tarball into /usr/local

tar xfz /tmp/softether-vpnserver.tar.gz -C /usr/local

Install VPN software

# CD into correct location
cd /usr/local/vpnserver
# Build executables
make

Create a non-login user for softether

# Add a system service account for softether (no login shell, no home directory)
adduser --system --group --no-create-home --shell /usr/sbin/nologin softether

Set up the necessary permissions

chown -R softether:softether /usr/local/vpnserver
find /usr/local/vpnserver -type f -exec chmod 600 {} \;
find /usr/local/vpnserver -type d -exec chmod 700 {} \;
chmod +x /usr/local/vpnserver/vpncmd
chmod +x /usr/local/vpnserver/vpnserver
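
An added check for the permission step above (not part of the original guide; the function name audit_vpnserver_perms is made up here). It confirms that nothing in the tree is readable or writable by group or other and that only vpncmd and vpnserver are executable. It assumes GNU find, as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the tree after the
# chown/chmod step. audit_vpnserver_perms is a hypothetical helper name;
# the defaults match the guide's install path and service account.
audit_vpnserver_perms() {
    dir=${1:-/usr/local/vpnserver}
    owner=${2:-softether}
    rc=0

    report() {  # $1 = description, $2 = newline-separated offending paths
        if [ -n "$2" ]; then
            printf '%s:\n%s\n' "$1" "$2" >&2
            rc=1
        fi
    }

    # The 700 mode on the top directory is what keeps other users out of
    # the whole tree, so check it on its own.
    report "top directory is reachable by group/other" \
        "$(find "$dir" -maxdepth 0 -perm /077)"

    report "not owned by $owner" \
        "$(find "$dir" ! -user "$owner")"

    # Config, keys and logs must not be readable or writable by group/other.
    # Execute bits are ignored here: a bare 'chmod +x' also sets g+x and o+x.
    report "files readable/writable by group or other" \
        "$(find "$dir" -type f -perm /066)"

    report "directories accessible by group or other" \
        "$(find "$dir" -mindepth 1 -type d -perm /077)"

    # Only the two binaries the guide marks executable should carry an x bit.
    report "unexpected executable files" \
        "$(find "$dir" -type f -perm /111 \
            ! -path "$dir/vpncmd" ! -path "$dir/vpnserver")"

    return "$rc"
}
```

Run it as root with no arguments to audit /usr/local/vpnserver for the softether account; it returns non-zero and lists the offending paths on stderr if any check fails.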

Create the systemd service unit /etc/systemd/system/softether.service

[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
ConditionPathExists=!/usr/local/vpnserver/do_not_run
[Service]
Type=forking
TasksMax=16777216
User=softether
Group=softether
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure
# Hardening
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/usr/local/vpnserver
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYSLOG CAP_SETUID
[Install]
WantedBy=multi-user.target

Enable and Start the Service

systemctl daemon-reload
systemctl start softether.service
systemctl enable softether.service

Remove temp files

rm -f /tmp/softether-vpnserver.tar.gz

To add a static route, navigate to Manage Virtual Hub > Virtual NAT and Virtual DHCP Server (SecureNAT) > SecureNAT Configuration > Edit the static routing table to push, and add an entry in the format below.

# Format:
<VPC Network>/<VPC Netmask>/<VPN Gateway IP>
# Example:
10.125.0.0/255.255.0.0/10.130.30.1

You can manage this VPN using SoftEther VPN Server Manager. The initial administrator password is blank, so set one as soon as you connect for the first time.

Note: DO NOT enable both local bridge and SecureNAT at the same time. Packets will loop infinitely and hang your server.

How to make SoftEther follow the default system routes in SecureNAT mode

  1. Connect via the "SE-VPN Server Manager" GUI

  2. Select target Virtual Hub

  3. Click Properties button

  4. Click Edit Virtual Hub Extended Option List around the lower left corner

  5. Scroll down and find DisableKernelModeSecureNAT and DisableIpRawModeSecureNAT, set these values to 1

  6. Click Save

  7. Click OK