Here we will be installing Softether VPN server on Ubuntu/Debian. After this is done you will be able to use this server as a VPN node and optionally open/forward ports to static internal IP’s.

We now have a custom Softether VPN install script to make this easy to install on any Debian/Ubuntu VPS. See here for simple installation.
https://whattheserver.com/softether-vpn-install-script_for-ubuntu/

Requirements

  • VPS with static IP
  • Ubuntu/Debian Server
  • root or sudo access

Login to the server as root. Note the public IP and the network adapter. Note in the example below it is “ens18” and IP is “93.158.203.113”. This will be needed for later steps.

Update the OS if not already done.

sudo apt-get update && sudo apt-get upgrade

Install essentials

apt-get install build-essential libssl-dev g++ openssl libpthread-stubs0-dev gcc-multilib

Grab latest Softether link for Linux x64 from here

Use wget to copy it directly onto the server.

wget https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.29-9680-rtm/softether-vpnserver-v4.29-9680-rtm-2019.02.28-linux-x64-64bit.tar.gz

Extract it. Enter directory and run make and agree to all license agreements:

tar xvf softether-vpnserver-v*
cd vpnserver
make

Move up and then copy Softether libs to /usr/local

cd ..
mv vpnserver /usr/local
cd /usr/local/vpnserver/
chmod 600 *
chmod 700 vpncmd
chmod 700 vpnserver

Set the server admin password

./vpncmd
1
enter
enter
VPN Server>ServerPasswordSet

Enter the admin password twice to save. Then type exit to quit.

I use the windows Softether VPN Server Manager Client for doing the settings. It actually works great in Wine/PlayonLinux for those running Linux for daily use. Can find latest version here

Install it, run it, click New setting. Input ip and password.

Name the VPS node. Fill in Public IP/or hostname and the admin password set earlier during installation.
Connect to your newly created server.
Select Remote Access VPN and click next
Create Hub named “VPN”.
adjust the dynamic DNS name if desired.
Enable L2TP Server function and IPsec preshared key as desired.
Disable VPN Azure mode if not using on Azure cloud.
Select your Ethernet adapter and then click to create user.
specify new user and password and then click OK
Click Local bridge setting.
Create a tap device “soft” bridged to VPN HUB this ends up becoming “tap_soft” which is needed for later steps and click exit.
Click OpenVPN/MS-SSTP Setting
Add port 443 as listening port for OpenVPN. This helps evade firewall blocks on some networks. You can then download the Sample Configuration file if planning to use the VPN with an OpenVPN client. Can then click ok and exit the server manager.

Create systemd init file for Softether VPN service. This will control start, stop, and restart Softether service IPtables and DNSmasq service.

sudo nano /lib/systemd/system/vpnserver.service

Paste in the below to create systemd script for managing Softether VPN with Iptables and Dnsmasq

[Unit]
Description=SoftEther VPN Server
After=network.target



[Service]
Type=forking
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
ExecStartPost=/bin/sleep 05
ExecStartPost=/bin/bash /root/softether-iptables.sh
ExecStartPost=/bin/sleep 03
ExecStartPost=/bin/systemctl start dnsmasq.service
ExecReload=/bin/sleep 05
ExecReload=/bin/bash /root/softether-iptables.sh
ExecReload=/bin/sleep 03
ExecReload=/bin/systemctl restart dnsmasq.service
ExecStopPost=/bin/systemctl stop dnsmasq.service
Restart=always

[Install]
WantedBy=multi-user.target

ctrl-o ret ctrl-x

To grab this file ready to go:

wget -O /lib/systemd/system/vpnserver.service https://whattheserver.me/softether-scripts/vpnserver.service

Setup Iptables by creating bash script to automate the iptables needed for VPN.

nano /root/softether-iptables.sh

Paste in the below code. Make sure “NET_INTERFACE=ens18” matches your net interface and “VPNEXTERNALIP=93.158.203.113” has your public IPv4 instead of the example “93.158.203.113” noted from the beginning of the tutorial.

#!/bin/bash
##########################################################################################################################################
### Configuration
#############################

TAP_ADDR=192.168.30.1                              # Main IP of your TAP interface
TAP_INTERFACE=tap_soft                     # The name of your TAP interface.
VPN_SUBNET=192.168.30.0/24                         # Virtual IP subnet you want to use within your VPN
NET_INTERFACE=ens18                              # Your network adapter that connects you to the world.In OpenVZ this is venet0 for example.
#IPV6_ADDR=2B00:1DA7:002B:0007:0000:0000:0000:0001      # You can also assign this as DNS server in dnsmasq config.
#IPV6_SUBNET=2B00:1DA7:2B:7::/64               # Used to assign IPv6 to connecting clients. Remember to use the same subnet in dnsmasq.conf
VPNEXTERNALIP=93.158.203.113                  # Your machines external IPv4 address. 
                                                # Write down you IP or one of the IP adresses if you have more than one.
                                                # Warning! NAT Machine users, here write the local IP address of your VPS instead of the external IP.
#############################
### End of Configuration
##########################################################################################################################################

#Flush Current rules
iptables -F && iptables -X
#######################################################################################
# Base SoftEther VPN Rules for IPTables. You can remove and use these iptables-persistent if you want 
#######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# Forward all VPN traffic that comes from VPN_SUBNET through $NET_INTERFACE interface for outgoing packets.
iptables -t nat -A POSTROUTING -s $VPN_SUBNET -j SNAT --to-source $VPNEXTERNALIP
# Alternate rule if your server has dynamic IP
#iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $NET_INTERFACE -j MASQUERADE
#
# Allow VPN Interface to access the whole world, back and forth.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 
iptables -A INPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT 
iptables -A OUTPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT 
iptables -A FORWARD -s $VPN_SUBNET -m state --state NEW -j ACCEPT 
# 
# IPv6
# This is the IP we use to reply DNS requests.
#ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
#ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
# Let's define forwarding rules for IPv6 as well...
#ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#ip6tables -A FORWARD -j ACCEPT
#ip6tables -A INPUT -j ACCEPT
#ip6tables -A OUTPUT -j ACCEPT

# You can enable this for kernels 3.13 and up
#ip6tables -t nat -A POSTROUTING -o tap_soft -j MASQUERADE
#######################################################################################
#	End of Base IPTables Rules
#######################################################################################

Make script executable.

chmod +x /root/softether-iptables.sh

Install DNSmasq DHCP server. This is required for the tutorial and helps improve the speed over using the SecureNat/DHCP builtin function of Softether. This is also needed if wanting to open or forward ports and set internal static IP’s.

apt-get install dnsmasq

Backup the default dnsmasq.conf

mv /etc/dnsmasq.conf /etc/dnsmasq.conf-bak

Create new /etc/dnsmasq.conf. Make sure your Tap Adapter matches “interface=tap_soft” and Interface “except-interface=ens18”. If you have been following the rest of the tutorial the rest of the stuff is already setup to match network.

nano /etc/dnsmasq.conf

paste in the below

################################################################################## Interface Settings

# Listen to interface
# In this case it is the Softether bridge
interface=tap_soft

# Don't ever listen to anything on eth0, you wouldn't want that.
except-interface=ens18

# In case you have bind on your server and doesn't want dnsmasq to use the default dns port #53:
# port=5353

listen-address=192.168.30.1
bind-interfaces
################################################################################## Options

# Let's give the connecting clients an internal IP
dhcp-range=tap_soft,192.168.30.10,192.168.30.200,720h

# Default route and dns
dhcp-option=tap_soft,3,192.168.30.1

# enable dhcp
dhcp-authoritative

# enable IPv6 Route Advertisements
enable-ra

#  have your simple hosts expanded to domain
expand-hosts

# Let dnsmasq use the dns servers in the order you chose.
strict-order

# Let's try not giving the same IP to all, right?
dhcp-no-override

# Let's assign a unique and real IPv6 address to all clients.
# Here, we are using the IPv6 addresses from the he-ipv6 interface (Hurricane Electric ipv6 tunnel)
# You should replace it with your own IP range.
# This way even if you have only 1 shared IPv4
# All of your clients can have a real and unique IPv6 address.
# you can try slaac,ra-only | slaac,ra-names | slaac,ra-stateless in case you have trouble connecting
#dhcp-range=tap_soft,2B00:1DA7:002B:0007:0000:0000:0000:0001,2B00:1DA7:002B:0007:FFFF:FFFF:FFFF:FFFF,ra-advrouter,slaac,64,infinite

# For tunnelbroker, assign your 1f14 ip address to the tunnel interface and use 1f15 routable addresses in softether and dnsmasq
#dhcp-range=tap_soft,2001:0470:1f15:XXXX:0000:0000:000:0011,2001:0470:1f15:XXXX:0000:0000:0000:ffff,slaac,ra-stateless,64,2d


# Let's advertise ourself as a DNSSec server.
# Since we're running in the VPN network this shouldn't be any problem.
# Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it.
# This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network
# between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
#proxy-dnssec

# The following directives prevent dnsmasq from forwarding plain names (without any dots)
# or addresses in the non-routed address space to the parent nameservers.
domain-needed

# Never forward addresses in the non-routed address spaces
bogus-priv


# blocks probe-machines attack
stop-dns-rebind
rebind-localhost-ok

# Set the maximum number of concurrent DNS queries. The default value is 150. Adjust to your needs.
dns-forward-max=300

# stops dnsmasq from getting DNS server addresses from /etc/resolv.conf
# but from below
no-resolv
no-poll

# Prevent Windows 7 DHCPDISCOVER floods
# http://brielle.sosdg.org/archives/522-Windows-7-flooding-DHCP-server-with-DHCPINFORM-messages.html
dhcp-option=252,"\n"

################################################################################## External DNS Servers
# Use this DNS servers for incoming DNS requests
server=208.67.222.222
server=208.67.220.220
server=8.8.4.4

# Use these IPv6 DNS Servers for lookups/ Google and OpenDNS
server=2620:0:ccd::2
server=2001:4860:4860::8888
server=2001:4860:4860::8844
#########################################


################################################################################## Client DNS Servers
# Let's send these DNS Servers to clients.
# The first IP is the IPv4 and IPv6 addresses that are already assigned to the tap_soft
# So that everything runs through us.
# This is good for caching and adblocking.

# Set IPv4 DNS server for client machines # option:6
dhcp-option=option:dns-server,192.168.30.1,176.103.130.130

# Set IPv6 DNS server for clients
# You can change the first IP with the ipv6 address of your tap_soft if you 
# want all dns queries to go through your server...
dhcp-option=option6:dns-server,[2a00:5a60::ad2:0ff],[2a00:5a60::ad1:0ff]
#########################################



######################################### TTL & Caching options

# How many DNS queries should we cache? By defaults this is 150
# Can go up to 10k.
cache-size=10000

# Negative caching allows dnsmasq to remember 'no such domain' answers from the parent nameservers,
# so it does not query for the same non-existent hostnames again and again.
# This is probably useful for spam filters or MTA services.
#no-negcache

# The neg-ttl directive sets a default TTL value to add to negative replies from the parent nameservers,
# in case these replies do not contain TTL information.
# If neg-ttl is not set and a negative reply from a parent DNS server does not contain TTL information,
# then dnsmasq will not cache the reply.
neg-ttl=80000
local-ttl=3600

# TTL
dhcp-option=23,64
#########################################


################################################################################## MISC
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
dhcp-option=vendor:MSFT,2,1i

#########################################
## 44-47 NetBIOS
dhcp-option=44,192.168.30.1 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,192.168.30.1 # netbios datagram distribution server
dhcp-option=46,8         # netbios node type
dhcp-option=47


# IF you want to give clients the same static internal IP,
# you should create and use use /etc/ethers for static hosts;
# same format as --dhcp-host
# <hwaddr> [<hostname>] <ipaddr>
read-ethers


# Additional hosts, for adblocking.
# You can create that file yourself or just download and run:
# https://github.com/nomadturk/vpn-adblock/blob/master/updateHosts.sh
#addn-hosts=/etc/hosts.supp

log-facility=/var/log/dnsmasq.log
log-async=5


################################################################################## Experimental
log-dhcp
quiet-dhcp6
#dhcp-option=option:router,192.168.30.1
#dhcp-option=option:ntp-server,192.168.30.1

# With settings below, you can ping other clients on your lan.
#dhcp-option=option:domain-search,lan
#dhcp-option=option6:domain-search,lan
#domain=YOURDOMAINHERE
# Gateway
dhcp-option=3,192.168.30.1

Setup Sysctl for IPv4 and optional Ipv6 forwarding.

To grab this file ready to go and execute it for IPv4:

wget -O /root/sysctl-forwarding.sh https://whattheserver.me/softether-scripts/sysctl-forwarding.sh; chmod a+x sysctl-forwarding.sh && bash sysctl-forwarding.sh;

Or alternatively this can be done manually via nano.

nano /etc/sysctl.conf

Paste in the below block for IPv4 and optionally IPv6 if setting up dualstack IPv6 VPN.

net.core.somaxconn=4096
net.ipv4.ip_forward=1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 1 
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.proxy_arp = 0

net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.tap_softether.accept_ra=2 # IF you named your tap interface other than softether, change this value.
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_source_route=1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.proxy_ndp = 1
And save it.
CTRL + O
CTRL + X

Run the below to apply the rules. A Reboot also may be required in some cases.

sysctl -f

Alright now for the fun part. We are going to enable and startup up the Softether VPN service we created earlier.

To enable, start,and check status of the systemd Softether vpn service.

systemctl enable vpnserver
systemctl enable dnsmasq
systemctl start vpnserver
systemctl status vpnserver
To enable, start,and check status of the systemd dnsmasq dhcp service.
systemctl start dnsmasq
systemctl status dnsmasq
systemctl restart dnsmasq

Check Iptables.

iptables --list

It should look like this.

root@softethervpn:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.30.0/24      anywhere             state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.30.0/24      anywhere             state NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.30.0/24      anywhere             state NEW
root@softethervpn:~#

Now the VPN server is working and should be accessible. Please install SoftEther VPN client or your Openvpn client and connect at this time. Grab the SoftEther VPN client installer from here. Install it create a new connection see the below recommended settings. Replace the IP from our example with your VPN server’s IP and name it something and input the username and password from previous step.

Now you have an adblocking Softether VPN Server setup which can be used from 6 protocols.

To setup Softether to be logless see our other article about that here.

To setup static IP’s for port forwarding the dnsmasq DHCP server will need to use the Mac address of the VPN network adapter. This can be found via “ifconfig /all” or “ip a” on Linux. Once the Mac Address is known we need to pick an internal IP to set as static. The easiest way to find one to assign is to connect and then view the DHCP assigned IP. Then note that down and then disconnect from the VPN. It should be something like “192.168.30.x”

We will then need to create a file called “/etc/ethers”

nano /etc/ethers

Paste in the MAC Address and the internal IP to assign in the format below

macaddress internalip

So if the Mac Address is “5e:04:e5:79:e9:fa” and desired internal IP is “192.168.30.145” It would look like the below.

5e:04:e5:79:e9:fa 192.168.30.145

This Mac address is autogenerated by the VPN client in most cases and can be manually specified or changed in most OS’s. Once you have this assigned and saved. We need to reload the systemctl daemon via the below command sequence and restart the VPN service.

systemctl daemon-reload; systemctl stop dnsmasq.service; systemctl start dnsmasq.service;systemctl restart vpnserver;

Once that is done and you have connected again check to ensure its assigning this internal IP each time from this device. If that is good then we can move onto the next step which is opening the desired ports.

#Example "93.158.203.114" is VPN node IP. Port to forward is "2634". Client's static internal IP "192.168.30.145"
#iptables -t nat -A PREROUTING -d 93.158.203.114 -p tcp --dport 2634 -j DNAT --to-dest 192.168.30.145:2634
#iptables -t filter -A INPUT -p tcp -d 192.168.30.145 --dport 2634 -j ACCEPT

#iptables -t nat -A PREROUTING -d $YOUREXTERNALIP -p tcp --dport $port -j DNAT --to-dest $ClientInternalIP:$port
#iptables -t filter -A INPUT -p tcp -d $ClientInternalIP --dport $port -j ACCEPT

The $ClientInternalIP and $port will need to be filled in and then appended to the /root/softetheriptables.sh file so the rule/s are added on start/stop/reboot of the softether vpn service automatically. Once the rules are added the bash script can be run to add the new rules to IPtables and then the port checked by starting the app that is listening or opening that port and using an online port checker tool like https://portchecker.co/

bash /root/softether-iptables.sh

Then check Iptables

iptables --list

It will show that its forwarded in the Iptables like the below example if executed properly.

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.30.0/24      anywhere             state NEW
ACCEPT     tcp  --  anywhere             192.168.30.145       tcp dpt:2634


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.30.0/24      anywhere             state NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.30.0/24      anywhere             state NEW
:~#

Well we hope you enjoyed the tutorial. If your looking for a quality KVM VPS to run your own VPN server or other hosting needs we offer Proxmox SSD based VPS’s in amsterdam with excellent peering Ipv4/Ipv6 support at amazing prices. See our lineup here

KVM VPS HostingPrivacyProxySoftEtherUncategorized

Leave a Reply