===== SoftEther VPN Server Configuration =====

  * Use vpncmd to configure SoftEther VPN Server:
    /opt/softether/vpncmd
  * Choose 1 to configure the VPN server.
  * The admin console is listening on port 5555. Enter **127.0.0.1:5555** to access the admin console.
  * Then press Enter to skip Virtual Hub selection.
  * By default, the password for the admin console is empty. Set a password by executing the **ServerPasswordSet** command.
  * Configure the virtual hub in SoftEther VPN. Use the default virtual hub named DEFAULT:
    Hub DEFAULT
  * Create a VPN account (replace username with your preferred username) and set its password:
    UserCreate username
    UserPasswordSet username

==== Config: SecureNAT ====

Follow these steps if SecureNAT is chosen instead of the Local Bridge (Layer 2) mode:

  * Enable SecureNAT, which is paired with its DHCP server, then configure DHCP:
    SecureNatEnable
    DhcpSet
  * You will be asked a series of configuration questions. Use the following (example):
    Start Point for Distributed Address Band: 192.168.30.10
    End Point for Distributed Address Band: 192.168.30.200
    Subnet Mask: 255.255.255.0
    Lease Limit (Seconds): 7200
    Default Gateway: 192.168.30.1
    DNS Server 1: 192.168.30.1
    DNS Server 2: 8.8.8.8
    Domain Name: (press Enter to skip)
    Save Log: yes
  * Log out from the admin console:
    exit

==== Config: Layer 2 VPN Bridge Mode ====

Follow these steps if Local Bridge Connection is chosen instead of SecureNAT.

  * Disable SecureNAT if it's active:
    SecureNatDisable
  * Create the bridge. SoftEther adds the **tap_** prefix, so the tap device is created as **tap_vpn**:
    BridgeCreate YOUR_HUB_NAME /DEVICE:vpn /TAP:yes
  * Log out from the admin console:
    exit
  * Assign an IP address to the tap device using DHCP; follow this guide: [[DHCP Server]]
  * Enable IP forwarding:
    sudo sysctl -w net.ipv4.ip_forward=1
  * Make it permanent by ensuring the parameter **net.ipv4.ip_forward=1** is set in **/etc/sysctl.conf**.
  * On a cloud server, disable Reverse Path Filtering (RPF): edit **/proc/sys/net/ipv4/conf/ens3/rp_filter** and make sure the value is **0** (0=disable, 1=strict, 2=loose).
  * Add these rules to iptables:
    sudo iptables -t nat -A POSTROUTING -s 192.168.40.0/24 -o ens3 -j MASQUERADE
    sudo iptables -A FORWARD -i tap_vpn -o ens3 -j ACCEPT
    sudo iptables -A FORWARD -i ens3 -o tap_vpn -j ACCEPT
  * Check the iptables rules:
    sudo iptables -t nat -L -v -n
  * Install this to make the iptables rules persistent:
    sudo apt install netfilter-persistent -y
  * Save the iptables rules:
    sudo netfilter-persistent save

----

  * Remember to enable ICMP on Windows if using Windows as the client for testing the ping!
  * Some clouds have reverse path filtering activated; check /proc/sys/net/ipv4/conf/tap_vpn/rp_filter
  * If the value is not 0 (1=strict, 2=loose), turn it off (temporarily):
    sudo sysctl -w net.ipv4.conf.tap_vpn.rp_filter=0
    sudo sysctl -w net.ipv4.conf.all.rp_filter=0
  * Or permanently, by editing /etc/sysctl.conf and adding:
    net.ipv4.conf.tap_vpn.rp_filter = 0
    net.ipv4.conf.all.rp_filter = 0
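The bridge-mode host settings above (ip_forward, rp_filter on the tap device, uplink and "all", and the three iptables rules) are easy to get half-right, so here is an added example (not from the wiki page or from SoftEther) that audits them offline from the text of `sysctl -a` and `iptables-save`. The interface names, the 192.168.40.0/24 subnet and the two sample outputs are assumptions constructed for the example.

```python
# Added example (not from the wiki page or SoftEther): audit the bridge-mode
# host settings from the text of `sysctl -a` and `iptables-save`.
# Interface names, subnet and the sample outputs below are assumptions.
VPN_SUBNET = "192.168.40.0/24"      # subnet used in the MASQUERADE rule
WAN_IF, TAP_IF = "ens3", "tap_vpn"  # uplink and SoftEther tap device

# Constructed sample output: rp_filter still loose on "all", one FORWARD rule missing.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.ens3.rp_filter = 0
net.ipv4.conf.tap_vpn.rp_filter = 0
"""
SAMPLE_IPTABLES = """\
*nat
-A POSTROUTING -s 192.168.40.0/24 -o ens3 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i tap_vpn -o ens3 -j ACCEPT
COMMIT
"""

def parse_sysctl(text):
    """Turn 'key = value' lines (sysctl -a format) into a dict of strings."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def audit(sysctl_text, iptables_save_text):
    """Return the checklist items that are NOT satisfied (empty list = all good)."""
    s = parse_sysctl(sysctl_text)
    rules = {line.strip() for line in iptables_save_text.splitlines()}
    problems = []
    if s.get("net.ipv4.ip_forward") != "1":
        problems.append("net.ipv4.ip_forward is not 1")
    # RPF must be off on the tap device, 'all' and the uplink (0=disable, 1=strict, 2=loose)
    for key in (f"net.ipv4.conf.{TAP_IF}.rp_filter",
                "net.ipv4.conf.all.rp_filter",
                f"net.ipv4.conf.{WAN_IF}.rp_filter"):
        if s.get(key) != "0":
            problems.append(f"{key}={s.get(key)} (expected 0)")
    # The three iptables rules from the checklist, in iptables-save form
    for rule in (f"-A POSTROUTING -s {VPN_SUBNET} -o {WAN_IF} -j MASQUERADE",
                 f"-A FORWARD -i {TAP_IF} -o {WAN_IF} -j ACCEPT",
                 f"-A FORWARD -i {WAN_IF} -o {TAP_IF} -j ACCEPT"):
        if rule not in rules:
            problems.append(f"missing rule: {rule}")
    return problems

if __name__ == "__main__":
    for p in audit(SAMPLE_SYSCTL, SAMPLE_IPTABLES):
        print("FAIL:", p)
```

Note that the `ens3 -> tap_vpn` ACCEPT rule forwards any inbound packet onto the VPN segment; restricting it with `-m conntrack --ctstate RELATED,ESTABLISHED` is the usual hardening if clients only need outbound access.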