softEtherVPN server creates a self-signed TLS certificate during the installation process, but we will use Let’s Encrypt certificate. The advantage of using Let’s Encrypt certificate is that it’s free, easier to set up, and trusted by VPN client software.

• Run the following commands to install Let’s Encrypt client (certbot) from the default Ubuntu repository:

sudo apt install certbot

• Check the version number, run:

certbot --version

• If there’s no Web Server running on your Ubuntu 24.04 server and softEtherVPN server intended to use port 443, then we can use the standalone plugin to obtain TLS certificate from Let’s Encrypt:

 sudo certbot certonly --standalone --preferred-challenges http --agree-tos --key-type rsa --email you@yourdomain.com -d vpn.yourdomain.com

• If Ubuntu 22.04/20.04 server has a Web Server listening on port 80 and 443, then use the webroot plugin to obtain a certificate because the webroot plugin works with pretty much every web server and we don’t need to install the certificate in the web server.
• First, create a virtual host for vpn.example.com, in this example is using Apache:

sudo nano /etc/apache2/sites-available/vpn.example.com.conf
sudo ln -s /etc/apache2/sites-available/vpn.example.com.conf /etc/apache2/sites-enable/vpn.example.com.conf

• And paste the following lines into the file:

<VirtualHost *:80>        
    ServerName vpn.example.com
    DocumentRoot /var/www/vpn.example.com
    <Directory /var/www/vpn.example.com>
       Options Indexes FollowSymLinks
       AllowOverride All
       Require all granted
    </Directory>
</VirtualHost>

• Save and close the file. Then create the web root directory:

sudo mkdir /var/www/vpn.example.com

• Set www-data (Apache user) as the owner of the web root:

sudo chown -R www-data:www-data /var/www/vpn.example.com

• Enable this virtual host:

sudo a2ensite vpn.example.com

• Reload Apache for the changes to take effect:

sudo systemctl reload apache2

• Once virtual host is created and enabled, run the following command to obtain Let’s Encrypt certificate using webroot plugin:

sudo certbot certonly --webroot --agree-tos --key-type rsa --email you@exmaple.com -d vpn.example.com -w /var/www/html

• Log into the VPN admin console as root:

sudo /opt/softether/vpncmd 127.0.0.1:5555

• Choose 1 to enter VPN Server Management, and run the following command to set TLS Certificate and private key:

ServerCertSet

• Enter the following path for the certificate.

/etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem

• Enter the following path for the private key.

/etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem

• Log out from the admin console.

exit

• Restart VPN server:

sudo systemctl restart softether-vpnserver