SoftEtherVPN server creates a self-signed TLS certificate during the installation process, but we will use Let’s Encrypt certificate. The advantage of using Let’s Encrypt certificate is that it’s free, easier to set up, and trusted by VPN client software.

• Run the following commands to install Let’s Encrypt client (certbot) from the default Ubuntu repository:

sudo apt install certbot

• Check the version number, run:

certbot --version

• Use the standalone plugin to obtain TLS certificate (if SoftEther VPN server will use port 443, no Webserver installed):

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --key-type rsa --email you@yourdomain.com -d vpn.yourdomain.com

If your Ubuntu 22.04/20.04 server has a web server listening on port 80 and 443, then it’s better to use the webroot plugin to obtain a certificate because the webroot plugin works with pretty much every web server and we don’t need to install the certificate in the web server.

• Log into the VPN admin console as root:

sudo /opt/softether/vpncmd 127.0.0.1:5555

• Choose 1 to enter VPN Server Management, and run the following command to set TLS Certificate and private key:

ServerCertSet

• Enter the following path for the certificate.

/etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem

• Enter the following path for the private key.

/etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem

• Log out from the admin console.

exit

Restart VPN server:

sudo systemctl restart softether-vpnserver