Let's Encrypt TLS Certificate
The SoftEther VPN server creates a self-signed TLS certificate during the installation process, but we will use a Let’s Encrypt certificate instead. The advantage of a Let’s Encrypt certificate is that it’s free, easier to set up, and trusted by VPN client software.
- Run the following command to install the Let’s Encrypt client (certbot) from the default Ubuntu repository:
sudo apt install certbot
- To check the version number, run:
certbot --version
Standalone Plugin
- If there’s no web server running on your Ubuntu 24.04 server and the SoftEther VPN server is intended to use port 443, then we can use the standalone plugin to obtain a TLS certificate from Let’s Encrypt:
sudo certbot certonly --standalone --preferred-challenges http --agree-tos --key-type rsa --email you@yourdomain.com -d vpn.yourdomain.com
Using webroot Plugin
- If your Ubuntu 22.04/20.04 server has a web server listening on ports 80 and 443, then use the webroot plugin to obtain a certificate. The webroot plugin works with pretty much every web server, and we don’t need to install the certificate in the web server.
- First, create a virtual host for vpn.example.com. We assume Apache is the web server:
sudo nano /etc/apache2/sites-available/vpn.example.com.conf
- And paste the following lines into the file:
<VirtualHost *:80>
    ServerName vpn.example.com
    DocumentRoot /var/www/html/
</VirtualHost>
Install The Certificate on SoftEther VPN Server
- Log in to the VPN admin console as root:
sudo /opt/softether/vpncmd 127.0.0.1:5555
- Choose 1 to enter VPN Server Management, and run the following command to set the TLS certificate and private key:
ServerCertSet
- Enter the following path for the certificate.
/etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem
- Enter the following path for the private key.
/etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem
- Log out from the admin console.
exit
- Restart the VPN server:
sudo systemctl restart softether-vpnserver
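Before entering the two paths at the ServerCertSet prompts, it helps to confirm that the private key belongs to the certificate, that the certificate is not about to expire, and that it covers the VPN host name. The following is an added example, not part of the original page; the function name, its arguments and its return codes are assumptions made for this sketch, and it relies only on the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for the two
# files that are entered at the ServerCertSet prompts.
# Usage: check_softether_cert <fullchain.pem> <privkey.pem> <hostname> [min_days]
# Return codes (chosen for this example): 0 ok, 2 unreadable file,
# 3 unparsable certificate or key, 4 key does not match certificate,
# 5 certificate expires too soon, 6 host name not covered.
check_softether_cert() {
    cert=$1 key=$2 host=$3 min_days=${4:-7}

    # Both files must exist and be readable by the calling user.
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "cannot read $cert or $key" >&2; return 2
    fi

    # fullchain.pem holds the leaf first; openssl x509 reads only that one.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3

    # The public key derived from privkey.pem must equal the one in the leaf.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not belong to this certificate" >&2; return 4
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires in under $min_days days" >&2; return 5
    fi

    # -checkhost reports "does match" or "does NOT match"; test the text.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" |
            grep -q 'does match certificate'; then
        echo "certificate does not cover $host" >&2; return 6
    fi
    return 0
}
```

Load the function in a root shell (the files under /etc/letsencrypt/live are readable by root only) and call it with the fullchain.pem path, the privkey.pem path and vpn.yourdomain.com; a non-zero return code means the pair should not be loaded into the VPN server.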
