SoftEther VPN Server Configuration

  • Use vpncmd to configure SoftEther VPN Server:
/opt/softether/vpncmd
  • Choose 1 to configure the VPN server.
  • The admin console is listening on port 5555. Enter 127.0.0.1:5555 to access the admin console.
  • Then press Enter to skip Virtual Hub selection.
  • By default, the password for the admin console is empty. Set a password by executing the ServerPasswordSet command.
  • Select the virtual hub to configure. This guide uses the default virtual hub named DEFAULT:
Hub DEFAULT
  • Create a VPN account (replace username with your preferred username), and set password:
UserCreate username
UserPasswordSet username

Config: SecureNAT

Follow these steps if SecureNAT is chosen (rather than the Local Bridge mode described in the next section):

  • Enable SecureNAT and configure its built-in DHCP server:
SecureNatEnable
DhcpSet
  • You will be prompted for a series of settings. Use the following values (example):
Start Point for Distributed Address Band: 192.168.30.10
End Point for Distributed Address Band: 192.168.30.200
Subnet Mask: 255.255.255.0
Lease Limit (Seconds): 7200
Default Gateway: 192.168.30.1
DNS Server 1: 192.168.30.1
DNS Server 2: 8.8.8.8
Domain Name: Press Enter to skip.
Save Log: yes
  • Log out from the admin console:
exit

Config: Layer 2 VPN Bridge Mode

Follow these steps if Local Bridge Connection is chosen instead of SecureNAT.

  • Disable SecureNAT if it was enabled:
SecureNatDisable
  • Create the bridge. SoftEther adds the tap_ prefix itself, so /DEVICE:vpn creates a tap device named tap_vpn:
BridgeCreate YOUR_HUB_NAME /DEVICE:vpn /TAP:yes
  • Log out from the admin console:
exit
  • Assign an IP address to the tap device via DHCP; follow this guide: DHCP Server
  • Enable IP Forwarding:
sudo sysctl -w net.ipv4.ip_forward=1
  • Make it permanent by ensuring net.ipv4.ip_forward=1 is set in /etc/sysctl.conf
  • On a cloud server, disable Reverse Path Filtering (RPF): edit /proc/sys/net/ipv4/conf/ens3/rp_filter and make sure the value is 0 (0 = disabled, 1 = strict, 2 = loose). ens3 is the upstream interface name used in this example.
  • Add these rules to iptables (192.168.40.0/24 is the VPN client subnet, ens3 the upstream interface):
sudo iptables -t nat -A POSTROUTING -s 192.168.40.0/24 -o ens3 -j MASQUERADE
sudo iptables -A FORWARD -i tap_vpn -o ens3 -j ACCEPT
sudo iptables -A FORWARD -i ens3 -o tap_vpn -j ACCEPT
  • Check the iptables rules:
sudo iptables -t nat -L -v -n
  • Install this package to make the iptables rules persistent:
sudo apt install netfilter-persistent -y
  • Save the iptables rules:
sudo netfilter-persistent save

  • Remember to allow ICMP (ping) through the Windows firewall if a Windows client is used for testing with ping!
  • Some clouds have reverse path filtering activated; check /proc/sys/net/ipv4/conf/tap_vpn/rp_filter
  • If the value is not 0 (1 = strict, 2 = loose, as above), set it off temporarily. Both settings below are needed because the kernel applies the larger of the all and per-interface values:
sudo sysctl -w net.ipv4.conf.tap_vpn.rp_filter=0
sudo sysctl -w net.ipv4.conf.all.rp_filter=0
  • Or permanently, by editing /etc/sysctl.conf and adding these lines:
net.ipv4.conf.tap_vpn.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
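The iptables and rp_filter steps above, as an added helper script that is not part of the original page or of SoftEther: it reports the effective rp_filter state for the tap device (the kernel takes the larger of the all and per-interface values) and emits the NAT/forward rules in a re-runnable form, narrowing the return-path FORWARD rule to established connections. The subnet, tap name and upstream interface are assumptions copied from the page's examples and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not the page's own or SoftEther's code. Subnet, tap and upstream
# interface names are assumptions taken from the page's examples; override via env.
VPN_SUBNET="${VPN_SUBNET:-192.168.40.0/24}"
TAP_IF="${TAP_IF:-tap_vpn}"
WAN_IF="${WAN_IF:-ens3}"
# The kernel uses the larger of conf/all/rp_filter and conf/<iface>/rp_filter
# (which is why the page sets both); return that effective value.
effective_rp_filter() {
  if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}
rp_filter_label() {
  case "$1" in
    0) echo disabled ;; 1) echo strict ;; 2) echo loose ;; *) echo unknown ;;
  esac
}
# $1 = sysctl root (/proc/sys normally; a constructed tree in tests), $2 = interface.
read_rp_filter() { cat "$1/net/ipv4/conf/$2/rp_filter"; }
# Report the state and succeed only when the effective value is 0, as the page requires.
rp_filter_ok() {
  rp_all=$(read_rp_filter "$1" all)
  rp_if=$(read_rp_filter "$1" "$2")
  rp_eff=$(effective_rp_filter "$rp_all" "$rp_if")
  echo "rp_filter $2: all=$rp_all iface=$rp_if effective=$rp_eff ($(rp_filter_label "$rp_eff"))"
  [ "$rp_eff" -eq 0 ]
}

# Emit one idempotent iptables command: '-C' checks whether the rule exists, so
# re-running never appends duplicates. $1 = table options (may be empty), $2 = rule.
rule() {
  t=${1:+"$1 "}
  echo "iptables $t-C $2 2>/dev/null || iptables $t-A $2"
}

# NAT and forwarding rules from the page, with the return-path FORWARD rule narrowed
# to established/related traffic instead of accepting anything from upstream.
nat_rules() {
  rule "-t nat" "POSTROUTING -s $VPN_SUBNET -o $WAN_IF -j MASQUERADE"
  rule "" "FORWARD -i $TAP_IF -o $WAN_IF -j ACCEPT"
  rule "" "FORWARD -i $WAN_IF -o $TAP_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Usage: sh vpn-fwd.sh check  (report rp_filter for $TAP_IF)
#        sh vpn-fwd.sh apply  (install rules; needs root)
case "${1-}" in
  check) rp_filter_ok /proc/sys "$TAP_IF" ;;
  apply) nat_rules | sh ;;
esac
```

Run `sh vpn-fwd.sh check` after the tap device exists; `apply` prints nothing on success and still needs netfilter-persistent save to survive a reboot.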