SoftEther VPN Server Configuration
- Use vpncmd to configure SoftEther VPN Server:
/opt/softether/vpncmd
- Choose 1 to manage the VPN server.
- The admin console is listening on port 5555. Enter 127.0.0.1:5555 to access the admin console.
- Then press Enter to skip Virtual Hub selection.
- By default, the admin console password is empty, so anyone who can reach the admin listener has full control of the server. Set a password first, with the ServerPasswordSet command, before doing anything else.
- Configure virtual hub in SoftEtherVPN. Use the default virtual hub named DEFAULT.
Hub DEFAULT
- Create a VPN account (replace username with your preferred username) and set its password; both commands prompt for the values they need:
UserCreate username
UserPasswordSet username
Config: SecureNAT
Follow these steps if SecureNAT (the server's built-in user-mode NAT and DHCP) is chosen instead of a Local Bridge with OS-level NAT (next section):
- Enable SecureNAT which is paired with DHCP:
SecureNatEnable
DhcpSet
- DhcpSet asks for the DHCP settings of the SecureNAT virtual host one by one. Example values (192.168.30.0/24 is the default SecureNAT network; SecureNatHostGet shows the virtual host address, 192.168.30.1 by default):
Start Point for Distributed Address Band: 192.168.30.10
End Point for Distributed Address Band: 192.168.30.200
Subnet Mask: 255.255.255.0
Lease Limit (Seconds): 7200
Default Gateway: 192.168.30.1
DNS Server 1: 192.168.30.1
DNS Server 2: 8.8.8.8 (or a resolver you control, if client DNS must stay inside the tunnel)
Domain Name: press Enter to skip
Save Log: yes
- Log out from the admin console:
exit
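The admin-console steps above, from setting the admin password through enabling SecureNAT, can be run non-interactively: vpncmd reads a command file with /IN:. The script below is an added example, not code from the original page or from the SoftEther project. It writes the commands to a mode-0600 file so that the admin and user passwords never appear on a command line (and therefore not in ps output or shell history). The vpncmd path, listener address, hub name, user name, passwords and DHCP values are assumptions taken from this page; "none" is the value vpncmd accepts for "leave this parameter unset".

```shell
#!/bin/bash
# Added example (not from the original page or the SoftEther project): the
# admin-console steps above, from setting the admin password to enabling
# SecureNAT, as a vpncmd command file run non-interactively with /IN:.
# Passwords go into a mode-0600 file instead of the command line, so they do
# not show up in ps output or shell history. The vpncmd path, listener,
# hub name, user name, passwords and DHCP values are assumptions.
set -eu

VPNCMD=${VPNCMD-/opt/softether/vpncmd}   # path used on this page
ADMIN=${ADMIN-127.0.0.1:5555}            # admin console listener
HUB=${HUB-DEFAULT}

# write_vpncmd_script OUTFILE ADMIN_PASSWORD VPN_USER USER_PASSWORD
# Writes the command sequence to OUTFILE (created with mode 0600) and prints
# its path. "none" is vpncmd's value for "leave this parameter unset".
write_vpncmd_script() {
  local out=$1 admin_pw=$2 user=$3 user_pw=$4
  (
    umask 077
    cat > "$out" <<EOF
ServerPasswordSet $admin_pw
Hub $HUB
UserCreate $user /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet $user /PASSWORD:$user_pw
SecureNatEnable
DhcpSet /START:192.168.30.10 /END:192.168.30.200 /MASK:255.255.255.0 /EXPIRE:7200 /GW:192.168.30.1 /DNS:192.168.30.1 /DNS2:8.8.8.8 /DOMAIN:none /LOG:yes
EOF
  )
  printf '%s\n' "$out"
}

# Permission string of a file as ls shows it, e.g. "-rw-------" for 0600.
file_mode() { ls -l "$1" | cut -c1-10; }

# run_vpncmd SCRIPT: feed the file to vpncmd and destroy it afterwards.
# Meant for first-time provisioning, when the admin password is still empty;
# on later runs vpncmd asks for the current password on the terminal.
run_vpncmd() {
  local script=$1
  "$VPNCMD" "$ADMIN" /SERVER /IN:"$script"
  shred -u "$script" 2>/dev/null || rm -f "$script"
}

# Usage (talks to a live server, so it is not executed here):
#   f=$(write_vpncmd_script "$(mktemp -d)/cmds.txt" 'adminpw' alice 's3cret')
#   run_vpncmd "$f"
```

The command file is deleted as soon as vpncmd has consumed it; if you keep a copy for reuse, keep it at mode 0600 and out of version control, since it holds the admin password in clear text.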
Config: OS NAT (SecureNAT disabled)
Follow these steps if OS NAT is chosen instead of SecureNAT:
- Disable SecureNAT if it's active:
SecureNatDisable
- Create a Local Bridge from the hub to a new tap device. SoftEther prefixes the device name with tap_, so /DEVICE:vpn creates tap_vpn on the host (YOUR_HUB_NAME is DEFAULT in the steps above):
BridgeCreate YOUR_HUB_NAME /DEVICE:vpn /TAP:yes
- Log out from the admin console:
exit
- Give the tap device (tap_vpn) a static address on the VPN subnet (192.168.40.0/24 in the iptables rule below) and run a DHCP server on it for the VPN clients; follow this guide: DHCP Server
- Enable IP Forwarding:
sudo sysctl -w net.ipv4.ip_forward=1
- Make it permanent by setting net.ipv4.ip_forward=1 in /etc/sysctl.conf (or in a file under /etc/sysctl.d/) and reloading with sudo sysctl --system.
- On a cloud server, Reverse Path Filtering (RPF) on ens3 can drop the forwarded VPN traffic. Writing to /proc/sys/net/ipv4/conf/ens3/rp_filter takes effect immediately but is lost at reboot, so set net.ipv4.conf.ens3.rp_filter with sysctl as well (0=disabled, 1=strict, 2=loose). Prefer 2 (loose) over 0: it keeps a basic anti-spoofing check. The kernel applies the larger of net.ipv4.conf.all.rp_filter and the per-interface value, so check both.
- Add this NAT rule (192.168.40.0/24 is the VPN subnet on tap_vpn, ens3 the egress interface and 10.28.138.200 its address). The ! -d 192.168.40.0/24 match leaves VPN-to-VPN traffic un-NATed; only traffic leaving for other destinations is rewritten. SNAT assumes ens3 keeps a fixed address; use -j MASQUERADE instead if it is assigned dynamically. The rule is lost at reboot unless saved (iptables-save, or your distribution's persistence package):
sudo iptables -t nat -A POSTROUTING -s 192.168.40.0/24 ! -d 192.168.40.0/24 -o ens3 -j SNAT --to-source 10.28.138.200
- check the IPTABLES rules:
sudo iptables -t nat -L -v -n
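The host-side steps of this section (IP forwarding, rp_filter, the SNAT rule) put together as an idempotent script, as an added example that is not part of the original page or of the SoftEther project. Defaults are the page's values (192.168.40.0/24, ens3, 10.28.138.200); the sysctl.d file name and the two FORWARD rules are assumptions for your host, the latter only needed where the FORWARD chain policy is DROP. DRY_RUN=1 prints the commands instead of executing them, so the preview needs no root.

```shell
#!/bin/bash
# Added example (not from the original page or the SoftEther project): the
# host-side steps above (IP forwarding, rp_filter, SNAT) as an idempotent
# script. Defaults are the page's values; the sysctl.d file name and the
# FORWARD rules are assumptions for your host. DRY_RUN=1 prints the commands
# instead of executing them, so the preview needs no root.
set -eu

VPN_NET=${VPN_NET-192.168.40.0/24}
EGRESS_IF=${EGRESS_IF-ens3}
EGRESS_IP=${EGRESS_IP-10.28.138.200}   # set empty to use MASQUERADE instead of SNAT
SYSCTL_FILE=${SYSCTL_FILE-/etc/sysctl.d/99-softether-nat.conf}   # assumed name
DRY_RUN=${DRY_RUN-0}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Kernel settings. rp_filter=2 (loose) keeps a source-address check that 0
# removes; the value the kernel applies to an interface is the larger of
# conf.all and conf.<if>, so both are set.
sysctl_settings() {
  printf 'net.ipv4.ip_forward = 1\n'
  printf 'net.ipv4.conf.all.rp_filter = 2\n'
  printf 'net.ipv4.conf.%s.rp_filter = 2\n' "$EGRESS_IF"
}

apply_sysctl() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '# would write to %s and load it with sysctl -p:\n' "$SYSCTL_FILE"
    sysctl_settings
  else
    sysctl_settings > "$SYSCTL_FILE"
    sysctl -p "$SYSCTL_FILE"
  fi
}

# NAT rule spec, shared by the check (-C) and append (-A) forms. "! -d"
# excludes VPN-to-VPN traffic, as on this page. SNAT needs a fixed egress
# address; with EGRESS_IP empty, MASQUERADE uses whatever the interface has.
nat_rule() {
  if [ -n "$EGRESS_IP" ]; then
    printf 'POSTROUTING -s %s ! -d %s -o %s -j SNAT --to-source %s\n' \
      "$VPN_NET" "$VPN_NET" "$EGRESS_IF" "$EGRESS_IP"
  else
    printf 'POSTROUTING -s %s ! -d %s -o %s -j MASQUERADE\n' \
      "$VPN_NET" "$VPN_NET" "$EGRESS_IF"
  fi
}

# add_rule TABLE RULE...: append only when the rule is not already present,
# so re-running the script does not stack duplicates.
add_rule() {
  local table=$1; shift
  if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
    run iptables -t "$table" -A "$@"
  fi
}

apply_rules() {
  # shellcheck disable=SC2046  (splitting the rule spec into words is intended)
  add_rule nat $(nat_rule)
  # Forwarding also has to pass the filter table; needed when the FORWARD
  # policy is DROP (Docker hosts, for example), harmless when it is ACCEPT.
  add_rule filter FORWARD -s "$VPN_NET" -o "$EGRESS_IF" -j ACCEPT
  add_rule filter FORWARD -d "$VPN_NET" -i "$EGRESS_IF" \
    -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

case "${1-}" in
  preview) DRY_RUN=1; apply_sysctl; apply_rules ;;
  apply)   apply_sysctl; apply_rules; iptables -t nat -L POSTROUTING -v -n ;;
esac
```

Run `bash nat-setup.sh preview` to see exactly what would be written and executed, then `sudo bash nat-setup.sh apply`. Because every rule is checked with -C before -A, the apply step can be repeated safely, for example from a boot-time unit, instead of relying on iptables-save.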
