Installing SoftEther VPN on Ubuntu 22.04


BACKGROUND

A virtual private network (VPN) extends a private network across a public network (the internet) and enables users to send and receive data as if their computing devices were directly connected to the private network. Basically, it allows your computer (or other devices such as smart phones) to connect to a home, corporate, or 3rd party network and access those resources or connect to the wider internet from there.

Reasons for using a VPN:

  • Security on public Wi-Fi
  • Data privacy from ISP, governments, and nosy apps.
  • Remote work
  • Content access (personal, professional, or geo-restrictioned)

A good quote I pulled from Wikipedia: “A VPN is not in itself a means for good internet privacy. The burden of trust is simply transferred from the ISP to the VPN service provider.” That means you aren’t hiding from the internet. It’s just that you are able to choose where the internet or network “thinks” you are.

SoftEther VPN is a free, open-source, multi-protocol VPN client and VPN server software, developed at the University of Tsukuba (pronounced suh-koo-buh). Supported VPN protocols: SSL-VPN, L2TP/IPsec, OpenVPN, and Microsoft’s SSTP. All are provided in a single VPN server. Below are the instructions. Good luck!


INSTALLATION

You can choose to install SoftEther wherever you want as long as it’s accessible by the internet. Home, office, family/friend’s house, or VPS in a datacenter. I’m choosing a Linode VPS. Once you create an account or sign in, select “Create” across the top then select “Linode” from the drop-down.

We’ll use the following settings: Images = Ubuntu 22.04 LTS; Region = [whatever’s closest to you]; Linode Plan = Nanode 1GB; Linode Label = [whatever you want, it’s just the label you’ll see]; Root Password = [something secure that you’ll remember]. We won’t worry about the other options at this time.

Log in using PuTTy. We’ll start with updating our server.

apt-get update && apt-get upgrade -y

Install necessary dependencies.

apt-get install build-essential && apt-get install net-tools

Download the latest version of SoftEther. (Latest at the time of this writing)

wget https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.39-9772-beta/softether-vpnserver-v4.39-9772-beta-2022.04.26-linux-x64-64bit.tar.gz

Extract the installer. You can autocomplete the line by pressing “Tab” when typing “softether”.

tar -xvzf softether-vpnserver-v4.39-9772-beta-2022.04.26-linux-x64-64bit.tar.gz

Navigate to new directory and install SoftEther.

cd vpnserver
make

Go back to your home directory, move the extracted directory to /usr/local directory, navigate to the new vpnserver location, and set the permissions of it.

cd ..
mv vpnserver /usr/local
cd /usr/local/vpnserver/
chmod 600 *
chmod 700 vpncmd
chmod 700 vpnserver

Perform a final check to see whether VPN Server can operate properly on your computer system before starting vpnserver. Then exit the test.

./vpncmd
3
check
exit

Create a systemd service file to manage the SoftEther VPN service.

nano /etc/init.d/vpnserver

Copy this configuration.

#!/bin/sh
### BEGIN INIT INFO
# Provides: myscript
# Required-Start:
# Required Stop:
# Default-Start: 2 3 4 5
# Default Stop: 1 0 6
# Short-Description: simple description.
### END INIT INFO
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

To save the config, hit “Ctrl + X” keys together to exit, “Y” to save the changes to the buffer, then the “Enter” key to save the file.

Set proper permission to the systemd service file.

chmod 755 /etc/init.d/vpnserver

Add script to system startup.

update-rc.d vpnserver defaults

Start VPN service.

/etc/init.d/vpnserver start

Just as a note: you can stop the service using this command [NOT NEEDED NOW]

/etc/init.d/vpnserver stop



SOFTETHER VPN CONFIGURATION USING THE SERVER MANAGER

We need to configure SoftEther. I’m using the Server Manager for Windows. Click “New Setting”. Setting Name = whatever you want; Host Name = [Your VPS’s address or, optionally, a domain name if you wish to set that up]. Leave the password field blank. Press OK.

Once you hit Connect, it’ll ask you to input a new password for the SoftEther VPN server software. This should be different from your Linode VPS password.

Select Remote Access VPN Server. Yes, you do want the settings initialized. Name the virtual hub. Enable L2TP server function with IPsec and edit (and REMEMBER) the IPsec pre-shared key (PSK) at the bottom. Disable VPN Azure. Create a new user(s) and set the password(s). Press “Close”.

Now, there are a lot of settings to poke around in. One option in here is called SecureNAT that operates as a virtual router (DHCP & DNS) within SoftEther but don’t use it. It’s easy to set up BUT HORRIBLY SLOW!!! You may get only 10% of the speed. We’ll easily create a new network interface named “soft” and install dnsmasq on the Linux machine instead. On the main page of the server manager, press “Local Bridge Setting”.

From the Virtual Hub drop down, select yours. Click “Bridge with New Tap Device” and type “soft”. Click “Create Local Bridge”. A prompt may come up for “Using Local Bridge Function on VM” but just press ok. You should see the new device in the list as “Operating”.

DHCP AND DNS ON LOCAL BRIDGE

Go back to the Linux machine using PuTTY. Show to the new “soft” network interface we created.

ifconfig tap_soft

List open processes with IP sockets and do not resolve hostnames or port names.

lsof -i -P -n | grep LIST

systemd-resolved stops port 53 from being used by dnsmasq, which it needs. Stop the systemd-resolved service and make a change to it’s configuration.

systemctl stop systemd-resolved
nano /etc/systemd/resolved.conf

Add this to the end of the config file.

DNSStubListener=no

To save the config, hit “Ctrl + X” keys together to exit, “Y” to save the changes to the buffer, then the “Enter” key to save the file. Start the service.

systemctl start systemd-resolved

Install dnsmasq for DCHP and DNS. Then edit the config.

apt-get install dnsmasq
nano /etc/dnsmasq.conf

Add this to the end of the config file. Press “Ctrl + / ” then “Ctrl + V” to go to the end quickly.

interface=tap_soft
dhcp-range=tap_soft,192.168.7.50,192.168.7.60,12h
dhcp-option=tap_soft,3,192.168.7.1
server=1.1.1.1

To save the config, hit “Ctrl + X” keys together to exit, “Y” to save the changes to the buffer, then the “Enter” key to save the file. Edit the SoftEther VPN service.

nano /etc/init.d/vpnserver

Remove the old config and copy this one.

#!/bin/sh
# BEGIN INIT INFO
# Provides: vpnserver
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable Softether by daemon.
# END INIT INFO
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.7.1

test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 1
/sbin/ifconfig tap_soft $TAP_ADDR
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 1
/sbin/ifconfig tap_soft $TAP_ADDR
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

To save the config, hit “Ctrl + X” keys together to exit, “Y” to save the changes to the buffer, then the “Enter” key to save the file. Update the startup script.

update-rc.d vpnserver defaults

Create the file “/etc/sysctl.d/ipv4_forwarding.conf” and add the following. This sends a network packet from one network interface to another one on the same device.

nano /etc/sysctl.d/ipv4_forwarding.conf
net.ipv4.ip_forward = 1

Apply these changes.

sysctl --system

Add rule to the firewall. Basically this is saying that anything coming in with that 192.168.7.X address (which your computer/smartphone will get once you connect to the VPN) to forward it out through the VPS’s normal internet connection. Add your own IP address between the brackets.

iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source [YOUR VPS IP ADDRESS]

Install iptables-persistent so that these firewall changes aren’t lost after reboot.

apt-get install iptables-persistent

Restart services.

/etc/init.d/vpnserver restart
/etc/init.d/dnsmasq restart

Typing in this list command should show dnsmasq using port 53.

lsof -i -P -n | grep LIST

Save currently-loaded iptables rules to persistent storage.

service netfilter-persistent save



Now you can connect to it using the Mac, Windows, and Linux desktop clients. You can also connect to it using your Android or Apple smartphones using L2TP and IPsec or OpenVPN. Not too bad for a 1st post, huh? LOL. Please leave comments below or on the YouTube video with any questions, suggestions, or corrections. If there’s a better way of doing a few of the configurations, I’m open to implementing those. Thank you!


42 responses to “Installing SoftEther VPN on Ubuntu 22.04”

  1. hello
    Thank you for your in detail decription.
    I installed the server as per your description and I am able to connect with softether client.
    But I’m unable to connect with iphone, android or windows using sstp or openvpn.
    is there any thing else I should be aware of that?
    best regards

    • Hi! Thank you for your comment! With iPhone and Android, you should probably use the L2TP/IPSec VPN connection that’s built into the phones. You can also connect that way with Windows but I’ve never used the SSTP function. You can use the OpenVPN clients on any of those platforms but you’ll have to download the OpenVPN file from using SoftEther VPN Server Manager and change a few settings on it for it to work.

  2. Hi! I tried many others… with my zero knowlge of ubuntu and no luck,
    but you describe it clearly and I could connect and run, but windows SSTP certifacate dosent match with SoftEther self certifacate! and I stopped here!
    anyway I appracaite your efforts man.
    Cheers

  3. I find it out why …

    due SoftEther has self-in certificate… and we don’t buy the ssl sertificate…
    so we can not use the app “Open SSTP Client” But there is another app:

    “SSTP Max”

    which dont check the certificate so you can use it on Android,
    not sure on iOS but I gess if you buy the app “SSTP connec”

    • I’ve found a way of connecting via SSTP. The problem occurs because there’s no valid certificate in the Windows cert store. Log into the SoftEther VPN Server Manager, click “Encryption and Network”, click “Export” in the Server Certificate Settings, then import that cert manually into Windows. https://youtu.be/9_oTTGyVmtA?t=900. The connection should work after that.

  4. hi
    thanks for your great tutorial. can you please make another tutorial about how to install softether vpn client for ubuntu 22?
    I’d tried many tutorial but couldn’t connect it to my server. most of them was for ubuntu 18 or older versions and couldn’t figure out how to do it.
    I’m totally new on ubuntu.
    thanks.

  5. The training is wonderful

    thanks a lot

    As you mentioned, the speed in SecureNAT mode is very low, but now I have a problem, I have 100 users and they can’t connect at the same time with open vpn. Any user who connects earlier, other users can’t connect, please help. ?

    Of course, I have no knowledge of Linux at all, and I have set it up step by step with your instruction. Please provide this help for me, which may be needed for others, in the form of a video on YouTube.

    I will explain to you some information about my architecture that may be necessary

    I use 2 vps and users are connected to vps 1 through openvpn

    vps 1 is connected to vps 2 through cascade connection

    I have implemented your training settings in VPS 2

    In both vps, the SecureNAT mode is disabled and the connection is exactly based on your instruction

    It works, but there is a problem that I said, please help

        • If you set up your VPN exactly like the tutorial, then you’d only have 11 IP addresses. At the 17:29 mark in the video, I edited how many IPs you have to use. Adjust your DCHP range to add more concurrent connections.

  6. Hi.

    Very nice presentation on the video and explanation as well. Up to the dnsmasq part. There you tent to be less descriptive within each paragraph and here is why.
    Before i explain the why let me tell you that even without using the dnsmasq service, vpn can still work. Actually since I have it for 3 years active but in a Windows environment, didn t have to configure it at all and didnt have the SecureNAT enabled as well. By the way there are some confilcts like
    -Disabling DNSStubListener causes VM cannot resolve domain names
    -DNSStubListener=no should update a dynamic resolv.conf automatically but it doesn t
    …..etc which are well documented in github pages (you could raise awareness about that)
    Now for the …. less descriptive part.
    – you could refer that udp 53 is being used from DNS (as you see most of the readers/viewers are below average and just follow blindly). Since you start informative about everything you re doing and why, keep it that way.
    -<<>> Here you just say to list the processes ok and the <> stays on the air. I cant understand what you mean by dont.
    – /etc/dnsmasq.conf file configuration
    interface=tap_soft (the prefix tap_) isnt being used on the gui during creation of the virtual hub on that network interface. So is tap Linux’s way of saying virtual network interface?
    dhcp-range=tap_soft,192.168.7.50,192.168.7.60,12h
    what is the 12h at the end?
    also here you could (even the word range describes it) that each user could narrow down or spread the range as he needs accordingly.
    dhcp-option=tap_soft,3,192.168.7.1
    what is the 3 in the middle stands for?
    I guess here …7.1 stands for the virtual hub itself since it acts as a gateway?
    -nano /etc/init.d/vpnserver
    you could explain a bit about the new configuration what it does differently than the original.
    In conclusion for my opinion this guide is half a way there to explain a plain user what it does and why. Take into consideration that since we re are from different countries and probably you ll misunderstand my intentions, this was my way of constructive criticism and I had by any means the intention to be rude or anything.

    Thank you in advance for any response.

  7. Answering here the questions you ve asked me on youtube since they are keep being deleted.

    you asked
    1. Was your Windows environment at home or somewhere that there was a separate router/DHCP server? Or did your Windows machine itself house the DNS/DHCP service? If so, that may be what was giving you DNS/DCHP.
    2. Since we want dnsmasq to handle DNS queries, we edit DNSStubListener in systemd-resolved to stop.
    3. The 12h is how long the DHCP lease lasts (12 hours).
    4. TAP is a type of interface in Linux and must be specified in the config. https://en.wikipedia.org/wiki/TUN/TAP
    5. The “3” is a designation that it’s the default route. You can run “dnsmasq –help dhcp” to see all IPv4 options. https://www.rfc-editor.org/rfc/rfc2132#section-3.5 You are correct about the 192.168.7.1 address assumptions.
    6. The new configuration mostly just adds the TAP interface settings to the softether service.

    Hopefully I answered your questions sufficiently and thanks again!

    My answers

    1.No it is in a production level environment so different router/DHCP server (WinServ2019 AD DS actes as DHCP).
    2.ok
    3.nice!
    4.nice as well
    5.ok again about the 3 option but here I think there will be a problem if the client gets something of 7.0 segment, then the erp program which expects him to have something on 1.0 segment wont load. In my mind there has to be NAT translation on both sides in order to …. inside the tunnel communicate via 7.0 and on both sides that 7.0 will be converted to 1.0 via a mac/ip table or something and the ERP program will load.
    6.ok but why it needs extra interface and dnsmasq can t run on the default one?

    My main question remains though ….
    <<>>
    In a VM or a physical machine what needs to be filled in there? The private ip of the softether server or the public one?
    If it is the public one, and no static ip can it be used the dns name instead of the dynamic dns function of softether like 12323r455gfdy.softether.net ?
    New edit: Tries the dynamic dns name softether provides and as it seems only ip addresses are valid in this option.

    By the way in Containers (I m not sure if it is because of it being unprivileged) you can t create a new virtual interface. It just errors out and stays like that (even after restart). In VMs it lets you.
    Also the speed is horrible for the remote client in download side (Upload is maxed out-of course the download of the client is the upload of the server and vis versa). In a physical machine with the same specs as the VM is wayyyy better. This is what I am trying to figure out now if the problem is teh virio drivers, the vmbr based on 2 ports in LASP mode….etc (New edit neither that I tried without the lasp mode and still same lame performance )

    PS Sorry for bringing that up, but this guide is the translation of a korean-Chinese one someone mentioned inside a post on softether forum. At least you made the video and cleared out some concepts of the procedure.Kudos on that.

  8. Hi, this command did not work for me:
    iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT –to-source [YOUR VPS IP ADDRESS]

    I had to write MASQUERADE after -j and delete the rest.

  9. i followed step by step but i cant connect from any device.

    when run this command I get error:

    /etc/init.d/dnsmasq restart
    Restarting dnsmasq (via systemctl): dnsmasq.serviceJob for dnsmasq.service failed because the control process exited with error code.
    See “systemctl status dnsmasq.service” and “journalctl -xeu dnsmasq.service” for details.

  10. Hi there thanks for your good tutorial

    I have a problem. Speed over SecureNAT is so low how can I resolve it ?

  11. This is great CJ! Helped me a lot. A suggestion: consider adding the installation of init-system-helpers in that second install help. I was doing this on both Debian 10 and 11 and update-rc.d is not installed by default, that package is needed. For anybody that already has it the addition won’t hurt.

  12. Hello, I have problem with authentization on ad, I have in username * and select ad/nt but it is not working, it only connect with administrator (it have same password at sofether). Can you help me? I did not find any how to. Thanks

    • Hello,

      I’d need a bit more info about your setup. Where is SoftEther being hosted? Where is your AD/NT being hosted? If they are in 2 different environments, how are they communicating?

      Also, when you say that it only connects with administrator, are you referring to the AD administrator or the SoftEther local administrator? If you’re not sure, the passwords will need to be different to verify which one is connecting.

      • I have ubuntu 22.04, on it I have ad dc and sofether, its on the same computer, on real computer. Ive think its softether admin. In softether docs say it must be conect in domain or hostin domain, so it is and something else is not say in docs. Thank you.

        • Since it’s on a Linux machine, what software is handling Active Directory? Also, are these in separate VMs or just applications running on a single machine with no virtualization?

          • Honestly, I know about Samba but I haven’t worked with it. I can only give a few pointers. Make sure the VM environments have the ability to communicate with each other. Make sure all the firewall ports needed for communication are open on each machine. Make sure Samba is configured correctly and verify with a 3rd device that you can access AD/Kerberos in the same manner that you are trying to use SoftEther. Other than that, I really can’t think of other ways of troubleshooting. If you make a YouTube video explaining your setup and demonstrating the problem, I may be able to help more.

          • Thank you, but i search on internet it not worked no linux with ad, so i can have radius with ad, but it not worked well because of conf winbind (other things didnt make friend with winbind) so i have certificates and it work. Or i must have it on another pc/virtual.

  13. Thank you, but i search on internet it not worked no linux with ad, so i can have radius with ad, but it not worked well because of conf winbind (other things didnt make friend with winbind) so i have certificates and it work. Or i must have it on another pc/virtual.

  14. I have a VPS where i followed all instructions step by step on your tutorial.
    Unfortunately when trying to connect straight from my router client (L2TP) is also asking me for l2TP password. Any ideas how to sort it out ;D?

    • when i try to connect from VPN client on mac keep getting
      “The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.”

      • It’s tough when you are the administrator. Lol. Ensure that you aren’t on a network/ISP that blocks the ports that you need to connect to. Make sure you are using all the credentials you used during set up.

    • when i type lsof -i -P -n | grep LIST
      i have
      dnsmasq 1247515 dnsmasq 5u IPv4 21374070 0t0 TCP *:53 (LISTEN)
      dnsmasq 1247515 dnsmasq 7u IPv6 21374072 0t0 TCP *:53 (LISTEN)

  15. Hi. Thanks to your efforts, I have a good VPN connection and am using it.

    However, I have a problem. My speed is limited to 100mbps. Currently my system is ubuntu and softether is in one of the lxd containers. The ubuntu system and the lxd container itself are getting 1Gbps, but when I connect the vpn it drops to 100mbps.

    It looks to me like the speed bottleneck is happening when the tap NIC and the vpn client NIC are communicating with each other, but as a non-technical person I’m not sure how to approach and troubleshoot this.

    How do I fix this?

Leave a Reply

Your email address will not be published. Required fields are marked *