Softether VPN server on CentOS 7


SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris. SoftEther VPN is open source. You can use SoftEther for any personal or commercial use for free charge. 

Lets install SoftEther VPN Server on CentOS 7 without GUI.

In the beginning, lets update the system, install dependencies and disable SElinux, then we could restart our machine,

    yum update
    yum -y groupinstall "Development Tools"
    yum -y install gcc zlib-devel openssl-devel readline-devel ncurses-devel wget tar dnsmasq net-tools iptables-services system-config-firewall-tui nano iptables-services
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

 After the server boots up, disable both firewalls

systemctl disable firewalld
systemctl stop firewalld
systemctl status firewalld
service iptables save
service iptables stop
chkconfig iptables off 

Try to ping, if it doesn't works, use these codes :

echo DNS1= >> /etc/sysconfig/network-scripts/ifcfg-eth0 
echo DNS2= >> /etc/sysconfig/network-scripts/ifcfg-eth0
/etc/init.d/network restart 

After that we need to download, unpack and compile the package

cd /usr/src
tar xzvf softether-vpnserver-v4.25-9656-rtm-2018.01.15-linux-x64-64bit.tar.gz -C /usr/local
cd /usr/local/vpnserver
Compile will ask you three questions, Answer all with 1​, Next we need to make init script for softether,
sudo nano /etc/init.d/vpnserver 
Copy and paste these codes 
    # Provides: vpnserver
    # Required-Start: $remote_fs $syslog
    # Required-Stop: $remote_fs $syslog
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: Start daemon at boot time
    # Description: Enable Softether by daemon.

    test -x $DAEMON || exit 0
    case "$1" in
    $DAEMON start
    touch $LOCK
    sleep 1
    /sbin/ifconfig tap_soft $TAP_ADDR
    $DAEMON stop
    rm $LOCK
    $DAEMON stop
    sleep 3
    $DAEMON start
    sleep 1
    /sbin/ifconfig tap_soft $TAP_ADDR
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    exit 0
Next we need to add the executable bit to the init script and start it
chmod +x /etc/init.d/vpnserver
/etc/init.d/vpnserver start
systemctl enable vpnserver 

 Don't mind that it complaints about tap interface, that is because we added it to init script and made it start with softether but didn't yet made the tap interface in softether config. We will come to that latter.

Congratulations ! Softether is installed, Lets configure it


Press 1 to select "Management of VPN Server or VPN Bridge", and then when it asks you which server to configure, just press ENTER

Next type "ServerPasswordSet" to assign a password on VPN Server, we can use this password to change VPN configuration remotely.

In order to use softether, virtual hub needs to be created. We will create one named MOB with following command

HubCreate MOB 

It will ask you to set password. Now we need to create local bridge.

BridgeCreate /DEVICE:"soft" /TAP:yes MOB 
Now we switch to hub MOB
Hub MOB 

 Its time to create a "test" user. 

Just Press "Enter" if it need more information's about our test user, 

Its just a simple test user

UserCreate test

​and Password for test user

UserPasswordSet test 

Now we setup L2TP/IPSec, Use these settings

VPN Server/MOB>IPsecEnable
IPsecEnable command - Enable or Disable IPsec VPN Server Function
Enable L2TP over IPsec Server Function (yes / no): yes

Enable Raw L2TP Server Function (yes / no): yes

Enable EtherIP / L2TPv3 over IPsec Server Function (yes / no): yes

Pre Shared Key for IPsec (Recommended: 9 letters at maximum): wooservers

Default Virtual HUB in a case of omitting the HUB on the Username: MOB 
That is it for IPsec, but we also want to have other protocols. For example OpenVPN​.
Argument passed to the command must be your server IP adress
ServerCertRegenerate <YOUR SERVER IP>
ServerCertGet ~/cert.cer 
We can now enable SSTP function with this command:
SstpEnable yes 

And to enable OpenVPN :

OpenVpnEnable yes /PORTS:1194
OpenVpnMakeConfig ~/ 
For maximal evasion of all blockages, we also need to enable VPN over ICMP and DNS:
VpnOverIcmpDnsEnable /ICMP:yes /DNS:yes 
Now exit the vpncmd because we need to stop the vpnserver and setup dnsmasq
service vpnserver stop 
Softether is now configured, but since we are not using SecureNAT and going with local bridge instead, will need a DHCP server.
echo interface=tap_soft >> /etc/dnsmasq.conf
echo dhcp-range=tap_soft,,,12h >> /etc/dnsmasq.conf
echo dhcp-option=tap_soft,3, >> /etc/dnsmasq.conf
echo port=0 >> /etc/dnsmasq.conf
echo dhcp-option=option:dns-server, >> /etc/dnsmasq.conf
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.d/ipv4_forwarding.conf

sysctl -n -e --system 

Check if it is applied, it must show 1

cat /proc/sys/net/ipv4/ip_forward 

​If its not do this

    echo 1 > /proc/sys/net/ipv4/ip_forward 
Its time Enable NAT and postrouting, Then we can restart vpn and dhcp servers with following commands and enable them to start at every boot: 
iptables -t nat -A POSTROUTING -s -j SNAT --to-source <YOUR SERVER IP ADDRESS>
iptables-save > /etc/sysconfig/iptables

service vpnserver start
systemctl start dnsmasq
systemctl enable dnsmasq
chkconfig vpnserver on

DDoS attacks and methods to prevent it
Install a LEMP Stack on Debian 9

Comments 2

hamed dadya on Sunday, 10 June 2018 04:23

vpn is faster on Windows server. Is not it?

vpn is faster on Windows server. Is not it?
Andrey WooServers on Sunday, 10 June 2018 14:52

no, i don't think it matters whether you use windows or linux for VPN

on Linux it's actually more stable...

no, i don't think it matters whether you use windows or linux for VPN on Linux it's actually more stable...
Already Registered? Login Here
Friday, 17 August 2018
Join WooServers Community and get an Instant $25 Bonus!