SoftEther VPN 4.29

Softether VPN is a modern multi-protocol VPN manager and client. The program ensures the highest level of confidentiality by independently creating L-2 and L-3 tunnels and professionally encrypting traffic. It is open source and freely distributed, powered by a multinational team of volunteers. The only difficulty will be caused by assembling the utility from components and its further configuration in the absence of a Russified interface. The product is intended for connoisseurs and experts and will be difficult for ordinary users.

About the product

The program was created in Japan; in 2003, Daiyu Nobori, a student at one of the universities, developed the first version of the product and immediately came under the close attention of the government. The authorities considered its development unsafe, suggesting that it could “damage the image of other VPN products.” The student proposed the program to Mitsubishi Materials Corporation, losing the rights to it, but in 2014 he again released it to the market, this time as open source. Currently, the issue of exclusive rights has not been fully resolved.

Softether VPN servers are located only in the East of Eurasia; this, as well as the creation technology, provides high speed work for users from Russia living close to the localization region, as well as for clients from Central Asian countries. The program has a built-in firewall. The proprietary SSL-VPN data transfer protocol used is identical in appearance to regular HTTPS traffic, this allows you to hide the fact of using VNP and makes the program popular in China; it can cope with DPI (Deep Packet Inspection) technologies that block some protocols. The program works through the rarely used port 433. Traffic is masked very successfully; sometimes ICMP (ping) and DNS requests are imitated for data transfer purposes.

When answering the question of how to use Softether VPN, it should be noted that the program is designed for all operating systems, but requires certain technical knowledge. It is multicomponent and consists of the following elements:

Softether VPN server. It consists of Server, Bridge and VPN Server Manager (in the version offered for Windows);
Bridge. The option connects local networks to VPN tunnels;
Softether VPN server manager. It is installed separately and allows you to administer remote VPN servers; you will also need to download Softether VPN manager separately from other program blocks;
Vpncmd is designed for command line administration; it is actually a program management console;
Softether VPN client - the client is required to connect to the VPN network.

The price of the current version of Softether VPN client manager 4.22 does not depend on the number of components, since the program is distributed under an open license; you can download it on the developer’s website by selecting the necessary components or use already assembled packages offered by experts.

Privacy Policy

Users who decide to download the Softether VPN client will be most concerned about how well it provides anonymity on the Internet and by what means the traffic is encrypted. The system uses AES 256-bit and RSA 4096-bit encryption. But since the product team positions itself as a team of volunteers without stating its real goals, some experts do not recommend choosing this offer. Using client computers, with their consent, as proxy servers does not guarantee security.

Advantages and disadvantages

Softether VPN manager has both pros and cons, and since the product is specific and unusual for the VPN market, its characteristics will be just as unusual.

Advantages

the ability to use several protocols, these include L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP servers, the developer also proposed their own “SSL-VPN” protocol;
unlimited traffic;
the product is distributed under a free license;
The technology for creating the program eliminates the possibility of blocking its use in Russia.

Flaws

Most servers are located in the Far East, Japan and South Korea, the data transfer speed will not be very high. At the same time, users note frequent connection dropouts;
difficulty of installation. Users often cannot understand what is better, download the Softether VPN gate plugin or install the client; many operations when assembling a system from components must be performed manually, using the command line;
there are suspicions that the program contains spyware;
It is not obvious from the user manual how to use Softether VPN client manager to connect remote VPN servers.

Installation and configuration

You can download Softether VPN in Russian on the developer’s website. Softether VPN is configured differently, depending on what software is installed on the computer; for Windows, vpncmd will be bundled with VPN Server Manager; on UNIX, it is installed with the server. By going to the developer’s website, you need to select the necessary components, get a link, download Softether VPN client manager in Russian and unpack the archive.

Next, the system will ask the user a series of questions, all of which must be answered “yes”. In the vpncmd management console, you need to check the compatibility of your system with Softether VPN. After confirming its functionality, you need to launch the program and configure the Softether VPN client.

Users in Russia are in no hurry to choose this program, despite the fact that with its help you can build your own local secure networks. Even the support of Pavel Durov had no impact on her popularity. The widespread use of the software is hampered by the complexity of installation and configuration and low connection speed.

If Softether VPN does not interest you, we present to your attention the TOP 3 VPN services according to our editors

Network modes of SoftEther VPN Server

SoftEther has two traffic transfer mechanisms: SecureNAT and Local Bridge.

SecureNAT

SecureNAT is SoftEther's own technology, which creates a closed network and consists of two parts: a virtual NAT and a virtual DHCP server.

SecureNAT is not demanding on the type of virtualization of VPS/VDS servers, as it works without TUN/TAP. SecureNAT does not require setting up iptables or any other firewall, other than opening the port on which connections from clients will be accepted.

Traffic routing is carried out without affecting the system core. All processes are fully virtualized. This gives rise to the disadvantages of the mode, increased CPU load and loss of speed when compared with Local Bridge.

The user only needs to turn on the mode, connect the client, after which he can start using the VPN.

Activating SecureNAT mode

To enable SecureNAT mode, go to the hub management console and run the SecureNatEnable .

VPN Server/VPN_1>SecureNatEnable SecureNatEnable command — Enable the Virtual NAT and DHCP Server Function (SecureNat Function) The command completed successfully.

You can find out the current status using the SecureNatStatusGet .

VPN Server/VPN_1>SecureNatStatusGet SecureNatStatusGet command — Get the Operating Status of the Virtual NAT and DHCP Server Function (SecureNat Function) Item |Value ————————-+———- Virtual Hub Name |VPN_1 NAT TCP/ IP Sessions |40 Session NAT UDP/IP Sessions |5 Session NAT ICMP Sessions |0 Session NAT DNS Sessions |0 Session Allocated DHCP Clients |1 Client Kernel-mode NAT is Active|Yes Raw IP mode NAT is Active|Yes The command completed successfully.

The command shows the number of sessions, connected clients and the current SecureNAT status. Values “Yes” indicate that SecureNAT mode is now active.

As I wrote above, SecureNAT does not require setting up a firewall to route traffic. You just need to open the port on which vpnserver will accept incoming connections from clients.

Let's add an iptables rule that opens port 443 (or any other).

iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

You can install the client, connect to the server, and start using VPN or read a little about SecureNAT network settings.

Overview of SecureNAT network settings

I warn you, you shouldn’t change the default settings if you don’t know what you’re doing. Everything is already set up there without you. Otherwise, you may face unpleasant consequences.

The current network settings can be found using the SecureNatHostGet .

VPN Server/VPN_1>SecureNatHostGet SecureNatHostGet command — Get Network Interface Setting of Virtual Host of SecureNAT Function Item |Value ————+—————— MAC Address|5E-98-F1-B0-E4-9E IP Address | 192.168.30.1 Subnet Mask|255.255.255.0 The command completed successfully.

By default, SecureNAT uses a subnet 192.168.30.0/24.

This subnet does not apply only to SecureNAT; it is also used in Local Bridge mode. This is the virtual hub's own subnet. So if there is a need to change the subnet for the bridge, then it is done here.

The subnet address can be changed with the SecureNatHostSet .

VPN Server/VPN_1>SecureNatHostSet SecureNatHostSet command — Change Network Interface Setting of Virtual Host of SecureNAT Function MAC Address: IP Address: 192.168.100.1 Subnet Mask: 255.255.255.0 The command completed successfully.

Now we are using a subnet 192.168.100.0/24.

VPN Server/VPN_1>SecureNatHostGet SecureNatHostGet command — Get Network Interface Setting of Virtual Host of SecureNAT Function Item |Value ————+—————— MAC Address|5E-98-F1-B0-E4-9E IP Address | 192.168.100.1 Subnet Mask|255.255.255.0 The command completed successfully.

A client connecting to the hub receives an IP address from the range of its subnet. The distribution of addresses is controlled by a virtual DHCP server. You can view your current DHCP settings using the DhcpGet .

Let's change the current settings for the new 192.168.100.0/24 subnet ( DhcpSet) .

VPN Server/VPN_1>DhcpSet DhcpSet command — Change Virtual DHCP Server Function Setting of SecureNAT Function Start Point for Distributed Address Band: 192.168.100.10 End Point for Distributed Address Band: 192.168.100.100 Subnet Mask: 255.255.255.0 Lease Limit (Seconds): 7200 Default Gateway ('none' to not set this): 192.168.100.1 DNS Server 1 ('none' to not set this): 192.186.100.1 DNS Server 2 ('none' to not set this): 8.8.8.8 Domain Name : myvpn Save Log (yes / no): no The command completed successfully.

I set the range of issued addresses from 192.168.100.10 to 192.168.100.100 , subnet mask, gateway and DNS server. Lease Limit was left as default.

The new DHCP settings now look like this.

If you now connect to the VPN, open the Windows command line and run the ipconfig , you will see the following picture.

The computer now has the address 192.168.100.10, the gateway is 192.168.100.1, the network is called “myvpn”. As was specified during setup.

The DHCP server can be disabled using the DhcpDisable .

If you forget to enable DHCP, then addresses will not be issued to clients, but the client will still be connected to the server. In this case, the traffic will come from your main address. An inattentive user will be sure that he is hiding his IP, but in reality this is not the case. By default, DHCP is always enabled and it is better to leave it alone.

Disabling SecureNAT

To disable SecureNAT, use the SecureNatDisable .

VPN Server/VPN_1>SecureNatDisable SecureNatDisable command — Disable the Virtual NAT and DHCP Server Function (SecureNat Function) The command completed successfully.

SecureNAT disabled.

VPN Server/VPN_1>SecureNatStatusGet SecureNatStatusGet command — Get the Operating Status of the Virtual NAT and DHCP Server Function (SecureNat Function) Item |Value ————————-+——— Virtual Hub Name |VPN_1 NAT TCP/IP Sessions |0 Session NAT UDP/IP Sessions |0 Session NAT ICMP Sessions |0 Session NAT DNS Sessions |0 Session Allocated DHCP Clients |0 Client Kernel-mode NAT is Active|No Raw IP mode NAT is Active|No The command completed successfully .

Local Bridge

Local Bridge is completely different from SecureNAT. This mode requires support for TUN/TAP devices, so it can not be used on all VPS/VDS, but only on those that have the ability to boot them. In addition, the entire Local Bridge setup, from start to finish, is done manually.

The advantages of Local Bridge are higher speed, reliability and security.

Local Bridge connects the hub to a physical or tap adapter. Traffic routing occurs in the system core using netfilter/iptables.

DHCP for Local Bridge

Local Bridge does not have its own DHCP server, so you also have to install a DHCP server. CentOS installs dhcp, Ubuntu/Debian installs isc-dhcp-server.

Let's install dhcp for CentOS.

yum install -y dhcp

Let's install isc-dhcp-server for Ubuntu/Debian.

apt-get install -y isc-dhcp-server

Let's edit the dhcp server settings file, it is the same everywhere.

nano /etc/dhcp/dhcpd.conf

Contents of the dhcpd.conf file.

option domain-name "myvpn"; option domain-name-servers 192.168.30.1; default-lease-time 43200; max-lease-time 86400; log-facility local7; subnet 192.168.30.0 netmask 255.255.255.0 { range 192.168.30.10 192.168.30.200; option routers 192.168.30.1; } # If you need to give the client a permanent IP address # You can bind by MAC # Uncomment the lines, set the desired ip # Enter the MAC address of the adapter that will be created after installing the client #host home { #hardware ethernet XX:XX:XX: XX:XX:XX; #fixed-address XXX.XXX.XXX.XX; #}

If you read about SecureNAT network settings, you most likely understood where I got the values for the dhcp server, since the subnet is the same for both modes.

Based on the address of the default subnet (192.168.30.0/24), I set the following values:

domain-name — network name, can be anything.
domain-name-servers - DNS addresses, you can specify the gateway address or the direct address of the preferred server. (192.168.30.1)
default-lease-time — the lease period for the IP address by the client, if the client does not independently specify the lease period for the address.
max-lease-time — maximum lease period for the address by the client.
subnet — subnet address (192.168.30.0)
netmask — subnet mask (255.255.255.0)
range — range of addresses for issuance (from 192.168.30.10 to 192.168.30.200)
option routers - gateway (192.168.30.1)

The “lease-time” values are set in seconds, I set them to 12 and 24 hours, respectively. If you set small values, then after the expiration date the connection will be broken, which is not good for long-term operation.

tap_vpn interface a subnet gateway, assigning it the address 192.168.30.1

ifconfig tap_vpn 192.168.30.1

Let's check the interface.

Let's start the dhcp server.

CentOS systemctl start dhcpd Ubuntu/Debian systemctl start isc-dhcp-server

Let's check how it works in CentOS (systemctl status dhcpd)

systemctl status dhcpd ● dhcpd.service - DHCPv4 Server Daemon Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled; vendor preset: disabled) Active: active (running) since Thu 2018-05-10 22: 46:40 MSK; 40s ago Docs: man:dhcpd(8) man:dhcpd.conf(5) Main PID: 2297 (dhcpd) Status: “Dispatching packets…” CGroup: /system.slice/dhcpd.service └─2297 /usr/sbin/ dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd —no-pid Sep 26 05:14:06 tech dhcpd[2297]: Sending on LPF/tap_vpn/00:ac:4d:2f: c8:3f/192.168.30.0/24

Let's check how it works in Debian/Ubuntu (systemctl status isc-dhcp-server)

systemctl status isc-dhcp-server ● isc-dhcp-server.service — ISC DHCP IPv4 server Loaded: loaded (/lib/systemd/system/isc-dhcp-server.service; enabled; vendor preset: enabled) Active: active ( running) since Thu 2018-05-10 22:46:40 MSK; 40s ago Docs: man:dhcpd(8) Main PID: 2936 (dhcpd) Tasks: 1 Memory: 9.0M CPU: 33ms CGroup: /system.slice/isc-dhcp-server.service └─2936 dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf /etc/dhcp/dhcpd.conf

Autostart DHCP when vpnserver starts

Let's make the DHCP server loading dependent on the vpnserver loading. Firstly, so as not to assign the address of the tap interface manually, and, secondly, so as not to manually start the dhcp server after each reboot or turn on the machine.

To do this, add two commands directly to the vpnserver autostart script.

ifconfig tap_vpn 192.168.30.1 systemctl restart dhcpd or isc-dhcp-server

Let's edit the script /etc/init.d/vpnserver.

nano /etc/init.d/vpnserver

We bring the contents of the script to the following form in CentOS.

#!/bin/sh # chkconfig: 2345 99 01 # description: SoftEther VPN Server DAEMON=/usr/local/vpnserver/vpnserver LOCK=/var/lock/subsys/vpnserver test -x $DAEMON || exit 0 case "$1" in start) $DAEMON start touch $LOCK sleep 3 ifconfig tap_vpn 192.168.30.1 systemctl restart dhcpd ;; stop) $DAEMON stop rm $LOCK ;; restart) $DAEMON stop sleep 3 $DAEMON start sleep 3 ifconfig tap_vpn 192.168.30.1 systemctl restart dhcpd ;; *) echo "Usage: $0 {start|stop|restart}" exit 1 esac exit 0

We bring the contents of the script to the following form in Ubuntu/Debian.

#!/bin/sh ### BEGIN INIT INFO # Provides: vpnserver # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start daemon at boot time # Description: Enable Softether by daemon. ### END INIT INFO DAEMON=/usr/local/vpnserver/vpnserver LOCK=/var/lock/subsys/vpnserver test -x $DAEMON || exit 0 case "$1" in start) $DAEMON start touch $LOCK sleep 3 ifconfig tap_vpn 192.168.30.1 systemctl restart isc-dhcp-server ;; stop) $DAEMON stop rm $LOCK ;; restart) $DAEMON stop sleep 3 $DAEMON start sleep 3 ifconfig tap_vpn 192.168.30.1 systemctl restart isc-dhcp-server ;; *) echo "Usage: $0 {start|stop|restart}" exit 1 esac exit 0

We run systemctl daemon-reload to accept the changes in the scripts.

systemctl daemon-reload

Reboot vpnserver or system.

systemctl restart vpnserver or reboot

Immediately after downloading/rebooting, we check the interface and dhcp.

ifconfig tap_vpn tap_vpn: flags=4163 mtu 1500 inet 192.168.30.1 netmask 255.255.255.0 broadcast 192.168.30.255 inet6 fe80::2ac:4dff:fe2f:c83f prefixlen 64 scopeid 0x20 ether 00:ac:4d:2f :c8:3f txqueuelen 1000 (Ethernet) RX packets 12 bytes 1032 (1.0 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 38 bytes 3132 (3.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 systemctl status isc-dhcp-server ● isc -dhcp-server.service — ISC DHCP IPv4 server Loaded: loaded (/lib/systemd/system/isc-dhcp-server.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2018-05-10 23:10:33 MSK; 1min 11s ago Docs: man:dhcpd(8) Main PID: 1417 (dhcpd) Tasks: 1 Memory: 9.0M CPU: 16ms CGroup: /system.slice/isc-dhcp-server.service └─1417 dhcpd -user dhcpd - group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf /etc/dhcp/dhcpd.conf

Setting up VPN clients.

On the client computer, we will configure a connection using the L2TP/IPsec protocol with a shared key.

By default, clients are assigned IP addresses in the same range of the DHCP server to which the VPN server is connected.

It should be noted that SoftEther VPN has its own VPN client, which, according to the developer, works faster and encrypts traffic using SSL. Thus, it is difficult to distinguish from HTTPS, therefore, VPN will work even on networks where other protocols are blocked. Installing and configuring your own client is quite simple. After standard client installation, click Add VPN Connection and agree to create a virtual network adapter.

Next we write the name of the adapter.

Then a window for creating a new VPN connection will appear; here we indicate the server address, port, name of the virtual hub on the server and user credentials.

If suddenly, when connecting a VPN connection, the local network becomes unidentified, then you need to click Advanced Settings (see the picture above) and check the No Adjustments of Route Table checkbox. You can also change the priorities of network connections, more details in the article.

That's all, thanks for your attention.

Principles

On each side of SoftEther VPN you can (need) define a virtual hub and establish a connection between the virtual hub and the physical Ethernet segment using the Local Bridge function. To use it, you can bind two or more remote physical Ethernet segments into one combined Ethernet segment. This is something like a very long Ethernet cable over the entire required area. However, building and storing a long Ethernet cable will require a large initial investment and then monthly expenses. In contrast, the SoftEther VPN virtual network cable does not require additional costs beyond the usual and cheap Internet connections through local Internet providers in each branch.

Step 1. Set up SoftEther VPN Server in the central office At the main office or data center of your corporate network, install SoftEther VPN Server as the central VPN server.

Step 2: Create users for each branch Office User authentication is required for security purposes so that only an authenticated VPN bridge can connect to the central office. Add users for each branch on SoftEther VPN Server.

Step 3. Configure SoftEther VPN Bridge in each branch Install SoftEther VPN Bridge in each branch and configure them so that they establish a cascade connection to the central VPN server.

Step 4: The LAN-LAN bridge is now ready to use Congratulations! Each network segment, which was originally isolated from other segments, is now associated with a single Ethernet segment. All servers, computers and other network devices with Ethernet ports, such as printers, faxes, scanners and teleconferencing systems, can now communicate with each other without any protocol restrictions. They are in the same situation as if all these devices were connected to the same physical local network.

Principles

An ad-hoc network allows communication only with computers that are directly connected to the VPN. However, if there are many computers on your company's corporate network, it is not practical to install and configure VPN clients on all of your company's PCs. This is the reason why remote VPN access is essential for organizations with medium to large enterprise networks. Remote access VPN is an advanced ad-hoc network topology. The difference between ad-hoc VPN and remote access VPN is similar to the difference between Wi-Fi Ad-hoc and Wi-Fi Infrastructure. In Wi-Fi Ad-hoc mode, all computers must be connected only to the wireless (Wi-Fi) segment. In contrast, Wi-Fi Infrastructure allows you to connect computers in both the wireless WI-Fi segment and the wired Ethernet segment. To create a remote VPN access, you can use the Local Bridge feature to connect between a virtual private network segment and a physical Ethernet network segment. After this, any remote computers connected to the virtual hub via VPN will become part of the existing physical Ethernet segment.

Step 1. Set up SoftEther VPN server You can set up SoftEther VPN server on a computer on the corporate network. It is recommended to set up a VPN server on a computer with two network cards, one of which is connected to the corporate network and the other to the Internet. However, if you cannot find such a server that meets these requirements, you can try SoftEther VPN Server on a PC that has only one network card connected to the local network. Since SoftEther VPN Server has dynamic DNS and NAT-Traversal functions, you will be able to connect to such a PC from the Internet. Installation is very easy using the GUI installer and initial setup wizard.

Step 2: Define a local bridge between the virtual hub and the physical network card To allow remote access from client PCs to the corporate network, you need to create a local bridge between the virtual hub and the physical network adapter connected to the corporate network. Creating a local bridge is easy using the Initial Setup Wizard, or you can add it manually after the initial setup.

Step 3. Creating users On the SoftEther VPN server, you must add several users to the virtual hub. Each user has a password. After this, distribute username and password pairs to each employee who will connect via VPN.

Step 4. Install the VPN client on each participant's PC. Install SoftEther VPN Client on each participant's PC. Enter the server address, username and password. If the VPN member is Mac OS X, iPhone or Android, configure an L2TP/IPsec VPN client on each PC instead of SoftEther VPN. Another solution is to use the OpenVPN client on Mac OS X, iPhone or Android to connect to SoftEther VPN Server.

Step 5. Now the remote access VPN is ready for use. Now each employee’s PC on which the VPN client is configured can connect to the corporate network. Once the VPN connection is established, the client computer will be part of the network. You can then use any LAN applications on your PC, such as community software, SAP, SQL clients and enterprise systems.

Installing a VPN server on Windows

Installing SoftEther VPN Server is quite simple. I will illustrate it with pictures with small comments. Download the SoftEther VPN Server distribution from the official website and launch it. Select the installation option - VPN Server and click “Next”.

Then we accept the terms of the agreement and select the standard installation.

After starting the VPN server, the administration window will appear, click the “Connect” button. Set the server administrator password.

Specify the server type - Site-to-Site VPN Server. (Center)

Next, you need to specify the name of the virtual hub.

Then the dynamic DNS function is configured, click Exit. You can later disable it by changing the line in the configuration file to: “declare DDnsClient { bool Disabled true “ .

Next, you need to specify a physical network card to connect the virtual hub to the local network. The connection is made at the OSI data link layer, so the virtual hub does not receive any IP address on the network. However, some routers may notice the appearance of the IP address of the subnet 172.31.0.0/16 on the local network. This address is used to track whether ARP entries match IP addresses or something similar.

Next, you are asked to configure L2TP access and enable Azure VPN. Let's skip these steps because... they do not participate in this scheme. Azure VPN can be disabled if you have a white IP. If the address is gray, then do not disable it and use the Azure VPN domain address instead of the IP.