Setting up a SoftEther VPN server for personal use

Having your own VPN server can be very useful for watching TV from home while travelling, and plenty of other reasons too. With Microsoft Azure putting servers in London I decided to have a go at building my own automated VPN server so I could learn more about Azure (I work for SwiftKey, now part of Microsoft). My team at work had suggested using SoftEther and I quickly agreed with them after seeing it in use.

I had built SoftEther on other cloud providers but had not built it in a way that survived reboots and automatically started the VPN. As Ubuntu changed to using systemd in Ubuntu 16.04, I thought I'd give that a go. I've documented what I've done below so I can remember it and others might find it helpful. I'm assuming basic knowledge of Linux, and also that you can work out how to use Azure or your preferred provider. As a side note, I also configured this server while in Windows 10 using the new bash functionality and ssh from there, which was pretty cool.

First of all, create a server. You don't need a particularly big server, and choosing a magnetic hard drive rather than SSD will save you money. A VPN server does everything in memory apart from the configuration and booting etc. I'd also use an LTS version of Ubuntu so that you have security support for five years. I'd recommend using an SSH key with a passphrase for extra security, compared to a straight username and password. Now to the setup:


  • Install make and gcc - e.g. sudo apt install make gcc
  • Download SoftEther using something like wget http://www.softether-download.com/files/softether/v4.20-9608-rtm-2016.04.17-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz - check the download server for the latest version
  • Extract the tar, change into the directory and type ./install.sh
  • Start SoftEther so that we can connect to it and configure it - sudo ./vpnserver start
  • Run the admin utility by typing ./vpncmd and then issue the following commands:
    • ServerPasswordSet (don't forget to save this somewhere secure like LastPass)
    • HubCreate - I just created one called internet
    • Hub internet
    • SecureNatEnable
    • UserCreate - you can press Enter over the group creation
    • UserPasswordSet - again make sure to save this
    • DynamicDNSGetStatus - this will give you a hostname that you can use to configure VPN clients. I also reserved a static IP address in Azure but you can just use the dynamic name shown by this command
    • IPSecEnable - change the default secret from vpn if you want. Make sure that you save this also as your VPN client will need this.
  • Now stop softether - sudo ./vpnserver stop
  • Open up UDP port 500 and UDP port 4500

Now that it's configured, we want to make it run automatically by turning it into a systemd service:

  • Move the vpnserver directory you created to under /opt e.g. sudo mv vpnserver /opt
  • Change this directory to be owned by root - sudo chown root:root /opt/vpnserver
  • Copy the file at https://github.com/hsaito/SoftEtherVPN/blob/master/systemd/softether-vpnserver.service into /lib/systemd/system and change ownership to root:root. NB This file hasn't been upstreamed yet, so it is not in the main SoftEther repo. I've also made a copy on my GitHub account - imcdnzl - in case this file disappears
  • Create the service by sudo systemctl enable softether-vpnserver
  • Do a reboot to verify that the VPN service is still running after a reboot

As a side note, if you're a systemd guru you might wonder why I've registered the systemd service in this way. It's because of this issue in Ubuntu 16.04 which gives the error "Failed to execute operation: Too many levels of symbolic links" if you try to do a systemctl enable in the recommended manner...
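
A check to go with the reboot step above, added here as an example and not taken from the original post or the SoftEther project: it confirms that nothing under /opt/vpnserver is owned by a non-root user or writable by group or others (chown without -R changes only the directory itself), that the service is enabled and running, and that UDP 500 and 4500 are bound. The function names are hypothetical, and it assumes find, awk, ss and systemctl are available and that the server binds both ports locally.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Helper names are hypothetical.
# Assumes find, awk, ss and systemctl, and that vpnserver binds UDP 500/4500.

# Print entries under $1 not owned by user $2, or writable by group/others.
# Symlinks are skipped for the mode test (their mode is always 777).
audit_tree() {
    find "$1" \( ! -user "$2" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print
}

# Read `ss -lun` output on stdin; succeed only if a socket is bound to UDP
# port $1. Local address is field 4 (field 5 when ss prints a Netid column);
# the peer field ends in ":*" so it never matches.
udp_port_bound() {
    awk -v p=":$1" '
        { for (i = 4; i <= 5; i++) {
              n = length($i) - length(p)
              if (n >= 0 && substr($i, n + 1) == p) found = 1
          } }
        END { exit !found }'
}

# Run every check and report each failure; returns non-zero if any failed.
check_vpn_host() {
    local rc=0 bad port
    bad=$(audit_tree /opt/vpnserver root)
    if [ -n "$bad" ]; then
        printf 'not root-owned, or group/world-writable:\n%s\n' "$bad"
        rc=1
    fi
    systemctl is-enabled --quiet softether-vpnserver ||
        { echo 'service is not enabled'; rc=1; }
    systemctl is-active --quiet softether-vpnserver ||
        { echo 'service is not running'; rc=1; }
    for port in 500 4500; do
        ss -lun | udp_port_bound "$port" ||
            { echo "UDP port $port is not bound"; rc=1; }
    done
    return "$rc"
}

# Only touch the live system when asked to.
if [ "${1:-}" = "--run" ]; then check_vpn_host; fi
```

Run the script with --run after the reboot; each line it prints is something to fix before relying on the server.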

Most operating systems (e.g. iOS, Android, OS X, Windows) should just work with this now if you configure them to use L2TP.

If you want to contact me to clarify anything, or you think I can improve this post, then email me on imcdnzl at outlook dot com. Other blog posts I might write (or might not) are how to create an Azure server and how to get this to run on port 443, which enables working on tighter networks with the OpenSSL VPN client.
