Introduction
SoftEther VPN is an open-source, multi-protocol VPN server that supports SSL-VPN, IPsec/L2TP, OpenVPN, L2TPv3, EtherIP, and Microsoft SSTP within a single daemon. Unlike solutions that require separate servers for different protocols, a single SoftEther instance handles all of them simultaneously, making it one of the most flexible VPN platforms available. It was originally developed at the University of Tsukuba and is distributed under the Apache 2.0 license.
This guide covers the complete setup process: installation on Ubuntu 24.04, initial server configuration using vpncmd, virtual hub creation, user authentication with local and LDAP backends, firewall configuration, client setup, and production deployment with systemd.
Installation on Ubuntu 24.04
Install Build Dependencies
SoftEther recommends compiling from source on Linux for maximum control:
sudo apt update
sudo apt install -y build-essential libssl-dev libreadline-dev \
zlib1g-dev libncurses5-dev gcc make
Download and Compile
# Download latest source (v4.43 as of 2026)
wget https://github.com/SoftEtherVPN/SoftEtherVPN/stable/v4.43.tar.gz
tar xzf v4.43.tar.gz
cd SoftEtherVPN-stable-v4.43
# Compile
./configure
make -j$(nproc)
# Install to /usr/local/
sudo make install
The build process compiles the server, client, and bridge binaries. After installation, confirm the binaries are in place:
ls /usr/local/vpnserver/
# Expected: vpnserver, vpncmd, vpnclient, hamcore.se2
Create a Dedicated System User
sudo useradd --system --home-dir /usr/local/vpnserver --shell /usr/sbin/nologin vpnserver
sudo chown -R vpnserver:vpnserver /usr/local/vpnserver
Initial Server Configuration
Start the server and configure it through the command-line management tool vpncmd:
# Start the server for first-time setup
sudo /usr/local/vpnserver/vpnserver start
# Open the management console (connecting to local server)
sudo /usr/local/vpnserver/vpncmd localhost:443 /SERVER /PASSWORD:password
Set Server Password and Create Virtual Hub
Inside the vpncmd interactive shell:
# Set the server administration password
ServerPasswordSet
# Enter: your-admin-password
# Create a virtual hub (each hub is an independent VPN network)
HubCreate
# Hub Name: MAIN
# Password: (optional, set or leave blank)
# Switch to the new hub
Hub MAIN
# Configure virtual hub settings
HubInfoSet
# Set descriptions, access control, etc.
Configure DHCP and IP Address Pool
# Enable Virtual DHCP Server on the hub
DhcpEnable
# Set DHCP lease range
DhcpSet
# Start IP: 192.168.30.10
# End IP: 192.168.30.200
# Subnet Mask: 255.255.255.0
# Default Gateway: 192.168.30.1
# DNS Server 1: 8.8.8.8
# DNS Server 2: 1.1.1.1
Create Users
# Create local users
UserCreate alice /GROUP:engineering /REALNAME:"Alice Johnson" /NOTE:"Engineering VPN access"
UserPasswordSet alice
# Enter password: secure-password-here
UserCreate bob /GROUP:devops /REALNAME:"Bob Smith" /NOTE:"DevOps admin access"
UserPasswordSet bob
Configure Secure NAT
The SecureNAT feature provides NAT and routing for the virtual hub:
# Enable SecureNAT
SecureNatEnable
# Configure SecureNAT (optional, defaults work for most setups)
SecureNatHostSet
# Virtual Network Adapter IP: 192.168.30.1
# Subnet Mask: 255.255.255.0
Configure Encryption and Protocol Settings
# Set the cipher for SSL-VPN connections
CipherSet
# Current cipher: AES-256-GCM (default, recommended)
# Enable or disable specific protocols
SstpEnable
OpenVpnEnable yes /PORTS:1194
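# /L2TPRAW:yes also accepts L2TP without IPsec encryption; use /L2TPRAW:no unless a device requires it
IpsecEnable /L2TP:yes /L2TPRAW:yes /ETHERIP:yes /DEFAULTHUB:MAIN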
Firewall Configuration
# Open required ports on Ubuntu with UFW
sudo ufw allow 22/tcp # SSH (always)
sudo ufw allow 443/tcp # SoftEther SSL-VPN (HTTPS)
sudo ufw allow 992/tcp # SoftEther SSTP
sudo ufw allow 1194/udp # OpenVPN
sudo ufw allow 500/udp # IKE (IPsec)
sudo ufw allow 4500/udp # IPsec NAT-T
sudo ufw allow 1701/udp # L2TP
sudo ufw allow 5555/tcp # SoftEther administration
# Enable UFW
sudo ufw enable
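The rule set above can be checked mechanically. The following is an added example, not part of the original guide or the SoftEther project: it parses `ufw status` output and reports required ports that are missing and sensitive ports that are open to any source. The REQUIRED and RESTRICTED lists and the sample status text are assumptions of this example.

```shell
# Added example: audit `ufw status` output against this guide's port plan.
# SAMPLE_STATUS is constructed for illustration, not captured from a real host.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
992/tcp                    ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
500/udp                    ALLOW       Anywhere
1701/tcp                   ALLOW       Anywhere
5555/tcp                   ALLOW       10.0.0.0/24
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Assumed policy: ports VPN clients must reach from any address.
REQUIRED="443/tcp 1194/udp 500/udp 4500/udp"
# Assumed policy: ports that should be limited to known source networks.
RESTRICTED="5555/tcp 1701/tcp 1701/udp"

# Print port/proto for every ALLOW rule whose source is Anywhere (IPv4 or IPv6).
world_open() {
  printf '%s\n' "$1" | awk '
    $2 == "ALLOW" && $3 == "Anywhere" { print $1 }
    $2 == "(v6)" && $3 == "ALLOW" && $4 == "Anywhere" { print $1 }' | sort -u
}

# Print one finding per line; no output means the rules match the policy.
audit_ufw() {
  case $1 in
    "Status: active"*) ;;
    *) echo "INACTIVE"; return 0 ;;
  esac
  open=$(world_open "$1")
  for p in $REQUIRED; do
    if ! printf '%s\n' "$open" | grep -qxF "$p"; then echo "MISSING $p"; fi
  done
  for p in $RESTRICTED; do
    if printf '%s\n' "$open" | grep -qxF "$p"; then echo "EXPOSED $p"; fi
  done
  return 0
}

# Run against the sample; on a server use: audit_ufw "$(sudo ufw status)"
audit_ufw "$SAMPLE_STATUS"
```

For the sample, the audit reports the missing IPsec NAT-T rule and the world-open 1701/tcp rule. The 5555/tcp rule passes because it is limited to a source network.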
Client Setup
SoftEther VPN Client (Windows/Linux GUI)
Download the SoftEther VPN Client from the official site. After installation:
# On the client machine, create a VPN connection profile
# Server: your-server-ip-or-hostname
# Port: 443 (default SSL-VPN)
# Virtual Hub: MAIN
# Username: alice
# Password: ****
# Enable "Use SSL-VPN Mode"
L2TP/IPsec Client (Built-in OS Support)
For devices without the SoftEther client (iPhones, Android, macOS):
# On the SoftEther server, IPsec is already enabled above
# Client configuration:
# Server: your-server-ip
# Type: L2TP/IPsec with pre-shared key
# PSK: (default is "softether" unless changed)
# Username: alice
# Password: ****
To change the IPsec pre-shared key:
# In vpncmd:
IpsecSet
# L2TP_DefaultHub: MAIN
# IPsec_Secret: your-custom-psk-here
Production Deployment with Systemd
Create a systemd service for automatic startup and recovery:
sudo tee /etc/systemd/system/softether-vpnserver.service << 'SERVICE'
[Unit]
Description=SoftEther VPN Server
After=network.target
[Service]
Type=forking
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
ExecReload=/usr/local/vpnserver/vpnserver restart
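User=vpnserver
Group=vpnserver
# A non-root service user needs this capability to bind ports below 1024 (443, 992, 500)
AmbientCapabilities=CAP_NET_BIND_SERVICE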
LimitNOFILE=1048576
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
SERVICE
# Enable and start
sudo systemctl daemon-reload
sudo systemctl enable softether-vpnserver
sudo systemctl start softether-vpnserver
Verify Service Status
sudo systemctl status softether-vpnserver
journalctl -u softether-vpnserver -f
# Quick connectivity test (from client)
ping 192.168.30.1
LDAP/Active Directory Authentication
Integrate with enterprise identity providers for centralized user management:
# In vpncmd, on the virtual hub:
Hub MAIN
# Configure LDAP authentication
AuthServerSet
# Server: ldaps://ad.example.com:636
# Base DN: dc=example,dc=com
# Bind DN: cn=admin,dc=example,dc=com
# Bind Password: ****
# Set the hub to use LDAP auth
AuthSet
# Select: External Authentication (RADIUS or LDAP)
# Create users matching LDAP entries
# (usernames must match the LDAP sAMAccountName or uid attribute)
UserCreate alice /GROUP: /REALNAME: /NOTE:
Monitoring and Logging
# /HUB selects the virtual hub; /CMD must come last and takes the command to run.
# Omit /PASSWORD to be prompted instead of leaving the password in shell history and the process list.
# Check connected users
/usr/local/vpnserver/vpncmd localhost:443 /SERVER /HUB:MAIN /PASSWORD:password \
/CMD SessionList
# View real-time traffic statistics
/usr/local/vpnserver/vpncmd localhost:443 /SERVER /HUB:MAIN /PASSWORD:password \
/CMD TrafficGet
# Check server log
/usr/local/vpnserver/vpncmd localhost:443 /SERVER /PASSWORD:password \
/CMD LogDetailGet
# Enable logging (set log levels)
/usr/local/vpnserver/vpncmd localhost:443 /SERVER /HUB:MAIN /PASSWORD:password \
/CMD LogEnable security
/usr/local/vpnserver/vpncmd localhost:443 /SERVER /HUB:MAIN /PASSWORD:password \
/CMD LogEnable packet
Troubleshooting Common Issues
| Symptom | Cause | Solution |
|---|---|---|
| Connection refused on port 443 | Server not running or firewall blocking | sudo systemctl status softether-vpnserver and check UFW rules |
| L2TP/IPsec connects but no traffic | IPsec not enabled or PSK mismatch | Verify IpsecEnable settings and PSK with IpsecGet |
| DNS not working after connecting | DHCP not configured on virtual hub | Run DhcpSet and SecureNatEnable in vpncmd |
| OpenVPN clients can’t connect | OpenVPN port not opened in firewall | Verify sudo ufw status includes port 1194/udp |
| Authentication fails with LDAP | LDAP server unreachable or incorrect bind DN | Test with ldapsearch from the VPN server |
Resources
- SoftEther VPN Official Site — Downloads, documentation, forums
- SoftEther GitHub Repository — Source code and releases
- vpncmd Server Management Manual — Complete command reference
- SoftEther VPN Server Configuration Examples
- SoftEther + LDAP Integration Guide