Friday, August 24, 2018

How to install SoftEther VPN Server

This tutorial covers setting up SoftEther VPN on a NAT machine AS WELL AS a regular machine with IPv4/IPv6, without SecureNAT, using the dnsmasq DHCP service.

Since I did not have a NAT VPS, I bought a LES machine for the sake of this tutorial from LowEndSpirit.com
I chose a 128mb machine in US.
A server in Europe is way faster and closer to me but since I have enough machines in Europe, US seemed more appealing to me.
The VPS has the following specs:
  • 1 vCPU Core
  • 128MB RAM
  • 128MB vSwap
  • 3GB SSD-Cached HDD
  • 500GB @ 1Gbit
  • 20 NAT IPv4 Ports + 1 SSH Port
  • /80 IPv6 Subnet
  • OpenVZ/NanoCP
For €3 per year, I'd say this is a good deal.
Turns out I mistakenly selected Kansas City location instead of my intended Lenoir, NC location.
It’s fine though, as long as I can use it…
Let me warn you: unfortunately I couldn't make this work with a pure IPv6-only server.
I mean, I did. But since I have no native IPv6, I can't test it without a second VPN connection.
Also, since such servers only have IPv6, they cannot get to IPv4 sites. So if your intention is to set up a VPN on your IPv6-only machine, you can still follow this tutorial and make it work, but I can't help you any further than that.
In this tutorial we will be creating a VPN with a Local Bridge and NAT IPv4, and optionally we will distribute IPv6 addresses to everyone who connects to our virtual private network. Easy peasy…

Did someone say IPv6?

Assigning a unique IPv6 address to all VPN clients.

Though it might be overkill for most, I enjoy digging deeper, and it's good to know there's always a second option for those who want to broaden their horizons.
In this case, I won't be content with NAT IPv4 only, since that gives me just the host machine's IP address plus the IPv6 addresses assigned to me. So many possibilities come to mind that I have to keep it short, but in summary they're along the lines of:
  • What if I need more IPv6 addresses? Sure you can always open a ticket
    and ask for more. They may or may not allocate a few more to you. But
    what if I want to give a unique IPv6 address to all my clients? This
    includes other servers that I connected through VPN.
  • This is not VPN related but, what if I were to host every other site on my server
    with their own IPv6?
  • What if after setting up so many things I want to move my host? Do I have to start over, change all dns addresses and all those config files?
  • What if I am hosting sites on my VPN computer
    or communicating within my virtual private network with those IPv6
    addresses?
If I were to change my host or somehow got kicked out, that would be a drag, wouldn't it?
So, I need my own IPv6 block then. Since no host will just give it to you, the best way to achieve it is through tunnelling.
Now I won't get into creating an IPv6 tunnel, how to open a TunnelBroker.net account, or how to create a Hurricane Electric tunnel on OpenVZ/KVM/XEN; I will assume you already have one. That topic is for another day.
Of course, if your host did actually provide you a similar block, you're free to use it.
For distributing IPv6 addresses to our clients we need:
  • A working IPv6 tunnel
  • DNSMasq edits
  • Some ip6tables rules
  • sysctl edits
It is just like the VPN setup above. Other than the IPv6 tunnel, we only need to change a few settings in order to assign every machine a real IPv6 address and route it through our virtual private network.
The best part of this setup is that if you connect from behind a router, even though inbound IPv4 connections may be blocked by the router, your IPv6 address will be publicly reachable as long as you're connected to the VPN.

Download Softether VPN Server

Reading the welcome mail from the provider, I connected to my NAT-IPv4 + IPv6 VPS using Xshell5. The mail stated a connection IPv4 address along with a port for SSH.
Connecting to NAT VPS
Now I need to download Softether VPN Server to the VPS from the URL:
Softether Download
I need to select the component, platform and cpu architecture from this page to run on my VPS.
Since I wasn't sure what my 5-minute-old machine had, I ran lscpu and confirmed it.
CPU Info
Next I’m confirming my cpu and getting the latest Softether VPN Server for Linux.
SoftEther Download Links
Right click on the first link and copy the download link. (By the time you're installing this, the software may already have been updated, so better download the current one from the link above instead of this one.)
http://www.softether-download.com/files/softether/v4.14-9529-beta-2015.02.02-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.14-9529-beta-2015.02.02-linux-x64-64bit.tar.gz
Installing Softether VPN Server
Now, head over to your SSH Client and wget the file.
wget http://www.softether-download.com/files/softether/v4.14-9529-beta-2015.02.02-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.14-9529-beta-2015.02.02-linux-x64-64bit.tar.gz
After downloading the file let’s extract it with the command:
tar xzf softether-vpnserver-*
It extracts to a folder called vpnserver.
Now let’s get inside the folder.
cd vpnserver/
Before moving to the next step we must have the GNU GCC compiler and development tools in order to make and make install this package.
Since this is a brand new installation I don't have those.
So let's install them with the commands below:
apt-get update
apt-get install build-essential libssl-dev g++ openssl chkconfig libpthread-stubs0-dev gcc-multilib
Now we can continue and install Softether VPN Server to our VPS.

Compiling and Installing SoftEther VPN Server

After installing the GNU GCC compiler and its dependencies we can finally build our package by running the commands
cd vpnserver
make
When you run the command it will ask you several questions. Choose yes each time, otherwise the installation will halt. I had to choose “Yes” 3 times.
In seconds the compilation was complete.
Now, if you see something like below, your installation was a success:
Let’s start SoftEther VPN Server Services with the command:
./vpnserver start
If you see the message below now we started SoftEther with success:
The SoftEther VPN Server service has been started.
Now, we have two alternative ways to manage our services.
You can run the ./vpncmd command and configure SoftEther via the command line interface. But… that would be a drag. It is not that user friendly after all, and you might miss some stuff.
So instead I will be using SoftEther VPN Server Manager tools from my Windows.
First of all, let’s create a password for the VPN before connecting to it with the Server Manager.
So let’s run
./vpncmd
It will ask you what you want to do.
The choices are:
  1. Management of VPN Server or VPN Bridge
  2. Management of VPN Client
  3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
Choose 1 and press enter. Press enter 3 more times. Preferably after reading.
Once you’re in, let’s first setup a password for our server with this command:
ServerPasswordSet
You'll be asked to input your password twice. This is used for the admin interface, so don't lose it.

Optional Step, Only for NAT VPS’es

This step is a bit tricky; apart from it, the rest of the tutorial is the same for everyone.
For this step I either needed an IPv6 address (otherwise I didn't know how to reach the VPN server behind the NAT IPv4) or had to set up my VPS to accept my connections.
So my first approach was connecting to my VPS over the IPv6 address I had, which succeeded.
But when I tried to connect over IPv4, it failed. SoftEther wasn't listening on the port range I was given.
I had to create a Listener. The welcome email stated that I was given a port range of 14000-14020.
Port #14000 being the SSH port, I decided to create a listener for 14001.
So in vpncmd, I ran this command:
ListenerCreate 14401
Only then did I succeed in connecting to my VPS to manage SoftEther VPN Server.
You can change this 14401 port to a port from within your own range.

SoftEther VPN Server Manager for Windows

Since we have enabled ways of connecting to our VPN Server, let’s launch SoftEther VPN Server Manager for Windows and create a connection to our IPv6 only VPS.
You should download and install SoftEther VPN Server Manager for Windows from the same download URL:
After installation, fire it up and on the main screen click New Setting to create a new connection.
Now, as you can see you have 3 boxes you need to edit.
  • Server IP
  • Server Port
  • Server Password
Edit these accordingly and click OK.
We will be back at the SoftEther VPN Server Manager window.
Here you can see the connection you now created.
Choose it and click Connect.

Configure SoftEther VPN Server

Creating Local Bridge

Right at this moment I realized that I hadn't enabled TUN/TAP on my VPS, so creating a local bridge resulted in an error.
Reading the welcome email again and checking the host's FAQ, I saw that I could enable it myself from the SolusVM control panel.
So I did.
But that cost me my SSH connection to the VPS: it restarted.
After reconnecting via SSH I had to restart vpnserver with the commands below:
cd vpnserver
./vpnserver start
Since we haven't created an init file for SoftEther yet, we need to start it manually to continue where we left off.
Then I reconnected with SoftEther VPN Server Manager.
So the next step is creating the local bridge for the VPN connection.
Bridge Easy Setup: Check Remote Access VPN Server then click next.
Decide the Virtual Hub Name: Here, you have to enter a name for your hub. I prefer using nmd
Dynamic DNS Function: Here you will be given a dynamic dns url for your VPN Server. You can change it or just accept it.
You’ll see that your IP addresses are also listed here.
VPN Azure Service Settings: You can enable or disable the VPN Azure service. It's up to you.
VPN Easy Setup Tasks: On this next screen, let’s click on Create Users and create ourselves a user to connect VPN with.
VPN Create New User: Here, filling in only the username and password is sufficient; you can always edit it later. For now Password Authentication is OK for my installation. You can change this to Individual Certificate Authentication, RADIUS Authentication or NT Domain Authentication whenever you want. You can even have a mixed environment where each user has a different way of connecting.
Local Bridge Settings: Now, due to a connection error I had to reconnect the VPN Server Manager, so I clicked the “Local Bridge Settings” from the main window in order to continue with installation.
Here we will create a tap bridge. When you first enter and there’s no bridge available, you’re greeted with a notification window.
Read it and click OK to continue.
Create Local Bridge: Choose your previously created hub from the Virtual Hub dropdown box. Choose Bridge with New Tap Device, enter softether as the New Tap Device Name and click Create Local Bridge.
IPSec / L2TP / EtherIP / L2TPv3 Settings: Next, on the main window, click on these settings.
Make sure these are checked:
Enable L2TP Server Function (L2TP over IPsec)
and
Enable L2TP Server Function (Raw L2TP with No Encryptions)
Also change your IPsec Pre-Shared Key to something of your preference. This will only be required when we're connecting to SoftEther from an IPsec/OpenVPN client.
OpenVPN / MS-SSTP Settings: In this window, enable everything if you want the OpenVPN Clone Server function. If you're planning on using the VPN with your mobile, you'll most likely need it.
We’re mostly done with our SoftEther VPN Server setup.
This much is enough for new starters. You can always change every setting and climb your way up to an advanced user in time.
Now that we have setup our VPN server, we need means to connect to it.
Thus we have SoftEther VPN Client.

Installing Softether VPN Client

From the SoftEther download links above, download SoftEther VPN Client from the SoftEther site.
When you first install it, it should ask you for your permission to create a Virtual Network Adapter, say yes and move on.
Since I already have it installed I can’t put some screenshots for the installation phase.
Also you need to run it as administrator.
After the installation, open it up. (If a few seconds have passed and you still don't see it on your screen, check the tray.)
You will be greeted with a window like this.
Of course, yours will be an empty one.
Now let’s create a new vpn connection. You can either ctrl+N or choose New VPN Connection Setting from the Connect menu.
Or like this:

Creating a SoftEther VPN Connection

Fill it up according to my example.
Did you notice that after you fill Host Name and Port Number your Virtual Hub Name is pulled from the server?
Choose your Virtual Network Adapter and edit your User Authentication Settings.
If you click on Advanced Settings you might want to enable Use Data Compression.
Also increase the number of your TCP Connections.
Click OK,
Click OK.

Connecting to SoftEther VPN Server

Now that you have created your VPN connection successfully, you're thinking that if you click Connect in your SoftEther VPN Client you will be able to connect, right?
You're wrong my friend…
Indeed, you will be able to connect. But unless you enabled SecureNAT in the Hub Properties you won't get an IP address from the server, and so you won't be able to resolve any website.
So now we need another piece of software!
In order to get an internal IP address within the VPN, we will install DNSMasq, a lightweight and fast DNS + DHCP server. I'd also like to mention that DNSMasq is much lighter on your resources than the built-in SecureNAT function, and it gives us many more features.

Next step, configuring DNSMasq.

Install DNSMasq with the command:
apt-get install dnsmasq
After installing it we need to configure it to listen to our SoftEther bridge and only to it.
This will be our DNS Forwarder as well as DHCP server.
For DNSMasq, I have prepared two config files. Use one depending on your needs.
The first one is for those who want nothing to do with IPv6:
If you are doing everything according to the tutorial, you don't need to change anything.
First let's move the original DNSMasq config file out of the way, just in case:
mv /etc/dnsmasq.conf /etc/dnsmasq.backup
Next, let's create a new one:
If you don't plan on using IPv6, you don't need to change anything.
Otherwise, if you have an IPv6 tunnel, edit it accordingly by enabling some of the disabled sections.
To save in nano press CTRL + O, and to exit press CTRL + X.
Second one is for those who also want to give IPv6 addresses to every connecting client. This can be your native IPv6 OR a tunneled IPv6 subnet.
If you want IPv6 connectivity on your SoftEther VPN Server, with router advertisements and a DHCPv6 server on your virtual private network, you don't need any other software. DNSMasq is capable of handling both.
If you already installed your VPN with the config above, just back it up and use the one below for a dual stack.
This configuration allows your dnsmasq to serve both IPv4 and IPv6.
Get the file above. Unlike the IPv4-only file, this time you need to make a few small changes.
Go to the line where we define the DHCP range our connecting clients get their addresses from and change
2001:XXX:YYY:ZZZ
to whatever your subnet is. Remember, there are two of them.
The reason for all the zeros is that newer versions of dnsmasq no longer let us state this range simply as:
2001:XXX:YYY:ZZZ::32,2001:XXX:YYY:ZZZ::ff,slaac,ra-only,64,4W
This is how I did it until dnsmasq v2.72, but it no longer works. As a side note, if the config above doesn't work for your tunneled IPv6 subnet, try adding “constructor:he-ipv6” after ra-only.
Anyway, this is the only change we have to make. Change the subnet, and the range if you'd like, and we're done with it. You don't need to edit anything else in this config. Now let's save it and continue.

SYSCTL Settings

In order to allow IP routing from the VPN connection to the outer world, we need to set a few things. One of these is done by sysctl.
To edit it:
nano /etc/sysctl.conf
Add these lines for both IPv4 and IPv6. If you don't want IPv6, disregard the second part.
net.core.somaxconn=4096
net.ipv4.ip_forward=1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 1 
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.proxy_arp = 0

net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding = 1
# If you named your tap interface something other than softether, change this key.
net.ipv6.conf.tap_softether.accept_ra=2
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_source_route=1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.proxy_ndp = 1
And save it.
CTRL + O
CTRL + X
Run sysctl -f (an alias of sysctl -p) to load the new values.
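A check I would add at this point, as an added example that is not part of the original post: a small script that reads a sysctl.conf fragment, confirms that the two forwarding keys are on, and flags accept_redirects and accept_source_route set to 1, which the block above enables and which a host that forwards traffic for others is generally advised to keep at 0. The key names are the post's; the sample fragment inside the script is constructed to mirror the lines above.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sysctl.conf fragment
# for the forwarding keys this tutorial enables and flag the values that
# widen a forwarding host's exposure. Key names follow the post; the
# sample fragment below is constructed, not the author's file.

# sysctl_value FILE KEY: print KEY's last assigned value in FILE, ignoring
# comments, surrounding spaces and trailing "# ..." remarks (the post's
# tap_softether line carries one). Prints nothing if KEY is absent.
sysctl_value() {
    esc=$(printf '%s\n' "$2" | sed 's/\./\\./g')   # dots are literal in the key
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" \
        | tail -n 1
}

# audit_sysctl_conf FILE: one line per finding on stdout; the return code is
# the number of findings, so 0 means the fragment is acceptable.
audit_sysctl_conf() {
    findings=0
    # Without these two, VPN clients are not routed at all.
    for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
        if [ "$(sysctl_value "$1" "$key")" != "1" ]; then
            echo "MISSING $key=1 (clients will not be routed)"
            findings=$((findings + 1))
        fi
    done
    # A router that honours ICMP redirects or source-routed packets lets
    # any neighbour alter its forwarding decisions; keep them at 0.
    for key in net.ipv4.conf.all.accept_redirects \
               net.ipv6.conf.all.accept_redirects \
               net.ipv6.conf.all.accept_source_route; do
        if [ "$(sysctl_value "$1" "$key")" = "1" ]; then
            echo "RISKY $key=1 (should be 0 on a host that forwards traffic)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# write_sample_conf FILE: constructed fragment mirroring the post's
# /etc/sysctl.conf additions, used for a stand-alone run without arguments.
write_sample_conf() {
    cat > "$1" <<'EOF'
net.core.somaxconn=4096
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.tap_softether.accept_ra=2 # change if your tap has another name
net.ipv6.conf.all.accept_source_route=1
net.ipv6.conf.all.accept_redirects = 1
EOF
}

# Usage: sh audit_sysctl.sh [/etc/sysctl.conf]; with no argument the
# constructed sample is audited instead.
if [ -n "${1:-}" ]; then
    target=$1
else
    target=$(mktemp); write_sample_conf "$target"
fi
n=0; audit_sysctl_conf "$target" || n=$?
echo "$n finding(s) in $target"
[ -n "${1:-}" ] || rm -f "$target"
```

On the constructed sample the script reports three findings; a fragment with the forwarding keys on and the accept_* keys at 0 returns 0.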

iptables

In order to route traffic correctly, we also need some iptables rules.
These rules are already embedded in the /etc/init.d/vpnserver file I provide in this post. You had better use that.
The rules below won't run with a simple copy and paste; they're here for your reference only. I repeat, I embedded these rules in the /etc/init.d/vpnserver file. Use it directly.
#######################################################################################
# Rules for IPTables. You can remove and use these iptables-persistent if you want 
#######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# Forward all VPN traffic that comes from VPN_SUBNET through $NET_INTERFACE interface for outgoing packets.
iptables -t nat -A POSTROUTING -o $NET_INTERFACE -s $VPN_SUBNET -j SNAT --to-source $YOUREXTERNALIP
# Alternate rule if your server has dynamic IP
#iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $NET_INTERFACE -j MASQUERADE
#
# Allow VPN Interface to access the whole world, back and forth.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 
iptables -A INPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT 
iptables -A OUTPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT 
iptables -A FORWARD -s $VPN_SUBNET -m state --state NEW -j ACCEPT 
# 
# IPv6
# This is the IP we use to reply DNS requests.
ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
# Let's define forwarding rules for IPv6 as well...
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT

# You can enable this for kernels 3.13 and up
# ip6tables -t nat -A POSTROUTING -o $TAP_INTERFACE -j MASQUERADE
#######################################################################################
# End of IPTables Rules
#######################################################################################
If you have checked the iptables rules and figured out what they do, good for you. Now forget them; you don't need to learn them here. Let's continue and install SoftEther VPN Server as a service, so that you can stop and restart it with ease and have it start when your VPS reboots.
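As an added example (not the post's init script), this is how I would apply the same IPv4 rules so that each one is checked before it is appended: iptables -C makes a service restart idempotent instead of stacking a second copy of every rule, and a configuration check refuses to run while YOUREXTERNALIP is still the literal placeholder, the mistake described in the Possible errors section. Variable names are the post's; the default interface, subnet and IP values are constructed placeholders to replace.

```shell
#!/bin/sh
# Added example, not the post's /etc/init.d/vpnserver: apply the tutorial's
# IPv4 SNAT and filter rules idempotently and refuse to run while the
# configuration section still holds placeholders. Variable names follow
# the post; the default values are constructed placeholders to replace.
TAP_INTERFACE=${TAP_INTERFACE:-tap_softether}
NET_INTERFACE=${NET_INTERFACE:-venet0}
VPN_SUBNET=${VPN_SUBNET:-192.168.30.0/24}
YOUREXTERNALIP=${YOUREXTERNALIP:-YOUREXTERNALIP}   # must be set by the admin
IPT=${IPT:-iptables}            # point at a fake command for a dry run

# check_config: fail on the mistake the post's troubleshooting section
# describes (YOUREXTERNALIP left as the literal word or unset), which leaves
# clients without a usable route, and on a VPN_SUBNET that is not CIDR.
check_config() {
    case $YOUREXTERNALIP in
        ''|YOUREXTERNALIP|*[!0-9.]*)
            echo "YOUREXTERNALIP must be the server's public IPv4 address (got '$YOUREXTERNALIP')" >&2
            return 1 ;;
    esac
    case $VPN_SUBNET in
        */*) ;;
        *) echo "VPN_SUBNET must be in CIDR form, e.g. 192.168.30.0/24" >&2; return 1 ;;
    esac
}

# ensure_rule TABLE CHAIN RULE...: append RULE only when an identical rule
# is not already present (iptables -C exits 0 when it is).
ensure_rule() {
    tbl=$1; chn=$2; shift 2
    if ! "$IPT" -t "$tbl" -C "$chn" "$@" 2>/dev/null; then
        "$IPT" -t "$tbl" -A "$chn" "$@"
    fi
}

# apply_rules: the post's IPv4 rule set, in the order the post lists it.
apply_rules() {
    check_config || return 1
    # Rewrite the source address of VPN traffic leaving via the uplink.
    ensure_rule nat POSTROUTING -o "$NET_INTERFACE" -s "$VPN_SUBNET" \
        -j SNAT --to-source "$YOUREXTERNALIP"
    # Let replies to already accepted flows through.
    for chain in INPUT OUTPUT FORWARD; do
        ensure_rule filter "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # Allow new connections originating from the VPN subnet.
    for chain in INPUT OUTPUT FORWARD; do
        ensure_rule filter "$chain" -s "$VPN_SUBNET" -m state --state NEW -j ACCEPT
    done
}

# Usage: YOUREXTERNALIP=203.0.113.5 sh vpn-rules.sh apply
case ${1:-} in
    apply) apply_rules ;;
esac
```

Running it twice adds exactly seven rules; the second run finds every rule already present and adds nothing.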

Installing SoftEther VPN Server as a service

In order to do so, let’s run the commands below.
Assuming you extracted the vpnserver folder into your home directory, this command moves it to /usr/local:
mv ~/vpnserver/ /usr/local
Now, as a last touch we have to create an init file.
For this, we will download and edit:
If you want to change the location of vpnserver or the IP addresses, edit it in your favorable editor.
If you have a native IPv6 subnet, use a SixXS/Hurricane Electric IPv6 tunnel, or plan on giving clients an IPv6 address, use the config file below:
Did you notice that the iptables rules are embedded in the file?
If you want you can extract them and use them with iptables-persistent, but using it like this is better if you don't know how.
OK, copy the contents of the vpnserver file to your notepad and EDIT the section called Configuration. I tried to explain everything, so I hope you won't have any problem editing it.
Once you have edited the file, create the init file and paste the edited vpnserver init script into it:
nano /etc/init.d/vpnserver
And save it.
Last but not least, we should make it executable, add to system startup and restart it.
chmod +x /etc/init.d/vpnserver
update-rc.d vpnserver defaults

/etc/init.d/vpnserver stop
/etc/init.d/vpnserver start
Now, try connecting your VPS from your computer via SoftEther VPN Client. If you didn’t mess it up, you should be able to connect your VPN Server without any problems.
After connecting, check your Network Connections for Network Connection Details.
If your details seem like below, you’re good to go.
Now your computer sends all DNS requests to your VPS and reaches all sites through your VPN.
(This screenshot is for an IPv4 only configuration)

IPv6 Rules for Softether

Use this for reference; we already have these rules in our config.
https://github.com/nomadturk/vpn-adblock/blob/master/etc/init.d/vpnserver
# IPv6
# This is the IP we use to reply DNS requests.
ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
# Let's define forwarding rules for IPv6 as well...
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT

# You can enable this for kernels 3.13 and up
# ip6tables -t nat -A POSTROUTING -o $TAP_INTERFACE -j MASQUERADE

Logrotate for DNSMasq

By default DNSMasq writes its logs to /var/log/daemon.log.
In our config we told dnsmasq to use /var/log/dnsmasq.log for everything, which is better.
But we need to add this to logrotate, otherwise we might end up with a huge log file. To do so, add this to
/etc/logrotate.d/dnsmasq
/var/log/dnsmasq.log {
    monthly
    missingok
    notifempty
    delaycompress
    sharedscripts
    postrotate
        [ ! -f /var/run/dnsmasq.pid ] || kill -USR2 `cat /var/run/dnsmasq.pid`
    endscript
    create 0640 dnsmasq dnsmasq
}
That should be it.
I know, this looks more complex than I intended. Sorry for that but it really is not.
If you have any questions, feel free to ask. BTW, I do update this post from time to time, whenever I can spare time. So be sure to check in again…
Enjoy your secure line.
PS: Actually this setup might not be for shared/public use. With this setup I can connect all my devices together in the private network thus I can access my Plex Media Server on ServerB when I connect to my host ServerA. Meaning everything in the network can work as if it were a local network. This might bring some security issues so you might want to isolate people with additional config to SoftEther, DNSMasq and iptables.

Possible errors:

Problem: I am connected to VPN but I still see my home IP
Possible cause: Check /etc/init.d/vpnserver AND ensure that all the configuration is correct, including YOUREXTERNALIP where you have to write the external IP of your system.
Otherwise you will end up getting an IP that starts with 169.254…
Problem: I can’t connect to VPN
Possible cause: If you are behind NAT, ensure that you have created a Listener port and make sure that vpnserver is running. You can check whether it's running with the command:
ps aux | grep vpnserver
Problem: I get assigned an IPv6 address but ipv6-test.com OR test-ipv6.com says I don’t have an IPv6 connection.
Possible cause: Try checking if IPv6 is running correctly on your server. Try
ping6 he.net
In most cases I had problems due to faulty IPv6 configuration on the server side. You may try checking for the dhcp-range we set at dnsmasq.conf file.

Notes for OpenVZ users

Ensure that you have changed the network adapter names in
/etc/dnsmasq.conf
and
/etc/init.d/vpnserver

On OpenVZ systems you should change eth0 entries to venet0.
Also on systems that have eth0 under a different name