Alternative to OpenVPN: SoftEther VPN

Suprazz

Newbie
Joined
Oct 19, 2016
Messages
13
I tried to install OpenVPN and I found the process long and complicated and at the end, I had issues.

I searched the forum for an alternative like Hamachi or NeoRouter and found nothing useful. I was able to set up NeoRouter but I had a few issues, and then I discovered SoftEther, so I decided to give it a try.

Here is what you need to do to install a SoftEther VPN that will give you access to the server remotely and securely or you can also create a VPN bridge that will give you access to the complete remote network.
I need feedback from FreeNAS gurus for advice regarding the security and/or configuration.

More info here regarding the installation: https://www.softether.org/4-docs/1-manual/7._Installing_SoftEther_VPN_Server/7.3_Install_on_Linux_and_Initial_Configurations

First, I'll do that in a jail because it's easy to try again or disable if needed.

So create a jail with the FreeNAS GUI: Jails, Add Jail, and give it a name.

When the jail is created, open a shell inside this jail.

Execute commands:
pkg update (maybe optional)
pkg upgrade (maybe optional)
pkg install wget
pkg install lang/gcc (this one takes a long time).

Then go to http://www.softether-download.com/en.aspx?product=softether, select SoftEther VPN Server, FreeBSD, x64 and copy the download link:
http://www.softether-download.com/files/softether/v4.21-9613-beta-2016.04.24-tree/FreeBSD/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.21-9613-beta-2016.04.24-freebsd-x64-64bit.tar.gz

Execute:
cd /tmp
wget http://www.softether-download.com/files/softether/v4.21-9613-beta-2016.04.24-tree/FreeBSD/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.21-9613-beta-2016.04.24-freebsd-x64-64bit.tar.gz
tar zxvf softether*
cd vpnserver
make
Select 1 for the license agreement, 1 for the understanding of the license agreement, and 1 to agree to the license agreement.

Now move everything to /usr/local/
cd ..
mv vpnserver /usr/local

Double check permissions:
cd /usr/local/vpnserver/
chmod 600 *
chmod 700 vpncmd
chmod 700 vpnserver

Now create a startup script at /etc/rc.d/vpnserver with nano (pkg install nano) or ee
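Code:
#!/bin/sh
#
# PROVIDE: softether
# REQUIRE: NETWORKING
# KEYWORD: shutdown

. /etc/rc.subr

name="softether"
rcvar="softether_enable"
start_cmd="softether_start"
stop_cmd="softether_stop"

# Start the VPN server from its install directory
softether_start() {
    cd /usr/local/vpnserver || return 1
    ./vpnserver start
}

# Stop the VPN server
softether_stop() {
    cd /usr/local/vpnserver || return 1
    ./vpnserver stop
}

# Read softether_enable from /etc/rc.conf, then dispatch start/stop
load_rc_config $name
run_rc_command "$1"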


Change permissions:
chmod 755 /etc/rc.d/vpnserver

Add to /etc/rc.conf:
Code:
softether_enable="YES"


Restart the jail, open a shell and execute ps aux to see if vpnserver is running.

Now on your computer, download and install the SoftEther VPN Server Manager at: http://www.softether-download.com/en.aspx?product=softether
http://www.softether-download.com/files/softether/v4.21-9613-beta-2016.04.24-tree/Windows/SoftEther_VPN_Server_and_VPN_Bridge/softether-vpnserver_vpnbridge-v4.21-9613-beta-2016.04.24-windows-x86_x64-intel.exe

Everything else will be done with the server manager.
Start the SoftEther VPN Server Manager.

Connect to the IP address of the jail with no password. At first login, it will ask you to generate the password.

Then select Remote access VPN server


It will offer to automatically create a DNS address for you at softether.net.

If you don't want to make any configuration changes on your router, you can also set up a VPN Azure cloud address for free. If not, you'll have to open ports 442, 500, 4500 and maybe others.

Create your users at this screen and do not forget to set up the local bridge by selecting the epair adapter.


You can create users with password authentication only, but a certificate is a better idea.

After that, download the SoftEther VPN client, enter the VPN Azure cloud address or your DNS address, username and password and you're ready to go!
 
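The guide above downloads the tarball over plain HTTP and sets file modes by hand. As an added example (not part of the original post and not SoftEther code), this sh snippet checks the download against a SHA-256 obtained from a source you trust and audits the install directory for files that group or others can access. The function names are hypothetical, and the thread gives no checksum, so the expected value is shown as a placeholder.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of SoftEther.

# sha256_of FILE: print the SHA-256 hex digest of FILE.
# Uses sha256sum where present, otherwise FreeBSD's `sha256 -q`.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# verify_tarball FILE EXPECTED: return 0 only if FILE hashes to EXPECTED.
# EXPECTED must come from a source you trust; the thread gives no value.
verify_tarball() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] && return 0
    echo "checksum mismatch for $1: got $actual" >&2
    return 1
}

# audit_perms DIR: print regular files under DIR that group or others can
# read, write or execute (the guide sets 600, and 700 for the two binaries).
# Returns 1 if any such file exists.
audit_perms() {
    bad=$(find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Intended use inside the jail (placeholder hash, paths from the guide):
#   verify_tarball /tmp/softether-vpnserver-*.tar.gz "<EXPECTED_SHA256>" \
#       && tar zxvf /tmp/softether-vpnserver-*.tar.gz
#   audit_perms /usr/local/vpnserver
```

Running audit_perms again after the server has been up for a while also catches configuration or log files created later with looser modes.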

captainkent

Newbie
Joined
Nov 12, 2016
Messages
10
Hey Suprazz,

Great guide, I managed to get everything installed, I got a problem though.

I get everything installed easily, and I can connect using SoftEther Server Manager. I set everything up using the VPN Azure Cloud and try to connect using a certificate, but it keeps saying I can't connect. I'm trying to do this from my Macbook Pro.

I've opened all my ports (all the ones I can find to open) but still can't connect.

Any ideas?
 

Suprazz

Newbie
Joined
Oct 19, 2016
Messages
13
I'm not sure. If you're using the Azure cloud, you don't need to open any port at all.
Maybe you can try with simple password authentication to begin?!
 

captainkent

Newbie
Joined
Nov 12, 2016
Messages
10
Thanks for the reply.

I will try and see if I can connect using just a username and password.

The strange thing is, I can connect to the VPN when I'm inside my own network (from my desktop PC). But when I share my 4G connection from my phone to my Macbook, I can't connect.
 

captainkent

Newbie
Joined
Nov 12, 2016
Messages
10
I connected with a standard username and password (using the Azure cloud), still doesn't work.

I can connect to the VPN from my own network, receive an IP, but I have no access to the internet.

I can, however, ping my NAS, my gateway etc.

Any ideas?
 
Joined
Feb 28, 2017
Messages
9
I have found that even with the bridge in place, VIMAGE isn't allowing the DHCP traffic of the local net to be routed into the VirtualHub.

With the OpenVPN client this was returning an "authentication error"; however, the server logs were showing "IP address cannot be assigned".

Removing the VIMAGE setting from the jail has resolved the issue and I was able to connect with the above setup.

Update:
Have reactivated the VIMAGE setting and established the bridge between the virtual hub and the jail's internal virtual interface (epair0b).
I can see from the virtual hub all the traffic and IPs from the jail's external virtual interface (epair0a).
This time it works, so I am not sure why it didn't work the first time.
 
Joined
Mar 31, 2018
Messages
2
Suprazz, you are the best!
I have tried OpenVPN but it didn't work. I was able to install OpenVPN properly but I had this lovely "TLS Error: cannot locate HMAC in incoming packet" error and no advice worked for me. But with SoftEther everything works like a charm. THANK YOU!
 
Joined
Oct 4, 2014
Messages
8
I tried to install OpenVPN and I found the process long and complicated and at the end, I had issues.

.....

After that, download the SoftEther VPN client, enter the VPN Azure cloud address or your DNS address, username and password and you're ready to go!
Suprazz,

thanks for details. I usually use OpenVPN, however it is very temperamental (for me) as far as routing, plus it needs its own client.

The last straw was an OpenVPN install for my in-laws; I couldn't get routing to work properly.

SoftEther, especially based on your guide, worked pretty much right away. Just one hiccup - Comodo blocked ARP packets from FreeNAS to SoftEther VPN Client Manager. Native Windows firewall prompted to add client software to the list.

One more issue - using the built-in L2TP client on Android (Galaxy S9) vs OpenVPN on the same device, SoftEther is about 100KB/sec slower. Not a dealbreaker, and so far the ease of config outweighs the slightly slower link.

Also, need to see how it will behave on 3rd party networks. OpenVPN was easy - just use port 443.
L2TP needs more ports to be open.

From now on, I'm adding SoftEther to my arsenal of FreeNAS tools.
 
Joined
Feb 16, 2016
Messages
4
Hey guys,

Just trying this on 11.2. I can't get the bridge online. I've tried enabling tun on the jail with "iocage set allow_tun=1 <jail-name> ". I've also got "allow.raw_sockets" and "allow.socket_af" enabled in the jail settings.

My jail config is I've bound the jail to a spare NIC on the server. Specifying a static IP address, with "VNET" and "Berkeley Packet Filter" both disabled.

Any help would be much appreciated.
 
Joined
Feb 28, 2017
Messages
9
I have been successfully running SoftEtherVPN on 11.1 for a while (actually within a 10.x warden jail).
However, after creating an 11.3 iocage jail and manually migrating the vpnserver directory and rc.conf settings over, the SoftEther Server fails.

What happens is that
1. vpn client connections reach the server
2. the server initiates the VPN session and seeks for DHCP
3. the DHCP traffic isn't reaching the SERVER since the status of epair0b<->Hub is reported as "Error"
4. The server terminates the session since remote IP address cannot be granted

The same version/code of the SoftEtherVPN Server, both running (not at the same time) on latest 11.2-U7 FreeNAS host ...
a. ... cannot bind its hub on epair0b when on 11.3 jail
b. ... can bind its hub on epair0b when on 10.x jail

The only diff I can see is that epair0b in Jail 10.x is in PROMISC mode, not having a "hwaddr" value, not in group "pair".

Any ideas what could stop hub<->epair0b from forming a local bridge ?

[SOLUTION - Workaround until I find a fix to the local bridge session issue]
Given that you cannot establish a Local Bridge session
1. Delete your local bridges setup
2. Select your hub and click the "manage virtual hub" button
3. Click the "SecureNAT" settings and fill as below; nothing else

You should be fine

[Attached image: 1575844040362.png]
 

jgreco

Resident Grinch
Moderator
Joined
May 29, 2011
Messages
12,154
thanks for details. I usually use OpenVPN, however it is very temperamental (for me) as far as routing, plus it needs its own client.

Last straw was OpenVPN install for my in-laws, couldn't get routing work properly.
OpenVPN is the Swiss Army Knife of VPN tools, but this makes it very easy to misconfigure, and most people have a weak understanding of how a VPN engine fits into a network in the first place. You really do need to engineer a coherent routing environment or it is likely that there are things that won't work correctly. This isn't (usually) OpenVPN's fault, but rather a side effect of OpenVPN's siting on the network, a misconfiguration, or a naive routing topology. All of this gets even more complicated when you start adding multiple bridging technologies; all your i's need to be dotted and all your t's crossed.
 