Install SoftEther VPN Server on CentOS

This is a guide for installing SoftEther VPN Server on CentOS. SoftEther VPN is a good choice for accessing your local network from a computer outside. It works much faster than other VPN services but you need a client tool for all advanced features.

Preparing

The server requirement:

  • Hardware:
    • A not so bad CPU. Intel Atom CPU is good enough.
    • 256MB RAM, 512MB will be better.
    • 2GB free disk space after OS installed.
  • CentOS
  • A Windows client for running configuration tool.

For who want to choose Ubuntu as server side: The recommended Linux for SoftEther is RHEL, Fedora and CentOS. I’ve tried to install SoftEther VPN Server on Ubuntu Server 14. Some technique problem about firewall (iptables) may occur.

For the people in China: A working VPN is required for installing SoftEther server. Some friends said the server will be blocked by GFW while installing oversea. But working with a configured SoftEther VPN Server is allowed.

For the people who need to install on Windows Azure: This server cannot support protocols other than TCP and UDP. PPTP (not supported by SoftEther either) and L2TP cannot be supported due to protocol GRE support is lacked. SSTP and SoftEther client software are supported well. And don’t forget to open the port 443 on the management webpage.

We will create a VPN server using a subnet 192.168.250.0/24. If this is not acceptable, you need to change all related IP addresses below.

The network interface name should be eth0. If not, you need to change related device name below.

CentOS environment adjusting

We need some tools to build and install SoftEther VPN Server.

First, please make sure all components are up to date.

yum update -y

Tools for building executable files are required:

yum groupinstall "Development Tools" -y

Some services for VPN clients should be installed:

yum install dhcp dnsmasq -y

Data forwarding should be enabled by set net.ipv4.ip_forward to 1 in /etc/sysctl.conf.

in file: /etc/sysctl.conf

net.ipv4.ip_forward = 1

Edit dhcpd configuration file to start dhcpd only for VPN clients. In CentOS 7, this step can be skipped.

in file: /etc/sysconfig/dhcpd

DHCPDARGS=tap_vpn

Don’t worry. The tap_vpn will be created by following steps soon.

Adjust dhcpd configuration file like this:

in file: /etc/dhcp/dhcpd.conf

option domain-name "myvpndomain.com";
option domain-name-servers 192.168.250.1, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;

subnet 192.168.250.0 netmask 255.255.255.0 {
range 192.168.250.10 192.168.250.100;
option routers 192.168.250.1;
}

This dhcpd.conf should be edited carefully. Make sure all semicolons and quotes are written in the right position. The domain-name should be changed into your name specified. If you don’t want to change the default gateway for VPN clients, delete the option routers line. You may want to check the conf file provided by user sigma in the comment area of this article.

For CentOS 7 user: this document is prepared with iptables which is replaced by firewalld in CentOS 7 by default. You can follow this article to make the iptables back. Main commands are listed here.

yum install -y iptables-services
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables

If required, add these commands to the end of /etc/sysconfig/iptables to open the ports for SoftEther. You need to change the port numbers below. Each line is for one port. Lines of port 53 are for DNS. You can remove all lines with REJECT and DROP if you want to make it easier.

in file: /etc/sysconfig/iptables

-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

SoftEther VPN Server installing

First, you need to get the address for the right release. Navigate to SoftEther Download Center by your client computer, select the SoftEther VPN Server and your CPU type to get the URL of the latest release.

Download the file into your server by using wget or some other tool you like.

! For example only. You should choose the right CPU version. !

wget http://www.softether-download.com/files/softether/v4.10-9473-beta-2014.07.12-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.10-9473-beta-2014.07.12-linux-x64-64bit.tar.gz

Decompress the downloaded file by using tar.

! For example only. File name should be changed. !

tar zxvf softether-vpnserver-v4.10-9473-beta-2014.07.12-linux-x64-64bit.tar.gz

A folder named vpnserver will be created after decompressing. Let’s make the executable files and change the permissions.

cd vpnserver/
make
cd ..
mv vpnserver /usr/local
cd /usr/local/vpnserver/
chmod 600 *
chmod 700 vpnserver
chmod 700 vpncmd

By making process in current version, you need to answer 1 three times.

Check the NIC name of this server by typing ifconfig. It the name is not eth0, correct it in script below.

Create a script file named vpnserver for handling server instance start and stop.

new file: /etc/init.d/vpnserver

#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 3
ifconfig tap_vpn 192.168.250.1
iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
service dhcpd restart
service dnsmasq restart
;;
stop)
iptables -t nat -D POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
$DAEMON stop
rm $LOCK
;;
restart)
iptables -t nat -D POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
$DAEMON stop
sleep 3
$DAEMON start
sleep 3
ifconfig tap_vpn 192.168.250.1
iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
service dhcpd restart
service dnsmasq restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

Make sure the folder for lock is created.

mkdir /var/lock/subsys

Grant the permission of the file created.

chmod 755 /etc/init.d/vpnserver

Set vpnserver to auto start. There are two hyphens before “add”.

chkconfig --add vpnserver

Start the vpnserver.

service vpnserver start

Some errors will occur related to tap_vpn and dhcp. Don’t worry about that.

Now we set a password for remote management.

cd /usr/local/vpnserver
./vpncmd
... press 1 and press enter ...
... press 2 enters to get the prompt "VPN Server>" ...
ServerPasswordSet
exit

Let’s turn to Windows now. Don’t close the shell or reboot the server.

SoftEther VPN Remote Managing

Install SoftEther VPN Server Manager for Windows from SoftEther Download Center.

Create a new server by entering the remote server IP address.

After connected, delete the hub named DEFAULT and create a new one. Check “No Enumerate to Anonymous Users” to protect and hide your server.

Create at least one user account for the Hub created.

Click “Local Bridge Setting” button below. Select the Hub you’ve created, “Bridge with New Tap Device” and type the New Tap Device Name “vpn” (lowercase, without quotes) to create the “tap_vpn” we’ve mentioned twice above. Never use SecureNAT for this hub because it’s not compatible with bridge and sucks currently.

Now you need to go back to the server shell to reboot the whole system.

SoftEther VPN Client Optimizing

To make the VPN connection fast and stable, you may want to change some advanced settings in client side.

  • Number of TCP Connections: Set to 8 or above for broadband.
  • Set Connection Lifetime for Each TCP Connection: Check and set to 300.
  • Use Half-Duplex Mode: Check if you can.
  • Disable UDP Acceleration: Check.

Future Upgrading

When you need to update the server side, you need to:

Stop the service.

service vpnserver stop

Download the latest version of SoftEther VPN Server and build it.

wget brabrabrabra
tar zxvf brabrabrabra
cd vpnserver
make
chmod 600 *
chmod 700 vpnserver
chmod 700 vpncmd
cp -r * /usr/local/vpnserver/

And start the service again.

service vpnserver start

Normal Steps for Minimal Setup CentOS 6 on ESXi

1 Create a new VM as you wish. Install CentOS6 with minimal configuration. After installation, shutdown the VM.

shutdown –h now

2 Add a new E1000 network interface card (eth1 in this article, if not, change all related steps below).

3 Boot and login.

4 Setup a temporary network:

ifconfig eth1 <temporary ip> netmask <netmask> up
route add default gw <gateway>

  • if HTTP proxy is required: edit the yum configuration file.

vi /etc/yum.conf

and add these lines:

# The proxy server – proxy server:port number
proxy=http://mycache.mydomain.com:3128
# The account details for yum connections
proxy_username=yum-user
proxy_password=qwerty

  • if HTTP proxy is NOT required: edit DNS configuration file. See step 13.
  • if Route is required: edit route configuration file. See step 14.

5 Install perl, and update system.

yum install perl
yum update

6 Shutdown.

shutdown –h now

7 Remove the E1000 network interface card, which was inserted in step 2.

8 Boot and login.

9 Insert VMware Tools CD.

10 Install VMware Tools, and reboot. (NOTE: you may need to do this step every time after system update)

cd /
mount /dev/cdrom /media
tar –zvxf /media/VM*
cd vmware-tools-distrib/
./vmware-install.pl

follow the instructions on your screen.

umount /media
reboot

11 Wait for reboot and login.

12 Setup eth0

vi /etc/sysconfig/network-scripts/ifcfg-eth0

and add these lines:

ONBOOT=yes

  • if DHCP is enabled:

BOOTPROTO=dhcp

  • if static IP is preferred:

IPADDR=<IP>
NETMASK=255.255.255.0
BOOTPROTO=none

13 Setup DNS.

vi /etc/resolv.conf

and add these lines:

nameserver <1st DNS IP>
nameserver <2nd DNS IP>
domain <domain name> #your domain name, optional

14 Setup route.

vi /etc/sysconfig/network

and add these lines:

NETWORKING=yes
HOSTNAME=<value>
GATEWAY=<Gateway IP>
GATEWAYDEV=eth0

15 Reboot.

reboot

16 Disable SELINUX if you don’t like it.

vi /etc/sysconfig/selinux

find the line start with SELINUX=, and set it to disabled.

SELINUX=disabled

Install OpenVPN Server on CentOS 5.4

There are many guys asking me how to install OpenVPN on CentOS 5.2/5.4. I have a server with that system (minimal installation) exactly and I cannot find an all correct guide for this setup step. So I decide to write this post.

You cannot count on the post to explain what OpenVPN is. But if you just require a simple guide for installation, you’ve got it.

Preparation:

1 A server running with CentOS 5.2/5.4. I don’t know which services you’ve installed, so I have to install all necessary components by bash command. You can skip that command if you know that is installed.
2 A KVM, an SSH client or another way to connect to your server.
3 You must know how to use tool vi to edit file.

Setup guide:

All blue texts should be typed into bash command line, and press Enter after each command. All black texts are just commit. Read them as you wish.

Install some tools.

yum install -y wget Install a tool for downloading packages.
yum install -y iptables Install the controller for inputting firewall rules.

Configure yum to install OpenVPN

yum install -y yum-priorities Let your yum to install more packages.
cd /tmp
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm for x86 (32bit) only
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm for x64 (64bit) only
rpm -i rpmforge-release-0.5.1-1.el5.rf.*.rpm
yum check-update

Install OpenVPN

yum install -y openvpn

Configure OpenVPN Server

cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
. ../vars There is a space between the 1st and 2nd dot.
chmod +rwx *
source ./vars
vi ../vars Modify the last several lines of this file to match your location and org name.
vi vars Modify the last several lines of this file to match your location and org name.
./build-ca Input your location and org name.
source ./vars
./clean-all
./build-ca Always press enter directly. You can verify your infomation in this step.
./build-key-server server Answer y twice for the 2 questions in the end, press enter directly for others.

Configure OpenVPN Setting. Following this post, you will get a server running at port 1194 with UDP protocol, and the sub network for VPN clients is 10.0.0.0/24. You can modify this document with the rest commands synchronously.

vi /etc/openvpn/openvpn.conf Create setting file.

Type all green text below to the edit form of vi.

port 1194 Use port 1194.
proto udp Use udp protocol. You can change this into tcp as you wish. It seems that udp is faster. Tcp can be used when you are using a udp banned network.
dev tun Mode. You can choose tun or tap. I don’t wanna explain this.
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.0.0.0 255.255.255.0 Sub network for VPN clients
push "dhcp-option DNS 208.67.222.222" Use DNS of OpenDNS.
push "dhcp-option DNS 208.67.220.220" Use DNS of OpenDNS.
push "redirect-gateway" Let all traffic from client to go though with this VPN server. Remove this line if you don’t want it.
ifconfig-pool-persist ipp.txt Let OpenVPN server to record the last used IP for each client, which allows client to use the same IP when reconnected.
keepalive 10 120
comp-lzo Enable compression for saving bandwidth.
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client Allow clients to communicate with each others. Remove this line if you dont’t want it.

Save this file.

cp keys/{ca.crt,ca.key,server.crt,server.key} /etc/openvpn/
./build-dh This may take a while.
cp keys/dh1024.pem /etc/openvpn/
/etc/init.d/openvpn start Service starts!
chkconfig --list | grep vpn

Create key for each client.

The working folder is /etc/openvpn/easy-rsa/2.0 and you can verify it by typing pwd if you like. If it’s not, type cd /etc/openvpn/easy-rsa/2.0 to change it. Run source ./vars if needed.

Run this command for each client.
./build-key <client name> Answer y twice for the 2 questions in the end, press enter directly for others. Change <client name> to client name.

Final steps and add some firewall rules

service iptables start Start the iptables service.
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT Allow udp datagrams to be received from port 1194 of your nic eth0. Notice that there are 2 hyphens before dport.
iptables -A OUTPUT -o eth0 -p udp --dport 1194 -j ACCEPT Allow udp datagrams to be sent from port 1194 of your nic eth0. Notice that there are 2 hyphens before dport.
iptables -A INPUT -i tun0 -j ACCEPT Allow traffic from OpenVPN nic tun0. Change it to tap0 if you use tap mode in server configuration.
iptables -A OUTPUT -o tun0 -j ACCEPT Allow traffic from OpenVPN nic tun0. Change it to tap0 if you use tap mode in server configuration.
iptables -A FORWARD -o tun0 -j ACCEPT Allow traffic from OpenVPN nic tun0. Change it to tap0 if you use tap mode in server configuration.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE Enable NAT.
/etc/init.d/iptables save Save iptables’ rules.
/etc/init.d/iptables restart Restart iptables service.
chkconfig iptables on Let iptables be started automatically.
chkconfig openvpn on So is openvpn.
vi /etc/sysctl.conf

Find a line with text net.ipv4.ip_forward = 0, change it into net.ipv4.ip_forward = 1, and save this file.

You’ve finished the configuration of server. Please restart it.

shutdown -r now

All certifications and key files can be found at /etc/openvpn/easy-rsa/2.0/keys. You should download ca.crt, <client name>.key and <client name>.crt to each client computer.

I’ll go on to create an OpenVPN client in Windows for example.

Download and install OpenVPN Windows Version.

Copy ca.crt, <client name>.key and <client name>.crt to its config folder (c:\Program Files (x86)\OpenVPN\config\ or c:\Program Files\OpenVPN\config\ by default). You can create a sub folder for each server to make it possible to connect to many servers, not at the same time.

Create a text file with extension “ovpn” in the folder which contains these 3 files with all green text below.

client
dev tun
proto udp
remote
<your server name or ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert
<client name>.crt
key
<client name>.key
ns-cert-type server
comp-lzo
verb 3

Save this file.

Start OpenVPN Client, right click the icon in the system tray and connect the server. If you are running Windows Vista / 7 or Windows Server 2008 / 2008 R2, you have to run this program as administrator coz Route.exe which will be run by OpenVPN need this.

I hope you get it though.
BTW, if you are using fedora, you may wanna check this post, which contains more commands to adjust firewall.

For CentOS 6.0: iptables’ commands need to be adjust. See your iptables configuration file for detail information.