This is a guide for installing SoftEther VPN Server on CentOS. SoftEther VPN is a good choice for reaching your local network from a computer outside it. It works much faster than other VPN solutions, but you need its client tool for all of the advanced features.
Preparing
The server requirements:
- Hardware:
  - A reasonable CPU. An Intel Atom CPU is good enough.
  - 256MB RAM; 512MB is better.
  - 2GB free disk space after the OS is installed.
- CentOS
- A Windows client for running the configuration tool.
For those who want to use Ubuntu on the server side: the recommended Linux distributions for SoftEther are RHEL, Fedora and CentOS. I’ve tried to install SoftEther VPN Server on Ubuntu Server 14; some technical problems with the firewall (iptables) may occur.
For people in China: a working VPN is required while installing the SoftEther server. Some friends said the server will be blocked by the GFW while installing from overseas, but working with an already configured SoftEther VPN Server is allowed.
For people who need to install on Windows Azure: this server cannot support protocols other than TCP and UDP. PPTP (not supported by SoftEther either) and L2TP cannot be supported because GRE protocol support is lacking. SSTP and the SoftEther client software are supported well. And don’t forget to open port 443 in the management web page.
We will create a VPN server using a subnet 192.168.250.0/24. If this is not acceptable, you need to change all related IP addresses below.
The network interface name should be eth0. If not, you need to change related device name below.
CentOS environment adjusting
We need some tools to build and install SoftEther VPN Server.
First, please make sure all components are up to date.
yum update -y
Tools for building executable files are required:
yum groupinstall "Development Tools" -y
Some services for VPN clients should be installed:
yum install dhcp dnsmasq -y
Data forwarding must be enabled by setting net.ipv4.ip_forward to 1 in /etc/sysctl.conf.
in file: /etc/sysctl.conf
net.ipv4.ip_forward = 1
Edit the dhcpd configuration file so that dhcpd listens only on the VPN interface. In CentOS 7, this step can be skipped.
in file: /etc/sysconfig/dhcpd
DHCPDARGS=tap_vpn
Don’t worry: tap_vpn will be created in the following steps.
Adjust dhcpd configuration file like this:
in file: /etc/dhcp/dhcpd.conf
option domain-name "myvpndomain.com";
option domain-name-servers 192.168.250.1, 8.8.8.8;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.250.0 netmask 255.255.255.0 {
range 192.168.250.10 192.168.250.100;
option routers 192.168.250.1;
}
This dhcpd.conf should be edited carefully. Make sure every semicolon and quote is in the right position. Change domain-name to your own domain name. If you don’t want to change the default gateway for VPN clients, delete the option routers line. You may also want to check the conf file provided by user sigma in the comment area of this article.
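The semicolon and quote mistakes warned about above are the ones that stop dhcpd from starting, and they are easy to catch before restarting the service. The script below is an added example, not from the original article or from the SoftEther project: a small line-oriented lint for the dhcpd.conf shown above. It reports missing semicolons, unbalanced quotes and braces, and additionally checks that the range lies inside the declared subnet (dhcpd rejects a range outside its subnet). The sample configurations it creates are constructed for the example; the first one is the article's own.

```shell
#!/bin/sh
# Added example, not from the original article or from the SoftEther project:
# a line-oriented lint for the dhcpd.conf above. It reports the mistakes the
# article warns about (missing semicolons, unbalanced quotes or braces) and
# also checks that the "range" lies inside the declared subnet, which dhcpd
# rejects. Assumes one statement per line and no "#" inside quoted strings;
# on the server itself, "dhcpd -t -cf FILE" remains the authoritative check.

# dotted-quad IPv4 address -> integer, for the subnet membership test
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# lint_dhcpd_conf FILE: prints each problem to stderr, returns 0 when clean
lint_dhcpd_conf() {
    f=$1 errors=0 lineno=0 depth=0 subnet= netmask= r1= r2=
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # drop comments and surrounding whitespace
        s=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$s" ] || continue
        # an odd number of double quotes means an unterminated string
        q=$(printf '%s\n' "$s" | tr -cd '"' | wc -c)
        if [ $((q % 2)) -ne 0 ]; then
            echo "line $lineno: unbalanced quotes: $s" >&2; errors=$((errors + 1))
        fi
        # every statement ends with ';', block openers end with '{', closers are '}'
        case $s in
            *'{') depth=$((depth + 1)) ;;
            '}')  depth=$((depth - 1)) ;;
            *';') ;;
            *)    echo "line $lineno: missing ';': $s" >&2; errors=$((errors + 1)) ;;
        esac
        # remember subnet/netmask and range for the membership test below
        case $s in
            "subnet "*) set -- $s; subnet=$2; netmask=$4 ;;
            "range "*)  set -- $s; r1=${2%;}; r2=${3%;}; [ -n "$r2" ] || r2=$r1 ;;
        esac
    done < "$f"
    [ "$depth" -eq 0 ] || { echo "unbalanced braces" >&2; errors=$((errors + 1)); }
    if [ -n "$subnet" ] && [ -n "$r1" ]; then
        m=$(ip2int "$netmask"); net=$(ip2int "$subnet")
        for ip in "$r1" "$r2"; do
            if [ $(( $(ip2int "$ip") & m )) -ne $(( net & m )) ]; then
                echo "range address $ip is outside $subnet/$netmask" >&2
                errors=$((errors + 1))
            fi
        done
    fi
    [ "$errors" -eq 0 ]
}

# constructed sample configs: the one from the article, and two broken ones
GOOD_CONF=$(mktemp); BAD_SYNTAX=$(mktemp); BAD_RANGE=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_SYNTAX" "$BAD_RANGE"' EXIT
cat > "$GOOD_CONF" <<'EOF'
option domain-name "myvpndomain.com";
option domain-name-servers 192.168.250.1, 8.8.8.8;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.250.0 netmask 255.255.255.0 {
  range 192.168.250.10 192.168.250.100;
  option routers 192.168.250.1;
}
EOF
cat > "$BAD_SYNTAX" <<'EOF'
option domain-name "myvpndomain.com;
default-lease-time 600
EOF
cat > "$BAD_RANGE" <<'EOF'
subnet 192.168.250.0 netmask 255.255.255.0 {
  range 192.168.251.10 192.168.251.100;
}
EOF

for c in "$GOOD_CONF" "$BAD_SYNTAX" "$BAD_RANGE"; do
    if lint_dhcpd_conf "$c"; then echo "$c: OK"; else echo "$c: problems found"; fi
done
```

Run it against the real file with `lint_dhcpd_conf /etc/dhcp/dhcpd.conf` before `service dhcpd restart`; it is deliberately stricter than dhcpd about one statement per line, so a multi-line statement shows up as a false positive rather than being missed.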
For CentOS 7 users: this document was prepared with iptables, which CentOS 7 replaces with firewalld by default. You can follow this article to bring iptables back. The main commands are listed here.
yum install -y iptables-services
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
If required, add these rules to /etc/sysconfig/iptables to open the ports for SoftEther. Change the port numbers below to match your setup. Each line opens one port; the lines for port 53 are for DNS. Note that iptables evaluates rules in order: an ACCEPT rule placed after a catch-all REJECT or DROP rule (or after the COMMIT line) is never reached, so these lines must come before them. You can remove all lines with REJECT and DROP if you want to make it easier.
in file: /etc/sysconfig/iptables
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
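Because the stock CentOS iptables file ends its INPUT chain with a catch-all REJECT (and its FORWARD chain too), where the three lines above land decides whether they do anything. The script below is an added example, not from the original article or from the SoftEther project: a static check over a file in /etc/sysconfig/iptables format that reports whether each wanted proto/port has a reachable ACCEPT in the INPUT chain and whether the FORWARD chain still carries a catch-all REJECT/DROP, which would stop the traffic VPN clients route through the server. The three sample files are constructed for the example and modelled on the stock CentOS 6 file.

```shell
#!/bin/sh
# Added example, not from the original article or the SoftEther project.
# check_iptables_file FILE KEY... reads a file in /etc/sysconfig/iptables
# (iptables-save) format and answers "will the ACCEPT rules I added actually
# be reached?". A KEY is proto/port, e.g. tcp/443. It succeeds only when every
# key has an ACCEPT in the filter INPUT chain that comes before any catch-all
# REJECT/DROP and before COMMIT, and when the FORWARD chain has no catch-all
# REJECT/DROP (which would block the routed traffic of VPN clients).
# It is a static check of the file, not a query of the running firewall.

check_iptables_file() {
    f=$1; shift
    awk -v ports="$*" '
    BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) ok[want[i]] = 0 }
    /^\*/     { table = substr($0, 2); next }   # "*filter", "*nat", ...
    /^COMMIT/ { table = ""; next }              # rules after COMMIT belong to no table and never load
    table != "filter" { next }
    $1 == "-A" && $2 == "INPUT" {
        if (blocked) next                       # everything after a catch-all is unreachable
        proto = ""; port = ""
        if (match($0, /-p [a-z]+/))      proto = substr($0, RSTART + 3, RLENGTH - 3)
        if (match($0, /--dport [0-9]+/)) port  = substr($0, RSTART + 8, RLENGTH - 8)
        key = proto "/" port
        if ($0 ~ /-j ACCEPT/ && (key in ok)) ok[key] = 1
        # a REJECT/DROP without any match condition is a catch-all
        if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /--dport|--sport|-s |-i /) blocked = 1
    }
    $1 == "-A" && $2 == "FORWARD" && $0 ~ /-j (REJECT|DROP)/ && $0 !~ /--dport|-s |-d |-i |-o / {
        fwd_blocked = 1
    }
    END {
        rc = 0
        for (k in ok) if (!ok[k]) { printf "%s: no reachable ACCEPT in INPUT\n", k; rc = 1 }
        if (fwd_blocked) { print "FORWARD has a catch-all REJECT/DROP: VPN client traffic will not be forwarded"; rc = 1 }
        exit rc
    }' "$f"
}

# constructed samples, modelled on the stock CentOS 6 /etc/sysconfig/iptables
DEFAULT=$(mktemp); APPENDED=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$DEFAULT" "$APPENDED" "$FIXED"' EXIT
cat > "$DEFAULT" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
# the SoftEther lines appended literally at the end of the file: after COMMIT
cat "$DEFAULT" > "$APPENDED"
cat >> "$APPENDED" <<'EOF'
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
EOF
# the same lines inserted before the catch-all, and the FORWARD catch-all removed
cat > "$FIXED" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

for f in "$DEFAULT" "$APPENDED" "$FIXED"; do
    if check_iptables_file "$f" udp/53 tcp/53 tcp/443; then echo "$f: ok"; else echo "$f: NOT ok"; fi
done
```

Run it as `check_iptables_file /etc/sysconfig/iptables udp/53 tcp/53 tcp/443` after editing and before `service iptables restart`. Note that the port 53 rules as written accept DNS from any source; if only VPN clients should use the server's resolver, adding `-i tap_vpn` to those two lines keeps the service off the internet-facing interface.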
SoftEther VPN Server installing
First, you need to get the address for the right release. Navigate to SoftEther Download Center by your client computer, select the SoftEther VPN Server and your CPU type to get the URL of the latest release.
Download the file into your server by using wget or some other tool you like.
! For example only. You should choose the right CPU version. !
wget http://www.softether-download.com/files/softether/v4.10-9473-beta-2014.07.12-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.10-9473-beta-2014.07.12-linux-x64-64bit.tar.gz
Decompress the downloaded file by using tar.
! For example only. File name should be changed. !
tar zxvf softether-vpnserver-v4.10-9473-beta-2014.07.12-linux-x64-64bit.tar.gz
A folder named vpnserver will be created after decompressing. Let’s make the executable files and change the permissions.
cd vpnserver/
make
cd ..
mv vpnserver /usr/local
cd /usr/local/vpnserver/
chmod 600 *
chmod 700 vpnserver
chmod 700 vpncmd
During the make process in the current version, you will be asked three questions; answer 1 to each of them.
Check the NIC name of this server by typing ifconfig. If the name is not eth0, correct it in the script below.
Create a script file named vpnserver for handling server instance start and stop.
new file: /etc/init.d/vpnserver
#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
case "$1" in
  start)
    $DAEMON start
    touch $LOCK
    # give vpnserver a moment to create the tap_vpn device before configuring it
    sleep 3
    ifconfig tap_vpn 192.168.250.1
    # NAT the VPN subnet out through eth0 (change eth0 if your NIC has another name)
    iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
    service dhcpd restart
    service dnsmasq restart
    ;;
  stop)
    # remove the NAT rule so start/stop cycles do not leave duplicate rules behind
    iptables -t nat -D POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
    $DAEMON stop
    rm -f $LOCK
    ;;
  restart)
    iptables -t nat -D POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
    $DAEMON stop
    sleep 3
    $DAEMON start
    sleep 3
    ifconfig tap_vpn 192.168.250.1
    iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
    service dhcpd restart
    service dnsmasq restart
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0
Make sure the folder for lock is created.
mkdir /var/lock/subsys
Grant the permission of the file created.
chmod 755 /etc/init.d/vpnserver
Set vpnserver to auto start. There are two hyphens before “add”.
chkconfig --add vpnserver
Start the vpnserver.
service vpnserver start
Some errors related to tap_vpn and dhcp will occur. Don’t worry about that.
Now we set a password for remote management.
cd /usr/local/vpnserver
./vpncmd
... press 1, then Enter ...
... press Enter twice to get the prompt "VPN Server>" ...
ServerPasswordSet
exit
Let’s turn to Windows now. Don’t close the shell or reboot the server.
SoftEther VPN Remote Managing
Install SoftEther VPN Server Manager for Windows from SoftEther Download Center.
Create a new server by entering the remote server IP address.
After connecting, delete the hub named DEFAULT and create a new one. Check “No Enumerate to Anonymous Users” to protect and hide your server.
Create at least one user account for the Hub created.
Click the “Local Bridge Setting” button below. Select the Hub you’ve created, choose “Bridge with New Tap Device” and type the new tap device name “vpn” (lowercase, without quotes); this creates the “tap_vpn” we’ve mentioned twice above. Never use SecureNAT for this hub because it’s not compatible with the bridge and currently sucks.
Now you need to go back to the server shell to reboot the whole system.
SoftEther VPN Client Optimizing
To make the VPN connection fast and stable, you may want to change some advanced settings on the client side.
- Number of TCP Connections: Set to 8 or above for broadband.
- Set Connection Lifetime for Each TCP Connection: Check and set to 300.
- Use Half-Duplex Mode: Check if you can.
- Disable UDP Acceleration: Check.
Future Upgrading
When you need to update the server side, you need to:
Stop the service.
service vpnserver stop
Download the latest version of SoftEther VPN Server and build it.
wget brabrabrabra
tar zxvf brabrabrabra
cd vpnserver
make
chmod 600 *
chmod 700 vpnserver
chmod 700 vpncmd
cp -r * /usr/local/vpnserver/
And start the service again.
service vpnserver start