How to Configure a SoftEther VPN Server on Ubuntu 24.04 VPS

This guide details setting up your own VPN server by installing SoftEther VPN server on Ubuntu 24.04. SoftEther VPN is an open-source, multi-protocol VPN software package ideal for enabling individual users to connect to a remote network.

Why Create Your Own VPN Server?

  • It is crucial to set up your own VPN server if you’re a VPN service provider or system administrator.

  • You decide to self-host because you don’t trust VPN service providers’ no-logging policies.

  • You can use a VPN to implement network security policies. For instance, if you run your own email server, you can require users to log in only from the IP address of the VPN server by creating an IP address whitelist in the firewall. As a result, your email server is hardened against hacking attempts.

  • Perhaps you are just interested in learning how VPN servers function.

Features of SoftEther VPN

  • Lightweight and fast: During testing, it was possible to stream YouTube 4K videos with SoftEther VPN.

  • Cross-platform: Runs on Linux, FreeBSD, macOS, Solaris, and Windows servers, with support for X86, AMD64, ARM, PowerPC, and MIPS architectures.

  • Supports multiple protocols: Including traditional protocols like OpenVPN, L2TP, IPSec, SSTP, and the in-house SoftEtherVPN protocol, which is an HTTPS-based VPN protocol.

  • SoftEther client software is available for Linux, macOS, and Windows, including support for ARM, PowerPC, and MIPS architectures.

  • NAT Traversal enables running SoftEther VPN server behind a NAT without port forwarding (enabled by default).

  • VPN over ICMP / VPN over DNS enables establishing a VPN connection using ICMP or DNS, even if the firewall or router blocks every TCP or UDP connection.

  • An HTML5-based modern admin console.

Requirements

To follow this tutorial, you will need a VPS (Virtual Private Server) that can freely access blocked websites.

Once you have a VPS running Ubuntu 24.04, follow the instructions below.

You also need a domain name to enable the HTTPS-based SoftEther VPN protocol.

Step 1: Install SoftEther VPN Server on Ubuntu 24.04 VPS

Step 1: Run the following command to download the latest stable version of SoftEther VPN server.

wget https://www.softether-download.com/files/softether/v4.42-9798-rtm-2023.06.30-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.42-9798-rtm-2023.06.30-linux-x64-64bit.tar.gz

Step 2: Extract the archive.

tar xvf softether-vpnserver-*.tar.gz

Step 3: Change to the vpnserver directory.

cd vpnserver/

Step 4: Install the following dependency packages on the server.

sudo apt install -y gcc binutils gzip libreadline-dev libssl-dev libncurses5-dev libncursesw5-dev libpthread-stubs0-dev

Step 5: Then run the following command to start the build process.

make

Step 6: To keep the file system tidy and clean, it’s recommended to move the vpnserver directory to /opt/.

cd ..

sudo mv vpnserver /opt/softether

Step 2: Create Systemd Service Unit

Step 1: The VPN server can be started with:

sudo /opt/softether/vpnserver start

Step 2: Stop it with:

sudo /opt/softether/vpnserver stop

Step 3: To make SoftEther VPN server automatically start at boot time, create a systemd service unit for it.

sudo nano /etc/systemd/system/softether-vpnserver.service

Step 4: Add the following lines to this file.

[Unit]
Description=SoftEther VPN server
After=network-online.target
After=dbus.service

[Service]
Type=forking
ExecStart=/opt/softether/vpnserver start
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

Step 5: Press Ctrl+O, then Enter to save the file.

Step 6: Press Ctrl+X to exit the nano command line text editor.

Step 7: Then start the VPN server with the following command.

sudo systemctl start softether-vpnserver

Step 8: Enable auto-start at boot time.

sudo systemctl enable softether-vpnserver

Step 9: You can check its status with:

systemctl status softether-vpnserver

Step 10: If it’s not running, then you can check the journal to find out what’s wrong.

sudo journalctl -eu softether-vpnserver

Step 11: Check the listening ports.

sudo ss -lnptu | grep vpnserver

Step 3: Open Ports In the VPS Firewall

Step 1: If there’s a firewall running on your server, then you will need to open several ports.

Step 2: For example, if you use UFW, then run the following command.

sudo ufw allow 80,443,992,1194,555/tcp

sudo ufw allow 1194,51612,53400,56452,40085/udp
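The following added example (not part of the original guide) compares the port lists from the two ufw commands above with what vpnserver is bound to, so that rules without a listener and listeners without a rule both show up. The ss output is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the ports opened in UFW
# with the ports vpnserver is listening on.

# Constructed sample of `sudo ss -lnptu | grep vpnserver` output.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:443   0.0.0.0:* users:(("vpnserver",pid=812,fd=21))
tcp LISTEN 0 128 0.0.0.0:992   0.0.0.0:* users:(("vpnserver",pid=812,fd=25))
tcp LISTEN 0 128 0.0.0.0:1194  0.0.0.0:* users:(("vpnserver",pid=812,fd=29))
tcp LISTEN 0 128 0.0.0.0:5555  0.0.0.0:* users:(("vpnserver",pid=812,fd=33))
tcp LISTEN 0 128    [::]:443      [::]:* users:(("vpnserver",pid=812,fd=23))
udp UNCONN 0 0   0.0.0.0:1194  0.0.0.0:* users:(("vpnserver",pid=812,fd=40))
udp UNCONN 0 0   0.0.0.0:51612 0.0.0.0:* users:(("vpnserver",pid=812,fd=41))
udp UNCONN 0 0   0.0.0.0:53400 0.0.0.0:* users:(("vpnserver",pid=812,fd=42))
udp UNCONN 0 0   0.0.0.0:56452 0.0.0.0:* users:(("vpnserver",pid=812,fd=43))
udp UNCONN 0 0   0.0.0.0:40085 0.0.0.0:* users:(("vpnserver",pid=812,fd=44))'

# Port lists exactly as given in the two ufw commands above.
ALLOW_TCP="80,443,992,1194,555"
ALLOW_UDP="1194,51612,53400,56452,40085"

# listening_ports PROTO: ss output on stdin -> unique local ports for tcp|udp.
listening_ports() {
    awk -v proto="$1" '$1 == proto { n = split($5, a, ":"); print a[n] }' |
        sort -un
}

# audit_ports PROTO ALLOWLIST: ss output on stdin. Prints, sorted:
#   "allowed-not-listening PORT"  opened in UFW, vpnserver not bound to it
#   "listening-not-allowed PORT"  vpnserver bound to it, not opened in UFW
audit_ports() {
    listening_ports "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { bound[$1] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(a[i] in bound)) print "allowed-not-listening " a[i]
            for (p in bound)
                if (!(p in ok)) print "listening-not-allowed " p
        }' | LC_ALL=C sort
}

# On a live server, feed real data instead of the sample:
#   sudo ss -lnptu | grep vpnserver | audit_ports tcp "$ALLOW_TCP"
printf '%s\n' "$SAMPLE_SS" | audit_ports tcp "$ALLOW_TCP"
printf '%s\n' "$SAMPLE_SS" | audit_ports udp "$ALLOW_UDP"
```

Port 80 is expected in the allowed-not-listening output because it is opened for the http-01 challenge used later, not for vpnserver.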

Step 4: Configure SoftEther VPN Server

Step 1: Now we need to use vpncmd to configure SoftEther VPN Server.

/opt/softether/vpncmd

Step 2: Choose 1 to configure the VPN server.

  • The admin console is listening on port 5555. Enter 127.0.0.1:5555 to access the admin console.

  • Then press Enter to skip Virtual Hub selection.

  • By default, the password for the admin console is empty. We need to set a password by executing the ServerPasswordSet command.

Step 3: Next, configure a virtual hub in SoftEtherVPN. You can use the default virtual hub named DEFAULT.

Hub DEFAULT

Step 4: Create a VPN account with the following command. Replace username with your preferred username.

UserCreate username

You will be asked to enter a group name, full name and user description. You can press Enter to leave them empty.

Step 5: Set a password for this user.

UserPasswordSet username

Step 6: Run the following command to enable virtual NAT and DHCP server function, otherwise VPN clients won’t be able to get an IP address from the VPN server.

SecureNatEnable

Step 7: Next, configure the NAT for VPN users by executing the DhcpSet command.

DhcpSet

You will be asked a series of questions. Use the following settings.

  • Start Point for Distributed Address Band: 192.168.30.10

  • End Point for Distributed Address Band: 192.168.30.200

  • Subnet Mask: 255.255.255.0

  • Lease Limit (Seconds): 7200

  • Default Gateway: 192.168.30.1

  • DNS Server 1: 192.168.30.1

  • DNS server 2: 1.0.0.1

  • Domain Name: Press Enter to skip.

  • Save Log: yes

Step 8: To log out from the admin console, run

exit

Step 5: Install a DNS Resolver on the Server

Step 1: Since we specify the VPN server as the DNS server for clients, we need to run a DNS resolver on the VPN server.

Step 2: Install the bind9 DNS server.

sudo apt install -y bind9

Step 3: Once it’s installed, BIND will automatically start. You can check its status with:

systemctl status named

Step 4: If it’s not running, start it with:

sudo systemctl start named

Step 5: Edit the BIND DNS server’s configuration file.

sudo nano /etc/bind/named.conf.options

Step 6: Add the following line to allow VPN clients to send recursive DNS queries.

allow-recursion { 127.0.0.1; 192.168.30.0/24; };

Step 7: Save and close the file.

Step 8: Then edit the /etc/default/named file.

sudo nano /etc/default/named

Step 9: Add -4 to the OPTIONS to ensure BIND can query root DNS servers.

OPTIONS="-u bind -4"

Step 10: Save and close the file.

Step 11: By default, BIND enables DNSSEC, which ensures that DNS responses are correct and not tampered with.

Step 12: To make it work properly, rebuild the managed key database with the following commands.

sudo rndc managed-keys destroy
sudo rndc reconfig

Step 13: Restart BIND9 for the changes to take effect.

sudo systemctl restart named

Step 14: Then you need to run the following command to allow VPN clients to connect to port 53.

sudo ufw insert 1 allow in from 192.168.30.0/24
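As an added example (not part of the original guide), this script reads named.conf.options and checks that the allow-recursion statement from Step 6 offers recursion only to the loopback address and the VPN subnet. The configuration text is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that recursion is only
# offered to the loopback address and the VPN subnet.

# Constructed sample of /etc/bind/named.conf.options after Step 6.
SAMPLE_CONF='options {
        directory "/var/cache/bind";
        allow-recursion { 127.0.0.1; 192.168.30.0/24; };
        // allow-recursion { any; };
        dnssec-validation auto;
        listen-on-v6 { any; };
};'

# recursion_acl: named.conf text on stdin -> one allow-recursion entry per line.
# Handles // and # comments; /* ... */ comments are not handled.
recursion_acl() {
    sed -e 's|//.*$||' -e 's|#.*$||' | tr '\n' ' ' |
        sed -n 's/.*allow-recursion[[:space:]]*{\([^}]*\)}.*/\1/p' |
        tr ';' '\n' | awk 'NF { print $1 }'
}

# audit_recursion VPN_SUBNET: named.conf text on stdin. Prints "ok ENTRY" or
# "review ENTRY" for each entry; returns 1 if anything needs review or the
# statement is absent.
audit_recursion() {
    vpn="$1"; rc=0; seen=0
    for entry in $(recursion_acl); do
        seen=1
        case "$entry" in
            127.0.0.1|::1|localhost|"$vpn") echo "ok $entry" ;;
            *) echo "review $entry"; rc=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || { echo "review allow-recursion-not-set"; rc=1; }
    return "$rc"
}

# On the server:
#   sudo cat /etc/bind/named.conf.options | audit_recursion 192.168.30.0/24
printf '%s\n' "$SAMPLE_CONF" | audit_recursion 192.168.30.0/24
```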

Step 6: Obtain a Trusted TLS Certificate from Let’s Encrypt

Step 1: SoftEtherVPN server creates a self-signed TLS certificate during the installation process, but we will use a Let’s Encrypt certificate.

Step 2: The advantage of using a Let’s Encrypt certificate is that it’s free, easier to set up, and trusted by VPN client software.

Step 3: Run the following command to install the Let’s Encrypt client (certbot) from the default Ubuntu repository.

sudo apt install -y certbot

Step 4: To check the version number, run

certbot --version

Step 5: Use the standalone or webroot plugin to obtain a TLS certificate.

Standalone Plugin

Step 1: If there’s no web server running on your Ubuntu 24.04 VPS and you want SoftEther VPN server to use port 443, then use the standalone plugin to obtain a TLS certificate from Let’s Encrypt.

Step 2: Go to your domain’s DNS editor and set a DNS A record for the VPN sub-domain (vpn.example.com).

Step 3: Then run the following command on the server to obtain a TLS certificate.

sudo certbot certonly --standalone --preferred-challenges http --key-type rsa --agree-tos --email you@example.com -d vpn.example.com

Where:

  • certonly: Obtain a certificate but don’t install it.

  • --standalone: Use the standalone plugin to obtain a certificate.

  • --preferred-challenges http: Perform http-01 challenge to validate our domain, which will use port 80.

  • --key-type rsa: Let’s Encrypt uses an ECDSA key by default, but SoftEther currently supports RSA keys.

  • --agree-tos: Agree to Let’s Encrypt terms of service.

  • --email: Email address is used for account registration and recovery.

  • -d: Specify your domain name.

Using webroot Plugin

Step 1: If your Ubuntu 24.04 VPS has a web server listening on ports 80 and 443, then use the webroot plugin to obtain a certificate.

Step 2: First, create a virtual host for vpn.example.com.

Apache

Step 1: If you are using Apache, then

sudo nano /etc/apache2/sites-available/vpn.example.com.conf

Step 2: Paste the following lines into the file.

<VirtualHost *:80>        
        ServerName vpn.example.com

        DocumentRoot /var/www/html/
</VirtualHost>

Step 3: Save and close the file.

Step 4: Then create the web root directory.

sudo mkdir -p /var/www/html

Step 5: Set www-data (Apache user) as the owner of the web root.

sudo chown www-data:www-data /var/www/html -R

Step 6: Enable this virtual host.

sudo a2ensite vpn.example.com

Step 7: Reload Apache for the changes to take effect.

sudo systemctl reload apache2

Step 8: Once the virtual host is created and enabled, run the following command to obtain a Let’s Encrypt certificate using the webroot plugin.

sudo certbot certonly --webroot --agree-tos --key-type rsa --email you@example.com -d vpn.example.com -w /var/www/html

Nginx

Step 1: If you are using Nginx, then

sudo nano /etc/nginx/conf.d/vpn.example.com.conf

Step 2: Paste the following lines into the file.

server {
      listen 80;
      server_name vpn.example.com;

      root /var/www/html/;

      location ~ /.well-known/acme-challenge {
         allow all;
      }
}

Step 3: Save and close the file.

Step 4: Then create the web root directory.

sudo mkdir -p /var/www/html

Step 5: Set www-data (Nginx user) as the owner of the web root.

sudo chown www-data:www-data /var/www/html -R

Step 6: Reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Step 7: Once the virtual host is created and enabled, run the following command to obtain a Let’s Encrypt certificate using the webroot plugin.

sudo certbot certonly --webroot --agree-tos --key-type rsa --email you@example.com -d vpn.example.com -w /var/www/html

Step 7: Install the Let’s Encrypt TLS Certificate in SoftEther VPN Server

Step 1: Log in to the VPN admin console as root.

sudo /opt/softether/vpncmd 127.0.0.1:5555

Step 2: Choose 1 to manage the VPN server.

Step 3: Then run the following command to set the TLS certificate and private key of the VPN server.

ServerCertSet

Step 4: Enter the following path for the certificate.

/etc/letsencrypt/live/vpn.example.com/fullchain.pem

Step 5: Enter the following path for the private key.

/etc/letsencrypt/live/vpn.example.com/privkey.pem

Step 6: Log out from the admin console.

exit

Step 7: Restart the VPN server.

sudo systemctl restart softether-vpnserver

Step 8: Establish VPN Connection on Windows

Step 1: You can use Windows’s built-in tools to establish a VPN connection.

Step 2: Press Windows key + I to open the Settings app.

Step 3: Select Network & Internet > VPN > Add a VPN Connection.

Step 4: Enter the VPN Connection details:

  • VPN Provider: Windows (Built-in)

  • Connection Name: SoftEther

  • Server Name or Address: vpn.example.com (Please don’t add the https:// prefix).

  • VPN Type: Secure Socket Tunneling Protocol (SSTP)

  • Type of Sign-in info: username and password

  • Username: Your SoftEther VPN username

  • Password: Your SoftEther VPN password

Step 5: Save the VPN settings, then select this VPN profile and click Connect.

Step 6: Once the VPN is connected, open Windows PowerShell and enter the following command to check your VPN adapter.

ipconfig

Step 7: Go to https://icanhazip.com to check your public IP address.

Step 9: Install and Use SoftEtherVPN Client on Windows

Step 1: To use the SoftEther VPN protocol, install the SoftEther VPN client.

Step 2: Go to SoftEtherVPN download page to download the SoftEther VPN client software for Windows, then run the installer.

Step 3: When selecting software components, choose the first one (SoftEther VPN client).

Step 4: Once it’s installed, run the client software.

Step 5: Double-click Add VPN Connection.

Step 6: You will be prompted to create a virtual network adapter. Click Yes to continue.

Step 7: Choose the default name for the virtual network adapter.

Step 8: Once the virtual network adapter is created, double-click Add VPN Connection again.

Step 9: The VPN connection setting properties window will appear. You need to enter

  • the hostname of the VPN server: like vpn.yourdomain.com.

  • port number: You can use the default port 443.

  • Virtual Hub name: DEFAULT.

  • VPN username and password.

Step 10: Save your settings.

Step 11: Then double-click the name of this VPN connection to establish a VPN connection to the VPN server.

Install SSTP VPN Client on Linux Desktop

Step 1: Debian/Ubuntu

sudo apt install sstp-client network-manager-sstp

Step 2: Fedora/CentOS/Rocky Linux/AlmaLinux

sudo dnf install sstp-client NetworkManager-sstp

Step 3: Run the following command to establish VPN connection.

sudo sstpc --cert-warn --save-server-route --user vpn_username --password vpn_password vpn.example.com:443 usepeerdns require-mschap-v2 noauth noipdefault nobsdcomp nodeflate

Step 4: Open another terminal window and run the following command to check if there’s a network interface named ppp0.

ip addr

Step 5: If it exists, the VPN connection is successfully established.

Step 6: Run the following command to set the VPN server as the gateway.

sudo route add default ppp0

Step 7: Run the following command to check your public IP address.

curl https://icanhazip.com

Auto-Connect on System Startup (Linux Client)

Step 1: To make SoftEther VPN client automatically connect to the server at boot time, create a systemd service unit.

sudo nano /etc/systemd/system/softether-vpnclient.service

Step 2: Put the following lines into the file.

[Unit]
  Description=SoftEther VPN Client
  After=network-online.target systemd-resolved.service
  Wants=network-online.target

[Service]
  Type=simple
  ExecStart=/usr/sbin/sstpc --cert-warn --save-server-route --user vpn_username --password vpn_password vpn.example.com:443 usepeerdns require-mschap-v2 noauth noipdefault nobsdcomp nodeflate
  ExecStartPost=/bin/bash -c 'sleep 7; route add default ppp0'
  ExecStop=pkill sstpc
  Restart=always

[Install]
  WantedBy=multi-user.target

Step 3: Save and close the file.

Step 4: Then enable this service so that it will start at boot time.

sudo systemctl enable softether-vpnclient.service

Step 5: To start this Systemd service immediately, run the following command.

sudo systemctl start softether-vpnclient.service

Step 6: To stop this Systemd service, run

sudo systemctl stop softether-vpnclient.service

Auto-Renew Let’s Encrypt Certificate

Step 1: Edit root user’s crontab file.

sudo crontab -e

Step 2: Add the following line at the end of the file.

@daily certbot renew --quiet; systemctl restart softether-vpnserver
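The cron job above restarts vpnserver after each renewal run. The following added example (not part of the original guide) is a certbot deploy hook that reruns ServerCertSet with the renewed files before restarting, on the assumption that SoftEther keeps the certificate it loaded in Step 7 rather than re-reading the files from /etc/letsencrypt; the password file path and the function name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): certbot deploy hook.
# certbot runs deploy hooks only after a certificate was actually renewed and
# sets RENEWED_LINEAGE to its live directory, e.g.
# /etc/letsencrypt/live/vpn.example.com.

VPNCMD="${VPNCMD:-/opt/softether/vpncmd}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
# Hypothetical root-only file (chmod 600) containing the admin password that
# was set with ServerPasswordSet.
PASS_FILE="${PASS_FILE:-/root/.softether-admin-pass}"

# reload_softether_cert LINEAGE_DIR
# Re-import fullchain.pem and privkey.pem with ServerCertSet, then restart.
# Returns non-zero, without touching the server, if a file is missing.
reload_softether_cert() {
    cert="$1/fullchain.pem"
    key="$1/privkey.pem"
    if [ ! -r "$cert" ] || [ ! -r "$key" ] || [ ! -r "$PASS_FILE" ]; then
        echo "softether hook: missing certificate, key or password file" >&2
        return 1
    fi
    pass=$(cat "$PASS_FILE")
    # /PASSWORD is visible in the process list while vpncmd runs.
    "$VPNCMD" 127.0.0.1:5555 /SERVER "/PASSWORD:$pass" /CMD ServerCertSet \
        "/LOADCERT:$cert" "/LOADKEY:$key" || return 1
    "$SYSTEMCTL" restart softether-vpnserver
}

# Act only when certbot invoked us; sourcing the file just defines the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_softether_cert "$RENEWED_LINEAGE"
fi
```

Saved as an executable file under /etc/letsencrypt/renewal-hooks/deploy/, the hook runs on every successful renewal, and the crontab entry then only needs certbot renew --quiet.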

Optimization

Enable TCP BBR to boost VPN speed. Please check out the following tutorial:


That’s it! Hopefully, this tutorial helped you install and configure SoftEther VPN on Ubuntu 24.04 VPS.