SoftEther VPN Project develops and distributes SoftEther VPN, an open-source, free, cross-platform, multi-protocol VPN program, as an academic project from University of Tsukuba, under the Apache License 2.0.
What is SoftEther VPN
SoftEther VPN (“SoftEther” means “Software Ethernet”) is one of the world’s most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris.
SoftEther VPN is open source. You can use SoftEther for any personal or commercial use free of charge.
SoftEther VPN is an optimum alternative to OpenVPN and Microsoft’s VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8. No more need to pay expensive charges for a Windows Server license for the Remote-Access VPN function.
SoftEther VPN can be used to realize BYOD (Bring your own device) in your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN’s L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN’s L2TP VPN Server has strong compatibility with Windows, Mac, iOS and Android.
SoftEther VPN is not only an alternative VPN server to existing VPN products (OpenVPN, IPsec and MS-SSTP). SoftEther VPN also has an original strong SSL-VPN protocol to penetrate any kind of firewall. The ultra-optimized SSL-VPN protocol of SoftEther VPN has very fast throughput, low latency and firewall resistance.
It is easy to imagine, design and implement your VPN topology with SoftEther VPN. It virtualizes Ethernet by software-enumeration. SoftEther VPN Client implements Virtual Network Adapter, and SoftEther VPN Server implements Virtual Ethernet Switch. You can easily build both Remote-Access VPN and Site-to-Site VPN, as an expansion of Ethernet-based L2 VPN. Of course, traditional IP-routing L3 based VPN can be built by SoftEther VPN.
SoftEther VPN has strong compatibility with today’s most popular VPN products in the world. It has interoperability with OpenVPN, L2TP, IPsec, EtherIP, L2TPv3, Cisco VPN Routers and MS-SSTP VPN Clients. SoftEther VPN is the world’s only VPN software which supports SSL-VPN, OpenVPN, L2TP, EtherIP, L2TPv3 and IPsec, as a single VPN software.
SoftEther VPN is free software because it was developed as Daiyuu Nobori’s Master Thesis research in the University. You can download and use it from today. The source code of SoftEther VPN is available under the Apache License 2.0.
Features of SoftEther VPN
Architecture of SoftEther VPN
Virtualization of Ethernet devices is the key of the SoftEther VPN architecture. SoftEther VPN virtualizes Ethernet devices in order to realize a flexible virtual private network for both remote-access VPN and site-to-site VPN. SoftEther VPN implements the Virtual Network Adapter program as a software-emulated traditional Ethernet network adapter. SoftEther VPN implements the Virtual Ethernet Switch program (called Virtual Hub) as a software-emulated traditional Ethernet switch. SoftEther VPN implements VPN Session as a software-emulated Ethernet cable between the network adapter and the switch.
You can create one or many Virtual Hubs with SoftEther VPN on your server computer. This server computer will become a VPN server, which accepts VPN connection requests from VPN client computers.
You can create one or many Virtual Network Adapters with SoftEther VPN on your client computer. This client computer will become a VPN client, which establishes VPN connections to the Virtual Hub on the VPN server.
You can establish VPN sessions, also called ‘VPN tunnels’, between VPN clients and VPN servers. A VPN session is the virtualized network cable. A VPN session is realized over a TCP/IP connection. The signals through the VPN session are encrypted by SSL. Therefore, you can safely establish a VPN session beyond the Internet. A VPN session is established by SoftEther VPN’s “VPN over HTTPS” technology. It means that SoftEther VPN can create a VPN connection beyond any kind of firewall and NAT.
The Virtual Hub exchanges all Ethernet packets from each connected VPN session to other connected sessions. The behavior is the same as that of traditional Ethernet switches. The Virtual Hub has an FDB (forwarding database) to optimize the transmission of Ethernet frames.
You can define a local bridge between the Virtual Hub and the existing physical Ethernet segment by using the Local Bridge function. The Local Bridge exchanges packets between the physical Ethernet adapter and the Virtual Hub. You can realize a remote-access VPN from home or mobile to the company network by using the Local Bridge function.
You can define a cascading connection between two or more remote Virtual Hubs. With cascading, you can integrate two or more remote Ethernet segments into a single Ethernet segment. For example, after you establish cascading connections between the sites A, B and C, any computer in site A will be able to communicate with the computers in site B and site C. This is a site-to-site VPN.
SoftEther VPN Server supports additional VPN protocols, including L2TP/IPsec, OpenVPN, Microsoft SSTP, L2TPv3 and EtherIP. These realize interoperability with the built-in L2TP/IPsec VPN clients on iPhone, iPad, Android, Windows and Mac OS X, and also with Cisco’s VPN routers and other vendors’ VPN products.
How to Use SoftEther VPN ?
SoftEther VPN is an essential infrastructure to build-up IT systems on enterprises and small-businesses.
SoftEther VPN can build-up flexible and dependable virtual network around Clouds. Amazon EC2, Windows Azure and most of other Clouds are supporting SoftEther VPN.
SoftEther VPN supports several mobile devices including iPhone and Android. Your smartphone is now a part of your on-premise or Cloud network by using SoftEther VPN.
SoftEther VPN is also an ultra-convenient tool for effective system management by IT professionals on enterprises and system integrators.
IPsec-based VPN protocols, which were developed in the 1990s, are now obsolete. IPsec-based VPNs are not familiar with most firewalls, NATs or proxies. Unlike IPsec-based VPNs, SoftEther VPN is familiar with any kind of firewall. Additionally, SoftEther VPN requires no expensive Cisco or other hardware devices. You can replace your Cisco or OpenVPN with SoftEther VPN today.
Screenshots
SoftEther VPN consists of three software: VPN Client, VPN Server and VPN Bridge.
SoftEther VPN Client
This time I will explain how to set up your own VPN server abroad, where I got a cheap server for 109 rubles per month, and, in detail, how to protect this server from attacks from the Internet.

Register via the link and get a 15% bonus to replenish the balance, which will be valid for 24 hours.
Introduction
Until 2022 I did not use VPN servers and did not need them. I did not need any of the sites blocked in the Russian Federation. But in 2023 the situation changed. Now it is not we who block access, but access that is blocked for us. A number of small and medium-sized companies, as well as several large corporations, have closed access to their resources for the Russian segment of the Internet. This problem can be solved by using a VPN abroad.
You can buy a VPN service; there are many such services now. But here is the catch: with 99% probability they leak your data to foreign intelligence services, and those in turn pass it on to other hostile thugs. This is needed to carry out attacks on you: cracking a password or an account, or simply feeding you information that will turn you against your own country. Therefore you need your own VPN, controlled by no one else.
To solve this problem, you need to use a common service: a VPS (Virtual Private Server). That is, you take a virtual machine with a Linux server (it is cheaper than Windows and works more stably) located abroad and with a public (“white”) static IP address of some country, the main thing being that it is not from the Russian segment. Many such companies that have servers abroad (I probably tried 20-30 of them) issue IP addresses from the Russian segment and consider this normal.

But this is not normal and it completely makes such VPN and VPS pointless.
Also, another criterion for choosing a hosting is payment by Russian cards, since all foreign hosters do not allow this.
I found one hoster that provides VPS service in Germany very cheaply, from 99 rubles per month, and gives out IP addresses of Luxembourg. This is the hosting provider Aéza. This is a referral link that will support my work, please follow it. If you follow my link, you get a 15% bonus to replenish the balance, which will be valid for 24 hours.
Hosting rates at the time of this writing are:

At the time of writing, this plan is not available, but the hosting manager promised to launch it in the near future, as soon as they receive and set up new equipment.

The tariff for 109 rubles per month is perfect for a VPN server for a family or a small group of people, but it is limited to 100 Mb/s. If you need a higher speed, up to 1 Gb/s, you need to take a more expensive tariff. However, 391 rubles a month is also not at all expensive for a VPN service with unlimited traffic. There are discounts when paying for a long period.
So follow the link, register, choose a tariff, and I will show you how to set up this very VPN on VPS hosting.
Connection
When buying a VPS, I recommend choosing the Ubuntu 22.04 operating system or later, depending on when you are reading this article. I will show all the actions in this OS.
When you purchase and pay for the service in the hosting control panel, you can see the following window in active services:

To connect to the server via SSH, open:
- PowerShell – if you have Windows 10 or newer
- Terminal – if you have macOS or Linux
- Download PuTTY – if you have another Windows-like OS
Enter the command in this utility:
ssh root@IP address

Then the system will ask you to enter a password; take it from the control panel as in the picture above.
Let me remind you that the password is not shown as you type it: just enter the password and press Enter. In PuTTY, pasting from the clipboard is done with the right mouse button by default.
Also, the first time you connect, the system will ask you to confirm and save the server’s public key; agree by entering yes. You will not be asked again in the future.
That’s it, you have reached your newly purchased VPS server for VPN.

If a later connection fails with a host key verification error like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:huHJw3Je35sBKdW9IFdBmj+qNqAnGn8+Y3der/ZhiyA.
Please contact your system administrator.
Add correct host key in C:\\Users\\alexandrlinux/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\\Users\\alexandrlinux/.ssh/known_hosts:15
Host key for 185.149.146.205 has changed and you have requested strict checking.
Host key verification failed.
And this is the screenshot itself:

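Then remove the old key from the known_hosts file with the following command, as shown in the picture above. Do this only when you know why the key changed, for example after the VPS was reinstalled; otherwise treat the warning as a possible man-in-the-middle attack, as the message itself says.
ssh-keygen -R host
where host is the IP address or domain name of the server.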
Initial setup
First of all, enter these commands:
apt update
apt upgrade
apt install dialog tasksel ntpdate net-tools
tasksel --new-install
Answer yes to all questions and do the following for the last one:

Remove all extra checkboxes with the space bar and leave only the last two set. This is necessary to install all the necessary utilities on the server, since hosters initially use a very minimal OS build.
After that, reboot the server with the command reboot and, after 1-2 minutes, connect to it again via SSH.
Configuring WireGuard with a script
WireGuard is a VPN server (service) that has gained a lot of popularity lately. Therefore, I will start with it, especially since the method that I will show is very simple. And there are WireGuard clients for all devices and operating systems.
To install and configure the WireGuard server, we will use a ready-made script from GitHub and enter the following commands:
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh
The first command downloads the installation script to the server, into the folder where you are. The second one makes the script executable, and the third one runs the script, and this window appears.
First of all, you need to specify the public (“white”) static address of your VPS. In my case, this is a virtual machine on Synology VMM, but as a rule the script itself substitutes the correct data perfectly; you just need to check it. In general, you can click through all the questions or correct the answers. For example, I would not use DNS server 1.1.1.1 but some other one, but everything will work well with this one too.



As you can see, everything is quite simple.
However, some clients, such as those on macOS or MikroTik, will not work properly with this configuration. Therefore, it is a good idea to add PersistentKeepalive, set to, say, 5, at the end of the Peer section. Then it will work stably, and if the connection is interrupted, the connection will also break after 5 seconds, which will positively affect the operation of the Internet on the client device.
PersistentKeepalive = 5
Now, if you need to add, remove or see which users have been created, then just run the installation script again with the command ./wireguard-install.sh

The script will offer options, and you just need to select the one you need. Very convenient.
This completes the WireGuard server setup, and you can connect to it with all the necessary connection data.
On macOS, the WireGuard client is buggy. Sometimes it connects, but the Internet disappears, and the following appears in the macOS logs:
2023-05-13 16:20:44.155 [NET] Routine: handshake worker 1 - stopped
2023-05-13 16:20:44.155 [NET] Routine: handshake worker 5 - stopped
2023-05-13 16:20:44.157 [NET] Routine: handshake worker 7 - stopped
2023-05-13 16:20:44.157 [NET] Routine: encryption worker 8 - stopped
2023-05-13 16:20:44.157 [NET] Routine: encryption worker 3 - stopped
To solve this problem in macOS, turn off Wi-Fi and turn it on again after 5-10 seconds. If a wired connection is used, disable and enable it.
Configuring OpenVPN with a script
OpenVPN is a freely distributed open source protocol that is loved by millions of users around the world and has come to be used on almost any kind of network device.
To install and configure the OpenVPN server, use the ready-made script from GitHub and enter the following commands:
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
The first command downloads the installation script to the server, into the folder where you are. The second one makes the script executable, and the third one runs the script, and this window appears.

- Enter the IP address of your server. Usually the script finds it by itself. This is the public (“white”) VPS address
- Domain name or IP address through which clients will connect to the server
- IPv6 support is optional (usually)
- The port on which the OpenVPN server will run. It is better to change it to a non-standard one
- It is recommended to use the UDP protocol
- You can choose DNS servers from the list; the default, AdGuard, is a good choice
- Turning on compression is not recommended, but if you have a slow Internet connection, you can turn it on. It will apply to all clients.
- It is better not to change the default encryption
- Press any key to finish the setup
The process of installing the necessary components and setting them up will begin. And at the end, the script will ask you to enter the data of the first user

- Username
- You can encrypt the user’s key file with a password. Not all clients support this, so I chose 1
You can view the file with the cat command like this:
root@vds:~# cat /home/sbaf/user1.ovpn
client
proto udp
explicit-exit-notify
remote vds.domen.ru 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_eGGuvsq4ftvTKnbs name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
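An added example, not part of the original article or of the openvpn-install project: a small audit of a client profile against the settings visible in the file above (server certificate checks, auth-nocache, a TLS 1.2 minimum, an AEAD cipher, no compression). The function names, finding labels and the weak sample profile are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the article or the openvpn-install script.
# Audits an OpenVPN client profile (.ovpn) against the settings the generated
# profile above relies on. Function and label names are illustrative.

# audit_ovpn FILE
# Prints one finding per line. Returns 0 if the profile is clean, 1 otherwise.
audit_ovpn() {
    awk '
        /^<\//  { inblock = 0; next }   # end of an inline <ca>, <cert>, <key> block
        /^</    { inblock = 1; next }   # start of an inline block
        inblock { next }                # skip the embedded PEM data
        { sub(/[#;].*/, "") }           # strip comments
        NF == 0 { next }
        $1 == "remote-cert-tls" && $2 == "server"   { peer = 1 }
        $1 == "verify-x509-name"                    { name = 1 }
        $1 == "auth-nocache"                        { nocache = 1 }
        $1 == "tls-version-min"                     { tlsmin = $2 }
        $1 == "cipher"                              { cipher = $2 }
        # The article advises against compression; "stub" modes do not compress.
        $1 == "comp-lzo" && $2 != "no"              { comp = $0 }
        $1 == "compress" && NF > 1 && $2 !~ /^stub/ { comp = $0 }
        END {
            n = 0
            if (!peer)    { print "MISSING remote-cert-tls server"; n++ }
            if (!name)    { print "MISSING verify-x509-name"; n++ }
            if (!nocache) { print "MISSING auth-nocache"; n++ }
            if (tlsmin + 0 < 1.2) {
                print "LOW tls-version-min (" (tlsmin == "" ? "unset" : tlsmin) ")"
                n++
            }
            if (cipher != "" && cipher !~ /-GCM$/ && cipher != "CHACHA20-POLY1305") {
                print "NON-AEAD cipher " cipher
                n++
            }
            if (comp != "") { print "COMPRESSION enabled (" comp ")"; n++ }
            exit (n > 0)
        }
    ' "$1"
}

# sample_weak_profile: prints a constructed profile that trips every check.
sample_weak_profile() {
    cat <<'EOF'
client
proto udp
remote vpn.example.net 1194
dev tun
cipher AES-128-CBC
comp-lzo
tls-version-min 1.0
verb 3
EOF
}

# Stand-alone demo on the constructed profile.
demo_file=$(mktemp)
sample_weak_profile > "$demo_file"
audit_ovpn "$demo_file" || true
rm -f "$demo_file"
```

Run it against each user's .ovpn file after the installer generates it, and again after any manual edit.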
If you run the script again, it will offer to create a new user, delete an existing user, or delete the entire OpenVPN server with configuration.

This completes the OpenVPN server setup, and you can connect to it with all the necessary connection data.
Configuring IKEv2 with a script
IKEv2 is a new protocol developed by Microsoft and Cisco for a secure and reliable VPN connection. This protocol is used on all modern platforms. For example, Android 13 will only have this protocol built into the system.
There is an excellent article about IKEv2 on Habr: https://habr.com/ru/companies/ruvds/articles/498924/
To install and configure the IKEv2 server, we will use a ready-made script from GitHub and enter the following commands:
wget https://raw.githubusercontent.com/jawj/IKEv2-setup/master/setup.sh
chmod u+x setup.sh
./setup.sh
The principle of this script is the same as the others above, but there are some peculiarities. For example, the IKEv2 protocol necessarily needs a domain to bind a certificate. Therefore, get this in advance.
Also, this script does not support creating and deleting users. But you can edit them yourself in the file
sudo nano /etc/ipsec.secrets
To save and exit nano, press Ctrl + O, then Ctrl + X. To apply the changes, enter the command:
sudo ipsec secrets
This completes the IKEv2 server setup, and you can connect to it with all the necessary connection data.
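An added example, not from the article or from the script authors: the WireGuard, OpenVPN and IKEv2 sections above each download an installer from a repository's master branch and run it as root, so this sketch fetches from one fixed commit instead and refuses to install the file unless it matches a SHA-256 recorded when the script was reviewed. COMMIT and DIGEST are placeholders you fill in yourself, and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not from the article or from the installer projects.
# Installs a downloaded script only if it matches a digest you pinned after
# reviewing it. Function names are illustrative.

# pinned_raw_url OWNER/REPO COMMIT PATH
# Builds a raw.githubusercontent.com URL for one fixed commit instead of the
# moving "master" branch used in the commands above.
pinned_raw_url() {
    printf 'https://raw.githubusercontent.com/%s/%s/%s\n' "$1" "$2" "$3"
}

# sha256_hex FILE: prints the lowercase hex SHA-256 of FILE.
sha256_hex() {
    sha256sum < "$1" | cut -d' ' -f1
}

# install_verified SRC DEST EXPECTED_SHA256
# Copies SRC to DEST (mode 0700) only when the digest matches the pin.
# Returns 0 on success, 1 on mismatch, 2 on bad arguments.
install_verified() {
    local src=$1 dest=$2 expected=$3 actual
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }
    case $expected in
        *[!0-9a-f]*) echo "pin must be lowercase hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pin must be 64 hex digits" >&2; return 2; }
    actual=$(sha256_hex "$src")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $src" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    install -m 0700 "$src" "$dest"
}

# fetch_and_install URL DEST EXPECTED_SHA256
# Downloads over HTTPS to a temporary file, then hands it to install_verified.
# Returns 3 when the download itself fails.
fetch_and_install() {
    local url=$1 dest=$2 pin=$3 tmp rc
    tmp=$(mktemp) || return 2
    if curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        install_verified "$tmp" "$dest" "$pin" && rc=0 || rc=$?
    else
        rc=3
    fi
    rm -f "$tmp"
    return "$rc"
}

# Real use (COMMIT and DIGEST are placeholders, not real values):
#   url=$(pinned_raw_url angristan/wireguard-install COMMIT wireguard-install.sh)
#   fetch_and_install "$url" ./wireguard-install.sh DIGEST && ./wireguard-install.sh

# Stand-alone demo with a constructed local file instead of a download.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/installer.sh"
install_verified "$demo_dir/installer.sh" "$demo_dir/run.sh" \
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
    && echo "digest verified, installed as run.sh"
rm -rf "$demo_dir"
```

Record the digest with sha256sum after reading the script at that commit; a later change upstream then shows up as a mismatch instead of running silently.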
SoftEther VPN L2TP and OpenVPN setup
To configure L2TP and OpenVPN protocols, I will use SoftEther VPN. It is an open source server and client that supports all protocols required for VPN.
If you want to use this solution, you need to remove the OpenVPN server and IKEv2 that were installed by the scripts above.
It is installed on the server with one command:
apt install softether-vpnserver

At the first launch, you need to create a new session with the New Setting button

In the window that opens, come up with a session name and enter the white static IP address of your server, which was issued by the host. You can also change the port to 5555 from the list of ports. Useful for the future.

When you connect for the first time, the system will ask you to create a password. Come up with a complex password and remember it. It will be needed for further connection to the server.

Also, when connecting for the first time, you need to go through the initial setup procedure. Check the box as in the picture below or choose your option. This can be changed later.

Come up with a name for the first hub, there can be many of them. This is sufficient for our task.

SoftEther VPN has its own DDNS service, come up with a name or use the default, then you can turn it off.

Now enable the L2TP/IPsec protocol, create a password for the pre-shared key in English and remember it.

I suggest disabling Azure Cloud VPN service. It is needed when the server is behind NAT or firewall. In our case, we have a white static IP address on a VPS hosting.

Now it’s time to create the first user

- Create a login
- Add a description so you don’t forget who it is
- Create a complex password
- Repeat complex password
- Press OK to create user

In the future, to manage users, follow the numbers as in the picture below

You also need to enable NAT and DHCP in SoftEther VPN itself, in order not to do this in Linux. To do this, open SecureNAT where it is circled in the picture above.
In the window that opens, first configure SecureNAT.

You can change the network in the settings, but this is not necessary. But be sure to change the DNS server. You can choose the same ones as I have in the picture below, or any others. For example, here is a list of them

Apply the changes and enable SecureNAT as shown in one of the pictures above.
Now it remains to perform one more very important setting. Since we installed the server on a VPS, and not inside the local network, we need to enable NAT at the system kernel level, as shown in the picture below. DisableKernelModeSecureNAT must be 1.

This completes the SoftEther VPN setup, and it is ready to go. You can connect via L2TP on Windows, Mac, Android and iPhone. To connect via the OpenVPN protocol, you need a configuration file with keys. To generate it, open the OpenVPN/MS-SSTP Settings and click the generate OpenVPN configuration button as shown in the picture below


Checking internet speed on VPS
To check the speed on the VPS server, you can use the following commands:
wget -O /dev/null https://speedtest.selectel.ru/100MB
wget -O /dev/null https://speed.hetzner.de/100MB.bin
The first will check the speed to the Russian segment of the Internet, and the second to the foreign one in Germany.
Please note that the speed is shown in megabytes; to get megabits, multiply the megabytes by 8. This is a computer science course at school.
And here is the speed that the phone shows through a VPN with the WireGuard protocol. I think the result is very good.

Extras
Since the VPS usually has little RAM, I recommend creating a 1 gigabyte swap file to protect the server from freezing when there is not enough memory.
fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
free -m
Then write this to the fstab file to apply after reboot
nano /etc/fstab
/swapfile none swap sw 0 0
To install important security updates in automatic mode, I recommend doing this
dpkg-reconfigure -plow unattended-upgrades
nano /etc/apt/apt.conf.d/50unattended-upgrades
Then paste the following into the configuration file 50unattended-upgrades:
Unattended-Upgrade::Mail "ваша почта яндекс";
Unattended-Upgrade::MailReport "on-change";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "now";
Mail will not be delivered to Yandex until the necessary changes are made in postfix. These options will not be covered in this article.
By default, Ubuntu Server uses an alternative iptables, I recommend returning the normal one with the command
update-alternatives --all
Accept the default answer for every question except one: for iptables, enter 1 as shown below
Press <enter> to keep the current choice[*], or type selection number:
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/sbin/iptables-nft 20 auto mode
1 /usr/sbin/iptables-legacy 10 manual mode
2 /usr/sbin/iptables-nft 20 manual mode
Press <enter> to keep the current choice[*], or type selection number: 1
Password protection
I’m afraid if I describe this moment in the same detail, the article will become very large. Therefore, this item will only be in the video clip. As well as setting up a firewall, changing the SSH port and taking care of disk space on the video.
Employed resources
Since I have a tariff for 109 rubles and the amount of resources there is very limited: 1 processor core, 1 gigabyte of RAM and 10 gigabytes of disk, it’s interesting to see how much it will take when I install, configure and use everything.
Now I have 3 active VPN users and 5 more have been created, but they use it periodically, not constantly. There are 8 users in total. At the same time, there are enough resources on the VPS server for it to work correctly.

Processor: CPU load depends on the user’s protocol and whether they are downloading or not. In general, 1 processor core does an excellent job; there is no huge load.
RAM: Out of 1 gigabyte of memory, 315 megabytes have been used. This is 33% of the total.
Disk: The disk is the bottleneck here. It took me over 6 gigabytes. This is 62% of the total volume of 10 gigabytes. There is still a reserve and it will last for a long time. Basically, the space will be taken up by various logs. Standard logs will clean themselves, but others will have to be cleaned manually. To do this, I prepared an article, “How to delete old log files in Linux”. But don’t be in a hurry to do it. Wait, you may not need it. Look in half a year or a year.
Of course, I could describe how to connect to a VPN from various operating systems and devices, but this would obviously be superfluous, since there is already plenty of this information on the Internet. I recommend the Keenetic help, where everything is detailed for each platform. You only need to take into account that you do not have a Keenetic but your own VPN on a VPS, and make the appropriate adjustments.
Total
As a result, you will get a full-fledged VPN server to bypass blocking by unfriendly countries and services, and for a very modest fee. Moreover, you can follow this instruction on any VPS from any hoster. I suggested Aéza as the cheapest of those that give real IP addresses of the foreign segment of the Internet.
And if you were looking for an anonymous VPN server, then I want to disappoint you that this one is not like that, since you will always go to one static IP address and, accordingly, foreign intelligence agencies will easily find you. And you need to hide from them, your own will not do anything bad to you if you do not violate the law of the Russian Federation.
As part of this blog, there was a note about installing SoftEther VPN on FreeBSD.
I thought it would be interesting to describe how to install this product on Ubuntu.
A few words about the program
SoftEther is an open and freely distributed product (under the Apache 2.0 license).
Written by a student at the Japanese University of Tsukuba as part of an academic project.
The project is a multi-platform solution (MacOS, Linux, Windows and BSD).
In addition, the solution is a multi-protocol VPN server (l2tp, ipsec, openvpn)
We will consider the installation and initial configuration of a VPN server with the l2tp/ipsec protocol.
The advantage of this protocol is native support for Windows operating systems.
Task
Provide remote users with secure access to the organization’s terminal server.
The server has a direct IP address.
In this note, the use of Microsoft Azure to organize a VPN server behind NAT will remain behind the scenes.
Network Diagram
We will do the installation in the terminal, setting up SoftEther VPN using its client in Windows.
Installation
Update repositories and install compilers
sudo apt update
sudo apt install build-essential
Getting distribution kit
Unlike FreeBSD, where SoftEther is available in ports and packages, Ubuntu does not have it in the standard repositories 🙂
Therefore, choose a platform on this page and copy the link to the distribution.

Download, unzip and compile
mkdir ~/tmp
cd ~/tmp
wget https://www.softether-download.com/files/softether/v4.34-9745-rtm-2020.04.05-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.34-9745-rtm-2020.04.05-linux-x64-64bit.tar.gz
tar zxf softether-vpnserver-v4.34-9745-rtm-2020.04.05-linux-x64-64bit.tar.gz
cd vpnserver
make && cd ./
At the time of compilation, we accept the conditions three times by entering the number 1
Transfer compiled SoftEther, assign rights to its files
sudo mv ~/tmp/vpnserver /opt
sudo chmod 600 /opt/vpnserver/*
sudo chmod 700 /opt/vpnserver/vpncmd
sudo chmod 700 /opt/vpnserver/vpnserver
Create autorun via systemctl
sudo vi /lib/systemd/system/vpnserver.service
[Unit]
Description=SoftEther VPN Server
After=network.target

[Service]
Type=forking
ExecStart=/opt/vpnserver/vpnserver start
ExecStop=/opt/vpnserver/vpnserver stop

[Install]
WantedBy=multi-user.target
Allow service start
sudo systemctl enable vpnserver
Launching
sudo systemctl start vpnserver
Check:
sudo systemctl status vpnserver
● vpnserver.service - SoftEther VPN Server
   Loaded: loaded (/lib/systemd/system/vpnserver.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-11-05 11:23:05 MSK; 20s ago
  Process: 5179 ExecStart=/opt/vpnserver/vpnserver start (code=exited, status=0/SUCCESS)
 Main PID: 5227 (vpnserver)
    Tasks: 36 (limit: 629145)
   Memory: 105.1M
   CGroup: /system.slice/vpnserver.service
           ├─5227 /opt/vpnserver/vpnserver execsvc
           └─5228 /opt/vpnserver/vpnserver execsvc
Create an administrative password
sudo /opt/vpnserver/vpncmd
Choose Management of VPN Server or VPN Bridge
by entering the number 1 and pressing Enter twice
- Hostname of IP Address of Destination:
- Specify Virtual Hub Name:
VPN Server > ServerPasswordSet
Download and install SoftEther VPN Server Manager for Windows
From this page, by selecting the desired platform and bit depth

Installing this client

Launch SoftEther VPN Server Manager
Click on the button New Setting and fill in the fields:
- Setting Name
- Address (host name)
- The password we set (Password)
Press OK and connect
We get into the initial setup wizard:

Press Next, and we get a warning window:

Press Yes, and a window appears asking you to create a virtual hub (Virtual Hub); give it a name and press OK
The next window will be Dynamic DNS Function
Press Exit and get into the IPsec settings
Enable L2TP/IPsec and set the IPsec Pre-Shared key
Press OK and get into the Azure setting
I turn off this setting, because I have a direct IP address
Enable Secure NAT

Set up the VPN client as L2TP/IPsec, without forgetting to specify the passphrase
Connecting
That’s all I wanted to say 🙂
A few words about security
First, in Windows clients (in the network properties, IPv4) disable the option “Use default gateway on remote network”, so that only local resources are given to clients via VPN.
Second, as a rule, remote users’ computers are their personal property 🙂, with a whole zoo of programs, including anti-virus software.
If remote users only need to connect to a terminal server, close other ports.
First of all, close the SMB protocol.
SoftEther VPN has a built-in firewall; it is configured in the Virtual Hub settings -> Manage Access List
Third, limit the number of concurrent sessions per user.
This is configured in the user account policies.
The right approach is to put users into groups and edit the policies on the groups.
That’s all 🙂
Today, VPN technology is gaining more and more popularity. VPN is used by ordinary users to access the Internet. Using this service allows you to bypass regional blocking of resources and protect yourself from possible tracking from the outside. When connecting to a VPN server, a secure tunnel is created between the user’s computer and the server, which is inaccessible from the outside, and the VPN server itself becomes the Internet access point. There are many paid and free VPN services on the web, but if for some reason third-party services do not suit you, you can set up a VPN server yourself.
To create your own VPN, you need to rent a suitable virtual server. There are various software packages for creating a VPN connection, which differ in the supported operating systems and the algorithms used. The article discusses two independent ways to implement a VPN server. The first is based on the PPTP protocol, which today is considered outdated and insecure, but at the same time is very easy to set up. The second uses modern and secure OpenVPN software, but requires a third-party client application and more advanced settings.
In the test environment, a virtual server running the Ubuntu Server 18.04 operating system is used as a server. The firewall on the server is disabled because its configuration is not covered in this article. The configuration of the client part is described using the example of Windows 10.
Preparatory operations
Regardless of which VPN server option you prefer, clients’ access to the Internet will be implemented by standard means of the operating system. In order to open Internet access from the internal network through the external interface of the server, it is necessary to allow packet forwarding between interfaces and to configure address translation.
To enable packet forwarding, open the file “/etc/sysctl.conf” and change the value of the parameter “net.ipv4.ip_forward” to 1.
To apply the changes without restarting the server, run the command
sudo sysctl -p /etc/sysctl.conf
Address translation is configured using iptables. First, find the name of the external network interface by executing the command “ip link show”; you will need it in the next step. In our case, the interface name is “ens3”.
Enable address translation on the external interface for all nodes of the local network.
By default, all created iptables rules are reset after the server is rebooted. To avoid this, we will use the utility “iptables-persistent”.
Install the package.
sudo apt install iptables-persistent
During the installation process, a configuration window will open, in which the system will offer to save the current iptables rules. Since the rules are already set, we agree and double-click “Yes”. Now, after restarting the server, the rules will be restored automatically.
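To check after a reboot that the preparatory settings survived, the following added example (not from the original article) parses a rules file in iptables-save format, such as the “/etc/iptables/rules.v4” that iptables-persistent writes, and reports what is missing or wider than intended. The sample rules are constructed and assume a MASQUERADE rule on “ens3”; the function names are hypothetical.

```python
# Added example: audit saved iptables rules (iptables-save format, as written
# by iptables-persistent) for the forwarding and NAT setup described above.
# RULES_V4 is a constructed sample; "ens3" is the article's interface name.
import shlex

RULES_V4 = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ens3 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def parse_save(text):
    """Return ({table: {chain: policy}}, {table: [rule tokens, ...]})."""
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            policies[table], rules[table] = {}, []
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A"):
            rules[table].append(shlex.split(line))
    return policies, rules

def audit_nat(text, wan_if, ip_forward="1"):
    """ip_forward is the content of /proc/sys/net/ipv4/ip_forward."""
    policies, rules = parse_save(text)
    findings = []
    if ip_forward.strip() != "1":
        findings.append("net.ipv4.ip_forward is not 1: clients get no routing")
    masq = [r for r in rules.get("nat", [])
            if r[1] == "POSTROUTING" and "MASQUERADE" in r
            and "-o" in r and r[r.index("-o") + 1] == wan_if]
    if not masq:
        findings.append(f"no MASQUERADE rule on {wan_if}")
    elif all("-s" not in r for r in masq):
        findings.append("MASQUERADE has no -s: any forwarded source is translated")
    if policies.get("filter", {}).get("FORWARD") == "ACCEPT" and not rules.get("filter"):
        findings.append("FORWARD policy ACCEPT with no filter rules")
    return findings
```

On the sample, which mirrors a server with the firewall disabled, the audit reports the unrestricted MASQUERADE rule and the open FORWARD chain.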
Server setup
sudo apt install pptpd
After the installation is completed, open the file “/etc/pptpd.conf” in any text editor and bring it to the following form.
option /etc/ppp/pptpd-options #path to the settings file
logwtmp #mechanism for logging client connections
connections 100 #number of simultaneous connections
localip 172.16.0.1 #address that will be the gateway for clients
remoteip 172.16.0.2-200 #range of addresses for clients
Next, edit the file “/etc/ppp/pptpd-options”; most of the options are already set by default.
#service name, required when creating client accounts
name pptpd
#prohibit obsolete authentication methods
refuse-pap
refuse-chap
refuse-mschap
#enable a stronger authentication method
require-mschap-v2
#specify server dns for clients, you can specify any available
ms-dns 8.8.8.8
ms-dns 8.8.4.4
To apply the settings, restart the pptpd service and add it to startup.
sudo systemctl restart pptpd
sudo systemctl enable pptpd
Server setup completed.
Client Setting
Open “Start” - “Settings” - “Network and Internet” - “VPN” and click “Add VPN Connection”.
In the window that opens, enter the connection parameters and click “Save”.
- VPN Service Provider: “Windows (built-in)”
- Connection name: “vpn_connect” (you can enter any)
- Server name or address: (specify the external ip address of the server)
- VPN Type: “Automatic”
- Login data type: “Username and password”
- Username: vpnuser (name as specified in the “chap-secrets” file on the server)
- Password: 1 (also from the “chap-secrets” file)
After saving the settings, a new connection will appear in the VPN window. Click on it with the left mouse button and press “Connect”. Upon successful connection to the server, the connection icon will display “Connected”.
The connection properties display the internal addresses of the client and server. The field “Destination address” shows the external address of the server.
Using any online service, you can make sure that the external IP address of the computer now matches the IP address of your VPN server.
OpenVPN server
Server setup
Let's elevate the rights of the current user, since all further actions require root access.
Install the necessary packages. The package “Easy-RSA” is needed to manage encryption keys.
apt install openvpn easy-rsa
Create a symbolic link to the OpenSSL configuration file, otherwise the system will give an error when loading variables.
Change to easy-rsa working directory, load variables and clear old configurations.
Let's start creating keys. We generate the Diffie-Hellman key, the process may take some time.
We generate a certification authority.
In the process, you need to answer questions and enter information about the owner of the key. You can leave the default values, which are in square brackets. To complete the input, press “Enter”.
Generate keys for the server, specifying an arbitrary name as an argument; in our case it is “vpn-server”.
Create a folder “keys” in the OpenVPN working directory to store the keys, and copy the necessary files there.
mkdir /etc/openvpn/keys
cp ca.crt dh2048.pem vpn-server.key vpn-server.crt /etc/openvpn/keys/
Copy and unpack the configuration file template into the “/etc/openvpn/” directory.
Open the file “/etc/openvpn/server.conf” for editing and make sure the following lines are present, adjusting them if necessary.
#Port, protocol and interface
port 1194
proto udp
dev tun
#Path to encryption keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn-server.crt
key /etc/openvpn/keys/vpn-server.key
dh /etc/openvpn/keys/dh2048.pem
#Network parameters
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#Disabling additional encryption
#tls-auth ta.key 0
#Enable compression
compress lz4-v2
push "compress lz4-v2"
#Enable saving parameters after restart
persist-key
persist-tun
#Redirecting logs
log /var/log/openvpn/openvpn.log
Leave other parameters unchanged.
Restart the OpenVPN service to apply the configuration.
systemctl restart openvpn
Server setup completed!
Client Setting
Go to the official website of the project, “https://openvpn.net”, open the section “COMMUNITY” - “DOWNLOADS” and download the installer for your version of the operating system. In our case, this is Windows 10.
Install the application, leaving all the default settings.
At the next stage, the following files must be prepared on the server and transferred to the client's computer:
- public and private keys;
- a copy of the certificate authority certificate (“ca.crt”);
- configuration file template.
Connect to the server, elevate rights, go to the working directory of the utility “easy-rsa” and load variables.
Generate a key pair for the client, specifying an arbitrary name as an argument, in our case “client1”.
Answering the questions, enter your data or just press “ENTER”, leaving the default values. After that, press “y” twice.
Copy the client configuration file template to the same folder. When copying, change the file extension to “ovpn”.
Change the owner of the directory “~/client1/” and all the files in it, in order to be able to transfer them to the client computer. In our case, let's make the user “mihail” the owner.
chown -R mihail:mihail ~/client1
Go to the client computer and copy the contents of the folder “~/client1/” from the server in any available way, for example, using the utility “PSCP”, which is part of the Putty client.
The key files “ca.crt”, “client1.crt”, “client1.key” can be stored anywhere; in our case it is the folder “c:\Program Files\OpenVPN\keys”. Transfer the configuration file “client.ovpn” to the directory “c:\Program Files\OpenVPN\config”.
Let's start configuring the client. Open the file “c:\Program Files\OpenVPN\config\client.ovpn” in Notepad and edit the following lines.
#We are a client
client
#Interface and protocol the same as on the server
dev tun
proto udp
#Server IP address and port
remote ip_server_address 1194
#saving parameters across restarts
persist-key
persist-tun
#Path to keys
ca "c:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "c:\\Program Files\\OpenVPN\\keys\\client1.crt"
key "c:\\Program Files\\OpenVPN\\keys\\client1.key"
#Enable server authentication
remote-cert-tls server
#Disable additional encryption
#tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
auth-nocache
verb 3
Leave other parameters unchanged.
Save the file and run the client application “OpenVPN GUI”.
To connect to the server, right-click on the tray icon and select “Connect”. If the connection is successful, the icon will turn green.
Using any online service, we make sure that the client's external ip address has changed and matches the server's IP address.
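A failed connection with this setup usually comes down to the two configuration files disagreeing or to a mistyped directive or file name. The following added example (not from the original article) lints a server/client pair before deployment; the two sample configs are constructed with deliberate copy-paste slips, 203.0.113.10 is a documentation address, and the function names are hypothetical.

```python
# Added example: lint an OpenVPN server/client config pair before deployment.
# SERVER and CLIENT are constructed samples with deliberate copy-paste slips;
# COPIED lists the files the article transfers to the client; KNOWN holds only
# the directives this article uses.
import ntpath

SERVER = 'port 1194\nproto udp\ndevtun\n#tls-auth ta.key 0\ncompress lz4-v2\n'
CLIENT = ('client\ndev tun\nproto udp\nremote 203.0.113.10 1194\n'
          r'ca "c:\\Program Files\\OpenVPN\\keys\\ca.cert"' '\n'
          'remote-cert-tls server\n#tls-auth ta.key 1\ncomp lzo\n')
COPIED = {"ca.crt", "client1.crt", "client1.key"}
KNOWN = {"port", "proto", "dev", "ca", "cert", "key", "dh", "client", "remote",
         "compress", "comp-lzo", "cipher", "tls-auth", "remote-cert-tls",
         "push", "server", "topology", "persist-key", "persist-tun", "verb",
         "log", "auth-nocache", "ifconfig-pool-persist"}


def parse(text):
    """Return {directive: argument string}; '#' and ';' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, _, args = line.partition(" ")
            conf[name] = args.strip()
    return conf


def audit(server_text, client_text):
    srv, cli = parse(server_text), parse(client_text)
    out = []
    for side, conf in (("server", srv), ("client", cli)):
        out += [f"{side}: unknown directive '{d}'" for d in conf if d not in KNOWN]
        if "tls-auth" not in conf:
            out.append(f"{side}: tls-auth is off (no extra HMAC on control packets)")
    for key in ("dev", "proto"):
        if srv.get(key) != cli.get(key):
            out.append(f"{key} differs: server={srv.get(key)} client={cli.get(key)}")
    if cli.get("remote", "").split()[-1:] != [srv.get("port", "1194")]:
        out.append("client remote port does not match server port")
    if "remote-cert-tls" not in cli:
        out.append("client: remote-cert-tls missing (server certificate not checked)")
    for key in ("ca", "cert", "key"):
        name = ntpath.basename(cli.get(key, "").strip('"'))
        if name and name not in COPIED:
            out.append(f"client: {key} points at '{name}', which was not copied")
    return out
```

Once the slips are corrected, the only findings left are the two tls-auth lines, which reflect the article's choice to leave that option commented out.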
Best Top 20 Free Open Source VPN (Benefits). VPN is about having more security on your laptop or mobile when using public Wi-Fi. If you want to keep your personal data private and protect your computer or mobile phone from the prying eyes of hackers then this review is great for you.
What is VPN
A virtual private network (VPN) gives you online privacy and anonymity. It creates a private network from a public internet connection. A VPN then masks your internet protocol (IP) address so your online actions are not traceable. A VPN establishes a secure and encrypted connection for greater privacy, even better than a secured Wi-Fi hotspot.
Best Top 20 Free Open Source VPN
1. OpenVPN
OpenVPN features
It works in any configuration including remote access, site to site VPNs, Wi-Fi security and enterprise scale access solutions. It has features like load balancing, failover and access controls. It can tunnel IP sub-networks or virtual Ethernet adapters. OpenVPN benefits are: supports perfect forward secrecy, has firewall compatibility and better security (256-bit encryption keys).
OpenVPN is free to use as long as software license agreements are met.
2. Libreswan VPN
It comes as a ready to use package on Red Hat Linux distributions and is compatible with FreeBSD OS and iOS, and Linux 2.4 – 4.x.
3. SoftEther VPN
SoftEther features
- Virtual Firewall (prevent things like malware and spyware and unauthorized connections).
- Dynamic Server is flexible to set up or have it in a cloud (virtualization).
- Private Connection Network.
- BYOD (bring your own device) where this VPN’s security and firewall systems make it perfectly safe to work remotely, or bring your own devices into work with you.
- SoftEther supports NAT traversal, meaning it helps to run VPN servers on computers that are behind personal gateways, corporate routers, and firewalls.
- This VPN uses HTTPS to camouflage connections, making firewalls unable to perform deep packet inspections to detect packets that are passing through the VPN’s tunnel.
- It also offers remote access and control lists.
If you like SoftEther VPN, as it gives excellent security and privacy but also a lot more convenience for your business activities, consider this option.