Install Softether VPN and create a Destination NAT (D-NAT) Rule to access the private Client VPN Node on a Debian 12 OS Rumi, February 14, 2026February 14, 2026 This installation is a bit long, hence split into 6 chapters. Part I: Install Softether VPN Server on a Freshly Installed Debian Server Part II: Install Webmin Part III: Configuring DNSMasq Part IV: Configuring SoftETher VPN Server using Softether VPN Manager Client Part V: Updating Interfaces Part VI: Iptables Part I: Install Softether VPN Server on a Freshly Installed Debian Server Prepare your server for SoftEther VPN Before you can actually install SoftEther, you are going to need to prepare your server for the installation. Start off by logging into your server through SSH. This is absolutely crucial as you are going to need to access the terminal in order to execute the required commands. When you have successfully logged in, you first need to run the following commands: apt update && apt install -y build-essential libreadline-dev libssl-dev zlib1g-dev net-tools iptables iptables-persistent dnsmasq How to install SoftEther VPN on a cloud server Once you have prepared your server, you can begin installing the software. Start by navigating to the /usr/local folder as this is the place where you will need to download SoftEther VPN. In order to find the directory, you can use the following command: cd /usr/local/ Once you are at the correct place, you will then need to actually download the VPN software with this command: wget https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.44-9807-rtm/softether-vpnserver-v4.44-9807-rtm-2025.04.16-linux-x64-64bit.tar.gz Next up, you are going to have to extract the files from the downloaded file: tar -xf softether-vpnserver-* Finally, in order to start the installation process, you will need to navigate to the folder directory and compile the installation: cd vpnserver && make When the SoftEther installation concludes, you will need to make sure that the VPN server will boot alongside your operating system. To do so, you will need to create a new file in the /etc/init.d folder with this command: nano /etc/init.d/vpnserver Press i to enter INSERT mode and paste the following: #!/bin/sh # description: SoftEther VPN Server DAEMON=/usr/local/vpnserver/vpnserver LOCK=/var/lock/subsys/vpnserver test -x $DAEMON || exit 0 case "$1" in start) $DAEMON start touch $LOCK ;; stop) $DAEMON stop rm $LOCK ;; restart) $DAEMON stop sleep 3 $DAEMON start ;; *) echo "Usage: $0 {start|stop|restart}" exit 1 esac exit 0 Next, press Esc and type 😡 to save and exit the editor. After that, you will need to set up file permissions. You can do so with this command: chmod 755 /etc/init.d/vpnserver Then, start the SoftEther VPN server: /etc/init.d/vpnserver start To ensure that the server boots with the OS, you will need to use the following command: update-rc.d vpnserver defaults That’s it! You have successfully installed SoftEther VPN on your cloud server! You can now begin configuring your server. How to configure a SoftEther VPN Server To start configuring your VPN server, you will first need to navigate to the /usr/local/vpnserver folder cd /usr/local/vpnserver/ Once there, you need to type the following command: ./vpncmd Press 1 and then press Enter. You will then be prompted to enter a hostname. Do not enter anything, simply press Enter. After that, you will also be asked to enter a Virtual Hub Name as well – leave it empty and again press Enter. You will then enter the VPN Server Admin console. The next command you have to type is ServerPasswordSet You will then be asked to enter a VPN Server Administrator password. Type a secure password, press Enter and confirm the selected password. You will also need to create a Hub (you can replace your_hub_name with anything you want): HubCreate your_hub_name Then, you will need to enter a hub password. Type it in, press Enter and confirm the password. Now you will need to enter the hub you’ve just created in order to start managing it: Hub your_hub_name IMPORTANT: You have to replace your_hub_name with the hub name you created. You will now need to create your first user profile: UserCreate user1 IMPORTANT: You can replace user1 with anything you want. That’s the username of your user. You will be prompted to enter data, which you can skip by pressing Enter three times. Next, you will also need to set a password for the user that you’ve just created: UserPasswordSet user1 IMPORTANT: You have to replace user1 with the username of the user you have created. Enter the password for this user and confirm it. You will then need to disable the security logs: LogDisable You will be asked which log you’d like to disable. Enter Security and press Enter. After that you will need to disable the packet logs: LogDisable Again, enter Packet and press Enter. That’s it – you have created your first user profile and you have configured your SoftEther VPN server! PART-II: Install Webmin Run the following commands: curl -o webmin-setup-repo.sh https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh sudo sh webmin-setup-repo.sh after run as per console guided command or as below- sudo apt-get install webmin --install-recommends Once you’re webmin is installed- make sure you create- Act as a router from Network Configuration > Routing and Gateways Add more public IPs using virtual network from Network Configuration > Network Interfaces Use Linux Firewall- you can use the sample firewall 1:1 NAT rule from later section. PART-III Configuring DNSMasq In our previous Part-I, that actually contained installation of DNSMasq. So for Softether in our specific use cases we’ll not using its own SecureNAT and DHCP instead, we’ll be relying on iptables and DNSMasq. So here is what DNSMasq can do- Dnsmasq is a lightweight, easy-to-configure network infrastructure tool designed for small networks, providing DNS forwarding, caching, DHCP, and router advertisement services. So let’s sstart configuring it- nano /etc/dnsmasq.conf Add the below lines at the end of configuration file- interface=tap_soft no-dhcp-interface=ens18 bind-interfaces dhcp-range=tap_soft,10.10.10.2,10.10.10.254,12h dhcp-option=tap_soft,3,10.10.10.1 server=8.8.8.8 server=8.8.4.4 no-resolv dhcp-option=6,8.8.8.8,8.8.4.4 dhcp-host=5E:3B:28:98:7F:63,10.10.10.10,server1 dhcp-host=5e:7e:f5:5a:23:0c,10.10.10.4,rumi_ekuria_ubuntu dhcp-host=5E:7E:E8:11:73:15,10.10.10.5,rumi_ekuria dhcp-host=5E:5D:B9:D8:6A:9E,10.10.10.7,rumi_home *Note: Notice on the bolded texts. Update them as per your own settings. Regarding interface=tap_soft, you’ll be learning into the next PART-IV. Save the file and exit. PART-IV Configuring SoftETher VPN Server using Softether VPN Manager Client. Enter the admin password. I do the setting on a windows client. It is running. Install it, run it, click New setting. Input ip and password. Then connect to it. On successful login, it will pop up Easy Setup easy setupCheck Remote Access Server and Next Yes Enter Virtual Hub name OK Setup L2TPCheck Enable L2TP Server Function and input your own pre-share key OK AzureWe disable Azure VPN From here we go to the “Local Bridge Setting” First we choose the Virtual Hub. It should be only one for normal setup. Then we check the tap device box. After that we type in the name of the tap device(I use soft here for simplicity). Create Local Bridge After the creation of the local bridge we jump back to our server. And run # ifconfig tap_soft It should show you something similar to this Check on the server. PART-V: Updating Interfaces: Here’s a sample /etc/network/interfaces file: # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # The loopback network interface auto lo ens18 ens18:0 ens18:1 ens18:2 ens18:3 tap_soft iface lo inet loopback # The primary network interface #allow-hotplug ens18 iface ens18 inet static address 114.130.51.2/24 gateway 114.130.51.1 iface tap_soft inet static address 10.10.10.1/24 iface ens18:0 inet static address 114.130.51.10 netmask 255.255.255.0 network 114.130.51.0 iface ens18:1 inet static address 114.130.51.3 netmask 255.255.255.0 network 114.130.51.0 iface ens18:2 inet static address 114.130.51.4 netmask 255.255.255.0 network 114.130.51.0 iface ens18:3 inet static address 114.130.51.5 netmask 255.255.255.0 network 114.130.51.0 PART-VI IPTables You can use a samle iptables file for the DNAT rule- which you can replace in- /etc/iptables/rules.v4 # Oct 28 23:57:58 2014 *filter :FORWARD ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i ens18 -j ACCEPT COMMIT # Completed on Tue Oct 28 23:57:58 2014 # Generated by iptables-save v1.3.5 on Tue Oct 28 23:57:58 2014 *mangle :PREROUTING ACCEPT [24964:3178001] :INPUT ACCEPT [9150:1450474] :FORWARD ACCEPT [11426:731834] :OUTPUT ACCEPT [4655:374193] :POSTROUTING ACCEPT [15415:1060335] COMMIT # Completed on Tue Oct 28 23:57:58 2014 # Generated by iptables-save v1.3.5 on Tue Oct 28 23:57:58 2014 *nat :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A PREROUTING -m state -i ens18 --state RELATED,ESTABLISHED -j ACCEPT -A POSTROUTING -s 10.10.10.0/24 -j SNAT --to-source 114.130.51.2 -A POSTROUTING -s 10.10.10.0/24 -o ens18 -j MASQUERADE -A POSTROUTING -s 10.10.10.10 -o ens18 -j SNAT --to-source 114.130.51.10 -A PREROUTING -d 114.130.51.3 -i ens18 -j DNAT --to-destination 10.10.10.3 -A POSTROUTING -s 10.10.10.3 -o ens18 -j SNAT --to-source 114.130.51.3 -A PREROUTING -d 114.130.51.4 -i ens18 -j DNAT --to-destination 10.10.10.4 -A POSTROUTING -s 10.10.10.4 -o ens18 -j SNAT --to-source 114.130.51.4 -A PREROUTING -d 114.130.51.5 -i ens18 -j DNAT --to-destination 10.10.10.5 -A POSTROUTING -s 10.10.10.5 -o ens18 -j SNAT --to-source 114.130.51.5 -A POSTROUTING -j MASQUERADE COMMIT # Completed on Tue Oct 28 23:57:58 2014 Apply this firewall rule and make it permanent. Now you need to restart- systemctl restart vpnserver systemctl restart iptables systemctl restart networking systemctl restart dnsmasq Note: The restarting order might depend on certain case. Src: https://www.vpsbg.eu/docs/how-to-install-softether-vpn-on-ubuntu-22 https://www.softether-download.com/en.aspx?product=softether Softether with DNSMasq on Debian 11 Administrations Configurations (Linux) DebianDebian 12iptablesSoftethervpnVPN DNAT