Softether Linux Client using Bridged with Softether VPN Server

It's assumed that you already have a VPN server deployed in your network, have created a user and password, and enabled bridged networking during the VPN server configuration. A sample snippet of the VPN Server with Bridge enabled is below-

Here are the setup values:

  • SoftEther Server IP: 103.146.221.30/24, Gateway: 103.146.221.1
  • Client Server IP: 123.49.47.245/24, Gateway: 123.49.47.1

Once the server is connected to the VPN, it will be using 103.146.221.5 as its bridged IP.

Let’s start.

My setup was done on a fresh Debian 10 installation; it should work on any Linux distro, though. The dependency packages I needed were the development tools (build-essential) and a few others, installed as below:

apt-get update
apt-get install build-essential gcc openssl apt-transport-https

Step-1 Download SoftEther Client

The SoftEther VPN Client installation process on Mint requires advanced Linux skills.
Download SoftEther VPN Client from the official site selecting your platform and CPU: http://www.softether-download.com/en.aspx?product=softether

* The current selection is for a 64-bit Linux OS.

Uncompress the tar.gz file and enter the extracted directory. Mine was located at:

cd /root/vpnclient/

Step-2 Install SoftEther

  • Run the .install.sh script that is provided with the client
  • Start the VPN Client:  ./vpnclient start

Step-3 Configure a VPN account

The vpncmd utility is used to configure accounts and to connect to a VPN. This utility connects to the VPN client running on your local machine.

  • Run ./vpncmd and choose option 2.
  • Press ENTER to connect to the client running on your local machine.
  • Enter the command "check" to test your installation.
  • "NicCreate ktl" to create a virtual VPN interface on your computer.
  • "AccountCreate rumi" to create your account. You will be prompted for the following information:
      • User Name- in my case it was rumi
      • Account Name- in my case it was rumi
      • VPN server URL- in my case it was 103.146.221.30
      • Port number for the VPN server- in my case it was 443
      • Virtual hub to connect to- in my case it was VPN
      • Virtual Network Adapter Name (you created this earlier - ktl)

Note: during account creation, when asked for "Destination VPN Server Host Name and Port Number:", enter the information as follows: 103.146.221.30:443

  • AccountPassword [accountName] to enter your VPN account password. Specify Standard when requested.

Connect to SoftEther VPN

  • Run ./vpncmd if you have not already done so.
  • Select option 2 and press ENTER to connect to your local VPN Client.
  • AccountConnect [accountName] to connect to the VPN server
  • AccountList shows connection settings. Look for Connected under Status
  • For auto-connect once the vpnclient service is running, use the command "AccountStartupSet rumi".
  • I wanted to keep the connection always on with unlimited retries, so I used the command "AccountRetrySet" followed by the number of retries (I entered 999) and then the interval to connect (I used 60).
  • Press Ctrl+D to exit the vpncmd utility.

Step-4 Modify Route Table

Now that you are connected to the VPN and have an IP address, you must modify your IP route table to send traffic through the VPN. There are two procedures below. The first will route ALL traffic from your computer through the VPN, including traffic destined for the Internet. The second will route traffic from your computer through the VPN and on to the VPN network, but leaves your default route in place so that traffic destined for the Internet still uses your local network interface.

Option-1 Route ALL traffic from your computer through the VPN (in my case I applied it):

N.B. you will lose connectivity to local devices on your network such as printers. (I am short on time – if anyone using this can submit a PR with commands to restore routing for local devices, please do so.)

cat /proc/sys/net/ipv4/ip_forward to check if IP Forwarding is enabled. If ‘1’ is returned then skip the next step
(You may need to sudo su to perform some of the next commands)

nano /etc/sysctl.conf

uncomment

net.ipv4.ip_forward=1

save the file and apply 

sysctl -p

The following section is for those who want a DHCP IP (typically behind SecureNAT or TAP NAT). My intended setup didn't require it; it's an option for those who need it.

  • dhclient vpn_ktl to obtain an IP address from the VPN DHCP server
  • ip a to show the vpn_ktl interface and the assigned IPv4 address
  • netstat -rn to show the route table prior to modification.

The following assumes that your local network is 123.49.47.245/24 and your default gateway is 123.49.47.1, and that the IP address of the remote VPN server is 103.146.221.30.

Here is the script that I saved as net.sh in /root/vpnclient:

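#!/bin/bash
# Must run as root (e.g. from root's crontab); an "su -" here would only open a new shell.
# Set environment
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Give vpnclient time to start and connect
sleep 20s

# 1) assign the bridged IP to the virtual adapter
# 2) keep reaching the VPN server itself through the local gateway
# 3) delete the current default route (via the local gateway)
# 4) make the VPN gateway the default route
ifconfig vpn_ktl 103.146.221.5 netmask 255.255.255.0 up &&
ip route add 103.146.221.30/32 via 123.49.47.1 &&
ip route del default via 123.49.47.1 &&
route add default gw 103.146.221.1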

Here, basically, the default route is deleted and the VPN server is made the default gateway. Review the new route table with netstat -rn
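A way to check the result of net.sh before relying on it, as an added example that is not part of the original post: the function reads `ip -4 route show` output and reports whether every default route goes through vpn_ktl and whether the VPN server is still reached through the local gateway. The function name, the verdict strings, the eth0 interface name and the sample tables are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not the author's script): audit the IPv4 routes that net.sh leaves.
# Live use: ip -4 route show | check_vpn_routes vpn_ktl 103.146.221.1 103.146.221.30 123.49.47.1

# Reads a route table on stdin, prints one verdict, returns 0 only for OK.
check_vpn_routes() {
    local vpn_if="$1" vpn_gw="$2" server="$3" local_gw="$4"
    local dest rest via_vpn=0 via_other=0 pinned=0
    while read -r dest rest || [ -n "$dest" ]; do
        case "$dest" in
            default)
                # Every default route must leave through the VPN gateway and adapter.
                case " $rest " in
                    *" via $vpn_gw dev $vpn_if "*) via_vpn=1 ;;
                    *) via_other=1 ;;
                esac ;;
            "$server"|"$server/32")
                # The tunnel's own packets must keep using the physical gateway.
                case " $rest " in
                    *" via $local_gw "*) pinned=1 ;;
                esac ;;
        esac
    done
    if [ "$pinned" -eq 0 ]; then echo NO_SERVER_PIN; return 2; fi
    if [ "$via_other" -eq 1 ]; then echo LEAK; return 1; fi
    if [ "$via_vpn" -eq 0 ]; then echo NO_DEFAULT; return 3; fi
    echo OK
}

# Constructed sample tables (not captured from a real host; eth0 is assumed).
ROUTES_GOOD='default via 103.146.221.1 dev vpn_ktl
103.146.221.0/24 dev vpn_ktl proto kernel scope link src 103.146.221.5
103.146.221.30 via 123.49.47.1 dev eth0
123.49.47.0/24 dev eth0 proto kernel scope link src 123.49.47.245'

# Old default left in place, e.g. when one step of the && chain failed.
ROUTES_LEAK='default via 123.49.47.1 dev eth0
103.146.221.0/24 dev vpn_ktl proto kernel scope link src 103.146.221.5
103.146.221.30 via 123.49.47.1 dev eth0
123.49.47.0/24 dev eth0 proto kernel scope link src 123.49.47.245'

printf '%s\n' "$ROUTES_GOOD" | check_vpn_routes vpn_ktl 103.146.221.1 103.146.221.30 123.49.47.1
printf '%s\n' "$ROUTES_LEAK" | check_vpn_routes vpn_ktl 103.146.221.1 103.146.221.30 123.49.47.1 || true
```

A LEAK verdict means traffic can still leave unencrypted through the local gateway; NO_SERVER_PIN means the tunnel's own packets would be routed into the tunnel.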

Ping Google's nameservers at 8.8.8.8:

ping 8.8.8.8 -c4

Check your public IP address (note that in this line, O is the capital letter O):

wget -qO- http://ipecho.net/plain ; echo

N.B: I made 2 crons to execute:

  1. @reboot su - && cd /root/vpnclient && ./vpnclient start
  2. @reboot bash /root/vpnclient/net.sh

Option-2 Route only VPN traffic through the VPN interface (To whom it may concern- I didn’t need that)

cat /proc/sys/net/ipv4/ip_forward to check if IP Forwarding is enabled. If ‘1’ is returned then skip the next step
(You may need to sudo su to perform some of the next commands)

echo 1 > /proc/sys/net/ipv4/ip_forward

  • dhclient vpn_ktl to obtain an IP address from the VPN DHCP server
  • ip a to show the vpn_ktl interface and the assigned IPv4 address
  • netstat -rn to show the route table prior to modification

The following assumes that your local network is 192.168.0.0/24 and your default gateway is 192.168.0.1, and that the IP address of the remote VPN server is 15.48.223.55.

  • Delete the default route added by the dhclient command you issued earlier: sudo ip route del default via 192.168.0.1
  • Review the new route table with netstat -rn

Ping Google's nameservers at 8.8.8.8:

ping 8.8.8.8 -c4

Ping the remote gateway at 192.168.0.1:

ping 192.168.0.1 -c4

Check your public IP address (note that in this line, O is the capital letter O):

wget -qO- http://ipecho.net/plain ; echo

The IP address returned should be your local public IP address.

Route issues on cloud computers (again for those it may concern!)

Be aware that the dhclient command will install a default route to the gateway received via DHCP over the VPN.
If you are using a cloud Linux instance, you will lose your SSH (or other) Internet connectivity to your cloud Linux instance.

In such a case, you may want to create a script with the following commands:

dhclient vpn_ktl
route add default gw X.Y.Z.J eth0

Where X.Y.Z.J is the IP address of your cloud Linux instance Internet gateway, and eth0 is the Internet facing network interface.

Use netstat -nr to ensure that the desired route to the VPN subnet IPs is properly being routed over the VPN interface vpn_ktl.

Disconnect from VPN and restore route table (Flush/restore to original settings)

vpnclient stop
ip route del 103.146.221.30/32
ip route add default via 123.49.47.247

Finally I was able to do it!

Src & Credits: 
https://www.softether.org/@api/deki/pages/356/pdf
https://www.cactusvpn.com/tutorials/how-to-set-up-softether-vpn-client-on-linux/
https://www.rapidvpn.com/setup-vpn-softether-mint
https://www.softether.org/4-docs/1-manual/6._Command_Line_Management_Utility_Manual/6.5_VPN_Client_Management_Command_Reference
https://github.com/bgilmer77/SoftEther-VPN-Client-Setup-on-Linux/blob/master/softether-linux-howto.md
