Create an L2TP/IPsec server on Linux using SoftEther

SoftEther offers a command-line interface (CLI) for creating and managing multi-protocol VPN servers. Available protocols include OpenVPN, IPsec, L2TP, Microsoft SSTP, and Ethernet-over-HTTPS.

This page shows you how to use SoftEther to create an L2TP/IPsec server on Linux. L2TP/IPsec is a well-established VPN protocol with native clients available for many platforms. A SoftEther VPN client for Windows exists, but you don't need it: in this tutorial, you'll use the Windows built-in VPN client.

This tutorial uses the SoftEther CLI. You can alternatively manage your Linux SoftEther server from the SoftEther Server Manager GUI running on a Windows PC. The GUI approach is described at http://blog.lincoln.hk/blog/2013/03/19/softether-on-vps.

Determine latest SoftEther release

  1. Open a browser on your workstation.
  2. Visit https://www.softether-download.com/en.aspx.
  3. Under Select Software, choose SoftEther VPN (Freeware).
  4. Under Select Component, choose SoftEther VPN Server.
  5. Under Select Platform, choose Linux.
  6. Under Select CPU, choose Intel (x86 and x64).
  7. Hover over the most recent release, right-click, and select Copy Link. This will place in your clipboard a link such as https://www.softether-download.com/files/softether/v4.43-9799-beta-2023.08.31-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.43-9799-beta-2023.08.31-linux-x64-64bit.tar.gz.

Install latest SoftEther release

SSH into your Linux server and download the compressed tarball with wget:

wget https://www.softether-download.com/files/softether/v4.43-9799-beta-2023.08.31-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.43-9799-beta-2023.08.31-linux-x64-64bit.tar.gz

Get your server up to date:

apt update && apt upgrade

Install the tools for a build:

apt install build-essential

Extract the compressed tarball:

tar -xf softether-vpnserver-v4.43-9799-beta-2023.08.31-linux-x64-64bit.tar.gz

Change into the vpnserver directory:

cd vpnserver

Run the installation script:

./.install.sh

When the script is complete, it produces the following messages:

The preparation of SoftEther VPN Server is completed!

*** How to switch the display language of the SoftEther VPN Server Service ***

SoftEther VPN Server supports the following languages:

- Japanese
- English
- Simplified Chinese

You can choose your prefered language of SoftEther VPN Server at any time. To switch the current language, open and edit the 'lang.config' file.

Note: the administrative password is not set on the VPN Server. Please set your own administrative password as soon as possible by vpncmd or the GUI manager.

*** How to start the SoftEther VPN Server Service ***

Please execute './vpnserver start' to run the SoftEther VPN Server Background Service. And please execute './vpncmd' to run the SoftEther VPN Command-Line Utility to configure SoftEther VPN Server.

Of course, you can use the VPN Server Manager GUI Application for Windows / Mac OS X on the other Windows / Mac OS X computers in order to configure the SoftEther VPN Server remotely.

*** For Windows users ***

You can download the SoftEther VPN Server Manager for Windows from the http://www.softether-download.com/ web site. This manager application helps you to completely and easily manage the VPN server services running in remote hosts.

*** For Mac OS X users ***

In April 2016 we released the SoftEther VPN Server Manager for Mac OS X. You can download it from the http://www.softether-download.com/ web site. VPN Server Manager for Mac OS X works perfectly as same as the traditional Windows versions. It helps you to completely and easily manage the VPN server services running in remote hosts.

*** PacketiX VPN Server HTML5 Web Administration Console (NEW) ***

This VPN Server / Bridge has the built-in HTML5 Web Administration Console. After you start the server daemon, you can open the HTML5 Web Administration Console is available at https://127.0.0.1:5555/ or https://ip_address_of_the_vpn_server:5555/

This HTML5 page is obviously under construction, and your HTML5 development contribution is very appreciated.

SoftEther VPN server setup using CLI

Open firewall

Since L2TP will be tunneled through IPsec, you need only open ports udp/500 and udp/4500. How you do this depends on how you built your firewall in the first place. If you are using iptables, you can use the commands:

iptables -A INPUT -p udp --dport 500 -j ACCEPT

iptables -A INPUT -p udp --dport 4500 -j ACCEPT

If you persisted your original firewall by installing iptables-persistent, you can save the revised firewall rules with:

dpkg-reconfigure iptables-persistent
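
iptables -A appends to the end of the INPUT chain, so on a server whose chain already ends in a catch-all DROP or REJECT rule the two new ACCEPT rules are never reached. The following check is an added example, not part of the original tutorial: it reads rules in the format printed by iptables -S INPUT and reports whether a UDP port is reachable; the function name and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: is an ACCEPT rule for a UDP port reachable in the INPUT chain?
# Reads rules in `iptables -S INPUT` format from stdin and prints one of:
#   ok        ACCEPT rule found before any catch-all DROP/REJECT
#   shadowed  ACCEPT rule found, but only after a catch-all DROP/REJECT
#   missing   no ACCEPT rule for that UDP destination port
check_udp_port() {
    awk -v port="$1" '
        # Catch-all rule with no match criteria: "-A INPUT -j DROP|REJECT ..."
        $1 == "-A" && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") {
            if (!found) blocked = 1
        }
        # First ACCEPT rule for this UDP destination port
        $1 == "-A" && /-p udp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == port && !found) {
                    found = 1
                    state = blocked ? "shadowed" : "ok"
                }
        }
        END { print (found ? state : "missing") }
    '
}

# Constructed sample: the rules were appended after an existing final DROP.
SAMPLE_APPENDED='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT'

# Constructed sample: the same rules placed ahead of the final DROP.
SAMPLE_INSERTED='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP'

# On a live server (as root):
#   iptables -S INPUT | check_udp_port 500
#   iptables -S INPUT | check_udp_port 4500
```

If a port is reported as shadowed, insert the ACCEPT rule ahead of the catch-all rule (iptables -I INPUT) instead of appending it.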

Set server password

Start the server running:

./vpnserver start

Invoke the SoftEther command-line tool:

./vpncmd

You will be presented with three options:

1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)

To manage the VPN server, type 1 and press Enter.

You are prompted to enter the hostname or IP Address of the server. Just press Enter to connect to localhost.

You are prompted to enter a virtual hub name. Since we are setting a password for the server as a whole, just press Enter.

The prompt turns into:

VPN Server>

Set the server password with the ServerPasswordSet command. For example, to set a server password of secret1234, enter the command:

ServerPasswordSet secret1234

On successful completion, you are returned to the prompt:

VPN Server>

Create virtual hub

A virtual hub is a bit like a router that exists only as a software construct. Create a virtual hub named vpn by issuing the command:

HubCreate vpn

You can either enter a password for the virtual hub, or leave it blank.

Enable L2TP/IPsec

Enable L2TP/IPsec on this server. The pre-shared key will be potatodigitalcabbagepie in this example. The default hub will be vpn:

IPsecEnable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:potatodigitalcabbagepie /DEFAULTHUB:vpn

Connect to virtual hub

Now work on the specific virtual hub vpn by issuing the command:

Hub vpn

The command prompt changes to:

VPN Server/vpn>

Create user(s)

Create one or more users and related passwords. For example, create a user named derek, whose real name is Derek:

UserCreate derek /GROUP:none /REALNAME:Derek /NOTE:none

Set password(s) for user(s)

Set a password for your user(s). For example, to give user derek the password pass4567:

UserPasswordSet derek /PASSWORD:pass4567

Enable SecureNAT

Enable the Virtual NAT and DHCP Server functions ("SecureNat") on the current virtual hub:

SecureNatEnable

Exit vpncmd command:

exit
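
The vpncmd steps above (from ServerPasswordSet through SecureNatEnable) can also be run from a batch file, with generated secrets in place of the sample values secret1234, potatodigitalcabbagepie and pass4567. This is an added example, not part of the original tutorial or of SoftEther; the function names are hypothetical, and it assumes a fresh server on which no administrative password has been set yet.

```shell
#!/bin/sh
# Added example: build a vpncmd batch file for the steps above, using
# generated secrets instead of the tutorial's sample values.

# Print 2*N hex characters read from the kernel CSPRNG.
gen_secret() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# Emit the tutorial's vpncmd commands in order, one per line.
# Args: hub, user, server password, hub password, PSK, user password.
make_batch() {
    hub="$1"; user="$2"
    cat <<EOF
ServerPasswordSet $3
HubCreate $hub /PASSWORD:$4
IPsecEnable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:$5 /DEFAULTHUB:$hub
Hub $hub
UserCreate $user /GROUP:none /REALNAME:$user /NOTE:none
UserPasswordSet $user /PASSWORD:$6
SecureNatEnable
EOF
}

# Write a batch with fresh 128-bit secrets to a file only the owner can
# read, and print its path. The file holds every secret in clear text.
write_batch() {
    ( umask 077
      f=$(mktemp) || exit 1
      make_batch "$1" "$2" "$(gen_secret 16)" "$(gen_secret 16)" \
                 "$(gen_secret 16)" "$(gen_secret 16)" > "$f"
      echo "$f" )
}

# Assumed usage on the server, from the vpnserver directory:
#   f=$(write_batch vpn derek)
#   ./vpncmd localhost /SERVER /IN:"$f"
#   cat "$f"   # record the PSK and user password for the client
#   rm "$f"
```

Passing the commands through /IN keeps the secrets out of the interactive terminal session; the batch file itself must be removed once the values have been recorded.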

Exit SSH session with the server:

exit

Windows laptop client

Now go to work on your client.

A one-time registry change is required on Windows clients. Search for and open the Registry Editor. In the tree in the leftmost pane, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent. Insert a new DWORD (32-bit) Value. Set the name to AssumeUDPEncapsulationContextOnSendRule. Set the value to 2.

Add your VPN profile as follows:

  1. Go to Settings > Network & Internet > VPN.
  2. Click Add a VPN connection.
  3. Select Windows (built-in).
  4. Enter a Connection name of your choice.
  5. Enter your server IP or dynamic DNS name.
  6. Select L2TP/IPsec with pre-shared key.
  7. Enter your SoftEther Pre-Shared Key (our example was potatodigitalcabbagepie).
  8. Type of sign-in info is User name and password.
  9. Enter your SoftEther user name.
  10. Enter your SoftEther user password.
  11. Check the box for Remember my sign-in info.
  12. Click Save.

Take your Windows laptop offsite, to a location that is not in your data center's network. If you go to a coffee shop, make sure they do not block VPN connections.

  1. Go to Settings > Network & Internet > VPN.
  2. Select the row for your L2TP/IPsec VPN server profile.
  3. Connect your client to your VPN server.
