FreeBSD: Setup SoftEther and configure Offshore 100% Logless VPN server (Windows 10 as clients)

Written by: Özgür Konstantin Kazanççı

Category: My FreeBSD Write-ups

Bonum Diem.

Today I’m going to install SoftEther VPN Server on FreeBSD 12.2 from the FreeBSD package repository, dig deeply into it, and configure it to be completely offshore and 100% logless.

SoftEther is an alternative, fast VPN server created by people at the University of Tsukuba, Japan. It uses SSL-VPN (over HTTPS), and since it listens on TCP port 443 (HTTPS), blocking SoftEther with a firewall is much harder than blocking most other VPN server software.

SoftEther supports nearly all desktop platforms, including Windows, macOS, Linux, FreeBSD and OpenBSD (it doesn’t seem to perform really well under OpenBSD, but hey, we always have our nice buddy WireGuard there), as well as mobile platforms including Android, iOS and Maemo. It offers strong encryption, fast speeds and high reliability, even on high-latency networks and across great distances.

And the client software supports a large number of operating systems, interestingly from Windows 98 (never tried it anyway), to Windows Server systems.

(Supported Windows platforms: Windows 98 / 98 SE / ME / NT 4.0 SP6a / 2000 SP4 / XP SP2, SP3 / Vista SP1, SP2 / 7 SP1 / 8 / 8.1 / 10 / Server 2003/2008/2012/2016/2019)

SoftEther’s Advantages:

-Supporting all popular VPN protocols in a single VPN server:
SSL-VPN (HTTPS), OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3, EtherIP
-Easy to establish both remote-access and site-to-site VPN.
-SSL-VPN Tunneling on HTTPS to pass through NATs and firewalls.
-Revolutionary VPN over ICMP and VPN over DNS features.
-Resistance to highly-restricted firewalls.
-Ethernet-bridging (L2) and IP-routing (L3) over VPN.
-Embedded dynamic-DNS and NAT-traversal so that no static nor fixed IP address is required.
-AES 256-bit and RSA 4096-bit encryptions.
-Sufficient security features such as logging and a firewall inside the VPN tunnel.
-User authentication with RADIUS and NT domain controllers.
-User authentication with X.509 client certificate.
-Packet logging.
-1Gbps-class high-speed throughput performance with low memory and CPU usage.
-Windows, Linux, Mac, Android, iPhone, iPad and Windows Phone are supported.
-The OpenVPN clone function supports legacy OpenVPN clients.
-IPv4 / IPv6 dual-stack.
-The VPN server runs on Windows, Linux, FreeBSD, Solaris and Mac OS X.
-Configure all settings in a GUI. (I do it completely within the terminal – being a terminal-lover guy)
-No memory leaks (They claim?). High quality stable codes, intended for long-term runs.

Let’s start.

First of all, it is best practice to ensure your out-of-date packages are updated, and package repository catalogues are up to date before doing any package installation.

Invoking “pkg upgrade” updates the repository catalogues automatically, so there’s no need to issue “pkg update” first. So let’s “pkg upgrade” our system;

root@freebsdbox:~ # pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.

And install SoftEther from Packages:

root@freebsdbox:~ # pkg install softether5

Then, to configure SoftEther VPN Server startup on boot:

root@freebsdbox:~ # sysrc softether_server_enable=yes
softether_server_enable:  -> yes

That command actually adds the line softether_server_enable=“yes” to the /etc/rc.conf file. Finally, let’s start the VPN server and begin configuring it;

root@freebsdbox:~ # vpnserver start
The SoftEther VPN Server service has been started.

Then we check the system by running ‘check’ within the ‘vpncmd’ command (after selecting ‘3’). This verifies that there is no problem with our system and the libraries needed by the VPN Server software, and that SoftEther will work properly.

root@freebsdbox:~ # vpncmd

1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)

Select 1, 2 or 3: 3

VPN Tools>check
Check command - Check whether SoftEther VPN Operation is Possible
---------------------------------------------------
Checking 'Kernel System'...
              Pass
Checking 'Memory Operation System'...
              Pass
Checking 'ANSI / Unicode string processing system'...
              Pass
Checking 'File system'...
              Pass
Checking 'Thread processing system'...
              Pass
Checking 'Network system'...
              Pass

All checks passed. It is most likely that SoftEther VPN Server / Bridge can operate normally on this system. The command completed successfully.

After getting “All checks passed” we type ‘exit’ and then continue configuring our server, with vpncmd again, choosing ‘1’ this time:

root@freebsdbox:~ # vpncmd

1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
Select 1, 2 or 3: 1

Hostname of IP Address of Destination: -press enter-
Specify Virtual Hub Name: -press enter-

Connection has been established with VPN Server "localhost" (port 443). You have administrator privileges for the entire VPN Server.
VPN Server> _

First of all, each time we want to configure our server, we should select a Virtual Hub to manage. We didn’t give our hub a name, so it’s called “default”;

VPN Server> hub default
Hub command - Select Virtual Hub to Manage
The Virtual Hub "DEFAULT" has been selected.
The command completed successfully.
VPN Server/DEFAULT> _

Then, create a VPN user, e.g. called ‘vpntest’ for the VPN client on Windows:

VPN Server/DEFAULT>UserCreate
UserCreate command - Create User
User Name: vpntest
Assigned Group Name:
User Full Name:
User Description:
The command completed successfully.
VPN Server/DEFAULT> _

And we set a password for our VPN user:

VPN Server/DEFAULT>UserPasswordSet vpntest
UserPasswordSet command - Set Password Authentication for User Auth Type and Set Password. Please enter the password. To cancel press the Ctrl+D key.

Password: ****
Confirm input: ****

The command completed successfully.

In the future, with the ‘UserList’ command, you can get a list of all the VPN users on the system, with their traffic transfer statistics:

VPN Server/DEFAULT>UserList
UserList command - Get List of Users
Item            |Value
----------------+-------------------------
User Name       |vpntest
Full Name       |
Group Name      |-
Description     |
Auth Method     |Password Authentication
Num Logins      |7
Last Login      |2021-01-10 (Sun) 19:08:24
Expiration Date |No Expiration
Transfer Bytes  |199,930,740
Transfer Packets|457,317
The command completed successfully.

We’ll need to enable SecureNAT:

VPN Server/DEFAULT>SecureNATEnable
SecureNatEnable command - Enable the Virtual NAT and DHCP Server Function (SecureNat Function)
The command completed successfully.

Let’s see the virtual MAC Address, IP Block/Subnet Mask of our SoftEther’s SecureNAT/DHCP Server:

VPN Server/DEFAULT>SecureNatHostGet
Get Network Interface Setting of Virtual Host of SecureNAT Function
Item       |Value
-----------+-----------------
MAC Address|5E-A2-15-FE-61-FF
IP Address |192.168.30.1
Subnet Mask|255.255.255.0
The command completed successfully.

Given the details above, our VPN clients will get IPs starting with 192.168.30 (the range 192.168.30.2-192.168.30.254), and of course, with the SecureNatHostSet command you’re allowed to change these values on the SoftEther server (including the MAC address!), exempli gratia;

VPN Server/DEFAULT>SecureNatHostSet
Change Network Interface Setting of Virtual Host of SecureNAT Function

MAC Address: DE-AD-BE-EF-BA-BE
IP Address: 10.10.10.1
Subnet Mask: 255.255.255.0
The command completed successfully.

For security reasons, we’ll set the Server Administrator password:

VPN Server/DEFAULT>ServerPasswordSet
ServerPasswordSet command - Set VPN Server Administrator Password
Please enter the password. To cancel press the Ctrl+D key.

Password: *****************
Confirm input: *****************

The command completed successfully.

Loglessness!

We’d like to have an absolutely log-less VPN server and go with 100% zero-log. With the following steps we disable logging, to save disk space, RAM and CPU (oh, and for some privacy):

VPN Server/DEFAULT>LogDisable security
LogDisable command - Disable Security Log or Packet Log
The command completed successfully.
VPN Server/DEFAULT>LogDisable packet
LogDisable command - Disable Security Log or Packet Log
The command completed successfully.

And now quit from the management console and continue reading:

VPN Server/DEFAULT>exit

The SoftEther documentation explains how to disable the ‘Security’ and ‘Packet’ logs, which we did above. But what about the Server Log? There’s no option to disable that thing.

Under FreeBSD 12.2, SoftEther’s server log is saved in the /var/log/softether/server/ directory. The entire VPN Server operating log is saved in that folder as log files: detailed operating records, events on the launch/termination of the VPN Server, when and what type of connections are being received or were received, and so on.

Even worse, a copy of each Virtual Hub’s Security Log is saved in the server log as well, so even if a Virtual Hub Administrator sets the security log not to be saved (as we did above), it is still saved automatically in the server log.

Likewise, even when the Virtual Hub Administrator does not save the Virtual Hub logs or deletes them, their contents can still be read from the VPN Server’s server log.

But how to prevent that?

We begin by truncating any existing log files:

root@freebsdbox: # truncate -s 0 /var/log/softether/packet/**/*.log
root@freebsdbox: # truncate -s 0 /var/log/softether/security/**/*.log
root@freebsdbox: # truncate -s 0 /var/log/softether/server/*.log

And then we remove the files completely:

root@freebsdbox: # find /var/log/softether -name '*.log' -delete

For the server log folder, /var/log/softether/server/, my solution is this:
FreeBSD offers write protection through file flags, so we set a special flag called ‘immutable’ (schg) on our “server” folder. Once this flag is set on the folder, nobody and no service/daemon can write to, delete or modify that folder, including root. (That can also be useful to protect some important system files, like /etc/master.passwd, occasionally.) Only root can clear the immutable flag, and only while kern.securelevel has not been raised above 0; so obviously, you must be root to set or clear it.

root@freebsdbox: # chflags schg /var/log/softether/server/

Check if the folder’s immutable bit is on or off:

root@freebsdbox: # ls -lo /var/log/softether/
drwx------  2 root  wheel  schg,uarch 2 Jan 11 20:25 server

The folder ‘server’ now has the ‘schg’ flag set. From now on it’s not allowed to create, remove or modify anything within that folder, and the folder itself can’t be removed either:

root@freebsdbox: # rm -rf /var/log/softether/server/
rm: server/: Operation not permitted

Testing:

root@freebsdbox: # echo spongebob > /var/log/softether/server/squarepants.log
/var/log/softether/server/squarepants.log: Operation not permitted.

Done. Our ‘server’ log folder will always remain empty, from now on.

To clear the immutable flag if you want to save logs again, use the command: chflags noschg /var/log/softether/server/

A few additional things are left; we’ll disable the Web Interface/WebUI (for security and stability reasons) and NAT-Traversal mode. First, we need to stop vpnserver:

root@freebsdbox:~ # vpnserver stop
Stopping the SoftEther VPN Server service ...
SoftEther VPN Server service has been stopped.

Then, edit SoftEther’s config file:

root@freebsdbox:~ # nano /var/db/softether/vpn_server.config

Move your cursor to lines 84 and 85 (the exact line numbers may differ in your file) and replace “false” with “true”:
bool DisableJsonRpcWebApi true
bool DisableNatTraversal true

Save it and exit from nano. Start vpnserver:

root@freebsdbox:~ # vpnserver start
The SoftEther VPN Server service has been started.
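To verify the server-side hardening done above (the two config booleans, and the emptied, immutable server log folder), here is a small POSIX sh audit script. It is an added example, not code from the SoftEther project or the FreeBSD package; CONFIG and SERVER_LOG_DIR default to the package paths used in this write-up, and the schg/securelevel checks only run on FreeBSD.

```sh
#!/bin/sh
# Post-hardening audit for the SoftEther server set up above. Added example,
# not part of SoftEther or the FreeBSD package; the paths are the ones used
# in this write-up and can be overridden through the environment.
CONFIG=${CONFIG:-/var/db/softether/vpn_server.config}
SERVER_LOG_DIR=${SERVER_LOG_DIR:-/var/log/softether/server}

# Print the value of the first "bool <key> <value>" line in a
# vpn_server.config-style file, or "missing" if the key is absent.
config_bool() {  # $1=file  $2=key
    awk -v key="$2" '!found && $1 == "bool" && $2 == key { print $3; found = 1 }
                     END { if (!found) print "missing" }' "$1"
}

# Rewrite one bool (the nano edit from the write-up, done non-interactively).
# Writes to a temp file and renames it, so it works with both BSD and GNU sed.
# Stop vpnserver first, exactly as the write-up does before editing the file.
set_config_bool() {  # $1=file  $2=key  $3=true|false
    tmp="$1.tmp.$$"
    sed -e "s/^\([[:space:]]*bool $2 \)[a-z]*\$/\1$3/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Return 0 if one "ls -lo" line (FreeBSD format) lists schg among the flags.
# The flags are the fifth column, e.g. "schg,uarch" or "-" when none are set.
flags_have_schg() {  # $1=one line of ls -lo output
    flags=$(printf '%s\n' "$1" | awk '{ print $5 }')
    case ",$flags," in *,schg,*) return 0 ;; *) return 1 ;; esac
}

# Check everything the write-up configured on the server side.
audit() {
    rc=0
    for key in DisableJsonRpcWebApi DisableNatTraversal; do
        v=$(config_bool "$CONFIG" "$key")
        [ "$v" = true ] && echo "ok   $key=$v" || { echo "FAIL $key=$v"; rc=1; }
    done
    if [ "$(uname -s)" = FreeBSD ]; then
        if flags_have_schg "$(ls -ldo "$SERVER_LOG_DIR")"; then
            echo "ok   $SERVER_LOG_DIR is immutable (schg)"
        else
            echo "FAIL $SERVER_LOG_DIR is still writable"; rc=1
        fi
        [ -z "$(ls -A "$SERVER_LOG_DIR")" ] || { echo "FAIL $SERVER_LOG_DIR is not empty"; rc=1; }
        # At kern.securelevel >= 1 not even root can clear schg without a reboot.
        echo "note kern.securelevel=$(sysctl -n kern.securelevel)"
    fi
    return $rc
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1-}" = --run ]; then audit; fi
```

Run it as root with `sh audit.sh --run` after the vpnserver restart; a non-zero exit status means at least one of the settings above is not in the hardened state.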

===========================================

Windows 10 Client Setup:

Download and setup SoftEther Client for Windows, from here.
(Select Component: SoftEther VPN Client)

After the installation is completed, we need to create a new Virtual Network Adapter. Open SoftEther and follow the menu:

Virtual Adapter -> New Virtual Adapter, give it a name (‘VPN’ by default) and press OK. You’ll see a “loading bar” saying;

Creating a new Virtual Network Adapter for Windows..
This process can take several seconds or over a minute.
Please wait… Please do not perform other operations,
while the Virtual Network Adapter is being installed.

Then, double-click the “Add VPN Connection” icon and fill in the values:
Host Name: IP address of your VPN server
Port Number: 443
Tick the “Disable NAT-T” checkbox (this appends the tag ‘/tcp’ to your Host Name/IP Address value).
Virtual Hub Name: default

On the right side, under ‘User Authentication Setting’;

Auth Type: Standard Password Authentication
Username: vpntest
Password: YourUserPass

Finally click “OK”, and back in the SoftEther VPN Client Manager, double-click the newly created “New VPN Connection” icon to route all your Internet traffic through your fresh SoftEther VPN server.

And as always, check whether your DNS/VPN leaks: https://dnsleaktest.com

Best,
Özgür Kazanççı.
Twitter: @ozgurkazancci


9 Comments

Mark Ogłoszenia 05/12/2021

A good blog post and valuable for its information. Many thanks for sharing it up!

Alex 11/01/2022

My system passes all of the tests as documented above. When attempting to “continue configuring our server, with vpncmd again, choosing ‘1’ this time:” I get this error:
Specify Virtual Hub Name:
Error occurred. (Error code: 2)
Protocol error occurred. Error was returned from the destination server.

Özgür Kazanççı 11/01/2022

Hi Alex.

Well, SoftEther server runs/listens by default on port TCP/443; if your server’s TCP port 443 is occupied by any other program (mostly and usually a web server such as Apache, nginx and so on), then the port is already taken and therefore SoftEther won’t be able to bind to it.

Please check and make sure that the port numbered 443 is empty. The command: “netstat -anf inet” will help you.

Alternatively, as SoftEther also listens on ports 992, 1194 and 5555, you might specify
localhost:5555 when it asks “Hostname of IP Address of Destination:”

Best,
Özgür.

Alex 16/01/2022

Thanks, your clarification worked perfectly (I am using localhost:1194) and I am *NOW* connecting to my remote server perfectly and accessing the internet from the remote server.
My remote server has multiple IP addresses. Is there a way to map a specific user/hub to use a specific external IP address?

Özgür Kazanççı 16/01/2022

You’re very welcome! Well, I think you can create different hubs, a second hub for your second IP, by running ‘vpncmd’, selecting ‘1’, and as “Hostname or IP Address of Destination” giving it a mapped IP address of your choice (of your own server), let’s say 12.12.12.12:1194, and a different name
when it asks “Specify Virtual Hub Name:”, name it ‘hub2’ e.g., and then, instead of the “hub default” command, type “hub hub2” to manage your second hub, and finally create a user for it with UserCreate and so on.

BUT if your default hub, which you created earlier at first, is listening on localhost:1194 instead of an IP address, I think that would probably make it *.1194 (listening on the same port on all your IPs), so your second IP will be unable to bind the port (if you specified the same port); so either specify a different SoftEther port for your second hub, or for your default hub, you might wish to specify an IP address instead of “localhost”, which listens on all the IPs. Good luck.

P.S.: You can listen on the same port on different IPs as well, but you should define IPs on each hub, instead of setting “localhost”.

Alex 27/01/2022

Thanks for your help, but if I understood you correctly, it did not work.
On a new server with 2 IP addresses I created 2 hubs and 2 users:
Hostname of IP Address of Destination: x.x.x.88:992
HubCreate hub88
UserCreate user88
AND
Hostname of IP Address of Destination: x.x.x.89:992
HubCreate hub89
UserCreate user89

When accessing the VPN from home with either username, whatismyipaddress.com always shows my IP address as x.x.x.88.
I want user89 to access the internet as x.x.x.89, the IP address I used to connect to the VPN.

Cioby 16/01/2022

Hello, I have set up SoftEther VPN Server on FreeBSD with success, but when doing speed tests with the VPN connected the speed was quite slow.
The Internet connection is 1Gbps download/upload, and while connected to the VPN and transferring a file I was not able to achieve more than 100Mbps in the best case.
I have tried both local bridge and SecureNAT and there were no big differences in terms of speed.
Do you know what can be done to improve the performance? I expect the speed to be better, at least 200 – 300 Mbps. The server has 16GB RAM and an i7 8-core CPU.
Thank you.

Alex 30/01/2022

I used these steps:

Hostname of IP Address of Destination: xx.xx.xx.88:992
VPN Server>hubcreate hub88
VPN Server>hub hub88
VPN Server/hub88>usercreate user88

I then ran again with:

Hostname of IP Address of Destination: xx.xx.xx.89:992
VPN Server>hubcreate hub89
VPN Server>hub hub89
VPN Server/hub88>usercreate user89

It does not matter which user I connect with; outgoing connections to the internet always go out through IP xx.xx.xx.88. I want user89 to access the internet via xx.xx.xx.89.

Thomas 19/06/2022

I like the valuable info you supply in your articles.
I will bookmark your weblog and test once more here regularly.
I am fairly sure I will learn many new stuff right here! Good luck for the following!
