SoftEther VPN Client
Introduction
- The guide was written for version 21.02 (current at time of writing). I experienced severe issues in 22.03, so your mileage on current-as-of-update might vary.
- This how-to describes the method for setting up the SoftEther VPN client on OpenWrt.
- Follow SoftEther VPN server for server setup and SoftEther VPN extras for additional tuning.
- This guide was in part adapted from kyson-lok at the GL.iNet forums and from Anuradha Karunarathna.
- The SoftEther VPN Manual is also a highly useful resource.
- The guide will use both LuCI and CLI; feel free to use LuCI-equivalent CLI commands where appropriate. CLI can alternatively be almost entirely avoided with access to a Windows PC and SoftEther's remote management tool.
Goals
Instructions
1. Install Packages
- Log into LuCI
- Go to “System” → “Software”
- Click “Update lists...”
- Filter the list for “softether”
- Install “softethervpn5-libs”
- Install “softethervpn5-client”
- Install “luci-app-softether” (somewhat optional - very limited LuCI interface at this point)
- Reboot the router
2. Configure SoftEther VPN Client
Note: If you have a Windows PC, you can use the remote client manager (“Manage Remote Computer's SoftEther VPN Client” in Start) to set everything up via GUI after issuing the command “RemoteEnable” in command line client management. It is also possible to drop an existing configuration file into place via SCP.
The guide here will show configuration with CLI/SSH, for which you issue the following command:
vpncmd
- The following prompt will appear:
    By using vpncmd program, the following can be achieved.
    1. Management of VPN Server or VPN Bridge
    2. Management of VPN Client
    3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
    Select 1, 2 or 3:
- Type “2” and confirm with “Enter”
- The following prompt will appear:
    Specify the host name or IP address of the computer that the destination VPN Client is operating on.
    If nothing is input and Enter is pressed, connection will be made to localhost (this computer).
    Hostname of IP Address of Destination:
- Simply press “Enter” (since you want to manage localhost)
- The following prompt will appear:
    Connected to VPN Client "localhost".
    VPN Client>
- Create a VPN network device by issuing the following command (replacing <devName> with your name of choice)
NicCreate <devName>
- Configure the VPN connection by issuing the following command (replacing <accountName> with your name of choice)
AccountCreate <accountName>
- You will now be prompted for a number of connection parameters. Fill in the <placeholders> with the relevant information - these will depend on how you've configured your server, except for <devName> which you chose above.
    Destination VPN Server Host Name and Port Number: <server address or IP>:<server port>
    Destination Virtual Hub Name: <server virtual hub>
    Connecting User Name: <user name>
    Used Virtual Network Adapter Name: <devName>
- Issue the following command to finish configuration:
AccountPasswordSet <accountName>
- Follow the prompts to configure the user password for the VPN connection (again depending on how you configured your server; for standard configurations you want to choose “standard” at the last prompt)
- Exit the VPNcmd environment with Ctrl+C
3. Configure OpenWrt networking
- Log into LuCI
- First, you need to set up a suitable interface:
- Go to “Network” → “Interfaces”
- Click “Add new interface...”
- For “Name”, choose and enter an <ifName> (e.g. “VPN”)
- For “Protocol”, select “DHCP client”
- For “Device”, select the Ethernet adapter “vpn_<devName>” (name chosen in part 2)
- Click “Create interface”
- Go to “Advanced Settings” tab
- Disable “Use default gateway”
- Disable “Delegate IPv6 prefixes”
- Go to “Firewall Settings” tab
- Select “wan” from the drop-down
- Click “Save”
- Click “Save & Apply”
- The following block of steps was necessary on my setup to make things work, but that might be due to server-side issues
- Go to “Devices” tab
- For “vpn_<devName>”, click “Configure”
- Disable “Enable IPv6” checkbox
- Click “Save”
- Click “Save & Apply”
- Lastly you just need to set up routing. My setup works well with specific static routes as shown here (i.e., VPN use only for specific connections); I haven't gotten it to work with VPN-as-default routing however.
- Go to “Network” → “Static Routes”
- Click “Add...”
- For “Interface”, select <ifName> (created earlier)
- For “Target”, specify the remote IP you want VPN traffic routing for
- For “Netmask”, specify the remote IP range for the above address
- For “Gateway”, specify the VPN server gateway IP. This will depend on how you have set up the VPN-server-side DHCP (e.g. via SoftEther VPN server SecureNAT, in which case the default I believe is 192.168.30.1).
- Click “Save”
- Click “Save & Apply”
- Reboot the router
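The LuCI steps of part 3 expressed as UCI settings, as an added example that is not part of the original guide. The section names `<ifName>_dev` and `<ifName>_route`, the device name `vpn_sevpn` and the route target `203.0.113.0` are assumptions chosen for illustration; the wan zone is looked up by name so the interface is not attached to the wrong firewall zone.

```shell
#!/bin/sh
# Added example: emit the UCI equivalent of the LuCI steps in part 3.
# All names and addresses passed in are placeholders chosen by the caller.

# Read `uci show firewall` output on stdin and print the index of the zone
# named "wan", so the zone is matched by name rather than by assumed position.
wan_zone_index() {
    sed -n "s/^firewall\.@zone\[\([0-9][0-9]*\)\]\.name='wan'\$/\1/p" | head -n 1
}

# Print `uci batch` input for: a DHCP-client interface on vpn_<devName> with
# no default route and no IPv6 prefix delegation, IPv6 disabled on the device,
# membership in the wan zone, and one static route via the VPN gateway.
vpn_uci_batch() {
    ifname=$1 dev=$2 zone_idx=$3 target=$4 netmask=$5 gateway=$6
    case "$dev" in vpn_*) ;; *) echo "device must be vpn_<devName>" >&2; return 1 ;; esac
    [ -n "$zone_idx" ] || { echo "no wan zone found" >&2; return 1; }
    cat <<EOF
set network.$ifname=interface
set network.$ifname.proto='dhcp'
set network.$ifname.device='$dev'
set network.$ifname.defaultroute='0'
set network.$ifname.delegate='0'
set network.${ifname}_dev=device
set network.${ifname}_dev.name='$dev'
set network.${ifname}_dev.ipv6='0'
add_list firewall.@zone[$zone_idx].network='$ifname'
set network.${ifname}_route=route
set network.${ifname}_route.interface='$ifname'
set network.${ifname}_route.target='$target'
set network.${ifname}_route.netmask='$netmask'
set network.${ifname}_route.gateway='$gateway'
commit network
commit firewall
EOF
}

# On the router (not run here):
#   idx=$(uci show firewall | wan_zone_index)
#   vpn_uci_batch vpn vpn_sevpn "$idx" 203.0.113.0 255.255.255.0 192.168.30.1 | uci batch
#   /etc/init.d/network reload && /etc/init.d/firewall reload
```

Review the printed batch before piping it into `uci batch`; with “Use default gateway” off, only the listed target is routed through the VPN.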
4. Starting/Stopping the VPN
Note: If you have a Windows PC, you can again use the remote client manager (“Manage Remote Computer's SoftEther VPN Client” in Start) for these parts.
The guide will again use CLI/SSH, for which you issue the following command:
vpncmd
- The following prompt will appear:
    By using vpncmd program, the following can be achieved.
    1. Management of VPN Server or VPN Bridge
    2. Management of VPN Client
    3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
    Select 1, 2 or 3:
- Type “2” and confirm with “Enter”
- The following prompt will appear:
    Specify the host name or IP address of the computer that the destination VPN Client is operating on.
    If nothing is input and Enter is pressed, connection will be made to localhost (this computer).
    Hostname of IP Address of Destination:
- Simply press “Enter” (since you want to manage localhost)
- The following prompt will appear:
    Connected to VPN Client "localhost".
    VPN Client>
- To start the VPN, issue the following command (replacing <accountName> with your chosen one from step 2)
AccountConnect <accountName>
- To stop the VPN, issue the following command (replacing <accountName> with your chosen one from step 2)
AccountDisconnect <accountName>
- To auto-start the VPN on boot, issue the following command (replacing <accountName> with your chosen one from step 2)
AccountStartupSet <accountName>
- To later disable auto-start, issue the following command (replacing <accountName> with your chosen one from step 2)
AccountStartupRemove <accountName>
- Exit the VPNcmd environment with Ctrl+C
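The interactive steps of parts 2 and 4 written as non-interactive vpncmd calls, as an added example that is not part of the original guide. The function names and the `DRY_RUN` switch are assumptions of this example; the password is deliberately not passed on the command line, on the assumption that vpncmd prompts for a parameter that is omitted.

```shell
#!/bin/sh
# Added example: parts 2 and 4 as scripted vpncmd calls.
# DRY_RUN=1 prints each command instead of running it.

vpnc() {
    # "localhost /CLIENT" corresponds to choosing "2" and pressing Enter
    # at the host prompt in the interactive session.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "vpncmd localhost /CLIENT /CMD $*"
    else
        vpncmd localhost /CLIENT /CMD "$@"
    fi
}

# Part 2: create the virtual adapter and the connection account.
# /PASSWORD is left out of AccountPasswordSet so the password is typed at the
# prompt and stays out of shell history and the process list.
setup_account() {
    dev=$1 acct=$2 server=$3 hub=$4 user=$5
    case "$server" in *:*) ;; *) echo "server must be host:port" >&2; return 1 ;; esac
    vpnc NicCreate "$dev" &&
    vpnc AccountCreate "$acct" "/SERVER:$server" "/HUB:$hub" "/USERNAME:$user" "/NICNAME:$dev" &&
    vpnc AccountPasswordSet "$acct" /TYPE:standard
}

# Part 4: connect and enable auto-start, or undo both.
vpn_up()   { vpnc AccountConnect "$1" && vpnc AccountStartupSet "$1"; }
vpn_down() { vpnc AccountStartupRemove "$1"; vpnc AccountDisconnect "$1"; }

# Example call on the router (constructed values):
#   setup_account sevpn home vpn.example.org:443 DEFAULT alice && vpn_up home
```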
Testing
Note: traceroute doesn't work properly for me with the VPN running, unfortunately. However, you can confirm routing e.g. by setting up static routes for an IP geolocation server or similar and checking that way.
Troubleshooting
If you've installed the “luci-app-softether” package, you can check the connection status in LuCI under System → Softether. If you have a Windows PC, you can use the remote client manager for this. Or you can again use vpncmd (refer to the official documentation).