SoftEther VPN Project

https://www.softether.org/

What is SoftEther VPN

SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software products. It runs on Windows, Linux, Mac, FreeBSD and Solaris.

SoftEther VPN is open source. You can use SoftEther for any personal or commercial use free of charge.

SoftEther VPN is an optimum alternative to OpenVPN and Microsoft's VPN servers. SoftEther VPN has a clone function of OpenVPN Server, so you can migrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8. You no longer need to pay for an expensive Windows Server license to get the Remote-Access VPN function.

SoftEther VPN can be used to realize BYOD (Bring your own device) in your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN's L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN's L2TP VPN Server is highly compatible with Windows, Mac, iOS and Android.

SoftEther VPN is not only an alternative VPN server to existing VPN products (OpenVPN, IPsec and MS-SSTP). SoftEther VPN also has its own strong SSL-VPN protocol to penetrate any kind of firewall. The ultra-optimized SSL-VPN protocol of SoftEther VPN has very fast throughput, low latency and firewall resistance.

SoftEther VPN has stronger resistance against firewalls than ever. Built-in NAT traversal penetrates your network admin's troublesome, overprotective firewall. You can set up your own VPN server behind the firewall or NAT in your company, and you can reach that VPN server in the corporate private network from your home or a mobile location, without any modification of firewall settings. Deep-packet inspection firewalls cannot detect SoftEther VPN's transport packets as a VPN tunnel, because SoftEther VPN uses Ethernet over HTTPS for camouflage.

It is easy to imagine, design and implement your VPN topology with SoftEther VPN. It virtualizes Ethernet by software emulation. SoftEther VPN Client implements a Virtual Network Adapter, and SoftEther VPN Server implements a Virtual Ethernet Switch. You can easily build both Remote-Access VPN and Site-to-Site VPN as an extension of an Ethernet-based L2 VPN. Of course, a traditional IP-routing L3 based VPN can also be built with SoftEther VPN.

SoftEther VPN has strong compatibility with today's most popular VPN products around the world. It is interoperable with OpenVPN, L2TP, IPsec, EtherIP, L2TPv3, Cisco VPN Routers and MS-SSTP VPN Clients. SoftEther VPN is the world's only VPN software which supports SSL-VPN, OpenVPN, L2TP, EtherIP, L2TPv3 and IPsec in a single VPN software package.

SoftEther VPN is free software because it was developed as Daiyuu Nobori's master's thesis research at the university. You can download and use it today. The source code of SoftEther VPN is available under the Apache License 2.0.

Features of SoftEther VPN

Architecture of SoftEther VPN

Virtualization of Ethernet devices is the key to the SoftEther VPN architecture. SoftEther VPN virtualizes Ethernet devices in order to realize a flexible virtual private network for both remote-access VPN and site-to-site VPN. SoftEther VPN implements the Virtual Network Adapter program as a software-emulated traditional Ethernet network adapter. SoftEther VPN implements the Virtual Ethernet Switch program (called Virtual Hub) as a software-emulated traditional Ethernet switch. SoftEther VPN implements the VPN Session as a software-emulated Ethernet cable between the network adapter and the switch.

You can create one or more Virtual Hubs with SoftEther VPN on your server computer. This server computer will become a VPN server, which accepts VPN connection requests from VPN client computers.

You can create one or more Virtual Network Adapters with SoftEther VPN on your client computer. This client computer will become a VPN client, which establishes VPN connections to the Virtual Hub on the VPN server.

You can establish VPN sessions, also called 'VPN tunnels', between VPN clients and VPN servers. A VPN session is a virtualized network cable. A VPN session is realized over a TCP/IP connection. The signals through the VPN session are encrypted by SSL. Therefore, you can safely establish a VPN session across the Internet. A VPN session is established by SoftEther VPN's "VPN over HTTPS" technology. This means that SoftEther VPN can create a VPN connection through any kind of firewall or NAT.

The Virtual Hub exchanges all Ethernet packets from each connected VPN session to other connected sessions. The behavior is the same as that of traditional Ethernet switches. The Virtual Hub has an FDB (forwarding database) to optimize the transmission of Ethernet frames.

You can define a local bridge between the Virtual Hub and the existing physical Ethernet segment by using the Local Bridge function. The Local Bridge exchanges packets between the physical Ethernet adapter and the Virtual Hub. You can realize a remote-access VPN from home or mobile to the company network by using the Local Bridge function.

You can define a cascading connection between two or more remote Virtual Hubs. With cascading, you can integrate two or more remote Ethernet segments into a single Ethernet segment. For example, after you establish cascading connections between sites A, B and C, any computer in site A will be able to communicate with the computers in site B and site C. This is a site-to-site VPN.

SoftEther VPN can also establish a VPN session over UDP. The UDP mode of SoftEther VPN supports NAT traversal. The NAT traversal function allows a VPN server behind existing NATs or firewalls to accept incoming VPN sessions. You need no special permission from a network administrator before setting up a VPN server on the company network behind firewalls or NATs. Additionally, SoftEther VPN Server may be placed in a dynamic IP address environment, since SoftEther VPN has a built-in Dynamic DNS (DDNS) function.

SoftEther VPN Server supports additional VPN protocols, including L2TP/IPsec, OpenVPN, Microsoft SSTP, L2TPv3 and EtherIP. These provide interoperability with the built-in L2TP/IPsec VPN clients on iPhone, iPad, Android, Windows and Mac OS X, and also with Cisco's VPN routers and other vendors' VPN products.

How to Use SoftEther VPN?

SoftEther VPN is an essential infrastructure for building IT systems in enterprises and small businesses.

  • http://www.softether.org/4-docs/2-howto/1.VPN_for_On-premise/1.Ad-hoc_VPN
    Make an ad-hoc VPN consisting of a small number of computers with SoftEther VPN. Despite long distances, it is easy to communicate mutually with any kind of LAN-oriented protocol.

  • http://www.softether.org/4-docs/2-howto/1.VPN_for_On-premise/3.LAN_to_LAN_Bridge_VPN
    Geographically distributed branches are isolated as networks by default. SoftEther VPN lays virtual Ethernet cables between all your branches. Then all computers of all branches are connected to a single LAN.

  • http://www.softether.org/4-docs/2-howto/1.VPN_for_On-premise/2.Remote_Access_VPN_to_LAN
    Do employees need to connect to the company LAN from outside or home? Remote Access VPN provides a virtual network cable from a client PC to the LAN from anywhere, at any time.

SoftEther VPN can build a flexible and dependable virtual network around Clouds. Amazon EC2, Windows Azure and most other Clouds support SoftEther VPN.

  • http://www.softether.org/4-docs/2-howto/2.VPN_for_Cloud/1.Join_a_Local_PC_into_Cloud
    Your desktop or laptop PC can join the Cloud VM network. You can easily make use of a Cloud VM as if it were on your own local network.

  • http://www.softether.org/4-docs/2-howto/2.VPN_for_Cloud/2.Join_a_Cloud_VM_into_LAN
    Your Cloud VM can join your company LAN with SoftEther VPN. Anyone in your company can access the Cloud VM without any settings.

  • http://www.softether.org/4-docs/2-howto/2.VPN_for_Cloud/3.Cloud_to_LAN_Bridge_VPN
    SoftEther VPN keeps a virtual dedicated Ethernet line from the Cloud to the LAN 24h/365d. You can consider the remote Cloud private network as a part of your corporate network.

  • http://www.softether.org/4-docs/2-howto/2.VPN_for_Cloud/4.Cloud_to_Cloud_Bridge_VPN
    Are you using Amazon EC2 and Windows Azure, or using two or more remote datacenters of a Cloud service? SoftEther VPN can make a single united network between all Cloud VMs despite differences of physical location.

SoftEther VPN supports several mobile devices including iPhone and Android. Your smartphone is now a part of your on-premise or Cloud network by using SoftEther VPN.

  • http://www.softether.org/4-docs/2-howto/3.VPN_for_Mobile/1.iPhone_and_Android
    iPhone and Android have a built-in VPN client, but originally they needed Cisco, Juniper or other expensive hardware-based VPNs for remote access. SoftEther VPN has the same function as Cisco, and supports your iPhone and Android easily.

  • http://www.softether.org/4-docs/2-howto/3.VPN_for_Mobile/2.Windows_and_Mac_Laptops
    Your mobile PCs with Windows or Mac can be easily connected to SoftEther VPN anywhere and anytime, despite firewalls or packet filters on Wi-Fi or overseas ISPs. Windows RT is also supported.

SoftEther VPN is also an ultra-convenient tool for effective system management by IT professionals in enterprises and at system integrators.

  • http://www.softether.org/4-docs/2-howto/4.VPN_for_IT_Professionals/1.Remote_Management
    Are you having problems because the many servers, clients and printers of your client companies are distributed around the state? SoftEther VPN will help you, the network administrator, as a handy tool right from your desk. You can reach any network just by installing SoftEther VPN.

  • http://www.softether.org/4-docs/2-howto/4.VPN_for_IT_Professionals/3.Building_Your_Own_Cloud
    Do you want to build and provide your own Cloud service which can beat Amazon EC2 or Windows Azure? SoftEther VPN can help you to build an inter-VM network and a remote-bridging network between your Cloud and your customer's on-premise network.

  • http://www.softether.org/4-docs/2-howto/4.VPN_for_IT_Professionals/2.VPN_for_Network_Testing%2C_Simulation_and_Debugging
    SoftEther VPN is not a program only for building remote networks. It can be used for network design, testing and simulation by IT professionals. For example, a delay, jitter and packet loss generator is implemented in SoftEther VPN, so a network designer can test VoIP phones under bad IP network conditions.

SoftEther VPN is also convenient for home users. You can be proud of using enterprise-class VPN for your home-use.

  • http://www.softether.org/4-docs/2-howto/5.VPN_for_Home/1.Remote_Access
    Do you want to access your home server or digital appliance from outside? Set up SoftEther VPN Server on your home PC and gain access to your server or HDTV recorder from anywhere, even the opposite side of the earth, through the Internet.

  • http://www.softether.org/4-docs/2-howto/5.VPN_for_Home/2.Comfortable_Network_Anywhere
    Are you a business person travelling around the world? Most Wi-Fi networks and local ISPs in several countries are uncomfortable to use because of packet filtering or censorship. So set up your private relay server on your own home PC and use it from the field to gain ease.

Does your network administrator hesitate to assign you a global IP address? Or does your company have a firewall on the border between the private network and the Internet? No problem! SoftEther VPN has a strong function to penetrate troublesome corporate firewalls.

  • http://www.softether.org/4-docs/2-howto/6.VPN_Server_Behind_NAT_or_Firewall/1.Dynamic_DNS_and_NAT_Traversal
    Unlike legacy IPsec-based VPN, even if your corporate network doesn't have any static global IP address, you can set up a stable SoftEther VPN Server on your corporate network.

  • http://www.softether.org/4-docs/2-howto/6.VPN_Server_Behind_NAT_or_Firewall/2.VPN_Azure
    If the corporate firewall is more restrictive and the NAT Traversal of SoftEther VPN doesn't work correctly, use VPN Azure to penetrate such a firewall.

IPsec-based VPN protocols, which were developed in the 1990s, are now obsolete. IPsec-based VPNs are not friendly to most firewalls, NATs or proxies. Unlike IPsec-based VPNs, SoftEther VPN is friendly to any kind of firewall. Additionally, SoftEther VPN requires no expensive Cisco or other hardware devices. You can replace your Cisco or OpenVPN with SoftEther VPN today.

  • http://www.softether.org/4-docs/2-howto/7.Replacements_of_Legacy_VPNs/1.Penetrates_Firewall_by_SSL-VPN
    Are you having trouble with IPsec-based legacy VPN products? Replace them with SoftEther VPN. The SoftEther VPN Protocol is based on HTTPS, so almost all kinds of firewalls will permit SoftEther VPN's packets.

  • http://www.softether.org/4-docs/2-howto/7.Replacements_of_Legacy_VPNs/3.Replacements_of_Cisco_or_other_hardware-based_VPNs
    Cisco, Juniper or other hardware-based IPsec VPNs are expensive to set up and manage. They also lack usability and compatibility with firewalls. Replace them with SoftEther VPN. The replacement is very easy because SoftEther VPN also has the L2TP/IPsec VPN function, which is the same as Cisco's.

  • http://www.softether.org/4-docs/2-howto/7.Replacements_of_Legacy_VPNs/2.Replacements_of_OpenVPN
    Are you still using OpenVPN? SoftEther VPN has more capabilities, better performance and easily configurable GUI-based management tools. SoftEther VPN also has the OpenVPN Server Clone Function, so any OpenVPN client, including iPhone and Android, can connect to SoftEther VPN easily.

Screenshots

SoftEther VPN consists of three software components: VPN Client, VPN Server and VPN Bridge.

SoftEther VPN Client


SoftEther VPN Server Admin Tool


This section will explain how to create a layer 3 connection between two or more remote networks by utilizing bridge connections together with IP routing.

10.6.1 Combining Bridge Connections and IP Routing

After reading section 10.5 Build a LAN-to-LAN VPN (Using L2 Bridge) you know how to connect multiple LANs together into a single layer 2 (Ethernet) segment, forming a LAN-to-LAN VPN.

By combining that method and the Virtual Layer 3 Switching capability built into VPN Server you can construct a LAN-to-LAN VPN that utilizes layer 3 IP routing.

10.6.2 IP Routing Via Virtual Layer 3 Switching

VPN Server has Virtual Layer 3 Switching capabilities which allow it to perform IP routing between multiple Virtual Hubs under the same VPN Server. By using this capability you can construct a large scale LAN-to-LAN VPN which works even if each individual LAN has multiple IP networks of its own.

Please refer to section 3.8 Virtual Layer 3 Switches for a summary of Virtual Layer 3 Switching and how to use it.

10.6.3 Pros and Cons of IP Routing

This section will give the pros and cons of setting up a LAN-to-LAN VPN that performs IP routing between LANs through Virtual Layer 3 Switching as opposed to setting up one using only bridge connections as explained previously in section 10.5 Build a LAN-to-LAN VPN (Using L2 Bridge).

IP Routing - Pros

  • Using only bridge connections to make a VPN connection to multiple LANs results in those LANs being joined together as a single layer 2 (Ethernet) segment. By also utilizing Virtual Layer 3 Switching you can perform layer 3 (IP) communication between LANs even if they are separated at a layer 2 level.

  • This means that you will be able to communicate between LANs that already have their own stable IP networks without making any changes to the computers/devices on those networks.

  • It's also a good idea to use IP routing when dealing with large LANs that contain more than 100 computers each. When simply bridging multiple LANs together there could be an increase in broadcast packet traffic due to the increased number of computers on the network. In this case it's best to use IP routing to perform routing between the LANs and create a smaller broadcast domain.

IP Routing - Cons

  • A good knowledge of TCP/IP and VPNs is required to configure Virtual Layer 3 Switching and design/build a LAN-to-LAN VPN that utilizes IP routing.

  • You may also notice a slight performance decrease in layer 3 compared to a simple layer 2 LAN-to-LAN VPN due to the routing processing (such as re-writing IP headers, etc.) which must transfer large numbers of packets in bursts.

  • Because each LAN's layer 2 segments are separated, they can only communicate with each other via IP.

10.6.4 Network Layout

This section will explain the following type of network layout as an example.

Network Layout.

In the above network example there are 3 LANs connected together through a VPN connection. Computers on all LANs are able to communicate with each other through the IP routing enabled VPN. For this example, assume that the three LANs are located in Tokyo, Osaka, and Tsukuba, Japan.

The Tokyo LAN is the main LAN and therefore VPN Server is installed there. This leaves the LANs in Osaka and Tsukuba as the sub-LANs. VPN Bridge will be installed to both of these locations.

The private IP networks in Tokyo, Osaka, and Tsukuba are separated as 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 respectively. When a computer from one LAN attempts to communicate with a host on another LAN it will automatically do so through the VPN.

Virtual Hubs on the VPN Server

In the above network the layer 3 switch operates on the VPN Server in Tokyo. When creating this network the following three Virtual Hubs should be made on the Tokyo LAN VPN Server.

  • TOKYO: "TOKYO" will be the Virtual Hub that makes a local bridge connection to the network that the VPN Server is physically connected to. In this case, the Tokyo LAN. On a layer 3 level, this Virtual Hub is part of the 192.168.1.0/24 IP network.

  • OSAKA: "OSAKA" will be the Virtual Hub that handles the cascade connection from the VPN Bridge on the Osaka LAN. Therefore, this Virtual Hub is on the same layer 2 segment as the Osaka LAN. On a layer 3 level, this Virtual Hub is part of the 192.168.2.0/24 IP network.

  • TSUKUBA: "TSUKUBA" will be the Virtual Hub that handles the cascade connection from the VPN Bridge on the Tsukuba LAN. Therefore, this Virtual Hub is on the same layer 2 segment as the Tsukuba LAN. On a layer 3 level, this Virtual Hub is part of the 192.168.3.0/24 IP network.

Layer 3 Switches on the VPN Server

After the three Virtual Hubs above have been created on the VPN Server in Tokyo, you need to create a single Virtual Layer 3 Switch, referring to section 3.8 Virtual Layer 3 Switches. Once this is done, you have to define a virtual interface to each of the three Virtual Hubs.

The Virtual Layer 3 Switch will look like a single IP router to computers on the network. Therefore, you will need to assign to each virtual interface a single IP address that belongs to the private network of the Virtual Hub it connects to. The IP address must be one that is not already in use on any of the IP networks directly or indirectly connected to by each of the Virtual Hubs. For example, you could set up something like the table below.

In this example network the layer 3 switch will connect to each network on the VPN directly through the virtual interface. Therefore, there is no need to set up a routing table for the Virtual Layer 3 Switch.

Configuring the VPN Bridge on the Osaka and Tsukuba Networks

For the VPN Bridges installed on the Osaka and Tsukuba networks, first make a local bridge connection between all "BRIDGE" Virtual Hubs and each physical LAN.

Next, make a cascade connection from the VPN Bridge on the Osaka network to the "OSAKA" Virtual Hub on the Tokyo VPN Server. You must also make a cascade connection from the VPN Bridge on the Tsukuba network to the "TSUKUBA" Virtual Hub on the Tokyo VPN Server.

This will allow computers on different IP networks in three different locations to communicate with the other LANs connected to the VPN by routing through the Virtual Layer 3 Switch.

10.6.5 Installing VPN Server On the Main LAN

First, VPN Server will be installed on the main LAN in Tokyo.

The computer you install VPN Server on must make a local bridge connection to the company LAN in Tokyo. Therefore, it must be installed physically close enough to the LAN to connect to the layer 2 segment via a network cable.

Because the VPN Server must receive incoming VPN connections from the VPN Bridge(s) over the Internet, it must have a public IP address or be able to receive TCP/IP communication through NAT, a firewall, or a reverse proxy system. (See section 10.2 Common Concepts and Knowledge.) Please consult with your network administrator if you are unsure about any of these issues.

Once VPN Server is installed, create the three Virtual Hubs "TOKYO", "OSAKA", and "TSUKUBA" as described in section 10.6.4. Next, create a local bridge connection between the "TOKYO" Virtual Hub and the Tokyo LAN and configure the Virtual Layer 3 Switch.

10.6.6 Installing VPN Bridge on the Other LANs

Install one VPN Bridge at each of the Osaka and Tsukuba sub-LANs. After you have made local bridge connections to the LANs you want to connect, make cascade connections to the "OSAKA" and "TSUKUBA" Virtual Hubs on the VPN Server in Tokyo.

10.6.7 LAN-to-LAN VPN Connection

Unlike the layer 2 bridge connection configuration described in section 10.5 Build a LAN-to-LAN VPN (Using L2 Bridge), using IP routing to create a VPN connection between each LAN does not mean that the computers on each LAN will be able to automatically communicate with each other without any extra configuration.

For a network like the one in this example, you will need to set up a routing table for devices on each network so that the IP routing will properly communicate the data to the destination LAN via the Virtual Layer 3 Switch.

If you just think of the Virtual Layer 3 Switch or Virtual Hub as no different from a physical layer 3 switch, router, or switching hub then configuring such a routing table should be a breeze. One possible configuration for this example network is given below.

  • On the router used as the default gateway on the Tokyo LAN add two entries to the static routing table so that 192.168.2.0/24 (Osaka) bound packets and 192.168.3.0/24 (Tsukuba) bound packets use the gateway 192.168.1.254.

  • On the router used as the default gateway on the Osaka LAN add two entries to the static routing table so that 192.168.1.0/24 (Tokyo) bound packets and 192.168.3.0/24 (Tsukuba) bound packets use the gateway 192.168.2.254.

  • On the router used as the default gateway on the Tsukuba LAN add two entries to the static routing table so that 192.168.1.0/24 (Tokyo) bound packets and 192.168.2.0/24 (Osaka) bound packets use the gateway 192.168.3.254.

Let's look at an example of how things will work after the above configuration is performed. If a computer on the Osaka LAN (e.g. 192.168.2.3) tries to send a packet to a computer on the Tsukuba LAN (e.g. 192.168.3.5), the computer at 192.168.2.3 will send the packet to that network's default gateway, which will follow the routing table and forward the packet to 192.168.2.254 (the Virtual Layer 3 Switch's virtual interface operating on the VPN Server in Tokyo). The Virtual Layer 3 Switch will use the virtual interface at 192.168.3.254 and send the packet to the TSUKUBA Virtual Hub, where it will finally reach its destination, the computer on the Tsukuba LAN at 192.168.3.5. This is the process that occurs under a VPN connection that utilizes IP routing.

If for some reason you are unable to add entries to the default gateway router's static routing table you can also use the route command on each computer to add to the static routing table. However, you would have to modify the routing table for every computer that will communicate over the VPN which would be a lengthy and costly operation. Therefore, this method is not recommended.
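The addressing plan, the static routes listed above and the Osaka-to-Tsukuba walkthrough can be checked before anything is configured. The following Python sketch is an added example, not part of the SoftEther manual or software; the function names and the optional `used_hosts` inventory are assumptions made for illustration, and the code generalizes the three-site case to any number of sites.

```python
import ipaddress

# Addressing plan taken from sections 10.6.4 and 10.6.7 of the page.
SITES = {
    "TOKYO":   {"lan": "192.168.1.0/24", "l3_if": "192.168.1.254"},
    "OSAKA":   {"lan": "192.168.2.0/24", "l3_if": "192.168.2.254"},
    "TSUKUBA": {"lan": "192.168.3.0/24", "l3_if": "192.168.3.254"},
}


def validate_plan(sites, used_hosts=()):
    """Return a list of problems with the plan (an empty list means it is consistent).

    used_hosts is a hypothetical inventory of addresses already assigned on the LANs.
    """
    problems = []
    nets = {name: ipaddress.ip_network(s["lan"]) for name, s in sites.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} use overlapping IP networks")
    in_use = {ipaddress.ip_address(h) for h in used_hosts}
    for name, s in sites.items():
        ip, net = ipaddress.ip_address(s["l3_if"]), nets[name]
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is not a usable host address in {net}")
        if ip in in_use:
            problems.append(f"{name}: {ip} is already assigned to another device")
    return problems


def static_routes(sites):
    """Static routes each LAN's default-gateway router needs (section 10.6.7)."""
    return {
        name: [(other["lan"], s["l3_if"]) for o, other in sites.items() if o != name]
        for name, s in sites.items()
    }


def site_of(sites, ip):
    """Name of the site whose LAN contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, s in sites.items():
        if addr in ipaddress.ip_network(s["lan"]):
            return name
    return None


def trace(sites, src, dst):
    """Hops taken by a packet from src to dst, following the static routes."""
    src_site, dst_site = site_of(sites, src), site_of(sites, dst)
    if src_site is None or dst_site is None:
        raise ValueError("address is outside every LAN in the plan")
    if src_site == dst_site:
        return [src, dst]  # same layer 2 segment: never reaches the L3 switch
    # The LAN's default gateway looks up the destination in its static routes.
    next_hop = next(gw for net, gw in static_routes(sites)[src_site]
                    if ipaddress.ip_address(dst) in ipaddress.ip_network(net))
    # The Virtual Layer 3 Switch forwards out of the interface on the destination hub.
    return [src, f"{src_site} default gateway", next_hop,
            sites[dst_site]["l3_if"], dst]


if __name__ == "__main__":
    print(validate_plan(SITES) or "plan OK")
    for site, routes in static_routes(SITES).items():
        for net, gw in routes:
            print(f"{site}: route {net} via {gw}")
    print(" -> ".join(trace(SITES, "192.168.2.3", "192.168.3.5")))
```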

10.6.8 Supplementary Information

The Virtual Layer 3 Switch can also forward packets to networks beyond the IP networks of the Virtual Hubs that it is directly connected to through its virtual interfaces. Please refer to section 3.8 Virtual Layer 3 Switches for more information on this topic.
