Quick Summary

SoftEther VPN is a highly powerful, open-source, multi-protocol VPN software developed by the University of Tsukuba. The SoftEther VPN Server has the defining feature of simultaneously supporting multiple encryption protocols (L2TP/IPsec, OpenVPN, SSTP, and its proprietary SoftEther protocol) on a single connection port, combined with advanced NAT Traversal and traffic obfuscation (VPN over HTTPS/ICMP).

Installing a SoftEther VPN Server on a Linux VPS provides administrators with a flexible networking platform. It allows the creation of Virtual Hubs (virtual switches) and SecureNAT (virtual routers) to securely connect remote devices into a unified internal network, all while offering an intuitive GUI management tool on Windows platforms.

While solutions like WireGuard focus on minimalist speed, SoftEther VPN aims for absolute versatility and compatibility. It is likened to a "Swiss Army knife" in the virtual private network world, allowing older devices using IPsec or OpenVPN to connect to the same network system alongside modern SoftEther clients. Especially in heavily censored network environments that apply Deep Packet Inspection (DPI), SoftEther is one of the few protocols capable of disguising packets to maintain continuous connectivity.

1. What is SoftEther VPN?

SoftEther (short for "Software Ethernet") is cross-platform, open-source VPN software. Differentiating itself from most modern VPNs that support only a single protocol, SoftEther acts as a comprehensive hub capable of emulating and accepting connections from clients using OpenVPN, L2TP/IPsec, MS-SSTP, EtherIP, and its proprietary SoftEther (HTTPS) protocol.

By camouflaging VPN traffic as standard HTTP/HTTPS packets (SSL/TLS), SoftEther can effectively penetrate corporate firewalls and proxies that actively block VPN connections, making it an invaluable tool for multinational enterprises.

2. How SoftEther Works

The core strength of SoftEther lies in its ability to virtualize all physical network components:

  • Virtual Hub: Functions exactly like a physical network switch (Layer 2). It maintains an internal MAC address table and forwards packets between virtually connected devices. A single server can run multiple independent Virtual Hubs for different departments.
  • Virtual Network Adapter: Installed on the end-user's computer (Client). It communicates with the Virtual Hub over the Internet to transmit and receive data.
  • SecureNAT: A breakthrough feature of SoftEther, integrating Virtual DHCP and a Virtual NAT router. It allows the VPS to assign local IPs and route internet traffic for Clients without requiring the administrator to configure complex iptables or IP Forwarding rules on Linux.

3. System Architecture

The following diagram illustrates how SoftEther accepts diverse protocol streams and processes them through the SecureNAT feature on a Linux server:

[Client Devices]
(Windows, macOS, iOS, Android, Linux)
       │
       │  (Multi-Protocol: SoftEther, L2TP/IPsec, OpenVPN, SSTP)
       ▼
[Encrypted VPN Tunnel]
(Bypassing Deep Packet Inspection via HTTPS 443)
       │
       ▼
[VPS Linux (SoftEther VPN Server)]
 ├─ [Virtual Hub] (Manages Users & MAC Tables)
 └─ [SecureNAT] (Integrated Virtual DHCP & Virtual Router)
       │
       │  (Software-based NAT & Routing)
       ▼
[Public Internet] / [Private Cloud LAN]

  • Client Devices: End-user endpoints. Users can utilize the SoftEther App or native OS VPN protocols (L2TP/IPsec) on their smartphones.
  • Encrypted VPN Tunnel: The data encryption channel. The proprietary SoftEther protocol can aggregate multiple TCP connections to boost throughput.
  • VPS Linux (Virtual Hub): The central server acting as an authenticator and virtual switch.
  • SecureNAT: A software module that removes the need for iptables NAT and IP forwarding rules, routing packets from the Virtual Hub out to the physical network interface (eth0) for Internet access.

Comparing Multi-Protocol Architecture with Other VPNs

  • SoftEther VPN: An "All-in-One" platform where a single server runs multiple protocols simultaneously, emulates Layer 2 Ethernet, and features built-in DHCP/NAT.
  • WireGuard / Tailscale / ZeroTier: Next-generation VPN protocols focusing on pure performance or automated mesh networking (at Layer 2 or Layer 3), but lacking support for legacy devices.
  • OpenVPN: Operates independently with complex certificate configurations, generally slower speeds, and lacks a built-in dynamic DHCP function as flexible as SecureNAT.

4. VPN Deployment Models

The Virtual Hub architecture enables SoftEther to simulate any physical network topology:

  • Remote Access VPN (PC-to-LAN): Employees utilize the VPN Client software to remotely connect to the Virtual Hub on the VPS for secure browsing or accessing enterprise data systems.
  • LAN-to-LAN Bridge (Layer 2): Bridging the physical LANs of two distinct offices via a "Cascade Connection" between 2 Virtual Hubs. Both offices share a common IP range and broadcast domain.
  • Ad-Hoc VPN: Directly connecting multiple computers across various locations into a single virtual network range for online meetings or peer-to-peer file sharing.

5. Key Advantages & Real-World Use Cases

SoftEther is often considered a lifesaver in complex network environments:

  • Outstanding Firewall Penetration: The SoftEther VPN protocol disguises data as standard HTTP/HTTPS (Port 443), successfully bypassing stringent NAT systems and Deep Packet Inspection (DPI).
  • Intuitive GUI Administration: Although installed on a headless Linux VPS, administrators can use the "SoftEther VPN Server Manager" on a Windows PC to remotely manage the VPS via a graphical user interface.
  • Maximum Compatibility: iPhone and Android smartphones do not require third-party apps; users can utilize the OS's native L2TP/IPsec or IKEv2 configurations to connect to the SoftEther Server.

6. Real-World Architecture Deployment

The power of SoftEther is most apparent in traditional enterprise environments:

  • Legacy System Management: An enterprise possesses numerous older devices (network printers, legacy OS servers) that only support L2TP/IPsec. The admin deploys SoftEther on a VPS to support both new devices (using the SoftEther Client) and old devices (L2TP) communicating within the same Virtual Hub.
  • Bypassing Corporate Network Censorship: Office employees face firewalls blocking traditional VPN ports (like UDP 1194 for OpenVPN, UDP 51820 for WireGuard). They configure SoftEther to run over TCP Port 443 (HTTPS standard) to penetrate the corporate firewall and access external client networks.

7. SoftEther vs. Traditional VPNs

SoftEther's comprehensiveness makes comparing it to single protocols somewhat asymmetrical, but we can contrast the core values:

| Feature | Standalone OpenVPN / IPsec | SoftEther VPN |
|---|---|---|
| Protocol Support | Runs only its native protocol. | Runs concurrently: SoftEther, L2TP, OpenVPN, SSTP. |
| Firewall Bypassing (DPI) | Easily detected and blocked (DPI). | Excellent (VPN over HTTPS, TCP obfuscation). |
| NAT/DHCP Integration | Requires external iptables and DHCP configuration. | Built-in SecureNAT (Enabled with 1 click). |
| Management Interface | Primarily Command Line (CLI). | Features a highly professional Server Manager GUI app. |

8. Performance & Security Benchmark

The expansion of the Mesh VPN ecosystem has significantly altered performance optimization landscapes. Below is a comprehensive comparison of today's most popular protocols:

| VPN Protocol | Throughput Speed | CPU Consumption | Firewall Evasion (Bypass) |
|---|---|---|---|
| WireGuard | Highest | Very Low | Poor (Easily blocked UDP) |
| Tailscale | Very High | Very Low | Excellent (Via DERP Relay) |
| ZeroTier | High | Low | Very Good (UDP Hole Punching) |
| SoftEther VPN | Very High | Medium-High (Due to Virtual Hub) | Perfect (HTTPS 443 Obfuscation) |
| IPsec (IKEv2) | High | Medium | Poor |
| OpenVPN | Moderate | High | Moderate |

9. When to Use SoftEther?

SoftEther's flexible architecture makes it suitable for specific network challenges:

| Practical Scenario | Recommendation |
|---|---|
| Enterprise networks requiring connection support from multiple operating systems and legacy devices. | Highly Recommended |
| Bypassing national firewalls or hotel networks that block standard UDP VPN Ports. | Highly Recommended |
| Administrators who need to configure a Linux Server but are only comfortable with Windows GUIs. | Highly Recommended |
| Deploying a fully automated peer-to-peer Mesh network for Microservices architectures. | Not Recommended. Use Tailscale or ZeroTier instead. |

10. System Requirements & Supported Platforms

SoftEther VPN runs on a wide range of platforms:

  • VPN Server: Linux (Ubuntu, Debian, CentOS), Windows Server, FreeBSD, Solaris. Requires an environment with compilation tools (GCC) to build the source code.
  • Client Devices: SoftEther VPN Client (Windows/Linux/Mac), or utilizing the built-in VPN tools on iOS/Android (via L2TP/IPsec, OpenVPN Connect).

11. How to Install SoftEther VPN on a Linux VPS

Below are the steps to download and compile the SoftEther source code directly on an Ubuntu/Debian server:

Install SoftEther Server
# 1. Update the system and install compilation build tools
apt update -y && apt upgrade -y
apt install build-essential gcc make wget tar -y

# 2. Download the SoftEther VPN Server source code (Direct binary link)
wget https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.38-9760-rtm/softether-vpnserver-v4.38-9760-rtm-2021.08.17-linux-x64-64bit.tar.gz

# 3. Extract and move into the installation directory
tar -xvzf softether-vpnserver-*.tar.gz
cd vpnserver

# 4. Compile the source code (Type "1" to accept the License terms when prompted)
make

# 5. Move the directory and grant system permissions
cd ..
mv vpnserver /usr/local/
cd /usr/local/vpnserver/
chmod 600 *
chmod 700 vpnserver vpncmd

# 6. Start the VPN Server for the first time
./vpnserver start

12. Configuration Examples (via vpncmd)

Unlike VPNs configured with text files, SoftEther utilizes an interactive command-line tool called vpncmd. The first crucial step is setting the administrator password and enabling SecureNAT.

Admin & SecureNAT Setup
# Access the CLI management tool
/usr/local/vpnserver/vpncmd

# The system asks what you want to connect to. Select "1" (Management of VPN Server or VPN Bridge)
# When prompted for Hostname, press "Enter" to connect to localhost.
# When prompted for Virtual Hub, press "Enter".

# 1. Set the Server administrator password (Crucial)
ServerPasswordSet

# 2. Access the default Hub (DEFAULT)
Hub DEFAULT

# 3. Enable the SecureNAT feature (Includes Virtual DHCP and Virtual Router)
# This grants Clients IPs and Internet access immediately without iptables config.
SecureNatEnable

# 4. Enable IPsec/L2TP support for Mobile devices (iOS/Android)
IPsecEnable
# Enable L2TP over IPsec (Type "yes")
# Enable for Hub: DEFAULT
# Set the IPsec Pre-Shared Key (e.g., mysecretkey)

# 5. Create a User for connection
UserCreate john /GROUP:none /REALNAME:none /NOTE:none
# Set the password for the User
UserPasswordSet john

# Exit vpncmd
exit

13. VPN Client Setup

Thanks to its multi-protocol nature, users have multiple choices for connectivity:

  • Using SoftEther Client (Windows): Download the SoftEther VPN Client software. Create a "New VPN Connection Setting", input the VPS IP, select the Virtual Hub (DEFAULT), enter the created User/Password, and click Connect. This protocol supports robust firewall bypassing.
  • Using L2TP/IPsec (iOS/Android/Mac): No software installation is required. Navigate to the OS VPN Settings, add an L2TP connection. Enter the VPS IP, Account/Password, and the "Secret" (Pre-shared key) is the string you created during the IPsecEnable step.
  • Managing the VPS via GUI (For Admins): You can install the SoftEther VPN Server Manager for Windows on your personal PC. Enter the VPS IP and Server Password to graphically configure new Users or export OpenVPN profiles as if operating local software.

14. Connection Monitoring

Utilize vpncmd to check the operational status of the system directly on the Linux server:

Monitoring Connections
# Access the tool (Press 1 -> Enter -> Enter)
/usr/local/vpnserver/vpncmd

# Check overall Server status (Uptime, Version)
ServerInfoGet

# Enter the DEFAULT Hub and list connected Users
Hub DEFAULT
SessionList

# Check the status of the SecureNAT feature
SecureNatStatusGet

15. Performance Tuning & Troubleshooting

Because SoftEther virtualizes so much of the network stack, administrators need to tune it deliberately to avoid wasting server resources:

  • High CPU Usage Issues: The SecureNAT feature is extremely convenient (running in User-space) but consumes significant CPU on low-spec VPS servers handling heavy traffic. If you have Linux experience, disable SecureNAT and establish a Local Bridge connecting the Virtual Hub directly to the eth0 network interface, combined with manual DNS/DHCP (dnsmasq) and iptables configurations, to reclaim full performance.
  • Opening Firewall Ports: Ensure your VPS has opened UDP Ports 500 and 4500 for protocols like L2TP/IPsec to function. For standard SoftEther VPN connections, open TCP Port 443 or 5555.

16. Common Configuration Errors

A system with numerous options often comes with the risk of misconfigurations:

  • L2TP Client hangs at "Connecting...": Over 90% of these errors are due to IPSec/L2TP being blocked by the VPS Firewall. Double-check your ufw allow 500,4500/udp commands.
  • DHCP Conflict Error: If you utilize a Local Bridge (connecting the Hub to the physical network card), you MUST NOT enable SecureNAT. SecureNAT will spin up a virtual DHCP server that instantly conflicts with the Data Center's DHCP server, completely crashing your network connection.
  • Forgetting to Set the Administrator Password: If you skip the ServerPasswordSet command during initial setup, anyone scanning your IP can use the GUI tool to connect to your VPS and seize administrative control of the VPN.
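
The firewall check from sections 15 and 16, as an added example that is not part of the original article: a function that reads `ufw status` output and lists which of the ports named above have no IPv4 ALLOW rule. The `REQUIRED` list, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list the ports this page names that ufw does not allow.
# REQUIRED is an assumption; trim it to the listeners you actually use.
REQUIRED="500/udp 4500/udp 443/tcp 5555/tcp"

# Constructed sample of `ufw status` output (not from a real host):
# 4500/udp has no rule and 5555/tcp is explicitly denied.
sample_ufw_status() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
500/udp                    ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
5555/tcp                   DENY        Anywhere
EOF
}

# Reads `ufw status` text on stdin and prints, on one line, every
# required port/proto that no IPv4 ALLOW rule covers.
missing_ports() {
  awk -v required="$REQUIRED" '
    $2 != "ALLOW" { next }   # headers, DENY/LIMIT rules and "(v6)" rows
    {
      n = split($1, part, "/")
      proto = (n == 2) ? part[2] : "any"      # "443" alone covers tcp and udp
      m = split(part[1], item, ",")           # "500,4500/udp" is a comma list
      for (i = 1; i <= m; i++) {
        lo = hi = item[i]
        if (split(item[i], r, ":") == 2) { lo = r[1]; hi = r[2] }  # "a:b" range
        if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/) continue         # app names
        cnt++; LO[cnt] = lo + 0; HI[cnt] = hi + 0; PR[cnt] = proto
      }
    }
    END {
      k = split(required, req, " "); out = ""
      for (j = 1; j <= k; j++) {
        split(req[j], q, "/"); ok = 0
        for (i = 1; i <= cnt; i++)
          if (q[1] + 0 >= LO[i] && q[1] + 0 <= HI[i] && (PR[i] == "any" || PR[i] == q[2])) ok = 1
        if (!ok) out = out (out == "" ? "" : " ") req[j]
      }
      print out
    }'
}

# On a real host: ufw status | missing_ports
echo "not allowed: $(sample_ufw_status | missing_ports)"
```

An empty result means every listed port is allowed by ufw; it does not show whether the provider's own network firewall also passes the traffic.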

17. Self-hosted vs. Public VPN Services

Deploying SoftEther on a VPS grants enterprise-level control, starkly contrasting market VPN services:

| Comparison Criteria | Self-host SoftEther (Installed on VPS) | Commercial Public VPN |
|---|---|---|
| Device Protocol Support | Supports Native IPsec/L2TP/SSTP. No extra Mobile App required. | Usually mandates users download proprietary apps. |
| Network Customization (Virtual Hub) | Allows creating multiple Virtual Hubs, isolating LANs between groups. | Non-existent. Strictly acts as an internet router. |
| Public IP Ownership | You own an exclusive Clean IP. Immune to Netflix blocks or Captchas. | Uses a Shared IP with thousands, risking Blacklist status. |

18. Choosing a Reliable VPS for VPN at VietHosting

Building a multi-protocol platform featuring deep virtualization modules like SoftEther (SecureNAT) demands a server capable of enduring continuous CPU processing and robust transmission lines. At VietHosting, we provide VPS solutions based on dedicated infrastructure with transparent resource commitments:

  • Enterprise Hardware: 100% Dell servers, Intel Xeon Platinum CPUs, and high-performance SSD RAID-10. This ensures high encryption processing performance even when the SecureNAT feature consumes User-space resources.
  • True KVM Virtualization: Guaranteed 100% real resources with zero overselling. The Promiscuous Mode feature is fully compatible, allowing the deployment of advanced Local Bridge (Ethernet Bridging) systems.
  • High-Speed Network Connectivity: Domestic connectivity up to 1Gbps, high-speed and stable international bandwidth (32Mbps shared, guaranteed minimum 10Mbps) with Unmetered Data Transfer.
  • Large Clean IPv4 Pool: Flexible allocation of clean IPv4 ranges, supporting up to 64 IP addresses per VPS (up to /26 subnet). This is ideal for establishing firewall-bypassing VPN systems without being blacklisted by organizations that run Deep Packet Inspection (DPI).