FreeBSD: Setup SoftEther and configure Offshore 100% Logless VPN server (Windows 10 as clients)


Bonum Diem.

I’m going to install SoftEther VPN Server on FreeBSD 12.2 today from FreeBSD packages, dig into it, and configure it as a completely offshore, 100% logless server.

SoftEther is an alternative, fast VPN server created by people at the University of Tsukuba, Japan. It tunnels over SSL-VPN (HTTPS), and because that runs on TCP port 443, blocking SoftEther at a firewall is much harder than blocking most other VPN server software.

SoftEther supports nearly all desktop platforms, including Windows, macOS, Linux, FreeBSD and OpenBSD (it doesn’t seem to perform well under OpenBSD, but there we always have our nice buddy WireGuard), as well as mobile platforms including Android, iOS and Maemo. It provides strong encryption, fast speeds and high reliability even on high-latency links and across great distances.

The client software also supports a large number of operating systems, interestingly all the way from Windows 98 (never tried it anyway) up to the Windows Server line.

(Supported Windows platforms: Windows 98 / 98 SE / ME / NT 4.0 SP6a / 2000 SP4 / XP SP2, SP3 / Vista SP1, SP2 / 7 SP1 / 8 / 8.1 / 10 / Server 2003/2008/2012/2016/2019)

SoftEther’s Advantages:

-Supporting all popular VPN protocols in a single VPN server:
SSL-VPN (HTTPS), OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3, EtherIP
-Easy to establish both remote-access and site-to-site VPN.
-SSL-VPN tunneling over HTTPS to pass through NATs and firewalls.
-Revolutionary VPN over ICMP and VPN over DNS features.
-Resistance to highly restricted firewalls.
-Ethernet bridging (L2) and IP routing (L3) over VPN.
-Embedded dynamic DNS and NAT traversal, so no static or fixed IP address is required.
-AES 256-bit and RSA 4096-bit encryption.
-Sufficient security features such as logging and a firewall inside the VPN tunnel.
-User authentication with RADIUS and NT domain controllers.
-User authentication with X.509 client certificates.
-Packet logging.
-1Gbps-class high-speed throughput with low memory and CPU usage.
-Windows, Linux, Mac, Android, iPhone, iPad and Windows Phone are supported.
-The OpenVPN clone function supports legacy OpenVPN clients.
-IPv4 / IPv6 dual-stack.
-The VPN server runs on Windows, Linux, FreeBSD, Solaris and Mac OS X.
-Configure all settings in a GUI. (I do it completely within the terminal, being a terminal-lover guy.)
-No memory leaks (they claim?). High-quality stable code, intended for long-term runs.

Let’s start.

First of all, it is best practice to ensure your out-of-date packages are updated, and package repository catalogues are up to date before doing any package installation.

Invoking “pkg upgrade” will cause repository catalogues to be updated automatically, so no need to issue “pkg update”. So let’s “pkg upgrade” our system;

root@freebsdbox:~ # pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.

And install SoftEther from Packages:

root@freebsdbox:~ # pkg install softether5

Then, to configure SoftEther VPN Server startup on boot:

root@freebsdbox:~ # sysrc softether_server_enable=yes
softether_server_enable:  -> yes

That command actually adds the line softether_server_enable="yes" to the /etc/rc.conf file. Finally, let’s start the VPN server and begin configuring it;

root@freebsdbox:~ # vpnserver start
The SoftEther VPN Server service has been started.

Then we ‘check‘ the system by running ‘check‘ inside ‘vpncmd‘ (after selecting ‘3’, VPN Tools). This verifies that the kernel, memory, string, file, thread and network facilities SoftEther depends on behave as expected on this box, so that the VPN Server will work properly.

root@freebsdbox:~ # vpncmd

1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)

Select 1, 2 or 3: 3

VPN Tools>check
Check command - Check whether SoftEther VPN Operation is Possible
---------------------------------------------------
Checking 'Kernel System'...
              Pass
Checking 'Memory Operation System'...
              Pass
Checking 'ANSI / Unicode string processing system'...
              Pass
Checking 'File system'...
              Pass
Checking 'Thread processing system'...
              Pass
Checking 'Network system'...
              Pass

All checks passed. It is most likely that SoftEther VPN Server / Bridge can operate normally on this system. The command completed successfully.

After getting “All checks passed” we type ‘exit’ and then continue configuring our server, with vpncmd again, choosing ‘1’ this time:

root@freebsdbox:~ # vpncmd

1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
Select 1, 2 or 3: 1

Hostname of IP Address of Destination: -press enter-
Specify Virtual Hub Name: -press enter-

Connection has been established with VPN Server "localhost" (port 443). You have administrator privileges for the entire VPN Server.
VPN Server> _

Before anything else, each time we want to configure the server we select the Virtual Hub to manage. A fresh server ships with a single hub named DEFAULT (hub names are case-insensitive, as the output below shows), so that is the one we select;

VPN Server> hub default
Hub command - Select Virtual Hub to Manage
The Virtual Hub "DEFAULT" has been selected.
The command completed successfully.
VPN Server/DEFAULT> _

Then, create a VPN user, e.g. called ‘vpntest’ for the VPN client on Windows:

VPN Server/DEFAULT>UserCreate
UserCreate command - Create User
User Name: vpntest
Assigned Group Name:
User Full Name:
User Description:
The command completed successfully.
VPN Server/DEFAULT> _

And we set a password for our VPN user:

VPN Server/DEFAULT>UserPasswordSet vpntest
UserPasswordSet command - Set Password Authentication for User Auth Type and Set Password. Please enter the password. To cancel press the Ctrl+D key.

Password: ****
Confirm input: ****

The command completed successfully.

Later, with the command ‘UserList’, you can get a list of all VPN users on the hub together with their traffic statistics:

VPN Server/DEFAULT>UserList
UserList command - Get List of Users
Item            |Value
----------------+-------------------------
User Name       |vpntest
Full Name       |
Group Name      |-
Description     |
Auth Method     |Password Authentication
Num Logins      |7
Last Login      |2021-01-10 (Sun) 19:08:24
Expiration Date |No Expiration
Transfer Bytes  |199,930,740
Transfer Packets|457,317
The command completed successfully.

We’ll need to enable SecureNAT, SoftEther’s user-space virtual NAT plus DHCP server. It hands each client an address and routes its traffic out through the server’s own IP stack, so clients reach the Internet without a local bridge to a physical interface and without any IP forwarding or NAT configuration on FreeBSD itself. (It is slower than a local bridge, which is fine for a small remote-access server like this one.)

VPN Server/DEFAULT>SecureNATEnable
SecureNatEnable command - Enable the Virtual NAT and DHCP Server Function (SecureNat Function)
The command completed successfully.

Let’s see the virtual MAC Address, IP Block/Subnet Mask of our SoftEther’s SecureNAT/DHCP Server:

VPN Server/DEFAULT>SecureNatHostGet
Get Network Interface Setting of Virtual Host of SecureNAT Function
Item       |Value
-----------+-----------------
MAC Address|5E-A2-15-FE-61-FF
IP Address |192.168.30.1
Subnet Mask|255.255.255.0
The command completed successfully.

As the output shows, our VPN clients will get addresses in 192.168.30.0/24 (DHCP range 192.168.30.2-192.168.30.254). With the command SecureNatHostSet you can change these values (including the MAC address), exempli gratia;

VPN Server/DEFAULT>SecureNatHostSet
Change Network Interface Setting of Virtual Host of SecureNAT Function

MAC Address: DE-AD-BE-EF-BA-BE
IP Address: 10.10.10.1
Subnet Mask: 255.255.255.0
The command completed successfully.

For security reasons, we set the Server Administrator password. On a fresh install it is blank, and the management interface answers on the same listeners as the VPN itself, so anyone who can reach TCP 443 could administer the server until this is done. Do it before you expose the box:

VPN Server/DEFAULT>ServerPasswordSet
ServerPasswordSet command - Set VPN Server Administrator Password
Please enter the password. To cancel press the Ctrl+D key.

Password: *****************
Confirm input: *****************

The command completed successfully.

Loglessness!

We’d like to have an absolutely Log-Less VPN Server, and go with 100% zero-log. With the following steps, we disable logging: to save disk space, RAM and CPU (Oh, and some privacy):

VPN Server/DEFAULT>LogDisable security
LogDisable command - Disable Security Log or Packet Log
The command completed successfully.
VPN Server/DEFAULT>LogDisable packet
LogDisable command - Disable Security Log or Packet Log
The command completed successfully.

And now quit from the management console and continue reading:

VPN Server/DEFAULT>exit

The SoftEther documentation tells how to disable the ‘Security‘ and ‘Packet‘ logs, which we have done above. But what about the Server Log? There’s no option to disable that one.

Under FreeBSD 12.2, SoftEther’s server log is saved in the /var/log/softether/server/ directory. The entire VPN Server operating log is written there as log files.

It stores detailed operating records: events on launch and termination of the VPN Server, and when and what kind of connections were (and are being) received, and so on.

Worse, a copy of each Virtual Hub’s security log is also written into the server log, so even if a Virtual Hub administrator turns the security log off (as we did above), the same entries are still recorded automatically in the server log.

Likewise, even when a Virtual Hub administrator does not keep the hub logs or deletes them, their contents remain available in the VPN Server’s server log.

But how to prevent that?

We begin by truncating any existing log files. (Note that root’s default shell on FreeBSD, csh, does not treat ‘**’ as a recursive glob; it behaves like a single ‘*’. These patterns work only because the hub logs live exactly one directory below packet/ and security/, and csh will complain “No match” if no log file exists yet.)

root@freebsdbox: # truncate -s 0 /var/log/softether/packet/**/*.log
root@freebsdbox: # truncate -s 0 /var/log/softether/security/**/*.log
root@freebsdbox: # truncate -s 0 /var/log/softether/server/*.log

And lastly, removing the files completely (find recurses, so this also catches anything the globs above missed). If vpnserver is still running at this point it keeps writing to the unlinked files until it is restarted, which we do further down:

root@freebsdbox: # find /var/log/softether -name '*.log' -delete

For the server log folder, /var/log/softether/server/, my solution is to use FreeBSD’s file flags:
we set the ‘system immutable’ flag (schg) on the “server” folder. While that flag is set, no user, service or daemon, root included, can create, delete or rename entries in that folder. (The same flag is occasionally useful to protect important system files such as /etc/master.passwd.) Only root can set or clear schg, so you must be root to do either. One caveat: if kern.securelevel is raised to 1 or higher, schg cannot be cleared at all, not even by root, until the system is rebooted into single-user mode.

root@freebsdbox: # chflags schg /var/log/softether/server/

Check if the folder’s immutable bit is on or off:

root@freebsdbox: # ls -lo /var/log/softether/
drwx------  2 root  wheel  schg,uarch 2 Jan 11 20:25 server

The folder ‘server’ now has the ‘schg’ flag set. Nothing can be created, removed or renamed inside it (an existing file inside could still be written to unless it carried the flag itself, but the folder is empty now).

root@freebsdbox: # rm -rf /var/log/softether/server/
rm: server/: Operation not permitted

Testing:

root@freebsdbox: # echo spongebob > /var/log/softether/server/squarepants.log
/var/log/softether/server/squarepants.log: Operation not permitted.

Done. Our ‘server’ log folder will stay empty for as long as the flag is set.

To clear or remove immutable bit protection if you want to save logs again, use the command: chflags noschg /var/log/softether/server/
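The log wipe and the schg lock above, collected into one re-runnable script with a check at the end. This is an added example, not code from the original post or from the SoftEther project; it assumes the softether5 package layout used in this post (/var/log/softether with packet/, security/ and server/ below it), and the LOGROOT variable and the function names are this example’s own. It uses find instead of the ‘**’ globs so it catches log files at any depth, warns when kern.securelevel would make the flag permanent, and lists log files a running vpnserver still holds open after the unlink.

```shell
#!/bin/sh
# Added example (not part of the original post): wipe SoftEther's logs and
# lock the server log directory with the schg flag, then verify.
# Assumes the softether5 package layout: $LOGROOT/{packet,security,server}.
set -eu

LOGROOT=${LOGROOT:-/var/log/softether}

# Truncate, then unlink, every *.log below $1 at any depth. find is used
# instead of a '**' glob because root's csh (and /bin/sh) do not expand '**'
# recursively; the globs in the post only work because the hub logs happen to
# sit exactly one directory down.
wipe_logs() {
    find "$1" -type f -name '*.log' -exec truncate -s 0 {} + 2>/dev/null || true
    find "$1" -type f -name '*.log' -delete
}

# Number of *.log files left below $1 (0 means wiped).
count_logs() {
    find "$1" -type f -name '*.log' | wc -l | tr -d ' '
}

# Make directory $1 system-immutable. Only root can set schg, and if
# kern.securelevel is 1 or higher the flag cannot be cleared again without a
# reboot to single-user mode, so warn before setting it.
lock_dir() {
    if ! command -v chflags >/dev/null 2>&1; then
        echo "chflags not available here; skipping immutable flag" >&2
        return 0
    fi
    lvl=$(sysctl -n kern.securelevel 2>/dev/null || echo -1)
    if [ "$lvl" -ge 1 ]; then
        echo "warning: kern.securelevel=$lvl, schg will be permanent until reboot" >&2
    fi
    chflags schg "$1"
    ls -ldo "$1"          # the flags column should now show 'schg'
}

# Unlinked-but-open files keep receiving writes until the process closes
# them, so show what a running vpnserver still has open under $LOGROOT
# (FreeBSD procstat; prints nothing elsewhere or when vpnserver is stopped).
open_logs() {
    pid=$(pgrep -x vpnserver 2>/dev/null || true)
    if [ -n "$pid" ] && command -v procstat >/dev/null 2>&1; then
        procstat -f "$pid" | grep "$LOGROOT" || true
    fi
}

# Run only when invoked under this file name; sourcing just defines functions.
if [ "${0##*/}" = logless.sh ]; then
    wipe_logs "$LOGROOT"
    lock_dir "$LOGROOT/server"
    echo "remaining log files: $(count_logs "$LOGROOT")"
    echo "still open by vpnserver (restart it if anything is listed):"
    open_logs
fi
```

Save it as logless.sh and run it as root after vpncmd’s LogDisable steps; if open_logs lists anything, a vpnserver stop/start (which the next section does anyway) closes those descriptors and the data is gone for good.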

A few things remain: we’ll disable the Web interface / JSON-RPC API for security and stability reasons (it’s not nicely implemented yet, anyway), and NAT traversal. NAT-T only helps when the server itself sits behind NAT; ours has a public address, so switching it off avoids the outbound UDP traffic it otherwise generates. Both settings live in the config file, and vpnserver rewrites that file when it shuts down, so we must stop it before editing or our changes would be overwritten:

root@freebsdbox:~ # vpnserver stop
Stopping the SoftEther VPN Server service ...
SoftEther VPN Server service has been stopped.

Then, edit SoftEther’s config file:

root@freebsdbox:~ # nano /var/db/softether/vpn_server.config

Search for the two keys below (they were lines 84 and 85 in this install, but the line numbers vary between versions) and replace “false” with “true”:
bool DisableJsonRpcWebApi true
bool DisableNatTraversal true

Save it and exit from nano. Start vpnserver:

root@freebsdbox:~ # vpnserver start
The SoftEther VPN Server service has been started.
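The whole server-side configuration, the interactive vpncmd session (hub selection, user, password, SecureNAT, admin password, LogDisable) and the config-file edit, as one non-interactive script. This is an added example and not code from the original post or from the SoftEther project. It assumes the softether5 package from this post (vpncmd and vpnserver in PATH, the config at /var/db/softether/vpn_server.config) and a first run while the administrator password is still blank; the placeholder passwords, the file name harden-softether.sh and the function names are this example’s own. It goes one step beyond the post by deleting SoftEther’s default extra listeners (992, 1194 and 5555) so that only TCP 443 stays open.

```shell
#!/bin/sh
# Added example (not from the original post): the vpncmd session and the
# vpn_server.config edit as one non-interactive script. Assumes the softether5
# package layout from the post and a first run with a blank admin password.
set -eu

HUB=DEFAULT
VPN_USER=vpntest
VPN_USER_PASS='change-me-user'     # placeholder, not a real credential
ADMIN_PASS='change-me-admin'       # placeholder, not a real credential
CONFIG=/var/db/softether/vpn_server.config

# Batch for 'vpncmd /SERVER /IN:file'. Order matters: the administrator
# password goes first so the server is never left reachable with a blank one;
# SoftEther's default extra listeners (992, 1194, 5555) are removed so only
# TCP 443 remains (this goes beyond the post); then hub, SecureNAT, user, logs.
write_batch() {
    cat <<EOF
ServerPasswordSet $ADMIN_PASS
ListenerDelete 992
ListenerDelete 1194
ListenerDelete 5555
Hub $HUB
SecureNatHostSet /MAC:DE-AD-BE-EF-BA-BE /IP:10.10.10.1 /MASK:255.255.255.0
SecureNatEnable
UserCreate $VPN_USER /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet $VPN_USER /PASSWORD:$VPN_USER_PASS
LogDisable security
LogDisable packet
ListenerList
UserList
EOF
}

# Feed the batch to the running server. The file holds secrets, so it is
# mode 600 and removed right afterwards. Later runs, once the admin password
# is set, also need /PASSWORD:... (or vpncmd's interactive prompt).
apply_batch() {
    batch=$(mktemp "${TMPDIR:-/tmp}/softether.XXXXXX")
    chmod 600 "$batch"
    write_batch > "$batch"
    vpncmd localhost:443 /SERVER /IN:"$batch"
    rm -f "$batch"
}

# Print the value of 'bool KEY value' from a vpn_server.config.
get_config_bool() {   # get_config_bool FILE KEY
    awk -v k="$2" '$1 == "bool" && $2 == k { print $3; exit }' "$1"
}

# Flip 'bool KEY true|false' in place, keeping the file's tab indentation,
# permissions and inode (portable sed: no GNU-only syntax). vpnserver rewrites
# the config when it stops, so the caller must stop it first, as the post does.
set_config_bool() {   # set_config_bool FILE KEY true|false
    tmp="$1.tmp.$$"
    sed 's/^\([[:space:]]*bool '"$2"' \)[a-z]*$/\1'"$3"'/' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

harden() {
    apply_batch
    vpnserver stop
    set_config_bool "$CONFIG" DisableJsonRpcWebApi true
    set_config_bool "$CONFIG" DisableNatTraversal true
    vpnserver start
}

# Run only when invoked under this name on a box that has vpncmd; sourcing
# the file just defines the functions.
if [ "${0##*/}" = harden-softether.sh ] && command -v vpncmd >/dev/null 2>&1; then
    harden
fi
```

Run it once as root right after `vpnserver start` on a fresh install; ListenerList and UserList at the end of the batch print the resulting state so you can confirm only port 443 is listening and the user exists before opening the firewall.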

===========================================

Windows 10 Client Setup:

Download and setup SoftEther Client for Windows, from here.
(Select Component: SoftEther VPN Client)

After the installation is completed, we’ll need to create a new Virtual Network Adapter, open SoftEther and follow the menu:

Virtual Adapter – > New Virtual Adapter, give it a name (‘VPN’ by default) and press OK. You’ll see a “loading bar” telling;

Creating a new Virtual Network Adapter for Windows..
This process can take several seconds or over a minute.
Please wait… Please do not perform other operations,
while the Virtual Network Adapter is being installed.

Then double click the “Add VPN Connection” icon and fill in the values:
Host Name: IP address of your VPN server
Port Number: 443
Tick the “Disable NAT-T” checkbox (this appends ‘/tcp‘ to the Host Name value, forcing a direct TCP connection).
Virtual Hub Name: default

On the right side, under ‘User Authentication Setting‘;

Auth Type: Standard Password Authentication
Username: vpntest
Password: YourUserPass

Finally click “OK”, and back in the SoftEther VPN Client Manager double click the newly created “New VPN Connection” icon to route all your Internet traffic through your fresh SoftEther VPN Server.

And as always, try to see if your DNS/VPN leaks; https://dnsleaktest.com

Best,
Özgür Kazanççı.
Twitter: @ozgurkazancci

