Install SoftEther VPN
on Debian / Ubuntu
A complete walkthrough for installing SoftEther VPN Server on Debian or Ubuntu, configuring a virtual hub, setting up user accounts, enabling L2TP/IPsec, and connecting from a client device.
What is SoftEther VPN?
SoftEther VPN is a powerful, free, open-source multi-protocol VPN server developed as part of a research project at the University of Tsukuba, Japan. It supports SSL-VPN, L2TP/IPsec, OpenVPN, Microsoft SSTP, L2TPv3 and EtherIP — all from a single server instance.
| Protocol | Port | Use case |
|---|---|---|
| SoftEther SSL-VPN | 443/TCP | Bypasses restrictive firewalls |
| L2TP/IPsec | 500, 4500/UDP · 1701/UDP | Native on iOS, Android, Windows |
| OpenVPN | 1194/UDP or 443/TCP | Cross-platform compatibility |
| SSTP | 443/TCP | Windows built-in VPN |
| Admin GUI | 5555/TCP | Remote management |
SoftEther is available for Linux, Windows, and macOS. This tutorial focuses on the Linux server installation. A separate graphical VPN Server Manager (Windows/macOS) can optionally be used to manage the server remotely.
Prerequisites
Before you begin, make sure you have:
- A server running Debian 11/12 or Ubuntu 22.04/24.04 (64-bit recommended)
- Root or sudo access on the server
- A public IP address (or a domain pointing to it) for client connections
- Basic familiarity with the Linux command line
- Ports
443,992,1194,5555open in your firewall / cloud security group
If running on AWS, GCP, Azure, or similar — remember to also open the required ports in the cloud security group / firewall rules, in addition to the OS-level firewall.
Install Dependencies
Update your package index and install the required libraries:
sudo apt update && sudo apt upgrade -y
sudo apt install -y \
build-essential \
libreadline-dev \
libssl-dev \
zlib1g-dev \
wget \
curl
These packages provide the build tools and SSL libraries required to compile and run SoftEther VPN.
Download SoftEther VPN
Download the latest SoftEther VPN Server for Linux from the official website. Always grab the latest stable build from softether-download.com.
# Navigate to your home or opt directory
cd /usr/local/src
# Download the latest VPN Server build (x86_64 Linux)
# Replace the URL below with the latest version from the download page
wget https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.43-9799-beta/softether-vpnserver-v4.43-9799-beta-2023.08.31-linux-x64-64bit.tar.gz
Visit the GitHub releases page
to find the most recent stable build URL and replace the wget URL above
accordingly.
Extract the archive:
tar -xvzf softether-vpnserver-*.tar.gz
cd vpnserver
Build & Install
SoftEther uses a make-based build process that prompts you to accept the license
agreement
during compilation.
# Compile — you will be prompted to read and accept the license
make
# Move to a permanent location
sudo mv /usr/local/src/vpnserver /usr/local/vpnserver
# Set correct permissions
sudo chmod 600 /usr/local/vpnserver/*
sudo chmod 700 /usr/local/vpnserver/vpnserver
sudo chmod 700 /usr/local/vpnserver/vpncmd
During make, you will see a license prompt. Type 1 to read the
agreement,
then 1 again to accept it. The build will only proceed after acceptance.
Create a Systemd Service
Create a systemd unit file so SoftEther starts automatically on boot and can be managed
with standard systemctl commands.
sudo nano /etc/systemd/system/vpnserver.service
Paste the following unit file content:
[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
[Service]
Type=forking
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure
[Install]
WantedBy=multi-user.target
Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable vpnserver
sudo systemctl start vpnserver
sudo systemctl status vpnserver
You should see active (running) in the status output. SoftEther VPN Server is
now running
and will start automatically on reboot.
Initial Configuration via vpncmd
SoftEther is configured through vpncmd — a command-line management tool. Launch it
on the server itself:
sudo /usr/local/vpnserver/vpncmd
At the menu, follow these prompts:
- Type
1to select VPN Server or VPN Bridge - Press Enter to connect to
localhost(default) - Press Enter to skip the Virtual Hub name (connects as administrator)
- Type
ServerPasswordSetand press Enter to set the admin password - Enter and confirm your new admin password
- Type
HubCreate VPNto create a virtual hub named VPN - When prompted, set a hub password (or leave blank for no hub password)
- Type
Hub VPNto switch into the new hub
Create a user account
# Create a user (replace "alice" with your desired username)
UserCreate alice /GROUP:none /REALNAME:"Alice" /NOTE:"VPN user"
# Set a password for the user
UserPasswordSet alice
Enable L2TP/IPsec
# Enable L2TP/IPsec with a Pre-Shared Key (replace "mypresharedkey")
IPsecEnable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:mypresharedkey /DEFAULTHUB:VPN
Enable SecureNAT (virtual NAT + DHCP)
SecureNatEnable
SecureNAT provides a built-in DHCP server and NAT for connected clients. It works without kernel-level TAP/TUN bridging, making it ideal for VPS environments where TAP devices may be restricted. For high-throughput setups, consider using kernel-level bridging instead.
Type exit to leave vpncmd.
Configure the Firewall
Open the required ports with ufw (or your preferred firewall):
# SoftEther SSL-VPN / SSTP
sudo ufw allow 443/tcp
# SoftEther alternate SSL port
sudo ufw allow 992/tcp
# OpenVPN
sudo ufw allow 1194/udp
# L2TP/IPsec
sudo ufw allow 500/udp
sudo ufw allow 4500/udp
sudo ufw allow 1701/udp
# Admin GUI port (optional — restrict to your IP in production)
sudo ufw allow 5555/tcp
sudo ufw reload
In a production environment, restrict port 5555 to your admin IP only:
sudo ufw allow from YOUR.ADMIN.IP to any port 5555
Enable IP Forwarding
For clients to route internet traffic through the VPN, the server needs IP forwarding enabled:
# Enable IPv4 forwarding
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
# Apply immediately (no reboot required)
sudo sysctl -p
Verify the setting took effect:
cat /proc/sys/net/ipv4/ip_forward
# Expected output: 1
Connect a Client
SoftEther supports multiple connection methods. Use whichever protocol is natively available on your client device.
L2TP/IPsec (iOS, Android, Windows, macOS)
| Field | Value |
|---|---|
| Server address | Your server's public IP or domain |
| VPN type | L2TP/IPsec with pre-shared key |
| Pre-shared key | The PSK you set in IPsecEnable |
| Username | The user you created (e.g. alice) |
| Password | The password set with UserPasswordSet |
SoftEther VPN Client (Windows)
- Download and install the SoftEther VPN Client
- Create a new VPN connection
- Enter your server's IP / hostname and port
443 - Select the VPN hub
- Log in with your username and password
Once connected, visit ifconfig.me from your client. If it shows your VPN server's IP address, all traffic is routing correctly through the VPN.
Troubleshooting
Check the service log
sudo journalctl -u vpnserver -f
Check SoftEther's own log files
ls /usr/local/vpnserver/server_log/
tail -f /usr/local/vpnserver/server_log/vpn_YYYYMMDD.log
Common issues
| Symptom | Likely cause | Fix |
|---|---|---|
| Service fails to start | Port 443 already in use | Run ss -tlnp | grep 443 to find the conflicting process |
| Client can't connect | Firewall blocking ports | Double-check ufw status and cloud security groups |
| No internet through VPN | IP forwarding disabled | Run sysctl net.ipv4.ip_forward — should return 1 |
| L2TP auth fails | Wrong PSK or username | Re-check the PSK in IPsecEnable and the hub username |
Credits & Project Info
SoftEther VPN is a free, open-source project with a rich academic and community history. Here is a full overview of the people and organisations behind it.
Founder & Core Developer
| Name | Role | GitHub |
|---|---|---|
| Daiyuu Nobori | Founder & lead developer — maintains both the stable and developer edition repositories | @dnobori |
Notable Contributors
| Name | GitHub | Since |
|---|---|---|
| Moataz Elmasry | @moatazelmasry2 | Nov 2017 |
| Zulyandri Zardi | @zulzardi | Nov 2017 |
| Alex Maslakov | @GildedHonour | Nov 2017 |
| Davide Beatrici | @davidebeatrici | Jul 2018 |
| Ilya Shipitsin | @chipitsine | Jul 2018 |
| Koichiro Iwao | @metalefty | FreeBSD ports maintainer |
Academic Origin
SoftEther VPN was originally developed as a research project at the University of Tsukuba, Japan, under the supervision of the SoftEther Project lab. The name SoftEther stands for Software Ethernet — reflecting the project's goal of implementing full Ethernet-level networking entirely in software.
Government & Institutional Support
The development of SoftEther VPN was supported by the MITOH Project — a research and development programme by the Japanese Government, subsidised by METI (Ministry of Economy, Trade and Industry of Japan) and administered by IPA (Information Promotion Agency, Japan). ipa.go.jp
License
SoftEther VPN is released under the Apache License 2.0, effective from January 21, 2019 (switched from GPLv2). This means you are free to use, modify, and distribute the software, including for commercial purposes, as long as you comply with the license terms.
Copyright (c) all contributors on SoftEther VPN project in GitHub.
Copyright (c) Daiyuu Nobori, SoftEther Project at University of Tsukuba,
and SoftEther Corporation. All Rights Reserved.
Official Links
| Resource | URL |
|---|---|
| Official website | softether.org |
| Downloads | softether-download.com |
| GitHub — Stable edition | SoftEtherVPN/SoftEtherVPN_Stable |
| GitHub — Developer edition | SoftEtherVPN/SoftEtherVPN |
| Security reports | [email protected] |
| Patch acceptance policy | softether.org/5-download/src/9.patch |
| Apache License 2.0 | apache.org/licenses/LICENSE-2.0 |
SoftEther VPN welcomes contributions. If you find a bug or want to improve the project, send pull requests to the developer edition repository on GitHub. The project is community-driven and actively maintained.