Installing and Configuring SoftEther Server on Ubuntu 22.04/20.04
Learn how to easily install and configure SoftEther Server on Ubuntu 22.04 or 20.04. Complete tutorial with security and optimization tips for VPS.


In this guide, we will show you how to install and configure SoftEther Server on Ubuntu 22.04/20.04 step by step. The tips will include security, firewall measures, and performance optimization for trading and gaming.

How do I set up a secure and fast SoftEther server on Ubuntu?

In this practical, step-by-step guide, you will learn how to install, configure, and secure SoftEther on Ubuntu 22.04 or 20.04. This article is for network administrators, DevOps engineers, site administrators, and technical users who need a stable VPN with support for OpenVPN, L2TP/IPsec, SSTP, and Layer 2/3 tunneling.

Prerequisites

Before you begin, make sure the following conditions are met:

  • Ubuntu 22.04 or 20.04 server with root access or a user with sudo
  • At least 1 GB RAM (2 GB+ is recommended for production environments)
  • Access to the required ports, or the ability to configure the firewall
  • Build tools (if building from source), or the official binary download

Part 1 — Installing SoftEther VPN (Compile from Source)

1. Update the system and install prerequisites

sudo apt update && sudo apt upgrade -y
sudo apt install -y build-essential gcc make git libreadline-dev libssl-dev libncurses-dev zlib1g-dev liblzma-dev

2. Clone the official repository and build

Clone and compile the official SoftEther repository; you will be asked to accept the terms when you run make.

git clone https://github.com/SoftEtherVPN/SoftEtherVPN_Stable.git
cd SoftEtherVPN_Stable
make

During make, enter option 1 to continue the build. After completion, the vpnserver binaries are built in the /etc/bin/bin folder.

3. Install in the standard path and set permissions

sudo mv vpnserver /usr/local/
cd /usr/local/vpnserver
sudo chmod 600 *
sudo chmod 700 vpnserver vpncmd

4. Create systemd service

Create the service file and enable the service:

sudo tee /etc/systemd/system/vpnserver.service > /dev/null <<'SERVICE'
[Unit]
Description=SoftEther VPN Server
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
Restart=on-abort

[Install]
WantedBy=multi-user.target
SERVICE

sudo systemctl daemon-reload
sudo systemctl enable --now vpnserver
sudo systemctl status vpnserver

Part 2 — Initial configuration with vpncmd

1. Set the server administrative password

To enter the management tool:

sudo /usr/local/vpnserver/vpncmd

In the first menu, select option 1 (Management of VPN Server or VPN Bridge), then run the following command to set the server password:

ServerPasswordSet

2. Create Virtual Hub and User

HubCreate MyHub
Hub MyHub
UserCreate user1 /GROUP:none /REALNAME:"Trader" /NOTE:"VPS for trading"
UserPasswordSet user1

The UserPasswordSet command sets the user password.

3. Enable SecureNAT

Hub MyHub
SecureNatEnable

SecureNAT is the fastest way to create an internal network with DHCP and NAT and does not require a Local Bridge; suitable for public VPS and simple uses.

4. Setting up Local Bridge

To connect the hub to a physical interface (e.g. eth0):

BridgeCreate MyHub /DEVICE:eth0

Note: Local Bridge requires root permissions and may not work on some VMs with hypervisor network settings.

Part 3 — Enabling Protocols: OpenVPN, L2TP/IPsec, SSTP

1. OpenVPN (export .ovpn file)

OpenVpnEnable yes /PORTS:1194 /HUB:MyHub

After activation, you can export the .ovpn file and give it to the OpenVPN client.

2. L2TP/IPsec

IPsecEnable /L2TP:yes /L2TPRAW:yes /ETHERIP:yes /PSK:YourSharedSecret /DEFAULTHUB:MyHub

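Choose a strong PSK (pre-shared key). L2TP suits mobile devices and the VPN clients built into operating systems. Note that /L2TPRAW:yes also accepts raw L2TP without IPsec encryption; set it to no unless a client requires it.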

3. SSTP

SstpEnable yes /PORTS:443

SSTP uses TCP/443 and is useful for bypassing strict firewalls.

Part 4 — Firewall and NAT (iptables/ufw)

Enable IP Forwarding

sudo sysctl -w net.ipv4.ip_forward=1
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

Sample iptables rules for SecureNAT (internal network 10.10.10.0/24)

sudo iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 10.10.10.0/24 -j ACCEPT

sudo iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Sample rules with ufw

sudo ufw allow 443/tcp
sudo ufw allow 992/tcp
sudo ufw allow 1194/tcp
sudo ufw allow 1701/udp
sudo ufw allow 500/udp
sudo ufw allow 4500/udp

If needed, open port 5555 for internal management only; opening it to the Internet is not recommended.

Save iptables rules

sudo apt install -y iptables-persistent
sudo netfilter-persistent save

Part 5 — Security and Best Practices

  • Choose strong passwords for the server, hubs, and users; use long and complex passphrases.
  • Do not open the management port (5555) to the internet. Use an internal VPN or SSH tunnel for management.
  • Use fail2ban to protect against brute-force attacks.
  • Use a valid certificate (Let's Encrypt) for TLS: import the fullchain.pem and privatekey.pem files, or use stunnel/HAProxy for TLS termination.
  • Use key/certificate authentication for sensitive users and connect to RADIUS/LDAP if needed.
  • Take regular backups of the configuration file and store it in a secure location (S3/cloud).
  • Send and review logs to a central system (ELK/Graylog) to identify abnormal behavior faster.
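
The rule about port 5555, stated with the ufw rules earlier and again in the list above, can be checked mechanically. The following is an added example, not part of the original guide: audit_ufw is a hypothetical helper, the planned port list is copied from the guide's ufw rules, and the `ufw status` samples and the 203.0.113.0/24 admin network are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. audit_ufw is a hypothetical helper.
PUBLIC_PORTS="443/tcp 992/tcp 1194/tcp 1701/udp 500/udp 4500/udp"  # ports the guide opens
MGMT_PORT="5555"                                                    # management port

# Reads `ufw status` text on stdin, prints one finding per line.
# Returns 0 when clean, 1 when something was flagged.
audit_ufw() {
  awk -v public="$PUBLIC_PORTS" -v mgmt="$MGMT_PORT" '
    BEGIN { n = split(public, p, " "); for (i = 1; i <= n; i++) planned[p[i]] = 1 }
    {
      sub(/ \(v6\)/, "")             # drop the v6 tag after the port column
      if ($2 != "ALLOW") next        # skip headers, blanks, DENY and LIMIT rows
      src = ($3 == "IN") ? $4 : $3   # "ufw status verbose" prints ALLOW IN
      if (src != "Anywhere") next    # source-restricted rules pass
      split($1, a, "/")
      if (a[1] == mgmt)          { print "MGMT_EXPOSED " $1; bad = 1 }
      else if (!($1 in planned)) { print "UNPLANNED " $1; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: 5555 and a stray 8080 are open to any source.
sample_exposed() {
  cat <<'EOF'
To                         Action      From
--                         ------      ----
443/tcp                    ALLOW       Anywhere
1194/tcp                   ALLOW       Anywhere
5555/tcp                   ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
443/tcp (v6)               ALLOW       Anywhere (v6)
EOF
}

# Constructed sample: 5555 limited to a placeholder admin network, as left by
#   sudo ufw allow from 203.0.113.0/24 to any port 5555 proto tcp
sample_restricted() {
  cat <<'EOF'
To                         Action      From
--                         ------      ----
443/tcp                    ALLOW       Anywhere
5555/tcp                   ALLOW       203.0.113.0/24
EOF
}

sample_exposed | audit_ufw || echo "review the findings above"
```

On a live server, pipe the real output in with `sudo ufw status | audit_ufw` and act on a non-zero exit status.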

Part 6 — Performance Optimization (for Trading/Gaming/AI)

Key tips for reducing ping and increasing stability:

  • Choose a location: Place the VPN server in the closest location to the destination service. For trading, a server close to the exchanges; for gaming, close to the game data center.
  • Hardware: For heavy cryptographic loads, use servers with AES-NI support.
  • Network: High bandwidth plans, BGP, and the use of a CDN can reduce latency. Use anti-DDoS servers if needed.
  • MTU and MSS: Setting these is essential on routes with long tunnels or multiple bridges to prevent fragmentation.
  • Protocol selection: For the fastest speeds, use OpenVPN UDP or SoftEther native on a UDP/SSL port; if your firewall is restrictive, SSTP (TCP/443) is more suitable.

Part 7 — Application Scenarios and Examples

Example 1 — VPS for trading

  • Location: Close to the broker or exchange server (e.g. New York, London, Tokyo).
  • Configuration: Simple SecureNAT or Local Bridge, QoS and Anti-DDoS.
  • Recommendation: Short keepalives, ping monitoring, and choosing a CPU with low latency.

Example 2 — Gaming VPS

  • Location: Close to the game server or using multi-region.
  • Configuration: Local Bridge to support LAN, reducing encryption overhead if needed.
  • Recommendation: 10Gbps network and direct port to reduce ping and jitter.

Example 3 — Remote Access and DevOps

  • Enable OpenVPN and L2TP for mobile, key management for developers, and RADIUS connectivity for unified authentication.

Part 8 — Monitoring, Backup, and Maintenance

Simple instructions for daily maintenance:

sudo mkdir -p /root/backup
sudo tar -czf /root/backup/vpnserver-$(date +%F).tar.gz -C /usr/local vpnserver
sudo systemctl status vpnserver
sudo journalctl -u vpnserver -f

SoftEther logs are located under /usr/local/vpnserver/; use rsyslog or Filebeat to send them to a central log server.
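
The backup step above, extended into a repeatable job (an added example, not part of the original guide): the archive is readable by its owner only, a SHA-256 checksum is stored beside it, old archives are pruned, and an archive can be verified before a restore. The function names and the retention count are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. backup_vpnserver and verify_backup
# are hypothetical helper names; the paths are arguments.

# backup_vpnserver SRC_DIR DEST_DIR [KEEP]
# Writes DEST_DIR/vpnserver-YYYY-MM-DD.tar.gz (owner-only), a .sha256 file beside
# it, keeps the newest KEEP archives (default 7) and prints the archive path.
backup_vpnserver() {
  src=$1; dest=$2; keep=${3:-7}
  [ -d "$src" ] || { echo "missing source: $src" >&2; return 1; }
  (
    umask 077    # the configuration holds credentials: no group/other access
    mkdir -p "$dest" || exit 1
    name="vpnserver-$(date +%F).tar.gz"
    tar -czf "$dest/$name" -C "$(dirname "$src")" "$(basename "$src")" || exit 1
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || exit 1
    # Names are date-stamped, so a reverse name sort is newest first.
    ls -1 "$dest"/vpnserver-*.tar.gz | sort -r | tail -n +"$((keep + 1))" |
      while read -r old; do rm -f "$old" "$old.sha256"; done
    echo "$dest/$name"
  )
}

# verify_backup ARCHIVE: true only if the checksum matches and tar can list it.
verify_backup() {
  ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 ) &&
    tar -tzf "$1" >/dev/null 2>&1
}

# Run as: sudo bash backup.sh /usr/local/vpnserver /root/backup 14
if [ "$#" -ge 2 ]; then backup_vpnserver "$@"; fi
```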

Conclusion

Setting up SoftEther on Ubuntu 22.04/20.04 is simple but requires some networking and security considerations. By using SecureNAT or Local Bridge, enabling OpenVPN/L2TP/SSTP, and applying firewall and NAT rules, you can create a secure and fast VPN for trading, gaming, and remote access applications. For heavy crypto loads, choosing a server with AES-NI support and the right location is very important.

