This article explains how to set up a SoftEther VPN server on an AWS EC2 instance that resides in a public subnet of an AWS VPC, and how to set up a VPN client on Mac OS to connect to it. Once connected, the client can access the private instances located in the private subnets of the same VPC using their private IPs, as if they were on the same local network.
Why Use SoftEther VPN
SoftEther VPN is one of the most powerful and easiest-to-use VPN software packages. It’s free and open source, developed at the University of Tsukuba, Japan.
As an alternative to OpenVPN, SoftEther exceeds OpenVPN in various aspects:
- Supports more VPN protocols than just OpenVPN, e.g. L2TP/IPsec, L2TPv3/IPsec, EtherIP, etc.
- Newer and more actively developed. OpenVPN has been stalled for many years, with no improvements introduced in recent years, whereas SoftEther was released in 2013 and is under active development.
- SoftEther has built-in VPN clients on most of the commonly used OSes, while OpenVPN doesn’t.
- SoftEther is faster: >900Mbps throughput compared to <100Mbps for OpenVPN.
- Offers Dynamic DNS and NAT Traversal while OpenVPN doesn’t.
- Offers GUI Management while OpenVPN doesn’t.
- Offers a user management system while OpenVPN doesn’t.
Install SoftEther Server
SSH to your AWS EC2 instance and make sure the following software is installed and enabled:
- gcc software
- binutils software
- tar, gzip or other software for extracting package files
- chkconfig system utility
- cat, cp or other basic file operation utility
- EUC-JP, UTF-8 or other code page table for use in a Japanese language environment
- libc (glibc) library
- zlib library
- openssl library
- readline library
- ncurses library
- pthread library
If you’re using an AWS Linux AMI, you should have most of them already; the only thing you need to install is gcc.

    sudo yum install gcc -y

Now download the Linux distribution of SoftEther Server from the download link by selecting the right component and platform:
Copy the URL address, download it and extract it:

    wget -O softether-vpnserver.tar.gz http://www.softether-download.com/files/softether/v4.20-9608-rtm-2016.04.17-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz

If all the dependencies mentioned above are installed and enabled, you should now be able to make the project:

    cd vpnserver

You will be prompted with a set of questions. Choose ‘1’ (yes) all the way to the end and you will get the vpnserver executable when the make command completes successfully.

    ...

Now move the whole folder to the /usr/local/ directory:

    cd ..

Finally, perform a check using the vpncmd command line to see whether SoftEther VPN server can operate properly on your system:

    cd /usr/local/vpnserver

If you see everything passed successfully, your system is good and VPN server can safely be used.
Configure the OS
After installing it, we need to configure the OS environment so that SoftEther VPN server works properly. There are essentially 4 things that we need to do to get it working:
Enable IP forward

    sudo sysctl -w net.ipv4.ip_forward=1

Add a POSTROUTING rule to NAT table and make it persistent

    iptables -t nat -A POSTROUTING -s 192.168.7.1/24 -j SNAT --to-source 10.10.0.41

Note that the IP 192.168.7.1 is the VPN Server IP for its local bridge setup, which we will introduce later, and the IP 10.10.0.41 is the private IP of the VPN Server.
Start a DHCP Server with static routing configured

    sudo yum install dnsmasq -y

In the above setup, we created a DHCP server for the tap network interface “vpn”. The DHCP IP range is 192.168.7.10 to 192.168.7.100, the router is set to 192.168.7.1, and the static route sends all traffic via the router 192.168.7.1 to 10.10.0.0/16, which is the VPC CIDR in my case. The tap_vpn interface is going to be used by the SoftEther VPN server to set up the local bridge.
Disable Source/Destination Check for the instance
Go to your AWS console and disable the source/dest check for your VPN instance.
The reason why we set up the DHCP server is that we’re not going to use the SecureNAT option provided by SoftEther. We will use Local Bridge instead because it consumes less CPU and is faster, and Local Bridge requires a DHCP server to be up and running. The IP addresses mentioned above can be changed to reflect your actual settings; you don’t have to follow exactly the same setup.
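The DHCP setup described above, written out as an added example (it is not the author's original dnsmasq file): a POSIX shell script that prints a dnsmasq configuration from the addresses quoted in this section and refuses a pool or router address that falls outside the VPN subnet or inside the VPC range. The lease time is an assumption, and 192.168.7.0/24 is taken from the /24 in the SNAT rule.

```shell
#!/bin/sh
# Added example: the values below are the ones quoted in the article.
TAP_IF="tap_vpn"           # tap device used by the SoftEther local bridge
VPN_NET="192.168.7.0/24"   # VPN client subnet (source range of the SNAT rule)
VPN_ROUTER="192.168.7.1"   # address of tap_vpn, gateway for VPN clients
DHCP_START="192.168.7.10"
DHCP_END="192.168.7.100"
VPC_CIDR="10.10.0.0/16"    # network reachable through the VPN
LEASE="12h"                # assumption: the article gives no lease time

# Dotted quad -> integer. Functions use ( ) bodies so variables stay local.
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NET/LEN: succeeds when IP lies inside the network.
in_cidr() (
  ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); len=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
)

# Print the dnsmasq config, refusing addresses that would misroute traffic.
render_dnsmasq_conf() (
  for ip in "$VPN_ROUTER" "$DHCP_START" "$DHCP_END"; do
    in_cidr "$ip" "$VPN_NET" || { echo "$ip is outside $VPN_NET" >&2; exit 1; }
    if in_cidr "$ip" "$VPC_CIDR"; then
      echo "$ip overlaps the VPC range $VPC_CIDR" >&2; exit 1
    fi
  done
  cat <<EOF
# Answer DHCP on the VPN tap device only, not on the instance's VPC interface
interface=$TAP_IF
bind-interfaces
dhcp-range=$DHCP_START,$DHCP_END,$LEASE
# Option 3: default router offered to VPN clients
dhcp-option=3,$VPN_ROUTER
# Option 121 (classless static route): reach the VPC via the VPN router
dhcp-option=121,$VPC_CIDR,$VPN_ROUTER
EOF
)

render_dnsmasq_conf
```

Write the output into your dnsmasq configuration, check it with `dnsmasq --test`, and restart dnsmasq once tap_vpn exists, because `bind-interfaces` ties it to that device. Per RFC 3442, clients that honour option 121 ignore option 3, so those clients install only the VPC route and no default route through the VPN.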
Setup SoftEther Server
After installing and configuring the OS environment, we want the VPN server to run as a system daemon and to start whenever the system boots. To do this we create a startup script for it:

    sudo vi /etc/init.d/vpnserver

Please note that in the script, we configure the tap interface vpn whenever the vpnserver starts up. After this you should see that the vpnserver is up and running. It will also start automatically when the system restarts. You can verify this by restarting the system once.

    ps aux | grep vpnserver

Manage SoftEther Server
Up to this point, the VPN server is up and running, but it’s not configured and we don’t have any users. We use SoftEther VPN Server Manager to configure these.
Download the manager and install
Go to the download page and select the right component.
Connect to the VPN server as admin and setup password
After installing, open the SoftEther VPN Server Manager and create a new setting. Fill in the name, host name and port number (443), and leave the password empty (because it’s your first time connecting).
Once the connection is established, you will be prompted to set up a password:
After you set up the password you will be asked to configure the VPN server type. In our case here, we choose Remote Access VPN server:
Configure VPN server type
Now you will be prompted to name your Virtual Hub and the DDNS hostname, which you can just leave at their default values. The next page you will see is the IPsec/L2TP/EtherIP/L2TPv3 Settings; select Enable L2TP Server Function (L2TP over IPsec) and type in the IPsec Pre-Shared Key.
Configure the Local Bridge
On the main page, click on Local Bridge Settings to bring up the settings page, select our hub and choose Bridge with New Tap Device. In the device name field type in “vpn” (remember we just created this tap in the above steps). When you are done click Create Local Bridge and you will see the local bridge created.
Create a user
Now you’re all set to establish the VPN connection, click on the Manage Virtual Hub button and you will see the manage users option:
Add a user with password authentication (you can also add other types of authentication if needed), set the user’s password and click OK.
Configure the VPN Client On MacOS
Now we have the VPN server up and running, and we have configured it to accept connections from a VPN client. We also created a user that is allowed to connect to the VPN. The next step is to test the connection to the VPN using a VPN client.
Connect using L2TP/IPsec protocol
Mac has built-in support for IPsec/L2TP VPN, so we don’t need to install anything else; a few configuration steps are enough to get it to work.
- Open System Preferences -> Network -> +:
- Fill in the server address and your account name, then click on the authentication settings. You can select Show VPN status in the menu bar if you want to see the status bar.
- Fill in the password for the user and the pre-shared key for the IPsec:
You’re all set to connect to the VPN.
When the VPN is connected, ping your VPN server using its private IP and see whether it goes through. If it works, try to ping another private instance in the same VPC using its private IP. (Note: The VPN Server Security Group has to allow incoming ICMP from your IP, and the private instance has to allow ICMP from the VPN security group, in order for this to work.)

    ping -c 3 10.10.0.41

Connect using OpenVPN protocol
SoftEther VPN supports OpenVPN as well; we just need to enable it using the VPN Server Manager:
Tick Enable the OpenVPN Clone Server Function, set your desired port and click OK.
Mac doesn’t have native support for the OpenVPN protocol, but a free client called Tunnelblick is available here. Download and install the app and open it with a new configuration with the following content:

    dev tun

The route-nopull option is used to prevent the server from pushing “redirect-gateway def1” to the client, as it will lead to problems with DNS resolution. The route 10.10.0.0 255.255.0.0 option is used to route requests for 10.10.0.0/16 through the VPN. You can get the content of the certs and keys from the VPN Server Manager at:
Once you have opened the configuration with Tunnelblick, you can connect to the VPN.
Conclusion
In this article, I introduced how to set up a VPN server using SoftEther VPN Server software on an AWS EC2 instance to enable L2TP/IPsec VPN connections from a password-authenticated user to the private instances in an AWS VPC. The key challenge is setting up the DHCP server and static routing on the server to enable the Local Bridge mode for the SoftEther VPN Server and allow the VPN client to access private instances. Although I’m using Linux as the VPN server and Mac as the VPN client in this article, you can easily apply it to other combinations (Linux + Windows, Windows + Android for example) if you understand the idea behind the configurations. Because SoftEther VPN Server has a lot more features in terms of VPN protocols and authentication methods, you can refer to the detailed full documents on its official site at this link if you’re interested.