SoftEther VPN Port from FreeBSD 10.3 Release 3 Repository



  • This is a how-to for installing the SoftEther VPN Server on your pfSense 2.3 machine running FreeBSD 10.3 RELEASE 3

    PLEASE FOLLOW THESE INSTRUCTIONS AT YOUR OWN RISK
    The pfSense wiki urges against manually installing FreeBSD ports from mirrors other than the native pfSense repositories.

    PLEASE CONSIDER YOURSELF WARNED
    I would definitely back up your entire config file via the Diagnostics -> Backup & Restore page, at the very least, before following these instructions.

    PLEASE FOLLOW THESE INSTRUCTIONS AT YOUR OWN RISK

    Here are some reasons why I prefer SoftEther over OpenVPN:

    While SoftEther does provide some new features like packet obfuscation, I do find it faster on my i7 than the OpenVPN package.
    I would be curious to see other people's performance as we start to test, and if the results are good, we can convert this package into the native pfSense 2.3 library.

    Let's get started!!!

    Here are the requirements for the SoftEther VPN Package as listed on the FreeBSD 10.3 Release 3 Ports mirror:
    http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/

    Please run the following commands via the shell to ensure all of the following packages are included. I recommend running each command one at a time to monitor any issues.

    pkg install vim-lite
    pkg install help2man
    pkg install gettext-runtime
    pkg install gmake
    pkg install indexinfo
    pkg install libiconv
    pkg install pfSense-pkg-Shellcmd
    pkg add http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/softether-4.18.9570_1.txz
    rehash
    

    We now need to create a rc.d file so that the pfSense rc.d system picks up the pkg:

    echo '#!/bin/sh' > /usr/local/etc/rc.d/vpnserver.sh
    echo '# This file was automatically generated' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '# by the pfSense service handler.' >> /usr/local/etc/rc.d/vpnserver.sh
    echo ' ' >> /usr/local/etc/rc.d/vpnserver.sh
    echo 'rc_start() {' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        /usr/local/etc/rc.d/softether_server onestart &' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '}' >> /usr/local/etc/rc.d/vpnserver.sh
    echo ' ' >> /usr/local/etc/rc.d/vpnserver.sh
    echo 'rc_stop() {' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        /usr/local/etc/rc.d/softether_server onestop &' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        sleep 2' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        /usr/bin/killall vpnserver' >> /usr/local/etc/rc.d/vpnserver.sh
    echo ' ' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '}' >> /usr/local/etc/rc.d/vpnserver.sh
    echo ' ' >> /usr/local/etc/rc.d/vpnserver.sh
    echo 'case $1 in' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '       start)' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '                rc_start' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '               ;;' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        stop)' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '                rc_stop' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '               ;;' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        restart)' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '                rc_stop' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '                rc_start' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '                ;;' >> /usr/local/etc/rc.d/vpnserver.sh
    echo 'esac' >> /usr/local/etc/rc.d/vpnserver.sh
    
    chmod +x /usr/local/etc/rc.d/vpnserver.sh
    

    This is no longer required when using the above rc.d file (starting using onestart versus start)
    We will then need to create an rc.conf.local file so that pfSense picks up the server rc.d file:

    echo "#softether_server" >> /etc/rc.conf.local
    echo 'softether_server_enable="YES"' >> /etc/rc.conf.local

    Then run service softether_server rcvar to confirm that the rc.conf.local file changes were recognized.

    Lastly, you will need to configure the server using the SoftEther VPN Server Manager for Windows:  http://www.softether-download.com/en.aspx?product=softether

    Feel free to post additional how-tos below to enhance this thread for various VPN configurations. Please be aware you will definitely need to set up some firewall rules and possibly some outbound NAT rules.

    There are many posts on Google explaining how to set up a SoftEther server.

    On a separate note, does anyone know how to properly get this to show up in the Services -> Service Watchdog -> Add screen? Thanks!

    ------ UPDATE ------

    Please see this post below for instructions on how to get this to show up in the Service Watchdog list: https://forum.pfsense.org/index.php?topic=117626.msg653035#msg653035



  • Thank you for this topic;

    I am really interested to migrate from OVPN set-up but looking for documentation I found this note:
    not promising for setup site to site on pfsense at this moment:

    7.5 Install on Other Unix Systems

    SoftEther VPN Server also supports FreeBSD, Solaris, and Mac OS X.

    You can install SoftEther VPN Server to these operating systems, but there are several limitations. The following limitations, in particular, are important.

    The local bridge function cannot be used on Unix systems other than Linux and Solaris.
    The performance of SoftEther VPN Server on these operating systems is inferior to that on Windows and Linux operating systems.

    Because of these limitations, we do not recommend installing SoftEther VPN Server to systems other than Windows or Linux. Using SoftEther VPN Server on these operating systems requires a very detailed understanding of the operating system, SoftEther VPN Server, and network operations, so caution must be exercised.

    This manual does not describe how to install SoftEther VPN Server to FreeBSD, Solaris, or Mac OS X. However, many of the operations are similar to the procedure for installing SoftEther VPN Server to Linux described in 7.3 Install on Linux and Initial Configurations, so you can use this as a reference.

    https://www.softether.org/4-docs/1-manual/7._Installing_SoftEther_VPN_Server/7.5_Install_on_Other_Unix_Systems



  • @n3by:

    Thank you for this topic;

    I am really interested to migrate from OVPN set-up but looking for documentation I found this note:
    not promising for setup site to site on pfsense at this moment:

    7.5 Install on Other Unix Systems

    SoftEther VPN Server also supports FreeBSD, Solaris, and Mac OS X.

    You can install SoftEther VPN Server to these operating systems, but there are several limitations. The following limitations, in particular, are important.

    The local bridge function cannot be used on Unix systems other than Linux and Solaris.
    The performance of SoftEther VPN Server on these operating systems is inferior to that on Windows and Linux operating systems.

    Because of these limitations, we do not recommend installing SoftEther VPN Server to systems other than Windows or Linux. Using SoftEther VPN Server on these operating systems requires a very detailed understanding of the operating system, SoftEther VPN Server, and network operations, so caution must be exercised.

    This manual does not describe how to install SoftEther VPN Server to FreeBSD, Solaris, or Mac OS X. However, many of the operations are similar to the procedure for installing SoftEther VPN Server to Linux described in 7.3 Install on Linux and Initial Configurations, so you can use this as a reference.

    https://www.softether.org/4-docs/1-manual/7._Installing_SoftEther_VPN_Server/7.5_Install_on_Other_Unix_Systems

    I believe that commentary is out of date. The FreeBSD port starts and configures with a bridge to my LAN for a remote VPN setup. Currently the only two problems I am facing are getting UDP Acceleration to work and connecting via WAN (I have the port forwards set up - I believe it is an outbound NAT problem).



  • How did you configure it?
    To bind to the WAN IP or to localhost? (I suggest using localhost (127.0.0.1) and then NAT/redirect traffic from WAN on that port/protocol to localhost.)

    5.3.8 Coexistence of VPN Bridge and VPN Server

    SoftEther VPN beginning users often make the mistake of installing both VPN Server and VPN Bridge on the same computer, which creates conflicting operations. Just as the descriptions of VPN Server and VPN Bridge are separate in this manual, there is no reason to install both VPN Server and VPN Bridge on the same computer.

    Because VPN Server has a function for creating a local bridge between a Virtual Hub and a physical network, the Virtual Hub of VPN Server can be connected to a physical network adapter using Layer 2 on VPN Server alone. To make this type of connection, you do not need to use VPN Bridge.

    Do not install VPN Server and VPN Bridge on the same computer.

    https://www.softether.org/4-docs/1-manual/5._SoftEther_VPN_Bridge_Manual/5.3_Differences_between_VPN_Server_and_VPN_Bridge



  • @n3by:

    How did you configure it?
    To bind to the WAN IP or to localhost? (I suggest using localhost (127.0.0.1) and then NAT/redirect traffic from WAN on that port/protocol to localhost.)

    5.3.8 Coexistence of VPN Bridge and VPN Server

    SoftEther VPN beginning users often make the mistake of installing both VPN Server and VPN Bridge on the same computer, which creates conflicting operations. Just as the descriptions of VPN Server and VPN Bridge are separate in this manual, there is no reason to install both VPN Server and VPN Bridge on the same computer.

    Because VPN Server has a function for creating a local bridge between a Virtual Hub and a physical network, the Virtual Hub of VPN Server can be connected to a physical network adapter using Layer 2 on VPN Server alone. To make this type of connection, you do not need to use VPN Bridge.

    Do not install VPN Server and VPN Bridge on the same computer.

    https://www.softether.org/4-docs/1-manual/5._SoftEther_VPN_Bridge_Manual/5.3_Differences_between_VPN_Server_and_VPN_Bridge

    I created a bridge from the virtual hub in softether to my LAN pfsense interface

    ------ UPDATE ------

    there is no need to create a bridge on the softether interface



  • @Paint:

    This is a how-to for installing the SoftEther VPN Server on your pfSense 2.3 machine running FreeBSD 10.3 RELEASE 3

    PLEASE FOLLOW THESE INSTRUCTIONS AT YOUR OWN RISK
    The pfSense wiki urges against manually installing FreeBSD ports from mirrors other than the native pfSense repositories.

    PLEASE CONSIDER YOURSELF WARNED
    I would definitely back up your entire config file via the Diagnostics -> Backup & Restore page, at the very least, before following these instructions.

    PLEASE FOLLOW THESE INSTRUCTIONS AT YOUR OWN RISK

    Here are some reasons why I prefer SoftEther over OpenVPN:

    While SoftEther does provide some new features like packet obfuscation, I do find it faster on my i7 than the OpenVPN package.
    I would be curious to see other people's performance as we start to test, and if the results are good, we can convert this package into the native pfSense 2.3 library.

    Let's get started!!!

    Here are the requirements for the SoftEther VPN Package as listed on the FreeBSD 10.3 Release 3 Ports mirror:
    http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/

    gettext-runtime-0.19.8.1, gmake-4.2.1_1, indexinfo-0.2.4, libiconv-1.14_9, openssl-1.0.2_15,1
    

    Please run the following commands via the shell to ensure all of the following packages are included. I recommend running each command one at a time to monitor any issues.

    pkg install vim
    pkg install help2man
    pkg install gettext-runtime
    pkg install gmake
    pkg install indexinfo
    pkg install libiconv
    pkg install pfSense-pkg-Shellcmd
    pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/openssl-1.0.2_11.txz
    pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/softether-4.18.9570_1.txz
    rehash
    

    We now need to create a rc.d file so that the pfSense rc.d system picks up the pkg:

    echo '#!/bin/sh' > /usr/local/etc/rc.d/vpnserver.sh
    echo '# This file was automatically generated' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '# by the pfSense service handler.' >> /usr/local/etc/rc.d/vpnserver.sh
    echo ' ' >> /usr/local/etc/rc.d/vpnserver.sh
    echo 'rc_start() {' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        /usr/local/etc/rc.d/softether_server onestart &' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '}' >> /usr/local/etc/rc.d/vpnserver.sh
    echo ' ' >> /usr/local/etc/rc.d/vpnserver.sh
    echo 'rc_stop() {' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        /usr/local/etc/rc.d/softether_server onestop &' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        sleep 2' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        /usr/bin/killall vpnserver' >> /usr/local/etc/rc.d/vpnserver.sh
    echo ' ' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '}' >> /usr/local/etc/rc.d/vpnserver.sh
    echo ' ' >> /usr/local/etc/rc.d/vpnserver.sh
    echo 'case $1 in' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '       start)' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '                rc_start' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '               ;;' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        stop)' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '                rc_stop' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '               ;;' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '        restart)' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '                rc_stop' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '                rc_start' >> /usr/local/etc/rc.d/vpnserver.sh
    echo '                ;;' >> /usr/local/etc/rc.d/vpnserver.sh
    echo 'esac' >> /usr/local/etc/rc.d/vpnserver.sh
    
    chmod +x /usr/local/etc/rc.d/vpnserver.sh
    

    This is no longer required when using the above rc.d file (starting using onestart versus start)
    We will then need to create an rc.conf.local file so that pfSense picks up the server rc.d file:

    echo "#softether_server" >> /etc/rc.conf.local
    echo 'softether_server_enable="YES"' >> /etc/rc.conf.local

    Then run service softether_server rcvar to confirm that the rc.conf.local file changes were recognized.

    Lastly, you will need to configure the server using the SoftEther VPN Server Manager for Windows:  http://www.softether-download.com/en.aspx?product=softether

    Feel free to post additional how-tos below to enhance this thread for various VPN configurations. Please be aware you will definitely need to set up some firewall rules and possibly some outbound NAT rules.

    There are many posts on Google explaining how to set up a SoftEther server.

    On a separate note, does anyone know how to properly get this to show up in the Services -> Service Watchdog -> Add screen? Thanks!

    After disabling UDP Acceleration, enabling SecureNAT, adding pushed routes on the SoftEther configuration side and setting up the various Virtual IP addresses and Firewall rules required from the pfSense side, I have been able to successfully connect to the VPN over IPv4 remotely and locally!
    Initial speed tests show that I can easily push 150/150mbps over my WAN, which is the limit of my connection. Over the next few days, I will post some benchmarks and run a theoretical speed test so we can see the actual performance versus OpenVPN.



  • How to get SoftEther to show up in your Services list and the Service Watchdog Package:

    Take a backup of your /conf/config.xml file as we are about to make some changes.

    Edit the /conf/config.xml file in your favorite CLI editor (I like VIM personally).

    First, search for the installedpackages section:

    <installedpackages>
        <package>
            <name>iftop</name>
            <pkginfolink>https://forum.pfsense.org/</pkginfolink>
            <website>http://www.ex-parrot.com/~pdw/iftop/</website>
            <version>0.17_2</version>
            <configurationfile>iftop.xml</configurationfile>
        </package>
        <package>
            <name>Backup</name>
            <version>0.4_2</version>
            <configurationfile>backup.xml</configurationfile>
        </package>
    </installedpackages>
    

    You will need to add the VPN service lines below:

        <package>
            <name>vpnserver</name>
            <pkginfolink>https://forum.pfsense.org/</pkginfolink>
            <website>http://www.softether-download.com/en.aspx</website>
            <version>4.18_9570</version>
            <configurationfile>vpnserver.xml</configurationfile>
        </package>
    

    Next, you will need to find the service section:

        <service>
            <name>snort</name>
            <rcfile>snort.sh</rcfile>
            <executable>snort</executable>
        </service>
        <service>
            <name>dnsbl</name>
            <rcfile>dnsbl.sh</rcfile>
            <executable>lighttpd_pfb</executable>
        </service>
        <service>
            <name>ntopng</name>
            <rcfile>ntopng.sh</rcfile>
            <executable>ntopng</executable>
        </service>
    

    You will need to add a new section for the vpnserver (SoftEtherVPN Server):

    
        <service>
            <name>vpnserver</name>
            <rcfile>vpnserver.sh</rcfile>
            <executable>vpnserver</executable>
        </service>
    
    

    Restart pfSense and you should now be able to add the vpnserver in the Service Watchdog menu and see the process in the WebGUI under Service Status.
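
The two config.xml edits from the post above, applied to a copy of the file so the result is parsed, and therefore known to be well-formed, before it replaces the original. This is an added example, not code from the thread or from pfSense. The sample document is constructed, and placing `<service>` entries inside `<installedpackages>` is an assumption; the function adds the new service next to existing `<service>` entries wherever it finds them.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the excerpts in the post (not a real config).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <package>
      <name>iftop</name>
      <configurationfile>iftop.xml</configurationfile>
    </package>
    <service>
      <name>snort</name>
      <rcfile>snort.sh</rcfile>
      <executable>snort</executable>
    </service>
  </installedpackages>
</pfsense>
"""

# Element values taken from the post.
PACKAGE = [("name", "vpnserver"),
           ("pkginfolink", "https://forum.pfsense.org/"),
           ("website", "http://www.softether-download.com/en.aspx"),
           ("version", "4.18_9570"),
           ("configurationfile", "vpnserver.xml")]
SERVICE = [("name", "vpnserver"), ("rcfile", "vpnserver.sh"), ("executable", "vpnserver")]


def _has_entry(parent, tag, name):
    return any(e.findtext("name") == name for e in parent.findall(tag))


def _append_entry(parent, tag, fields):
    entry = ET.SubElement(parent, tag)
    for key, value in fields:
        ET.SubElement(entry, key).text = value


def register_vpnserver(xml_text):
    """Return (new_xml_text, changed); raises ET.ParseError on malformed input."""
    root = ET.fromstring(xml_text)
    pkgs = root if root.tag == "installedpackages" else root.find(".//installedpackages")
    if pkgs is None:
        raise ValueError("no <installedpackages> section found")
    # Add the service beside existing <service> entries; fall back to
    # <installedpackages> when the file has none yet (assumed layout).
    services_parent = next((p for p in root.iter() if p.find("service") is not None), pkgs)
    changed = False
    if not _has_entry(pkgs, "package", "vpnserver"):
        _append_entry(pkgs, "package", PACKAGE)
        changed = True
    if not _has_entry(services_parent, "service", "vpnserver"):
        _append_entry(services_parent, "service", SERVICE)
        changed = True
    new_text = ET.tostring(root, encoding="unicode")
    ET.fromstring(new_text)  # re-parse: never write back a document that does not load
    return new_text, changed


if __name__ == "__main__":
    updated, changed = register_vpnserver(SAMPLE_CONFIG)
    print("changed:", changed)
    print(updated)
```

ElementTree drops the XML declaration and writes CDATA sections back as escaped text, so diff the output against the backup before copying it over /conf/config.xml.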



  • @Paint:

    gettext-runtime-0.19.8.1, gmake-4.2.1_1, indexinfo-0.2.4, libiconv-1.14_9, openssl-1.0.2_15,1
    

    Should I run this in the shell? I get an error, "gettext-runtime-0.19.8.1 command not found"

    @Paint:

    echo '#!/bin/sh' > /usr/local/etc/rc.d/vpnserver.sh
    
    and an error here too 'event not found'
    
    


  • @bob.russo:

    @Paint:

    gettext-runtime-0.19.8.1, gmake-4.2.1_1, indexinfo-0.2.4, libiconv-1.14_9, openssl-1.0.2_15,1
    

    Should I run this in the shell? I get an error, "gettext-runtime-0.19.8.1 command not found"

    @Paint:

    echo '#!/bin/sh' > /usr/local/etc/rc.d/vpnserver.sh
    
    and an error here too 'event not found'
    
    

    Hi Bob,

    No, please skip over that first list of packages. I was just listing the dependencies. The other code boxes need to be run via the CLI (command line interface).



  • OK. That worked perfectly now. Awesome. Thank you.

    Now… not really relevant to this topic, but off to figure out the firewall so the server manager can connect from the outside and set up RADIUS as domain creds won't work.

    Thank you.



  • @bob.russo:

    OK. That worked perfectly now. Awesome. Thank you.

    Now… not really relevant to this topic, but off to figure out the firewall so the server manager can connect from the outside and set up RADIUS as domain creds won't work.

    Thank you.

    I essentially set up SecureNAT via 192.168.1.95/24 on the SoftEther configuration, added an IP Alias for 192.168.95.1/32 (for DNS), and set up firewall allow rules for the ports I am using for SoftEther (configured via the admin client from your desktop machine: e.g., 5555, 8888, 1194, etc.). You do not need NAT port forwards, because the process is running directly on the pfSense firewall.



  • Need some help on the SoftEther. I followed your instruction to install the SoftEther, configure the SoftEther to do L2TP over IPSec. I added port forward in NAT (UDP 500, 4500). I am able to connect using native L2TP on my iphone but there is no internet access. Next thing I tried was using the iphone connect to the wifi, then connect to VPN, still no internet. Any ideas? Thanks



  • Unfortunately that package is out of date and is no longer updated.

    I compiled softether from the sources under FreeBSD

    The binaries can be found here https://1drv.ms/u/s!At1fq2XtLVZvhr18B5xAsQgJtLYnWA

    • Extract the content of the archive under /etc using the command tar -xf softether-freebsd-vpnserver-v4.24-9652.tar.gz -C /etc
    • chmod -R +X /etc/vpnserver
    • install shellcmd package
    • from the services menu go into the shellcmd section
    • add a new command /etc/vpnserver/vpnserver start


  • A little update from my installation (please update to the latest pfSense release first):

    1. Download latest build from http://www.softether-download.com/en.aspx?product=softether
    SoftEther VPN Server (Ver 4.25, Build 9656, rtm)
    softether-vpnserver-v4.25-9656-rtm-2018.01.15-freebsd-x64-64bit.tar.gz (5.82 MB)
    Release Date: 2018-01-15 <latest build>
    2. From the shell console:
    [2.4.2-RELEASE][root@pfsense]/root: tar -xf softether-vpnserver-v4.25-9656-rtm-2018.01.15-freebsd-x64-64bit.tar.gz -C /etc
    [2.4.2-RELEASE][root@pfsense]/root: pkg install help2man
    [2.4.2-RELEASE][root@pfsense]/root: pkg install gmake
    [2.4.2-RELEASE][root@pfsense]/root: pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/openssl-1.0.2n,1.txz
    [2.4.2-RELEASE][root@pfsense]/root: pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/binutils-2.29.1,1.txz
    [2.4.2-RELEASE][root@pfsense]/root: pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/mpfr-3.1.6.txz
    [2.4.2-RELEASE][root@pfsense]/root: pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/mpc-1.0.3.txz
    [2.4.2-RELEASE][root@pfsense]/root: pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/gcc7-7.3.0.txz
    change in /etc/vpnserver/Makefile: CC=/usr/local/bin/gcc7
    [2.4.2-RELEASE][root@pfsense]/etc/vpnserver: ./.install.sh
    [2.4.2-RELEASE][root@pfsense]/etc/vpnserver: ./vpnserver start
    Services > Shellcmd > add a new command /etc/vpnserver/vpnserver start (shellcmd package should be installed in pfSense)
    check firewall rules in pfSense
    [2.4.2-RELEASE][root@pfsense]/etc/vpnserver: sockstat -4 -l
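
One way to act on the last two steps above (check the firewall rules, then run `sockstat -4 -l`) is to compare what vpnserver actually listens on with the ports the rules are meant to allow. This is an added example, not code from the thread; the sample output is constructed, and the intended-port set is an assumption built from the ports 5555, 8888 and 1194 mentioned earlier in the thread.

```python
# Constructed sample of `sockstat -4 -l` output (not captured from a real system).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     vpnserver  4242  23 tcp4   *:443                 *:*
root     vpnserver  4242  25 tcp4   *:5555                *:*
root     vpnserver  4242  31 tcp4   127.0.0.1:8888        *:*
root     vpnserver  4242  40 udp4   *:1194                *:*
root     vpnserver  4242  41 udp4   *:*                   *:*
root     sshd       911   4  tcp4   *:22                  *:*
"""

# Assumption: the (proto, port) pairs the firewall rules are meant to allow.
INTENDED = {("tcp4", 5555), ("tcp4", 8888), ("udp4", 1194)}


def listeners(sockstat_text, command="vpnserver"):
    """Return [(proto, address, port)] for sockets owned by `command`."""
    found = []
    for line in sockstat_text.splitlines():
        cols = line.split()
        # Skip the header, short lines and other processes.
        if len(cols) < 6 or cols[0] == "USER" or cols[1] != command:
            continue
        addr, _, port = cols[5].rpartition(":")
        if port.isdigit():  # "*:*" has no port bound, so it is not a listener
            found.append((cols[4], addr, int(port)))
    return found


def audit(sockstat_text, intended=INTENDED):
    """Sort the listeners into the findings a firewall review cares about."""
    socks = listeners(sockstat_text)
    seen = {(proto, port) for proto, _, port in socks}
    return {
        # Listening, but no rule was planned for it: close it or document it.
        "unexpected": sorted(s for s in socks if (s[0], s[2]) not in intended),
        # A rule is planned, but nothing listens there.
        "missing": sorted(intended - seen),
        # Bound to every interface: only the firewall rules limit who reaches it.
        "wildcard": sorted(s for s in socks if s[1] == "*"),
    }


if __name__ == "__main__":
    for finding, entries in audit(SAMPLE_SOCKSTAT).items():
        print(finding, entries)
```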