How To Use SoftEther VPN With Local Bridge [Ubuntu]

Using Local Bridge with SoftEther VPN (w/o SecureNAT)

If you’ve ever used SoftEther VPN, you’ll probably have used the SecureNAT function to easily hand out IP addresses to clients. Though this is nice and easy, it has a few drawbacks. For one, it is harder on the CPU to use SecureNAT and two, the throughput of the VPN link is much slower.

Today, we’ll take a look on how to use SoftEther VPN with a local bridge on a remote server and remove the need for SecureNAT.

NOTE: If you’ve used my se-autoinstall script after 5/11/19, then please only follow Create Local Bridge, Enable NAT and enable postrouting, and Restart dnsmasq and SoftEther VPN Server. The script will now take care of everything else.

Requirements

  • Ubuntu Linux server
  • SSH and root access (please log in as root user during this tutorial, or use sudo!)
  • SoftEther VPN installed (you can use my script here)
  • dnsmasq installed on the Linux server

Prepare SoftEther VPN Server

If you’ve just installed your server, great! You can simply skip to Create Local Bridge. If not, we’ll need to disable SecureNAT fist before we continue.

Disable SecureNAT (example here)

  1. Open the SoftEther VPN Server Management Utility
  2. Connect to your VPN server
  3. Select the VPN hub (or whatever hub you use on the VPN server) and click “Manage Virtual Hub”
  4. Click “Virtual NAT And Virtual DHCP Server (SecureNAT)”
  5. Click Disable, then exit to main configuration screen

Create Local Bridge (example here)

  1. Click “Local Bridge Setting”
  2. Under “New Local Bridge Definition” select the VPN hub (or whatever hub you use on the VPN server)
  3. Select the “Bridge with New Tap Device”
  4. Name the device soft and click “Create Local Bridge”
  5. Verify that the new device was create by running ifconfig tap_soft in a SSH terminal session. You should see something like this:

Now we can proceed to install and configure our own DHCP server!

Install & configure dnsmasq

First, we’ll need to install dnsmasq.

apt update && apt install dnsmasq

Now we will need to edit the /etc/dnsmasq.conf file

nano /etc/dnsmasq.conf

Once opened, insert the following at the end of the file:

# Specify what interface to use, in our case we're using "soft"
interface=tap_soft
# Set DHCP range, 10.42.10.10 - 10.42.10.100 with a 12 hour lease time
dhcp-range=tap_soft,10.42.10.10,10.42.10.100,12h
# Set DHCP default gateway
dhcp-option=tap_soft,3,10.42.10.1

Create SoftEther VPN Server Init Script

NOTE: If you previously used my softether-autoinstall script before 5/11/19, you already have this script located at /etc/init.d/vpnserver, however it is missing some important options. Rename this file to vpnserver.bak with mv /etc/init.d/vpnserver /etc/init.d/vpnserver.bak before continuing!

We need to create an init script to start SoftEther VPN Server on boot, and to configure the TAP interface when the server is started.

First, use nano to create the file:

nano /etc/init.d/vpnserver

Then insert the following into the file:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable Softether by daemon.
### END INIT INFO
DAEMON=/opt/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=10.42.10.1

test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 1
/sbin/ifconfig tap_soft $TAP_ADDR
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 1
/sbin/ifconfig tap_soft $TAP_ADDR
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

Now simply close and save the file with Ctrl + X and then [ENTER].

Enable NAT and enable postrouting

We need to create a file in /etc/sysctl.d/ to enable ipv4 forwarding. Use the following command to create this file:

nano /etc/sysctl.d/ipv4_forwarding.conf

and insert the following into the file:

net.ipv4.ip_forward = 1

Again, save and close the file by hitting Ctrl + X then [ENTER].

Now we must enable this new option by issuing the following command:

sysctl --system

Now we need to add a POSTROUTING rule to iptables to correctly route traffic and enable NAT. Please replace [YOUR VPS IP ADDRESS] with the public IP address of your server.

iptables -t nat -A POSTROUTING -s 10.42.10.0/24 -j SNAT --to-source [YOUR VPS IP ADDRESS]

This rule will exist until the next system reboot, so to keep it persistent we will install iptables-persistent

apt install iptables-persistent

Restart dnsmasq and SoftEther VPN Server

If everything above was done correctly, all we need to do now is to restart the DHCP server and the running SoftEther VPN server.

/etc/init.d/dnsmasq restart && /etc/init.d/vpnserver restart

Need Help?

Feel free to post in #help! Please describe your issue with a fair amount of detail so we can minimize the time spent troubleshooting and the amount of posts.

Having VPN speed issues after creating a local bridge? See the following post: