Setting up a VPN with SoftEther

  • Question
  • Updated 2 years ago
  • Answered
I'm trying to set up a SoftEther VPN to let me use my iPad and Stu's app while we're on vacation. I've got it installed on the desktop PC and am trying to get the settings right on the iPad.  I'm not getting a connection, so I obviously have something set wrong, but this is way out of my field of expertise.  Anyone out there running SoftEther who can give me a hand?  I'd be glad to set up a telephone call and/or TeamViewer session to get things straightened out.

Rick Hadley - W0FG

Posted 3 years ago

KY6LA - Howard, Elmer

Assuming you have set everything up correctly on your PC, have you yet set up your Router to Port Forward to your PC?

Rick Hadley - W0FG

No, and I think that's where I'm lost.  I've never done any network setup that required port forwarding before.

Rick Hadley - W0FG

Bump.  Help please!

KY6LA - Howard, Elmer

Tied up today. Am available after 11pm Pacific. Ky6la at ky6la dot com

Winston VK7WH

To Rick

(and Howard - for information.)


I am also contemplating using SoftEther to set up a VPN and, like you Rick, this is also something new for me. At the moment I am successfully using Parallels to control my remote site but a VPN would appear to be a better solution for my setup.


I have studied all the documentation but I am still uncertain about the correct procedure. For example, in my setup, the remote site will be my main station and my home will be merely an access point. Should I set up a SoftEther VPN Server at the remote site and the Client at home, or vice versa? Or should I set up a remote (external) VPN Server and set up Clients at home AND the remote site? These questions alone probably best explain my newbie status as far as VPNs are concerned.


Rick, would you be good enough to share any information you may obtain from Howard which you think could also help me (with Howard's permission, of course) either here on the Community (preferred, as it may also assist others), or direct if you prefer. My email is winston.henry@bigpond.com


Many thanks


Winston.

KY6LA - Howard, Elmer

Your VPN Server should be at your Remote site because the Radio needs to be on the Same IP Subnet as the VPN. That way any client anywhere can log in to the VPN and obtain a local IP.

Winston VK7WH

Thanks Howard, that makes sense. Sometimes I can't see the forest for the trees!

Rick Hadley - W0FG

I've installed SoftEther on my shack PC, and attempted to set up a client on my iPad, but still have been unable to get them to connect.

Winston VK7WH

Rick, have you tried to connect from another PC or laptop running the client software? I am going to download the software and try to set this up over the next couple of days. I'll let you know how I get on.

Winston

Rob Fissel

Rick,

We have no idea what kind of router you have. Port forwarding in most routers is very straightforward. You may wish to Google your router make/model along with port forwarding, as I'm sure someone out there has listed a step by step on how to port forward.

Be aware that if you're trying to use an iPad, you'll have to configure L2TP to work within the SoftEther server software. 

If this is all starting to sound a little heavy, no worries. There are plenty of us in the forums that can likely lend a hand. With some basic networking and PC experience, setting up a SoftEther VPN is a piece of cake, but without it, I can certainly understand how daunting it may appear to be. 

73,

Rob

Rob G6EIH

Never been able to get this working and I guess I'm missing something stupid. How about one of you guys writing up an install guide?

Carmine Iannace, W1EQX

There are a number of networking steps to go through to have your SoftEther setup work properly. 

When first installing SoftEther make sure you set up the VPN server and the VPN bridge. Flex Radio SmartSDR requires Ethernet broadcasts to find the 6000 series radio. Bridging allows broadcasts to pass through the VPN tunnel while routing typically does not.

Follow these instructions:
https://www.softether.org/4-docs/2-howto/1.VPN_for_On-premise/2.Remote_Access_VPN_to_LAN 

If you are going to use the SoftEther client on a PC or Mac then pick one of the ports the server uses. I would recommend port 443 or 5555, assuming your ISP does not block these ports. You will need to configure a rule on your router to forward TCP port 443 or 5555 from your outside WAN (internet facing) interface to the internal IP address of the computer you installed the SoftEther server on. Once you configure the port number you chose on the SoftEther client on a PC or Mac you should get a connection.

If you will be using an iPad or iPhone remotely via the built-in iOS L2TP client you will need to set up additional port forwarding rules on your router. Those additional forwarded ports are:

 UDP 1701, UDP 500 and UDP 4500

Again, these ports are from your outside WAN (internet facing) interface to the internal IP address of the computer you installed the SoftEther server on.

I hope this helps!

Carmine
W1EQX
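
Added example, not part of the original post: a Python check of a router's forwarding list against the ports named above. The rule notation, the addresses and the sample rules are constructed for illustration; the check assumes the built-in iOS L2TP client cannot use non-standard ports, so its UDP ports must be forwarded unchanged.

```python
from dataclasses import dataclass

# Ports named in the post above. The built-in iOS L2TP client has no port
# field, so its UDP ports must be forwarded unchanged; the SoftEther client
# lets you pick the port, so one TCP listener behind any WAN port is enough.
L2TP_UDP = {500, 4500, 1701}
CLIENT_TCP = {443, 5555}


@dataclass(frozen=True)
class Rule:
    proto: str
    wan_port: int
    lan_ip: str
    lan_port: int


def parse_rules(text):
    """Parse 'proto wan_port -> lan_ip:lan_port' lines (a made-up notation)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        left, right = line.split("->")
        proto, wan_port = left.split()
        lan_ip, lan_port = right.strip().rsplit(":", 1)
        rules.append(Rule(proto.lower(), int(wan_port), lan_ip, int(lan_port)))
    return rules


def audit(rules, server_ip, ios_l2tp=True):
    """Return (code, proto, port, detail) findings for one VPN server."""
    findings = []
    to_server = [r for r in rules if r.lan_ip == server_ip]
    if not any(r.proto == "tcp" and r.lan_port in CLIENT_TCP for r in to_server):
        findings.append(("missing", "tcp", 0, "no TCP 443 or 5555 reaches the server"))
    if ios_l2tp:
        for port in sorted(L2TP_UDP):
            same_port = [r for r in rules if r.wan_port == port == r.lan_port]
            if any(r.proto == "udp" and r.lan_ip == server_ip for r in same_port):
                continue
            if any(r.proto == "udp" for r in same_port):
                detail = "forwarded to another host"
            elif same_port:
                detail = "forwarded as TCP only"
            else:
                detail = "no rule"
            findings.append(("missing", "udp", port, detail))
    # Anything else pointed at the server is exposure the VPN does not need.
    for r in to_server:
        wanted = (r.proto == "tcp" and r.lan_port in CLIENT_TCP) or (
            ios_l2tp and r.proto == "udp" and r.lan_port in L2TP_UDP)
        if not wanted:
            findings.append(("unneeded", r.proto, r.wan_port, "exposed, not used by the VPN"))
    return findings


# Constructed router configuration; addresses and rules are sample values.
SAMPLE = """
tcp 8443 -> 192.168.2.10:5555
tcp 500  -> 192.168.2.10:500     # wrong protocol
udp 4500 -> 192.168.2.11:4500    # wrong host
tcp 3389 -> 192.168.2.10:3389    # unrelated service
"""

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE), "192.168.2.10"):
        print(*finding)
```

An empty result means the forwarding list matches the ports in the post; it says nothing about the server-side L2TP settings, which the internal-network test described later in the thread covers.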

Rick Hadley - W0FG

Thanks.  I'll give that a shot.  I didn't have the last 3 UDP ports set up.

Carmine Iannace, W1EQX

Also, first test to ensure the SoftEther server is set up correctly before configuring ports. Set up your iPad to connect to the server's internal IP address while the iPad is on the internal wireless network. This may sound counterintuitive but it will ensure that you don't have any server related configuration issues.

Once you test that the VPN does authenticate and connect internally, configure the additional L2TP/IPSec UDP ports I had indicated in my previous post and give it a try over the internet. Don't forget to reconfigure the native L2TP VPN client to point to the external address of your router.

Carmine
W1EQX

Rob G6EIH

Thanks for all the info, I'll be giving this another go now.

Rick, K7FYI

Thanks for the clear instructions.  I had this all set up yesterday (...the day after receiving my 6300).

Mike - W8MM

Wow, ... I don't know where to start with my tale of woeful newbieness.  I'm a pretty successful RF engineer, but I'm probably dangerous when it comes to IT experimentation (which is what I would call my recent actions).

After abandoning attempts to use my router's built-in VPN facility because of a lack of bridging function, I took the accumulated advice and installed SoftEther on a boot-camped Mac Mini running Windows 10.  It sits in a rack fixture with my 6700's and I only use it to locally troubleshoot radio configurations and attached plumbing.

My router is a Draytek Vigor3900 (don't ask, I'm stuck with it).  I have fiber-to-the-house high speed internet from Cincinnati Bell using an Alcatel-Lucent 7342 ISAM FTTU GPON edge device.  CinBell formerly connected that to a ZyXEL router which was subsequently replaced by the Draytek to support Jive/Panasonic VOIP.

So, I downloaded the SoftEther VPN software to the boot-camped Mac Mini and installed it to the best of my ability.  In the Draytek router, I port redirected UDP 500 & 4500 and TCP 5555 to the static local LAN IP of the Mini. 

I set up the L2TP VPN facility of my ATT-LTE-connected iPad Pro with all the correct info.  It wouldn't connect a successful VPN session.

After some head scratching and reading some SoftEther user group threads, I tried connecting the iPad to the local server IP on the local lan via WiFi.  It connected to the VPN server just fine and K6TU Remote worked just right with a newly assigned IP address ... so I thought it was working locally OK.

Then I tried via WAN via ATT again.  Still nothing.

Then I checked out the server logs in SoftEther and could see the successful connection items.  What I could not see any evidence of was any trace of WAN attempts.  Not one single reaction from the VPN server at all.

So, ....... then I started messing around with the settings (bad idea).   After only a few clicks and further attempts to connect, some script kiddie took over my Windows 10 session with a pop-up browser appearance that said my IP address had been blocked by my service provider and I should call 855-202-1848 to resolve the issue.  It warned not to turn off the computer or dire things would happen, all the while making a max-volume beeping noise.

Well, ... the heck with that.  I forced re-boot and selected under the Recover Menu to "RESET" Windows 10 to clear all apps, files, etc., and reloaded the OS in a pristine manner. 

Now, I'm still a bit confused about why the WAN connection didn't work.  I've posed a question to Cincinnati Bell tech support to see if they're somehow blocking or filtering ports 500, 4500, or 5555.  I'll see what they say.

Then, I think I'll try SoftEther on OSX on the Mini (only use boot camp & Windows for local radio testing as needed) as a way to keep the script kiddies guessing a bit longer.

Any suggestions?

Mike - W8MM

OK .... Success!!!!!!!!!!!!!!

After I read page 334 of 474 in the Draytek instruction book, a slightly obscure sentence told me to make sure certain VPN services were "un-checked" if one wanted to run a VPN server on the LAN side of the router.

Voila!!!  Connections!!!!!

W5UN_Dave

HELP! I had SoftEther server working fine with my iPad. Then my computer died. I loaded up a new computer, installed SoftEther and set it up as before. Now my iPad WILL NOT CONNECT. I have a client installed on my notebook computer, and it connects just fine. When attempting to connect the iPad I get the following error message: "The L2TP-VPN server did not respond". I triple checked all settings and am convinced it is set up exactly as on the old computer. (BTW all port forwarding rules are in place as before, since nothing changed here.)

One thing I noticed on the server is that Port 443 says error.

All help will be appreciated.

Rick - W5FCX

OK.  I finally got SoftEther to work - here's how...

My setup is I have a lake house where there are no restrictions on antennas, so I placed the 6700 there. It has a (slow) Windstream DSL connection, with about 3 Mb down and .5 Mb upload - not great, but usable for the moment.

On a new "Radio PC" at the lake house, I installed SoftEther VPN Server.  I added a Local Bridge connection so the Ethernet packets on the LAN managed by the DSL modem/router can be bridged via the VPN to my home network.  SoftEther creates a "virtual Ethernet cable" tunneled through a VPN connection, which is how it bridges the two networks and allows UDP broadcasts like SmartSDR to Flex radios to get through.

One of the great things about SoftEther is it has a built-in Dynamic DNS service, which creates a DNS entry at softether.net for your Internet router.  In my case, I ended up with something like myradiopc.softether.net, which will always point to my DSL modem's IP address, even when the IP address periodically changes.  This is how I now address the lake modem when connecting to any service (VPN, RDP).

Next, on the DSL router, I added port forwarding for ports 500 (UDP), 4500 (UDP), 5555 (TCP) to the Radio PC IP address.  For the bridge connection, I added a port forwarding mapping rule to map port 8443 (TCP) to 443 on the Radio PC.  That's because port scanners look for 443 on the Internet and I'd prefer to make that port harder to find.  Also, I mapped 23389 (TCP) to 3389 so I can use Windows Remote Desktop to remote into the Radio PC.

I also have both TeamViewer and Splashtop Streamer installed, so I now have three ways to remote into the PC desktop for maintenance, in case the VPN is down for any reason. (it's a 2 hour drive to the lake house, so would prefer not to be forced to do that too often)

On my local (home) PC, I installed SoftEther VPN Bridge, then added a Local Bridge to my home network.  In the Security Rules, I blocked everything related to IPv6 and DHCP, to prevent those packets from crossing the bridge (there's a different DHCP server on each network segment I don't want cross-talking and polluting IP assignments).

This allowed SmartSDR to discover the radio!  So far so good... but cannot connect to the remote radio's IP just yet, as the radio IP address is on the lake network segment, not my local home network.  To address this, I simply added a new IP address on my home PC network adapter that's actually on my lake network.  Now this seems a bit counterintuitive, but it works because the SoftEther Bridge and Local Bridges extend the layer 2 ethernet frames of both networks - I just needed a way to create a route table entry on the local network that enabled my home PC to participate on the lake network.

Now it works!  I'm able to run SmartSDR on my home PC and operate the Flex 6700 radio remotely.

But not done quite yet... I found the audio to be choppy at first, so I went into the SoftEther Bridge settings and turned on Compression and blocked all other services that aren't required to reduce the amount of cross-bridge network chatter.

That's what worked for me.  Hope that's helpful.

Rick
KG5PJB
 

EA4GLI - 8P9EH - Salvador

Thanks for the detailed information. I am sure it will be helpful to many.
I would like to let you guys know that you do not want to connect 2 networks that are on the same subnet. So if you are in 192.168.1.x at home make sure your remote is at 192.168.2.x or anything that is not 192.168.1.x

If both networks are on the same subnet you will see the Flex radio when you are connected but you will have a lot of dropped packets and poor performance.... and because you can see the flex you might think that the VPN works and it is just a bad internet connection.
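
Added example, not part of the original post: a Python check for the subnet clash described above, which also catches overlaps hidden by different prefix lengths and proposes a free range for the remote site. All addresses are constructed sample values.

```python
import ipaddress


def lan_of(interface):
    """Network that an interface address such as '192.168.1.37/24' sits on."""
    return ipaddress.ip_interface(interface).network


def clashes(remote, visited):
    """Return the visited networks whose range overlaps the remote LAN.

    Overlap is not only an identical subnet: a wider network on one side
    (for example a /23 or /16) can swallow a /24 on the other.
    """
    remote_net = lan_of(remote)
    return [v for v in visited if lan_of(v).overlaps(remote_net)]


def pick_remote_subnet(visited, pool="192.168.0.0/16", prefix=24):
    """First subnet of the pool that overlaps none of the visited networks."""
    taken = [lan_of(v) for v in visited]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(t) for t in taken):
            return candidate
    return None  # the whole pool is covered by networks already in use


# Constructed addresses: the radio site, then networks the operator connects from.
REMOTE = "192.168.1.50/24"
VISITED = ["192.168.1.23/24", "192.168.0.14/23", "10.0.5.9/8"]

if __name__ == "__main__":
    print("clashes with:", clashes(REMOTE, VISITED))
    print("renumber remote site to:", pick_remote_subnet(VISITED))
```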

Ria - N2RJ, Elmer

I set it up similarly but I used a Raspberry Pi as my VPN endpoint. This way the VPN is on its own hardware. 

My home network is in the class A RFC1918 CIDR anyway which most people do not use for home networks. 

The bridge took care of everything for me, I get an IP from my home DHCP server as well. 

Harold Rosee

OK, I am getting ready to tackle this but have a basic question first.

I have two computers in the shack. My "main faster" computer is where I run SmartSdr.  The other computer is just a backup and runs some security cameras.

Should I install the VPN on the computer that I run SmartSdr on or the backup which mainly sits idle?  Or does it really matter?

Thanks,

Harold
W5ZZT

Ria - N2RJ, Elmer

I would try to run it on the PC you do not use SmartSDR on, for two reasons.

1. You want your SmartSDR PC dedicated to that, and no extraneous drivers/software to mess it up, especially on the network side.

2. If you ever need to reboot your SmartSDR PC, you'll remain connected while the reboot is in progress and you won't have to worry if the VPN came back up.

That does not mean it won't work on your SmartSDR PC, it's just not what I would personally do. 

SoftEther doesn't use much CPU as you can run it on a Raspberry Pi or other small PC.

Harold Rosee

Thanks Ria.

I will take your advice and install it on the second PC.  I am hoping this is not as hard as it looks:) 

Here goes.......

Ria - N2RJ, Elmer

If you really want to get fancy, get a Raspberry Pi and install it there. Just plug it in and forget it even exists. Consumes only a couple of watts too. $60 on Amazon for the full kit...

K6OZY, Elmer

There's a video for that:  

Harold Rosee

OK guys. Help me out a little.

1. I installed the VPN Server.
2. Installed the Bridge
3. Connect server and bridge
4. Accepted the default DDNS name.
5. Set up L2TP... I think with encryption... Can't remember.
6. Added a user name and password
7. Port forwarded 443,992,1194,5555 to the PC the server is on. Checked them all at canyouseeme.com. They are open

Then I went into the iPhone and GUESSED at what it wants in the different fields.  It fails to connect.
I am sure I have things wrong on both sides but don't know where to start troubleshooting.  I am an old mainframe guy so I need a little direction on how to figure out what's going on.

Any suggestions?  The iPhone just saying failed to connect doesn't give me a clue where to start.

Thanks in advance for any help.

Harold

Ria - N2RJ, Elmer

When you install the server it installs a bridge component. There's no reason to install that separately.

For the iPhone VPN, after the wizard you need to click L2TP and select a shared secret. This is also what you put in the "secret" field in the iPhone. This is different from the password for the user account, which you also need to create.

Harold Rosee

OK, well, thanks for trying to help.  I don't want to fill the forum up with this.  I am not a network guy and I am totally lost.  I don't even know what questions to ask at this point. 

I'll go read some more.  Over and out...

K6OZY, Elmer

Harold, shoot me your info offline.  I've helped dozens of people get their Flex's working via SoftEther VPN.  I think I can get you up and running very quickly.   k6ozy [at] arrl [dot] net.

Harold Rosee

OK. I'll do that.  Thanks

K6OZY, Elmer

Above I fat fingered, and said UDP450 UDP4500.  It's UDP 500, UDP 4500, TCP 5555.  I don't want bad information to stay on the net confusing people.

Harold Rosee

I guess what I am looking for is a way to make sure the PC is set up correctly.  Can I troubleshoot it through another PC?  Then when I know it's working I can figure out the iPhone.

Harold Rosee

Ria, thanks for your help. I am going to have to try and find someone offline to help me.

Take care

Harold Rosee

IT Works!!!

I have to say a big Thank You to Chris, K6OZY, for his help.  This guy is a whiz.  It's 12:20 am here in Texas and he just spent a lot of his time helping me set up my VPN.

There is no way I could have done that myself.  Of course he tells me if I had watched his video on YouTube I could have done it.  He has encouraged me to get a Raspberry Pi and run the server on it as Ria also suggested.  So tomorrow I am off to the local Microcenter down the street to pick one up.

Chris, thanks again for your time and also the offer to help with the Pi.  Help like yours is what sells Flex.  Plus the radios are pretty good too:)  

Now I can sleep.  Goodnight

K6OZY, Elmer

Thanks for the kind words.   I just hate seeing people not able to use their radio remotely because of VPN issues.

Lasse Moell

OK, so I am next in line for some hand-holding!
Currently have an RPI running as server. The client computer does connect over my cell phone using port 5555 (it seems 443 is a no-no on that provider). But I cannot see the radio on the SSDR client, unless I connect over my LAN (and VPN).  The VPN server is on DMZ, i.e. no ports should be blocked on that side.

Where to look for those lost broadcast packets from my radio?
Checking ports (externally) 5555 reports open but 500 and 4500 reports open/filtered (UDP), is the RPI not responding?
Should a bridge work better? I thought starting with client it would be easier to verify things....
Is this due to client having a different ip-subnet?
My head is about to burst :(

/Lasse SM5GLC

Ria - N2RJ, Elmer

There does need to be a bridge. Did you use my script or set it up yourself? My script automates it all (except the port forwarding), but if you do it yourself you need to set up the bridge manually.

Open SE-VPN server manager
Log in to the VPN server
Click "Local bridge setting"

Under "New Local Bridge Definition":
Select the virtual hub to create the bridge on (if you did a basic setup there should only be one, choose it)
Under "type to create" select "Bridge with Physical existing network adapter"
Select "eth0" as the LAN adapter
Then click "create local bridge."

The only thing that somewhat concerns me is that your VPN is on a DMZ. It probably won't work that way. It needs to sit on the LAN for the bridge unless you have a 2nd Ethernet interface but that is getting into a more complicated setup. The reason is that it needs to be on the same LAN as the radio to receive and forward the VITA-49 broadcast packets. However, if you can route traffic to your LAN from the DMZ, you can specify the IP in SmartSDR for iOS and connect that way.

Lasse Moell

YES! That did it! I was setting up everything according to K6OZY... and missed the part with having local bridge enabled. It's up and running, sort of.... My cell phone does not give good enough throughput, but I have seen the spectrum! Now I can start to fine-tune things.
A big Thank You Ria!
Cheers and CU on the bands
/Lasse SM5GLC

Lasse Moell

Just one thing more, I did try the DMZ as I was a bit confused with my main router when things did not work. Back to the main router and ports properly opened.

Lasse Moell

Just a quick update. The VPN runs fine, and I even managed to configure an Orange Pi Zero to do the work. This computer is half the physical size of a R-Pi, and costs about $9!  Did a small demo at the local ham club showing how to operate remote.