I don’t like OpenVPN. With that out of the way, SoftEther VPN supports a lot more protocols (including SSTP) and is made in Japan, so I decided to go with it. Unfortunately it is not available in package managers, but they do have a GitHub repo.
```shell
$> cd /opt
$> git clone https://github.com/SoftEtherVPN/SoftEtherVPN.git
$> cd SoftEtherVPN
$> ./configure
$> apt install libreadline-dev libssl-dev libncurses5-dev  # I thought I DID install build-essential but those packages weren't present...
$> make
$> fucking-coffee.sh  # Google it, fun read
$> make install
```
Then we can verify the server works and start configuring it.
```shell
$> vpnserver start
$> vpncmd 1 localhost:5555 <enter>
```
The instructions in vpncmd suggested that the default setting for the server would be localhost:8888, but that was wrong. It seems that if you leave everything blank, the vpncmd utility tries to connect to localhost:443, which in my case was used by the web server and caused the command to fail.
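The port clash on 443 is easy to hit because SoftEther's default listeners are 443, 992, 1194 and 5555, and a web server on the same box usually owns 443 already. The following is an added example, not code from the post or from SoftEther: a small POSIX sh check that reads `ss -ltnp` output and reports which of those default ports are already bound and by what. The `ss` output below is constructed for running it offline; on a real host you pass `"$(ss -ltnp)"` instead.

```shell
#!/bin/sh
# Added example, not from the original post: report which of SoftEther's
# default listener ports are already bound on this host, so a clash like the
# one on 443 is found before vpnserver is started.
# 443, 992, 1194 and 5555 are SoftEther's documented default listeners.
set -eu

SOFTETHER_PORTS="443 992 1194 5555"

# Constructed sample of `ss -ltnp` output for running this offline; on a real
# host pass "$(ss -ltnp)" to port_conflicts instead.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=812,fd=6))
LISTEN 0      511             [::]:443           [::]:*     users:(("nginx",pid=812,fd=7))
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=640,fd=3))
LISTEN 0      4096       127.0.0.1:5555       0.0.0.0:*     users:(("vpnserver",pid=2201,fd=9))'

# Turn ss output into "port process" pairs. Column 4 is Local Address:Port;
# the port is whatever follows the last colon, which also handles [::]:443.
# The process name is pulled out of the users:(("name",...)) column when present.
listening_ports() {
    awk 'NR > 1 {
        n = split($4, a, ":")
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        print a[n], proc
    }' | sort -u
}

# Print "port process" for each SoftEther default port that is already taken.
# Usage: port_conflicts "$(ss -ltnp)"
port_conflicts() {
    taken=$(printf '%s\n' "$1" | listening_ports)
    for p in $SOFTETHER_PORTS; do
        printf '%s\n' "$taken" | grep "^$p " || true
    done
}

# Demo on the constructed sample (on a real host: port_conflicts "$(ss -ltnp)").
port_conflicts "$SAMPLE_SS_OUTPUT"
```

On the sample this prints `443 nginx` and `5555 vpnserver`; an empty result means vpnserver can bind all its defaults. Any port it does list is one you either free up or disable in SoftEther's listener list before starting the daemon.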
Next, once we manage to make a connection to the VPN server with vpncmd, we set the server password:
Rather than reading the manual, here I preferred using the GUI configuration tool they provide to manage the settings. Namely: enable L2TP/IPsec, disable the less secure L2TP variant, turn on SSTP and create a user (apparently RADIUS or AD authentication is not available in the open-source version for some reason…).
The final step I took was to disable the built-in DDNS and to sign and install a certificate.
```shell
$> openssl genrsa -out vpnserver.key 4096
$> openssl req -new -key vpnserver.key -out vpnserver.csr
```
Use the CSR to request a certificate using certsrv (for Windows Server CAs), download the certificate, and load it up from SoftEther’s GUI tool along with the private key.
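Two things are worth checking around the certificate step that the commands above skip: that the private key file is never world-readable, and that the certificate you get back from the CA actually belongs to the key you are about to load into SoftEther. The script below is an added example, not code from the post or from SoftEther; it assumes OpenSSL 1.1.1 or newer (for `-addext`), and `vpn.example.test` is a constructed placeholder hostname. Since there is no CA available offline, it self-signs the CSR as a stand-in for the certsrv-issued certificate so the key-match check can run.

```shell
#!/bin/sh
# Added example, not from the original post: generate the server key and CSR
# as above, but keep the key readable only by its owner, put the VPN hostname
# in a Subject Alternative Name, and verify that the certificate that comes
# back from the CA actually belongs to this key before loading it into
# SoftEther. vpn.example.test is a constructed placeholder hostname.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
VPN_HOST="${VPN_HOST:-vpn.example.test}"

# 1. Private key. umask 077 means the file is created with mode 600, so there
#    is no window in which the key is readable by other users on the box.
gen_key() {
    umask 077
    openssl genrsa -out "$WORKDIR/vpnserver.key" 4096 2>/dev/null
}

# 2. CSR carrying the hostname as a SAN; modern clients ignore the CN on its own.
gen_csr() {
    openssl req -new -key "$WORKDIR/vpnserver.key" -out "$WORKDIR/vpnserver.csr" \
        -subj "/CN=$VPN_HOST" -addext "subjectAltName=DNS:$VPN_HOST" 2>/dev/null
}

# 3. The check to run on the certificate that comes back: compare the public
#    key inside the certificate with the one derived from our private key,
#    instead of trusting file names. Returns 0 on a match, 1 otherwise.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the CSR asks for the expected DNS name.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Offline stand-in for the CA: self-sign the CSR so the checks can run here.
# In the real flow this file is the certificate downloaded from certsrv.
self_sign() {
    openssl x509 -req -in "$WORKDIR/vpnserver.csr" -signkey "$WORKDIR/vpnserver.key" \
        -days 365 -out "$WORKDIR/vpnserver.crt" 2>/dev/null
}

# Run as `sh script.sh demo` to walk through the whole flow.
if [ "${1:-}" = "demo" ]; then
    gen_key && gen_csr && self_sign
    csr_has_san "$WORKDIR/vpnserver.csr" "$VPN_HOST" && echo "CSR carries DNS:$VPN_HOST"
    cert_matches_key "$WORKDIR/vpnserver.crt" "$WORKDIR/vpnserver.key" && echo "certificate matches vpnserver.key"
    ls -l "$WORKDIR/vpnserver.key"
fi
```

`cert_matches_key` is the one to keep around: run it against the real certificate from certsrv and the key before importing them, and again whenever the certificate is renewed, since a renewed certificate issued for a freshly generated key will silently fail to match the key still loaded in SoftEther.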
And of course create a systemd service because, despite all the hate it gets, I like it.
```shell
$> nano /etc/systemd/system/softether.service
```

```ini
[Unit]
Description=SoftEther VPN daemon
After=network.target

[Service]
# vpnserver start forks into the background and the parent exits, so tell
# systemd to track the forked daemon rather than the short-lived launcher.
Type=forking
ExecStart=/usr/bin/vpnserver start
ExecStop=/usr/bin/vpnserver stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```
Then reload systemd, start the service and enable it at boot. Relatively simple.