SoftEther VPN Running on AsusWRT Routers

SoftEther VPN (“SoftEther” means “Software Ethernet”) is one of the world’s most powerful and easy-to-use multi-protocol VPN software.
Tested on RT-AC68U rev A2, RMerlin firmware v380.65, hdd usb3, Optware-NG & Entware-NG

1 – Flash RMerlin firmware from here

2a – Install Optware-NG from here
or
2b – Install Entware-NG from here

3a – For ARM devices download and install SoftEtherVPN (thanks @lancethepants for binaries)

cd /opt/etc
wget -c -O SoftEtherVPN-4.20-9608-rtm-arm.tgz goo.gl/DTkk3C
tar xvzf ./SoftEtherVPN-4.20-9608-rtm-arm.tgz
rm ./SoftEtherVPN-4.20-9608-rtm-arm.tgz

or
3b – For MIPSEL devices download and install SoftEtherVPN (thanks again @lancethepants for binaries) (NOT TESTED)

cd /opt/etc
wget -c -O SoftEtherVPN-4.20-9608-rtm-mipsel.tgz goo.gl/ZFNwqg
tar xvzf ./SoftEtherVPN-4.20-9608-rtm-mipsel.tgz
rm ./SoftEtherVPN-4.20-9608-rtm-mipsel.tgz

4 – Start SoftEtherVPN server ( I added a 12 seconds start delay because will crash the router if is starting right after router reboot)

/opt/etc/init.d/S80softethervpnserver start
The SoftEther VPN Server service has been started.

– Enter VPN Command Line Management Utility

admin@RT-AC68U:/tmp/mnt/sda1/optware-ng.arm/etc# /opt/etc/softethervpn/vpncmd
vpncmd command – SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.20 Build 9608 (English)
Compiled 2016/04/17 20:58:26 by yagi at pc30
Copyright (c) SoftEther VPN Project. All Rights Reserved.By using vpncmd program, the following can be achieved.1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)Select 1, 2 or 3: 1
Specify the host name or IP address of the computer that the destination VPN Server or VPN Bridge is operating on.
By specifying according to the format ‘host name:port number’, you can also specify the port number.
(When the port number is unspecified, 443 is used.)
If nothing is input and the Enter key is pressed, the connection will be made to the port number 8888 of localhost (this computer).
Hostname of IP Address of Destination: ENTER
If connecting to the server by Virtual Hub Admin Mode, please input the Virtual Hub name.
If connecting by server admin mode, please press Enter without inputting anything.
Specify Virtual Hub Name: ENTER
Connection has been established with VPN Server “localhost” (port 443).You have administrator privileges for the entire VPN Server.

– Create a server password (highly recommended)

VPN Server>ServerPasswordSet
ServerPasswordSet command – Set VPN Server Administrator Password
Please enter the password. To cancel press the Ctrl+D key.
Password: serverpassword
Confirm input: serverpassword
The command completed successfully.

– Create a hub (chose which name you like)

VPN Server>HubCreate RT-AC68U
HubCreate command – Create New Virtual Hub
Please enter the password. To cancel press the Ctrl+D key.
Password: hubpassword
Confirm input: hubpassword
The command completed successfully.

– Connect to RT-AC68U hub

VPN Server>Hub RT-AC68U
Hub command – Select Virtual Hub to Manage
The Virtual Hub “RT-AC68U” has been selected.
The command completed successfully.

– Create a new user for hub RT-AC68U

VPN Server/RT-AC68U>UserCreate TeHashX
UserCreate command – Create User
Assigned Group Name: ENTER
User Full Name: ENTER
User Description: ENTER
The command completed successfully.

10 – Create a password for this user

VPN Server/RT-AC68U>UserPasswordSet TeHashX
UserPasswordSet command – Set Password Authentication for User Auth Type and Set Password
Please enter the password. To cancel press the Ctrl+D key.
Password: userpassword
Confirm input: userpassword
The command completed successfully.

11 – Enable Secure Nat for this hub

VPN Server/RT-AC68U>SecureNatEnable
SecureNatEnable command – Enable the Virtual NAT and DHCP Server Function (SecureNat Function)
The command completed successfully.

12 – Enable IPsec/L2TP

VPN Server/RT-AC68U>IPsecEnable
IPsecEnable command – Enable or Disable IPsec VPN Server Function
Enable L2TP over IPsec Server Function (yes / no): yes
Enable Raw L2TP Server Function (yes / no): no
Enable EtherIP / L2TPv3 over IPsec Server Function (yes / no): yes
Pre Shared Key for IPsec (Recommended: 9 letters at maximum): presharedkey
Default Virtual HUB in a case of omitting the HUB on the Username: RT-AC68U
The command completed successfully.

13 – Enable SSTP

VPN Server/RT-AC68U>sstpEnable yes
SstpEnable command – Enable / Disable Microsoft SSTP VPN Clone Server Function
The command completed successfully.

14 – Enable OpenVPN (you can change port number or input multiple ports)

VPN Server/RT-AC68U>OpenVPNEnable yes /PORTS:1194
OpenVpnEnable command – Enable / Disable OpenVPN Clone Server Function
The command completed successfully.

15 – Generate a server certificate, chose your ddns address as Common Name

VPN Server/RT-AC68U>ServerCertRegenerate [tehashx.asuscomm.com]
ServerCertRegenerate command – Generate New Self-Signed Certificate with Specified CN (Common Name) and Register on VPN Server
A new server certificate has been set.
If you are using OpenVPN protocols, please mind that you may have to update the inline certificate data in the OpenVPN configuration file.
The command completed successfully.

16 – Generate a Sample Setting File for OpenVPN Client

VPN Server/RT-AC68U>OpenVpnMakeConfig softethervpn/OpenVPNconfig.zip
OpenVpnMakeConfig command – Generate a Sample Setting File for OpenVPN Client
The sample setting file was saved as “softethervpn/OpenVPNconfig.zip”. You can unzip this file to extract setting files.
The command completed successfully.

17 – Create a bridge if you want to give wan access to connected clients

VPN Server/RT-AC68U>BridgeCreate RT-AC68U
BridgeCreate command – Create Local Bridge Connection
Bridge Destination Device Name: br0
While in the condition that occurs immediately after a new bridge connection is made when bridging to a physical network adapter, depending on the type of network adapter, there are cases where it will not be possible to communicate using TCP/IP to the network adapter using a bridge connection from a computer on the virtual network.
(This phenomenon is known to occur for Intel and Broadcom network adapters.)
If this issue arises, remedy the situation by restarting the computer on which VPN Server / Bridge is running. Normal communication will be possible after the computer has restarted.
Also many wireless network adapters will not respond to the sending of packets in promiscuous mode and when this occurs you will be unable to use the Local Bridge. If this issue arises, try using a regular wired network adapter instead of the wireless network adapter.
The command completed successfully.

18 – Exit VPN Command Line Management Utility

VPN Server/RT-AC68U>exit

19 – Open required ports (remove #!/bin/sh line if you already have firewall-start script)

cat >> /jffs/scripts/firewall-start << ‘EOF’
#!/bin/sh
iptables -I INPUT -p udp –destination-port 500 -j ACCEPT
iptables -I INPUT -p udp –destination-port 4500 -j ACCEPT
iptables -I INPUT -p udp –destination-port 1194 -j ACCEPT
EOF
chmod a+rx /jffs/scripts/firewall-start
sh /jffs/scripts/firewall-start

Now your SoftEther VPN server is configured and ready to accept connections 🙂
To connect with OpenVPN protocol download to your PC OpenVPNconfig.zip from /opt/etc/softethervpn, unzip and use openvpn_site_to_site_bridge_l2.ovpn to connect from pc and openvpn_remote_access_l3.ovpn to connect from smartphone but first replace “remote vpnxxxxxxxxx.v4.softether.net 1194” with your ddns address, like “remote tehashx.asuscomm.com 1194”
You can download Server Manager and/or SoftEther client from official site
Enjoy…

hqt