SoftEtherVPN Configuration/Installation

A quick lookup page for me to install softether vpn server on Ubuntu 16.04 since the apt version no longer work proper (17-01-2020)

Original apt version
https://launchpad.net/~paskal-07/+archive/ubuntu/softethervpn

Requirements

apt-get install -y build-essential make gcc

Download

wget -O /tmp/softether-vpnserver.tar.gz https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.32-9731-beta/softether-vpnserver-v4.32-9731-beta-2020.01.01-linux-x64-64bit.tar.gz

Extract

tar xfz /tmp/softether-vpnserver.tar.gz -C /usr/local

Compile

cd /usr/local/vpnserver
make

Method 1: Non-root User

Note that local bridge setting will not work, so you will need to use SecureNAT

Adding a service account for softether

sudo useradd --system --no-create-home softether

Permissions

chown -R softether:softether /usr/local/vpnserver

find /usr/local/vpnserver -type f -exec chmod 600 {} \;
find /usr/local/vpnserver -type d -exec chmod 700 {} \;

chmod +x /usr/local/vpnserver/vpncmd 
chmod +x /usr/local/vpnserver/vpnserver

Create /etc/systemd/system/softether.service

[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
ConditionPathExists=!/usr/local/vpnserver/do_not_run

[Service]
Type=forking
TasksMax=16777216
User=softether
Group=softether
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure

# Hardening
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/usr/local/vpnserver
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYSLOG CAP_SETUID

[Install]
WantedBy=multi-user.target

Allow vpnserver to bind to local ports despite being run by softether user (non-root)

sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/local/vpnserver/vpnserver

Start service

systemctl daemon-reload
systemctl start softether.service
systemctl enable softether.service

Method 2: Root User

Permissions

chown -R root:root /usr/local/vpnserver

find /usr/local/vpnserver -type f -exec chmod 600 {} \;
find /usr/local/vpnserver -type d -exec chmod 700 {} \;

chmod +x /usr/local/vpnserver/vpncmd 
chmod +x /usr/local/vpnserver/vpnserver

Create /etc/systemd/system/softether.service

cat > /lib/systemd/system/softether.service << EOF
[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
ConditionPathExists=!/usr/local/vpnserver/do_not_run

[Service]
Type=forking
TasksMax=16777216
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure

# Hardening
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/usr/local/vpnserver
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYSLOG CAP_SETUID

[Install]
WantedBy=multi-user.target
EOF

Run

Enable and start the Service

systemctl daemon-reload
systemctl start softether.service
systemctl enable softether.service

Clean up

rm -f /tmp/softether-vpnserver.tar.gz 

Full Script

apt-get update
apt-get install -y build-essential make gcc

curl -s https://api.github.com/repos/SoftEtherVPN/SoftEtherVPN_Stable/releases/latest \
| grep "softether-vpnserver.*linux-x64-64bit.tar.gz" \
| cut -d : -f 2,3 \
| tr -d \" \
| wget -O /tmp/softether-vpnserver.tar.gz  -i -

cd /usr/local/vpnserver
make

chown -R root:root /usr/local/vpnserver

find /usr/local/vpnserver -type f -exec chmod 600 {} \;
find /usr/local/vpnserver -type d -exec chmod 700 {} \;

chmod +x /usr/local/vpnserver/vpncmd 
chmod +x /usr/local/vpnserver/vpnserver

cat > /lib/systemd/system/softether.service << EOF
[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
ConditionPathExists=!/usr/local/vpnserver/do_not_run

[Service]
Type=forking
TasksMax=16777216
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure

# Hardening
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/usr/local/vpnserver
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYSLOG CAP_SETUID

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl start softether.service
systemctl enable softether.service
rm -f /tmp/softether-vpnserver.tar.gz