If you’re keen on setting up your own VPN for free, there’s no easier way to do it than with SoftEther. SoftEther is a VPN solution with free software to connect a server to a client. It’s relatively easy to use compared to the standard OpenVPN setup, and it supports more protocols. They include OpenVPN, L2TP/IPSec, PPTP, SSTP, and EtherIP.
Once set up, you should be able to use your homemade VPN just like any other commercial VPN: bypass censorship, unblock geo-locked content, secure open wifi connections, and encrypt P2P file transfers. We’ve even tested this with Netflix and were able to bypass the VPN and proxy firewall to watch US Netflix from Germany, something many paid VPN providers struggle with (we’ve got a list here of paid services that beat the Netflix VPN ban).
What you need to make your own VPN using SoftEther:
Before we get started, make sure you have all the following ingredients:
Launch an EC2 instance
Congratulations, you have a server. Now we need to access it.
Accessing your EC2 instance
For this tutorial, we’ll be using PuTTY and PuTTYgen on Windows. Mac and Linux users can just use their terminal. First, we need to generate a key file so we can access our server through SSH.
- Open PuTTYgen
- Click Load
- Navigate to wherever you downloaded your .pem key pair. Click the dropdown menu in your file navigator to show “All files”, or else the .pem key won’t appear. Select the .pem file and click Open.
- Click “Save private key” and confirm to save without a passphrase. You must give it a file name identical to that of the .pem file. In this case, “softether”.
With the .ppk private key file in hand, we can now connect to the server.
You are now SSH’ed into your server. Anything you type into the PuTTY terminal is a command for the server, not for your local computer.
Install SoftEther on your EC2 instance
Now that you can give commands to your server, we can install the SoftEther server application. Unfortunately, SoftEther is not available in any package managers, so we’ll have to download it from the website. But before we do that, let’s make sure everything is up to date.
- In the PuTTY terminal, type sudo yum upgrade (note other versions of Linux may use “apt-get” instead of “yum”).
- Type wget http://www.softether-download.com/files/softether/v4.21-9613-beta-2016.04.24-tree/Linux/SoftEtherVPNServer/64bit-Intelx64or_AMD64/softether-vpnserver-v4.21-9613-beta-2016.04.24-linux-x64-64bit.tar.gz and hit Enter.
- If the above download fails, you can find the latest version of the SoftEther VPN Server software here. Replace the URL in the above command with the download link on SoftEther’s website.
- Copy the name of the file you just downloaded as it’s displayed in the terminal.
- Type tar xzvf softether-vpnserver-v4.21-9613-beta-2016.04.24-linux-x64-64bit.tar.gz and hit Enter to unpack the file into a new directory called “vpnserver”.
- In order to compile those files, type sudo yum groupinstall "Development Tools"
- Some users have reported the gcc package won’t install via the above command, in which case you can type and enter sudo yum install gcc
- Type and enter cd vpnserver
- Type and enter make
- Type “1” and hit Enter three times to get through the licensing agreement.
SoftEther is now compiled and can be executed on your server. One step closer!
Start SoftEther as a service
Next we’re going to make a file in the init.d folder that will automatically start SoftEther as a service whenever the server boots up. This will save us the trouble of turning it on manually each time we stop and start the server. You can skip this step if you please, but it can save you a lot of time in the long run. First, let’s move the SoftEther directory somewhere else.
- Type the following commands, hitting Enter after each line:
- cd ..
- sudo mv vpnserver /usr/local
- cd /usr/local/vpnserver/
- Now change the file permissions to protect your files using the following commands:
- chmod 600 *
- chmod 700 vpnserver
- chmod 700 vpncmd
- Create a file by typing sudo nano /etc/init.d/vpnserver
- In the empty text file, paste the following (you can paste by right clicking in Windows):
#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
# Do nothing if the server binary is missing or not executable
test -x $DAEMON || exit 0
case "$1" in
start)
    $DAEMON start
    touch $LOCK
    ;;
stop)
    $DAEMON stop
    rm $LOCK
    ;;
restart)
    $DAEMON stop
    sleep 3
    $DAEMON start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0
- Press CTRL+O (‘o’ not zero) and hit Enter to save the file. Then hit CTRL+X to exit Nano.
- Type the following commands to make SoftEther run on startup:
- mkdir /var/lock/subsys (this might already exist)
- sudo su
- chmod 755 /etc/init.d/vpnserver && /etc/init.d/vpnserver start
- chkconfig --add vpnserver
SoftEther will now run automatically at server startup.
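The permission scheme set in the steps above (600 for every file, 700 for vpnserver and vpncmd) can be re-checked at any later point, for instance after an upgrade or a restore from backup. The audit below is an added example, not part of the original tutorial; the function names are hypothetical and it assumes GNU stat, as found on Amazon Linux.

```shell
#!/bin/sh
# Added example: audit a SoftEther install directory against the tutorial's
# permission scheme (vpnserver and vpncmd 700, every other file 600).

# Print one line per top-level regular file whose mode differs from the scheme.
# Output format: "<path> <actual-mode> <expected-mode>"
audit_vpnserver_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -maxdepth 1 -type f | sort | while IFS= read -r f; do
        case ${f##*/} in
            vpnserver|vpncmd) want=700 ;;   # the two executables
            *)                want=600 ;;   # config, data and text files
        esac
        have=$(stat -c '%a' "$f")           # GNU stat: octal mode, e.g. 600
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$f" "$have" "$want"
    done
}

# Return 0 if the directory matches the scheme, 1 if any file deviates,
# 2 if the directory does not exist.
vpnserver_perms_ok() {
    out=$(audit_vpnserver_perms "$1") || return 2
    [ -z "$out" ]
}

# When called with a directory argument, report deviations for it, e.g.:
#   sudo sh audit.sh /usr/local/vpnserver
if [ $# -gt 0 ]; then
    audit_vpnserver_perms "$1"
fi
```

Any line it prints names a file that is more (or less) permissive than the tutorial intended; re-run the chmod commands from the steps above to restore the scheme.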
Check to make sure SoftEther is working
Here we will run a quick check to make sure everything is working as desired.
- Type cd /usr/local/vpnserver and hit Enter
- Type ./vpncmd and hit Enter
- Type ‘3’ to choose the third option and hit Enter
- Type check and hit Enter to run the test
You should receive a message that all the checks passed. If not, something went wrong.
Type “exit” to quit vpntools.
Configuring SoftEther
Next we need to configure SoftEther so we can connect to it from our PC client.
1. While you’re still in the vpnserver directory, type ./vpncmd
2. Choose option 1 and hit Enter
3. For the hostname IP, input the IP address of the EC2 server instance followed by a colon and port 5555. You can find the IP of your server instance on the EC2 dashboard. The input should look like this: 123.123.123.123:5555
4. In the next step, leave the input blank and hit Enter to connect from the Server Admin node
5. The prompt should now read “VPN Server>”. Enter ServerPasswordSet and hit Enter
6. Enter a password of your choice and type it again to confirm
7. Next, type HubCreate VPN and enter a new password that you will use to log in when you are not in Server Admin mode
8. Type Hub VPN and hit Enter
9. Type SecureNatEnable
10. Type UserCreate paul, replacing “paul” with a username of your choice.
11. You will be asked to enter a Group Name, Full Name, and Description for the new user. Leave the Group Name blank, and use whatever you want for the other two.
12. Type UserPasswordSet paul, replacing paul with the username you just created. Enter and confirm a password for that user.
13. Repeat steps 10-12 for as many users as you wish.
A couple notes here. In step 9, we use Secure NAT as the means to connect hubs to the server network. Another option is Local Bridge connection, but it’s more complicated and requires you set up a DHCP server. Secure NAT takes care of the DHCP server for you.
In step 12, we use the UserPasswordSet command to enable password authentication on a particular user. SoftEther supports several other types of authentication, which can vary between users. They include NT domain, anonymous, RADIUS, individual certificate, and signed certificate authentication.
Set up L2TP/IPSec on the VPN server
We decided to use L2TP/IPSec as the VPN protocol in this tutorial for three main reasons: a) it’s more secure than PPTP, b) it’s easier to set up than OpenVPN, and c) it works across multiple operating systems, unlike the Windows-only SSTP.
- While still in vpncmd’s “VPN Server>” prompt, enter IPsecEnable
- Next you are given a series of configuration prompts. Below we’ll give our recommended answers:
- Enable L2TP over IPsec Server Function – yes, enable the VPN for use on multiple devices including Windows PC, Mac OSX, iOS, and Android
- Enable Raw L2TP Server Function – no, do not allow connections without encryption
- Enable EtherIP / L2TPv3 over IPsec Server Function – yes, allow routers with this built-in function to connect
- Next comes the pre-shared key. This is a password with a maximum of nine characters. Enter whatever you like.
- For “Default Virtual HUB in a case of omitting the HUB on the Username:”, simply enter VPN
That’s it! Make sure you write down all the passwords you’ve created above and what each one is for.
Connecting to your homemade SoftEther VPN
You can connect to your VPN using any L2TP-compatible VPN client you want, but we’ll show you how to do it with SoftEther’s own app. Start by downloading and installing the client for your operating system here.
- Open the SoftEther VPN Client Manager app and click “Add a VPN connection”
- You’ll be prompted to create a virtual adapter if you haven’t already. Confirm and press OK to accept the default name.
- In the Properties window that appears, enter the following:
- A Setting Name of your choice
- Host Name is your server’s IP address
- Port Number is 5555 as specified above
- Virtual Hub Name is “VPN” as specified above
- User Name is the username you set on the server above, in this case “paul”
- Password is what you set for that user with the UserPasswordSet function above
Leave everything else to the default settings and press OK. Now, back on the main window, double click the connection you just set up to connect.
A message will appear saying your VPN connection was established. Congratulations! You are now connected to your homemade VPN!
Somewhere in this tutorial, something will probably go wrong for you. If you really want a VPN but aren’t willing to do your fair share of troubleshooting, it’s probably best to opt for a paid VPN service. There are a fair number of off-the-shelf free VPN services, but they have their limitations. Linux users can find a list of our favorite VPNs for Debian and Fedora distros here. Paid subscription VPNs also allow you to channel your internet traffic through dozens of geographic locations, whereas an EC2 instance is limited to just one. Check out our VPN reviews here!