SoftEther VPN
Description
Daiyuu Nobori developed SoftEther VPN as part of his master’s thesis at the University of Tsukuba, Japan, and released it publicly on January 4, 2014 under GPLv2. The name combines “Software” and “Ethernet,” reflecting the project’s core idea: replacing physical network hardware with software-emulated equivalents. The license changed to Apache License 2.0 on January 21, 2019, making the terms more permissive for commercial and embedded use. The project accepts community contributions through GitHub.
SoftEther differs from most VPN software by supporting seven distinct VPN protocols simultaneously from a single server binary — SSL-VPN (HTTPS), WireGuard, OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3, and EtherIP — without requiring separate server instances for each. This makes it the only VPN software in its class to cover all of these protocols under one installation. Organizations can serve clients that speak any of these protocols from the same machine without running parallel software stacks.
VIRTUAL ETHERNET ARCHITECTURE
SoftEther’s architecture centers on software emulation of physical networking components. The Virtual Hub acts as a software-simulated Ethernet switch: it learns MAC addresses, builds a forwarding database, and switches packets between connected sessions exactly as a physical switch would, but entirely in software. The Virtual Network Adapter on each client computer emulates a physical Ethernet network card at the operating system level. A VPN Session represents the virtual cable connecting the adapter to the hub.
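The switching behaviour described above, as an added example (not SoftEther code): a toy learning switch in Python where each attached VPN session plays the role of a switch port. The class name, session names and MAC addresses are constructed for the illustration.

```python
# Toy learning Ethernet switch modelling the Virtual Hub behaviour described
# in the text. Illustration only; names and frames are constructed.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class VirtualHub:
    name: str
    sessions: set = field(default_factory=set)   # attached VPN sessions ("ports")
    fdb: dict = field(default_factory=dict)      # forwarding database: MAC -> session

    def attach(self, session):
        self.sessions.add(session)

    def detach(self, session):
        # Purge the session's FDB entries too, otherwise frames would still
        # be switched towards a virtual cable that no longer exists.
        self.sessions.discard(session)
        self.fdb = {mac: s for mac, s in self.fdb.items() if s != session}

    def switch(self, ingress, src_mac, dst_mac):
        """Return the sorted list of sessions the frame is delivered to."""
        if ingress not in self.sessions:
            raise ValueError(f"{ingress} is not attached to hub {self.name}")
        # Learn (or re-learn after a move) which session the source MAC is on.
        self.fdb[src_mac.lower()] = ingress
        dst = dst_mac.lower()
        egress = self.fdb.get(dst)
        if dst == BROADCAST or egress is None:
            # Broadcast or unknown unicast: flood to every other session.
            return sorted(self.sessions - {ingress})
        if egress == ingress:
            return []          # destination sits behind the ingress session
        return [egress]

def demo():
    hub = VirtualHub("HUB1")
    for s in ("SID-ALICE", "SID-BOB", "SID-BRIDGE"):
        hub.attach(s)
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    out = [hub.switch("SID-ALICE", a, BROADCAST),   # broadcast: flooded
           hub.switch("SID-BOB", b, a),             # a already learned: unicast
           hub.switch("SID-ALICE", a, b)]           # b already learned: unicast
    hub.detach("SID-BOB")
    out.append(hub.switch("SID-ALICE", a, b))       # entry purged: flooded again
    return out
```

Flooded frames reach every session on the same hub, so all sessions of one hub share a broadcast domain; separation between groups of users comes from placing them on different hubs, each with its own forwarding database.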
The Local Bridge function ties a Virtual Hub to a physical Ethernet adapter on the server machine. This bridge merges the virtual and physical network segments so that VPN clients can communicate with real devices — printers, file servers, network equipment — on the local network as if they connected directly. For site-to-site VPN, SoftEther VPN Bridge installs at a remote office and establishes a cascade connection back to the central VPN Server, linking both offices at layer 2 without requiring routing configuration on either end.
The server can run multiple independent Virtual Hubs simultaneously, each isolated from the others. Separate administrators can manage individual hubs with delegated privileges, and each hub carries its own user list and access control rules without visibility into the others.
SSL-VPN AND FIREWALL BYPASS
SoftEther wraps all VPN traffic inside standard HTTPS connections on TCP port 443 by default. Firewalls and deep packet inspection systems that examine traffic flows see HTTPS sessions rather than VPN handshakes, because the encapsulation mimics real HTTPS behavior closely enough to pass inspection. This allows SoftEther to operate on networks that block conventional VPN protocols by targeting their characteristic port numbers or handshake patterns.
For environments where even HTTPS traffic faces restrictions, SoftEther provides two additional bypass mechanisms. VPN over ICMP encapsulates Ethernet frames inside ICMP echo packets (the same packet type used by the ping utility), which most firewalls pass without inspection. VPN over DNS encapsulates frames inside DNS query and response packets, exploiting the near-universal permission that networks grant to DNS traffic. These two modes trade throughput for penetration, functioning in environments where no other tunnel can be established.
To improve throughput on high-latency or lossy connections, the SSL-VPN tunnel can open between 1 and 32 parallel TCP connections simultaneously. The logical VPN session multiplexes traffic across all active connections, and the software aggregates their bandwidth. This parallel transmission mechanism raises effective throughput on links where a single TCP connection cannot fill the available bandwidth due to window size or latency constraints.
PROTOCOL COMPATIBILITY
The OpenVPN clone function accepts connections from standard OpenVPN clients — both the desktop application and OpenVPN Connect — without any modification to the client configuration beyond pointing it at the SoftEther server address. Administrators migrating from OpenVPN deployments can redirect existing client profiles to a SoftEther server and retain all client software unchanged.
The MS-SSTP implementation clones Microsoft’s Secure Socket Tunneling Protocol as found in Windows Server 2008 R2 and later. Windows clients can connect using the built-in VPN client without installing any additional software, using the same SSTP configuration they would use for a genuine Microsoft server. The L2TP/IPsec server function similarly serves the native VPN clients built into iOS, Android, Windows, and macOS, covering mobile devices that lack support for other protocols.
The L2TPv3 and EtherIP implementations handle site-to-site connections from network equipment — Cisco routers, managed switches, and other hardware that speaks these protocols natively — allowing SoftEther to integrate with existing infrastructure without replacing edge hardware.
AUTHENTICATION METHODS
SoftEther supports six user authentication methods that administrators can assign per user or per Virtual Hub. Anonymous authentication grants access to anyone who supplies a registered username, suited to publicly offered hubs. Standard password authentication hashes the password at entry and verifies it through a challenge-response exchange so the plaintext password never travels over the network. RADIUS authentication delegates credential checking to an external RADIUS server, integrating with existing corporate authentication infrastructure. NT domain and Active Directory authentication validates credentials against a Windows domain controller, allowing single sign-on for domain users. X.509 certificate authentication uses PKI key pairs — either key files on disk or keys stored on PKCS#11 smart cards and USB tokens — for the strongest credential binding. The server presents its own certificate to clients during connection setup, and clients verify it before completing authentication, preventing impersonation of the server.
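The challenge-response idea behind standard password authentication, as an added example (not SoftEther's code or wire format): both sides derive the same verifier from the password, and only a random challenge and a keyed response cross the network. PBKDF2-HMAC-SHA256, HMAC-SHA256, the username-as-salt choice and the sample credentials are assumptions made for the illustration.

```python
# Challenge-response password check. Illustration only: the hash and MAC
# constructions are stand-ins, not SoftEther's actual algorithm.
import hashlib
import hmac
import secrets

def password_verifier(username, password):
    # "Hashed at entry": the plaintext is turned into a verifier immediately.
    salt = username.lower().encode()          # assumption: username as salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def client_response(username, password, nonce):
    # The client proves knowledge of the verifier without sending it.
    key = password_verifier(username, password)
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.users = {}      # username -> stored verifier
        self.pending = {}    # username -> outstanding challenge

    def register(self, username, password):
        self.users[username] = password_verifier(username, password)

    def challenge(self, username):
        nonce = secrets.token_bytes(32)       # fresh random challenge per attempt
        self.pending[username] = nonce
        return nonce

    def verify(self, username, response):
        nonce = self.pending.pop(username, None)   # single use: blocks replay
        verifier = self.users.get(username)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare

def demo():
    srv = Server()
    srv.register("alice", "correct horse battery staple")   # constructed credentials
    nonce = srv.challenge("alice")
    resp = client_response("alice", "correct horse battery staple", nonce)
    ok = srv.verify("alice", resp)
    replay = srv.verify("alice", resp)        # challenge already consumed
    srv.challenge("alice")
    replay_new = srv.verify("alice", resp)    # old response against a new nonce
    wrong = srv.verify("alice", client_response("alice", "guess", srv.challenge("alice")))
    return ok, replay, replay_new, wrong
```

In a scheme of this shape the stored verifier is enough to answer any challenge, so the server's user database needs the same protection as the passwords themselves.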
ENCRYPTION AND SECURITY
SoftEther applies 256-bit AES encryption on the data channel and uses 4096-bit RSA keys for certificate operations. All VPN session traffic travels inside SSL/TLS, with support for TLS 1.0, 1.1, and 1.2. The server administrator can select the cipher suite independently for each Virtual Hub, choosing from AES, DES, RC4, and their variants along with SHA-1 or MD5 for HMAC. The default configuration selects AES-128 with SHA-1. DES, RC4, and MD5 are no longer considered secure, and TLS 1.0 and 1.1 were deprecated by RFC 8996, so hardened deployments restrict the selection to AES suites over TLS 1.2.
Packet filtering rules apply inside the VPN tunnel on each Virtual Hub, blocking specific source addresses, protocols, or port ranges before packets reach other connected sessions. The firewall operates at the virtual switch level rather than at the OS network stack, so it handles intra-VPN traffic that never touches the physical interface. The server logs all connection events, authentication attempts, packet counts, and administrative actions to configurable log files per Virtual Hub, with log rotation and retention settings adjustable independently for each hub.
NAT TRAVERSAL AND DYNAMIC DNS
SoftEther’s NAT traversal activates by default and requires no open ports on the server-side router or firewall. Clients on the internet initiate outbound connections to the server, and SoftEther negotiates the path through any intervening NAT without the administrator opening inbound port forwarding rules. The embedded dynamic DNS function registers the server’s current public IP address under a hostname automatically, so clients connect by hostname rather than IP address even when the server’s ISP-assigned address changes. This allows deployment on residential or consumer broadband connections without a static IP contract.
PERFORMANCE AND CLUSTERING
SoftEther targets 1 Gbps-class throughput on commodity server hardware by reducing memory copy operations in the packet path and running parallel transmission across multiple TCP connections in SSL-VPN mode. A clustering feature distributes client sessions across a pool of server instances behind a shared virtual IP address. The cluster controller balances load dynamically as sessions connect and disconnect, allowing the deployment to scale horizontally by adding more server machines rather than upgrading existing hardware.
MANAGEMENT TOOLS
Three management interfaces address different operator needs. VPN Server Manager provides a Windows GUI application that connects to the server over the network and exposes all configuration through a graphical interface. The vpncmd command-line utility runs on all supported platforms and accepts the complete set of management commands in both interactive and scripted modes, suiting automated deployment and configuration management workflows. A JSON-RPC API exposes nearly all server control operations as HTTP endpoints, allowing developers to build custom management applications or integrate server control into cloud orchestration systems using any language capable of making HTTP requests.
VPNGATE
VPNGate is a separate academic experiment at the University of Tsukuba that runs on top of SoftEther VPN Server. Volunteers worldwide install SoftEther VPN Server and register their instances with the VPNGate relay database. Any user can download the VPNGate client, fetch the current relay list, and connect through a volunteer server to reach the internet. The project targets users in countries with internet access restrictions. It operates independently from the main SoftEther VPN development effort but depends on SoftEther’s server software and protocol for its relay infrastructure.