How To Install SoftEther VPN Server on AlmaLinux 10
Setting up a robust VPN solution on your AlmaLinux 10 server doesn’t have to be complicated. SoftEther VPN Server stands out as one of the most powerful and versatile open-source VPN platforms available today, developed by researchers at the University of Tsukuba in Japan. This comprehensive guide walks you through every step of installing and configuring SoftEther VPN Server on AlmaLinux 10, providing you with enterprise-grade security features including 256-bit AES encryption and multi-protocol support. AlmaLinux 10, as a stable, community-driven RHEL-compatible distribution, offers the perfect foundation for hosting production VPN services. Whether you’re securing remote access for your team, creating site-to-site connections, or bypassing restrictive firewalls, this tutorial covers everything from initial system preparation to advanced configuration options.
What is SoftEther VPN?
SoftEther VPN represents a paradigm shift in virtual private networking technology. Unlike traditional VPN solutions that operate at Layer 3 (network layer), SoftEther functions at Layer 2 (Ethernet level), providing more flexible and powerful connectivity options. Originally conceived as an academic research project, this cross-platform software has evolved into a production-ready solution trusted by enterprises worldwide.
The software’s architecture supports multiple VPN protocols simultaneously, including its proprietary SSL-VPN protocol, L2TP/IPsec, OpenVPN, Microsoft SSTP, and EtherIP. This multi-protocol approach ensures compatibility with virtually any client device or operating system without requiring specialized software installations. SoftEther secures sessions with SSL/TLS (versions 1.0 through 1.3), protecting data in transit with 256-bit AES encryption and RSA certificate authentication.
One of SoftEther’s most innovative features is its parallel transmission mechanism. The software can establish up to 32 concurrent SSL-VPN tunnels, automatically distributing network packets across multiple TCP connections. This intelligent load balancing significantly improves throughput, especially on high-latency or unstable network connections. Performance benchmarks consistently show speeds up to five times faster than conventional OpenVPN implementations.
Key Features and Benefits
SoftEther VPN delivers comprehensive security features that meet enterprise requirements. The platform implements advanced encryption algorithms including AES-128, AES-256, and RC4, combined with SHA-256 for integrity verification. Authentication mechanisms support multiple methods: password-based authentication, RSA certificate validation, RADIUS server integration, and Windows NT Domain authentication. The built-in packet filtering engine allows administrators to create granular access control lists, preventing unauthorized access and protecting against man-in-the-middle attacks.
Performance optimization sets SoftEther apart from competing solutions. The parallel TCP connection feature intelligently manages multiple simultaneous tunnels, compensating for packet loss and network congestion. Quality of Service (QoS) capabilities prioritize time-sensitive traffic like VoIP calls and video conferencing. The dynamic DNS function eliminates the need for static IP addresses, automatically updating hostname records when IP addresses change.
Firewall transparency represents another crucial advantage. SoftEther tunnels VPN traffic through HTTPS (TCP port 443), the same protocol used for secure web browsing. This approach allows VPN connections to traverse even the most restrictive corporate firewalls and proxy servers. Network administrators can establish secure connections from environments that block traditional VPN protocols entirely.
The software’s flexibility extends to deployment scenarios. SoftEther supports remote access VPN for mobile workers, site-to-site VPN for connecting branch offices, and cascade connections for creating complex network topologies. Virtual Hub functionality enables administrators to create multiple isolated VPN networks on a single server, each with independent security policies and user databases.
Prerequisites
Before beginning the installation process, ensure your system meets the minimum hardware and software requirements. AlmaLinux 10 requires a 64-bit processor with x86_64 architecture running at least 1 GHz clock speed. The server should have a minimum of 2 GB RAM, though 4 GB is recommended for production environments handling multiple concurrent connections. Allocate at least 20 GB of disk space to accommodate the operating system, VPN server software, logs, and configuration files.
Your AlmaLinux 10 installation should be fresh and fully updated. Root access or sudo privileges are mandatory for installing packages and modifying system configurations. A stable internet connection is essential throughout the installation process for downloading packages and dependencies. Consider configuring a static IP address for your VPN server to simplify client configurations and DNS management.
The compilation process requires several development tools and libraries. The gcc compiler, make utility, and binutils package provide essential build capabilities. Runtime dependencies include glibc (GNU C Library), zlib compression library, OpenSSL cryptographic toolkit, readline library for interactive command-line input, and ncurses library for terminal handling. These packages enable SoftEther to compile successfully and function properly on your AlmaLinux system.
Network prerequisites include firewall access to configure port forwarding rules. If your server sits behind a NAT router, you’ll need administrative access to configure port forwarding. Document your server’s internal and external IP addresses before proceeding with the installation.
Step 1: Update AlmaLinux 10 System
Maintaining an updated system is the foundation of security and stability. Before installing any new software, refresh your package repositories and upgrade all installed packages to their latest versions. This practice prevents dependency conflicts and ensures compatibility with newly installed software.
Execute the following command to update your AlmaLinux 10 system:
sudo dnf update -y && sudo dnf upgrade -y
The dnf update command refreshes package metadata and installs newer versions of currently installed packages. The dnf upgrade command performs the same updates but also intelligently handles obsolete packages, removing them when necessary. The -y flag automatically confirms all prompts, streamlining the update process.
This update process may take several minutes depending on your internet connection speed and the number of packages requiring updates. The system might download hundreds of megabytes of package data. Monitor the output for any errors or warnings that might indicate repository problems or corrupted packages.
After completing the update, consider rebooting your server if kernel updates were installed. While not always mandatory, a reboot ensures all system services run with the latest security patches and kernel features. Check which kernel version is active using uname -r and verify it matches the latest installed kernel.
Step 2: Install Required Dependencies
Compiling SoftEther from source requires a complete development environment. AlmaLinux 10 provides convenient package groups that bundle related software together, simplifying the installation of multiple related packages.
Install the necessary development tools and libraries:
sudo dnf groupinstall "Development Tools" -y
sudo dnf install wget curl gcc make readline-devel ncurses-devel openssl-devel zlib-devel -y
The “Development Tools” group includes essential compilation utilities. GCC (GNU Compiler Collection) translates human-readable source code into machine-executable binaries. The make utility automates the build process by following instructions in makefiles. Binutils provides tools for manipulating binary files, including linkers and assemblers.
Individual package installations serve specific purposes. Wget and curl are command-line tools for downloading files from web servers. Readline-devel provides development headers for the readline library, enabling interactive command-line editing with history and completion features. Ncurses-devel offers terminal control capabilities for creating text-based user interfaces.
OpenSSL-devel is particularly critical for VPN functionality. This package provides development files for OpenSSL, the cryptographic library that powers SoftEther’s encryption capabilities. Without OpenSSL support, SoftEther cannot establish secure VPN connections. Zlib-devel enables data compression, reducing bandwidth consumption and improving connection speeds.
Verify successful installation by checking package versions:
gcc --version
make --version
openssl version
Each command should return version information, confirming the software is installed and accessible from your command line.
Step 3: Download SoftEther VPN Server
Obtaining the correct SoftEther package ensures compatibility with your AlmaLinux 10 system. The official SoftEther download portal offers packages for various operating systems and CPU architectures. Navigate to the SoftEther download center using your web browser or proceed directly from the command line.
The download process involves selecting four options. First, choose “SoftEther VPN Server” as the software component. Second, select “Linux” as your operating system. Third, choose “Intel x64 / AMD64 (64bit)” for CPU architecture. Finally, select the latest RTM (Release to Manufacturing) version, which represents the stable production release.
Download the package directly to your server using wget:
cd /tmp
wget https://www.softether-download.com/files/softether/v4.41-9782-beta/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.41-9782-beta-2022.11.17-linux-x64-64bit.tar.gz
Note that version numbers change with each release. Visit the download page to identify the current version string and update the wget URL accordingly. The filename follows a consistent pattern: softether-vpnserver-[version]-linux-x64-64bit.tar.gz.
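As a basic sanity check, confirm the download completed by checking its size. The package typically ranges from 5 to 15 megabytes. Corrupt or incomplete downloads result in compilation failures later in the installation process. A plausible size shows only that the transfer finished; it does not prove the file is authentic.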
ls -lh softether-vpnserver-*.tar.gz
The output displays file size and permissions, allowing you to confirm a successful download before proceeding to extraction and compilation.
Step 4: Extract and Compile SoftEther VPN Server
Extracting the downloaded archive creates a directory structure containing source code, configuration files, and build instructions. The tar command handles compressed archive extraction, decompressing the gzip-compressed tar file in a single operation.
Extract the SoftEther package:
tar -xvzf softether-vpnserver-*.tar.gz
cd vpnserver
The extraction process creates a directory named “vpnserver” containing all necessary files. The -x flag extracts files, -v enables verbose output showing each extracted file, -z handles gzip decompression, and -f specifies the filename.
Compilation transforms human-readable source code into executable machine code optimized for your specific CPU architecture. Before compiling, SoftEther presents its End User License Agreement, which you must review and accept.
Initiate the compilation process:
make
The make command reads instructions from the Makefile and executes compilation steps sequentially. During compilation, you’ll encounter three prompts requiring acceptance of license terms. Read each agreement and press 1 to indicate “Yes” for each prompt. The first prompt asks if you read the agreement, the second confirms you understand its terms, and the third represents your acceptance.
Compilation typically completes within two to five minutes on modern hardware. The process generates considerable output as the compiler processes each source file. Warning messages are normal and generally harmless, but error messages indicate problems requiring attention. Successful compilation concludes with messages confirming the creation of executable files.
Verify compilation success:
ls -la
The directory should now contain executable files including vpnserver (the main server daemon) and vpncmd (the command-line administration tool). These files have file sizes significantly larger than the original source files, indicating successful binary creation.
Move the compiled software to a permanent location:
cd ..
sudo mv vpnserver /usr/local/
cd /usr/local/vpnserver
Setting appropriate file permissions enhances security by restricting access to authorized users only:
sudo chmod 600 *
sudo chmod 700 vpnserver vpncmd
Permission 600 (read/write for owner only) protects configuration files containing sensitive information. Permission 700 (read/write/execute for owner only) allows the server daemon and command tool to execute while preventing unauthorized access.
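The permission scheme above can be checked mechanically. The following is an added example, not part of the original tutorial; the function names and the constructed sample directory are assumptions, and it also checks ownership, because the unit file in Step 5 has no User= line and the daemon therefore runs as root.

```shell
#!/bin/sh
# Added example: audit the mode/owner scheme from Step 4
# (600 for data files, 700 for the vpnserver and vpncmd binaries).
# Uses GNU stat (-c), which AlmaLinux ships in coreutils.

# audit_vpn_perms DIR [UID]
#   Checks every regular file directly inside DIR, the same set that
#   "chmod 600 *" touches. Prints one line per deviation and returns 1
#   if any were found. UID is the numeric owner to expect (default 0).
#   Ownership matters because "sudo mv" keeps the ownership of whoever
#   unpacked and built the tree.
audit_vpn_perms() {
    avp_dir=$1
    avp_uid=${2:-0}
    avp_status=0
    for avp_path in "$avp_dir"/*; do
        [ -f "$avp_path" ] || continue
        avp_name=${avp_path##*/}
        case "$avp_name" in
            vpnserver|vpncmd) avp_want=700 ;;
            *)                avp_want=600 ;;
        esac
        avp_mode=$(stat -c '%a' "$avp_path")
        avp_owner=$(stat -c '%u' "$avp_path")
        if [ "$avp_mode" != "$avp_want" ]; then
            echo "MODE $avp_name: $avp_mode, expected $avp_want"
            avp_status=1
        fi
        if [ "$avp_owner" != "$avp_uid" ]; then
            echo "OWNER $avp_name: uid $avp_owner, expected uid $avp_uid"
            avp_status=1
        fi
    done
    return $avp_status
}

# Constructed sample tree (not a real installation): one data file is
# deliberately left world-readable so the audit has something to report.
make_sample_tree() {
    mst_dir=$(mktemp -d) || return 1
    touch "$mst_dir/vpnserver" "$mst_dir/vpncmd" \
          "$mst_dir/vpn_server.config" "$mst_dir/hamcore.se2"
    chmod 700 "$mst_dir/vpnserver" "$mst_dir/vpncmd"
    chmod 600 "$mst_dir/vpn_server.config"
    chmod 644 "$mst_dir/hamcore.se2"
    printf '%s\n' "$mst_dir"
}

# Demo on the constructed tree, owned by the current user.
# On a real server: sudo sh -c '. ./this_script; audit_vpn_perms /usr/local/vpnserver'
demo_dir=$(make_sample_tree)
audit_vpn_perms "$demo_dir" "$(id -u)" || echo "deviations found in the constructed sample"
rm -rf "$demo_dir"
```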
Step 5: Create a Systemd Service File
Systemd is AlmaLinux 10’s initialization system and service manager. Creating a systemd unit file enables automatic VPN server startup during system boot and provides convenient service management commands for starting, stopping, and monitoring the VPN server.
Create the systemd service file:
sudo nano /etc/systemd/system/softether-vpnserver.service
Insert the following configuration:
[Unit]
Description=SoftEther VPN Server
After=network.target
Wants=network-online.target
[Service]
Type=forking
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure
RestartSec=10s
[Install]
WantedBy=multi-user.target
The [Unit] section defines service metadata and dependencies. The After=network.target directive ensures networking is available before starting the VPN server. The Description provides a human-readable service name displayed in status outputs.
The [Service] section specifies how systemd should manage the service process. Type=forking indicates the vpnserver executable daemonizes itself, creating a child process and exiting the parent. ExecStart and ExecStop define commands for starting and stopping the service. The Restart=on-failure directive automatically restarts the service if it crashes unexpectedly. RestartSec=10s introduces a ten-second delay before restart attempts, preventing rapid restart loops.
The [Install] section controls service enablement. WantedBy=multi-user.target ensures the service starts when the system reaches multi-user mode, the standard boot state for servers.
Save and close the file (Ctrl+X, then Y, then Enter in nano). Reload systemd configuration to recognize the new service:
sudo systemctl daemon-reload
Start the SoftEther VPN Server service:
sudo systemctl start softether-vpnserver
Enable automatic startup at boot:
sudo systemctl enable softether-vpnserver
Verify the service is running correctly:
sudo systemctl status softether-vpnserver
The status output should display “active (running)” in green text, indicating successful service initialization. Check for error messages if the service fails to start, examining log entries for troubleshooting clues.
Step 6: Configure Firewall Rules
AlmaLinux 10 uses firewalld as its default firewall management system. Properly configured firewall rules permit legitimate VPN traffic while blocking unauthorized access attempts. SoftEther VPN Server requires multiple ports for different protocols and connection types.
SoftEther’s default configuration listens on several TCP ports. Port 443 serves SSL-VPN connections using HTTPS protocol, providing excellent firewall compatibility. Port 992 supports TELNETS protocol connections. Port 5555 is SoftEther’s default administrative port. Port 8888 serves as an optional alternative listener.
For L2TP/IPsec support, open UDP ports 500 (Internet Key Exchange) and 4500 (IPsec NAT Traversal). OpenVPN compatibility requires UDP port 1194.
Configure firewalld to permit necessary traffic:
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --permanent --add-port=992/tcp
sudo firewall-cmd --permanent --add-port=5555/tcp
sudo firewall-cmd --permanent --add-port=8888/tcp
sudo firewall-cmd --permanent --add-port=500/udp
sudo firewall-cmd --permanent --add-port=4500/udp
sudo firewall-cmd --permanent --add-port=1194/udp
The --permanent flag saves rules to persistent storage, ensuring they survive system reboots. Without this flag, rules exist only in memory and disappear when the system restarts.
Reload firewalld to activate new rules:
sudo firewall-cmd --reload
Verify configured rules:
sudo firewall-cmd --list-all
The output displays active rules, including newly added port permissions. Confirm all required ports appear in the “ports:” section.
If your server sits behind a NAT router, configure port forwarding on the router to direct external traffic to your VPN server’s internal IP address. Forward the same ports (443, 992, 5555, 500, 4500, 1194) to ensure external clients can reach your VPN server.
Step 7: Initial VPN Server Configuration
SoftEther provides a powerful command-line administration tool called vpncmd. This utility offers three operational modes: VPN Server management, VPN Client management, and VPN Tools for testing and diagnostics. Initial server configuration establishes the administrator password, creates virtual hubs, and configures user accounts.
Access the VPN command-line tool:
cd /usr/local/vpnserver
sudo ./vpncmd
The tool presents a menu with three options. Select option 1 for “Management of VPN Server or VPN Bridge.” When prompted for hostname, press Enter to connect to localhost. Leave the port field empty to use the default port.
Set the administrator password immediately after first connection:
ServerPasswordSet
Enter a strong password containing at least 12 characters with uppercase letters, lowercase letters, numbers, and special symbols. This password protects administrative access to your VPN server. Anyone with this password can modify server configuration, create users, and access sensitive information.
Create a Virtual Hub, which functions as an isolated VPN network within the server:
HubCreate VPN
Replace “VPN” with your preferred hub name. The system prompts for a hub password. While optional, setting a hub password adds an additional security layer, preventing unauthorized hub modifications even if someone obtains the server administrator password.
Select the newly created hub for further configuration:
Hub VPN
Create a VPN user account:
UserCreate username
Replace “username” with the desired username. The system prompts for user-specific settings. Accept defaults by pressing Enter.
Set a password for the user:
UserPasswordSet username
Enter a strong password for this VPN user account. Each VPN client needs credentials to establish connections, so create multiple user accounts for different individuals or devices.
Enable SecureNAT functionality, which provides DHCP and NAT services to VPN clients:
SecureNatEnable
SecureNAT automatically assigns IP addresses to connecting clients and routes their internet traffic through the VPN server. This feature simplifies client configuration by eliminating manual IP address assignment and routing table modifications.
View SecureNAT configuration:
SecureNatStatusGet
The output displays the virtual DHCP server’s IP range, gateway address, and DNS server settings. Default configuration typically uses the 192.168.30.0/24 subnet with the VPN server acting as gateway at 192.168.30.1.
Exit vpncmd:
exit
Step 8: Enable L2TP/IPsec Server (Optional)
L2TP/IPsec support enables native VPN client compatibility with Windows, macOS, iOS, and Android devices without requiring third-party software installations. This protocol combination enjoys widespread support across operating systems and network equipment.
Access vpncmd and enable IPsec functionality:
cd /usr/local/vpnserver
sudo ./vpncmd
Select option 1 for server management, then execute:
IPsecEnable
The command presents a series of configuration prompts. Enable L2TP Server Function by entering yes. Enable L2TP over IPsec Server Function by entering yes. Enable EtherIP / L2TPv3 over IPsec Server Function only if you need site-to-site VPN capabilities; otherwise, enter no.
When prompted for the IPsec Pre-Shared Key, enter a complex passphrase containing mixed-case letters, numbers, and symbols. All L2TP/IPsec clients must use this pre-shared key for authentication, so distribute it securely to authorized users.
Set the default Virtual Hub for L2TP connections. Enter the hub name you created earlier (e.g., “VPN”). This setting directs all L2TP connections to the specified hub automatically.
Verify IPsec configuration:
IPsecGet
The output displays current IPsec settings, including enabled functions and the configured pre-shared key (partially masked for security).
L2TP/IPsec connections use UDP ports 500 and 4500, which you configured in the firewall section. Ensure your router’s port forwarding includes these UDP ports if operating behind NAT.
Step 9: Enable OpenVPN Compatibility (Optional)
SoftEther’s OpenVPN clone function allows standard OpenVPN clients to connect without modifications. This compatibility extends VPN access to devices and platforms where OpenVPN client software is already installed and configured.
Enable OpenVPN server functionality:
cd /usr/local/vpnserver
sudo ./vpncmd
After accessing server management mode, execute:
OpenVpnEnable yes /PORTS:1194
This command activates OpenVPN protocol support on UDP port 1194, the standard OpenVPN port. You can specify multiple ports by separating them with commas (e.g., /PORTS:1194,1195,1196).
Generate OpenVPN configuration files:
OpenVpnMakeConfig ~/openvpn_config.zip
This command creates a ZIP archive containing pre-configured OpenVPN client profiles and certificates. The archive includes separate configuration files for different operating systems and connection methods.
Exit vpncmd and locate the generated file:
exit
ls -lh ~/openvpn_config.zip
Transfer this file to your local computer using SCP or SFTP. Extract the archive to find .ovpn configuration files. Windows users should use the *_openvpn_remote_access_l3.ovpn file. Mac and Linux users can use the same file with OpenVPN client software.
Distribute the appropriate configuration file to users. They should import this file into their OpenVPN client application and provide their VPN username and password when connecting.
Step 10: Configure SSTP VPN (Optional)
SSTP (Secure Socket Tunneling Protocol) is Microsoft’s proprietary VPN protocol with native support in Windows operating systems. SSTP connections tunnel through TCP port 443, identical to HTTPS traffic, providing excellent firewall compatibility.
SSTP requires a valid SSL certificate. You can use either a self-signed certificate for testing or a certificate from a trusted Certificate Authority for production use. Let’s Encrypt provides free SSL certificates with automated renewal.
For production deployments, obtain a domain name and configure it to point to your VPN server’s public IP address. Install certbot for Let’s Encrypt certificate acquisition:
sudo dnf install certbot -y
Temporarily stop the VPN server to free port 443 for certificate validation:
sudo systemctl stop softether-vpnserver
Request a certificate:
sudo certbot certonly --standalone -d vpn.yourdomain.com
Replace “vpn.yourdomain.com” with your actual domain name. Follow the prompts to complete certificate issuance. Successful completion creates certificate files in /etc/letsencrypt/live/vpn.yourdomain.com/.
Configure SoftEther to use the certificate:
cd /usr/local/vpnserver
sudo ./vpncmd
In server management mode, execute:
ServerCertSet /LOADCERT:/etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem /LOADKEY:/etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem
Restart the VPN server:
exit
sudo systemctl start softether-vpnserver
Windows clients can now connect using the built-in SSTP VPN client. Create a new VPN connection in Windows Network Settings, select SSTP as the connection type, and enter your domain name as the server address.
Step 11: Test VPN Connection
Thorough testing verifies that your VPN server is operational and accessible. Begin by confirming the service is running and listening on expected ports.
Check service status:
sudo systemctl status softether-vpnserver
The output should indicate “active (running)” status. Review any error messages if the service is stopped or failed.
Verify listening ports:
sudo netstat -tulpn | grep vpnserver
Alternatively, use the ss command:
sudo ss -tulpn | grep vpnserver
The output displays all ports where the vpnserver process is listening. Confirm you see ports 443, 992, and 5555 in the TCP list, plus ports 500, 4500, and 1194 in the UDP list (if you enabled L2TP/IPsec and OpenVPN).
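Step 6 opens every port unconditionally, while Steps 8 and 9 are optional, so the firewall can end up wider than what vpnserver actually serves. The following added example (not part of the original tutorial; function names are assumptions and the ss output is a constructed sample) cross-checks the two lists.

```shell
#!/bin/sh
# Added example: compare the ports opened in firewalld (Step 6) with the
# sockets vpnserver actually holds, as reported by "ss -tulpn".
# Assumes the host is dedicated to the VPN server, so every port in the
# firewalld list is meant for vpnserver.

# Ports opened by the firewall-cmd commands in Step 6.
STEP6_PORTS="443/tcp 992/tcp 5555/tcp 8888/tcp 500/udp 4500/udp 1194/udp"

# Constructed sample of "sudo ss -tulpn": L2TP/IPsec (Step 8) enabled,
# OpenVPN (Step 9) skipped, sshd present as an unrelated listener.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:500       0.0.0.0:*     users:(("vpnserver",pid=1412,fd=41))
udp   UNCONN 0      0            0.0.0.0:4500      0.0.0.0:*     users:(("vpnserver",pid=1412,fd=42))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=870,fd=3))
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*     users:(("vpnserver",pid=1412,fd=20))
tcp   LISTEN 0      128             [::]:443          [::]:*     users:(("vpnserver",pid=1412,fd=21))
tcp   LISTEN 0      128          0.0.0.0:992       0.0.0.0:*     users:(("vpnserver",pid=1412,fd=22))
tcp   LISTEN 0      128          0.0.0.0:5555      0.0.0.0:*     users:(("vpnserver",pid=1412,fd=24))
tcp   LISTEN 0      128          0.0.0.0:8888      0.0.0.0:*     users:(("vpnserver",pid=1412,fd=26))
EOF
}

# vpn_listeners < ss-output
#   Prints the unique "port/proto" pairs owned by vpnserver, in the same
#   notation firewalld uses. The port is whatever follows the last colon
#   of the local address, which also covers IPv6 forms such as [::]:443.
vpn_listeners() {
    awk '$1 ~ /^(tcp|udp)$/ && $NF ~ /"vpnserver"/ {
        n = split($5, part, ":")
        print part[n] "/" $1
    }' | sort -u
}

# crosscheck_ports "OPEN_PORTS" < ss-output
#   OPEN_PORTS is the space-separated list printed by
#   "firewall-cmd --list-ports". Returns 1 if the two lists differ.
crosscheck_ports() {
    cp_open=$1
    cp_listen=$(vpn_listeners)
    cp_status=0
    for cp_p in $cp_open; do
        if printf '%s\n' "$cp_listen" | grep -Fqx "$cp_p"; then
            echo "OK $cp_p"
        else
            # Open in the firewall, nothing behind it: candidate for removal.
            echo "OPEN-NO-LISTENER $cp_p"
            cp_status=1
        fi
    done
    for cp_p in $cp_listen; do
        case " $cp_open " in
            *" $cp_p "*) ;;
            *)  # vpnserver listens here but firewalld does not pass it.
                echo "LISTENER-NOT-OPEN $cp_p"
                cp_status=1 ;;
        esac
    done
    return $cp_status
}

# Demo on the constructed sample. On a live server:
#   sudo ss -tulpn | crosscheck_ports "$(sudo firewall-cmd --list-ports)"
sample_ss_output | crosscheck_ports "$STEP6_PORTS" || true
```

A port reported as OPEN-NO-LISTENER can be closed with firewall-cmd --permanent --remove-port followed by a reload until the corresponding protocol is actually enabled.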
Test connectivity from a client device. Download and install SoftEther VPN Client on a Windows, Mac, or Linux computer. Create a new connection profile with your server’s IP address or domain name, specify the virtual hub name, and enter the username and password you created earlier.
Attempt to establish a VPN connection. Successful authentication results in an IP address assignment from the SecureNAT DHCP pool (typically 192.168.30.0/24 range). Verify the assigned IP address matches this range.
Test network connectivity through the VPN tunnel:
ping 192.168.30.1
This command pings the VPN server’s SecureNAT gateway address. Successful replies indicate proper tunnel establishment and routing configuration.
Test internet connectivity through the VPN:
ping 8.8.8.8
If you receive replies, your VPN tunnel is successfully routing internet traffic. Visit whatismyip.com to verify your public IP address shows the VPN server’s IP rather than your client’s actual IP.
Security Best Practices
Implementing robust security measures protects your VPN infrastructure from unauthorized access and potential attacks. Security configuration should address authentication, encryption, access control, and ongoing monitoring.
Configure strong authentication requirements. Enforce complex password policies requiring minimum 12-character passwords with uppercase, lowercase, numeric, and special characters. Consider implementing certificate-based authentication for enhanced security, eliminating password-based attacks entirely. For organizational deployments, integrate RADIUS or Windows Active Directory authentication to centralize user management.
Optimize encryption settings for maximum security. Verify AES-256 encryption is active for all VPN connections. Disable deprecated algorithms including RC4, DES, and 3DES, which contain known vulnerabilities. Configure TLS 1.2 or TLS 1.3 as the minimum acceptable protocol version, disabling older SSL 3.0, TLS 1.0, and TLS 1.1 protocols.
Implement network security controls. Enable SoftEther’s built-in packet filtering to restrict traffic types and destinations. Configure access control lists limiting VPN access to specific IP addresses or networks. Monitor connection logs regularly for suspicious activity patterns like repeated failed authentication attempts or unusual connection times.
Harden the underlying operating system. Keep AlmaLinux 10 updated with the latest security patches using sudo dnf update regularly. Configure SELinux to enforcing mode for mandatory access controls. Install and configure fail2ban to automatically block IP addresses after repeated failed authentication attempts. Restrict SSH access using key-based authentication and disable password login.
Limit administrative access to the VPN server itself. Configure firewall rules allowing SSH connections only from trusted IP addresses. Change the default SSH port from 22 to a non-standard port number. Disable root login via SSH, requiring users to authenticate as regular users before escalating privileges with sudo.
Regularly review user accounts and connection logs. Remove accounts for users who no longer require VPN access. Use the vpncmd command LogFileGet to download and analyze server logs. Look for patterns indicating reconnaissance attempts, brute-force attacks, or unusual connection behaviors.
Troubleshooting Common Issues
Even with careful configuration, you may encounter issues during installation or operation. Understanding common problems and their solutions accelerates problem resolution.
Service fails to start: If systemctl status reports failed activation, examine detailed logs using sudo journalctl -u softether-vpnserver -n 50. Common causes include incorrect file permissions on the vpnserver executable or configuration files. Verify permissions using ls -la /usr/local/vpnserver/ and ensure vpnserver has 700 permissions and configuration files have 600 permissions. Port conflicts occur when another service already uses required ports; identify the conflicting process with sudo netstat -tulpn | grep :443 and modify either SoftEther’s configuration or the conflicting service.
Cannot connect to VPN server: Verify firewall rules are properly configured and active using sudo firewall-cmd --list-all. Confirm the VPN server process is listening on expected ports with sudo netstat -tulpn | grep vpnserver. If your server operates behind NAT, verify router port forwarding rules direct external traffic to the correct internal IP address and ports. Test connectivity from the VPN server itself using telnet localhost 443 to eliminate network routing issues from troubleshooting.
Connection drops or unstable: Network instability often stems from MTU (Maximum Transmission Unit) mismatches. Reduce the MTU size on VPN clients to 1400 or 1300 bytes. Check for packet loss using extended ping tests: ping -c 100 your-vpn-server-ip. Examine router logs for dropped packets or connection resets. Verify sufficient bandwidth is available and no traffic shaping policies interfere with VPN connections.
Authentication failures: Double-check username and password accuracy, remembering that authentication is case-sensitive. Verify the user account exists in the correct virtual hub using vpncmd’s UserList command. Confirm the virtual hub name specified in client configuration exactly matches the server configuration. Review server logs for detailed authentication failure reasons.
VPN connected but no internet access: Verify SecureNAT is enabled using vpncmd’s SecureNatStatusGet command. Check routing tables on the VPN server using ip route show. Ensure IP forwarding is enabled in the kernel: sudo sysctl net.ipv4.ip_forward should return “1”. If it returns “0”, enable forwarding with sudo sysctl -w net.ipv4.ip_forward=1 and make it permanent by adding net.ipv4.ip_forward = 1 to /etc/sysctl.conf.
Performance issues: Monitor server resource utilization using top or htop. High CPU usage may indicate encryption overhead; consider hardware with AES-NI CPU extensions for acceleration. Memory pressure degrades performance; ensure adequate RAM is available. Check network interface statistics for errors: ip -s link show. Optimize SoftEther settings by reducing encryption strength slightly (AES-128 instead of AES-256) or limiting maximum concurrent connections.
Performance Optimization Tips
Maximizing VPN server performance ensures smooth operation even under heavy load. Strategic configuration adjustments significantly improve throughput, latency, and connection stability.
Enable SoftEther’s parallel TCP connection feature for clients on high-latency networks. This functionality establishes multiple simultaneous TCP tunnels (up to 32), distributing packets across connections for improved aggregate throughput. Configure this setting in VPN Client Manager under Connection Settings → Advanced Settings → Number of TCP Connections.
Optimize encryption algorithm selection based on your security requirements and performance needs. AES-128-CBC provides excellent security with lower computational overhead than AES-256-GCM. For maximum performance in trusted environments, consider using RC4-MD5, though this sacrifices security for speed. Modern CPUs with AES-NI hardware acceleration handle AES encryption efficiently with minimal performance impact.
Configure Quality of Service (QoS) prioritization for time-sensitive applications. VoIP calls and video conferencing benefit from reduced jitter and latency. Access vpncmd and execute QoSSet to configure traffic prioritization rules based on protocol, port, or application.
Tune system-level networking parameters for optimal throughput. Increase TCP buffer sizes to accommodate high-bandwidth connections:
sudo sysctl -w net.core.rmem_max=134217728
sudo sysctl -w net.core.wmem_max=134217728
sudo sysctl -w net.ipv4.tcp_rmem="4096 87380 134217728"
sudo sysctl -w net.ipv4.tcp_wmem="4096 65536 134217728"
Make these changes permanent by adding them to /etc/sysctl.conf.
Hardware considerations impact performance significantly. Deploy your VPN server on SSD storage rather than traditional spinning hard drives. SSDs provide faster log writing and configuration file access. Allocate sufficient RAM (4GB minimum, 8GB or more for production). Modern multi-core processors handle concurrent connections more efficiently; prioritize CPU clock speed and core count.
Monitor server performance metrics regularly. Use sar (from the sysstat package) to track historical CPU, memory, and network utilization. Identify peak usage periods and plan capacity upgrades accordingly. Consider deploying multiple VPN servers behind a load balancer for high-availability environments.
Congratulations! You have successfully installed SoftEther VPN. Thanks for using this tutorial for installing the SoftEther VPN Server on AlmaLinux OS 10 system. For additional help or useful information, we recommend you check the official SoftEther website.