How To Install SoftEther VPN Server on Debian 13

Setting up a secure VPN server has become essential for organizations and individuals seeking to protect their network communications and enable remote access. SoftEther VPN Server stands out as a powerful, open-source solution that supports multiple VPN protocols including SSL-VPN, OpenVPN, L2TP/IPsec, and SSTP. This comprehensive guide walks you through installing and configuring SoftEther VPN Server on Debian 13, providing you with a robust virtual private network infrastructure that combines high performance with enterprise-grade security features.
What is SoftEther VPN Server?
SoftEther VPN represents a next-generation VPN solution developed at the University of Tsukuba, Japan. Unlike traditional VPN implementations, SoftEther provides multi-protocol support, allowing clients to connect using their preferred VPN method without requiring multiple server installations. The software excels in NAT traversal, making it particularly valuable for environments with restrictive firewalls or network address translation.
The architecture includes several key components. Virtual Hubs function as virtual layer-2 switches, enabling network segmentation and management. SecureNAT provides built-in NAT and DHCP functionality, simplifying client configuration and eliminating the need for complex routing setups. The HTML5-based administration console offers convenient management from any modern web browser.
Performance benchmarks demonstrate SoftEther’s efficiency. The software achieves throughput speeds comparable to native IPsec implementations while maintaining compatibility across Windows, Linux, macOS, FreeBSD, and Solaris platforms. Use cases range from secure remote access for distributed teams to creating site-to-site VPN tunnels between office locations.
Prerequisites and System Requirements
Before beginning the installation process, ensure your Debian 13 server meets the necessary specifications. A minimum of 1 CPU core and 512MB RAM suffices for small deployments, though production environments benefit from 2 CPU cores and 2GB RAM or more. Allocate at least 1GB disk space for the VPN server software and log files.
Your server requires several development tools and libraries. The gcc compiler, binutils, and build-essential package form the compilation foundation. Additional dependencies include development libraries for glibc, zlib, openssl, readline, ncurses, and pthread. These components enable SoftEther to compile correctly and function properly on Debian systems.
Network configuration considerations include obtaining a static IP address or configuring a domain name pointing to your server. Plan to open specific firewall ports: TCP 443, 992, 1194, and 5555, plus UDP 1194, 500, and 4500. Administrative access through root or sudo privileges is mandatory for system-level installations and service management.
Step 1: Preparing Your Debian 13 Server
Begin by updating your system repositories and installed packages. This ensures compatibility and security. Open your terminal and execute:
sudo apt update && sudo apt upgrade -y
The update process may take several minutes depending on your system state and internet connection speed. Reboot if kernel updates were installed.
Next, install the required build tools and dependencies:
sudo apt install build-essential gcc binutils make wget tar gzip gnupg2 -y
Follow with development libraries essential for compilation:
sudo apt install libreadline-dev libssl-dev libncurses5-dev libncursesw5-dev libpthread-stubs0-dev zlib1g-dev -y
Verify successful installation by checking gcc version:
gcc --version
You should see output displaying the GCC compiler version installed on your system. Create a working directory for the installation files:
mkdir ~/softether-setup
cd ~/softether-setup
This organizational approach keeps installation files separate from system directories, facilitating cleanup after completion.
Step 2: Downloading SoftEther VPN Server
Navigate to the SoftEther download server to obtain the latest stable release. The official repository maintains current versions for various platforms. For Debian 13 64-bit systems, download the Linux x64 package:
wget https://www.softether-download.com/files/softether/v4.44-9807-rtm-2025.04.16-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.44-9807-rtm-2025.04.16-linux-x64-64bit.tar.gz
Note: Replace the version number with the current stable release available at download time. Check the official SoftEther website for the latest version URL.
Alternatively, use the interactive lynx browser method if you prefer visual selection:
sudo apt install lynx -y
lynx https://www.softether-download.com/
Navigate through the menu to select “SoftEther VPN Server,” choose your platform (Linux), and download the appropriate package.
Verify the downloaded file integrity (optional but recommended):
ls -lh softether-vpnserver-*.tar.gz
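The file size should match the specification on the download page, typically ranging from 5-15MB depending on the version. A matching size only rules out a truncated download; it does not authenticate the archive, so also compare a cryptographic hash if the download source publishes one.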
Step 3: Extracting and Compiling SoftEther VPN Server
Extract the downloaded archive using tar:
tar xzvf softether-vpnserver-*.tar.gz
The extraction creates a “vpnserver” directory containing source files and scripts. Navigate into this directory:
cd vpnserver
Initiate the compilation process by running make:
make
The make utility presents the End-User License Agreement. You must read and accept this agreement to proceed. The system prompts you three times:
- Press 1 to read the license agreement
- Press 1 to confirm you read and understood the agreement
- Press 1 to accept the terms
After accepting, compilation begins automatically. The process typically completes within 30-60 seconds on modern hardware. Successful compilation produces binary files including “vpnserver” and “vpncmd”.
Troubleshooting Compilation Issues:
If compilation fails with missing dependencies errors, revisit Step 1 and ensure all development libraries installed correctly. Permission errors require sudo privileges or root access. Compiler errors may indicate architecture mismatches—verify you downloaded the correct package for your system (x64 vs x86).
Verify successful compilation:
ls -la
Confirm vpnserver and vpncmd files exist with executable permissions.
Step 4: Installing SoftEther VPN Server
Move the compiled vpnserver directory to a permanent system location. The standard installation path is /usr/local/ or /opt/:
cd ..
sudo mv vpnserver /usr/local/
Alternatively, use /opt/ for software not managed by package managers:
sudo mv vpnserver /opt/softether
This guide uses /usr/local/vpnserver for consistency. Set appropriate file permissions to enhance security:
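sudo chown -R root:root /usr/local/vpnserver
sudo chmod 600 /usr/local/vpnserver/*
sudo chmod 700 /usr/local/vpnserver/vpnserver
sudo chmod 700 /usr/local/vpnserver/vpncmd
The chown is needed because the files were extracted and compiled as a regular user and mv preserves that ownership. Together, these settings restrict access to the root user only, preventing unauthorized modifications.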
Verify system compatibility by running the built-in check command:
cd /usr/local/vpnserver
sudo ./vpncmd
When prompted, select option 3 (Use VPN Tools). At the VPN Tools prompt, type “check” and press Enter. The check utility tests various system components including threading, memory allocation, ANSI/Unicode strings, file system operations, and network sockets. All tests should return “Pass” or “OK” status.
Exit the vpncmd utility by typing “exit” twice.
Step 5: Creating Systemd Service for Auto-Start
Configure SoftEther VPN Server to start automatically at system boot using systemd. Create a new service unit file:
sudo nano /etc/systemd/system/softether-vpnserver.service
Insert the following configuration:
[Unit]
Description=SoftEther VPN Server
After=network-online.target
After=dbus.service
[Service]
Type=forking
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
Save the file (Ctrl+O, Enter) and exit (Ctrl+X). This configuration ensures the VPN server starts after network services initialize and automatically restarts on failure.
Reload the systemd daemon to recognize the new service:
sudo systemctl daemon-reload
Start the SoftEther VPN Server service:
sudo systemctl start softether-vpnserver
Enable automatic startup at boot:
sudo systemctl enable softether-vpnserver
Verify the service is running correctly:
sudo systemctl status softether-vpnserver
The output should display “active (running)” in green text. Check listening ports to confirm the server is accepting connections:
sudo ss -lnptu | grep vpnserver
You should see the vpnserver process listening on multiple TCP ports including 443, 992, 1194, and 5555.
Step 6: Initial Configuration Using vpncmd
Access the VPN server management console using the command-line administration tool:
sudo /usr/local/vpnserver/vpncmd
When prompted, press Enter for “localhost:5555” and press Enter again for server administrator access. Select option 1 (Management of VPN Server or VPN Bridge).
Set a strong administrator password immediately:
ServerPasswordSet
Enter and confirm your password. Use a complex password combining uppercase, lowercase, numbers, and special characters.
Create a Virtual Hub if the default hub doesn’t meet your needs, or use the existing DEFAULT hub:
Hub DEFAULT
This command switches context to the DEFAULT Virtual Hub. Create VPN user accounts:
UserCreate vpnuser
UserPasswordSet vpnuser
Enter and confirm the password for this VPN user. Repeat this process for additional users as needed.
Enable SecureNAT functionality to provide automatic NAT and DHCP services:
SecureNatEnable
SecureNAT creates a virtual NAT router and DHCP server within the Virtual Hub, simplifying client configuration. Configure the DHCP settings:
DhcpSet /START:192.168.30.10 /END:192.168.30.200 /MASK:255.255.255.0 /EXPIRE:7200 /GW:192.168.30.1 /DNS:192.168.30.1 /DNS2:8.8.8.8 /DOMAIN:vpn.local /LOG:yes
This configuration assigns IP addresses from the 192.168.30.10-200 range with a 2-hour lease time. The gateway and primary DNS point to the virtual router address.
Exit vpncmd by typing “exit” twice.
Step 7: Configuring Firewall Rules
Configure your Debian firewall to allow VPN traffic. If using UFW (Uncomplicated Firewall), execute:
sudo apt install ufw -y
sudo ufw allow 443,992,1194,5555/tcp
sudo ufw allow 1194,500,4500/udp
These rules open essential ports for various VPN protocols:
- TCP 443: HTTPS/SSL-VPN and SSTP
- TCP 992: Alternative HTTPS port
- TCP 1194: OpenVPN
- TCP 5555: Server administration
- UDP 1194: OpenVPN
- UDP 500/4500: L2TP/IPsec
Allow VPN clients to access network resources:
sudo ufw insert 1 allow in from 192.168.30.0/24
This rule permits all traffic from the VPN subnet. Enable the firewall if not already active:
sudo ufw enable
Verify firewall status:
sudo ufw status verbose
For iptables users, configure rules manually:
sudo iptables -A INPUT -p tcp --match multiport --dports 443,992,1194,5555 -j ACCEPT
sudo iptables -A INPUT -p udp --match multiport --dports 1194,500,4500 -j ACCEPT
sudo iptables -A INPUT -s 192.168.30.0/24 -j ACCEPT
Save iptables rules to persist across reboots:
sudo apt install iptables-persistent -y
sudo netfilter-persistent save
Security Best Practice: Restrict management port 5555 to specific trusted IP addresses. Leave 5555 out of the general TCP rule above and allow it only from your administration address instead:
sudo ufw allow from YOUR_ADMIN_IP to any port 5555 proto tcp
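To check that the server exposes only the ports opened in this step, the following script compares vpnserver's listening sockets with the port lists from this guide. It is an added example, not part of the original guide; the function names are assumptions and the sample `ss` lines are constructed.

```shell
#!/bin/sh
# Added example: flag vpnserver listeners that Step 7 does not account for.
# The port lists are the ones this guide opens in the firewall.
EXPECTED_TCP="443 992 1194 5555"
EXPECTED_UDP="500 1194 4500"

# Reads `ss -H -lnptu` lines on stdin and prints "proto/port" once for each
# vpnserver socket whose port is not in the expected lists.
unexpected_listeners() {
    awk -v tcp="$EXPECTED_TCP" -v udp="$EXPECTED_UDP" '
        BEGIN {
            n = split(tcp, a, " "); for (i = 1; i <= n; i++) ok["tcp/" a[i]] = 1
            n = split(udp, a, " "); for (i = 1; i <= n; i++) ok["udp/" a[i]] = 1
        }
        ($1 == "tcp" || $1 == "udp") && /"vpnserver"/ {
            port = $5
            sub(/.*:/, "", port)          # text after the last colon is the port
            key = $1 "/" port
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample in the column layout of `ss -H -lnptu` (not real output).
sample_ss_output() {
    cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("vpnserver",pid=812,fd=14))
tcp LISTEN 0 128 [::]:443 [::]:* users:(("vpnserver",pid=812,fd=15))
tcp LISTEN 0 128 0.0.0.0:5555 0.0.0.0:* users:(("vpnserver",pid=812,fd=20))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
udp UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("vpnserver",pid=812,fd=31))
udp UNCONN 0 0 0.0.0.0:40112 0.0.0.0:* users:(("vpnserver",pid=812,fd=33))
tcp LISTEN 0 128 0.0.0.0:8888 0.0.0.0:* users:(("vpnserver",pid=812,fd=35))
EOF
}

# On a live server (as root): ss -H -lnptu | unexpected_listeners
if [ "${1:-}" = "--demo" ]; then
    sample_ss_output | unexpected_listeners
fi
```

Any port it prints is either a listener to disable in SoftEther or one to add to the expected lists deliberately.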
Step 8: Installing and Configuring DNS Resolver
VPN clients require DNS resolution for proper functionality. Install BIND9 DNS server:
sudo apt install bind9 -y
Configure BIND to allow recursive queries from the VPN subnet. Edit the configuration file:
sudo nano /etc/bind/named.conf.options
Add the allow-recursion directive within the options block:
options {
    directory "/var/cache/bind";
    allow-recursion { 127.0.0.1; 192.168.30.0/24; };
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation auto;
    listen-on-v6 { any; };
};
Save and close the file. Configure BIND to use IPv4 only:
sudo nano /etc/default/named
Add or modify the OPTIONS line:
OPTIONS="-u bind -4"
Manage DNSSEC trust anchors to prevent validation issues:
sudo rndc managed-keys destroy
sudo rndc reconfig
Restart BIND service:
sudo systemctl restart named
sudo systemctl enable named
Verify DNS is listening on the correct interface:
sudo ss -lnptu | grep named
Test DNS resolution from localhost:
dig @127.0.0.1 google.com
You should receive a valid response with IP addresses.
Step 9: Setting Up SSL/TLS Certificate with Let’s Encrypt
Implement HTTPS encryption using Let’s Encrypt free SSL certificates. This requires a domain name pointing to your server IP address.
Install Certbot:
sudo apt install certbot -y
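Obtain a certificate using standalone mode. Certbot binds port 80 itself for the HTTP-01 challenge, so any service using that port must be stopped temporarily and inbound TCP 80 must be reachable from the internet (the Step 7 rules do not open it):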
sudo systemctl stop softether-vpnserver
sudo certbot certonly --standalone --preferred-challenges http --agree-tos --key-type rsa --email admin@yourdomain.com -d vpn.yourdomain.com
Replace admin@yourdomain.com with your email and vpn.yourdomain.com with your actual domain.
Certbot stores certificates in /etc/letsencrypt/live/vpn.yourdomain.com/. Install the certificate in SoftEther:
sudo /usr/local/vpnserver/vpncmd
Select option 1, press Enter twice, then execute:
ServerCertSet /LOADCERT:/etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem /LOADKEY:/etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem
Note: You may need to combine the certificate and key or adjust paths depending on your configuration. Exit vpncmd.
Restart the VPN server:
sudo systemctl restart softether-vpnserver
Configure automatic certificate renewal. Edit root’s crontab:
sudo crontab -e
Add this line to renew certificates daily and restart the VPN server:
@daily certbot renew --quiet && systemctl restart softether-vpnserver
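This keeps the certificate files under /etc/letsencrypt valid without manual intervention. Two caveats apply: the restart runs every day whether or not anything was renewed, which drops connected clients, and ServerCertSet imported a copy of the certificate into the server configuration, so a renewed certificate must be loaded with ServerCertSet again before SoftEther presents it.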
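Loading a renewed certificate into SoftEther with ServerCertSet can be automated with a certbot deploy hook, which certbot runs only after a successful renewal and which receives the certificate directory in RENEWED_LINEAGE. The script below is an added example, not part of the original guide; the hook file name, the VPN_DOMAIN variable and the password file /root/.softether-admin-pw are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook that re-imports a renewed certificate.
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/softether-cert.sh
# (executable, owned by root).
VPNCMD="${VPNCMD:-/usr/local/vpnserver/vpncmd}"
VPN_DOMAIN="${VPN_DOMAIN:-vpn.yourdomain.com}"                # domain from Step 9
ADMIN_PW_FILE="${ADMIN_PW_FILE:-/root/.softether-admin-pw}"   # hypothetical path

# Succeeds only if the lineage is the VPN domain and both PEM files exist.
lineage_ok() {
    [ "$(basename "$1")" = "$VPN_DOMAIN" ] &&
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Succeeds only if the password file exists with mode 400 or 600 (GNU stat).
pw_file_ok() {
    [ -f "$ADMIN_PW_FILE" ] || return 1
    case "$(stat -c '%a' "$ADMIN_PW_FILE")" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 2 for a foreign lineage, 3 for an unsafe password file,
# otherwise the exit status of vpncmd.
reimport_cert() {
    lineage="$1"
    lineage_ok "$lineage" || {
        echo "skip: $lineage is not the VPN certificate" >&2; return 2; }
    pw_file_ok || {
        echo "refusing: $ADMIN_PW_FILE missing or too permissive" >&2; return 3; }
    # Note: the /PASSWORD: argument is visible in the process list while
    # vpncmd runs; restrict shell access to the server accordingly.
    "$VPNCMD" localhost:5555 /SERVER /PASSWORD:"$(cat "$ADMIN_PW_FILE")" \
        /CMD ServerCertSet \
        /LOADCERT:"$lineage/fullchain.pem" /LOADKEY:"$lineage/privkey.pem"
}

# certbot exports RENEWED_LINEAGE only when it invokes deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reimport_cert "$RENEWED_LINEAGE"
fi
```

The renewal itself still needs port 80, because the certificate was issued in standalone mode.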
Step 10: Testing and Verification
Perform comprehensive testing to ensure proper installation. Verify the VPN server process is running:
sudo systemctl status softether-vpnserver
Check all listening ports:
sudo ss -lnptu | grep vpnserver
Access the web-based administration console. Open your browser and navigate to:
https://your-server-ip:5555/admin
Accept the security warning if using a self-signed certificate (skip this if you installed Let’s Encrypt). Log in with the administrator password you set earlier.
Review server logs for errors or warnings:
sudo tail -f /usr/local/vpnserver/server_log/vpn_*.log
Press Ctrl+C to exit log viewing. Test SecureNAT functionality by connecting a test client and verifying IP address assignment within the configured DHCP range.
Common Issues and Solutions:
- Service fails to start: Check file permissions and ensure no other service occupies required ports
- Cannot connect to admin console: Verify firewall rules and ensure port 5555 is accessible
- DNS not working for clients: Confirm BIND configuration and check VPN subnet allow-recursion rules
- Certificate errors: Verify certificate paths and ensure proper permissions on /etc/letsencrypt directories
Connecting VPN Clients
SoftEther supports various client connection methods. Windows users can utilize the built-in SSTP VPN client:
- Open Settings > Network & Internet > VPN
- Click “Add VPN”
- Select “Windows (built-in)” as VPN provider
- Enter connection name and server address (vpn.yourdomain.com)
- Choose “Secure Socket Tunneling Protocol (SSTP)”
- Enter username and password created in Step 6
Linux users can install sstp-client:
sudo apt install sstp-client -y
sudo sstpc --user vpnuser --password yourpassword vpn.yourdomain.com
For enhanced compatibility, install the SoftEther VPN Client software from the official website. Download the appropriate package for your operating system and follow the installation wizard. The client application provides a graphical interface for managing VPN connections and supports all SoftEther features.
Android and iOS devices support L2TP/IPsec and SSTP connections through built-in VPN settings. Configure mobile devices using the server address, user credentials, and appropriate protocol selection.
Security Hardening Best Practices
Implement additional security measures to protect your VPN infrastructure. Configure access control lists (ACLs) within Virtual Hubs to restrict traffic based on source/destination IP addresses or protocols. Enable detailed logging to monitor connection attempts and user activity.
Change the default administration port from 5555 to a non-standard port to reduce automated attack vectors. Edit the listener configuration through vpncmd:
ListenerCreate 44555 /TCP:yes
ListenerDelete 5555
Implement connection rate limiting to prevent denial-of-service attacks and brute-force attempts. Review security logs regularly:
sudo tail -100 /usr/local/vpnserver/security_log/DEFAULT/sec_*.log
Disable unused VPN protocols to minimize attack surface. If you only use SSL-VPN, disable OpenVPN and L2TP/IPsec listeners. Maintain your Debian system with regular updates:
sudo apt update && sudo apt upgrade -y
Consider implementing two-factor authentication through external RADIUS servers or LDAP integration for enterprise environments. Create regular backups of the VPN server configuration:
sudo tar -czf /backup/vpnserver-backup-$(date +%Y%m%d).tar.gz /usr/local/vpnserver/
Congratulations! You have successfully installed SoftEther VPN. Thanks for using this tutorial for installing the SoftEther VPN Server on a Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the official SoftEther website.