1. Introduction

Secure Socket Tunneling Protocol (SSTP) is a Virtual Private Network (VPN ) protocol that uses Secure Socket Layer/Transport Layer Security (SSL/TLS) encryption to create secure connections over the internet for remote access to resources on a private network.

SSTP was developed by Microsoft to replace Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol/IP Security (L2TP/IPSec) as a more secure and simpler-to-use protocol. One of its advantages is working over TCP port 443, which is commonly allowed by firewalls and network components.

In this tutorial, we’ll look into how to configure an SSTP VPN server on Linux using SoftEther VPN Server.

2. What Is SoftEther VPN?

SofEther VPN is an open-source and freeware cross-platform multi-protocol VPN implementation developed by SoftEther VPN Project. It can be installed on Windows, Mac, and Linux and is currently one of the few projects that offer SSTP support on Linux.

3. Preparing the Environment

SoftEther VPN Server is distributed as a source package and needs to be compiled for our platform. We need to ensure a few requirements are available on our target machine. All the requirements can be installed using yum or apt.

For Debian and Ubuntu, we’ll run:

$ apt-get update 
$ apt-get install wget make gcc binutils

For RedHat, Fedora, AlmaLinux, and other RHEL derivatives, we’ll run:

$ yum install wget make gcc binutils

Once we have the prerequisites installed, we’re ready to install SoftEther VPN Server.

4. Installation

The following steps have been tested on AlmaLinux 8 and Ubuntu 23.04, but they should not be different for other distributions. The only major requirement is that the distribution kernel version should be newer than 2.4.

4.1. Downloading SoftEther VPN Server

We can download SoftEther VPN Server from the project website. We first choose a mirror site and then follow the prompts to select the component “SoftEher VPN Server”, platform “Linux”, and finally, the CPU architecture suitable for our target server. Once the page displays the available download links, we can use wget to download the source package directly to our server. For example:

$ wget "https://www.softether-download.com/files/softether/v4.41-9787-rtm-2023.03.14-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.41-9787-rtm-2023.03.14-linux-x64-64bit.tar.gz"

After that, let’s use tar to unpack the downloaded archive:

tar -xzf softether-vpnserver-v4.41-9787-rtm-2023.03.14-linux-x64-64bit.tar.gz

Now that we’ve downloaded the software package, we’re ready to install it.

4.2. Compiling and Installing SoftEther VPN Server

First, let’s switch to the uncompressed directory:

$ cd vpnserver/

Next, we’ll use the make command to compile and run the installation script:

$ make

We should pay attention to the make command’s output. If there are any errors due to missing packages, we’ll need to install them and run the command again.

Now that we have our binaries generated, let’s move the compiled files to a common location and secure the file permissions:

$ cd ..
$ mv vpnserver /usr/local/
$ chmod -R 600 /usr/local/vpnserver/*
$ chmod 700 /usr/local/vpnserver/vpnserver
$ chmod 700 /usr/local/vpnserver/vpncmd

If we have SELinux running in “Enforcing” mode, we need to adjust the main binary file context accordingly:

$ chcon -Rv -u system_u -t bin_t /usr/local/vpnserver/vpnserver

For our VPN to start automatically when the server boots, let’s create a systemd service specifications file:

$ cat /usr/lib/systemd/system/softether.service

[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
ConditionPathExists=!/usr/local/vpnserver/do_not_run

[Service]
Type=forking
EnvironmentFile=-/usr/local/vpnserver
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure

# Hardening
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/usr/local/vpnserver
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYS_ADMIN CAP_SETUID

[Install]
WantedBy=multi-user.target

Next, let’s inform systemd of our newly created service, and then enable and start it:

$ systemctl daemon-reload
$ systemctl enable softether
$ systemctl start softether

After that, we can verify the service is running correctly using the systemctl command:

$ systemctl status softether

If we discover the service is not running for any reason, we should troubleshoot and resolve the issue before proceeding with the configuration. After we finish the installation, we’ll need to verify that SoftEther can run on our machine.

4.3. Verifying the Installation

SoftEther VPN Server includes a command-line tool called vpncmd to manage the server configuration. It also includes a check command that we can use to verify if the server can run successfully on our machine. Let’s run vpncmd check to see the results:

$ /usr/local/vpnserver/vpncmd /TOOLS /CMD check

vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.41 Build 9787   (English)
Compiled 2023/03/14 11:00:03 by buildsan at crosswin with OpenSSL 3.0.7
Copyright (c) 2012-2023 SoftEther VPN Project. All Rights Reserved.

VPN Tools has been launched. By inputting HELP, you can view a list of the commands that can be used.

VPN Tools>check
Check command - Check whether SoftEther VPN Operation is Possible
---------------------------------------------------
SoftEther VPN Operation Environment Check Tool

Copyright (c) SoftEther VPN Project.
All Rights Reserved.

If this operation environment check tool is run on a system and that system passes, it is most likely that SoftEther VPN software can operate on that system. This check may take a while. Please wait...

Checking 'Kernel System'... 
              Pass
Checking 'Memory Operation System'... 
              Pass
Checking 'ANSI / Unicode string processing system'... 
              Pass
Checking 'File system'... 
              Pass
Checking 'Thread processing system'... 
              Pass
Checking 'Network system'... 
              Pass

All checks passed. It is most likely that SoftEther VPN Server / Bridge can operate normally on this system.

The command completed successfully.

Since all checks appear to have passed, we’re ready to move to the configuration.

5. Configuration

In the following sections, we’ll go through the steps to configure the basic system settings including configuring the admin password, creating a hub, creating users, and lastly, configuring SSTP.

5.1. Server Configuration

To enter server configuration mode, we can use the command /usr/local/vpnserver/vpncmd /SERVER:

$ /usr/local/vpnserver/vpncmd /SERVER

We’ll be prompted to enter the “Hostname or IP Address of Destination”. Since we’re connecting to the local server, we can keep this empty and hit Enter.

Next, vpncmd will prompt us to “Specify Virtual Hub Name”. Since we haven’t created our own hub yet, we can keep this empty and hit Enter to use the default hub.

After that, if all goes well, we should see the server configuration prompt:

Connection has been established with VPN Server "localhost" (port 443).

You have administrator privileges for the entire VPN Server.

VPN Server>

Let’s start by creating a password for the administrator account:

$ VPN Server> ServerPasswordSet

It will then prompt us to type and confirm a password for the administrator account.

Next, let’s create a Virtual Hub for our SSTP server and users:

$ VPN Server> HubCreate SSTP

We’ll then be prompted to type and confirm a password for the created hub.

Our Virtual Hub can connect to the physical network either using a Local Bridge or using the SecureNAT feature. Let’s configure it to use SecureNAT since it’s easy to set up and includes supporting features such as a DHCP Server for our VPN clients:

$ VPN Server/SSTP> SecureNatEnable

5.2. User Configuration

Now, let’s enter our newly created hub and create our first VPN user:

$ VPN Server> Hub SSTP
$ VPN Server/SSTP> UserCreate myuser
$ VPN Server/SSTP> UserPasswordSet myuser

Note that it will prompt us to type and confirm a password for the created user.

5.3. SSL Certificate

SSTP requires an SSL certificate to secure communications between clients and the server. If we already have an SSL certificate, we can use the command ServerCertSet to add it to the server. Alternatively, we can ask SofEther to generate a self-signed certificate and dump it to a local file to distribute it later to clients:

$ VPN Server/SSTP> ServerCertRegenerate mydomain.com
$ VPN Server/SSTP> ServerCertGet ~/mydomain.com.cer

We should note that the hostname we use for our certificate must resolve to the VPN server IP address as it will be the hostname used in the client configuration.

After running the above command, we can later find the certificate file at the path /root/mydomain.com.cer — assuming we’re using the root user.

The final step would be to enable SSTP for our hub:

$ VPN Server/SSTP> SstpEnable yes

5.4. Verifying Installation

Finally, to verify our configuration, we can use the StatusGet command to ensure our hub is running correctly:

$ VPN Server/SSTP> StatusGet

StatusGet command - Get Current Status of Virtual Hub
Item                         |Value
-----------------------------+-------------------
Virtual Hub Name             |SSTP
Status                       |Online
Type                         |Standalone
SecureNAT                    |Enabled
Sessions                     |1
Access Lists                 |0
Users                        |1
Groups                       |0
MAC Tables                   |1
IP Tables                    |1
Num Logins                   |0
Last Login                   |2023-05-03 07:43:13
Last Communication           |2023-05-04 07:27:02
Created at                   |2023-05-03 07:43:13
Outgoing Unicast Packets     |6,300 packets
Outgoing Unicast Total Size  |264,600 bytes
Outgoing Broadcast Packets   |0 packets
Outgoing Broadcast Total Size|0 bytes
Incoming Unicast Packets     |6,300 packets
Incoming Unicast Total Size  |264,600 bytes
Incoming Broadcast Packets   |12,594 packets
Incoming Broadcast Total Size|768,234 bytes
The command completed successfully.

VPN Server/SSTP>

We can type exit or hit ctrl-q to exit configuration mode. It will save and apply changes automatically.

6. Firewall Configuration

We should note that SSTP uses TCP port 443 by default. Therefore, if we’re using a firewall, we need to configure it to allow incoming connections to this port.

7. Conclusion

In this article, we’ve looked at how to install SoftEther VPN Server on Linux systems and later how to configure it as an SSTP server.

SSTP is one of the many available VPN protocols. One of its main advantages is using standard SSL to secure communications over the standard TCP port 443, which greatly simplifies configuration. And even though Microsoft developed it mainly for the Windows operating system, with SoftEther, we can use it for Linux systems as well.