SoftEther VPN

Last updated
SoftEther VPN
Original author(s) SoftEther VPN Project at the University of Tsukuba
Developer(s) Daiyuu Nobori, Tetsuo Sugiyama, Takao Ito, Christopher Smith, Mei Sharie Ann Yamaguchi and other contributors. [1]
Initial releaseJanuary 4, 2014;10 years ago (2014-01-04)
Stable release
5.02.5181 [2] / 3 December 2023;10 months ago (3 December 2023)
Repository
Written in C and C++
Operating system Windows, Linux, macOS, FreeBSD, Solaris, iOS, Android
Available inEnglish, Japanese and Simplified-Chinese [3]
Type VPN
License Apache License 2.0 [4]
Website www.softether.org

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. [5] [6] It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

Contents

SoftEther VPN supports NAT traversal, making it useful to run VPN servers on computers that are behind residential gateways, facility routers, and firewalls. Firewalls performing deep packet inspection are unable to detect SoftEther's VPN transport packets as a VPN tunnel because HTTPS is used to camouflage the connection.

SoftEther VPN optimizes performance by using full Ethernet frame utilization, reducing memory copy operations, parallel transmission, and clustering. Together, these reduce latency normally associated with VPN connections while increasing throughput.

The SoftEther VPN server architecture Softethervpn stack.jpg
The SoftEther VPN server architecture

Interoperability

SoftEther VPN Server and VPN Bridge run on Windows, Linux, OS X up to OS X 10.8, FreeBSD, and Solaris operating systems. SoftEther VPN Client runs on Windows, Linux, and macOS.

SoftEther VPN Server serves the SoftEther VPN protocol, but it also serves OpenVPN, Microsoft Secure Socket Tunneling Protocol (SSTP), SSL VPN[ clarification needed ], EtherIP, L2TPv3, and IPsec. It serves mobile devices running iOS, Android, and Windows Phone via L2TP/IPsec.

VPN clients and endpoints supporting other VPN protocols may also be used; this includes many routers from Cisco, Juniper, Linksys (with DD-WRT), Asus, and others.

VPN Server

SoftEther VPN Server implements the VPN server function. [6] It listens and accepts connections from VPN Client or VPN Bridge with several VPN protocols.

A VPN Server can have several Virtual Hubs and Virtual Layer-3 Switches. A Virtual Hub has full layer-2 Ethernet packet-switching functions like a physical Ethernet switch. Additionally, a Virtual Hub can be configured to define IP packet filter entries to filter the packets through the Virtual Hub. A Virtual Layer-3 Switch has layer-3 IP static routing functions like a physical router.

A VPN Server can have local bridges. A local bridge is the layer-2 packet-switching fabric between a physical Ethernet network-adapter and a Virtual Hub. The administrator defines a local bridge between the Virtual Hub and the existing corporate network to build a remote-access VPN server or a site-to-site VPN server.

VPN Client

SoftEther VPN Client is a VPN client program which has the virtualized function of an Ethernet network adapter. [6] A computer with installed SoftEther VPN Client can establish a VPN connection to the VPN Server. Since the VPN Server has the support for multiple VPN protocols such as L2TP/IPsec or MS-SSTP VPN, VPN users are not required to install SoftEther VPN Client on client computers. When a user uses L2TP/IPsec or MS-SSTP VPN to connect to the VPN Server, the built-in VPN client programs on the operating system can be used to establish a VPN to the VPN Server. However, SoftEther VPN Client has advanced functions (e.g. more detailed VPN communication settings) than OS built-in VPN clients. To exploit the full performance of SoftEther VPN Server, it is recommended to install SoftEther VPN Client on each client computer.

In response to the unavailability of the VPNGate iOS Client in some countries like Turkey, VPNGate.Online has released an alternate version. This ensures users worldwide can benefit from the secure and unrestricted browsing experience that VPNGate offers, regardless of their location.

VPN Bridge

SoftEther VPN Bridge is a VPN program for building a site-to-site VPN. [6] To build a site-to-site VPN network, the system administrator has to install SoftEther VPN Server on the central site, and has to install SoftEther VPN Bridge on one or more remote sites. A VPN Bridge connects to the central VPN Server by cascade connection. A cascade connection is similar to, but a virtualization of, an uplink connection (cross-cable connection) between two physical Ethernet switches.

VPN Server Manager for Windows

The GUI Tool is the administrative tool for SoftEther VPN Server and SoftEther VPN Bridge. It is a program that runs on both Windows and Linux with WINE. A system administrator installs the GUI Tool on his laptop PC, and makes it connect to the remote VPN Server or VPN Bridge for administration. The connection is made by SSL session, and management commands are transported as RPC over SSL.

Command-line admin utility

vpncmd is the CUI administrative tool for SoftEther VPN Server, Client and Bridge. It is a program that runs on consoles of every supported operating systems. When a user is unable to use Windows or Linux with WINE, the user can alternatively use vpncmd to manage the VPN programs. vpncmd is also useful to execute a batch operation, such as creating many users on the Virtual Hub, or creating many Virtual Hubs on the VPN Server.

Architecture

Some parts of the architecture of SoftEther VPN are different from typical traditional IPsec-based VPN systems. [7] [8]

Virtual Hub

The forwarding database (FDB) of a Virtual Hub Softethervpn fdb.jpg
The forwarding database (FDB) of a Virtual Hub

A Virtual Hub is the software-emulated virtual Ethernet switch. It learns and maintains its own forwarding-database table inside. While traditional physical Ethernet switches implement this function by hardware, SoftEther VPN implements the same function by software. A VPN Server can have several Virtual Hubs. Each Virtual Hub is isolated. A Virtual Hub performs the packet-switching between concurrently connected VPN sessions to realize the communication between VPN Clients and VPN Bridges.

When there are several Virtual Hubs in a single instance of VPN Server, these Virtual Hubs are isolated for security. Each different administrator can have the delegated privilege for each correspondent Virtual Hub. An administrator for a Virtual Hub can define user-objects and ACLs, limited only the delegated Virtual Hub.

Virtual Network Adapter

A Virtual Network Adapter is the software-emulated virtual Ethernet adapter. A VPN Client can create several Virtual Network Adapters on the client computer. A VPN user can establish a VPN session between the Virtual Network Adapter and the destination Virtual Hub of the remote VPN Server. While the VPN session is established, the VPN user can communicate to the remote VPN network through the Virtual Network Adapter. Since the Virtual Network Adapter works as if it were the physical one, any applications or operating system components can be used without any modification.

Virtual Layer-3 Switch

A Virtual Layer-3 Switch is the software-emulated virtual IP router. Several Virtual Layer-3 Switches can be created on a single VPN Server instance. A Virtual Layer-3 Switch has virtual IP interfaces connected to Virtual Hubs. It also has several static routing table entries.

The Virtual Layer-3 Switch is useful to make a large-scale site-to-site VPN network. Although the easy way to make a site-to-site VPN network is to build the layer-2 bridging based VPN, if the number of computers is huge the number of broadcasting packets will increase to load the inter-site links. To prevent that scaling problem, the VPN administrator isolates IP networks by Virtual Layer-3 switch.

Cascade Connection between Virtual Hubs

The administrator can define a cascade connection between local or remote Virtual Hubs. After the cascade connection has been established, the originally-isolated two Ethernet segments are combined to the single Ethernet segment. Therefore, the cascade connection function is used to build the site-to-site layer-2 Ethernet bridging.

Local Bridge between Virtual Hubs and physical Ethernet segment

Since Virtual Hubs and Virtual Network Adapters are only software-emulated virtual Ethernet devices, the Ethernet packets through these virtual devices cannot communicate with physical Ethernet devices. Therefore, a bridge between the virtual and the physical is necessary to build a remote-access VPN or site-to-site VPN. To make a bridge, the Local Bridge function exchanges the Ethernet packets between a Virtual Hub and a physical Ethernet network adapter to combine both isolated Ethernet segments into a single Ethernet segment.

After defining the Local Bridge on SoftEther VPN Server, any VPN Client can connect to the VPN Server and communicate to all existing Ethernet devices (e.g. servers or network equipment) through the Local Bridge. This is called a remote-access VPN.

If the network administrator sets up the remote-site VPN Bridge, and defines two Local Bridges on both VPN Server and VPN Bridge, and defines a cascade connection between VPN Server and VPN Bridge, then the remote two Ethernet segments are connected directly in layer-2 Ethernet level. This is called a site-to-site VPN.

Firewall, proxy, and NAT transparency

Firewall, proxy, and NAT transparency Softethervpn trans.jpg
Firewall, proxy, and NAT transparency

One of the key features of SoftEther VPN is the transparency for firewalls, proxy servers, and NATs (Network Address Translators). To do this, SoftEther VPN supports SSL-VPN and NAT Traversal. SoftEther VPN uses HTTPS protocol in order to establish a VPN tunnel. HTTPS (HTTP over SSL) protocol uses the TCP/IP port 443 (may vary) as destination.

Parallel transmission mechanism of multiple SSL-VPN tunnels

When the user chooses SSL-VPN protocol between the VPN Client and VPN Server, SoftEther VPN Server and VPN Client use a parallel transmission mechanism to improve the throughput of the SSL-VPN tunnel. A user can set up the number of concurrent parallel transmission channels from 1 to 32. In an environment such as a slow and delaying network, this performance tuning will result in a faster throughput. When this function is enabled, the logical VPN Session will consist of several TCP (HTTPS) connections. All packets will be added to one of the appropriate TCP connections with calculations of optimizing modules. If some packet losses have been detected on a TCP connection of the logical VPN Session, then the new packet will use another healthy VPN connection. This fast-switching optimization to determine the processing TCP connection enables high throughput.

NAT traversal

Traditional VPN systems require the user to ask the firewall's administrator of the company to open an endpoint (TCP or UDP port) on the firewall or NAT on the border between the company and the Internet. In order to reduce the necessity to open an endpoint on the firewall, SoftEther VPN Server has the NAT Traversal function. NAT Traversal is enabled by default. As long as it is enabled, SoftEther VPN Client computers can connect to your VPN Server behind the firewall or NAT. No special settings on the firewall or NAT are necessary.

VPN over ICMP, and VPN over DNS

A few very-restricted networks only permit to pass ICMP or DNS packets. On such a network, TCP or UDP are filtered. Only ICMP and DNS are permitted. In order to make it possible to establish a SoftEther VPN client-server session via such a very-restricted network, SoftEther VPN has the "VPN over ICMP" and the "VPN over DNS" function.

This function is very powerful to penetrate such a restricted firewall. All VPN packets are encapsulated into ICMP or DNS packets to transmit over the firewall. The receiver-side endpoint extracts the inner packet from the capsuled packet. This is useful for exploiting public Wi-Fi. Some public Wi-Fi can pass only ICMP or DNS packets. They filter TCP or UDP packets. If you have a VPN Server installed on your home or office in advance of going outdoors, you can enjoy protocol-free network communication by using such a restricted network.

VPN Gate

VPN Gate is a plugin for SoftEther VPN, which allows users to connect to free VPN servers, run by volunteers who use SoftEther to host their VPN servers. Volunteers use personal computers as "servers". VPN Gate is sponsored by the University of Tsukuba. [9] [10]

See also

Related Research Articles

<span class="mw-page-title-main">Wake-on-LAN</span> Mechanism to wake up computers via a network

Wake-on-LAN is an Ethernet or Token Ring computer networking standard that allows a computer to be turned on or awakened from sleep mode by a network message. It is based upon AMD's Magic Packet Technology, which was co-developed by AMD and Hewlett-Packard, following its proposal as a standard in 1995. The standard saw quick adoption thereafter through IBM, Intel and others.

Virtual private network (VPN) is a network architecture for virtually extending a private network across one or multiple other networks which are either untrusted or need to be isolated.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded. A SOCKS server accepts incoming client connection on TCP port 1080, as defined in RFC 1928.

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption ('hiding') only for its own control messages, and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2, and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It can, for example, allow private network communications to be sent across a public network, or for one network protocol to be carried over an incompatible network, through a process called encapsulation.

Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport—the application does not suffer from the delays associated with stream protocols, but because it uses User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP), the application has to deal with packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP it avoids the TCP meltdown problem when being used to create a VPN tunnel.

Networking hardware, also known as network equipment or computer networking devices, are electronic devices that are required for communication and interaction between devices on a computer network. Specifically, they mediate data transmission in a computer network. Units which are the last receiver or generate data are called hosts, end systems or data terminal equipment.

<span class="mw-page-title-main">Computer network</span> Network that allows computers to share resources and communicate with each other

A computer network is a set of computers sharing resources located on or provided by network nodes. Computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are made up of telecommunication network technologies based on physically wired, optical, and wireless radio-frequency methods that may be arranged in a variety of network topologies.

A VoIP VPN combines voice over IP and virtual private network technologies to offer a method for delivering secure voice. Because VoIP transmits digitized voice as a stream of data, the VoIP VPN solution accomplishes voice encryption quite simply, applying standard data-encryption mechanisms inherently available in the collection of protocols used to implement a VPN.

An application-level gateway is a security component that augments a firewall or NAT employed in a mobile network. It allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer "control/data" protocols such as FTP, BitTorrent, SIP, RTSP, file transfer in IM applications. In order for these protocols to work through NAT or a firewall, either the application has to know about an address/port number combination that allows incoming packets, or the NAT has to monitor the control traffic and open up port mappings dynamically as required. Legitimate application data can thus be passed through the security checks of the firewall or NAT that would have otherwise restricted the traffic for not meeting its limited filter criteria.

In computer networking, Secure Socket Tunneling Protocol (SSTP) is a form of virtual private network (VPN) tunnel that provides a mechanism to transport Point-to-Point Protocol (PPP) traffic through an SSL/TLS channel.

In computing, Microsoft's Windows Vista and Windows Server 2008 introduced in 2007/2008 a new networking stack named Next Generation TCP/IP stack, to improve on the previous stack in several ways. The stack includes native implementation of IPv6, as well as a complete overhaul of IPv4. The new TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after a change in settings. The new stack, implemented as a dual-stack model, depends on a strong host-model and features an infrastructure to enable more modular components that one can dynamically insert and remove.

HTTP tunneling is used to create a network link between two computers in conditions of restricted network connectivity including firewalls, NATs and ACLs, among other restrictions. The tunnel is created by an intermediary called a proxy server which is usually located in a DMZ.

<span class="mw-page-title-main">Zeroshell</span> Linux distribution

Zeroshell is a small open-source Linux distribution for servers and embedded systems which aims to provide network services. Its administration relies on a web-based graphical interface; no shell is needed to administer and configure it. Zeroshell is available as Live CD and CompactFlash images, and VMware virtual machines.

University of Tsukuba Virtual Private Network, UT-VPN is a free and open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses SSL/TLS security for encryption and is capable of traversing network address translators (NATs) and firewalls. It was written by Daiyuu Nobori and SoftEther Corporation, and is published under the GNU General Public License (GPL) by University of Tsukuba.

IPOP (IP-Over-P2P) is an open-source user-centric software virtual network allowing end users to define and create their own virtual private networks (VPNs). IPOP virtual networks provide end-to-end tunneling of IP or Ethernet over “TinCan” links setup and managed through a control API to create various software-defined VPN overlays.

<span class="mw-page-title-main">Provider-provisioned VPN</span>

A provider-provisioned VPN (PPVPN) is a virtual private network (VPN) implemented by a connectivity service provider or large enterprise on a network they operate on their own, as opposed to a "customer-provisioned VPN" where the VPN is implemented by the customer who acquires the connectivity service on top of the technical specificities of the provider.

References

  1. Authors of SoftEther VPN on GitHub
  2. "Release 5.02.5181".
  3. Multi-language, Single Binary Package and Unicode Support
  4. "SoftEtherVPN_Stable_LICENSE at master · SoftEtherVPN_SoftEtherVPN_Stable". GitHub . 2019-07-30. Archived from the original on 2019-07-31. Retrieved 2019-07-30.
  5. "The SoftEtherVPN Open Source Project on Open Hub". www.openhub.net. Open Hub. 2019-07-30. Archived from the original on 2019-07-31. Retrieved 2019-07-30.
  6. 1 2 3 4 Bischoff, Paul (2018-08-31). "6 open source tools for making your own VPN". Opensource.com . Archived from the original on 2018-08-31. Retrieved 2019-07-30.
  7. Layer-2 Ethernet-based VPN
  8. "ExpressVPN Speed Test".
  9. "VPN Gate FAQ (Frequently Asked Questions)".
  10. "How to Provide Your Computer as a VPN Server for VPN Gate".