Softether VPN on OpenWRT

  • Router must have at least ~8MB free space (preferrably extroot)
  • Must have at least 32MB of RAM and swap on

In my case I’m running

  • OpenWRT Barrier Breaker 14.07 x86 on Virtaulbox with 256MB RAM.

This configuration has been tested on these routers

  • TP-Link TL-WR842N/ND v2 (3GB extroot, 512MB swap) ar71xx
  • Asus RT-N14U (1,5GB extroot, 512MB swap) RAMIPS

I assume that you have met the prerequisites stated above, therefore in this guide I will not tell how to configure your router with extroot and swap.

Softether needs a few packages to work correctly, therefore we have to install them

# opkg update
# opkg install zlib libpthread librt libreadline libncurses libiconv-full kmod-tun libopenssl

The packages take up approximately 2,5MB of free space.



After the depending packages have been installed there are two ways to install softether

  • Using precompiled binary packages from mikmoe or my webpage, please note that only ar71xx and brcm47xx is available from mikmoe and atheros, ramips, brcm63xx is available from my webpage , therefore if your router has any other chipset such as lantiq you have to compile the packages yourself. If you have ar71xx, brcm47xx, ramips, brcm63xx, atheros feel free to skip PART 2a of this guide and continue with installing the package by following PART 2b.
  • Compiling the packages yourself.

PART 2a – Compiling Softether for your router
Prerequisites: PC or VM with Debian based distribution, ~5GB of space.
Connect to the PC on which you are going to compile.
To compile packages on Debian based distribution you have to install specific packages.

# apt-get update
# apt-get install -y subversion make gcc g++ libncurses5-dev libghc-zlib-dev libreadline-dev libssl-dev gawk bzip2 patch xz-utils git unzip

Clone OpenWRT Buildroot

svn co svn://
cd barrier_breaker

Add Softether for OpenWRT repository to OpenWRT Buildroot feeds file

echo "src-git softethervpn" >> feeds.conf.default

Update OpenWRT SDK feeds and install softether into OpenWRT SDK.

./scripts/feeds update
./scripts/feeds install softethervpn

Make default configuration for OpenWRT SDK

make defconfig

Configure architecture and which packages to compile

make menuconfig

Choose the target system by clicking enter while on “Target System”, in my case it is x86.
Choose the architecture and press ENTER
After choosing architecture head to Network->VPN. Navigate to “softethervpn” and press space two times, to enable the compilation of package.
Now press ESC until you’ve arrived to the screen below.
Press ENTER.
It should exit the OpenWRT SDK configuration and you should be ready to compile.
NB! The compilation on Intel Xeon E3-1225v2 with 4 cores takes approximately 20 minutes. So plan your time accordingly.
When you are ready to compile the packages replace the X with the amount of cores you have access to. In my case four, this will speed up things immensely.
make prepare -jX

make prepare -j4

Build the softether package, once again replace X with number of cores. This process took approximately 5 minutes on my setup.
make package/softethervpn/compile V=99 -jX

make package/softethervpn/compile V=99 -j4

The compiled package should be available at

in my case

Connect to the server where you compiled the firmware and download it, in my case I will use scp.
scp [USERNAME]@[IP_ADDRESS]:~/barrier_breaker/bin/[ARCHITECTURE]/packages/softethervpn/softethervpn* /tmp/


Now install the package
opkg install /tmp/sfotethervpn*
If everything went correctly it should look like this.


PART 2b – Downloading the precompiled packages and installing them
I will use ar71xx as an example here.
NB! Yo do not need to do this if you already did Part 2a
Head to mikmoe or my webpage and look for corresponding package, in my case “softethervpn_4.14-9529_ar71xx.ipk”
Download the package
cd /tmp/ && wget [HYPERLINK]
In my case
cd /tmp/ && wget

Install the package
opkg install softethervpn*

PART 3 – Configuring Softether administration password
Start the server
/usr/bin/env LANG=en_US.UTF-8 /usr/bin/vpnserver start

Check if everything works correctly

/usr/bin/env LANG=en_US.UTF-8 /usr/bin/vpncmd

  1. Choose 3
  2. Write check
  3. Write exit

If everything works it should look like this

Setup password for administering server
/usr/bin/env LANG=en_US.UTF-8 /usr/bin/vpncmd

  1. Choose 1
  2. Press ENTER
  3. Press ENTER
  4. Write ServerPasswordSet
  5. Input your password
  6. Repeat your password
  7. Write exit


Enable Softether VPN to start on boot

/etc/init.d/softethervpnserver enable

PART 4 – Port forwarding

To use Softether you have to open below listed ports.
TCP 443, TCP 992, TCP 1194, TCP 5555
There are two ways to do this

1)Automatically by using commands written below
NB! You will disconnect after executing firewall restart command, it is Ok and should not be feared.

wget -q -O - >> /etc/config/firewall
/etc/init.d/firewall restart &

2)Manually by inputting the ports in LUCI
Open your routers webinterface and head to Network–>Firewall–>Traffic Rules
Add your traffic rules
After you’ve added them click Save & Apply

PART 5 – Configuring Softether
Download Softether server manager from Softether downloads page


For the Linux enthusiasts out there: There is no native Linux client, but the server manager works very well if you run it through wine.

Launch the Server manager.

Click New setting

Enter the server IP and administration password, press OK

Double click on the created server.

Check “Remote Access VPN Server” and click “Next”
Click Yes
Click OK
Click Exit

Now you can configure L2TP support, in my case I will use l2TP, but you can choose as you like, it is always possible to enable it later.

Check what you need and set the connection Pre-Shared key.
Click Ok

Choose if you want to use VPN Azure, in my case I will not use it, because it is just too slow.
Click Ok

Here we can add users, just for the sake of testing we create one here.
Click Create Users and input username and password.
When done click exit.

Now we will set up local bridge since SecureNAT is slow by itself and will be even slower on a router.
Select “Local bridge setting”

PART 6 – Setting up Local bridge
I will provide two different ways to configure your network
a) All VPN clients are in the same subnet as local DHCP clients of your router
I.E if your computer has IP then if someone connects to your VPN he will be assigned

b) VPN clients will have their own subnet
I.E Your computer has IP, if someone connects to your VPN he will have

PART 6a – VPN Clients are in the same subnet as your local clients

  1. Select “Virtual Hub” “VPN”
  2. Check “Bridge with New Tap device”
  3. Write into “New Tap device name “soft”
  4. Click “Create Local-Bridge”

Click OK
If everything went well the bridge status should be “Operating”

Now open up Luci (Webinterface) and head to Network->Interfaces
Click on Edit
Head to “Physical settings” and check “Ethernet Adapter: “tap_soft” ”
Click “Save & Apply” At the buttom of page.

We are done! Now every client who connects will be given IP address of your lan subnet and everything should work out of the box.

Part 6b – VPN clients are in different subnet than local clients

  1. Select “Virtual Hub” “VPN”
  2. Check “Bridge with New Tap device”
  3. Write into “New Tap device name “soft”
  4. Click “Create Local-Bridge”

Click Ok
If everything went well the bridge status should be “Operating”

Now open Luci (Webinterface) and head to Network->Interfaces
Down below interfaces click “Add new interface”
Name the interface “vpn”
And under “Cover the following interface” select “tap_soft”
When done click “Submit”
In next page under “General setup”

  1. Write IPv4 address
  2. Choose IPv4 netmask

Click “Save & Apply”
Now scroll down and click on “Setup DHCP Server”
Click “Save & Apply”

Now head to Network->Firewall
Find the lan->wan zone and click edit
Scroll down to “Covered networks” and check “vpn”
Click “Save & Apply”

Everything is ready! Clients who connect to your VPN will be assigned 192.168.50.x addresses.