What is a VPN?
A VPN (Virtual Private Network) is a technology that encrypts your communication over the internet and protects your privacy. Normally, when you use the internet, your data passes through a public network. However, by using a VPN, your communication is protected as if you were using a private network.
Main Purposes of a VPN
- Privacy Protection: By using a VPN, the risk of your online activities being observed by third parties is reduced. For example, even if you are using public Wi-Fi in a café, a VPN allows you to browse the internet safely.
- Bypassing Regional Restrictions: Some web services and content are only available in specific regions. A VPN allows you to access these services from other regions.
- Enhanced Security: Companies and organizations use VPNs to ensure that remote workers can securely access the internal network. This helps to keep sensitive data safe.
+-----------------+                                  +---------------------+
| Your Device     | ---- Internet (Public) ----------| VPN Server          |
| (PC, Smartphone)|                                  | (Google Cloud, etc.)|
+-----------------+                                  +---------------------+
        |                                                      |
        |                                                      |
   Public Wi-Fi                                           Encrypted
     Network                                                Tunnel
        |                                                      |
        v                                                      v
+-----------------------------------------------------------+
|                     Internet (Secure)                     |
|            Your data is protected and private             |
+-----------------------------------------------------------+
This diagram shows your device (PC or smartphone) on the left, connecting to the internet through a public Wi-Fi network. With a VPN, that communication is encrypted and routed through the VPN server, so it stays protected even on the public network.
Setting Up a VPN in Various Environments
The method introduced here can be used not only on Google Cloud but also in the following environments:
- WSL (Windows Subsystem for Linux): This is a feature that allows you to run Linux on Windows. By installing Docker on WSL, you can set up a VPN server on your Windows machine using the same steps.
- Physical Linux Machine: The same steps can be followed to set up a VPN server on a physical Linux environment such as Ubuntu or CentOS.
Steps to Set Up a VPN Server Using Docker (Including the Mistakes Made Along the Way)
This section explains the steps to set up a SoftEther VPN server using Docker. We will start with a typical setup method, but later, we will explain any mistakes made in the process and how to correct them.
About the Environment Used
In this setup, we will use an instance from Google Cloud’s free tier. Specifically, we’ll use the e2-micro plan with Ubuntu as the operating system. The same steps can be followed in other environments, such as WSL or a physical Linux machine.
Docker Image for the VPN Server
To easily install SoftEther VPN, we will use a Docker image. Various images are available on Docker Hub, but we will use the image linked in the following GitHub repository:
https://github.com/siomiz/SoftEtherVPN
Executing the Command
First, execute the following command to start the VPN server with Docker. This command is configured to use port 5555.
docker run -d --name vpn --cap-add NET_ADMIN -p 5555:5555/tcp siomiz/softethervpn
- -d: Runs the container in the background.
- --name vpn: Names the container “vpn.”
- --cap-add NET_ADMIN: Adds network administration privileges to the container.
- -p 5555:5555/tcp: Maps port 5555 on the host to port 5555 on the container.
Important Notes
After executing the command above, use the docker ps command to check the running containers. At this point, you may notice some ports listed that you did not configure; these are ports the image exposes but that are not published to the host, so they do not open anything on the host and you don’t need to worry about them.
Firewall Settings
To ensure the VPN server functions correctly, you need to check Ubuntu’s firewall settings. If the firewall is enabled, you should either open port 5555 for the VPN or temporarily disable the firewall if necessary.
Specifically, you can use the following command to check if the firewall is enabled and open the port if needed:
sudo ufw status
If the firewall is enabled, run the following command to open port 5555:
sudo ufw allow 5555/tcp
If you want to temporarily disable the firewall, use the following command:
sudo ufw disable
Either option lets the VPN server accept external connections; opening only port 5555 keeps the host’s other ports closed, whereas disabling the firewall exposes all of them.
Container Check and Connection Settings
Previously, when I set up the VPN Server without Docker, I experienced connection failures on Ubuntu. Therefore, this time, I decided to check the OS inside the container just to be sure.
docker exec -it vpn bash
Upon entering the container, I found that apt could not be used, but yum and dnf were available instead. This is because the VPN Server is running on a Red Hat-based OS rather than Ubuntu. According to my research, Ubuntu has network-related bugs, which is why other OSs are officially recommended.
Using the Management Tool on Windows
Now that the container has started successfully, the next step is to configure the connection settings. If configuring on Linux is challenging, you can install the SoftEther management tool on your Windows machine at home and proceed with the setup. Although this method is not documented in the official guides, it’s a method I’ve used before.
You can download the SoftEther VPN Manager for Windows from the official site below:
https://www.softether-download.com/ja.aspx?product=softether
Run the downloaded file and select “Server Manager” during the installation. This will make it easier to configure the VPN server.
Update with Additional Information
This article was originally posted in 2022, but during this update, I discovered some new information.
First, upon rechecking the distribution inside the container, it was found that Alpine Linux is now being used. This is a significant change, indicating that the container has become lighter and more efficient.
Additionally, the officially recommended operating system for SoftEther has been updated to Ubuntu 22.04. This suggests that the previous network-related bugs may have been resolved.
Firewall Configuration and Server Manager Settings
Once the SoftEther VPN server installation is complete, the next step is to check the firewall settings in Google Cloud’s VPC network. Here, you need to configure the firewall to allow traffic on port 5555.
Important: If this setting is not configured, external connections will be blocked, and the VPN server will not function correctly.
Step-by-Step Instructions with Screenshots
Refer to the screenshots and follow the steps to navigate to the Google Cloud VPC network settings screen and configure it to allow traffic on port 5555.
Log Review and Troubleshooting
If the connection fails, the next step is to follow the GitHub documentation and check the container logs. The logs may display the username and password required for the connection. You can check the logs using the following command:
docker logs vpn
By following this procedure, you can identify the cause of the connection failure and take appropriate action.
Log Review and Administrator Password Issue
When attempting to connect to the VPN server, the username and password may be displayed in the logs. As shown in the screenshot above, while the username and password are indeed displayed, these are for connecting to the VPN and are different from the administrator password used by the server management tool.
Important: If the administrator password is unknown, you will not be able to log in to the server management tool. Therefore, you need to explicitly set this password when configuring Docker.
Reconfiguring the Docker Container
To set the administrator password, you first need to stop and remove the current VPN container. Run the following commands to stop and remove the container:
docker stop vpn
docker rm vpn
These commands will completely stop the container, allowing you to reconfigure it.
Setting the Administrator Password and Reconnecting
To resolve the earlier issue, this time we will set the administrator password when starting the VPN server with Docker. This will allow you to log in to the server management tool.
Execute the following command to recreate the VPN container while setting the administrator password:
docker run \
--name vpn \
--cap-add NET_ADMIN \
-p 5555:5555/tcp \
-e SPW=test \
-e HPW=test \
-d siomiz/softethervpn
- -e SPW=test: SPW is an option to set the server password, and here we are setting the password to “test.” This will be the password used by the server management tool.
- -e HPW=test: HPW is an option to set the hub password, and here we are also setting it to “test.”
With this, the administrator password is set, and the container will start up again.
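As an added example (not code from the original post or from the siomiz/SoftEtherVPN project), the following script wraps the docker run and ufw steps above so that the SPW and HPW passwords are read from the environment instead of being typed as “test” on the command line. It relies on a documented docker behaviour: passing -e SPW with no value copies that variable from the caller’s environment. The container name, port, image name and the SPW/HPW variable names are the ones used in the post; the 12-character minimum and the “apply” argument are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post or the siomiz/SoftEtherVPN project.
# Wraps the post's "docker run" and "ufw" steps so that the SPW/HPW admin
# passwords come from the environment (never typed literally as "test")
# and only the single VPN port is opened on the host firewall.
set -eu

VPN_NAME="${VPN_NAME:-vpn}"                     # container name from the post
VPN_PORT="${VPN_PORT:-5555}"                    # port from the post
VPN_IMAGE="${VPN_IMAGE:-siomiz/softethervpn}"   # image from the post

# password_ok PASSWORD
# Rejects empty passwords, the post's placeholder "test", and anything
# shorter than 12 characters (a minimum chosen for this example).
password_ok() {
    pw="$1"
    [ -n "$pw" ] || return 1
    [ "$pw" != "test" ] || return 1
    [ "${#pw}" -ge 12 ] || return 1
    return 0
}

# docker_run_args
# Prints the argument list for "docker run". "-e SPW" and "-e HPW" without
# a value make docker copy those variables from the caller's environment,
# so the passwords never appear on the command line or in shell history.
docker_run_args() {
    printf '%s' "-d --name $VPN_NAME --cap-add NET_ADMIN -p $VPN_PORT:$VPN_PORT/tcp -e SPW -e HPW $VPN_IMAGE"
}

# ufw_rule
# Prints the single ufw rule the host needs (port/protocol only).
ufw_rule() {
    printf '%s' "$VPN_PORT/tcp"
}

# apply_setup
# Runs the real commands. Requires SPW and HPW to be exported by the caller:
#   export SPW='...' HPW='...'; ./vpn-setup.sh apply
apply_setup() {
    password_ok "${SPW:-}" || { echo "SPW missing or too weak" >&2; return 1; }
    password_ok "${HPW:-}" || { echo "HPW missing or too weak" >&2; return 1; }
    if sudo ufw status | grep -q '^Status: active'; then
        sudo ufw allow "$(ufw_rule)"   # open only the VPN port, not the whole firewall
    fi
    # shellcheck disable=SC2046
    docker run $(docker_run_args)
}

# Only run the commands when invoked as "./vpn-setup.sh apply";
# sourcing or running the file without arguments just defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_setup
fi
```

Keeping the passwords out of the command line removes them from shell history and from ps output on the host, but anyone who can reach the Docker socket can still read them with docker inspect, so treat access to the Docker daemon as equivalent to administrator access to the VPN server.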
Reconnecting with the Server Management Tool
Next, attempt to reconnect using the Server Manager. Use the password (test) that was set earlier to make the connection. This time, the connection should succeed without any issues.
Disabling Unnecessary Features
After successfully connecting to the VPN server, the next step is to disable any features that are not needed. For security and performance reasons, we will disable any ports other than port 5555, which was specified in the docker run command, as well as any unnecessary features.
Disabling Server Features
The VPN server comes with various built-in features, but not all of them are necessary. Follow these steps to disable the unnecessary server features:
- Open the Management Tool: Open the SoftEther VPN Server Manager and connect to the server.
- Check Server Feature Settings: From the menu, select “Server Feature Settings.”
- Select Features to Disable: Deselect the features that are not needed in this environment, such as IPsec/L2TP, EtherIP, and L2TPv3.
Configuring for Smartphone Connections
If you are connecting via a smartphone or other devices, you will need to adjust the ports and features accordingly. In that case, do not disable the features or ports required for the connection, and proceed with the appropriate settings.
Disabling Unnecessary Features and Feature Descriptions
After successfully establishing a connection, it is important to disable any unused features to operate the VPN server more securely and efficiently. Here, I will explain the roles of some key features and why they should be disabled.
Dynamic DNS Feature
Dynamic DNS is a feature that assigns a specific domain name to the server. This allows you to access the server using the same domain name even if the server’s IP address changes. For example, in environments where the IP address changes every time you connect to the internet, you can still access the server using a consistent domain name.
However, since we are using a fixed IP address in this setup, the Dynamic DNS feature is unnecessary. To enhance security, we will disable this feature.
OpenVPN and MS-SSTP
OpenVPN and MS-SSTP are protocols used to establish VPN connections. These protocols allow VPN connections across various environments and devices.
In this case, we have chosen to use only the specific port 5555, and we will not be using other protocols. Therefore, these protocols will also be disabled.
VPN Azure
VPN Azure is a feature provided by SoftEther VPN that enables connections via the cloud. It allows VPN connections to be established across NATs and firewalls.
However, VPN Azure involves using an external cloud service, which requires careful consideration of privacy and security. In this setup, we will not be using VPN Azure, opting instead to manage the server directly, so this feature will also be disabled.
Creating a User for VPN Connection
Next, you’ll create a user for the VPN connection. The user management settings are done through the Virtual HUB management, and here I’ll explain the steps in detail.
- Open Virtual HUB Management: Use the SoftEther VPN Server Manager to open the Virtual HUB management screen.
- Check and Delete Existing Users: By default, one user is already created during the initial setup. This user might be the general user displayed in the docker logs vpn command. For security reasons, it is recommended to delete the default user and create a new, custom user.
- Create a New User: Click on “Create New User” and set the username and password that will be used for the connection. This user will be used for the VPN connection.
Important Notes
Using the default user that was created automatically may increase security risks. Always create a new user and set a strong password.
Final Preparation for VPN Connection and Connection Verification
At this point, the VPN server setup is complete, and you are ready to connect. Next, we’ll use the SoftEther VPN Client to establish the actual connection. Here, I’ll explain in detail how to input the necessary information and verify the connection.
Launching and Configuring the SoftEther VPN Client
- Launch the SoftEther VPN Client: First, launch the SoftEther VPN Client that you installed. Refer to the screenshot below to navigate to the main screen.
- Set Up a New Connection: Click on “New VPN Connection Setting” and enter the required information. This includes the hostname (the server’s IP address), port number, username, and password.
- Verify the Connection: Once the setup is complete, click the “Connect” button to attempt to connect to the VPN server. As shown in the screenshot below, if the connection is successful, the connection status will display as “Connected.”
When the Connection is Successful
Once the connection is successful, your internet traffic will be routed through the VPN. This ensures privacy protection and secure communication.
How to Verify the VPN Connection
To confirm whether the VPN connection is working, the simplest check is to look up your public IP address in a browser. Here, I will explain the steps in detail.
Steps to Check the IP Address
- Open a Browser: Open any browser of your choice. Google Chrome or Firefox, or any browser you typically use, will work fine.
- Access an IP Address Check Website: In the browser’s address bar, type “what is my IP address” or something similar, and access a website that displays your IP address. Refer to the screenshot below.
- Check the IP Address: Once you access the site, your current IP address will be displayed. If the displayed IP address matches the external IP address of your Google Cloud server, then the VPN connection is confirmed to be successful.
Points to Confirm
It is important that the displayed IP address matches the external IP address of the Google Cloud server hosting the VPN.
If they do not match, there may be an issue with the connection, so please review your settings.
Verifying the Configuration File for Applied Settings
Finally, it’s important to verify that the settings made in the Server Manager have been correctly reflected in the configuration file. This ensures that the settings have been properly applied and helps prevent potential issues.
Steps to Access the Container and Check the vpn_server.config File
- Access the Container: First, use the following command to access the VPN server container:
docker exec -it vpn bash
This command allows you to enter the container where the VPN server is running.
- Check the vpn_server.config File: Next, verify that the settings made in the Server Manager are reflected in the vpn_server.config file. Specifically, check whether the port number used for the VPN and other settings have been correctly applied. Since the file is located in the container, you should be able to check it using the following command:
cat vpn_server.config
This command will display the contents of the vpn_server.config file.
- Verify the Settings: Confirm that the actions performed in the GUI are correctly reflected in the vpn_server.config file. For example, check if the port number used for the VPN is set as expected. Refer to the screenshot below to ensure the settings have been properly reflected.
Points to Confirm
It is crucial that the settings in the vpn_server.config file match those made in the Server Manager.
If the settings are not reflected correctly, review the settings again and make any necessary adjustments.
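Reading the whole file by eye is error-prone, so here is an added example (not from the original post or the siomiz/SoftEtherVPN project) that parses vpn_server.config and lists the listener ports that are still enabled, which turns the “only port 5555 should remain” check above into a one-line test. It assumes, from my reading of the file format, that listeners live under declare ListenerList as declare ListenerN blocks carrying bool Enabled and uint Port entries; the sample config embedded in the script is constructed for the example (SoftEther’s default listeners 443, 992 and 1194 disabled, 5555 enabled), not copied from a real server.

```shell
#!/bin/sh
# Added example, not from the original post or the siomiz/SoftEtherVPN project.
# Parses a SoftEther vpn_server.config and lists the listener ports that are
# still enabled, so you can confirm that only the port from "docker run"
# (5555 in the post) remains open after the Server Manager changes.
# Assumption: listener entries live under "declare ListenerList" as
# "declare ListenerN { bool Enabled ...; uint Port ... }"; verify against
# your own file if its layout differs.
set -eu

# enabled_listener_ports CONFIG_FILE
# Prints one enabled listener port per line, in file order.
enabled_listener_ports() {
    awk '
        /^[[:space:]]*declare ListenerList[[:space:]]*$/ { in_list = 1; list_depth = depth; next }
        /[{]/ { depth++ }
        in_list && /^[[:space:]]*declare Listener[0-9]+[[:space:]]*$/ {
            in_listener = 1; listener_depth = depth; enabled = ""; port = ""; disabled = ""
        }
        in_listener && $1 == "bool" && $2 == "Enabled"      { enabled = $3 }
        in_listener && $1 == "bool" && $2 == "DisableEntry" { disabled = $3 }
        in_listener && $1 == "uint" && $2 == "Port"         { port = $3 }
        /[}]/ {
            depth--
            if (in_listener && depth == listener_depth) {
                if (enabled == "true" && disabled != "true" && port != "") print port
                in_listener = 0
            }
            if (in_list && depth == list_depth) in_list = 0
        }
    ' "$1"
}

# unexpected_ports CONFIG_FILE EXPECTED_PORT
# Prints every enabled port other than EXPECTED_PORT; returns 1 if any exist.
unexpected_ports() {
    extra=$(enabled_listener_ports "$1" | grep -vx "$2" || true)
    [ -z "$extra" ] || printf '%s\n' "$extra"
    [ -z "$extra" ]
}

# write_sample_config PATH
# Writes a constructed config fragment (not a real server's file) with the
# default 443/992/1194 listeners disabled and only 5555 left enabled.
write_sample_config() {
    cat > "$1" <<'EOF'
declare root
{
    uint ConfigRevision 3
    declare ListenerList
    {
        declare Listener0
        {
            bool DisableEntry false
            bool Enabled false
            uint Port 443
        }
        declare Listener1
        {
            bool DisableEntry false
            bool Enabled false
            uint Port 992
        }
        declare Listener2
        {
            bool DisableEntry false
            bool Enabled false
            uint Port 1194
        }
        declare Listener3
        {
            bool DisableEntry false
            bool Enabled true
            uint Port 5555
        }
    }
}
EOF
}

# Usage: ./check-config.sh /path/to/vpn_server.config [expected-port]
if [ "${1:-}" != "" ]; then
    if unexpected_ports "$1" "${2:-5555}"; then
        echo "OK: only port ${2:-5555} is enabled"
    else
        echo "WARNING: the listener ports above are still enabled" >&2
        exit 1
    fi
fi
```

To run it against the live container, copy the file out with docker cp rather than editing inside the container, and note that if the image is Alpine-based (as the update section reports) bash may be absent, so use sh for docker exec.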