🔀 Setup SoftEther VPN — Multi-Protocol VPN

Deploy SoftEther VPN Server, supporting OpenVPN, L2TP/IPSec, SSTP, and SoftEther protocols simultaneously. One server compatible with all major VPN clients.

⚠️ This script is provided for demo and testing purposes only.

📦 Resources & Setup Scripts

Grab the automated bash script from GitHub to follow along.

Automated install script — SoftEther multi-protocol VPN server.

Quick Install:

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/vpn/softether/softether-ubuntu.sh
chmod +x softether-ubuntu.sh
sudo bash softether-ubuntu.sh

Tutorial Steps

1. Download & Run the Script

The script installs Docker, pulls the SoftEther image, and starts the VPN server with all supported protocols enabled.

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/vpn/softether/softether-ubuntu.sh
chmod +x softether-ubuntu.sh
sudo bash softether-ubuntu.sh

2. Manage via SoftEther VPN Server Manager

Download the SoftEther VPN Server Manager on Windows or Linux. Connect to your server on port 5555 to manage hubs, users, and protocol settings.

3. Configure L2TP/IPSec or OpenVPN

In Server Manager, enable L2TP/IPSec and set a pre-shared key. For OpenVPN, generate and download the .ovpn config file from the OpenVPN settings tab.

4. Connect from Any Device

Use your device's native VPN client for L2TP/IPSec, or the OpenVPN app. iOS, Android, Windows, and macOS all support L2TP/IPSec natively without extra software.

Ports Used

Port   Protocol   Purpose
5555   TCP        SoftEther Admin Manager
443    TCP        SSTP / HTTPS VPN
1194   UDP        OpenVPN
500    UDP        IKE (IPSec)
4500   UDP        IPSec NAT-T
1701   UDP        L2TP

Files Location

/root/docker/softether/docker-compose.yml

Overview

SoftEther VPN is a free, powerful, multi-protocol VPN software that supports L2TP/IPsec, OpenVPN, SSTP, SoftEther's own protocol, and EtherIP simultaneously from a single server. It can operate as a VPN server, bridge, or client, and works through most firewalls because it uses HTTPS port 443 by default.

Why Use It

SoftEther VPN's defining advantage is multi-protocol support from a single server — L2TP/IPsec, SSTP, OpenVPN, and SoftEther's own high-performance protocol all run simultaneously. This means Windows, iOS, Android, and Linux devices can connect using their native, built-in VPN clients without installing any additional app. Its HTTPS-based SoftEther protocol bypasses most corporate firewalls that block UDP. For organizations that support diverse device types and need firewall traversal, no other self-hosted solution matches this flexibility.

When You Need It

Who Should Use It

Real Use Cases

Main Features

How to Use After Installation

Security Best Practices

Ports and Firewall Notes

SoftEther requires several ports depending on which protocols you use. Port 443 (TCP) is used for SoftEther's own HTTPS-based protocol and for SSTP. Port 1194 (UDP/TCP) is used for OpenVPN compatibility mode. Ports 500 and 4500 (UDP) are used for IPsec IKE and NAT traversal in L2TP/IPsec mode. Port 1701 (UDP) is used for L2TP. Port 5555 (TCP) is the SoftEther Server Manager management port — restrict this by firewall to trusted management IPs and never expose it publicly.
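
The check below is an added example, not code from the original page or from the install script. It audits the ports a compose file publishes against the port table above and flags the management port when it is bound beyond loopback. It assumes short-syntax ports: entries; the sample entries (including 992/tcp) are constructed, and treating 127.0.0.1 as the only acceptable bind for 5555 is this example's assumption.

```sh
#!/bin/sh
# Added example: compare ports published by a compose file with the port table above.
EXPECTED="5555/tcp 443/tcp 1194/udp 500/udp 4500/udp 1701/udp"  # the page's table
MGMT="5555/tcp"                                                  # Server Manager port

# Print "host_ip port/proto" for each short-syntax entry under a "ports:" key.
list_published() {
  tr -d "\"'" < "$1" | awk '
    /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
    in_ports && /^[ \t]*-/ {
      e = $0; sub(/#.*/, "", e); sub(/^[ \t]*-/, "", e); gsub(/[ \t]/, "", e)
      proto = "tcp"                      # compose default when no /proto is given
      if (match(e, /\/(tcp|udp)$/)) { proto = substr(e, RSTART + 1); e = substr(e, 1, RSTART - 1) }
      n = split(e, f, ":")
      if (n == 3) print f[1], f[2] "/" proto             # ip:host:container
      else if (n == 2) print "0.0.0.0", f[1] "/" proto   # host:container = all interfaces
      next
    }
    in_ports && !/^[ \t]*(#|$)/ { in_ports = 0 }'
}

# Return 1 if a port outside the table is published, or 5555 is bound beyond loopback.
audit_compose() {
  rc=0; published=$(list_published "$1")
  while read -r ip pp; do
    [ -n "$pp" ] || continue
    case " $EXPECTED " in
      *" $pp "*) ;;
      *) echo "UNEXPECTED $pp on $ip"; rc=1; continue ;;
    esac
    if [ "$pp" = "$MGMT" ] && [ "$ip" != "127.0.0.1" ]; then
      echo "MGMT-EXPOSED $pp on $ip"; rc=1
    else
      echo "OK $pp on $ip"
    fi
  done <<EOF
$published
EOF
  return "$rc"
}

# Constructed sample input, not the compose file the install script writes.
write_sample() {
  printf '      - "%s"\n' 5555:5555/tcp 443:443/tcp 1194:1194/udp 500:500/udp \
    4500:4500/udp 1701:1701/udp 992:992/tcp |
    { printf 'services:\n  softether:\n    ports:\n'; cat; } > "$1"
}

sample=$(mktemp); write_sample "$sample"
audit_compose "$sample" || echo "findings above need attention before exposing the host"
rm -f "$sample"
```

Docker handles published ports in its own iptables chains, so a host INPUT or ufw rule alone may not restrict 5555. Binding the port to 127.0.0.1 and reaching it over an SSH tunnel, or adding a source-IP rule in the DOCKER-USER chain, does.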

Backup and Maintenance

Common Mistakes

Troubleshooting

Alternatives

Pritunl offers a polished web UI for OpenVPN/WireGuard management with SSO — better for team management. WireGuard Easy is a lightweight, modern single-protocol alternative focused on simplicity and performance. OpenVPN Access Server provides a web-managed OpenVPN server with enterprise features but charges per user. StrongSwan is a powerful IPsec/IKEv2 server used in enterprise environments with advanced routing. For mesh VPN instead of hub-and-spoke, Tailscale/Headscale or Netbird are more appropriate.

When Not to Use It

SoftEther is complex to administer — if you only need simple WireGuard access for a small team, the overhead of SoftEther's configuration is unjustified. If your user base is entirely Linux or macOS, WireGuard from wg-easy or Pritunl is faster and easier to manage. For zero-trust or mesh networking models, SoftEther's hub-and-spoke architecture does not fit — use Headscale or Netbird instead. On very limited hardware (under 512MB RAM), SoftEther's memory footprint may be constraining.

Need Help Setting Up SoftEther?

PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.


Frequently Asked Questions

Can Windows users connect without installing any software?

Yes. Windows 7 and later include a built-in L2TP/IPsec VPN client and SSTP VPN client. iOS and Android also include native L2TP/IPsec clients. Users enter the server IP, username, password, and pre-shared key in their OS network settings — no additional download required. For the higher-performance SoftEther protocol, users need to install the SoftEther VPN Client separately.

Is SoftEther VPN free to use for commercial purposes?

Yes. SoftEther VPN is released under the Apache License 2.0, which permits free use in commercial environments. There are no per-user fees or enterprise license requirements. The server, client, and bridge are all open source. The original development was funded by the Japanese Ministry of Economy, Trade and Industry, and the project is maintained by the University of Tsukuba.

What is the difference between SecureNAT and bridge mode?

SecureNAT is a built-in DHCP and NAT engine inside the Virtual Hub — VPN clients get IP addresses from SoftEther's internal DHCP without touching the OS network stack. It works out of the box but adds a double-NAT that can cause routing issues. Bridge mode connects the Virtual Hub directly to a physical NIC or tap interface at Layer 2 — VPN clients appear on your actual LAN and get real network IPs. Bridge mode is better for LAN integration but requires OS-level tap configuration.

How does SoftEther bypass deep packet inspection?

SoftEther's own protocol encapsulates VPN traffic inside HTTPS (TLS) on port 443. To a firewall or DPI system, this traffic appears identical to normal HTTPS web traffic. The server listens on the same port as HTTPS, making it impossible to block SoftEther without blocking all HTTPS — which is impractical for most networks. This makes SoftEther effective in restrictive corporate or governmental network environments.

Can I run multiple VPN networks on one machine?

SoftEther handles this through Virtual Hubs — you can create multiple isolated Virtual Hubs on one server, each with separate users, routing, and protocols. Each hub acts as an independent VPN network. If you need separate port bindings or completely isolated server processes, you can run multiple SoftEther server instances on different ports, but most use cases are satisfied with multiple Virtual Hubs on one instance.

Does SoftEther support site-to-site VPN?

Yes. SoftEther supports site-to-site connectivity via its cascade connection feature. On each site, configure SoftEther to connect to the central hub server — this merges both sites' networks through the VPN. Alternatively, configure EtherIP or L2TPv3 to bridge two physical LANs at Layer 2, making devices on both sites appear on the same network without routing.

How do I manage SoftEther on a Linux server without a GUI?

Use vpncmd — the command-line management utility installed alongside the server. Run: vpncmd localhost /SERVER to connect to the local server. Type 'help' for available commands. Key commands: HubCreate, HubList, UserCreate, UserPasswordSet, IPsecEnable. You can also connect to a remote Linux SoftEther server using the Windows Server Manager GUI over TCP port 5555 for graphical management from a Windows machine.

What is the performance difference between SoftEther protocol and L2TP?

SoftEther's own protocol is significantly faster — it uses optimized user-space packet processing and achieves speeds close to WireGuard on modern hardware. L2TP/IPsec is limited by IPsec encryption overhead and kernel-level processing latency. In real-world tests, SoftEther protocol on a 1Gbps link can achieve 400-900Mbps throughput, while L2TP/IPsec typically maxes out at 100-200Mbps on the same hardware. Use L2TP only when native client compatibility is required.