How to make a free VPN with SoftEther and an AWS EC2 Linux instance

If you’re keen on setting up your own VPN for free, there’s no easier way to do it than with SoftEther. SoftEther is a VPN solution with free software to connect a server to a client. It’s relatively easy to use compared to the standard OpenVPN setup, and it supports more protocols. They include OpenVPN, L2TP/IPSec, PPTP, SSTP, and EtherIP.

In this tutorial, we’ll show you how to set up SoftEther using the L2TP/IPSec protocol on an Amazon Web Services EC2 Instance. You can use Amazon’s micro tier free of charge for one year, provided you stay under the time, space, and bandwidth limits.

Once set up, you should be able to use your homemade VPN just like any other commercial VPN: bypass censorship, unblock geo-locked content, secure open wifi connections, and encrypt P2P file transfers. We’ve even tested this with Netflix and were able to bypass the VPN and proxy firewall to watch US Netflix from Germany, something many paid VPN providers struggle with (we’ve got a list here of paid services that beat the Netflix VPN ban).

What you need to make your own VPN using SoftEther:

Before we get started, make sure you have all the following ingredients:

• Amazon Web Services account. This requires a credit card, but you’ll only be charged for what you use, which will likely be nothing if you’re prudent about what you’re doing.
• PuTTy and PuTTygen for Windows users. Download both here.
• SoftEther client application for your operating system
• A basic working knowledge of Unix commands and how servers work with clients will be massively helpful in troubleshooting should something not go exactly as planned.

Launch an EC2 instance

First, we need to create an EC2 instance in Amazon. An “instance” is lingo for a virtual server. EC stands for “Elastic Cloud,” meaning the server can increase and decrease in size as needed. Only the smallest instance size is available under the free trial, so make sure to pick that one.

1. Once you’ve registered an AWS account, open the dashboard and click on EC2.
2. Click the button that says “Launch instance”.
3. For this tutorial we’re going to use Amazon Linux AMI, which is free tier eligible as of time of writing. The Ubuntu Server 14.04 LTS should also work, but some details will be different. Click the Select button.
4. Make sure the “free tier eligible” t2.micro tier is selected and click Next (not Review and Launch) until you get to Step 6: Configure Security Group.
5. For simplicity’s sake we’re just going to change Type to “All Traffic” and Source to “My IP”. If you prefer more security or a wider range of clients than just your computer, you can open ports 22, 443, 500, 992, 1194, 4500, and 5555. Name the security group something you’ll recognize such as “softether”.
   
6. Click Review and Launch, then Launch.
7. Next you’ll be asked to create a key pair (or use an existing one if you’ve done this before). Name the key pair something you’ll recognize, such as “softether”, and download it. Keep this somewhere secure and do not lose it, or else you won’t be able to access your server.
8. Click Launch Instances. Scroll to the bottom of this page and click View Instances.
9. You should see your new instance initializing. Click on it to display information below including the Public DNS address. We’ll need that in the next step, so copy it to your clipboard.

Congratulations, you have a server. Now we need to access it.

Accessing your EC2 instance

For this tutorial, we’ll be using PuTTy and PuTTygen on Windows. Mac and Linux users can just use their terminal. First, we need to generate a key file so we can access our server through SSH.

1. Open PuTTygen
2. Click Load
3. Navigate to wherever you downloaded your .pem key pair. Click the dropdown menu in your file navigator to show “All files”, or else the .pem key wont appear. Select the .pem file and click Open.
4. Click “Save private key” and confirm to save without a passphrase. You must give it a file name identical to that of the .pem file. In this case, “softether”.

With the .ppk private key file in hand, we can now connect to the server.

1. Open PuTTy
2. Under Host Name, paste the public DNS address of your instance (starts with “ec2” and ends with “amazonaws.com”) from the EC2 instances dashboard.
3. In the left sidebar, click the ‘+’ icon next to SSH to expand it, then click “Auth”
4. Next to the bottom field, click the Browse button. Navigate to the private key (.ppk) file you just created. Click Open.
5. Go back to the Session page in the left sidebar. Name the session something you’ll remember and hit Save. Now you can connect instantly from PuTTy in the future without having to go through all these steps again.
6. Click Open at the bottom of PuTTy
7. Click Yes to confirm you trust the server
8. In the black terminal window that appears, you’ll be prompted for a username. Assuming you chose the Amazon Linux AMI, type in “ec2-user” and hit enter.

You are now SSH’ed into your server. Anything you type into the PuTTy terminal is a command for the server, not for your local computer.

Install SoftEther on your EC2 instance

Now that you can give commands to your server, we can install the SoftEther server application. Unfortunately, SoftEther is not available in any package managers, so we’ll have to download it from the website. But before we do that, let’s make sure everything is up to date.

1. In the PuTTy terminal, type sudo yum upgrade (note other versions of Linux may use “apt-get” instead of “yum”.
2. Type wget http://www.softether-download.com/files/softether/v4.21-9613-beta-2016.04.24-tree/Linux/SoftEtherVPNServer/64bit-Intelx64or_AMD64/softether-vpnserver-v4.21-9613-beta-2016.04.24-linux-x64-64bit.tar.gz and hit Enter.
3. If the above download fails, you can find the latest version of the SoftEther VPN Server software here. Replace the URL in the above command with the download link on SoftEther’s website.
4. Copy the name of the file you just downloaded as it’s displayed in the terminal.
5. Type tar xzvf softether-vpnserver-v4.21-9613-beta-2016.04.24-linux-x64-64bit.tar.gz and hit Enter to unpack the file into a new directory called “vpnserver”.
6. In order to compile those files, type sudo yum groupinstall "Development Tools"
7. Some users have reported the gcc package won’t install via the above command, in which case you can type and enter sudo yum install gcc
8. Type and enter cd vpnserver
9. Type and enter make
10. Type “1” and hit Enter three times to get through the licensing agreement.

SoftEther is now compiled and can be executed on your server. One step closer!

Start SoftEther as a service

Next we’re going to make a file in the init.d folder that will automatically start SoftEther as a service whenever the server boots up. This will save us the trouble of turning it on manually each time we stop and start the server. You can skip this step if you please, but it can save you a lot of time in the long run. First, let’s move the SoftEther directory somewhere else.

1. Type the following commands, hitting Enter after each line:
   1. cd ..
   2. sudo mv vpnserver /usr/local
   3. cd /usr/local/vpn/server/
2. Now change the file permissions to protect your files using the following commands:
   1. chmod 600 *
   2. chmod 700 vpnserver
   3. chmod 700 vpncmd
3. Create a file by typing sudo nano /etc/init.d/vpn/server
4. In the empty text file, paste the following (you can paste by right clicking in Windows):

        #!/bin/sh

   # chkconfig: 2345 99 01

   # description: SoftEther VPN Server

   DAEMON=/usr/local/vpn/server/vpn/server

   LOCK=/var/lock/subsys/vpn/server

   test -x $DAEMON || exit 0

   case “$1” in

   start)

   $DAEMON start

   touch $LOCK

   ;;

   stop)

   $DAEMON stop

   rm $LOCK

   ;;

   restart)

   $DAEMON stop

   sleep 3

   $DAEMON start

   ;;

   *)

   echo “Usage: $0 {start|stop|restart}”

   exit 1

   esac

   exit 0

5. Press CTRL+O (‘o’ not zero) and hit Enter to save the file. Then hit CTRL+X to exit Nano.
6. Type the following commandsto make Softether run on startup:
   1. mkdir /var/lock/subsys (this might already exist)
   2. sudo su
   3. chmod 755 /etc/init.d/vpn/server && /etc/init.d/vpn/server start
   4. chkconfig --add vpnserver

SoftEther will now run automatically at server startup.

Check to make sure SoftEther is working

Here we will run a quick check to make sure everything is working as desired.

1. Type cd /usr/local/vpn/server and hit Enter
2. Type ./vpn/cmd and hit Enter
3. Type ‘3’ to choose the third option and hit Enter
4. Type check and hit Enter to run the test

You should receive a message that all the checks passed. If not, something went wrong.

Type “exit” to quit vpntools.

Configuring SoftEther

Next we need to configure SoftEther so we can connect to it from our PC client.

1. While you’re still in the vpnserver directory, type ./vpn/cmd
2. Choose option 1 and hit Enter
3. For the hostname IP, input the IP address of the EC2 server instance followed by a colon and port 5555. You can find the IP of your server instance on the EC2 dashboard. The input should look like this: 123.123.123.123:5555
4. In the next step, leave the input blank and hit Enter to connect from the Server Admin node
5. The prompt should now read “VPN Server>”. Enter ServerPasswordSet and hit Enter
6. Enter a password of your choice and type it again to confirm
7. Next, type HubCreate VPN and enter a new password that you will use to log in when you are not in Server Admin mode
8. Type Hub VPN and hit Enter
9. Type SecureNatEnable
10. Type UserCreate paul, replacing “paul” with a username of your choice.
11. You will be asked to enter a Group Name, Full Name, and Description for the new user. Leave the Group Name blank, and use whatever you want for the other two.
12. Type UserPasswordSet paul, replacing paul with the username you just created. Enter and confirm a password for that user.
13. Repeat steps 10-12 for as many users as you wish.

A couple notes here. In step 9, we use Secure NAT as the means to connect hubs to the server network. Another option is Local Bridge connection, but it’s more complicated and requires you set up a DHCP server. Secure NAT takes care of the DHCP server for you.

In step 12, we use the UserPasswordSet command to enable password authentication on a particular user. SoftEther supports several other types of authentication, which can vary between users. They include NT domain, anonymous, RADIUS, individual certificate, and signed certificate authentication.

Set up L2TP/IPSec on the VPN server

We decided to use L2TP/IPSec as the VPN protocol in this tutorial for three main reason: a) it’s more secure than PPTP, b) it’s easier to set up than OpenVPN, and c) it works across multiple operating systems, unlike the Windows-only SSTP.

1. While still in vpncmd’s “VPN Server>” prompt, enter IPsecEnable
2. Next you are given a series of configuration prompts. Below we’ll give our recommended answers:
   1. Enable L2TP over IPsec Server Function – yes, enable the VPN for use on multiple devices including Windows PC, Mac OSX, iOS, and Android
   2. Enable Raw L2TP Server Function – no, do not allow connections without encryption
   3. Enable EtherIP / L2TPv3 over IPsec Server Function – yes, allow routers with this built-in function to connect
3. Next comes the pre-shared key. This is a password with a maximum of nine characters. Enter whatever you like.
4. For “Default Virtual HUB in a case of omitting the HUB on the Username:”, simply enter VPN

That’s it! make sure you write down all the passwords you’ve created above and what each one is for.

Connecting to your homemade SoftEther VPN

You can connect to your VPN using any L2TP-compatible VPN client you want, but we’ll show you how to do it with SoftEther’s own app. Start by downloading the and installing the client for your operating system here.

1. Open the SoftEther VPN Client Manager app and click “Add a VPN connection”
2. You’ll be prompted to create a virtual adapter if you haven’t already. Confirm and press OK to accept the default name.
3. In the Properties window that appears, enter the following:
   • A Setting Name of your choice
   • Host Name is your server’s IP address
   • Port Number is 5555 as specified above
   • Virtual Hub Name is “VPN” as specified above
   • User Name is the username you set on the server above, in this case “paul”
   • Password is what you set for that user with the UserPasswordSet function above

Leave everything else to the default settings and press OK. Now, back on the main window, double click the connection you just set up to connect.

A message will appear saying your VPN connection was established. Congratulations! You are now connected to your homemade VPN!

Remember to keep your bandwidth within Amazon’s free tier limits. The easiest way to do this is to right click on your instance in the AWS Console and click on the “Add/Edit Alarms” link. You can set your server to stop or even terminate after a few hours of inactivity. The free tier allows for 750 hours per month (which covers the whole month), so you shouldn’t need to do this. Those users past their initial free year of service or doing more with their AWS account, however, can prevent unnecessary charges for unused server time.

Somewhere in this tutorial, something will probably go wrong for you. If you really want a VPN but aren’t willing to do your fair share of troubleshooting, it’s probably best to opt for a paid VPN service. There are a fair number of off-the-shelf free VPN services, but they have their limitations. Linux users can find a list of our favorite VPNs for Debian and Fedora distros here. Paid subscription VPNs also allow you to channel your internet traffic through dozens of geographic locations, whereas an EC2 instance is limited to just one. Check out our VPN reviews here!