commands.in

ServerPasswordSet ADMINPASSWORD
HubCreate VPN /PASSWORD:
hubdelete default
Hub VPN
UserCreate USERNAME /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet USERNAME /PASSWORD:TESTPASS
OpenVPNEnable no /PORTS:1194
sstpenable no
SecureNatDisable
natdisable
dhcpdisable
bridgecreate VPN /DEVICE:soft /TAP:yes
ipsecenable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:TESTSECRET /DEFAULTHUB:VPN
keepdisable
vpnovericmpdnsenable /ICMP:no /DNS:no
listenerdelete 1194
listenerdelete 5555
listenerdelete 992
ServerCipherset AES256-SHA
flush
exit
interfaces

auto lo
iface lo inet loopback

auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_waitport 0
    bridge_maxwait 0
    bridge_fd 0
    post-up ip link set br0 address MACADDRESS

allow-hotplug eth0
iface eth0 inet manual
iptables.sh

#!/bin/bash
# NAT traffic leaving the Pi and turn on forwarding so VPN clients can reach out;
# ICMP redirects are switched off so the bridged hosts cannot be steered around.
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > "$vpn/accept_redirects"; echo 0 > "$vpn/send_redirects"; done
sysctl -p
# Persist the same settings in /etc/rc.local. Raspbian's rc.local ends with an
# 'exit 0', so the block has to go before it; appended after it, it never runs.
RULES='for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -A FORWARD -i br0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0 -o br0 -j ACCEPT'
if grep -q '^exit 0' /etc/rc.local; then
    # Drop the trailing exit, append the rules, then put the exit back at the end.
    sed -i '/^exit 0$/d' /etc/rc.local
    printf '%s\nexit 0\n' "$RULES" >> /etc/rc.local
else
    printf '%s\n' "$RULES" >> /etc/rc.local
fi
l2tpvpn

[L2TPVPN]
title=Johan's L2TP
description=Dis is a VPN
ports=500,1701,4500/udp|1701,1723/tcp

Raspberry Pi L2TP VPN Setup Scripts

Install Raspbian and set up your users however you would like, so long as the user you run this with has sudo access. You probably want to resize the image so it fills the SD card as well.

  1. Copy this entire gist to your Raspberry Pi.

  2. Do chmod +x step1.sh step2.sh iptables.sh in the gist folder (so that

  3. Run step1.sh
     a) This script does a few things: it first updates your Raspberry Pi, then installs a few needed utilities, then upgrades the firmware on your Raspberry Pi.
     b) Next, it sets up a few iptables rules in /etc/rc.local. Please verify that there is not an 'exit 0' statement before those rules are run, as the 'exit 0' will obviously prevent them from being loaded.
     c) It downloads SoftEther for Raspberry Pi, extracts it to /usr/local/vpnserver, agrees to the license terms, and then "makes" it.
     d) It changes the permissions as necessary on the /usr/local/vpnserver files.
     e) It adds the ufw profile for the L2TP VPN and allows it (but it doesn't enable ufw if it isn't already enabled).
     f) It adds the init.d script to start the VPN server on boot.

     A) Please enable ufw if you would like your Pi to be more secure. The iptables and ufw rules should allow you to simply type 'sudo ufw enable' and everything should work.
     B) Please check /etc/rc.local to ensure that 'exit 0' does not come before the iptables commands.
     C) Unless you are confident in managing the services manually, please reboot your Pi to make sure everything is working nicely.

  4. Run step2.sh
     a) This script sets up the SoftEther VPN config for an L2TP/IPsec VPN.
     b) It will ask you various things in order and then stream-edit them into a copy of the 'commands.in' file, which it then uses to configure the SoftEther server.
     c) This script only works with a clean install of SoftEther; if you have already set a password on SoftEther, it will not work.
     d) The SoftEther admin password is used only to administer the server using the vpncmd program or the SoftEther GUI for Windows.
     e) The IPsec secret is the shared secret for all IPsec connections.
     f) The user/password are for one specific account, and do not have to match your Unix account.
     g) The script also grabs the MAC address of the Raspberry Pi's 'eth0' interface, and then sets up /etc/network/interfaces to use a bridge with that MAC address rather than the Ethernet adapter directly.
        1) This is because SoftEther binds to a TAP device, which we then need to bridge with eth0 so that we can access the Raspberry Pi via the VPN. If we did a local bridge directly onto eth0, we would be able to access everything but the Raspberry Pi when connected via VPN.

     A) Please check /etc/network/interfaces to make sure things look good! You shouldn't see MACADDRESS in the file, you should see it creating a bridge, and eth0 should be set to manual with no additional settings.
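The checks in step 4 A) can be scripted rather than done by eye, which matters when the Pi is only reachable remotely. The following is an added example, not one of the gist's files: check_interfaces takes the path of a rendered interfaces file and fails if the MACADDRESS placeholder is still present, if what replaced it is not shaped like a MAC address, if br0 does not bridge eth0, or if the eth0 stanza carries settings beyond 'inet manual'. The two sample files it builds are constructed here (the MAC in the good one is made up).

```shell
#!/bin/sh
# Added example, not part of the gist: script the /etc/network/interfaces
# checks from step 4 A) so they can be run before a remote reboot.

# check_interfaces FILE -> 0 if all checks pass; otherwise each failure is
# printed to stderr and the return code is 1.
check_interfaces() {
    file="$1"
    rc=0
    fail() { echo "check_interfaces: $1" >&2; rc=1; }

    # 1. The placeholder must have been replaced...
    if grep -q 'MACADDRESS' "$file"; then
        fail "placeholder MACADDRESS is still present"
    fi

    # 2. ...by something shaped like a MAC address (six hex octets).
    mac=$(sed -n 's/^[[:space:]]*post-up ip link set br0 address[[:space:]]*//p' "$file" | head -n1)
    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; then
        fail "br0 MAC address is missing or malformed: '$mac'"
    fi

    # 3. br0 must actually bridge eth0, or VPN clients reach nothing.
    if ! grep -Eq '^[[:space:]]*bridge_ports[[:space:]]+eth0([[:space:]]|$)' "$file"; then
        fail "br0 does not list eth0 in bridge_ports"
    fi

    # 4. eth0 must be 'inet manual' with no further options; an address left
    #    on eth0 fights with the bridge and is a common cause of lock-outs.
    if ! grep -Eq '^[[:space:]]*iface[[:space:]]+eth0[[:space:]]+inet[[:space:]]+manual' "$file"; then
        fail "eth0 is not configured as 'inet manual'"
    fi
    extra=$(awk '
        /^[ \t]*iface[ \t]+eth0[ \t]+inet[ \t]+manual/ { inside = 1; next }
        /^[ \t]*(iface|auto|allow-hotplug|mapping|source)[ \t]/ { inside = 0 }
        inside && NF > 0 && $1 !~ /^#/ { print }
    ' "$file")
    if [ -n "$extra" ]; then
        fail "eth0 stanza has extra settings: $extra"
    fi
    return "$rc"
}

# Constructed sample: what step2.sh should have produced (the MAC is made up).
sample_interfaces_good() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
auto lo
iface lo inet loopback

auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_waitport 0
    bridge_maxwait 0
    bridge_fd 0
    post-up ip link set br0 address b8:27:eb:12:34:56

allow-hotplug eth0
iface eth0 inet manual
EOF
    echo "$f"
}

# Constructed sample: placeholder never substituted, plus a leftover static
# address on eth0.
sample_interfaces_bad() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
auto br0
iface br0 inet dhcp
    bridge_ports eth0
    post-up ip link set br0 address MACADDRESS

allow-hotplug eth0
iface eth0 inet manual
    address 192.168.1.20
EOF
    echo "$f"
}

# On a real box: check_interfaces /etc/network/interfaces && sudo reboot
```

Run it against the temporary copy step2.sh writes (.vpnsetuptemp/interfaces) before it is copied into place, or against /etc/network/interfaces afterwards; a non-zero exit is the signal to fix the file before rebooting.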

Lastly, which you must do on your own:

Set up a DHCP reservation for your Raspberry Pi in your router (essentially a DHCP-assigned static IP). If you cannot do this, you may want to mess around with the bridge settings and assign the Pi a static IP that way. Then you need to forward ports 1701/tcp, 4500/udp and 500/udp from your router to your Raspberry Pi.

That should be it! Feel free to message me if you have issues, but only if you are using a Raspberry Pi and Raspbian. I may or may not be able to get back to you. If you make modifications to these scripts to work for other OSes, it might be nice if you shared them with us. If you have any tips on how I should improve my Pi, let me know!

step1.sh

#! /bin/bash
DOWNLOADURL="http://www.softether-download.com/files/softether/v4.08-9449-rtm-2014.06.08-tree/Linux/SoftEther%20VPN%20Server/32bit%20-%20ARM%20EABI/softether-vpnserver-v4.08-9449-rtm-2014.06.08-linux-arm_eabi-32bit.tar.gz"
sudo apt-get update
sudo apt-get dist-upgrade -y
sudo apt-get install vim git-core ufw moreutils lsof rpi-update build-essential curl bridge-utils -y
sudo rpi-update
# Run through bash explicitly so a missing executable bit does not skip the firewall setup.
sudo bash ./iptables.sh
# -f makes curl fail on an HTTP error instead of piping an error page into tar.
curl -fsSL "$DOWNLOADURL" | sudo tar xzvf - -C /usr/local/
# Build in a subshell so the working directory is restored afterwards
# (pushd/popd are bash builtins and fail when the script is run with sh);
# the 1s answer SoftEther's license prompts.
( cd /usr/local/vpnserver && printf '1\n1\n1\n1\n' | sudo make )
sudo chmod 755 /usr/local/vpnserver
sudo chmod 600 /usr/local/vpnserver/*
sudo chmod 700 /usr/local/vpnserver/vpncmd
sudo chmod 700 /usr/local/vpnserver/vpnserver
# ufw application profile so 'ufw allow L2TPVPN' opens the L2TP/IPsec ports.
sudo cp l2tpvpn /etc/ufw/applications.d/
sudo chmod 644 /etc/ufw/applications.d/l2tpvpn
sudo ufw allow L2TPVPN
sudo ufw allow ssh
# Start the VPN server on boot.
sudo cp vpnserver /etc/init.d/
sudo chmod 755 /etc/init.d/vpnserver
sudo update-rc.d vpnserver defaults
echo "Please enable UFW if you would like to be more secure (sudo ufw enable)"
echo "Please check /etc/rc.local. If 'exit 0' occurs before the iptables rules,
please edit so that 'exit 0' is after."
echo "ATTENTION: Please restart before next step to ensure new raspberry pi
firmware is loaded and vpn server starts"
step2.sh

#!/bin/bash
CONFIGBASEFILENAME=commands.in
NETWORKBASEFILENAME=interfaces
# The temp copies hold the passwords in clear, so keep the directory private.
mkdir -m 700 .vpnsetuptemp
cp "$CONFIGBASEFILENAME" "$NETWORKBASEFILENAME" .vpnsetuptemp/
CONFIG=.vpnsetuptemp/$CONFIGBASEFILENAME
CONFIG2=.vpnsetuptemp/$NETWORKBASEFILENAME

# Escape the characters that are special in a sed replacement (\ / &) so a
# password containing them is substituted literally instead of breaking the
# expression or being mangled.
sedesc() { printf '%s' "$1" | sed 's,[\\/&],\\&,g'; }

# -s keeps the secrets off the terminal, -r keeps backslashes literal.
read -rsp "Please enter your softether admin password: " softadmin; echo
read -rsp "Please enter your IPSEC Secret: " secret; echo
read -rp  "Please enter your l2tp username: " username
read -rsp "Please enter your l2tp password: " pass; echo

sed -i "s/ADMINPASSWORD/$(sedesc "$softadmin")/g" "$CONFIG"
sed -i "s/USERNAME/$(sedesc "$username")/g" "$CONFIG"
sed -i "s/TESTPASS/$(sedesc "$pass")/g" "$CONFIG"
sed -i "s/TESTSECRET/$(sedesc "$secret")/g" "$CONFIG"

# Stop before touching anything if eth0 is not there (e.g. predictable
# interface names are in use); a bad interfaces file can lock you out.
MAC=$(cat /sys/class/net/eth0/address) || { echo "eth0 not found, aborting" >&2; rm -r .vpnsetuptemp; exit 1; }
sed -i "s/MACADDRESS/$MAC/g" "$CONFIG2"

# Only replace the network config if SoftEther accepted the commands.
if ! sudo /usr/local/vpnserver/vpncmd localhost:443 /SERVER /IN:"$CONFIG"; then
    echo "vpncmd reported an error; /etc/network/interfaces left untouched" >&2
    rm -r .vpnsetuptemp
    exit 1
fi
sudo cp /etc/network/interfaces /etc/network/interfaces.orig.bak
sudo cp "$CONFIG2" /etc/network/interfaces
rm -r .vpnsetuptemp
echo "You need to reboot for settings to take effect. PLEASE CHECK
/etc/network/interfaces TO make sure things look right! If they do
not, please edit accordingly, especially if working remotely!!!!"
vpnserver

#!/bin/bash
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $network $syslog $remote_fs
# Required-Stop:     $network $syslog $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SoftEther VPN Server
# Description:       Starts vpnserver and adds its tap_soft device to br0.
### END INIT INFO
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/vpnserver
TAP=tap_soft
BRIDGE=br0
test -x "$DAEMON" || exit 0
case "$1" in
    start)
        "$DAEMON" start
        touch "$LOCK"
        # The tap device only appears once the hub is up; poll for it
        # (50 * 0.5 s = 25 s) before adding it to the bridge.
        TIMEOUTCOUNTER=0
        MAXTIMEOUT=50
        SLEEPINTERVAL=0.5
        until ip link show "$TAP" >/dev/null 2>&1; do
            TIMEOUTCOUNTER=$((TIMEOUTCOUNTER + 1))
            sleep "$SLEEPINTERVAL"
            if [ "$TIMEOUTCOUNTER" -gt "$MAXTIMEOUT" ]; then
                echo "Time out waiting for $TAP to come online. Could not add to bridge $BRIDGE" 1>&2
                exit 1
            fi
        done
        brctl addif "$BRIDGE" "$TAP"
        ;;
    stop)
        "$DAEMON" stop
        rm -f "$LOCK"
        ;;
    restart)
        # Go through stop/start so the tap device is re-added to the bridge.
        "$0" stop
        sleep 3
        "$0" start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit 0
@Ali3n0id

commented Oct 9, 2014

This looks like a great solution, however step1 didn't go as planned.

I've run the first script and get errors, so I ran them manually and get:

'sudo ./iptables.sh' - Command not found

There was no l2tpvpn file/folder after the extraction, so:

sudo cp l2tpvpn /etc/ufw/applications.d/ - cp: cannot stat 'l2tpvpn': No such file or directory

sudo chmod 644 /etc/ufw/applications.d/l2tpvpn - chmod: cannot access '/etc/ufw/applications.d/l2tpd' : No such file or directory

Also not important but:

innserv: warning 'vpnserver' missing LSB tags and overrides

@8flux

commented Oct 13, 2014

Thanks! Really good! Everything works as expected.

@rligocki

commented Nov 25, 2014

It works!!! But I would like to add the next user, so how can I do it?

@Thefunkymunkee

commented Jan 2, 2015

Does anyone know if I can apply this to openelec or raspbmc? Desperate to get something like this working in xbmc!

@zt031318

commented Jan 9, 2015

So I am a complete noob to Linux and VPN servers. Just got my raspberry pi, and I have been trying, with no success to set up an L2TP VPN. I was hoping this could help me out, and it looks like it can! Except... I'm not sure exactly what I have to do here. How do I run these scripts and what do I need to do with commands.in, interfaces, etc.?

@jhenkens

Owner Author
commented Feb 8, 2015

@zt031318 Take a look through the first file, it should outline briefly what should be done. I just reran these scripts on my pi, and had no problems with the script.

I had manually updated the URL to point to the latest beta build. I reran them because I had been having some issues with connecting from outside my home network - turned out to be OSX using UPNP and overriding the port forward of 4500 on my router. I blocked port 4500 from being forwarded using UPNP and now all is right again in the world (and I shouldn't have had to update my softether setup!).

@Ratapelua

commented Feb 27, 2015

Thank you very much for the script and for sharing!!!
I have the same issues as Ali3n0id :((

It could be because when I copied the gist to my Pi it didn't have the name l2tpvpn, or what is the issue? :((

That's what I got:

make[1]: Leaving directory '/usr/local/vpnserver'
step1.sh: 17: step1.sh: popd: not found
cp: cannot stat l2tpvpn': No such file or directory chmod: cannot access/etc/ufw/applications.d/l2tpvpn': No such file or directory
ERROR: Could not find a profile matching 'L2TPVPN'
Rules updated
Rules updated (v6)
update-rc.d: using dependency based boot sequencing
insserv: warning: script 'vpnserver' missing LSB tags and overrides
Please enable UFW if you would like to be more secure (sudo ufw enable)
Please check /etc/rc.local. If 'exit 0' occurs before the iptables rules,
please edit so that 'exit 0' is after.
ATTENTION: Please restart before next step to ensure new raspberry pi
firmware is loaded and vpn server starts
root@raspberrypi:/l2tpvpn# pwd
/root/l2tpvpn
root@raspberrypi:
/l2tpvpn# ls
commands.in interfaces iptables.sh l2tpvpn Raspberry Pi L2TP VPN Setup Scripts step1.sh step2.sh vpnserver

Any assistance would be appreciated.

Thank you in advance!

@Ratapelua

commented Feb 27, 2015

I was going to review the script step by step. I first checked whether the "l2tpvpn" folder was actually there when I extracted the gist; it was. Then I checked whether it was executed by the script and actually copied into /etc/ufw/applications.d/; it wasn't, so I added it.

After that, I checked as well whether vpnserver was copied into /etc/init.d/; it was, but when I tried to edit it, it was encrypted, so I copied it again from the original unzipped gist folder.

I will reboot and continue with the second step... fingers crossed! 😵

@Ratapelua

commented Feb 27, 2015

It works!!!!!! :) Thank you soooo much, you're the man!!!! Really nice, all this script!!!!! 😃

@BraGeo

commented Mar 24, 2015

Really nice script!

It took me some time to understand that the VPN server config can be done from ./usr/local/vpnserver/vpncmd

Anyway ;)

How can I set a static IP address on my Raspberry? (My DHCP server can't, so I need to do this from the Rasp)

@trananhtuan

commented Mar 26, 2015

By default softether uses 443, 992 and 5555, so why do you open 1701tcp, 4500udp, and 500udp?

@nimmis

commented Aug 2, 2015

"'sudo ./iptables.sh' - Command not found"

Be sure to do "chmod +x *.sh" to make all scripts executable before running step1.sh.

@thomas930

commented Aug 5, 2015

It seems SoftEther released a new version, RTM 4.18, after the release of Windows 10. Does the script still work by modifying DOWNLOADURL in step1.sh?

@StefanRetief

commented Oct 18, 2015

Works great, however, I'm seeing:

[FAILED] Failed to start LSB: IPv4 DHCP client with IPv4LL support.
dhcpcd.service - LSB: IPv4 DHCP client with IPv4LL support.
Loaded: loaded (/etc/int.d/dhcpcd)
Active: failed (Result: exit-code)
Process: 694 ExecStart=/etc/init.d/dhcpcd start (code=exited, status=6)

Looked online and wasn't able to find anything. Any help would be appreciated.

@jhenkens

Owner Author
commented Dec 8, 2015

@trananhtuan Because those aren't default ports for L2TP/IPSec. This works natively with Apple products :)
@thomas930 I've used this script with more recent versions, and it worked wonderfully. I'd recommend sticking to RTM versions.
@StefanRetief Sounds like the script may have messed up your /etc/networking file

@rtfmoz

commented Dec 9, 2015

I did not need to port forward 1701/tcp. In fact I read elsewhere it is not a good idea to open that port up to the Internet. I tested the VPN from a MacBook Pro and an iPhone 6. Worked perfectly with just 4500 and 500 UDP. Thank you.

@swellfr

commented Dec 22, 2015

Any idea how to configure this so samba shares can be accessed through NetBIOS names?

@olofbokedal

commented Jan 22, 2016

I had to forward 1701 for both TCP and UDP before I was able to access the server remotely. I figured this out by looking at the rules for UFW. The rule also says to allow connections on 1723 for TCP, but I didn't have to forward this one.

Besides this, everything worked like a charm. By far the easiest way to set up a VPN, thanks!

Update: But it doesn't respond after reboot.. Fuck.
Update 2: Solved when I opened 1723 as well.

@olofbokedal

commented Jan 28, 2016

Ok, so another problem which I noticed a couple of days after installation.

I've been using AirSonos (https://github.com/stephen/airsonos) in order to stream music via AirPlay to my Sonos speaker. It worked as intended before I installed SoftEther using this gist, but it can't find any Sonos devices afterwards. It works if I comment out the entire br0 interface (row 5-12 in https://gist.github.com/jhenkens/11190151#file-interfaces) in /etc/network/interfaces and reboot.

I've done a whole lot of searching for a solution, but my networking skills are very limited. However, it seems as if the Sonos devices advertise themselves through multicast, and this is what causes the problem.

Does anyone have a clue? I've created an issue (stephen/airsonos#270) at the AirSonos project as well.

@ppuls

commented Mar 24, 2016

Hi,
all great so far, but I'm getting the following at the end of step 2:

The commands written in the file ".vpnsetuptemp/commands.in" will be used instead of input from keyboard.
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.08 Build 9449 (English)
Compiled 2014/06/08 15:19:48 by yagi at pc25
Copyright (c) SoftEther VPN Project. All Rights Reserved.

Error occurred. (Error code: 2)
Protocol error occurred. Error was returned from the destination server.
You need to reboot for settings to take effect. PLEASE CHECK
/etc/network/interfaces TO make sure things look right! If they do
not, please edit accordingly, especially if working remotely!!!!

Any ideas what went wrong?
Cheers, Phil

@cgioconda

commented May 3, 2016

This worked beautifully for me for many many months. However, it appears a recent apt-get update/upgrade broke the VPN (I can't connect from any platform). How can I "uninstall" what these scripts have set up on my Pi, without using a whole new Raspbian image?

@christiankoetschan

commented Jun 3, 2016

iptables.sh looks like it's broken in line 10: echo "
After a fresh install I got in /etc/rc.local:

(...)
exit 0

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -A FORWARD -i br0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
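Both the README's step 3 B) and the comment above come down to line order in /etc/rc.local: Raspbian ships the file with a trailing 'exit 0', and anything appended after it never runs, so the forwarding rules silently stay unloaded. The following is an added example, not one of the gist's files, that turns the manual check into something scriptable: rc_local_ok reports whether every iptables line precedes the first uncommented 'exit 0', and fix_rc_local moves the exit back to the end. The rc.local it builds for the demonstration is constructed and mirrors the one quoted in the comment.

```shell
#!/bin/sh
# Added example, not part of the gist: check and repair the 'exit 0' ordering
# problem in /etc/rc.local that the README asks you to verify by hand.

# rc_local_ok FILE -> 0 when the file contains iptables lines and none of
# them comes after the first uncommented 'exit 0'; 1 otherwise.
rc_local_ok() {
    file="$1"
    first_exit=$(grep -n '^[[:space:]]*exit 0' "$file" | head -n1 | cut -d: -f1)
    last_rule=$(grep -n 'iptables' "$file" | tail -n1 | cut -d: -f1)
    # No iptables lines at all means the setup never reached the file.
    [ -n "$last_rule" ] || return 1
    # No exit at all: everything in the file runs.
    [ -n "$first_exit" ] || return 0
    [ "$last_rule" -lt "$first_exit" ]
}

# fix_rc_local FILE -> strip every bare 'exit 0' and append a single one
# after the rules. The content is copied back into the original file rather
# than the file being replaced, so its mode and owner are kept.
fix_rc_local() {
    file="$1"
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when nothing remains, which is not an error here.
    grep -v '^[[:space:]]*exit 0' "$file" > "$tmp" || :
    printf 'exit 0\n' >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample: a Raspbian-style rc.local after iptables.sh appended
# its block past the trailing 'exit 0', as reported in the comment above.
sample_rc_local() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/bin/sh -e
# rc.local: executed at the end of each multiuser runlevel.
exit 0

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -A FORWARD -i br0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
EOF
    echo "$f"
}

# On a real box (as root): rc_local_ok /etc/rc.local || fix_rc_local /etc/rc.local
```

The check deliberately treats a file with no iptables lines as a failure too, since that is what a run of iptables.sh that never reached rc.local looks like; after a reboot, `iptables -L FORWARD -n` is the independent confirmation that the rules are actually in place.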

@duceduc

commented Jul 29, 2016

The guide works. I am able to connect remotely. However, when I install Pi-hole and reboot, I lose network connection on the Pi. I cannot ping, access the internet, etc. There seems to be a conflict with Pi-hole. Maybe a firewall issue?

With a fresh install of the Pi and the VPN, I am able to connect and reboot without issue. The network breaks after installing Pi-hole. I do not know how to troubleshoot this or where to begin finding the problem. Anyone?

Would be great if someone got their vpn running with pi hole installed.

@lucas-bremond

commented Oct 12, 2016

It works perfectly using eth0!
Is there any way to use wlan0 instead?

@Porco-Rosso

commented Nov 11, 2016

Worked great, thanks!

@link611

commented Dec 17, 2016

Hi there,

I installed SoftEther with your script on my Pi 3, but if I establish an L2TP VPN, I am not able to connect to the Pi 3 over the VPN. Do I have to set something else up?

Another thing: the script does not create a br0 interface; I already have the eth0 interface.

@rrothermund

commented Apr 18, 2017

Works great! Only solution so far that works with both my Nexus 6P and HP Chromebook 13 G1. Is it possible to tweak this to run on other architectures as well besides the Pi?

@jsrichards

commented Jun 28, 2017

Has anyone gotten this to work with WLAN0 instead of eth0? I have played around with the script with no luck. Everything installs, except no br0 interface is created, or at least I cannot see it when I do an ifconfig?

@jhenkens

Owner Author
commented Sep 20, 2017

@jsrichards You usually cannot bridge with WLAN interfaces.

@thomas930

commented Dec 24, 2017

@jhenkens
Hello, it seems your script doesn't work starting with Raspbian Stretch, due to a major change in the network interface structure with Predictable Network Interface Names...
i.e. using /etc/dhcpcd.conf instead of /etc/network/interfaces.
Could you revise the script, so we can use the SoftEther L2TP VPN with the latest Raspbian Stretch?

@thomas930

commented Dec 30, 2017

@jhenkens
Hello, the problem is solved by disabling "N3 Network interface names" in "2 Network Options" via "raspi-config"...
The script can still work in Raspbian Stretch...
But I don't know if Raspbian will compel users to use Predictable Network Interface Names in future distributions.

@NoWayOut76

commented Jan 17, 2018

Many thanks for these great scripts.
It installed smoothly on Raspbian Stretch. I changed step1.sh to include the latest SoftEther version:
http://www.softether-download.com/files/softether/v4.25-9656-rtm-2018.01.15-tree/Linux/SoftEther_VPN_Server/32bit_-_ARM_EABI/softether-vpnserver-v4.25-9656-rtm-2018.01.15-linux-arm_eabi-32bit.tar.gz

Also downloaded the SoftEther Windows Admin Tool which also works perfectly well to set up more users and configure the server.

In order to make it work when connected directly to the internet without a router, I installed fail2ban to protect logins, changed the listener port of the SoftEther admin console to a random port, and also had to enable SecureNAT in the Virtual Hub configuration (DHCP and NAT).

Worked fine!

@Bugz000

commented Feb 28, 2019

Does not work; rendered my Pi inaccessible remotely. It's only by luck that I have physical access to its keyboard.
DO NOT USE.

@kwasmich

commented Sep 7, 2019

Works great with the latest Raspbian Buster (2019-07-10) on an original Pi 1 Model B.
