
Ultime VPN server (SSTP,IPsec...) - need help compiling it

Discussion in 'Tomato Firmware' started by maurer, May 30, 2013.

  1. maurer

    maurer LI Guru Member

    Guys,

    I've found yesterday one of the most interesting and promising VPN projects:
    http://www.softether.org/
    it supports all of the following protocols:
    I need your help compiling it and porting to tomato.
    Until we can all help integrating it into the web-gui we can use the Windows tools for configuration:
    http://www.softether.org/4-docs/1-m...N_Server_Manual/3.3_VPN_Server_Administration

    Linux mips32 package:
    http://www.softether-download.com/files/softether/v1.00-9091-rc3-2013.05.19-tree/Linux/SoftEther VPN Server/32bit - MIPS Little-Endian/softether-vpnserver-v1.00-9091-rc3-2013.05.19-linux-mips_el-32bit.tar.gz

    linux installation and configuration:
    http://www.softether.org/4-docs/1-m...3_Install_on_Linux_and_Initial_Configurations

    Thanks
     
    rs232 likes this.
  2. lancethepants

    lancethepants Network Guru Member

    Hmmm, I just had a small go at trying to compile this.

    Their application isn't yet open source, but it sounds like later this year they will release the source code.
    They pretty much provide a bunch of pre-compiled static libraries and then the rest should link against your linux installation libraries.

    I think that their static libraries and application are dependent on a different libc implementation. Tomato uses uClibc, which is more of a slimmed-down version.
    I haven't been able to compile it. I'm using the entware toolchain, but I think you will have similar difficulties with the TomatoUSB toolchain.

    Too bad they don't provide an entirely static binary, but it then may or may not run anyway. One could try to create one on a different non-uClibc mipsel system and transfer it over (static binary of course), but I think our best hope is to wait for the source to be released, or ask them to use one of our toolchain for their pre-compilation.
     
  3. lancethepants

    lancethepants Network Guru Member

    Looks like a pretty cool project though, kind of an all in one solution.
     
  4. rs232

    rs232 Network Guru Member

    wow! +1
     
  5. zenix

    zenix Reformed Router Member

    Hi,

    did someone succeed in compiling SoftEther to use in Tomato ?
    I use this VPN server on small VPSs and it is really light on resource consumption (much more than original openvpn).
    IMHO It would be a great improvement to this wonderful alternative firmware!

    (I know that this project became open source lately and could be less hardened to vulnerabilities than the 'good ol openvpn' but it works flawlessly on many servers so..)
    Cheers.
     
  6. nick ant0ny

    nick ant0ny Networkin' Nut Member

  7. lancethepants

    lancethepants Network Guru Member

    ryzhov_al likes this.
  8. nick ant0ny

    nick ant0ny Networkin' Nut Member

    So it is "Incompatible with the uclibc"? And thus impossible to have on tomato, openwrt, etc.?
     
  9. lancethepants

    lancethepants Network Guru Member

    Not sure. I made a static binary using an eglibc mipsel toolchain, but it still gave me that error also. Not sure what the issue is, but I'm confident it could be made to work for our routers.
     
  10. lancethepants

    lancethepants Network Guru Member

    Actually, looks like OpenWRT may have a patch. I'll take another stab at compiling this today.
     
  11. nick ant0ny

    nick ant0ny Networkin' Nut Member

    Well let's hope. It is a great and complete feature.
    Regarding the better openvpn performance, do you think it comes from the way the server to which they made these tests, handles the openvpn server vs the softethervpn server? Or there might have been tweaks? Just wondering.

    Regards
     
  12. ryzhov_al

    ryzhov_al Networkin' Nut Member

    iconv issue? Take a look at OpenWRT patches.

    PS 1) Looks like it's heavy even for PC. 2) Some features like userspace NAT may be painfully slow.
     
  13. lancethepants

    lancethepants Network Guru Member

    I applied patch "120-fix-iconv-headers-common.patch", but that did not help. I think it wants full iconv/gconv only provided in glibc package (uclibc has stripped version), and is looking for location of files at runtime.
     
  14. ryzhov_al

    ryzhov_al Networkin' Nut Member

    You may add glibc (with iconv-full) or take it from Entware.
     
  15. mstombs

    mstombs Network Guru Member

    Interesting project, I hope the University of Tsukuba, Japan continue with non-commercial development and support. Since Tomato has an historic link with Japan would be nice for a student project to look at optimum configuration for end-points on a Tomato router. Would have to look carefully at all the compile options/libraries and the processor specific machine code encryption algorithms - which would benefit other platforms, especially ARM core routers and mobile phones! A true benchmark would be to compare a Tomato router with integrated OpenVPN vs new code. A CS student could also look into the real meaning of the license conditions associated with the user interface!
     
  16. koitsu

    koitsu Network Guru Member

    What? Just because Jonathan Zarate happens to speak Japanese (and may be Japanese or half-Japanese himself; I'm still unsure) doesn't mean the firmware has a "historic link" with a country. :)
     
  17. lancethepants

    lancethepants Network Guru Member

    Finally got something to compile! The binaries appear to be functional, if you guys want to give it a test out.

    http://lancethepants.com/files

    These are static binaries. You need hamcore.se2 to reside with the binaries for them to work.
     
    szpunk likes this.
  18. NikCoul

    NikCoul Reformed Router Member

    Been using this on a remote server for a long time now, great stuff ... but can't sadly get tomato to connect to it as a client :(
     
  19. zenix

    zenix Reformed Router Member

    That's great news !
    I'll test this asap.
    Thanks for your time and sharing, lancethepants!
     
  20. maurer

    maurer LI Guru Member

    Hi Lance,

    Congrats for the successful compilation of SoftEthervpn.
    I already use it for a month now on rmerlin fw.
    Can you please share the compilation steps or recompile the latest version as there are some fixes and features that we really use (like workaround for vpnserver stop hang issue)

    Thanks.
     
  21. i1135t

    i1135t Network Guru Member

    Thanks lancethepants. Works, but seems to heavily tax my CPU on N66U. Had to take it offline. Too bad... :(
     
  22. lancethepants

    lancethepants Network Guru Member

    Here is the script I use to compile SoftEtherVPN.
    https://github.com/lancethepants/SoftEtherVPN-mipsel-static

    Compilation was a little tricky to figure out because SoftEtherVPN uses one of the binaries it makes later in the building process. This poses an issue when cross-compiling because obviously x86 cannot run mipsel binaries. I then actually compile it twice, once for the host system, and then the cross-compilation.

    I've also uploaded the latest binaries from the latest git commits. If I fall behind in keeping SoftEtherVPN binaries up-to-date, just post or message me and I will create and upload the latest.

    edit: Your host system will need the necessary development libraries installed in order to do the host compilation first.
     
    Last edited: Mar 31, 2014
  23. maurer

    maurer LI Guru Member

    Great news !
    Thank you very much !
     
  24. Ka Hooli

    Ka Hooli Serious Server Member

    I've used SoftEther VPN server before running off Windows Server, but have been using the OpenVPN server built into my router's firmware. I've been wanting to try and set this up on my router for quite some time now, and have finally had the time to attempt it.

    Using an Asus AC-RT66U with AsusWRT-Merlin version 3.0.0.4.374.40_0 (latest at time of writing this). I've added a USB drive formatted as ext3, enabled JFFS (formatted enabled, then rebooted router), then via SSH ran the entware-setup.sh script (as detailed here). I then added nano and "openssh-sftp-server" entware packages. This allowed me to SFTP your pre-compiled files into the "/mnt/sda1/entware/bin" folder.

    I can then run "vpnserver start" and it says it's started and I can connect to SoftEther VPN Server via the management software on my laptop running Windows 7 on the local WLAN network.

    I've set up all the settings, but can't get my iPhone to connect to it at all, the iPhone keeps saying that "The VPN server did not respond".

    Do I need to open any ports? There are 4 TCP ports listed on main VPN manage window (443, 992, 1194 & 5555). I created the script at /jffs/scripts/firewall-start and set settings "chmod a+rx /jffs/scripts/firewall-start" with the following...
    Code:
    #!/bin/sh
    iptables -I INPUT -p tcp --destination-port 443  -j ACCEPT
    iptables -I INPUT -p tcp --destination-port 992  -j ACCEPT
    iptables -I INPUT -p tcp --destination-port 1194  -j ACCEPT
    iptables -I INPUT -p tcp --destination-port 5555  -j ACCEPT
    ...ran it, no change to the message.

    I changed from IPSec to L2TP, temporarily enabled the "Raw L2TP with No Encryption", and got the error "The L2TP-VPN server did not respond...". Also tried via OpenVPN using the generated config file, but the connection times out.

    This leads me to three questions... (so
    1. Should I have a Local Bridge setup?
    2. Have I setup the firewall correctly to allow external connections to communicate with the SoftEther VPN server?
    3. Is there anything else I should be aware of with the setup that I didn't think of?
     
  25. lancethepants

    lancethepants Network Guru Member

    Did you try connecting locally over wifi or from another network? Typically OpenVPN runs on UDP 1194. Did you check that both your client and server configs are using TCP then?
     
    Ka Hooli likes this.
  26. Ka Hooli

    Ka Hooli Serious Server Member

    Thanks for getting back to me :)
    By using the scripts listed here, I've changed my setup slightly, but no change :(

    /jffs/scripts/firewall-start
    Code:
    #!/bin/sh
    # SoftEther VPN Server: SoftEther VPN Protocol (Ethernet over HTTPS)
    iptables -I INPUT -p tcp --destination-port 443  -j ACCEPT
    iptables -I INPUT -p tcp --destination-port 992  -j ACCEPT
    iptables -I INPUT -p tcp --destination-port 1194  -j ACCEPT
    iptables -I INPUT -p tcp --destination-port 5555  -j ACCEPT
    # SoftEther VPN Server: L2TP/IPsec Server
    iptables -I INPUT -p udp --destination-port 500  -j ACCEPT
    iptables -I INPUT -p udp --destination-port 4500  -j ACCEPT
    # SoftEther VPN Server: OpenVPN Server
    #  TCP 443, 992 & 5555 already opened above
    iptables -I INPUT -p udp --destination-port 1194  -j ACCEPT
    
    /jffs/scripts/services-start (added to end of existing script)
    Code:
    /tmp/mnt/sda1/entware/bin/vpnserver start

    /jffs/scripts/services-stop (added to end of existing script)
    Code:
    /tmp/mnt/sda1/entware/bin/vpnserver stop

    This has made no change, I've rebooted the router and confirmed that SoftEther VPN Server has started, as I can manage it on the local WLAN network. But my iOS devices can't connect to it when on Cellular Data. But when I enable the OpenVPN Server in the router firmware, I can connect to that fine.

    The whole reason for wanting to use the SoftEther Entware package is so we can VPN into the local network by using the options built into Apple's iOS (L2TP over IPSec) & Microsoft's Windows 7 (same protocol or MS-SSTP) operating systems.

    I really do appreciate any assistance or insight you can give,
    TIA.
     
  27. Ka Hooli

    Ka Hooli Serious Server Member

    Found out some details as to what is happening. When I open the server_log/vpn_20140409.log file (from Manage Virtual Hub -> Log File List), I found these entries when trying to connect via L2TP from an iPhone...
    Code:
    2014-04-09 01:14:46.783 [HUB "VPN-Server"] Session "SID-JAMES-[L2TP]-5": VPN Client details: (Client product name: "L2TP VPN Client", Client version: 406, Client build number: 9435, Server product name: "SoftEther VPN Server (32 bit) (Open Source)", Server version: 406, Server build number: 9435, Client OS name: "L2TP VPN Client", Client OS version: "-", Client product ID: "-", Client host name: "James-iPhone", Client IP address: "<Cellular Data IP, removed for privacy>", Client port number: 1701, Server host name: "<Router's WAN IP, removed for privacy>", Server IP address: "<Router's WAN IP, removed for privacy>", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "VPN-Server", Client unique ID: "14258F0FDFAECB18C4D0566DDFBE626B")
    2014-04-09 01:14:46.863 L2TP PPP Session [<Cellular Data IP, removed for privacy>:1701]: Trying to request an IP address from the DHCP server.
    2014-04-09 01:14:51.873 L2TP PPP Session [<Cellular Data IP, removed for privacy>:1701]: Acquiring an IP address from the DHCP server failed. To accept a PPP session, you need to have a DHCP server. Make sure that a DHCP server is working normally in the Ethernet segment which the Virtual Hub belongs to. If you do not have a DHCP server, you can use the Virtual DHCP function of the SecureNAT on the Virtual Hub instead.
    2014-04-09 01:15:05.693 L2TP PPP Session [<Cellular Data IP, removed for privacy>:1701]: The VPN Client sent a packet though an IP address of the VPN Client hasn't been determined.
    2014-04-09 01:15:05.693 L2TP PPP Session [<Cellular Data IP, removed for privacy>:1701]: A PPP protocol error occurred, or the PPP session has been disconnected.
    2014-04-09 01:15:05.715 [HUB "VPN-Server"] Session "SID-JAMES-[L2TP]-5": The session has been terminated. The statistical information is as follows: Total outgoing data size: 3136 bytes, Total incoming data size: 1332 bytes.
    And later when I tried to connect using the preferred IPSec...
    Code:
    2014-04-09 01:29:23.633 IPsec Client 172 (<Cellular Data IP, removed for privacy>:500 -> <Router's WAN IP, removed for privacy>:500): A new IPsec client is created.
    2014-04-09 01:29:23.633 IPsec Client 172 (<Cellular Data IP, removed for privacy>:500 -> <Router's WAN IP, removed for privacy>:500): There are no acceptable transform proposals from the client for establishing an IKE SA.
    2014-04-09 01:29:26.213 IPsec Client 173 (<Cellular Data IP, removed for privacy>:500 -> <Router's WAN IP, removed for privacy>:500): A new IPsec client is created.
    2014-04-09 01:29:26.213 IPsec Client 173 (<Cellular Data IP, removed for privacy>:500 -> <Router's WAN IP, removed for privacy>:500): There are no acceptable transform proposals from the client for establishing an IKE SA.
    2014-04-09 01:29:29.453 IPsec Client 174 (<Cellular Data IP, removed for privacy>:500 -> <Router's WAN IP, removed for privacy>:500): A new IPsec client is created.
    2014-04-09 01:29:29.453 IPsec Client 174 (<Cellular Data IP, removed for privacy>:500 -> <Router's WAN IP, removed for privacy>:500): There are no acceptable transform proposals from the client for establishing an IKE SA.
    2014-04-09 01:29:33.503 IPsec Client 175 (<Cellular Data IP, removed for privacy>:500 -> <Router's WAN IP, removed for privacy>:500): A new IPsec client is created.
    2014-04-09 01:29:33.503 IPsec Client 175 (<Cellular Data IP, removed for privacy>:500 -> <Router's WAN IP, removed for privacy>:500): There are no acceptable transform proposals from the client for establishing an IKE SA.
    2014-04-09 01:29:34.763 IPsec Client 172 (<Cellular Data IP, removed for privacy>:500 -> <Router's WAN IP, removed for privacy>:500): This IPsec Client is deleted.
    2014-04-09 01:29:37.263 IPsec Client 173 (<Cellular Data IP, removed for privacy>:500 -> <Router's WAN IP, removed for privacy>:500): This IPsec Client is deleted.
    2014-04-09 01:29:39.753 IPsec Client 174 (<Cellular Data IP, removed for privacy>:500 -> <Router's WAN IP, removed for privacy>:500): This IPsec Client is deleted.
    
    So, from the L2TP connection attempts, it appears that it can't see the DHCP server on the router. Could this be because I may not have the right interface bridged to under Local Bridge Settings? I have these to choose from: br0, eth0, eth1, eth2 & vlan1. Or should I be setting up a Virtual DHCP server under the Manage Virtual Hub -> SecureNAT settings?
     
  28. Ka Hooli

    Ka Hooli Serious Server Member

    RMerlin has specified what the interfaces are here...
    So I set the bridge to Network Adapter br0, but I'm still getting the same issue :(
     
  29. lancethepants

    lancethepants Network Guru Member

    br0 should be the correct interface that would have dhcp, so long as you have it enabled in the router. I actually haven't used SoftEtherVPN. Just ran it once and connected using the Windows manager, but I haven't done anything extensive. Their forum might be more helpful than I can be.
     
  30. Ka Hooli

    Ka Hooli Serious Server Member

    That was my thought too.
    Oh, ok, will check them out.
    I can see someone on the DD-WRT Wiki has created an Entware repo with it on there too, I'll see if they have anything on their forum.
     
  31. maurer

    maurer LI Guru Member

    Hi Lance,

    Can we have an update of the softether vpn?
    I've also sent you an email.

    Thanks,
    M
     
  32. lancethepants

    lancethepants Network Guru Member

    v4.09-9451-beta has been compiled and uploaded.
     
  33. The Master

    The Master LI Guru Member

    Hello

    Has anybody successfully installed this VPN project on an ARM router like the R7000!?!? I want to test it for my mobile phone... thank you
     
  34. i1135t

    i1135t Network Guru Member

    I got it to run on the MIPS2 router (N66U) and that pushes my CPU to full speed when a connection is established so I don't think this software will work well on these. You may have better luck with the ARM routers but I don't think the static compiles above will work on your router since the R7000 is ARM based. Good luck!
     
  35. lancethepants

    lancethepants Network Guru Member

    Just created some arm binaries. Haven't tested them, but I think they should work.
    http://files.lancethepants.com/Binaries/SoftEtherVPN/
     
    maurer and The Master like this.
  36. maurer

    maurer LI Guru Member

    Can you please compile the latest code?
    it should finally fix the nasty shutdown bug on linux platform

    Many Thanks !
     
  37. The Master

    The Master LI Guru Member

    Could somebody be so kind to make a how to install @arm router?!

    I don't get it :(
     
  38. lancethepants

    lancethepants Network Guru Member

    SoftEtherVPN v4.09-9473-beta has been uploaded for both mipsel and arm builds.
     
  39. OLOCO

    OLOCO Networkin' Nut Member

    Hi guys.

    Is the massive CPU usage already fixed, or you think that a router like RT-N66U is not enough machine for this software?

    I could be interested on creating a bridged VPN in this router, and openvpn software has some annoying issues that SoftEther could solve for me.

    Thank you, and great work!
     
  40. roberthuang

    roberthuang Connected Client Member

    Update: Following issue has been resolved by removing local bridge. Everything is working as expected.

    Hi Guys,

    I just installed SoftEtherVPN (SoftEtherVPN v4.15-9538-beta) on my Linksys E3200 running on Shibby Tomato 117. Thanks lancethepants for your effort. I set the "Local Bridge Setting" to Network Adapter br0. Everything works fine except for one thing. The SoftEtherVPN DHCP pool is servicing both remote VPN users and local users(wired and wireless).

    How can I make the VPN DHCP only service the remote VPN clients? I'd like the local users still using the original DHCP provided by Tomato.

    Thank you.

    Robert
     
    Last edited: Mar 31, 2015
  41. somms

    somms Network Guru Member


    OpenVPN vs. SoftEther VPN

    Popular Question: What is the advantage of SoftEther VPN to OpenVPN?

    Obviously, OpenVPN is an excellent tool. However, the development of OpenVPN has been stalled for many years. And as you know OpenVPN has no significant improvement in recent years.

    http://www.softether.org/

    Smells like bullshit over at that site...oh yeah, what's up with their claim they can achieve over 900Mbps throughput vs OpenVPN less than 100Mbps? Is this legit!?:confused:
     
  42. RMerlin

    RMerlin Network Guru Member

    Code:
    Revolutionary VPN over ICMP and VPN over DNS features
    
    Errr... say again?
     
    ryzhov_al and AndreDVJ like this.
  43. mstombs

    mstombs Network Guru Member

  44. RMerlin

    RMerlin Network Guru Member

    A lot of routers (think about transit routers, not your endpoint router) will give a very low priority to ICMP traffic, even dropping it in case of congestion. I'm not sure I'd want to rely on ICMP for any type of data exchange beyond what it was designed for.

    As for VPN over DNS, I don't even want to try guessing the type of issues involved in using an application-layer protocol to encapsulate VPN traffic...

    Hackish and even more hackish.
     
    mstombs and AndreDVJ like this.
  45. jerrm

    jerrm Network Guru Member

    True, but these would not be the preferred methods, only intended as a last resort, where nothing else would work. I wonder how useful they would be though, at our highly restrictive locations, dns and icmp would be the least likely options to work.
     
  46. roberthuang

    roberthuang Connected Client Member

    Last edited: Jul 22, 2015
  47. roberthuang

    roberthuang Connected Client Member

    Deleted.
     
    Last edited: Jul 22, 2015
  48. roberthuang

    roberthuang Connected Client Member

    New version (SoftEther VPN 4.19 Build 9599 Beta (October 19, 2015)) is out. This version has dramatically improved the performance of the SecureNAT. Can't wait for the modified binaries from Lancethepants.
     
    Last edited: Oct 24, 2015
  49. ThanatosUA

    ThanatosUA New Member Member

    Hello, can you compile this stable version?
    SoftEther VPN 4.20 Build 9608 RTM
     
  50. lancethepants

    lancethepants Network Guru Member

    @ThanatosUA

    SoftEther VPN 4.20 Build 9608 RTM is now available.
     
    Goggy and ThanatosUA like this.
  51. lancethepants

    lancethepants Network Guru Member

    Just a note, I know some of you have tried to have SoftEtherVPN bridge to the br0 interface, but it doesn't seem to really work. You can instead have it create its own interface and then bridge that to br0 using brctl. You can probably script this to happen when starting up SoftEtherVPN. It doesn't create the interface immediately, so you'd have to put a sleep in there to give it time.
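
The approach described in the last post (let SoftEtherVPN create its own interface, then attach it to br0 with brctl), as an added example that is not part of the thread and not lancethepants' own script. It polls for the interface with a timeout rather than using one fixed sleep; the interface name `tap_vpn` is an assumption, and the `vpnserver` path is the one quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: start SoftEtherVPN, wait for its tap interface, bridge it to br0.
# Assumptions: TAP_IF is the interface SoftEtherVPN creates for its Local
# Bridge (name assumed here); VPNSERVER is the path quoted earlier in the thread.
VPNSERVER="${VPNSERVER:-/tmp/mnt/sda1/entware/bin/vpnserver}"
BRIDGE="${BRIDGE:-br0}"
TAP_IF="${TAP_IF:-tap_vpn}"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"   # overridable so the logic can be tested
TIMEOUT="${TIMEOUT:-30}"                   # seconds to wait for the tap device

# Poll until the interface exists.
# Returns 0 once it appears, 1 if the limit (in seconds) passes first.
wait_for_iface() {
    iface=$1; limit=$2; waited=0
    while [ ! -e "$SYSFS_NET/$iface" ]; do
        [ "$waited" -ge "$limit" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# True if the interface is already a port of the bridge
# (the kernel lists bridge ports under <bridge>/brif/ in sysfs).
is_bridged() {
    [ -e "$SYSFS_NET/$1/brif/$2" ]
}

# Attach the tap interface to the bridge; safe to run more than once.
bridge_tap() {
    wait_for_iface "$TAP_IF" "$TIMEOUT" || {
        echo "$TAP_IF did not appear within ${TIMEOUT}s" >&2
        return 1
    }
    is_bridged "$BRIDGE" "$TAP_IF" && return 0
    ifconfig "$TAP_IF" up && brctl addif "$BRIDGE" "$TAP_IF"
}

main() {
    "$VPNSERVER" start || return 1
    bridge_tap
}

# Run only when called as "<script> start", so the functions can also be sourced.
if [ "${1:-}" = "start" ]; then
    main
fi
```

Called with `start` from a services-start script, it fails with a message instead of silently leaving the VPN unbridged when the interface never appears.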
     
