Softether Setup Guide (solved CPU 100% problem!)

rickyyip123
DD-WRT Novice


Joined: 31 Dec 2016
Posts: 18

PostPosted: Sun Jan 01, 2017 14:18    Post subject: Softether Setup Guide (solved CPU 100% problem!)
UPDATE: Use the startup script instead of the firewall script to solve the 100% CPU problem. Follow the updated steps below!

Spending three days figuring out how to get SoftEther to work is a pain in the ass, and this guide is to help those of you suffering like I did!
(BS and Kong should have made this more user-friendly, so we suffer less :( )
Tested environment: R30949 & R30965M on DIR-860L-A1


What you need:
1. DD-WRT with SoftEther embedded (generally speaking, builds after Nov 2016)
2. A router with at least 64 KB total NVRAM and more than 20 KB free!
3. A router with enough CPU power! (I overclocked my CPU to 1.4 GHz and it goes to full load when I connect to it, so I really can't tell how much it needs lol)
I solved this by using the startup script instead of the firewall script, and CPU usage is below 10% (probably an infinite loop bug in the firewall script).
4. A Windows PC connected to your router's local network via LAN cable or Wi-Fi
5. SoftEther VPN Server Manager for Windows (preferably the non-beta exe)
6. Time and brain cells!!!


Steps: (extremely basic, and works for L2TP/IPsec only)
1. Do this at your own risk; if you do anything different from this guide and brick your router, it is your fault!
2. Install SoftEther VPN Server Manager for Windows (select "Admin Tool" to install)
3. In the DD-WRT GUI, go to Services > VPN, enable SoftEther Server, then apply settings
4. Open your SoftEther VPN Server Manager
5. Click New Setting
6. Set a name as you like
7. Enter 192.168.1.1 (or whatever router address you have set), then click OK
8. Double-click that name to connect
9. Enter a new admin password for the VPN and click OK
10. Tick Remote Access VPN Server, then Next
11. Click Yes
12. Enter a name you like
13. A DDNS function pops up; if you use it, change it to the name you want, then exit; if not, just click Exit
14. Tick Enable L2TP Server Function (L2TP over IPsec)
15. Change your IPsec pre-shared key (no more than 8 characters), then click OK
16. Disable VPN Azure, then OK
17. Click Create Users
18. Enter user name, password, confirm password, then OK
19. Then click Close
20. Click Local Bridge Setting (bottom left)
21. Select the virtual hub you just created, then select Bridge with New Tap Device
22. Enter vpn in the name section, then click Create Local Bridge
23. You should see vpn pop up in the list, then click Exit
24. Click Edit Config
25. Click Save to File and save it somewhere safe, because it contains the secrets of your VPN!!!
26. Then close and exit the program.
27. ~~~~From here, the SoftEther VPN setup is basically done; if you want more advanced settings, we will discuss that in the later part of this guide!~~~~

Now we should set our router to work with this thing! (The MOST critical part!)
1. Use Notepad to open the config file you just saved
2. Replace all tab characters in the file with spaces (Ctrl+H)
3. Copy the whole text into the DD-WRT SoftEther config box
4. Click apply settings
5. Jump to Administration > Commands
*****Updated*****
6. Copy the following into the commands box
Code:
sleep 15
vpncmd localhost:443 /SERVER /PASSWORD: /CMD ConfigSet //tmp//vpn_server.config

7. Click Save Startup
8. Copy the following into the commands box
Code:
sleep 15
brctl addif br0 tap_vpn

9. Click Save Firewall
******************
10. Wait at least a minute!
11. After the router settles down and all lights turn on as normal, power it off and then on
12. Set the port forwarding list
Code:
UDP:500,1701,4500
TCP:443,992,555
Both:1194

13. Reboot


NOW go back to your Windows PC, open SoftEther Server Manager and click Connect.
If it can successfully connect, congratulations, you have done it!
Then just connect to your VPN with your client and enjoy.


As I have said, I will discuss more advanced settings, and here they are!

Get SSTP to work:
1. Connect to the VPN with the manager
2. Click Encryption and Network (middle right)
3. Change the encryption to something more secure, for example aes256-sha
4. Click New to generate a certificate for SSTP connections
5. Enter the common name (CN) as your DDNS hyperlink name (you can use what SoftEther gives you or your own DDNS name)
6. Set the expiry days to 9999 if you want it to work for a long time
7. Set the strength to 4096 bits, then click OK
8. Click Export and then click OK; here you will get two files, save them somewhere safe!
9. Click OK, then click OpenVPN/MS-SSTP Setting (bottom right)
10. Enable what you want (I don't use OpenVPN, so I disable it and save some CPU power on the router)
11. Now go back to the main page, click Edit Config, Save to File, and you should know what to do :D
12. Now install this certificate on the Windows PC you want to connect to; here is a link from Microsoft on how to install a certificate chain
https://technet.microsoft.com/en-US/library/dd441378(v=office.13).aspx
13. Now you should be able to connect via SSTP!

For OpenVPN, please follow normal procedures on how to use an openvpn client.

Some more tweaks to somehow make it safer and faster (needs some coding experience, so do it at your own risk)
1. Open the config file you just got; we are going to edit it (use caution!)
2. If you don't use DDNS from SoftEther, set bool Disabled true
3. SSLv3 is somehow considered not secure, so to completely disable it, set bool AcceptOnlyTls true
4. Import the file back into the manager.
5. On the main page, click Manage Virtual Hub (middle left)
6. Click Log Save Setting, uncheck Save Security Log and Save Packet Log
7. Click OK
8. Go to Edit Config and copy the settings into the DD-WRT config box!
9. Restart your router if you want.


At this point, your VPN should work like a charm, congratulations!

That's all, and Happy 2017 :D


Last edited by rickyyip123 on Sat Jan 21, 2017 8:27; edited 5 times in total
Gross
DD-WRT Novice


Joined: 07 Dec 2016
Posts: 4

PostPosted: Mon Jan 02, 2017 3:36
For me it actually connects, but the IP I get seems to be dished out by my ISP and not a 192.168.30.* address. Granted I am not running a standard config and I have a few vlans. I probably just need to play with the bridge config.
rickyyip123
DD-WRT Novice


Joined: 31 Dec 2016
Posts: 18

PostPosted: Mon Jan 02, 2017 3:42
Gross wrote:
For me it actually connects, but the IP I get seems to be dished out by my ISP and not a 192.168.30.* address. Granted I am not running a standard config and I have a few vlans. I probably just need to play with the bridge config.


In your case, you can play with the command line that bridges br0 to tap_vpn: change br0 to whatever you want to bridge to (vlan1, vlan2, etc.), and then it should work.
Gross
DD-WRT Novice


Joined: 07 Dec 2016
Posts: 4

PostPosted: Mon Jan 02, 2017 4:12
Thanks, I'll try that.
ThomasTrain
DD-WRT Novice


Joined: 26 Oct 2016
Posts: 2

PostPosted: Thu Jan 12, 2017 20:18    Post subject: Re: Softether Setup Guide (edit: port forwarding list)
rickyyip123 wrote:

10. Set port forwarding list
Code:
UDP:500,1701,4500
TCP:443,992,555
Both:1194



You sir, are a GENIUS!

I finally got L2TP/IPSEC running on my RT-AC68U.

One note: for L2TP/IPsec only, you only need ports 500 and 4500 to be forwarded, and you will forward them to the router's IP.

1194 and 443 are only required if you enable OpenVPN.

443 is required if you enable SSTP.

Only thing I have left to figure out is how to get it to hand out IPs that are separate from my DHCP server.
kammerma
DD-WRT Novice


Joined: 27 Dec 2016
Posts: 24

PostPosted: Sat Jan 14, 2017 17:06
Thank you, this worked perfectly! :)
rickyyip123
DD-WRT Novice


Joined: 31 Dec 2016
Posts: 18

PostPosted: Sat Jan 21, 2017 8:33
Finally figured out what is causing the 100% CPU bug, which is due to the infinite looping of the firewall script.
I have now modified the steps for the scripts; CPU load should be below 20% after you modify yours!
SoftEther should be connectable from outside within 3 minutes after you power on your router.
rickyyip123
DD-WRT Novice


Joined: 31 Dec 2016
Posts: 18

PostPosted: Sat Jan 21, 2017 8:43    Post subject: Re: Softether Setup Guide (edit: port forwarding list)
ThomasTrain wrote:
rickyyip123 wrote:

10. Set port forwarding list
Code:
UDP:500,1701,4500
TCP:443,992,555
Both:1194



You sir, are a GENIUS!

I finally got L2TP/IPSEC running on my RT-AC68U.

One note: for L2TP/IPsec only, you only need ports 500 and 4500 to be forwarded, and you will forward them to the router's IP.

1194 and 443 are only required if you enable OpenVPN.

443 is required if you enable SSTP.

Only thing I have left to figure out is how to get it to hand out IPs that are separate from my DHCP server.


If you want to create a separate subnet, you should first create a new bridge different from br0 (e.g. br1), then use the command "brctl addif br1 tap_vpn" to add the tap device to bridge br1, then add a Multiple DHCP Server entry for br1. Now you should have a separate DHCP server specifically for br1, i.e. tap_vpn.
kammerma
DD-WRT Novice


Joined: 27 Dec 2016
Posts: 24

PostPosted: Sat Jan 21, 2017 16:42
CPU load is still at around 60-70% ... even with no clients connected. This is on an Asus RT-AC68U.

P.S.: Other than that, everything works without any problems (using both OpenVPN and L2TP).
rickyyip123
DD-WRT Novice


Joined: 31 Dec 2016
Posts: 18

PostPosted: Sun Jan 22, 2017 6:05
kammerma wrote:
CPU load is still at around 60-70% ... even with no clients connected. This is on an Asus RT-AC68U.

P.S.: Other than that, everything works without any problems (using both OpenVPN and L2TP).

This is probably due to the random running sequence of the scripts, so the bridging script may actually run before SoftEther has successfully started.

So you might have to test the delay timing of your device: try to reduce the delay time for the startup script to make the vpncmd command run as soon as possible, and try to increase the delay time of the firewall script to make it run after the wireless network is online. (If the firewall script runs before wireless is online, it causes some weird infinite loop bug that might make the wireless network unstable.)

I have tested on an R6300v2, which has similar specs to the AC68U. I set the first delay time to 5 and the second delay time to 60, so that SoftEther can initialize successfully and it will be connectable from the outside network about 3 minutes after boot.

And I hope Kong or BS can integrate the vpncmd command into their code, so SoftEther can boot properly on all devices!
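The two fixed delays in the guide (5 and 60 seconds on the R6300v2) are a guess at how long vpnserver takes to come up on a given router, and the post above describes what happens when the guess is wrong. The script below is an added example, not from this thread or from DD-WRT: it keeps the thread's own pieces (the vpncmd ConfigSet line, /tmp/vpn_server.config, the tap_vpn device, and br0 or br1 as the bridge) but waits for each readiness condition instead of sleeping. The wait_until helper, the MAX_WAIT limit, and the use of busybox netstat, brctl show, logger and /sys/class/net are my assumptions about what the router provides.

```shell
#!/bin/sh
# Added example, not from the thread: one DD-WRT startup script that waits for
# SoftEther to be ready instead of guessing fixed "sleep" delays.
# From the thread: vpncmd, the ConfigSet line, /tmp/vpn_server.config,
# the tap_vpn device and the br0/br1 bridge choice.
# Assumptions (mine): busybox "netstat -ltn", "brctl show", "logger" and
# /sys/class/net exist on the router; vpnserver listens on TCP 443 once up.

BRIDGE="${BRIDGE:-br0}"      # set BRIDGE=br1 for the separate-subnet setup
TAP="tap_vpn"
CONFIG="//tmp//vpn_server.config"
MAX_WAIT="${MAX_WAIT:-120}"  # seconds to wait for each readiness check

# wait_until LIMIT CMD [ARGS...]: run CMD once a second until it succeeds or
# LIMIT seconds have passed. Returns 0 when CMD succeeded, 1 on timeout.
wait_until() {
    limit=$1
    shift
    n=0
    while [ "$n" -lt "$limit" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# Readiness checks used by run_startup.
vpnserver_listening() {
    netstat -ltn 2>/dev/null | grep -q ':443 '
}
tap_exists() {
    [ -d "/sys/class/net/$TAP" ]
}
tap_in_bridge() {
    brctl show "$BRIDGE" 2>/dev/null | grep -q "$TAP"
}

# The boot sequence: load the saved config only once vpnserver answers,
# then bridge the tap device only once vpnserver has created it.
run_startup() {
    if ! wait_until "$MAX_WAIT" vpnserver_listening; then
        logger -t softether "vpnserver not listening after ${MAX_WAIT}s, giving up"
        return 1
    fi
    vpncmd localhost:443 /SERVER /PASSWORD: /CMD ConfigSet "$CONFIG" || return 1
    if ! wait_until "$MAX_WAIT" tap_exists; then
        logger -t softether "$TAP never appeared after ConfigSet"
        return 1
    fi
    # brctl refuses to add an interface twice, so check first (idempotent).
    tap_in_bridge || brctl addif "$BRIDGE" "$TAP" || return 1
    logger -t softether "$TAP bridged to $BRIDGE"
    return 0
}

# Only run the real sequence where vpncmd exists (i.e. on the router); the
# helper functions above can be sourced and exercised elsewhere.
if command -v vpncmd >/dev/null 2>&1; then
    run_startup
fi
```

Paste the whole script as the startup script (no separate firewall script is needed, since the bridge step runs only after the tap device exists). If it gives up, the reason lands in the syslog under the "softether" tag, which is easier to act on than a silent 60-second sleep that happened to be too short.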
kammerma
DD-WRT Novice


Joined: 27 Dec 2016
Posts: 24

PostPosted: Sun Jan 22, 2017 8:08
Thanks for your input. This is weird. I tried different combinations of delays. And while different values clearly affected router load, it still remained high (~60% over a longer period of time).
rickyyip123
DD-WRT Novice


Joined: 31 Dec 2016
Posts: 18

PostPosted: Sun Jan 22, 2017 12:40
kammerma wrote:
Thanks for your input. This is weird. I tried different combinations of delays. And while different values clearly affected router load, it still remained high (~60% over a longer period of time).

Then you might have to use the "top" command over telnet to identify which process consumes so much CPU, and see if it is related to vpncmd or vpnserver.
blaser
DD-WRT Guru


Joined: 16 Jul 2006
Posts: 525

PostPosted: Tue Jan 24, 2017 11:34
I'm running tests on a spare router.
From what I can see, when you enable the SoftEther VPN server it increases the NVRAM usage.
SoftEther creates a file in /tmp/var/lib called vpn_server.config.
I used the file that was created in post #1 and copied it to a USB drive mounted on the router.
My startup script is

Code:
#!/bin/sh

sleep 30
/tmp/vpnserver stop
cp /opt/myscripts/vpn/vpn_server.config /tmp/var/lib
/tmp/vpnserver start
sleep 15
brctl addif br0 tap_vpn

This works great without increasing the NVRAM usage any further.

Also I disabled some parameters that were causing CPU spikes and SoftEther calling home
Code:
bool UseKeepConnect true -> false

declare DDnsClient
{
  bool Disabled false -> true
}

bool DisableNatTraversal false -> true

bool SuppressClientUpdateNotification false -> true

I want to create a port forwarding rule in the firewall commands instead of port forwarding under NAT.
Can someone help?

_________________
Netgear R9000 main router
RAX80 as AP
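The first post's tweak list (AcceptOnlyTls, the DDnsClient Disabled flag, dropping the logs) and blaser's list above (UseKeepConnect, DisableNatTraversal, SuppressClientUpdateNotification) are both edits made by hand in Notepad, and it is easy to miss one or to flip the right key in the wrong block. The script below is an added example, not from the thread, DD-WRT or SoftEther: it reads a saved vpn_server.config and reports which of those settings are still at their weak value. It assumes SoftEther's text config layout of "declare Name" blocks in braces with "bool Key value" lines; which block holds each key is approximated from that layout (my assumption), so adjust the table if your file differs. The sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved vpn_server.config for the
# settings the thread recommends changing before pasting it into DD-WRT.
# Assumption (mine): SoftEther's text config format of "declare Name" blocks
# wrapped in { } with "bool Key value" lines; the block assigned to each key
# in audit_config is approximated from that format.

# setting_value FILE BLOCK KEY: print the value of "bool KEY" found directly
# inside the innermost block named BLOCK, or nothing if it is absent.
setting_value() {
    awk -v block="$2" -v key="$3" '
        $1 == "declare" { pending = $2 }          # name of the block about to open
        $1 == "{"       { depth++; name[depth] = pending; pending = "" }
        $1 == "}"       { depth-- }
        $1 == "bool" && $2 == key && name[depth] == block { print $3; exit }
    ' "$1"
}

# check_setting FILE BLOCK KEY WANT: report one setting; 0 = ok, 1 = weak, 2 = missing.
check_setting() {
    got=$(setting_value "$1" "$2" "$3")
    if [ -z "$got" ]; then
        echo "MISSING $2.$3 (want $4)"
        return 2
    elif [ "$got" = "$4" ]; then
        echo "ok      $2.$3 = $got"
        return 0
    else
        echo "WEAK    $2.$3 = $got (want $4)"
        return 1
    fi
}

# audit_config FILE: run every check; the return value is the number of
# settings that are weak or missing, so 0 means the file is clean.
audit_config() {
    file=$1
    bad=0
    for spec in \
        "ServerConfiguration AcceptOnlyTls true" \
        "ServerConfiguration DisableNatTraversal true" \
        "ServerConfiguration UseKeepConnect false" \
        "ServerConfiguration SuppressClientUpdateNotification true" \
        "DDnsClient Disabled true"
    do
        set -- $spec
        check_setting "$file" "$1" "$2" "$3" || bad=$((bad + 1))
    done
    return "$bad"
}

# write_sample_config FILE: a constructed config fragment (not a real one)
# with three of the five settings still at their weak defaults.
write_sample_config() {
    cat > "$1" <<'EOF'
declare root
{
 declare ServerConfiguration
 {
  bool AcceptOnlyTls false
  bool DisableNatTraversal false
  bool SuppressClientUpdateNotification false
  bool UseKeepConnect false
  declare DDnsClient
  {
   bool Disabled true
  }
 }
}
EOF
}

if [ -n "${1:-}" ]; then      # usage: sh audit.sh /path/to/vpn_server.config
    audit_config "$1"
fi
```

Run it against the file you exported from "Edit Config" before pasting it into the DD-WRT box; a non-zero exit status tells you how many lines still need changing. The block-aware lookup matters because a key such as Disabled can appear under more than one declare, and a plain grep would happily report the wrong one.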
rickyyip123
DD-WRT Novice


Joined: 31 Dec 2016
Posts: 18

PostPosted: Tue Jan 24, 2017 13:23
blaser wrote:
I'm running tests on a spare router.
From what I can see, when you enable the SoftEther VPN server it increases the NVRAM usage.
SoftEther creates a file in /tmp/var/lib called vpn_server.config.
I used the file that was created in post #1 and copied it to a USB drive mounted on the router.
My startup script is

Code:
#!/bin/sh

sleep 30
/tmp/vpnserver stop
cp /opt/myscripts/vpn/vpn_server.config /tmp/var/lib
/tmp/vpnserver start
sleep 15
brctl addif br0 tap_vpn

This works great without increasing the NVRAM usage any further.

Also I disabled some parameters that were causing CPU spikes and SoftEther calling home
Code:
bool UseKeepConnect true -> false

declare DDnsClient
{
  bool Disabled false -> true
}

bool DisableNatTraversal false -> true

bool SuppressClientUpdateNotification false -> true

I want to create a port forwarding rule in the firewall commands instead of port forwarding under NAT.
Can someone help?

Nice info for low-NVRAM users! :D
And for port forwarding using firewall commands, I think you can use the same structure as this
Code:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

But I think setting it up this way is the same as setting it in the GUI :roll:
Mr_Orange
DD-WRT Novice


Joined: 29 Nov 2015
Posts: 7

PostPosted: Wed Jan 25, 2017 9:08    Post subject: VPN Log?
I got it working, thanks to the detailed explanation in the first post, but it seems the VPN logs are missing.
Do you have the same problem, or am I not searching for the log in the right places?