SoftEther VPN

From Wikipedia, the free encyclopedia
  (Redirected from Softether)
Jump to: navigation, search
SoftEther VPN
Softethervpn logo.jpg
Softethervpn ss.jpg
SoftEther VPN
Original author(s) SoftEther VPN Project at University of Tsukuba
Developer(s) Daiyuu Nobori, Tetsuo Sugiyama, Takao Ito, Christopher Smith, Mei Sharie Ann Yamaguchi and other contributors.[1]
Initial release January 4, 2014
Development status Active
Written in C and C++
Operating system Windows, Linux, Mac OS X, FreeBSD, Solaris, iOS, Android
Platform Cross-platform
Available in English, Japanese and Simplified-Chinese [2]
Type VPN
License GPL v2 [3]
Website softether.org

SoftEther VPN is an open-source free cross-platform multi-protocol VPN program, developed as an academic project from University of Tsukuba, released under the GPLv2 license since January 4, 2014. It supports multiple VPN protocols (SSL-VPN, L2TP/IPsec, OpenVPN and MS-SSTP) in a single VPN server instance. It claims to be one of the most powerful and versatile vpn software ever built.[4]

Overview[edit]

SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris.

SoftEther VPN is open source. You can use SoftEther for any personal or commercial use for free charge.

SoftEther VPN is an optimum alternative to OpenVPN and Microsoft's VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8 / 8.1. No more need to pay expensive charges for Windows Server license for Remote-Access VPN function.

SoftEther VPN can be used to realize BYOD (Bring your own device) on your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN's L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN's L2TP VPN Server has strong compatibility with Windows, Mac, iOS and [Android_(operating_system)|[Android]].

SoftEther VPN is not only an alternative VPN server to existing VPN products (OpenVPN, IPsec and MS-SSTP). SoftEther VPN has also original strong SSL-VPN protocol to penetrate any kinds of firewalls. Ultra-optimized SSL-VPN Protocol of SoftEther VPN has very fast throughput, low latency and firewall resistance.

SoftEther VPN has strong resistance against firewalls than ever. Built-in NAT-traversal penetrates your network admin's troublesome firewall for overprotection. You can setup your own VPN server behind the firewall or NAT in your company, and you can reach to that VPN server in the corporate private network from your home or mobile place, without any modification of firewall settings. Any deep-packet inspection firewalls cannot detect SoftEther VPN's transport packets as a VPN tunnel, because SoftEther VPN uses Ethernet over HTTPS for camouflage.

Easy to imagine, design and implement your VPN topology with SoftEther VPN. It virtualizes Ethernet by software-enumeration. SoftEther VPN Client implements Virtual Network Adapter, and SoftEther VPN Server implements Virtual Ethernet Switch. You can easily build both Remote-Access VPN and Site-to-Site VPN, as expansion of Ethernet-based L2 VPN. Of course, traditional IP-routing L3 based VPN can be built by SoftEther VPN.

SoftEther VPN has strong compatibility to today's most popular VPN products among the world. It has the interoperability with OpenVPN, L2TP, IPsec, EtherIP, L2TPv3, Cisco VPN Routers and MS-SSTP VPN Clients. SoftEther VPN is the world's only VPN software which supports SSL-VPN, OpenVPN, L2TP, EtherIP, L2TPv3 and IPsec, as a single VPN software.

SoftEther VPN is free software because it was developed as Daiyuu Nobori's Master Thesis research in the University. You can download and use it today. The source-code of SoftEther VPN is available under GPL license.

The SoftEther VPN Server Architecture

Components[edit]

SoftEther VPN Server[edit]

SoftEther VPN Server implements the VPN server function to listens and accepts connections from VPN Client or VPN Bridge with several VPN protocols.

A VPN Server can have several Virtual Hubs and Virtual Layer-3 Switches. A Virtual Hub has full layer-2 Ethernet packet-switching functions like a physical Ethernet switch. Additionally, a Virtual Hub can be configured to define IP packet filter entries to filter the packets through the Virtual Hub. A Virtual Layer-3 Switch has layer-3 IP static routing functions like a physical router.

A VPN Server can have local-bridges. A local bridge is the layer-2 packet-switching fabric between a physical Ethernet network-adapter and a Virtual Hub. The administrator defines a local-bridge between the Virtual Hub and the existing corporate network to build a remote-access VPN server or a site-to-site VPN server.

SoftEther VPN Client[edit]

SoftEther VPN Client is a VPN client program which has the virtualized function of an Ethernet network adapter. A computer with installed SoftEther VPN Client can establish a VPN connection to the VPN Server. Since the VPN Server has the support for multiple VPN protocols such as L2TP/IPsec or MS-SSTP VPN, VPN users are not required to install SoftEther VPN Client on client computers. When a user uses L2TP/IPsec or MS-SSTP VPN to connect to the VPN Server, the built-in VPN client programs on the operating system can be used to establish a VPN to the VPN Server. However, SoftEther VPN Client has advanced functions (e.g. more detailed VPN communication settings) than OS built-in VPN clients. To exploit the full performance of SoftEther VPN Server, it is recommended to install SoftEther VPN Client on each client computer.

SoftEther VPN Bridge[edit]

SoftEther VPN Bridge is a VPN program for building a site-to-site VPN. To build a site-to-site VPN network, the system administrator has to install SoftEther VPN Server on the central site, and has to install SoftEther VPN Bridge on one or more remote sites. A VPN Bridge connects to the central VPN Server by cascade connection. A cascade connection is similar to, but a virtualized of, an uplink connection (cross-cable connection) between two physical Ethernet switches.

SoftEther VPN Server Management GUI Tool[edit]

The SoftEther VPN Server Management GUI Tool

The GUI Tool is the administrative tool for SoftEther VPN Server and SoftEther VPN Bridge. It is a program runs on both Windows and Linux with WINE. A system administrator installs the GUI Tool on his laptop PC, and make it connect to the remote VPN Server or VPN Bridge for administration. The connection is made by SSL session, and management commands are transported as RPC over SSL.

SoftEther VPN Command-line Admin Utility (vpncmd)[edit]

vpncmd is the CUI administrative tool for SoftEther VPN Server, Client and Bridge. It is a program runs on consoles of every supported operating systems. When a user is unable to use Windows or Linux with WINE, the user can alternatively use vpncmd to manage the VPN programs. vpncmd is also useful to execute a batch operation, such as creating many users on the Virtual Hub, or creating many Virtual Hubs on the VPN Server.

Supported VPN protocols[edit]

SoftEther VPN supports the following major VPN protocols by a single program. Since these VPN protocols have been supported on smart-phones and tablets including iOS and Android, these mobile devices can connect to the SoftEther VPN Server without additional software installation.

Features[5][edit]

The IPsec / L2TP setting screen for iPhone and iPad
  • Free and open-source software.
  • Easy to establish both remote-access and site-to-site VPN.
  • SSL-VPN Tunneling on HTTPS to pass through NATs and firewalls.
  • Revolutionary VPN over ICMP and VPN over DNS features.
  • Resistance to highly restricted firewall.
  • Ethernet-bridging (L2) and IP-routing (L3) over VPN.
  • Embedded dynamic-DNS and NAT-traversal so that no static nor fixed IP address is required.
  • AES 256-bit and RSA 4096-bit encryptions.
  • Sufficient security features such as logging and firewall inner VPN tunnel.
  • 1Gbit/s-class high-speed throughput performance with low memory and CPU usage.
  • Windows, Linux, Mac, Android, iPhone, iPad and Windows Phone are supported.
  • SSL-VPN (HTTPS) and 6 major VPN protocols (OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3 and EtherIP) are all supported as VPN tunneling underlay protocols.
  • The OpenVPN clone function supports legacy OpenVPN clients.
  • IPv4 / IPv6 dual-stack.
  • The VPN server runs on Windows, Linux, FreeBSD, Solaris and Mac OS X.
  • Configure All settings on GUI.
  • Multi-languages (English, Japanese and Simplified-Chinese).
  • No memory leaks. High quality stable codes, intended for long-term runs. We always verify that there are no memory or resource leaks before releasing the build.
  • RADIUS / NT Domain user authentication function
  • RSA certificate authentication function
  • Deep-inspect packet logging function
  • Source IP address control list function
  • Syslog transfer function
  • SoftEther VPN is safe from the Heartbleed vulnerability of OpenSSL. (April 11, 2014)

Architectures[6][edit]

Some parts of the architecture of SoftEther VPN are different from typical traditional IPsec-based VPN systems.

Full Ethernet Virtualization[edit]

The key concept of the method of realizing VPN by SoftEther VPN is the full virtualization of Ethernet segments, layer-2 Ethernet switches and Ethernet adapters.

Since SoftEther VPN tunnels the Internet and establish a VPN Session between remote sites with full capabilities to transmit any Ethernet packets, SoftEther VPN has unlimited protocol transparency as exact same as physical Ethernet segments. There are many of protocols which can be used on Ethernet. For example, IPv4 (TCP, UDP, ICMP, ESP, GRE etc.), IPv6 (the next generation of IP), NetBEUI, IPX/SPX, PPPoE, RIP, STP and so on. All protocols can be transmitted on the tunnel by SoftEther VPN.

Legacy VPN systems with L2TP, IPsec or PPTP can transmit only IPv4. Because these VPN protocols can carry only the upper layer of equal or more than layer-3. Contrariwise, SoftEther VPN can carry any packets which are equal or more than layer-2.

The user can derive a benefit from this advantage. The user can any legacy and latest protocols within the VPN session of SoftEther VPN. If the user's company uses some specified protocol for controlling a manufacturing machine, the user can use it on the SoftEther VPN session. No modifications on the software are needed to use such a protocol on the layer-2 VPN.

Virtual Hub[edit]

The forwarding database (FDB) of a Virtual Hub

A Virtual Hub is the software-emulated virtual Ethernet switch. It learns and maintains its own forwarding-database table inside. Although traditional physical Ethernet switches implements this function by hardware, SoftEther VPN implements the same function by software. A VPN Server can have several Virtual Hubs. Each Virtual Hub is isolated. A Virtual Hub performs the packet-switching between concurrently connected VPN sessions to realize the communication between VPN Clients and VPN Bridges.

When there are several Virtual Hubs in a single instance of VPN Server, these Virtual Hubs are isolated for security. Each different administrator can have the delegated privilege for each correspondent Virtual Hub. An administrator for a Virtual Hub can define user-objects and ACLs, limited only the delegated Virtual Hub.

Virtual Network Adapter[edit]

A Virtual Network Adapter is the software-emulated virtual Ethernet adapter. A VPN Client can create several Virtual Network Adapters on the client computer. A VPN user can establish a VPN session between the Virtual Network Adapter and the destination Virtual Hub of the remote VPN Server. While the VPN session is established, the VPN user can communicate to the remote VPN network through the Virtual Network Adapter. Since the Virtual Network Adapter works as if it is the physical one, any applications or operating system components can be used without any modification.

Virtual Layer-3 Switch[edit]

A Virtual Layer-3 Switch is the software-emulated virtual IP router. Several Virtual Layer-3 Switch can be created on a single VPN Server instance. A Virtual Layer-3 Switch has virtual IP interfaces connected to Virtual Hubs. It also has several static routing table entries.

The Virtual Layer-3 Switch is useful to make a large-scale site-to-site VPN network. Although the easy way to make a site-to-site VPN network is to build the layer-2 bridging based VPN, if the number of computers are huge the number of broadcasting packets will increase to load the inter-site links. To prevent that scaling problem, the VPN administrator isolates IP networks by Virtual Layer-3 switch.

Cascade Connection between Virtual Hubs[edit]

The administrator can define a cascade connection between local or remote Virtual Hubs. After the cascade connection will be established, the originally-isolated two Ethernet segments are combined to the single Ethernet segment. Therefore, the cascade connection function is used to build the site-to-site layer-2 Ethernet bridging.

Local Bridge between Virtual Hubs and Physical Ethernet Segment[edit]

Since Virtual Hubs and Virtual Network Adapters are only the software-emulated virtual Ethernet devices, the Ethernet packets through these virtual devices cannot communicate with physical Ethernet devices. Therefore, the bridge between the virtual and the physical is necessary to build a remote-access VPN or site-to-site VPN. To make a bridge, the Local Bridge function exchanges the Ethernet packets between a Virtual Hub and a physical Ethernet network adapter to combine the both isolated Ethernet segment to the single Ethernet segment.

After defining the Local Bridge on SoftEther VPN Server, any VPN Client can connect to the VPN Server and communicate to all existing Ethernet devices (e.g. servers or network equipment) through the Local Bridge. This is called a remote-access VPN.

If the network administrator set up the remote-site VPN Bridge, and defines two Local Bridges on both VPN Server and VPN Bridge, and defines a cascade connection between VPN Server and VPN Bridge, then the remote two Ethernet segments are connected directly in layer-2 Ethernet level. This is called a site-to-site VPN.

Firewall, Proxy and NAT Transparency[edit]

Firewall, Proxy and NAT Transparency

One of the key features of SoftEther VPN is the transparency for firewalls, proxy servers and NATs (Network Address Translators). To do this, SoftEther VPN supports SSL-VPN and NAT Traversal. SoftEther VPN uses HTTPS protocol in order to establish a VPN tunnel. HTTPS (HTTP over SSL) protocol uses the 443 (may vary) of TCP/IP port as destination.

Parallel Transmission Mechanism of Multiple SSL-VPN Tunnels[edit]

When the user chooses SSL-VPN protocol between the VPN Client and VPN Server, SoftEther VPN Server and VPN Client uses the parallel transmission mechanism to improve the throughput of the SSL-VPN tunnel. A user can set up the number of concurrent parallel transmission channels 1 to 32. In the environment such as slow and delaying network, this performance tuning will be a faster result for throughputs. When this function is enabled, the logical VPN Session will consist of several TCP (HTTPS) connections. All packets will be added to one of the appropriate TCP connections with calculations of optimizing modules. If some packet losses have been detected on a TCP connection of the logical VPN Session, then the new packet will use another health VPN connection. This fast-switching optimization to determine the processing TCP connection enables high throughput.

NAT Traversal[edit]

Traditional VPN systems require the user to ask the firewall's administrator of the company to open an endpoint (TCP or UDP port) on the firewall or NAT on the border between the company and the Internet. In order to reduce the necessity to open an endpoint on the firewall, SoftEther VPN Server has the NAT Traversal function. NAT Traversal is enabled by default. During it is enabled, SoftEther VPN Client computers can connect to your VPN Server behind the firewall or NAT. No special settings on the firewall or NAT are necessary.

VPN over ICMP, and VPN over DNS[edit]

A few very-restricted networks only permit to pass ICMP or DNS packets. On such a network, TCP or UDP are filtered. Only ICMP and DNS are permitted. In order to make it possible to establish SoftEther VPN client-server session via such a very-restricted network, SoftEther VPN has the "VPN over ICMP" and the "VPN over DNS" function.

This function is very powerful to penetrate such a restricted firewall. All VPN packets are capsuled into ICMP or DNS packets to transmit over the firewall. The receiver-side endpoint extracts the inner packet from the capsuled packet. This is very useful for exploiting public Wi-Fi. Some public Wi-Fi can pass only ICMP or DNS packets. They filter TCP or UDP packets. If you have a VPN Server installed on your home or office in advance to go outdoor, you can enjoy protocol-free network communication by using such a restricted network.

See also[edit]

References[edit]

External links[edit]