SoftEther VPN Running on AsusWRT Routers

SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software.
Tested on RT-AC68U rev A2, RMerlin firmware v380.65, hdd usb3, Optware-NG & Entware-NG

1 - Flash RMerlin firmware from here

2a - Install Optware-NG from here
2b - Install Entware-NG from here

3a - For ARM devices download and install SoftEtherVPN (thanks @lancethepants for binaries)

cd /opt/etc
wget -c -O SoftEtherVPN-4.20-9608-rtm-arm.tgz
tar xvzf ./SoftEtherVPN-4.20-9608-rtm-arm.tgz
rm ./SoftEtherVPN-4.20-9608-rtm-arm.tgz

3b - For MIPSEL devices download and install SoftEtherVPN (thanks again @lancethepants for binaries) (NOT TESTED)

cd /opt/etc
wget -c -O SoftEtherVPN-4.20-9608-rtm-mipsel.tgz
tar xvzf ./SoftEtherVPN-4.20-9608-rtm-mipsel.tgz
rm ./SoftEtherVPN-4.20-9608-rtm-mipsel.tgz

4 - Start SoftEtherVPN server ( I added a 12 seconds start delay because will crash the router if is starting right after router reboot)

/opt/etc/init.d/S80softethervpnserver start
The SoftEther VPN Server service has been started.

- Enter VPN Command Line Management Utility

admin@RT-AC68U:/tmp/mnt/sda1/optware-ng.arm/etc# /opt/etc/softethervpn/vpncmd
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.20 Build 9608 (English)
Compiled 2016/04/17 20:58:26 by yagi at pc30
Copyright (c) SoftEther VPN Project. All Rights Reserved.By using vpncmd program, the following can be achieved.1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)Select 1, 2 or 3: 1
Specify the host name or IP address of the computer that the destination VPN Server or VPN Bridge is operating on.
By specifying according to the format 'host name:port number', you can also specify the port number.
(When the port number is unspecified, 443 is used.)
If nothing is input and the Enter key is pressed, the connection will be made to the port number 8888 of localhost (this computer).
Hostname of IP Address of Destination: ENTER
If connecting to the server by Virtual Hub Admin Mode, please input the Virtual Hub name.
If connecting by server admin mode, please press Enter without inputting anything.
Specify Virtual Hub Name: ENTER
Connection has been established with VPN Server "localhost" (port 443).You have administrator privileges for the entire VPN Server.

- Create a server password (highly recommended)

VPN Server>ServerPasswordSet
ServerPasswordSet command - Set VPN Server Administrator Password
Please enter the password. To cancel press the Ctrl+D key.
Password: serverpassword
Confirm input: serverpassword
The command completed successfully.

- Create a hub (chose which name you like)

VPN Server>HubCreate RT-AC68U
HubCreate command - Create New Virtual Hub
Please enter the password. To cancel press the Ctrl+D key.
Password: hubpassword
Confirm input: hubpassword
The command completed successfully.

- Connect to RT-AC68U hub

VPN Server>Hub RT-AC68U
Hub command - Select Virtual Hub to Manage
The Virtual Hub "RT-AC68U" has been selected.
The command completed successfully.

- Create a new user for hub RT-AC68U

VPN Server/RT-AC68U>UserCreate TeHashX
UserCreate command - Create User

Assigned Group Name: ENTER
User Full Name: ENTER
User Description: ENTER
The command completed successfully.

10 - Create a password for this user

VPN Server/RT-AC68U>UserPasswordSet TeHashX
UserPasswordSet command - Set Password Authentication for User Auth Type and Set Password

Please enter the password. To cancel press the Ctrl+D key.
Password: userpassword
Confirm input: userpassword
The command completed successfully.

11 - Enable Secure Nat for this hub

VPN Server/RT-AC68U>SecureNatEnable
SecureNatEnable command - Enable the Virtual NAT and DHCP Server Function (SecureNat Function)

The command completed successfully.

12 - Enable IPsec/L2TP

VPN Server/RT-AC68U>IPsecEnable
IPsecEnable command - Enable or Disable IPsec VPN Server Function
Enable L2TP over IPsec Server Function (yes / no): yes
Enable Raw L2TP Server Function (yes / no): no
Enable EtherIP / L2TPv3 over IPsec Server Function (yes / no): yes
Pre Shared Key for IPsec (Recommended: 9 letters at maximum): presharedkey
Default Virtual HUB in a case of omitting the HUB on the Username: RT-AC68U
The command completed successfully.

13 - Enable SSTP

VPN Server/RT-AC68U>sstpEnable yes
SstpEnable command - Enable / Disable Microsoft SSTP VPN Clone Server Function
The command completed successfully.

14 - Enable OpenVPN (you can change port number or input multiple ports)

VPN Server/RT-AC68U>OpenVPNEnable yes /PORTS:1194
OpenVpnEnable command - Enable / Disable OpenVPN Clone Server Function
The command completed successfully.

15 - Generate a server certificate, chose your ddns address as Common Name

VPN Server/RT-AC68U>ServerCertRegenerate []
ServerCertRegenerate command - Generate New Self-Signed Certificate with Specified CN (Common Name) and Register on VPN Server
A new server certificate has been set.
If you are using OpenVPN protocols, please mind that you may have to update the inline certificate data in the OpenVPN configuration file.
The command completed successfully.

16 - Generate a Sample Setting File for OpenVPN Client

VPN Server/RT-AC68U>OpenVpnMakeConfig softethervpn/
OpenVpnMakeConfig command - Generate a Sample Setting File for OpenVPN Client
The sample setting file was saved as "softethervpn/". You can unzip this file to extract setting files.
The command completed successfully.

17 - Create a bridge if you want to give wan access to connected clients

VPN Server/RT-AC68U>BridgeCreate RT-AC68U
BridgeCreate command - Create Local Bridge Connection
Bridge Destination Device Name: br0
While in the condition that occurs immediately after a new bridge connection is made when bridging to a physical network adapter, depending on the type of network adapter, there are cases where it will not be possible to communicate using TCP/IP to the network adapter using a bridge connection from a computer on the virtual network.
(This phenomenon is known to occur for Intel and Broadcom network adapters.)
If this issue arises, remedy the situation by restarting the computer on which VPN Server / Bridge is running. Normal communication will be possible after the computer has restarted.
Also many wireless network adapters will not respond to the sending of packets in promiscuous mode and when this occurs you will be unable to use the Local Bridge. If this issue arises, try using a regular wired network adapter instead of the wireless network adapter.
The command completed successfully.

18 - Exit VPN Command Line Management Utility

VPN Server/RT-AC68U>exit

19 - Open required ports (remove #!/bin/sh line if you already have firewall-start script)

cat >> /jffs/scripts/firewall-start << 'EOF'
iptables -I INPUT -p udp --destination-port 500 -j ACCEPT
iptables -I INPUT -p udp --destination-port 4500 -j ACCEPT
iptables -I INPUT -p udp --destination-port 1194 -j ACCEPT
chmod a+rx /jffs/scripts/firewall-start
sh /jffs/scripts/firewall-start

Now your SoftEther VPN server is configured and ready to accept connections :)
To connect with OpenVPN protocol download to your PC from /opt/etc/softethervpn, unzip and use openvpn_site_to_site_bridge_l2.ovpn to connect from pc and openvpn_remote_access_l3.ovpn to connect from smartphone but first replace "remote 1194" with your ddns address, like "remote 1194"
You can download Server Manager and/or SoftEther client from official site

This tutorial was requested and is dedicated @Joe Fox

  • Thank you so much. I didn't try yet but i wanted to thank you for the tutorial. :)

  • kcheon

    I have finished the setup. I can ping the VPN Gateway address I can access the outside through the gateway. However, I have 2 issues:

    1. I can't ping the internal network nodes, such as my NAS, my AP, etc.
    2. The router will reboot itself after a while, especially when I bring up the RMerlin web interface on another computer.

    Additional Info:
    SothEtherVPN 4.20-9608 (I have also tried 4.21 beta, the issues are the same)
    I am not using OpenVPN, so I did not have the firewall rule "iptables -I INPUT -p udp --destination-port 1194 -j ACCEPT"
    Using a 8G USB thumb drive on EXT2 filesystem
    Tried with swapon and swapoff, same
    Using iPhone 7 by L2TP/IPSec

    • nico nico

      I using 380.65_2 version. I have not the reboot issue.
      If you only open udp 500 and 4500 port, I don't think the client can connect the vpn server. I have to open 8888 or 5555 and let client connect the server through one of these port.

    • I don't have the reboot issue, maybe because I'm using a usb 3.0 hdd and swap

  • nico nico

    I can finished the setup procedures without error, but I can't connect to the server by my laptop and iphone. are there any ports need to be open in the router?

    • nico nico

      After added "iptables -I INPUT -p tcp --destination-port 8888 -j ACCEPT" to firewall-start file, I can connect to the server by 8888 port. But I can't add "iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT " to the file. I got an error "iptables v1.4.14: Cannot use -X with -I". Is that mean I can't open the 443 port? How can I access the vpn server by mobile phone?

      • Read again point 19
        Post here output from
        cat /jffs/scripts/firewall-start

        • nico nico

          I have follow the point 19 to use nano editor to add "iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT" into firewall-start file, and then run "sh /jffs/scripts/firewall-start" and got this error

          • cat /jffs/scripts/firewall-start

          • nico nico

            above is the result of cat command. but iphone can't connect the server still.

          • What error do you get when trying to connect?

          • nico nico

            I still testing the server. not sure why the iphone can't connect to the server if I not enable the securNAT function in the virtualhub.

          • nico nico

            after few days testing. I found that vpn client can not get the IP address from the DHCP server of the router. I have to enable SecurNAT and DHCP in Vhub to assign the IP address. But I can't enable local bridge for this vhub, since 2 DHCP server would get conflicts.

          • nico nico

            I added back "iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT" it works now. I don't know why error occurred before.I can connect the server through 443 port by softether pc client now. I will test the l2tp connection of the iphone later and get back to you.

  • Tim Dowker

    Getting /opt/etc/softethervpn/vpnserver: line 1: syntax error: unexpected word (expecting ")") when I try to run step 4. Running on an RT-N66U with latest firmware.

    • TeHashX

      This tutorials is for arm devices

      • I added mipsel version, refresh page and continue from step 4b after removing arm package
        rm -r /opt/etc/softethervpn
        rm /opt/etc/init.d/S80softethervpn
        Please leave feedback if is working or not

        • TeHashX

          Point 3b, sorry

          • Tim Dowker

            Awesome! Thank you! I'll give it a go and let you know.


To be notified by email when a new tutorial is posted :)

Thanks for Subscribing! I'll keeping you up-to-date with latest tutorials!

Something went wrong, try again...