How to Set Up a Multi-Protocol VPN Server Using SoftEther on Microsoft Azure (Windows Server)

What is SoftEther?

SoftEther VPN is one of the world's most powerful and easy-to-use multi-protocol VPN software packages, made by the good folks at the University of Tsukuba, Japan. It runs on Windows, Linux, Mac, FreeBSD and Solaris, and it is freeware and open source. You can use SoftEther for any personal or commercial purpose free of charge. This article explains how to install and configure a multi-protocol VPN server using SoftEther on a Windows Server VM in Microsoft Azure.

Step 1 : Create Windows Server VM

First, you need to create a Windows Server VM from the Azure Portal. Azure provides several Windows Server images to start with, from the oldest Windows Server 2008 R1 up to the latest Windows Server 2016. SoftEther will work on any of these versions, but it is recommended to stick with the latest version of Windows Server.

This tutorial uses Windows Server 2016 Datacenter with the F1S Standard machine size. A machine with a 1-core processor and 2 GB of RAM is sufficient to run the SoftEther Server software.

Step 2 : Remote Access The VM

Connect to the machine using the Remote Desktop application. Enter the correct VM username and password to gain access. Alternatively, you can download an .rdp file from the Azure Portal by clicking the Connect button on the VM window.

Step 3 : Install SoftEther VPN Server

Download and install SoftEther VPN Server and VPN Bridge from the SoftEther website.

When prompted to "Select Software Components to Install", select SoftEther VPN Server in the setup wizard.

Step 4 : Connect to Server Manager

After the software is installed, open it and click Connect.

A window will pop up asking you to create a new password for the administrator account. Enter the desired password and click OK to proceed.

Step 5 : Configure Server Settings

The SoftEther VPN Server/Bridge Easy Setup window will appear, asking you to choose which VPN topology to set up. Select Remote Access VPN Server.

A Virtual Hub name will be required. Virtual Hubs keep administration objects and VPN session-layer communication separate from one Virtual Hub to another. The default Virtual Hub name is "VPN", but you can enter any name you want.

You will then be asked about additional settings such as L2TP/IPsec, VPN Azure, and Dynamic DNS. These settings are optional. You can ignore them for now and disable every one of them.

VPN Azure in SoftEther is not related in any way to Microsoft Azure. It is a totally different product with the same name.

Step 6 : Create Users

VPN clients need user credentials to connect to your VPN server. User credentials are created in Virtual Hub Management. To open Virtual Hub Management, double-click the name of one of the Virtual Hubs. To create a new user, select Manage Users > New.

Enter the required fields, such as username and full name, and then select your preferred method of authentication. Password authentication is the easiest and the most standard form of authentication. If your organization is more concerned about security, you can choose a more advanced authentication type such as Certificate Authentication.

Step 7 : Enable SecureNAT

You need to enable Virtual NAT and Virtual DHCP so that the server automatically assigns a virtual IP address to every client and clients can access the private network through the server.

On the Virtual Hub Management window, select Virtual NAT and Virtual DHCP Server (SecureNAT) > Enable Secure NAT.

Step 8 : Allow TCP Port Access

Last but not least, a TCP port on the machine needs to be opened to allow external access. For security reasons, Azure by default blocks every port (except the RDP port) on the machine, so you need to specify explicitly which port number is to be opened.

You can have SoftEther listen on one of these TCP ports:

  • 443 (HTTPS)
  • 992 (Telnet)
  • 5555

To open TCP port access on the machine, on the Azure Portal, select [VPN server VM name] > Network Interfaces > [network interface name].

Then select Network Security Group > [network security group name].

Select Inbound Security Rules > Add.

Choose your preferred port and then select "Allow". The default naming convention for a security rule is allow-<port/port-range>. For demonstration I use port 443 (HTTPS).

Select OK to finish.
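The same Step 8 change can be scripted with the Az PowerShell module and followed by a review of what the Network Security Group exposes. This is an added example, not part of the original article; the resource group, NSG name and server address are placeholders, and the starting priority of 1000 is an assumption.

```powershell
# Added example (not from the article). Requires the Az.Network module and an
# authenticated session (Connect-AzAccount). Angle-bracket values are placeholders.
$ResourceGroup = '<resource-group-name>'
$NsgName       = '<network-security-group-name>'
$ServerIp      = '<server-public-ip>'
$VpnPort       = 443               # listener chosen in Step 8: 443, 992 or 5555
$RuleName      = "allow-$VpnPort"  # naming convention mentioned in the article
$Source        = '*'               # any source, as in the article; a client CIDR narrows exposure

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName -ErrorAction Stop

# Add the inbound rule only if it is not already present.
if (-not ($nsg.SecurityRules | Where-Object { $_.Name -eq $RuleName })) {
    # Pick a priority that no existing inbound rule uses (lower numbers win).
    $used = @($nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' } |
              ForEach-Object { $_.Priority })
    $priority = 1000               # assumed starting point
    while ($used -contains $priority) { $priority += 10 }

    $nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name $RuleName `
            -Description 'SoftEther VPN listener' -Access Allow -Protocol Tcp `
            -Direction Inbound -Priority $priority `
            -SourceAddressPrefix $Source -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange "$VpnPort" |
        Set-AzNetworkSecurityGroup
}

# Review every inbound Allow rule and flag ports other than RDP (3389) and the VPN port.
$expected = @('3389', "$VpnPort")
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
    Sort-Object Priority |
    Select-Object Name, Priority, Protocol,
        @{ n = 'Ports';  e = { $_.DestinationPortRange -join ',' } },
        @{ n = 'Source'; e = { $_.SourceAddressPrefix -join ',' } },
        @{ n = 'Unexpected'
           e = { [bool]($_.DestinationPortRange | Where-Object { $_ -notin $expected }) } } |
    Format-Table -AutoSize

# Run from a client machine: confirms the listener answers on the public address.
$probe = Test-NetConnection -ComputerName $ServerIp -Port $VpnPort -WarningAction SilentlyContinue
"TCP $VpnPort reachable on ${ServerIp}: $($probe.TcpTestSucceeded)"
```

Any row marked Unexpected is an inbound port that this tutorial did not ask you to open and is worth checking before the server goes into use.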

That is everything you need to do to set up a multi-protocol VPN server using SoftEther on Microsoft Azure with Windows Server. You can test your VPN connection by establishing a session to your server's public IP address on the specified port number with the SoftEther Client application.