I’m experimenting with SoftEther as the user experience/interface is a lot more polished than WireGuard and OpenVPN and it has wide platform coverages. The Windows administration interfaces are sensibly designed (organized conceptually), unlike the Linux software culture that basically pretend to have a user interface yet it’s just a step away from editing the raw config file. SoftEther’s documentation also has nice graphical illustrations and it’s use cases oriented. The best part of the docs is that they are short and to the point.
Here I have a use case that’s not as quite as common for SoftEther’s users, so I might as well do a quick write up so if I run into this again in the future, I don’t have to do the research again.
Use case: router doubling as VPN server
I made a diagram based on my current understanding of how ethernet router works, and what needs to be done to have the router dual as SoftEther VPN server.
No guarantee that it’s the correct model and the lingo, and I’d appreciate comments to help me improve as I’m still learning (I was in algorithms and non-networking software development, more on the DSP side + light embedded systems, so this area is new to me).
- The part shaded in blue is the new part we are building.
- Installing SoftEther from Entware is just the square block.
- You need to
modprobe tun
to let the SoftEther Server Admin software create the TAP port (made up Ethernet card). - At the same time the TAP port is created, say
tap0
, what SoftEther ‘bridges‘ is NOT the LAN, but the orange link in the diagram that goes to the virtual hub (which belongs to a VPN server instance). This lingo confusion wasted me days. - The ‘bridge’ on SoftEther’s side tells the incoming VPN connection which ‘Ethernet card’ (turns out to the the TAP interface) on the host computer should act on its behalf.
- I felt like something is odd that SoftEther did not ask me what local network should the TAP interface go into so I suspect the TAP is just sitting there not talking to anybody, and it turned out to be the reason why my incoming VPN connection succeed but I’m not getting DHCP assignments.
- I bit the bullet and understand how a Linux router work as if it were a computer with 5 Ethernet cards and one important piece of the puzzle is that the 4 LAN ports aren’t directly talking to the the WAN, but instead they form a bridge (software switch) which the bridge represents them and talk to the processed WAN traffic.
- So the missing link is the double-line on the diagram where I add the TAP interface to the LAN bridge, namely
brctl addif br0 tap_tap0
. Linux adds atap_
prefix to tap interfaces so it’stap_tap0
fortap0
in SoftEther. - One more non-obvious thing here is that you also need to register the
brctl
a few seconds (usingsleep
delay) right after the SoftEther VPN Server service starts and nowhere else. The TAP has to exist before you put it on the LAN bridge and the TAP is programmed correctly to be as short-lived as needed, which is very responsible.
What to watch out for this use case
SoftEther’s interface does support creating a TAP adapter, but it provides scary warnings as this is an unusual settings.
TAP depends on the TUN module being loaded first, but Merlin-WRT’s firmware do not load this out of the box.
Some other websites tells you to install packages ip-full
(for ip
command) and OpenVPN (for the TAP) adapter, but it’s not necessary in some newer releases of Merlin-WRT. It’s all there, just waiting for you to modprobe tun
(load TUN/TAP kernel drivers) before you can create TAP adapters.
If you don’t have the TUN module loaded first, the newly created bridge will show ‘Error’ with no explanation, which is confusing.
I figured out this is the missing part that causes the Error status by learning how TAP interface are created on Linux and speculated the Windows remote server admin interface (Server Manager) calls this under the hood:
ip tuntap add dev {YOUR TAP DEVICE NAME GOES HERE} mode tap
and tried to imitate the call and researched the error messages.
The next hard part is that the TAP adapter created by SoftEther’s is not tied to anything in the router when freshly created by “Local Bridge Setting”! It’s like you just freshly added an extra network card into a computer with the drivers set up, it doesn’t interact with anything on your network before you plug a cable in the right port!
As the last step you will need to SSH into the router to put in brctl addif br0 tap_tap0
.
Obvious preparations
- Prepare USB storage (format it with
amtm
) to host Entware if not already done - install Entware (
amtm
has an installer for it) - install
softethervpn5-server
through Entware (opkg install softethervpn5-server
)
Enable TUN/TAP drivers
By default TUN/TAP kernel module is by default not loaded, so we somehow need to add modprobe tun
to startup scripts.
Out of the box the router is read-only so you cannot get it to remember the startup scripts unless you turn on /jffs
, a small (like 64MB) onboard non-volatile memory to store user data such as startup scripts.
After you turn on /jffs
, you will see tapping points to the startup process provided by executable files located in /jffs/scripts
:
If you haven’t installed anything that has written to services-start
(the earliest point), you can install spdmerlin
(from amtm
), a tool that provides a customized router admin page that creates a dashboard with all admin goodies and it will create services-start
and make it executable if it’s not already there for you to tap in the modprobe tun
line.
If you want to do this yourself, make sure you spell ‘services’ with the plural ‘s’ (the pre-existing ‘service-event’ which the ‘service’ is singular might tempt you to imitate it, which is incorrect) and chmod +x services-start
to make the script executable.
I use nano
to sneak modprobe tun
into /jffs/scripts/services-start
(I also tried init-start
and it works too since modprobe
is very early kernel stuff). Do whatever that’s convenient for you as long as you can sneak modprobe tun
in:
I recommend rebooting right away then run lsmod | grep tun
to make sure the module is indeed loaded. If you can’t spare a reboot (which is like 5 minutes), you can simply run modprobe tun
at the terminal right away and hope the startup script remembers to do it on the next reboot
Use SoftEther Server Manager to remotely configure the softethervpn5-server
installed on the router
The server program on the router did not ask for a password, yet SoftEther asks for it. This UI design is actually a little confusing. Turns out you enter an empty password on the first access/run and the user interface will ask you to create a proper password (just like some routers’ admin pages do).
The first time you set it up, you will be greeted by a Wizard which I cannot find again. This wizard is equivalent to ‘Create a Virtual Hub’ -> [‘Manage Virtual Hub’ -> Add Users] -> Local Bridge Setting. However, you want to skip the last step (create bridge) in the wizard because the wizard version caters basic users and they don’t offer the option to make a TAP adapter for the bridge.
By exiting the wizard at the bridge creation step, you’ve created the ‘Virtual Hub’ (which SoftEther sees ‘Virtual Hub’ as an instance of VPN server which you can run in parallel. Confusing lingo for beginners, but it might be sensible with the logic of the architecture). Click on the ‘Local Bridge Setting’ to finish the step that was not done by the Wizard
Bridging is a matter of hardware, so it’s universal across all Virtual Hub (or VPN server instances). This is why it’s at the top level outside your VPN server instance (Virtual Hub) configs.
Softether is trying to be helpful but we know what we doing something unusual here (using the router itself as a computer that plugs into the router). Don’t get scared by the warning and just click Yes to continue
If you remember to start the TUN kernel module, the Status should turn from Error to Operating in a split second. If it stays in the Error, go back and check if you have TUN running properly.
Oversimplified view of LAN bridges
From an end-user perspective, a bridge can be thought of in terms of switches despite the order of evolution is the other way round.
You can think of a bridge as a switch where the computer that hosts it gets a free ride on the switch without the extra physical switch NIC port, physical ethernet cable, and physical device/computer NIC port. I called it ‘implied’ in the diagram on top of this post.
Say for example with 1 ethernet adapter computer A connects to the upstream (say Internet and home network managed by a router above) and let’s call it NIC-A. Then we install an extra network card/interface called NIC-B that’s for serving other devices.
By creating a bridge BR0 formed by NIC-A and NIC-B, you created an illusion of NIC-A behaving as two network cards NIC-A and NIC-B with 2 cables connected to the upstream LAN directly despite only 1 card (NIC-A) is physically there. So what NIC-A did in the bridge BR0 is it act as a software switch which it gets a free ride (implied) and the downstream Computer B rides on the switch that’s served by Computer A.
Add the TAP interface to the existing LAN bridge
brctl
is the command line interface for managing bridges
addif
adds an interface to the bridge. Here’s the manual page for the syntax:
In this forum post user miscell reversed the order and typed the interface first, which you’ll get a ioctl error complaining that you’re trying to write to an unwritable file.
However, since we are in a router, these changes won’t stick on reboot so we need to put this somewhere. Turns out it’s a colossal pain in the butt to figure this out because the tap0
adapter is correctly programmed to exist only when the SoftEther VPN server service is running and disappear when the service stops. In other words, the TAP adapters created and managed by SoftEther is ephemeral.
Since the TAP does not exist before the SoftEther VPN Server service (S05vpnserver
) starts and vanished when the service stops, the ONLY place you should attach the bridging operation is within the start)
section of /opt/etc/init.d/S05vpnserver
, right after the core service completely finished starting so the TAP is fully created. I monitored the output of ifconfig
and realize I need a few seconds of delay before adding the TAP interface to the bridge because the TAP bridge has to exist first. Add the highlighted line to the right place
with the chunk repeated here if your LAN bridge is called br0
and the TAP is called tap0
in SoftEther:
sleep 3
brctl addif br0 tap_tap0
I also tested it and it seems like the bridge association is removed when the TAP adapter was cleaned up when the service is stopped, so I didn’t bother to add the brctl delif
in the stop)
section.
/opt
is actually points to your entware folder (I choose not to show the raw path because it contains my usb partition label which you’ll have to substitute your own) so the data is not volatile and it’s living in your USB entware storage. Basically the SoftEther VPN server registry lives in Entware’s /init.d
as S05vpnserver
.
Double check the naming on your router with say ifconfig
instead of trusting the tap_
prefix which might not be universal across routers. Also check if your router’s LAN bridge is indeed named br0
and replace the interface names accordingly. You can also adapt this to other routers as long as you know where to sneak in the startup scripts
Bonus: Firewall instructions
The firewall rules in MerlinWRT just quit working so the table I entered doesn’t do anything when I turn the firewall on. It doesn’t seem like it’s placing firewall exceptions the way I intended.
There’s also another weird behavior that if the port is firewall blocked, the server admin program intermittently still connect but it connects to a blank state server (blank config). WTF!
You won’t run into these problems if the firewall is turned off, but if you want to keep the firewall on, here’s the SoftEther VPN Server Firewall instructions.
Suggestion to SoftEther: Add a LAN bridging UI to the TAP option
Since this is an unusual concept, I copied the diagram from 3.6 Local Bridges – SoftEther VPN Project and overlay it to illustrated the ‘Local (VPN) Bridge’ has nothing to do with your LAN bridge which is necessary for the TAP adapter to do anything useful.
Right now there’s too little help on this topic which SoftEther considers it as advanced. Turns out putting SoftEther on a router isn’t too uncommon of a thing to ask for once people find out that it’s not impossible.
It’d save us who want to put SoftEther on a Linux router a lot of grief if SoftEther has an extra UI section in the dialog with a pulldown menu that states what bridge it can optionally join:
This is better done inside SoftEther instead of outside it because the users do not have to anticipate the names of the TAP adapters administrators create in the UI. Don’t worry about this extra option of adding it to a LAN bridge could confuse new users, as the lack of such option is way more confusing because there’s a TAP adapter created just to not connect to anything and it shoves new users to a dead end!
In the worst case you can throw a dialog box when users choose a non-blank item from the bridge list saying that this is for advanced users and make sure you know what you are doing (it’d be helpful to remind this could be used for installing SoftEther server on a Linux router).
Extras (feel free to skip it): First-time Wizard
Under no circumstance you should pick one of the LAN ports like /eth0
to bridge. This made no sense (btw /eth0
is usually the WAN interface) and I tried it just out of curiosity and it bricked the router by boot loop (luckily there’s self-recovery to fresh state after a few crashes).
The wizard isn’t that useful as soon as you notice the so called ‘VPN server (instance)’ is called ‘Virtual Hub’ and the buttons on the screen make intuitive sense that requires little explanation.