Quirks of SoftEther VPN Server that came with DD-WRT

DD-WRT came with SoftEther VPN and it looked pretty scary because it shows no user interface and a box for you to enter a config file!

Turns out SoftEther VPN’s Remote Admin interface is basically a tool that takes all user settings, generate a config file and upload it to the server behind the scenes!

However out of the box the DD-WRT did not specify which config file to tie to (or open with by default) so the config received from the Server Manager only stays in memory and is not written anywhere! WTF!

So every time I reboot, the settings are totally lost and I have to re-enter it from scratch. Linux mentality again! People did the hardest fun work showing off how smart they are yet their software doesn’t gain the mainstream adoption because nobody ties up the loose ends so the 95% excellent work got sabotaged by the 5% loose ends that are not tied!

Here’s the tutorial on how to fix this nonsense: DD-WRT :: View topic – SoftEther Working after reboots *Special Way with JFFS2* but it the path was stale, so I’m writing this tutorial to explain the reasoning behind it instead of just parroting the cookbook instructions.

Concepts to know

vpn_server.config is the core file the defines the server.

SoftEther VPN Server Manager (The remote admin program) is basically a tool to generate the config text string from the UI and pass it to the server’s memory (not file yet until the server stops and flushes its config state out)

Config file’s file access/update mechanism

SoftEther’s explicitly stated that their config file (vpn_server.config) handling mechanism does not flush the current state in use to the file until the server stops. So it has the following behavioral implications:

  • Changes made by the admin program is reflected immediately despite no file is updated
  • If you change the config file while the server is running, the changes will be lost/overwritten as the server flushes the data on RAM to disk
  • If you abruptly power off the server, the changes made while the server is running (through the remote admin program) is lost as it doesn’t have a chance to flush the updated state out.
  • If you read the config file while the server is running, you are not getting the changes that are currently done through the Manager (Remote Admin) program.
  • In summary the config file is stale while the server is running.
  • When loading the config file to the server by any means (command or GUI), the server parses the entire file and immediately scan and act on the new state defined by the config file (eager execution), not waiting for the next turn the specific state is accessed (lazy execution).

Why this nonsensical starting from blank slate on boot crap!?

Note that the above describes a WRITE-ONLY mechanism. It says nothing about READs. I suspect what causes the dd-wrt developer to overlook the obvious is that the program by default (without the config filename passed as an argument) do not read from the default config file it writes to!

So unless intervened by specifying a config file location that will be read on launch then flushed out (write) to on server stopping, the server always starts in a blank state (because there’s no config file to read and SoftEther do not define a default location), yet the server always write out to the default file on close.

This is why every time you reboot the router, it’s going to read from nothing (starting the server in a blank slate) and writes to a config file (on proper shutdown) that the server is never going to read on the next launch! WTF!

This is a very odd design choice. SoftEther VPN is a hell lot more polished than most linux mess I’ve seen, but this loose end requires the developer downstream to put proper wrappers/indirections to make it intuitively work out of the box, but apparently this odd user trap just slips right through.

Default location of the config file

SoftEther by default reads and writes the vpn_server.config file which controls everything in a JFFS folder. So you are better off identifying it by doing a path search:

find /jffs -name vpn_server.config

So for my case the core file path is


DD-WRT’s text entry box for config string

The text box in DD-WRT’s UI for SoftEther VPN is hardwired to /tmp/vpn_server.config, which is freaking used by nowhere unless the user points to it. WTF?! This is very unpolished and wastes people a lot more time than it saves. At least drop people a hint with a text note saying this is not done yet and the rail connects to nowhere!

Messy solution

  1. The server always start blank on boot/reboot. No ifs-and-buts
  2. Use a one-liner command to load the config file into the the VPN server’s volatile config memory on start.
  3. Give the text edit box on DD-WRT productive life by symbolic linking

This is the dd-wrt startup command/script given in the forum (the path is stale) so I’ll update it below and deconstruct what it does

Step 1: Load the config file into the running server’s memory on start

vpncmd is a prompt based command line user interface like diskpart, but there’s a shortcut to log into the server and execute a command like ConfigSet in one line instead of starting vpncmd first then type the syntax, which is the /CMD switch:

vpncmd localhost:5555 /SERVER /PASSWORD: /CMD ConfigSet //jffs//var//softethervpn//vpn_server.config

Note that the program uses ‘//’ for the path names to prevent the ‘/’ symbol from being misinterpreted as a command switch.

The path I have is the default path mentioned above. Technically you can load any config file anywhere, but if you want to read the config file SoftEther VPN server flushes out (the most updated state after your changes through the Remote Admin interface), stick with loading the default path. This is likely what most people wanted.

/SERVER merely means the remote admin interface is going to administer a SoftEther VPN Server/Bridge, not Client, or VPN tools mode. Yes, you can puppeteer the Client setup managing connections from elsewhere with the all-in-one vpncmd tool, so the distinction is necessary.

/PASSWORD: should be left empty as the SoftEther VPN server ALWAYS start in a blank state (with a blank password) until you explicitly tells the server program to load a config file into its memory. The server starts blank is the reason we had to go through this drivel in the first place. If you had a set password, you already had a config file loaded.

Step 2 (Optional): Activate the text edit box at the DD-WRT interface

Just use a symbolic link to point the hard-wired /tmp/vpn_server.config to where your default config file path is. This is a mere convenience for you to view what just loaded because when the server is running, this file is guaranteed stale. If you want to read the updated copy or make changes, you have to Disable the SoftEther VPN server using the radio button, wait a few second and refresh so

ln -s /jffs/var/softethervpn/vpn_server.config /tmp/vpn_server.config

Remember to delete /tmp/vpn_server.config first before creating the symbolic link because the node you want it to redirect should not be occupied by an existing file. Obviously back up the content if you want to use it elsewhere.

Step 1 + Step 2 on DD-WRT’s interface

vpncmd localhost:5555 /SERVER /PASSWORD: /CMD ConfigSet //jffs//var//softethervpn//vpn_server.config
ln -s /jffs/var/softethervpn/vpn_server.config /tmp/vpn_server.config

Step 3: Add the TAP adapter to the LAN Bridge

This part is described in my other article for a different router firmware platform (Merlin WRT), but the same idea translates here: you need a TAP adapter to put SoftEther VPN Server on a Router, despite SoftEther UI has the option to create the TAP adapter, it doesn’t have the feature to add that newly created TAP adapter to the LAN bridge and therefore renders the feature useless out of the box the way it came with DD-WRT!

The good part about DD-WRT is that the tun kernel module is already loaded so SoftEther VPN server can freely make the TAP adapter (for Merlin you need to modprobe tun first).

Since the TAP adapter only appears when SoftEther’s VPN is running WITH with config file that defines the TAP adapter, you have to make sure the command to add the TAP to the LAN bridge happens a little right after the TAP is created by SoftEther VPN server, namely when the server just started the config file you know that contains the TAP adapter (and you know the said TAP adapter’s name).

If you call your TAP adapter tap0 in SoftEther’s config, it’s called tap_tap0 in Linux when it exist. Most often the LAN bridge is called br0, so if you have these common default names, the command to add the TAP interface to the LAN bridge is

brctl addif br0 tap_tap0

Of course replace the names accordingly. You can check the names by ifconfig or ip link show, or use whichever tool you know that lists all network device and adapters.

Since I noticed that DD-WRT and the VPN service /opt/etc/init.d files merely enable/disable the incoming connections and the admin service remain on (which means the config is not flushed out to the file) despite I ‘stopped’ the service. I agree with the original author that startup script is the right place to put the command to load the configuration (and therefore “add TAP interface to bridge” should immediately follow it after it finishes creating the TAP adapter).

As with what I learned from doing the same on Merlin WRT, add a few seconds (I used 3 seconds) of delay right after the config defining the TAP adapter is loaded so the OS got enough time to finish creating it before you try to add that TAP adapter to the bridge or else it’d fail silently.

Do it all in one page:

vpncmd localhost:5555 /SERVER /PASSWORD: /CMD ConfigSet //jffs//var//softethervpn//vpn_server.config
ln -s /jffs/var/softethervpn/vpn_server.config /tmp/vpn_server.config
sleep 3
brctl addif br0 tap_tap0


Notify of
Inline Feedbacks
View all comments