Blog / Articles / SoftEther VPN: VPS Installation Guide Using Docker

SoftEther VPN: VPS Installation Guide Using Docker

SoftEther VPN: VPS Installation Guide Using Docker

In today's digital age, keeping our online activities safe and private is super important. That's where VPNs, or Virtual Private Networks, come to the rescue! But here's the thing – not all VPNs are created equal. Some brilliant minds spotted these differences and thought, "Why not make a better one?" Say hello to SoftEther VPN.

Born from the innovative minds at Japan's University of Tsukuba, SoftEther was designed to go beyond the usual VPN limitations. Instead of just one method, it gives users a variety of options to pick what's best for them. Plus, since it's open-source, anyone can jump in and help make it better!

So, ready to learn more about this awesome VPN and how to set it up on your Virtual Private Server (VPS)? Let's get started! In this article, we'll explore what makes SoftEther special, see how it stands against other VPNs, and guide you on setting it up on a Virtual Private Server (VPS). Let's dive in.

Why SoftEther VPN?

In today's crowded VPN landscape, SoftEther VPN carves out a unique niche for itself. Here's a closer look at the distinguishing factors that make SoftEther a preferred choice for many:

Versatility: Unlike many VPNs that are limited to one or two protocols, SoftEther stands out by supporting a wide array, including SSL-VPN, L2TP, and OpenVPN, to name a few. This adaptability ensures that users can select the best protocol for their specific use case.

  • High-Speed Performance: In an era where speed is paramount, SoftEther doesn't disappoint. It's fine-tuned to ensure swift data throughput and minimal latency, offering a seamless browsing experience.

  • Open Source Nature: One of SoftEther's most commendable attributes is its open-source foundation. This not only ensures transparency but also invites a global community of developers to contribute, refine, and enhance its features, making it a tool truly built for the community, by the community.

  • Strong Security Features: The digital age comes with its fair share of threats. SoftEther rises to the challenge with its advanced encryption and authentication methods, safeguarding user data from potential breaches.

  • Cross-Platform Compatibility: SoftEther isn't just restricted to one platform. Whether you're on Windows, Linux, macOS, or even a mobile device, SoftEther has got you covered, offering broad support across various operating systems.

  • Unique Features: Beyond the standard VPN functionalities, SoftEther boasts features like NAT traversal, IPv6 support, and local bridge capabilities, further enhancing its versatility and applicability in diverse networking scenarios.

When evaluating VPN options, it's essential to understand the comparative strengths and weaknesses of different VPN protocols. Below, we have compiled a detailed comparison table, evaluating SoftEther alongside other popular VPN implementations such as OpenVPN, WireGuard, Shadowsocks, and IKEv2. The evaluation criteria include aspects like speed, security, ease of use, obfuscation, and customization.

Use-Cases SoftEther OpenVPN WireGuard Shadowsocks IKEv2
Speed ±
Ease of Use ± ±
Obfuscation ± ± ±
Customization ±

In simple terms, SoftEther VPN isn't just another VPN option out there. What really sets it apart are its top features like obfuscation and the ability to work with different protocols. These qualities make it a top pick for anyone looking to improve their online privacy and security. It's more than just a name — it's a powerful tool with standout features.

SoftEther VPN Installation on a VPS using Docker


  • VPS Selection: Choose a VPS provider located in a country that respects online privacy. Countries like Switzerland and Iceland are often considered safe havens for data privacy due to their stringent data protection laws and policies. Ensure you conduct some research on your chosen provider and the country's stance on online privacy before making a final decision.

  • Minimal Requirements: While SoftEther VPN can run on a variety of hardware configurations, for optimal performance, a VPS with at least 1GB of RAM and 20GB of storage is recommended. It's always good to check with your VPS provider to understand the specifics.

  • Operating System: For the purpose of this guide, we'll be using the latest version of Ubuntu. Make sure your VPS has Ubuntu installed, or follow the provider's documentation to set up Ubuntu on your VPS.

  • Docker: Docker is a platform used to develop, ship, and run applications inside containers. Using Docker for this guide allows us to streamline the SoftEther VPN installation process, ensure consistency across different setups, and encapsulate the VPN service in an isolated environment, boosting both security and reliability. If Docker is not yet installed on your Ubuntu VPS, don't worry – we'll guide you through the installation steps.

Step 1: Install Docker on Ubuntu

If you haven't installed Docker yet, follow the simple steps below.

Update your system packages:

sudo apt update

Install Docker:

sudo apt install

Start and enable Docker:

sudo systemctl start docker 
sudo systemctl enable docker

Verify Docker is installed:

docker --version

Step 2: Pull the SoftEther VPN Docker Image

Run the following command to pull the SoftEther VPN image designed for Ubuntu:

docker pull siomiz/softethervpn:ubuntu

This image contains the SoftEther VPN server configured with:

  • L2TP/IPSec PSK and OpenVPN protocols.
  • SecureNAT enabled:  Secure Network Address Translation (SecureNAT) allows the VPN server to function as a NAT router for connected VPN clients.
  • Perfect Forward Secrecy (DHE-RSA-AES256-SHA): PFS ensures that even if a malicious actor were to obtain the private key of the server, they would not be able to decrypt past communications. This is achieved by generating a new key for each session.

Step 3: Run the SoftEther VPN Docker Container

The command below will initiate a SoftEther VPN server container. It will accept connections from both L2TP/IPSec and OpenVPN clients (copy and run this command as a whole):

docker run -d \
--restart=always \
--cap-add NET_ADMIN \
-p 500:500/udp \
-p 4500:4500/udp \
-p 1701:1701/tcp \
-p 1194:1194/udp \
-p 5555:5555/tcp \


  • -d: This runs the container in detached mode, meaning it will run in the background.
  • --restart=always: When container restart policy is set to 'always', Docker will restart the container whenever your Ubuntu system boots.
  • --cap-add NET_ADMIN: This grants the container additional networking privileges.
  • The `-p` flags map a number of ports on the host to the container. These ports correspond to various VPN protocols and need to be accessible for SoftEther to function properly.

By default, if you don't specify any user credentials, the container will generate a random username and password. To retrieve the generated username and password for your SoftEther VPN server, you'll need to access the logs of the Docker container. Here's how:

1. Find the Container ID or Name: 

First, identify the ID or name of your running SoftEther VPN server container. You can do this with the following command:

docker ps

This command will list all the running containers along with their IDs, names, and other details.

2. Access the Logs:

Once you have identified the ID or name of your SoftEther VPN container, you can retrieve its logs using the following command:

docker logs [CONTAINER_ID_OR_NAME]

Replace [CONTAINER_ID_OR_NAME] with the actual ID or name of your container. For example, if your container ID is 'abcdef123456', the command would be:

docker logs abcdef123456

3. Retrieve the Username and Password:

After executing the logs command for the Docker container, you'll be presented with an output that includes the randomly generated username and password for your SoftEther VPN server. Specifically, you should look for the following format in the logs:

# ========================
# userXXXX
# ========================

Here, `userXXXX` represents the auto-generated username, and the sequence `YYYYY.YYYYY.YYYYY.YYYYY.YYYYY` is the corresponding password. It's crucial to record these details for future reference.

Additionally, within the same logs, you'll find the VPN configuration details that are necessary for setting up a VPN client. To save these configurations:

  1. Open a new text file on your computer and name it `config.ovpn`.
  2. Scroll through the Docker logs output, and copy the content starting from the generated password up to the line that reads: ​
    # [initial setup OK]
  3. Paste the copied content into the `config.ovpn` file you created.

With the saved `config.ovpn` and the generated username and password, you're all set to connect to your SoftEther VPN server using any compatible OpenVPN client. Remember to keep your credentials confidential and avoid sharing them carelessly.

Step 4: Customize credentials and prepare for L2TP/IPSec connections (Optional)

Before beginning with the customization process, understand that while OpenVPN is operational on the server using the default or prior configurations, L2TP/IPSec offers an alternative method of connection. Setting up L2TP/IPSec requires some extra steps. If you've previously launched the SoftEther VPN server using the `docker run` command, you'll need to stop and remove that container to prevent any potential conflicts:

  1. Find the container ID:
    docker ps
  2. Halt the container using its ID (put your own container's ID instead of 'CONTAINER_ID_OR_NAME'):
    docker stop CONTAINER_ID_OR_NAME
  3. Delete the container using its ID (put your own container's ID instead of 'CONTAINER_ID_OR_NAME'):
    docker rm CONTAINER_ID_OR_NAME

After handling previous containers, follow the below instructions:

Setting up L2TP/IPSec Connections (PSK):

L2TP over IPSec mandates a Pre-Shared Key (PSK) to solidify a secure connection. This key serves as a confidential passphrase exchanged between the server and the client.

-e PSK - by adding this string to the 'docker run' command, you set the Pre-Shared Key necessary for L2TP/IPSec connections. The default is "notasecret" if not designated. When connecting via L2TP/IPSec from your client device, this PSK, alongside your username and password, will be required. After setting this up, you can connect to the L2TP server using built-in VPN clients like the one provided in Windows.

Defining User Credentials (USERS):

-e USERS - This string facilitates the definition of multiple usernames and passwords. As an example, `user1:pass1;user2:pass2;user3:pass3` constitutes three separate users.

Setting Management Passwords (SPW & HPW):

-e SPW - This string determines the SoftEther VPN server's management password.

-e HPW - This string sets the management password for the "DEFAULT" hub.

To manage the server after setup, you can use the VPN Server Manager software provided by SoftEther. It allows for robust administration and management of your VPN server. Ensure to use the `SPW` and `HPW` credentials when accessing and making configurations using this software.

To kick-start the SoftEther VPN server with the management passwords, pre-set PSK, user credentials, and to ensure its auto-restart after any server reboots, utilize the following command (ensure to copy and paste it entirely):

docker run -d --cap-add NET_ADMIN \
-p 500:500/udp \
-p 4500:4500/udp \
-p 1701:1701/tcp \
-p 1194:1194/udp \
-p 5555:5555/tcp \
-e PSK=mysecretpsk \
-e USERS=myuser:mypass \
-e SPW=your_server_password \
-e HPW=your_hub_password \
--restart=always \

NOTE: Make sure to use your own usernames and strong passwords instead of 'mysecretpsk' and 'myuser:mypass'.

If done properly, your L2TP server is up and properly configured, you can now connect to the L2TP server using the built-in VPN client in Windows:

  1. Open Settings:

    • Click on the Windows Start button and select "Settings" (the gear icon).
  2. Navigate to VPN Settings:

    • Choose "Network & Internet".
    • On the left sidebar, select "VPN".
  3. Add a VPN Connection:

    • Click on "Add a VPN connection".
  4. Fill in the Details:

    • For "VPN provider", choose "Windows (built-in)".
    • In "Connection name", enter a name for this connection (e.g., "My L2TP Server").
    • For "Server name or address", enter your VPS server's IP address.
    • Set "VPN type" to "L2TP/IPsec with pre-shared key".
    • In the "Pre-shared key" field, input the PSK you set up earlier (e.g., mysecretpsk).
    • Under "Type of sign-in info", choose "Username and password".
    • Enter the username and password you specified earlier in the corresponding fields.
  5. Connect:

    • Once you've added the VPN connection, go back to the VPN settings page.
    • Select the VPN connection you just created and click "Connect".
  6. Verify:

    • Once connected, you should see a status indicating that you're connected to the VPN.

To connect to your SoftEther VPN server using OpenVPN protocol, retrieve your configuration using 'docker logs' command as described in Step 3. If you want to manage your server using the VPN Server Manager: open the manager program, enter your server's IP address with any open port (e.g. 5555) and your SPW password and then hit the 'Connect' button.

Step 5: Disable Logging (Optional)

By default, SoftEther logs a lot of data. If you wish to prevent this (for privacy or disk space reasons), you can redirect the logs to `/dev/null`. Here's how.

 Stop and remove the running container to prevent any potential conflicts:

  1. Find the container ID:
    docker ps
  2. Halt the container using its ID (put your own container's ID instead of 'CONTAINER_ID_OR_NAME'):
    docker stop CONTAINER_ID_OR_NAME
  3. Delete the container using its ID (put your own container's ID instead of 'CONTAINER_ID_OR_NAME'):
    docker rm CONTAINER_ID_OR_NAME

After handling previous containers, run the command below (as always, ensure to replace password and username placeholders with your actual values):

docker run -d --cap-add NET_ADMIN \
-p 500:500/udp \
-p 4500:4500/udp \
-p 1701:1701/tcp \
-p 1194:1194/udp \
-p 5555:5555/tcp \
-e PSK=mysecretpsk \
-e USERS=myuser:mypass \
-e SPW=your_server_password \
-e HPW=your_hub_password \
--restart=always \
-v /dev/null:/usr/vpnserver/server_log \
-v /dev/null:/usr/vpnserver/packet_log \
-v /dev/null:/usr/vpnserver/security_log \

The -v flag in the docker run command is used to bind mount a volume, which essentially means mapping a file or directory on the host system to a file or directory in the container.  In this case '-v /dev/null:/some/path/in/container' means that the file or directory '/some/path/in/container' inside the container is being mapped to '/dev/null' on the host system. In Unix-like systems, '/dev/null' is a special file that discards all data written to it and provides no data when read from. In other words, anything written to this file is effectively "thrown away" and ignored.

All Set!

Congratulations on your accomplishment! By meticulously following the steps in this guide, you've successfully set up and configured a robust SoftEther VPN server on your Ubuntu VPS using Docker. This not only showcases your technical prowess but also emphasizes the importance you place on secure and private digital communication.

As you journey forward, it's crucial to remember that the digital landscape is ever-evolving. Thus, the onus lies on you to ensure the continued security and privacy of your server. Regularly monitoring for updates is essential, as they often contain important patches and enhancements. Additionally, always stay informed about any security advisories or potential vulnerabilities related to the software you're using. By doing so, you'll ensure that your server remains a bastion of security in an ever-changing digital world. Best of luck with your continued endeavors!

⏴ Back to Blog

Article Summary

How do I set up a SoftEther VPN server on Ubuntu using Docker?

To set up a SoftEther VPN server on Ubuntu via Docker, you initiate the server container with specific port and protocol mappings. You can further customize the setup using environment variables for credentials, PSK, and management passwords.

What is the default Pre-Shared Key (PSK) for L2TP/IPSec on SoftEther Docker container?

The default PSK for L2TP/IPSec on the SoftEther Docker container is "notasecret". However, for enhanced security, it's recommended to set your own unique PSK.

How can I disable logging in SoftEther VPN server on Docker?

To disable logging, you can redirect SoftEther logs to /dev/null by using volume flags like -v /dev/null:/usr/vpnserver/server_log during your Docker run command.

How do I make my SoftEther VPN server configuration persistent across reboots?

To make the configuration persistent, utilize the --restart=always flag when running the Docker container. Additionally, you can mount a pre-configured SoftEther VPN config file to ensure settings remain intact.

Can I use the built-in VPN client in Windows to connect to a SoftEther L2TP server?

Yes, after setting up the SoftEther L2TP server with a PSK, you can utilize built-in VPN clients, including the one provided in Windows, for a secure connection.

What ports do I need to map for a SoftEther VPN server on Docker?

For SoftEther to function properly, map ports for various VPN protocols like 500/udp, 4500/udp, 1701/tcp, 1194/udp, and 5555/tcp.

How can I specify my own credentials for SoftEther on Docker?

Use environment variables like -e USERS=username:password to define your desired credentials during the Docker run command.

How do I access the randomly generated credentials from SoftEther VPN server on Docker?

You can retrieve the auto-generated credentials by accessing the Docker logs using the 'docker logs CONTAINER_ID_OR_NAME' command.

What's the significance of the '--cap-add NET_ADMIN' flag when running SoftEther on Docker?

The --cap-add NET_ADMIN flag grants the Docker container additional networking privileges, which are essential for the VPN functionalities.

How do I retrieve the ovpn config from my Docker container logs for SoftEther VPN server?

Access the Docker logs and look for the relevant configuration details, then copy them into a config.ovpn file on your local machine.

How do I set the server and hub management passwords for SoftEther VPN server on Docker?

Utilize the environment variables '-e SPW=your_server_password' and -'e HPW=your_hub_password' respectively during your Docker run command.

Is there a risk of exposing credentials when specifying them as environment variables in Docker?

Yes, if you specify credentials using environment variables, they might be exposed via the process list on the host or docker inspect. It's more secure to mount a pre-configured SoftEther VPN config file containing hashed passwords.

Can I use both L2TP/IPSec and OpenVPN with SoftEther on Docker?

Yes, the SoftEther VPN server container can accept connections from both L2TP/IPSec and OpenVPN clients when configured properly.

Why should I redirect SoftEther logs to /dev/null?

Redirecting logs to /dev/null effectively discards them, which can be useful if you want to prevent logging for privacy reasons or to save disk space.

How do I manage the SoftEther VPN server after setting it up on Docker?

Once configured, you can manage the SoftEther VPN server using the management tools provided by SoftEther. Ensure to use the appropriate management passwords you've set or the default ones if you haven't specified any.