Protocol: PPTP/L2TP/IPSec/OpenVPN/SSTP/SoftEther


Different types of VPN Protocol Explained.

Below are the different types of protocol that most VPN services offer in their packages.
Most only support PPTP/OpenVPN, but recently a lot of services have added IPSec/SoftEther.

We describe what these different protocols do and why they are used.
This is not opinion; it is drawn from information found freely on the internet for all to learn from.

PPTP:

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.

The PPTP specification does not describe encryption or authentication features and relies on the Point-to-Point Protocol being tunneled to implement security functionality. However, the most common PPTP implementation shipping with the Microsoft Windows product families implements various levels of authentication and encryption natively as standard features of the Windows PPTP stack. The intended use of this protocol is to provide security levels and remote access levels comparable with typical VPN products.

A specification for PPTP was published in July 1999 as RFC 2637 and was developed by a vendor consortium formed by Microsoft, Ascend Communications (today part of Alcatel-Lucent), 3Com, and others. PPTP has not been proposed nor ratified as a standard by the Internet Engineering Task Force.

A PPTP tunnel is instantiated by communicating with the peer on TCP port 1723. This TCP control connection is then used to initiate and manage a second, GRE-based tunnel to the same peer. Because the data path is IP protocol 47 rather than TCP or UDP, PPTP needs a GRE-aware NAT (a PPTP ALG) to traverse NAT, and a firewall that passes only TCP and UDP will silently break the data channel while the control connection still appears to work.

The PPTP GRE packet format is non standard, including an additional acknowledgement field replacing the typical routing field in the GRE header. However, as in a normal GRE connection, those modified GRE packets are directly encapsulated into IP packets, and seen as IP protocol number 47.

The GRE tunnel is used to carry encapsulated PPP packets, allowing the tunnelling of any protocol that can be carried within PPP, including IP, NetBEUI and IPX.

In the Microsoft implementation, the tunneled PPP traffic can be authenticated with PAP, CHAP, MS-CHAP v1/v2 or EAP.
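
The control/data split described above can be checked on the wire. The following parser is an added example and not code from this page: it builds and parses PPTP's modified GRE header (RFC 2637 section 4.1) inside IPv4 protocol 47 and reports whether the PPP payload is MPPE-encrypted (PPP protocol 0x00FD) or cleartext IP (PPP protocol 0x0021), which is what you would see if encryption had been negotiated off. The sample packets are constructed in the script with a made-up call ID of 7 and private addresses.

```python
"""Parse PPTP's modified GRE (RFC 2637 section 4.1) carried in IPv4 protocol 47.

Added example, not code from the original page. Sample packets are constructed
below; the PPP protocol numbers (0x0021 = IPv4, 0x00FD = MPPE-encrypted datagram,
0xC223 = CHAP) are the standard PPP assignments.
"""
import struct

IP_PROTO_GRE = 47
GRE_PROTO_PPP = 0x880B       # protocol type PPTP puts in its GRE header
PPP_MPPE = 0x00FD            # MPPE: payload is encrypted
PPP_IPV4 = 0x0021            # plaintext IP: the tunnel carries cleartext


def build_pptp_gre(call_id, payload=b"", seq=None, ack=None):
    """Build a PPTP GRE header: K always set, S if seq given, A if ack given, Ver=1."""
    b0 = 0x20 | (0x10 if seq is not None else 0)          # C=0 R=0 K=1 S=?
    b1 = 0x01 | (0x80 if ack is not None else 0)          # A=? Flags=0 Ver=1
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(buf):
    """Return a dict for a PPTP GRE packet, or None if buf is not PPTP's enhanced GRE."""
    if len(buf) < 8:
        return None
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", buf[:8])
    has_key, has_seq, has_ack, ver = b0 & 0x20, b0 & 0x10, b1 & 0x80, b1 & 0x07
    if proto != GRE_PROTO_PPP or ver != 1 or not has_key:
        return None
    off, seq, ack = 8, None, None
    if has_seq:                               # sequence number precedes the ack field
        seq = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if has_ack:
        ack = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    payload = buf[off:off + payload_len]
    if len(payload) != payload_len:
        return None                           # truncated packet
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def ppp_protocol(ppp):
    """PPP protocol number, allowing for the optional FF 03 address/control bytes and
    RFC 1661 protocol-field compression (an odd first byte is a one-byte protocol)."""
    if ppp[:2] == b"\xff\x03":
        ppp = ppp[2:]
    if not ppp:
        return None
    if ppp[0] & 1:
        return ppp[0]
    return struct.unpack("!H", ppp[:2])[0] if len(ppp) >= 2 else None


def build_ipv4(payload, proto=IP_PROTO_GRE, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload


def classify_ipv4_packet(pkt):
    """'pptp-encrypted', 'pptp-cleartext', 'pptp-control', 'pptp-ack', or None if not PPTP GRE."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IP_PROTO_GRE:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    gre = parse_pptp_gre(pkt[ihl:])
    if gre is None:
        return None
    if gre["seq"] is None:                    # no S bit: acknowledgement-only packet
        return "pptp-ack"
    proto = ppp_protocol(gre["payload"])
    if proto == PPP_MPPE:
        return "pptp-encrypted"
    if proto == PPP_IPV4:
        return "pptp-cleartext"
    return "pptp-control"                     # LCP, CHAP, IPCP etc.


# Constructed sample packets on call ID 7.
SAMPLE_CHAP = build_ipv4(build_pptp_gre(7, b"\xff\x03\xc2\x23\x01\x01\x00\x04", seq=1))
SAMPLE_MPPE = build_ipv4(build_pptp_gre(7, b"\x00\xfd\x90\x01" + b"\xaa" * 20, seq=2, ack=1))
SAMPLE_CLEAR = build_ipv4(build_pptp_gre(7, b"\x00\x21\x45" + b"\x00" * 19, seq=3))
SAMPLE_ACK = build_ipv4(build_pptp_gre(7, ack=3))

if __name__ == "__main__":
    for name, pkt in [("chap", SAMPLE_CHAP), ("mppe", SAMPLE_MPPE), ("clear", SAMPLE_CLEAR), ("ack", SAMPLE_ACK)]:
        print(name, classify_ipv4_packet(pkt))
```

Seeing `pptp-cleartext` on a production link means MPPE was never negotiated (or was stripped by a downgrade), so the "encryption" column of the feature list below does not apply at all.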

Implementations

PPTP was the first VPN protocol that was supported by Microsoft Dial-up Networking. All releases of Microsoft Windows since Windows 95 OSR2 are bundled with a PPTP client, although they are limited to only 2 concurrent outbound connections. Microsoft Windows Mobile 2003 and higher also support the PPTP protocol. The Routing and Remote Access Service for Microsoft Windows contains a PPTP server. The Microsoft implementation uses single DES in the MS-CHAP authentication protocol which many find unsuitable for data protection needs.

Windows Vista and later support the use of PEAP with PPTP. The authentication mechanisms supported are PEAPv0/EAP-MSCHAPv2 (passwords) and PEAP-TLS (smartcards and certificates). Windows Vista removed support for using the MSCHAP-v1 protocol to authenticate remote access connections.

Linux server-side support for PPTP is provided by the PoPToP daemon and kernel modules for PPP and MPPE. Client-side Linux implementations of PPTP appeared in 1997, but the first widely used server-side Linux PPTP implementation was developed by Matthew Ramsay in 1999 and initially distributed under the GNU GPL by Moreton Bay. However, Linux distributions initially lacked full PPTP support because MPPE was believed to be patent encumbered. Full MPPE support was added to the Linux kernel in the 2.6.14 release on October 28, 2005. SuSE Linux 10 was the first Linux distribution to provide a complete working PPTP client. There is also ACCEL-PPP, a PPTP/L2TP/PPPoE server for Linux which supports PPTP in kernel mode.

OpenBSD and FreeBSD both include PoPToP in their ports trees.

OS X and iOS include a built-in PPTP client, and OS X Server includes a PPTP service.
Cisco and Efficient Networks sell PPTP clients for older Mac OS releases.

Palm PDA devices with Wi-Fi are bundled with the Mergic PPTP client.

Many different Mobile phones with Android as the operating system support PPTP as well.

Security

PPTP has been the subject of many security analyses and serious security vulnerabilities have been found in the protocol. The known vulnerabilities relate to the underlying PPP authentication protocols used, the design of the MPPE protocol as well as the integration between MPPE and PPP authentication for session key establishment.

A summary of these vulnerabilities is below:

  • MS-CHAP-v1 is fundamentally insecure. Tools exist to trivially extract the NT password hashes from a captured MS-CHAP-v1 exchange.
  • When using MS-CHAP-v1, MPPE uses the same RC4 session key for encryption in both directions of the communication flow. This can be cryptanalysed with standard methods by XORing the streams from each direction together: the keystream cancels, leaving the XOR of the two plaintexts, so known plaintext in one direction reveals the other.
  • MS-CHAP-v2 is vulnerable to dictionary attack on the captured challenge/response packets. Tools exist to perform this process rapidly.
  • In 2012 it was shown that a brute-force attack on MS-CHAP-v2 is equivalent to a single-DES key search (2^56): the 16-byte NT hash is zero-padded to 21 bytes and split into three 7-byte DES keys, so the third key has only two unknown bytes. An online service was presented that recovers the MD4 (NT) hash of an MS-CHAP-v2 passphrase in about 23 hours, regardless of password complexity.
  • MPPE uses the RC4 stream cipher for encryption. There is no authentication of the ciphertext stream, so it is vulnerable to bit-flipping: an attacker can modify the stream in transit and flip single bits to change the decrypted output without the cipher itself detecting it. Such flips may be noticed by higher-layer protocols through checksums or other means, but a checksum is not a MAC and can be adjusted by an attacker who knows the affected plaintext.

EAP-TLS is seen as the superior authentication choice for PPTP; however, it requires implementation of a public-key infrastructure for both client and server certificates. As such it is not a viable authentication option for many remote access installations.
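
The same-key and bit-flipping weaknesses in the list above can be reproduced in a few lines. This is an added example, not code from this page: RC4 is implemented inline, the session key and the two HTTP-like plaintexts are constructed, and the separate-keys case uses a constructed SHA-1 derivation as a stand-in for the real per-direction MPPE key derivation, which is not reproduced here.

```python
"""Reproduce two MPPE weaknesses with a toy RC4: one key for both directions,
and undetected bit flipping. Added example; keys and plaintexts are constructed."""
import hashlib


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def recover_reverse_plaintext(c_fwd, c_rev, known_fwd):
    """If both directions use one RC4 key, C_fwd ^ C_rev == P_fwd ^ P_rev (the keystream
    cancels), so known plaintext in the forward direction reveals the reverse direction."""
    n = min(len(known_fwd), len(c_fwd), len(c_rev))
    return xor_bytes(xor_bytes(c_fwd[:n], c_rev[:n]), known_fwd[:n])


def flip_bits(ciphertext, offset, mask):
    """Flip bits in one ciphertext byte; with a stream cipher and no MAC the same
    bits flip in the plaintext and nothing in the cipher layer notices."""
    out = bytearray(ciphertext)
    out[offset] ^= mask
    return bytes(out)


def derive_direction_key(master, label):
    """Constructed stand-in for a per-direction key derivation (NOT the RFC 3079 scheme)."""
    return hashlib.sha1(master + label).digest()[:16]


SESSION_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed 128-bit key
P_FWD = b"GET /account?user=alice HTTP/1.1\r\n"                 # attacker-known request
P_REV = b"HTTP/1.1 200 OK\r\nSet-Cookie: sid=4f1d"               # what the attacker wants


def same_key_attack():
    """MS-CHAP-v1 era: one key in both directions; returns the recovered reverse plaintext."""
    c_fwd = rc4(SESSION_KEY, P_FWD)
    c_rev = rc4(SESSION_KEY, P_REV)
    return recover_reverse_plaintext(c_fwd, c_rev, P_FWD)


def separate_keys_attack():
    """Distinct send/receive keys: the same XOR trick yields only noise."""
    c_fwd = rc4(derive_direction_key(SESSION_KEY, b"send"), P_FWD)
    c_rev = rc4(derive_direction_key(SESSION_KEY, b"recv"), P_REV)
    return recover_reverse_plaintext(c_fwd, c_rev, P_FWD)


def bit_flip_attack():
    """Turn 'amount=0100' into 'amount=9100' in transit without knowing the key."""
    plain = b"transfer amount=0100 to=bob"
    ciphertext = rc4(SESSION_KEY, plain)
    tampered = flip_bits(ciphertext, plain.index(b"0100"), ord("0") ^ ord("9"))
    return rc4(SESSION_KEY, tampered)        # what the receiver decrypts


if __name__ == "__main__":
    print(same_key_attack())
    print(separate_keys_attack())
    print(bit_flip_attack())
```

The first function recovers the cookie bytes exactly; the second shows why per-direction keys close that hole; the third shows that per-direction keys do nothing against tampering, which is why a MAC (or an AEAD mode) is needed rather than a stronger cipher.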

PPTP Features:

  • Overall speed is very fast (as fast as your broadband can carry data), because MPPE's RC4 is cheap and there is no TCP-in-TCP overhead.
  • Encryption and secure browsing is the big downfall of this protocol: it is very poor, for the reasons listed under Security above.
  • Stability is medium; the GRE data channel is the usual point of failure behind NAT devices or firewalls that do not pass IP protocol 47.
  • Media streaming works very well with PPTP; hardly any problems will arise.
  • Torrent/P2P, if not blocked by the provider, will again work really well.
  • Compatible with Windows/Mac OS X and most popular devices/phones/tablets/iPads etc.

L2TP/IPSec

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy.

The entire L2TP packet, including payload and L2TP header, is sent within a User Datagram Protocol (UDP) datagram. It is common to carry PPP sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec (discussed below).

The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this, an L2TP session (or ‘call’) is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel. MTU should be considered when implementing L2TP.

The packets exchanged within an L2TP tunnel are categorized as either control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets. Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP tunnel.

L2TP allows the creation of a virtual private dialup network (VPDN) to connect a remote client to its corporate network by using a shared infrastructure, which could be the Internet or a service provider’s network.

Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193. The process of setting up an L2TP/IPsec VPN is as follows:

  1. Negotiation of an IPsec security association (SA), typically through Internet Key Exchange (IKE). This is carried out over UDP port 500 (switching to UDP port 4500 once NAT traversal, NAT-T, has been detected), and commonly uses either a shared password (so-called “pre-shared keys”), public keys, or X.509 certificates on both ends, although other keying methods exist. With a pre-shared key that is handed to every customer, as consumer VPN services commonly do, the key authenticates the service rather than the individual client, and any holder of the key can impersonate the server to another client.
  2. Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP protocol number for ESP is 50 (compare TCP’s 6 and UDP’s 17). At this point, a secure channel has been established, but no tunneling is taking place.
  3. Negotiation and establishment of L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA’s secure channel, within the IPsec encryption. L2TP uses UDP port 1701.

When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints.
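
What steps 1 to 3 look like from outside the tunnel: this added Python example (not from this page) parses the fixed IKE/ISAKMP header, the ESP header, the NAT-T non-ESP marker on UDP 4500 and the L2TP header, and flags two things a practitioner should look for, IKEv1 aggressive mode and L2TP (UDP 1701) visible in the clear, which means the tunnel is running without IPsec at all. The datagrams are constructed, with made-up SPIs and no IKE payloads.

```python
"""Classify the outer packets of an L2TP/IPsec session and flag weak setups.

Added example, not code from the page. Sample datagrams are constructed; header
layouts follow RFC 2408/7296 (IKE), RFC 4303 (ESP), RFC 3948 (NAT-T), RFC 2661 (L2TP).
"""
import struct

IP_PROTO_UDP, IP_PROTO_ESP = 17, 50
IKE_EXCHANGES = {2: "IKEv1 main mode", 4: "IKEv1 aggressive mode", 5: "IKEv1 informational",
                 32: "IKEv1 quick mode", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
                 36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL"}


def parse_ike(data):
    """Fixed 28-byte IKE header: SPIs, next payload, version, exchange type, flags, msg id, length."""
    if len(data) < 28:
        return None
    ispi, rspi, _next, ver, exch, _flags, msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    return {"version": ver >> 4, "exchange": exch, "name": IKE_EXCHANGES.get(exch, "exchange %d" % exch),
            "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(), "message_id": msgid, "length": length}


def parse_esp(data):
    """ESP header: 32-bit SPI and 32-bit sequence number; everything after is opaque."""
    if len(data) < 8:
        return None
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq}


def parse_l2tp(data):
    """L2TP flags/version word: T bit marks a control message, low nibble is the version."""
    if len(data) < 2:
        return None
    flags = struct.unpack("!H", data[:2])[0]
    return {"control": bool(flags & 0x8000), "version": flags & 0x0F}


def _ike(label, data):
    ike = parse_ike(data)
    warn = None
    if ike and ike["exchange"] == 4:
        warn = "IKEv1 aggressive mode: the PSK-derived hash crosses the wire unprotected and can be cracked offline"
    return label, ike, warn


def classify(ip_proto, sport, dport, payload):
    """Return (label, parsed header, warning-or-None) for one outer packet."""
    if ip_proto == IP_PROTO_ESP:
        return "ESP", parse_esp(payload), None
    if ip_proto == IP_PROTO_UDP:
        if 500 in (sport, dport):
            return _ike("IKE", payload)
        if 4500 in (sport, dport):
            if payload[:4] == b"\x00\x00\x00\x00":       # non-ESP marker: IKE after NAT-T
                return _ike("IKE/NAT-T", payload[4:])
            return "ESP/NAT-T", parse_esp(payload), None  # SPI 0 is reserved, so never confused with the marker
        if 1701 in (sport, dport):
            return "L2TP", parse_l2tp(payload), "L2TP on the wire without IPsec: control and PPP data are unencrypted"
    return "other", None, None


def audit(packets):
    """Collect the warnings for a list of (ip_proto, sport, dport, payload) outer packets."""
    warnings = []
    for pkt in packets:
        _label, _info, warn = classify(*pkt)
        if warn:
            warnings.append(warn)
    return warnings


def build_ike(exchange, major=1):
    """Constructed IKE header with dummy SPIs and no payloads."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, major << 4, exchange, 0, 0, 28)


def build_esp(spi, seq):
    return struct.pack("!II", spi, seq) + b"\xaa" * 40       # opaque encrypted body


# Constructed sessions: a healthy one (steps 1-3, plus a NAT-T variant) and a weak one.
GOOD_SESSION = [
    (IP_PROTO_UDP, 500, 500, build_ike(2)),                  # step 1: IKEv1 main mode
    (IP_PROTO_UDP, 500, 500, build_ike(32)),                 # quick mode sets up the ESP SA
    (IP_PROTO_ESP, 0, 0, build_esp(0xC0010001, 1)),          # steps 2-3: L2TP hidden inside ESP
    (IP_PROTO_UDP, 4500, 4500, b"\x00\x00\x00\x00" + build_ike(34, major=2)),
    (IP_PROTO_UDP, 4500, 4500, build_esp(0xC0010002, 1)),
]
BAD_SESSION = [
    (IP_PROTO_UDP, 500, 500, build_ike(4)),                  # aggressive mode
    (IP_PROTO_UDP, 1701, 1701, struct.pack("!H", 0xC802) + b"\x00" * 10),   # bare L2TP control
]

if __name__ == "__main__":
    print(audit(GOOD_SESSION), audit(BAD_SESSION))
```

The IKE parser only reads the fixed header, which is enough for the two checks here; extending it to walk payloads (to see whether PSK or certificate authentication was proposed) is the natural next step.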

A potential point of confusion in L2TP/IPsec is the use of the terms tunnel and secure channel. The term tunnel refers to a channel which allows untouched packets of one network to be transported over another network. In the case of L2TP/PPP, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a connection within which the confidentiality of all data is guaranteed. In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a tunnel.

Windows implementation

Windows Vista provides two new configuration utilities that attempt to make using IPsec without L2TP easier, both described below:

  • an MMC snap-in called “Windows Firewall with Advanced Security” (WFwAS), located in Control Panel → Administrative Tools
  • the “netsh advfirewall” command-line tool

Both configuration utilities have their difficulties, and there is very little documentation about either “netsh advfirewall” or the IPsec client in WFwAS. One of those difficulties is that this mode is not compatible with NAT. Another is that servers must be specified only by IP address in the Vista configuration utilities; the server's hostname cannot be used, so if the IP address of the IPsec server changes, every client has to be updated with the new address (which also rules out servers reached through dynamic DNS services such as DynDNS).

L2TP in ISPs’ networks

L2TP is often used by ISPs when internet service over, for example, ADSL or cable is being resold. From the end user, packets travel over a wholesale network service provider's network to a server called a Broadband Remote Access Server (BRAS), a protocol converter and router combined. On legacy networks the path from the end user's customer premises equipment to the BRAS may be over an ATM network. From there on, over an IP network, an L2TP tunnel runs from the BRAS (acting as LAC) to an LNS, which is an edge router at the boundary of the destination ISP's IP network.

L2TP/IPSec Features:

  • Overall speed is very fast (as fast as your broadband can carry data), although the double encapsulation (L2TP inside ESP inside UDP) adds more per-packet overhead than PPTP.
  • Encryption and secure browsing is very secure, far more so than PPTP, provided a strong pre-shared key or certificates are used.
  • Stability is very good.
  • Media streaming works very well with L2TP/IPSec; hardly any problems will arise.
  • Torrent/P2P, if not blocked by the provider, will again work really well.
  • Compatible with Windows/Mac OS X and most popular devices/phones/tablets/iPads etc.

OpenVPN

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multi-client server configuration, each client is issued its own certificate, signed by a certificate authority that the server trusts. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol (current releases use TLS, and the minimum accepted version can be pinned with the tls-version-min directive), and contains many security and control features.

OpenVPN has been ported and embedded to several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, has an implementation of OpenVPN protocol.

Encryption

OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature (the tls-auth option, referred to as an “HMAC Firewall” by the creator) to add an additional layer of security to the connection: control-channel packets that do not carry a valid HMAC under the shared key are dropped before any TLS processing, which shields the TLS stack from unauthenticated input. It can also use hardware acceleration to get better encryption performance. Support for PolarSSL is available starting from version 2.3.

Authentication

OpenVPN has several ways to authenticate peers with each other. OpenVPN offers pre-shared keys, certificate-based, and username/password-based authentication. Preshared secret key is the easiest, with certificate based being the most robust and feature-rich. In version 2.0 username/password authentications can be enabled, both with or without certificates. However to make use of username/password authentications, OpenVPN depends on third-party modules. See the Extensibility paragraph for more info.

OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing the created SSL tunnels on a single TCP/UDP port. From the 2.3.x series on, OpenVPN fully supports IPv6 as the protocol of the virtual network inside a tunnel, and the OpenVPN applications can also establish connections via IPv6.

It has the ability to work through most proxy servers (including HTTP) and is good at working through Network address translation (NAT) and getting out through firewalls. The server configuration has the ability to “push” certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options. OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver. It can create either a layer-3 based IP tunnel (TUN), or a layer-2 based Ethernet TAP that can carry any type of Ethernet traffic.

OpenVPN can optionally use the LZO compression library to compress the data stream; compressing data before encrypting it is now discouraged, since the compressed size leaks information about the plaintext (the VORACLE class of attacks), and newer releases recommend leaving compression off. Port 1194 is the official IANA-assigned port number for OpenVPN. Newer versions of the program now default to that port. A feature in the 2.0 version allows one process to manage several simultaneous tunnels, as opposed to the original “one tunnel per process” restriction of the 1.x series.

OpenVPN’s use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced, “business grade,” service tier.

Security

OpenVPN offers several internal security features. It supports up to 256-bit encryption through the OpenSSL library, although some service providers configure weaker ciphers to make the connection faster. It runs in userspace instead of requiring IP stack (and therefore kernel) operation. OpenVPN has the ability to drop root privileges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization and apply a SELinux context after initialization.

OpenVPN runs a custom security protocol based on SSL and TLS. OpenVPN offers support for smart cards via PKCS#11-based cryptographic tokens.
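
The settings discussed in the Encryption and Security sections can be checked mechanically. The linter below is an added example, not OpenVPN project code; the two embedded client configs are constructed (vpn.example.net and the file names are placeholders), and the directives it checks (cipher, auth, comp-lzo/compress, remote-cert-tls, verify-x509-name, tls-auth/tls-crypt, tls-version-min) are real OpenVPN 2.x directives.

```python
"""Lint an OpenVPN 2.x client config for the weak settings discussed above.

Added example, not OpenVPN project code. Both configs below are constructed;
the hostname vpn.example.net and the key/cert file names are placeholders.
"""

WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
cipher none          # data channel sent in the clear
auth none            # no HMAC on data packets
comp-lzo             # compress-then-encrypt
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server   # peer certificate must carry the server EKU
tls-crypt ta.key         # "HMAC firewall": unauthenticated control packets are dropped
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
"""


def parse_config(text):
    """Map each directive to its argument list (last occurrence wins); '#' and ';' start comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf


def lint(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    conf = parse_config(text)
    first = lambda d: (conf.get(d) or [""])[0].lower()
    findings = []
    if first("cipher") == "none":
        findings.append("cipher none: the data channel is unencrypted")
    if first("auth") == "none":
        findings.append("auth none: no HMAC, data packets can be altered in transit")
    if "comp-lzo" in conf or "compress" in conf:
        findings.append("compression directive present: compress-then-encrypt leaks plaintext (VORACLE-style attacks)")
    if "client" in conf and not ("remote-cert-tls" in conf or "verify-x509-name" in conf):
        findings.append("no remote-cert-tls server: any certificate from the same CA, e.g. another client's, can impersonate the server")
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("no tls-auth/tls-crypt: the TLS control channel accepts unauthenticated packets")
    if "tls-version-min" not in conf:
        findings.append("no tls-version-min: legacy TLS versions may be negotiated")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint(cfg) or "no findings")
```

The remote-cert-tls check is the one most often missing from provider-supplied configs: without it, any certificate signed by the provider's CA, including the one issued to another customer, is accepted as the server.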

Extensibility

OpenVPN can be extended with third-party plug-ins or scripts which can be called at defined entry points. The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with username and password, dynamic firewall updates, RADIUS integration and so on.

The plug-ins are dynamically loadable modules, usually written in C, while the scripts interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code there are some examples of such plug-ins, including a PAM authentication plug-in. Several third-party plug-ins also exist to authenticate against LDAP or SQL databases such as SQLite and MySQL. There is an overview of many of these extensions in the related project wiki page for the OpenVPN community.

Platforms

It is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows 2000/XP/Vista/7. While some mobile phone OSes (Palm OS, etc.) do not support OpenVPN, it is available for Maemo, Windows Mobile 6.5 and below, iOS 3GS+ devices, jailbroken iOS 3.1.2+ devices, Android 4.0+ devices, and Android devices that have had the CyanogenMod aftermarket firmware flashed or have the correct kernel module installed. It is not a “web-based” VPN, meaning that it is not shown as a web page such as Citrix or Terminal Services Web access; the program is installed independently and configured by editing text files manually, rather than through a GUI-based wizard.

OpenVPN is not compatible with IPsec or any other VPN package. The entire package consists of one binary for both client and server connections, an optional configuration file, and one or more key files depending on the authentication method used.

Firmware implementations

OpenVPN has been integrated into router firmware packages such as Vyatta, pfSense, DD-WRT, OpenWrt and Tomato, allowing users to run OpenVPN in client or server mode from their network routers. A router running OpenVPN in client mode, for example, lets users within that network reach the VPN without installing OpenVPN on each computer on that network.

Firmware Package   Cost   Developer                      Link
DD-WRT             Free   NewMedia-NET GmbH              dd-wrt.com
IPFire             Free   Community driven development   ipfire.org
OpenWRT            Free   Community driven development   OpenWRT.org
pfSense            Free   BSD Perimeter LLC              pfsense.org
Tomato             Free   Keith Moyer                    tomatovpn.keithmoyer.com

OpenVPN has also been implemented in some default manufacturer router firmware, such as the D-Link DSR-250  and all recent MikroTik Routers.

Software implementations

OpenVPN has been integrated into SoftEther VPN, an open-source multi-protocol VPN server, to allow users to connect to the VPN server from existing OpenVPN clients.

OpenVPN Features:

  • Overall speed is lower than PPTP or L2TP/IPSec: encryption runs in userspace, and over TCP the tunnel suffers from the TCP-over-TCP problem described under SSTP below. Use UDP wherever the network allows it.
  • Encryption and secure browsing is very secure, more so than most other protocols.
  • Stability is good when run over UDP; the poor stability some users report usually comes from TCP mode on lossy links. The protocol itself is mature and widely deployed (see the firmware and software implementations above), not experimental.
  • Media streaming works, but expect more buffering than with PPTP or L2TP/IPSec, especially over TCP.
  • Torrent/P2P, if not blocked by the provider, works, again with lower throughput than the lighter protocols.
  • Compatible with Windows/Mac OS X and most popular devices/phones/tablets/iPads etc., though a client program has to be installed.

SSTP:

Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL/TLS channel (the original specification called for SSL 3.0; current implementations use TLS, and SSL 3.0 should be disabled on both ends since the POODLE attack). SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. The use of TLS over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers except for authenticated web proxies.

SSTP servers must be authenticated during the SSL phase. SSTP clients can optionally be authenticated during the SSL phase, and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as EAP-TLS and MS-CHAP.

SSTP is available for Linux, BSD, and Windows. MikroTik's RouterOS also includes an SSTP client and server. SoftEther VPN Server, a cross-platform open-source VPN server, also supports SSTP as one of its multi-protocol capabilities.

Similar functionality can be obtained by using open-source solutions like OpenVPN.

SSTP is available on Windows Vista SP1 and later, in RouterOS, and in SEIL since its firmware version 3.50. On Windows it is fully integrated with the RRAS architecture, allowing its use with Winlogon or smart card authentication, remote access policies and the Windows VPN client. The protocol is also used by Windows Azure for Point-to-Site Virtual Network.

SSTP was intended only for remote client access; it generally does not support site-to-site VPN tunnels. The RouterOS version has no such restriction.

SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire.

If this becomes untrue, performance falls off dramatically. This is known as the “TCP meltdown” problem: a lost packet on the outer TCP connection stalls delivery, the inner TCP connections time out and retransmit into the stalled tunnel, and the two layers' retransmissions compound each other.

SSTP Features:

  • Overall speed is quite good, not as good as PPTP or L2TP but fair.
  • Encryption and secure browsing is very secure, more so than most other protocols.
  • Stability is medium: because SSTP is TCP-only, be warned that it is subject to the TCP meltdown problem above on lossy links.
  • Media streaming works very well with SSTP; you will NOT get a lot of media buffering.
  • Torrent/P2P, if not blocked by the provider, will again work well with SSTP.
  • Compatible with Windows, Linux and RouterOS, and that's it! No built-in client on Apple/Mac, iPad or Android devices.

SoftEther:

SoftEther VPN is a free open-source, cross-platform, multi-protocol VPN solution developed as part of Daiyuu Nobori's Master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN and Microsoft Secure Socket Tunneling Protocol (SSTP) are provided in a single VPN server. It was released under the GPLv2 license on January 4, 2014.

The architecture of SoftEther VPN was designed for firewall penetration. Support for NAT traversal is provided, making it possible to set up a VPN Server behind an organization's or government's firewall. Firewalls that classify traffic by port and protocol see only HTTPS, because SoftEther's transport is camouflaged as an HTTPS connection. Be aware that this is camouflage, not invisibility: a deep-packet-inspection device can still fingerprint the TLS handshake, and traffic analysis (packet sizes, timing and a long-lived session to a single host) can reveal a VPN to a determined observer.

Performance optimization was another objective for SoftEther VPN. It employs strategies such as full Ethernet frame utilization, reducing memory copy operations, parallel transmission, and clustering. Together, these reduce latency normally associated with VPN connections while increasing throughput.

The software includes a VPN Server, VPN Bridge, VPN Client, VPN Server Manager for Windows, and VPN Command-Line Admin Utility.

Interoperability

The VPN Server and VPN Bridge support Windows, Linux, Mac OS (but not 10.9.x), FreeBSD and Solaris operating systems. SoftEther VPN provides its own type of VPN connection as well as interoperability with OpenVPN, Microsoft Secure Socket Tunneling Protocol (SSTP), SSL VPN, EtherIP, L2TPv3 and IPsec. Mobile devices running iOS, Android, and Windows Phone are supported via L2TP/IPsec. SoftEther’s native VPN Client is supported on Windows, Linux, and Mac. VPN clients and endpoints supporting the other VPN protocols may also be used; this includes a wide variety of routers from companies such as Cisco, Juniper, Linksys (with DD-WRT), Asus, and many others.

VPN Server

SoftEther VPN Server implements the VPN server function: it listens for and accepts connections from VPN Clients or VPN Bridges over several VPN protocols.

A VPN Server can have several Virtual Hubs and Virtual Layer-3 Switches. A Virtual Hub has full layer-2 Ethernet packet-switching functions like a physical Ethernet switch. Additionally, a Virtual Hub can be configured to define IP packet filter entries to filter the packets through the Virtual Hub. A Virtual Layer-3 Switch has layer-3 IP static routing functions like a physical router.

A VPN Server can have local-bridges. A local bridge is the layer-2 packet-switching fabric between a physical Ethernet network-adapter and a Virtual Hub. The administrator defines a local-bridge between the Virtual Hub and the existing corporate network to build a remote-access VPN server or a site-to-site VPN server.

VPN Client

SoftEther VPN Client is a VPN client program that provides a virtualized Ethernet network adapter. A computer with SoftEther VPN Client installed can establish a VPN connection to the VPN Server. Since the VPN Server supports multiple VPN protocols such as L2TP/IPsec and MS-SSTP, VPN users are not required to install SoftEther VPN Client on client computers: when a user connects with L2TP/IPsec or MS-SSTP, the operating system's built-in VPN client can be used to establish the VPN to the VPN Server. However, SoftEther VPN Client has more advanced functions (e.g. more detailed VPN communication settings) than the OS built-in VPN clients.

To get the full performance of SoftEther VPN Server, it is recommended to install SoftEther VPN Client on each client computer.

VPN Bridge

SoftEther VPN Bridge is a VPN program for building a site-to-site VPN. To build a site-to-site VPN network, the system administrator installs SoftEther VPN Server at the central site and SoftEther VPN Bridge at one or more remote sites. A VPN Bridge connects to the central VPN Server by a cascade connection. A cascade connection is the virtualized equivalent of an uplink (cross-cable) connection between two physical Ethernet switches.

The GUI Tool is the administrative tool for SoftEther VPN Server and SoftEther VPN Bridge. It runs on Windows, and on Linux under WINE. A system administrator installs the GUI Tool on a laptop and connects it to the remote VPN Server or VPN Bridge for administration. The connection is made over an SSL session, and management commands are transported as RPC over SSL. Since this management channel carries full administrative control, restrict it to management addresses (the source IP address control list below) and use a strong, unique administrator password.

Features

  • Free and open-source software.
  • Easy to establish both remote-access and site-to-site VPNs.
  • SSL-VPN tunneling over HTTPS to pass through NATs and firewalls.
  • VPN over ICMP and VPN over DNS features for networks that allow nothing else (both are covert channels: expect low throughput, and expect them to draw attention from network monitoring).
  • Resistance to highly restricted firewalls.
  • Ethernet bridging (L2) and IP routing (L3) over VPN.
  • Embedded dynamic DNS and NAT traversal, so no static or fixed IP address is required.
  • AES 256-bit encryption and RSA 4096-bit keys.
  • Security features such as logging and a firewall inside the VPN tunnel.
  • 1 Gbit/s-class high-speed throughput with low memory and CPU usage.
  • Windows, Linux, Mac, Android, iPhone, iPad and Windows Phone are supported.
  • SSL-VPN (HTTPS) and 6 major VPN protocols (OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3 and EtherIP) are all supported as VPN tunneling underlay protocols.
  • The OpenVPN clone function supports existing OpenVPN clients.
  • IPv4/IPv6 dual-stack.
  • The VPN server runs on Windows, Linux, FreeBSD, Solaris and Mac OS X.
  • All settings can be configured through the GUI.
  • Multi-language (English, Japanese and Simplified Chinese).
  • Intended for long-term runs; the project states that it checks each build for memory and resource leaks before release.
  • RADIUS / NT Domain user authentication.
  • RSA certificate authentication.
  • Deep-inspect packet logging.
  • Source IP address control list.
  • Syslog transfer.
  • SoftEther VPN is not affected by the Heartbleed vulnerability in OpenSSL (statement dated April 11, 2014).

Full Ethernet Virtualization

The key concept behind SoftEther VPN is the full virtualization of Ethernet segments, layer-2 Ethernet switches and Ethernet adapters.

Since SoftEther VPN tunnels across the Internet and establishes a VPN session between remote sites that can carry any Ethernet frame, it has the same protocol transparency as a physical Ethernet segment. Many protocols run over Ethernet, for example IPv4 (TCP, UDP, ICMP, ESP, GRE, etc.), IPv6, NetBEUI, IPX/SPX, PPPoE, RIP, STP and so on. All of them can be carried through a SoftEther VPN tunnel.

Layer-3 VPN systems such as IPsec carry only IP packets, since they operate at or above layer 3; PPTP and L2TP carry PPP frames and are limited to the protocols PPP can encapsulate. SoftEther VPN, by contrast, carries anything at layer 2 or above.

The user benefits from this: any legacy or current protocol can be used within a SoftEther VPN session. If the user's company uses some special-purpose protocol to control a manufacturing machine, it can be used across the SoftEther VPN session with no modification to the software, because the VPN is a layer-2 Ethernet segment. The flip side is that a layer-2 VPN also carries broadcasts, ARP and everything else on the segment, so a remote-access client is exposed to the whole segment unless the Virtual Hub's packet filters restrict it.

A Virtual Hub is a software-emulated virtual Ethernet switch. It learns and maintains its own forwarding database (MAC address table). Although physical Ethernet switches implement this function in hardware, SoftEther VPN implements the same function in software. A VPN Server can have several Virtual Hubs, each isolated from the others. A Virtual Hub performs packet switching between concurrently connected VPN sessions to provide communication between VPN Clients and VPN Bridges.

When there are several Virtual Hubs in a single instance of VPN Server, these Virtual Hubs are isolated for security. A different administrator can be delegated privileges over each Virtual Hub; an administrator for a Virtual Hub can define user objects and ACLs, limited to the delegated Virtual Hub.

A Virtual Network Adapter is a software-emulated virtual Ethernet adapter. A VPN Client can create several Virtual Network Adapters on the client computer. A VPN user establishes a VPN session between a Virtual Network Adapter and the destination Virtual Hub on the remote VPN Server. While the session is established, the user communicates with the remote VPN network through the Virtual Network Adapter. Since the Virtual Network Adapter behaves like a physical one, any application or operating-system component can be used without modification.
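
A Virtual Hub is, at bottom, a learning switch with a forwarding database, and the isolation between hubs is the security property that matters. The following is an added Python model of that behaviour, not SoftEther code: frames, MAC addresses and session names are constructed, sessions stand in for VPN sessions connected to a hub, and the forwarding database is bounded so a client flooding random source MACs cannot exhaust memory (the classic CAM-table flooding attack against physical switches).

```python
"""Learning Ethernet switch with isolated hubs, modelling SoftEther's Virtual Hub.

Added example, not SoftEther code. Frames and MAC addresses are constructed;
session ids stand in for VPN sessions connected to a hub.
"""
import struct

BROADCAST = b"\xff" * 6


def frame(dst, src, ethertype=0x0800, payload=b""):
    """Build a minimal Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


class VirtualHub:
    def __init__(self, name, max_fdb_entries=1024):
        self.name = name
        self.fdb = {}                   # forwarding database: source MAC -> session id
        self.max_fdb_entries = max_fdb_entries
        self.sessions = {}              # session id -> frames delivered to it
        self.dropped = 0

    def connect(self, session_id):
        self.sessions[session_id] = []

    def switch(self, in_session, data):
        """Learn the source MAC on the ingress session, then forward; returns the egress sessions."""
        if len(data) < 14 or in_session not in self.sessions:
            self.dropped += 1
            return []
        dst, src = data[:6], data[6:12]
        # Learn (or move) the source MAC. The table is bounded: a session that floods
        # random source MACs cannot grow it without limit; once it is full, unknown
        # destinations are still flooded within this hub, never mis-delivered.
        if src in self.fdb or len(self.fdb) < self.max_fdb_entries:
            self.fdb[src] = in_session
        is_unicast = dst != BROADCAST and not (dst[0] & 1)
        if is_unicast and dst in self.fdb:
            egress = [] if self.fdb[dst] == in_session else [self.fdb[dst]]
        else:
            egress = [s for s in self.sessions if s != in_session]   # flood unknown/broadcast/multicast
        for s in egress:
            self.sessions[s].append(data)
        return egress


MAC_A, MAC_B, MAC_C = (bytes([0x02, 0, 0, 0, 0, x]) for x in (0x0A, 0x0B, 0x0C))


def demo():
    """Two isolated hubs: learning on HUB1, nothing crossing from HUB2, bounded table on HUB2."""
    hub1, hub2 = VirtualHub("HUB1"), VirtualHub("HUB2", max_fdb_entries=2)
    hub1.connect("sessA")
    hub1.connect("sessB")
    hub2.connect("sessC")
    hub2.connect("sessD")
    flooded = hub1.switch("sessA", frame(MAC_B, MAC_A))   # B unknown: flooded to sessB
    unicast = hub1.switch("sessB", frame(MAC_A, MAC_B))   # A learned: delivered to sessA only
    crossed = hub2.switch("sessC", frame(MAC_A, MAC_C))   # A is not on HUB2: flooded within HUB2 only
    for x in range(5):                                    # MAC flood against HUB2's table
        hub2.switch("sessD", frame(BROADCAST, bytes([0x02, 0xEE, 0, 0, 0, x])))
    return {
        "flooded": flooded,
        "unicast": unicast,
        "crossed": crossed,
        "hub1_fdb_size": len(hub1.fdb),
        "hub2_fdb_size": len(hub2.fdb),
        "hub1_saw_hub2_frame": any(frame(MAC_A, MAC_C) in q for q in hub1.sessions.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Per-hub ACLs and packet filters, mentioned in the text, would sit in `switch` between learning and forwarding; the model above shows only the two properties that must hold before filters even matter: frames never leave their hub, and the learning table is bounded.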

Virtual Layer-3 Switch

A Virtual Layer-3 Switch is the software-emulated virtual IP router. Several Virtual Layer-3 Switch can be created on a single VPN Server instance. A Virtual Layer-3 Switch has virtual IP interfaces connected to Virtual Hubs. It also has several static routing table entries.

The Virtual Layer-3 Switch is useful for building a large-scale site-to-site VPN network. Although the easy way to build a site-to-site VPN is layer-2 bridging, if the number of computers is huge the number of broadcast packets grows and loads the inter-site links. To prevent that scaling problem, the VPN administrator separates IP networks with a Virtual Layer-3 Switch.

Cascade Connection between Virtual Hubs

The administrator can define a cascade connection between local or remote Virtual Hubs. Once the cascade connection is established, the two originally isolated Ethernet segments are combined into a single Ethernet segment. The cascade connection function is therefore used to build site-to-site layer-2 Ethernet bridging.

Local Bridge between Virtual Hubs and Physical Ethernet Segment

Since Virtual Hubs and Virtual Network Adapters are only software-emulated virtual Ethernet devices, Ethernet packets passing through these virtual devices cannot reach physical Ethernet devices on their own. A bridge between the virtual and the physical is therefore necessary to build a remote-access VPN or a site-to-site VPN. To make such a bridge, the Local Bridge function exchanges Ethernet packets between a Virtual Hub and a physical Ethernet network adapter, combining the two isolated Ethernet segments into a single Ethernet segment.

After defining a Local Bridge on SoftEther VPN Server, any VPN Client can connect to the VPN Server and communicate with all existing Ethernet devices (e.g. servers or network equipment) through the Local Bridge. This is called a remote-access VPN.

If the network administrator sets up a VPN Bridge at the remote site, defines a Local Bridge on both the VPN Server and the VPN Bridge, and defines a cascade connection between the VPN Server and the VPN Bridge, then the two remote Ethernet segments are connected directly at the layer-2 Ethernet level. This is called a site-to-site VPN.

One of the key features of SoftEther VPN is its transparency to firewalls, proxy servers and NATs (Network Address Translators). To achieve this, SoftEther VPN supports SSL-VPN and NAT Traversal. SoftEther VPN uses the HTTPS protocol to establish a VPN tunnel. HTTPS (HTTP over SSL) uses TCP port 443 (this may vary) as its destination port.

Parallel Transmission Mechanism of Multiple SSL-VPN Tunnels

When the user chooses the SSL-VPN protocol between the VPN Client and VPN Server, SoftEther VPN Server and VPN Client use a parallel transmission mechanism to improve the throughput of the SSL-VPN tunnel. The user can set the number of concurrent parallel transmission channels from 1 to 32. In environments such as slow or high-latency networks, this performance tuning yields higher throughput. When this function is enabled, the logical VPN session consists of several TCP (HTTPS) connections. Each packet is assigned to one of the TCP connections by an optimizing module. If packet loss is detected on one TCP connection of the logical VPN session, the next packet is sent over another healthy connection. This fast switching between TCP connections enables high throughput.

NAT Traversal

Traditional VPN systems require the user to ask the company’s firewall administrator to open an endpoint (a TCP or UDP port) on the firewall or NAT at the border between the company and the Internet. To reduce the need to open an endpoint on the firewall, SoftEther VPN Server has the NAT Traversal function. NAT Traversal is enabled by default. While it is enabled, SoftEther VPN Client computers can connect to your VPN Server behind the firewall or NAT. No special settings on the firewall or NAT are necessary.

VPN over ICMP, and VPN over DNS

A few very restricted networks only permit ICMP or DNS packets to pass. On such a network, TCP and UDP are filtered; only ICMP and DNS are permitted. To make it possible to establish a SoftEther VPN client-server session across such a very restricted network, SoftEther VPN has the “VPN over ICMP” and “VPN over DNS” functions.

This function is very powerful for getting through such a restrictive firewall. All VPN packets are encapsulated in ICMP or DNS packets to cross the firewall. The receiver-side endpoint extracts the inner packet from the encapsulating packet. This is very useful when using public Wi-Fi. Some public Wi-Fi networks pass only ICMP or DNS packets and filter TCP and UDP. If you have a VPN Server installed at your home or office before you go out, you can enjoy protocol-free network communication even on such a restricted network.
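From the network defender’s side, the same encapsulation described above leaves a recognisable footprint: ICMP echo requests carrying far more payload than a normal ping, and DNS queries whose subdomain labels are long and high-entropy. The following added example (not SoftEther’s code, and not tied to any real tunnel implementation) runs two such heuristics over constructed sample telemetry; the thresholds are illustrative assumptions.

```python
# Added example (not SoftEther's code): defender-side heuristics for spotting
# the traffic pattern the page describes, VPN frames carried inside ICMP or
# DNS packets. Thresholds and sample records are constructed for illustration.
import math
from collections import Counter


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s` (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dns_looks_tunnelled(qname: str, min_len: int = 32, min_entropy: float = 3.5) -> bool:
    """Long, high-entropy subdomains are the usual sign of data carried in DNS queries."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])   # everything left of the registrable domain (assumed 2 labels)
    return len(subdomain) >= min_len and shannon_entropy(subdomain) >= min_entropy


def icmp_hosts_of_interest(records, max_payload: int = 128, min_count: int = 10) -> list:
    """Hosts sending many echo requests whose payload is far larger than a normal ping."""
    big = Counter(src for src, size in records if size > max_payload)
    return sorted(src for src, n in big.items() if n >= min_count)


def dns_hosts_of_interest(records) -> list:
    """Hosts that issued at least one query matching the tunnelling heuristic."""
    return sorted({src for src, qname in records if dns_looks_tunnelled(qname)})


# Constructed sample telemetry: (source IP, ICMP echo payload size in bytes)
ICMP_SAMPLE = [("10.0.0.5", 1200)] * 25 + [("10.0.0.9", 56)] * 3
# Constructed sample DNS queries: (source IP, query name)
DNS_SAMPLE = [
    ("10.0.0.9", "www.example.com"),
    ("10.0.0.7", "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0.tunnel.example.net"),
    ("10.0.0.7", "mail.example.org"),
]

if __name__ == "__main__":
    print("ICMP carriers:", icmp_hosts_of_interest(ICMP_SAMPLE))   # ['10.0.0.5']
    print("DNS carriers:", dns_hosts_of_interest(DNS_SAMPLE))      # ['10.0.0.7']
```

On a real network these thresholds need tuning against a baseline, since large ICMP payloads and long DNS labels also occur legitimately (path-MTU probes, CDN and anti-spam lookups).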

SoftEther Features:

  • Overall speed is very fast; it is one of the very best protocols for speed.
  • Encryption and secure browsing are very secure, more so than with most other protocols.
  • Stability of this protocol is rated high. It is a very new and secure type of protocol.
  • Media streaming works very well with SoftEther. You will NOT get a lot of media buffering.
  • Torrent/P2P, if not blocked by the provider, will again work extremely well with SoftEther.
  • Windows, Linux, Mac, Android, iPhone, iPad and Windows Phone are supported.

That’s it! All the VPN protocols have been covered in great detail! Now you know everything!