VPN into LAN behind Verizon Wireless NAT using SoftEther


Today’s Question is From Tom:

Hey Ben,

Could you share a post or details on how you configured your SoftEther VPN in order to reach the internal network from the outside, on Verizon? I’m in the same predicament, which an unlimited 4G connection, but am unable to reach files due to Verizon’s 4G NAT firewall. If you have some time, after the holidays, would you be so kind as to publish a write-up? Right now I am connecting to a Private Internet Access VPN on my local machine in order to increase download speeds.


Hi, Tom.  I setup a SoftEther VPN server on my LAN under a VMware VM, but you can also run SoftEther on your desktop or on pretty much any  server.  Here’s how mine is setup in ESXi 5.5.

Enable Promiscuous Mode on the VMware vSwitch that’s connected to the network that you will VPN into (most likely you only have one vSwitch in VMware) by going to Configuration, Networking, vSwitch Properties, choose vSwitch, Edit, Security tab, and change Promiscuous Mode to Accept.


Create a VM for SoftEther, you can use just about any OS, however SoftEther says it works best with Linux and recommends a RHEL compatible OS.  I’ve built it on Ubuntu 14.04 and not had any issues, but for this post I’ll show how to do it with CentOS 7.  Here’s my VM settings…


Pretty standard CentOS 7 install, choose infrastructure server and development tools.  And of course don’t forget to configure and enable networking before hitting begin installation… I always seem to miss that.


Install updates…

# yum upgrade

Disable SE Linux by setting SELINUX=disabled in /etc/selinux/config and then reboot or

# echo 0 > /selinux/enforce

Disable the firewall…

# service firewalld disable
# systemctl disable firewalld

Follow the SoftEther Install on Linux and Initial Configurations document.   By the end of that document you should have a running SoftEther service but it still won’t be configured.

Download the SoftEther Server Manager for Windows and connect to your VM… the first time you connect you’ll be prompted to set an Administrator password.


And you’ll be presented with a Setup Wizard…



SoftEther can do DDNS if you like so you can pick a sub-domain….


You can optionally choose to enable IPSEC / L2TP but it’s not needed if you’ll be using the SoftEther client.

You can also enable SoftEther’s free VPN Azure service.  This is a nice backup if you can’t connect directly using NAT traversal.


Then create a user and set the local bridge to the network adapter on the network that you want to be able to access.


Now on the client…

You can connect to example.softether.net  resolves to your Verizon Wireless external IPv4 IP address… By default SoftEther continually sends out UDP packets to traverse the NAT, so when a client attempts to connect it follows the packets back through.

Sometimes this UDP hole punching technique doesn’t work for NAT traversal,  I seem to have noticed issues if the VPN client is also behind a NAT or some restricted network like at a hotel.  That’s what the VPNAzure address is for.  SoftEther maintains a reverse tunnel by connecting to vpnazure so you can access your network using example.vpnazure.net which will relay your connection back to your VPN server.  I don’t think it matters what port you connect on, I usually use port 5555 but sometimes networks block those ports in which case I’ll use 443.


A couple of other settings you may be interested in… under Advanced Settings I usually check “Use Data Compression” to speed things up a bit.  And if all you’re using your VPN for is to access resources on your network, and not tunnel all your internet traffic you can check the  “No Adjustments of Routing Table” which prevents your internet connection from being routed through your VPN.

Hope that helps.