SoftEther VPN Lab

I deployed and evaluated IPSec and TLS VPN architectures with SoftEther, including packet-level verification and protocol trade-off analysis.

Repository

VPNnetworkingWiresharkIPSecTLSnetwork forensics

SoftEther-VPN-Guardian

Politecnico di Torino

Developed as part of a Politecnico Di Torino cybersecurity course under Prof. Fulvio Valenza and Prof. Daniele Bringhenti.

GNS3 Public IP VPN Across the Internet

A comprehensive GNS3-based laboratory demonstrating advanced VPN technologies through SoftEther VPN Server's multi-protocol capabilities. This project showcases the implementation of both IPSec and TLS/SSL tunneling protocols over simulated public Internet infrastructure, utilizing Cisco routing equipment and containerized services.

Project Overview
SoftEther VPN Technology
Network Architecture
Multi-Protocol VPN Implementation
Infrastructure Components
Laboratory Setup
Security Considerations
Performance Analysis
Repository Structure
References & Further Reading

Project Overview

This laboratory environment demonstrates the deployment of enterprise-grade VPN solutions using SoftEther VPN Server, a powerful open-source multi-protocol VPN platform developed at the University of Tsukuba, Japan. The project emphasizes the practical implementation of secure site-to-site connectivity across public Internet infrastructure, showcasing both traditional IPSec protocols and modern TLS/SSL-based tunneling.

Key Learning Objectives

Multi-Protocol VPN Design: Understanding how a single VPN server can simultaneously support multiple tunneling protocols
Network Address Translation: Implementing proper NAT/PAT configurations for VPN traffic traversal
Public Key Infrastructure: Managing certificates and authentication mechanisms for TLS-based VPNs
Performance Comparison: Analyzing the characteristics of IPSec vs. TLS tunneling protocols

SoftEther VPN Technology

SoftEther VPN represents a significant advancement in VPN technology, offering unprecedented protocol compatibility and performance. Originally developed as an academic research project, it has evolved into a production-ready solution supporting multiple VPN protocols through a unified server platform.

Core Capabilities

Multi-Protocol Support: Native compatibility with IPSec/L2TP, OpenVPN, SSTP, L2TPv3, and EtherIP
SSL-VPN Technology: Advanced TLS 1.3 encryption with certificate-based authentication
Dynamic DNS Integration: Built-in DDNS client for dynamic IP environments
Clustering Support: High-availability configurations for enterprise deployments
Deep Packet Inspection Evasion: Sophisticated techniques to bypass restrictive firewalls

Architecture Benefits

The server's Virtual Hub architecture allows multiple isolated VPN instances on a single platform, each supporting different protocols and authentication methods. This design enables our laboratory to demonstrate both IPSec site-to-site tunneling and remote access TLS connections simultaneously.

Network Architecture

The laboratory topology simulates a realistic Internet service provider environment with two geographically separated sites requiring secure interconnection.

    Internet Cloud (Simulated)
            │
    ┌───────┴───────┐
    │   ISP Router   │
    │  (Provider PE) │
    └───┬───────┬───┘
        │       │
    Site A      Site B
   ┌─────┴─┐   ┌─────┴─┐
   │Router2│   │Router3│
   │(Edge) │   │(Edge) │
   └───┬───┘   └───┬───┘
       │           │
  ┌────┴────┐ ┌────┴────┐
  │SoftEther│ │  VPN    │
  │ Server  │ │ Client  │
  │Container│ │Container│
  └─────────┘ └─────────┘

IP Addressing Scheme

The network utilizes RFC 5737 documentation addresses for public IP simulation, ensuring no conflicts with production networks while maintaining realistic routing behaviors.

Network Segment	CIDR Block	Purpose
Site A (Server)	10.0.1.0/24	SoftEther VPN Server
Site B (Client)	10.0.2.0/24	VPN Client Network
WAN Link A	203.0.113.0/24	Server Public Access
WAN Link B	198.51.100.0/24	Client Public Access

Multi-Protocol VPN Implementation

This project demonstrates SoftEther's ability to provide concurrent VPN services using different protocols, each optimized for specific use cases.

IPSec Implementation

Internet Protocol Security (IPSec) provides network-layer encryption and authentication, ideal for site-to-site connectivity requirements.

Technical Configuration

IKE Version: IKEv1 for broader compatibility with legacy systems
Encryption: AES-256 (Phase 1) / AES-128 (Phase 2) for optimal security-performance balance
Authentication: SHA-1 HMAC with pre-shared key infrastructure
Perfect Forward Secrecy: Diffie-Hellman Group 14 (2048-bit) for key exchange
NAT Traversal: Automatic UDP encapsulation on port 4500 for firewall traversal

The IPSec implementation utilizes SoftEther's built-in IPSec server functionality, eliminating the need for separate IPSec gateway appliances while maintaining full RFC compliance.

TLS/SSL Implementation

Transport Layer Security (TLS) tunneling provides application-layer encryption with enhanced firewall traversal capabilities.

Technical Configuration

Protocol: OpenVPN-compatible TLS tunnel over TCP/443
Encryption: AES-128-CBC with SHA-256 authentication
Certificate Authority: Self-signed PKI infrastructure for development environments
Authentication: Dual-factor using certificates + username/password
Compression: LZO compression for bandwidth optimization

The TLS implementation leverages SoftEther's SSL-VPN engine, which can operate over HTTPS (port 443), making it virtually indistinguishable from regular web traffic to deep packet inspection systems.

Infrastructure Components

Cisco Router Configuration

The edge routers implement Policy-Based Routing (PBR) and Network Address Translation (NAT) to simulate realistic Internet gateway behavior. Key configurations include:

Static NAT: Port forwarding for VPN protocols (UDP 500/4500, TCP 443)
Dynamic NAT: Overload (PAT) for general Internet access
Access Control Lists: Traffic filtering for security policy enforcement

Docker Containerization

The laboratory utilizes Docker containers to provide isolated, reproducible environments:

SoftEther Server: siomiz/softethervpn:latest with persistent configuration storage
VPN Clients: Ubuntu-based containers with pre-installed VPN client software
Volume Mounting: Configuration files and certificates stored on host filesystem

GNS3 Integration

Graphical Network Simulator 3 (GNS3) provides the network emulation platform, offering:

Device Virtualization: Full Cisco IOS emulation with realistic hardware behavior
Docker Integration: Seamless container management within network topologies
Traffic Capture: Built-in packet capture for protocol analysis
Scalability: Support for complex multi-vendor network scenarios

Security Considerations

Cryptographic Implementation

The project emphasizes cryptographic best practices while maintaining compatibility with common enterprise environments:

Key Management: Secure distribution and storage of pre-shared keys and certificates
Algorithm Selection: Balance between security strength and computational efficiency
Perfect Forward Secrecy: Ensuring session key compromise doesn't affect historical communications

Network Security

Firewall Rules: Restrictive access control lists permitting only necessary VPN traffic
Anti-Replay Protection: Sequence number verification to prevent replay attacks
DPD (Dead Peer Detection): Automatic tunnel restoration after connectivity failures

Performance Analysis

Protocol Comparison

Metric	IPSec	TLS/SSL
Throughput	Higher	Moderate
CPU Overhead	Lower	Higher
Firewall Bypass	Moderate	Excellent
Setup Complexity	Higher	Lower
Mobile Support	Limited	Excellent

Monitoring and Diagnostics

The laboratory includes comprehensive monitoring capabilities:

Connection Status: Real-time tunnel state monitoring
Traffic Analysis: Bandwidth utilization and packet loss statistics
Log Aggregation: Centralized logging for troubleshooting and audit trails

References & Further Reading

Primary Sources

SoftEther VPN Project: Official Documentation - Comprehensive technical documentation and white papers
RFC 3948: UDP Encapsulation of IPsec ESP Packets - NAT traversal specifications
RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
RFC 4301: Security Architecture for the Internet Protocol - IPSec framework

Academic Research

Nobori, D., & Shinjo, Y. (2014). "VPN Gate: A volunteer-run global distributed public VPN relay system." ACM Transactions on Information and System Security
Frankel, S., & Krishnan, S. (2011). "IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap." RFC 6071

Implementation Guides

GNS3 Academy - Network simulation best practices
Cisco IOS Security Configuration Guide
Docker Networking Documentation

Security Standards

NIST SP 800-77: Guide to IPsec VPNs
NIST SP 800-52: Guidelines for the Selection and Use of Transport Layer Security
ISO/IEC 27001: Information Security Management Systems

SoftEther-VPN-Guardian

GNS3 Public IP VPN Across the Internet

Table of Contents

Project Overview

Key Learning Objectives

SoftEther VPN Technology

Core Capabilities

Architecture Benefits

Network Architecture

IP Addressing Scheme

Multi-Protocol VPN Implementation

IPSec Implementation

Technical Configuration

TLS/SSL Implementation

Technical Configuration

Infrastructure Components

Cisco Router Configuration

Docker Containerization

GNS3 Integration

Security Considerations

Cryptographic Implementation

Network Security

Performance Analysis

Protocol Comparison

Monitoring and Diagnostics

References & Further Reading

Primary Sources

Academic Research

Implementation Guides

Security Standards