Git Sagar 9296b3572e add comprehensive README documentation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-04 14:29:20 +05:30
patches       increase PPP (l2tp) timeouts for better connection                     2025-07-28 18:01:33 +00:00
sha0          cosmetics                                                              2025-07-14 14:18:44 +00:00
.gitignore    softether v5 (dev) building perfectly fine with nix and cmake          2025-07-11 17:59:19 +00:00
flake.lock    softether v5 (dev) building perfectly fine with nix and cmake          2025-07-11 17:59:19 +00:00
flake.nix     sha0 hashing c package for converting passwords in softether config    2025-07-14 13:54:09 +00:00
package.nix   try to fix l2tp login issues                                           2025-07-27 13:53:23 +00:00
README.md     add comprehensive README documentation                                 2026-06-04 14:29:20 +05:30

SoftEther VPN 5 (Modified Fork)

A modified fork of SoftEther VPN 5 with custom profile key authentication, enhanced L2TP/PPP protocol handling, and simplified TAP interface management. Built and packaged with Nix Flakes.

Upstream: SoftEtherVPN/SoftEtherVPN
Version: 5.02.5187
Platforms: x86_64-linux, aarch64-linux

Features

Custom Patches Over Upstream

Patch                      Description
ipb-profile-key.patch      Profile key authentication via UV_TOKEN for OpenVPN and L2TP clients
simplify_l2tp_auth.patch   Switches L2TP/PPP from EAP to PAP, increases timeouts (90s/120s) for reliability
prevent-dmesg-call.patch   Disables VM detection via dmesg to avoid unnecessary system calls
tap-name-no-prefix.patch   Removes prefix from TAP interface names (uses instance name directly)

Supported VPN Protocols

  • OpenVPN - with custom profile key authentication
  • L2TP/IPsec - with enhanced timeout handling and PAP authentication
  • SSTP (Secure Socket Tunneling Protocol)
  • Native SoftEther VPN Protocol

SHA-0 Utility

A companion tool for converting passwords into the form used in SoftEther configuration files. It implements the SHA-0 hash that SoftEther uses for its internal password storage.

sha0 <string>    # outputs 20-byte SHA-0 hash in hexadecimal

Building

Prerequisites

  • Nix with Flakes enabled

Build with Nix

# Build SoftEther VPN server
nix build .

# Build SHA-0 utility
nix build .#sha0

Manual Build (without Nix)

Requires: cmake, pkg-config, libsodium, openssl, readline, ncurses, zlib

cmake -B build \
  -DSE_PIDDIR=/run/softether \
  -DSE_LOGDIR=/var/log/softether \
  -DSE_DBDIR=/var/lib/softether \
  -DCMAKE_INSTALL_SYSTEMD_UNITDIR=

cmake --build build
cmake --install build --prefix /usr/local

For a debug build, add -DCMAKE_BUILD_TYPE=Debug.

Configuration

Default Directories

Directory   Default Path         Purpose
PID         /run/softether       Process ID files
Logs        /var/log/softether   Server and connection logs
Database    /var/lib/softether   Configuration database

NixOS Module

The flake exports a NixOS package with configurable options:

{
  inputs.softether5.url = "git+ssh://forgejo@git.sagar.ch:2255/sagar/softether-5.git";

  # In your NixOS configuration:
  environment.systemPackages = [ inputs.softether5.packages.${system}.default ];
}

Package options available in package.nix:

Option    Default              Description
logDir    /var/log/softether   Log file directory
pidDir    /run/softether       PID file directory
dbDir     /var/lib/softether   Database directory
dataDir   (derived)            Data file directory
debug     false                Enable debug build

Authentication

Standard Authentication

SoftEther supports username/password and certificate-based authentication out of the box.

Profile Key Authentication (Custom)

This fork adds profile key authentication for integration with external systems:

  1. OpenVPN clients - Profile keys are extracted from peer info as UV_TOKEN
  2. L2TP clients - Profile keys are passed via the standard username/password fields
  3. The first 6 characters of the token are used as the initial key, concatenated with the password

L2TP/PPP Authentication

Simplified from upstream:

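  • Uses PAP (Password Authentication Protocol) instead of EAP. PAP carries the password unencrypted inside the PPP session, so it is protected only by the IPsec layer underneath L2TP.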
  • Packet receive timeout: 90 seconds (upstream: 15s)
  • Data timeout: 120 seconds (upstream: 20s)
  • CHAP/EAP and IPv6CP protocol negotiation removed for streamlined L2TP handling

Project Structure

.
├── flake.nix              # Nix Flakes entry point
├── flake.lock             # Locked dependency versions
├── package.nix            # SoftEther package derivation
├── patches/
│   ├── ipb-profile-key.patch
│   ├── prevent-dmesg-call.patch
│   ├── simplify_l2tp_auth.patch
│   └── tap-name-no-prefix.patch
└── sha0/
    ├── default.nix        # SHA-0 utility build config
    ├── sha0.c             # SHA-0 hash implementation
    ├── main.c             # CLI interface
    └── types.h            # Type definitions

Dependencies

Build-time

  • cmake
  • pkg-config
  • libsodium

Runtime

  • OpenSSL
  • readline
  • ncurses
  • zlib

License

Based on upstream SoftEther VPN licensing. The SHA-0 implementation is sourced from the Android Open Source Project (AOSP).