sagar/softether-go
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
softether-go/docs/usage.md
Git Sagar 17c1063e1f refactor: extract session/netcfg/tunnel, add mac/dhcp/policy-route flags 
- Split cmd/softether-go into main.go (flags, reconnect loop) and
  session.go (session lifecycle, DHCP orchestration)
- Extract network config to pkg/netcfg (TAP config, routing, DNS, policy routes)
- Move frame bridging to pkg/client/tunnel.go as Bridge() method
- Add -mac, -dhcp, -policy-route-table CLI flags
- Add SetMAC() to pkg/tap for deterministic DHCP assignments
- Update all docs to reflect new structure and flags

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-06-06 16:43:12 +05:30

5.1 KiB
Raw Blame History

Usage

softether-go [flags]

Required flags

Flag Description
-host SoftEther server hostname or IP
-user Authentication username

Optional flags

Flag Default Description
-pass "" Authentication password
-port 443 Server port
-hub DEFAULT Virtual hub name
-tap (auto) TAP interface name (kernel-assigned if empty)
-mac (auto) TAP interface MAC address (e.g. 5E:3B:6F:63:A8:3E)
-plain-password false Send password as plaintext (AuthType 2, for RADIUS/external auth)
-insecure false Skip TLS certificate verification
-dhcp true Run built-in DHCP client after connecting
-accept-default-gateway false Install DHCP-provided gateway as default route
-accept-static-routes false Install DHCP classless static routes (option 121/249)
-accept-dns false Set /etc/resolv.conf from DHCP-provided DNS servers
-policy-route-table 0 Policy routing table number (0 = disabled)
-reconnect-delay 5s Delay between reconnection attempts

Authentication

Two authentication modes are supported:

Hashed password (AuthType 1) — the default. Password is hashed with SHA-0 and combined with the server's random challenge to produce a SecurePassword. Used for local user accounts on the SoftEther server.

softether-go -host vpn.example.com -user admin -pass secret

Plaintext password (AuthType 2) — enabled with -plain-password. Password is sent as-is over TLS. Used when the server delegates authentication to an external system like RADIUS.

softether-go -host vpn.example.com -user admin -pass secret -plain-password

Network configuration flags

These flags control what the client does with the DHCP lease it receives from the VPN server.

-mac

Sets a specific MAC address on the TAP interface before connecting. Useful for deterministic DHCP assignments — the server sees the same MAC across reconnects and can assign the same IP.

softether-go -host vpn.example.com -user admin -mac 5E:3B:6F:63:A8:3E

-dhcp

Enabled by default. Runs the built-in DHCP client through the VPN tunnel after connecting. Disable with -dhcp=false if the TAP interface will be configured manually or by an external DHCP client.

-accept-default-gateway

Adds a default route via the DHCP-provided gateway on the TAP interface with metric 50. Before doing this, the client adds a /32 host route to the VPN server via the current default gateway so the tunnel itself is not routed through the VPN.

Without this flag, only the subnet route (implicit from the assigned IP/mask) is added.

-accept-static-routes

Installs classless static routes from DHCP option 121 (RFC 3442) or option 249 (Microsoft variant). These are non-default routes pushed by the DHCP server, such as routes to specific subnets via the VPN gateway.

If a static route entry has destination 0.0.0.0/0 (default route), it is only installed when -accept-default-gateway is also set. Per RFC 3442, when option 121 is present it takes precedence over option 3 (Router).

-accept-dns

Overwrites /etc/resolv.conf with the DNS servers from the DHCP lease. The original file is backed up in memory and restored when the session ends (disconnect, reconnect, or shutdown).

-policy-route-table

Enables policy routing for asymmetric return paths. Set to a routing table number (e.g. 200). When enabled, the client adds:

ip rule add from <VPN_IP> table 200
ip route replace default via <VPN_GW> dev <TAP> table 200

This ensures reply packets from the VPN IP are routed back through the VPN tunnel, not the default route. Needed when the VPN server forwards ports to the client — without it, reply packets leave via the home router and get dropped.

Cleaned up on disconnect and shutdown.

Examples

Minimal connection:

softether-go -host vpn.example.com -user admin -pass secret

Full setup with routing, DNS, and policy routing:

softether-go \
  -host vpn.example.com \
  -port 992 \
  -hub DEFAULT \
  -user admin \
  -pass secret \
  -plain-password \
  -tap vpn0 \
  -mac 5E:3B:6F:63:A8:3E \
  -insecure \
  -accept-default-gateway \
  -accept-static-routes \
  -accept-dns \
  -policy-route-table 200

No DHCP (manual configuration):

softether-go -host vpn.example.com -user admin -pass secret -dhcp=false -tap vpn0

Docker

The client works in containers with NET_ADMIN capability and the TUN device:

docker run --rm -it \
  --cap-add NET_ADMIN \
  --device /dev/net/tun \
  -v ./softether-go:/usr/bin/softether-go \
  alpine \
  softether-go -host vpn.example.com -user admin -pass secret \
    -plain-password -insecure -tap vpn0 \
    -accept-default-gateway -accept-dns

The container needs iproute2 installed (apk add iproute2 on Alpine) for the ip command.

Signals

  • SIGINT / SIGTERM — clean shutdown: closes tunnel, flushes TAP addresses, restores DNS, removes server host route, cleans up policy routes
  • During reconnect delay, a signal triggers immediate shutdown instead of waiting