Git Sagar
829ca73b1b
Built-in DHCP (raw Ethernet frames through tunnel), automatic reconnection, host route management, classless static routes (option 121/249), DNS config. Single static binary, Linux only. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
3.9 KiB
Usage
softether-go [flags]
Required flags
| Flag | Description |
|---|---|
-host |
SoftEther server hostname or IP |
-user |
Authentication username |
Optional flags
| Flag | Default | Description |
|---|---|---|
-pass |
"" |
Authentication password |
-port |
443 |
Server port |
-hub |
DEFAULT |
Virtual hub name |
-tap |
(auto) | TAP interface name (kernel-assigned if empty) |
-plain-password |
false |
Send password as plaintext (AuthType 2, for RADIUS/external auth) |
-insecure |
false |
Skip TLS certificate verification |
-accept-default-gateway |
false |
Install DHCP-provided gateway as default route |
-accept-static-routes |
false |
Install DHCP classless static routes (option 121/249) |
-accept-dns |
false |
Set /etc/resolv.conf from DHCP-provided DNS servers |
-reconnect-delay |
5s |
Delay between reconnection attempts |
Authentication
Two authentication modes are supported:
Hashed password (AuthType 1) — the default. Password is hashed with SHA-0 and combined with the server's random challenge to produce a SecurePassword. Used for local user accounts on the SoftEther server.
softether-go -host vpn.example.com -user admin -pass secret
Plaintext password (AuthType 2) — enabled with -plain-password. Password is sent as-is over TLS. Used when the server delegates authentication to an external system like RADIUS.
softether-go -host vpn.example.com -user admin -pass secret -plain-password
Network configuration flags
These flags control what the client does with the DHCP lease it receives from the VPN server.
-accept-default-gateway
Adds a default route via the DHCP-provided gateway on the TAP interface with metric 50. Before doing this, the client adds a /32 host route to the VPN server via the current default gateway so the tunnel itself is not routed through the VPN.
Without this flag, only the subnet route (implicit from the assigned IP/mask) is added.
-accept-static-routes
Installs classless static routes from DHCP option 121 (RFC 3442) or option 249 (Microsoft variant). These are non-default routes pushed by the DHCP server, such as routes to specific subnets via the VPN gateway.
If a static route entry has destination 0.0.0.0/0 (default route), it is only installed when -accept-default-gateway is also set. Per RFC 3442, when option 121 is present it takes precedence over option 3 (Router).
-accept-dns
Overwrites /etc/resolv.conf with the DNS servers from the DHCP lease. The original file is backed up in memory and restored when the session ends (disconnect, reconnect, or shutdown).
Examples
Minimal connection:
softether-go -host vpn.example.com -user admin -pass secret
Full setup with routing and DNS:
softether-go \
-host vpn.example.com \
-port 992 \
-hub DEFAULT \
-user admin \
-pass secret \
-plain-password \
-tap vpn0 \
-insecure \
-accept-default-gateway \
-accept-static-routes \
-accept-dns
Named TAP interface with custom reconnect delay:
softether-go \
-host vpn.example.com \
-user admin \
-pass secret \
-tap myvpn \
-reconnect-delay 10s
Docker
The client works in containers with NET_ADMIN capability and the TUN device:
docker run --rm -it \
--cap-add NET_ADMIN \
--device /dev/net/tun \
-v ./softether-go:/usr/bin/softether-go \
alpine \
softether-go -host vpn.example.com -user admin -pass secret \
-plain-password -insecure -tap vpn0 \
-accept-default-gateway -accept-dns
The container needs iproute2 installed (apk add iproute2 on Alpine) for the ip command.
Signals
- SIGINT / SIGTERM — clean shutdown: closes tunnel, flushes TAP addresses, restores DNS, removes server host route
- During reconnect delay, a signal triggers immediate shutdown instead of waiting