Guide to Configuring WireGuard on a SoftEther VPN Server

SoftEther is a sophisticated, multi-protocol VPN solution that supports a wide range of VPN protocols, including WireGuard, OpenVPN, L2TP/IPsec, SSTP, and more. In this guide, we focus on configuring the WireGuard protocol on a SoftEther VPN Server using the vpncmd utility – the only currently supported setup method for WireGuard on SoftEther.

Note: This guide is intended for advanced users who are comfortable with command-line interfaces and manual server configuration.

Prerequisites

Before you begin, ensure that:

  • You have a running, up-to-date SoftEther VPN Server installed on a Linux machine. This guide uses SoftEther Version 5.02 Build 5185 on Ubuntu OS.
  • Your server is operating in standalone mode (i.e., not as a cluster controller or member), as WireGuard connections can only be established on a standalone server.
  • You have administrative access to the SoftEther server and have the vpncmd utility installed either on the same server or remotely.
  • You have a fully configured virtual hub that will be used for connecting WireGuard clients.

Step 1: Configuring the UDP Port for WireGuard

Ensure you have administrator privileges for the VPN server before setting up the WireGuard connection. Start by running the vpncmd utility, selecting option #1 and logging in as Administrator:

./vpncmd

To verify if your SoftEther server is listening on a UDP port, execute the following command:

PortsUDPGet

If no UDP port is active, add one using the command below. You can choose any port number, provided it is not already in use by another service on your Linux server:

PortsUDPSet 51820

Note: You can specify multiple ports simultaneously by separating them with commas. Ensure that these ports are not blocked by your server’s firewall or iptables.

Step 2: Setting the Default Gateway and Subnet for WireGuard

Because WireGuard doesn’t support DHCP (which relies on broadcast messages that don’t work over a point-to-point VPN tunnel), each peer must have a manually configured (static) IP address to ensure proper encryption and routing. Switch to your virtual hub and configure the default gateway and subnet mask that your WireGuard clients with static IP addresses will use:

Hub myhub
SetStaticNetwork /GATEWAY=192.168.1.1 /SUBNET=255.255.255.0

Replace 192.168.1.1 and 255.255.255.0 with the appropriate gateway IP and subnet mask – the same ones your hub’s DHCP server provides to connected clients. Verify that the hub’s static network has been configured correctly by running this command:

OptionsGet myhub

Step 3: Enabling the WireGuard Protocol

Although WireGuard support is typically enabled by default, make sure it is enabled by running the following command, which sets the protocol’s enabled option to true (ProtoOptionsGet wireguard shows the current protocol options if you only want to check):

ProtoOptionsSet wireguard /NAME=enabled /VALUE=true

Step 4: Generating and Assigning User Keys

WireGuard uses X25519 key pairs for secure communication. You can generate these keys using the vpncmd utility or an external tool. In the example below, keys are generated via vpncmd.

Exit vpncmd and relaunch it, then select option #3 to enter Tools mode. Run the following command to generate a key pair:

GenX25519

The tool will generate a pair of keys – a Private Key and a Public Key. Copy and securely store these keys. If you have multiple hubs or users that require a WireGuard connection, generate a separate key pair for each.

After generating the keys, log in to vpncmd as Administrator again and assign each user’s public X25519 key to the appropriate hub:

WgkAdd "WFPFO/s8UXD6HNH+2P2UjfbkUP8BFITa7TXKculvDUk=" /HUB=myhub /USER=myuser

Replace WFPFO/s…ulvDUk=, myhub, and myuser with your actual public key, hub name, and username. Make sure that this user exists on the specified hub.

Now, you can verify that the WireGuard keys were added correctly with the following command:

WgkEnum

Step 5: Creating a Sample WireGuard Client Configuration

Below is a sample configuration file. Copy it to a text editor and replace the placeholders with your actual values, which we’ll explain in a moment:

[Interface]
PrivateKey = WFPFO/s8UXD6HNH+2P2UjfbkUP8BFITa7TXKculvDUk=
Address = 192.168.1.15/32
DNS = 9.9.9.9,149.112.112.112

[Peer]
PublicKey = pbnWflgIl4CUqYkgZKrtQg/jMAyytyS/AufEt4OAq3Y=
PresharedKey = s/8eDb4r6BUtAMZEY8a+VC4Qs4HYzUJVqD8YzSNFzuk=
AllowedIPs = 0.0.0.0/0
Endpoint = 150.151.152.153:51820
PersistentKeepalive = 21

[Interface] Section

  • PrivateKey: Enter the private key from the X25519 key pair generated in Step 4. Its public half is the key you registered with WgkAdd; the private half stays on the client and is never entered on the server.
  • Address: Assign a static IP address on your hub for this user. Ensure the IP is within the static network and subnet defined in Step 2. WireGuard requires the IP to end with /32 to denote a single host.
    Note: If your virtual hub is managed by a DHCP server, it’s best to reserve a dedicated static IP pool solely for WireGuard connections to prevent IP address conflicts.
  • DNS: Specify the DNS servers used by your network. In this example, Quad9’s servers are configured.

[Peer] Section

  • PublicKey: Enter your server’s public key. First, retrieve your server’s private key by running the following command in Admin mode:
    ProtoOptionsGet wireguard
    Copy the private key and then run the following command in vpncmd Tools mode to obtain the corresponding public key:
    GetPublicX25519 YourServerPrivateKey
    Replace YourServerPrivateKey with your server’s actual private key.
  • PresharedKey: Retrieve the preshared key by executing:
    ProtoOptionsGet wireguard
  • AllowedIPs: Setting AllowedIPs = 0.0.0.0/0 directs all IPv4 traffic through the VPN tunnel, making the VPN peer the default gateway.
  • Endpoint: Specify your server’s IP address and the UDP port (as set in Step 1) instead of 150.151.152.153:51820.
  • PersistentKeepalive: A setting of 21 instructs the client to send a keepalive packet every 21 seconds, ensuring that the connection remains active, particularly for peers behind NAT or firewalls.
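The two manual steps above that are easiest to get wrong are deriving the server’s public key from its private key (what GetPublicX25519 does in Tools mode) and picking a client Address that actually lies inside the static network set in Step 2. The following script is an added example, not code from SoftEther or from this guide: it implements the X25519 public-key derivation per RFC 7748, checks a candidate /32 address against the hub’s gateway and subnet mask, and renders the Step 5 client file. The server private key is the RFC 7748 test vector, and the client private key, preshared key, addresses and endpoint are constructed placeholders; replace them with the values your vpncmd session returned.

```python
"""Added example (not SoftEther's own code): derive a WireGuard public key
from its X25519 private key, as vpncmd's GetPublicX25519 does, and render a
client config whose Address is checked against the hub's static network
from Step 2. All key material and addresses below are constructed samples."""
import base64
import ipaddress

P = 2**255 - 19                          # field prime for Curve25519
A24 = 121665                             # (486662 - 2) / 4, RFC 7748 ladder constant
BASEPOINT = (9).to_bytes(32, "little")   # X25519 generator u = 9


def _clamp(k: bytes) -> int:
    """Clamp the scalar as RFC 7748 section 5 requires before multiplying."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    return int.from_bytes(kb, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748. Educational and not constant-time;
    use a vetted library for anything that touches real keys."""
    scalar = _clamp(k)
    ub = bytearray(u)
    ub[31] &= 127                        # mask the unused top bit of u
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow((da + cb) % P, 2, P)
        z3 = x1 * pow((da - cb) % P, 2, P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_from_private(private_b64: str) -> str:
    """Equivalent of vpncmd's 'GetPublicX25519 <private>' (base64 in and out)."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("X25519 private key must decode to 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def address_in_static_network(address: str, gateway: str, mask: str) -> bool:
    """True if a client /32 address is a usable host inside the network that
    'SetStaticNetwork /GATEWAY=... /SUBNET=...' defined for the hub."""
    net = ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)
    addr = ipaddress.IPv4Address(address)
    return (addr in net
            and addr not in (net.network_address, net.broadcast_address)
            and addr != ipaddress.IPv4Address(gateway))


def build_client_config(client_private_b64, client_address, gateway, mask,
                        server_private_b64, preshared_b64, endpoint, port,
                        dns=("9.9.9.9", "149.112.112.112"), keepalive=21) -> str:
    """Render the [Interface]/[Peer] file from Step 5; refuses an Address that
    falls outside the hub's static network or collides with the gateway."""
    if not address_in_static_network(client_address, gateway, mask):
        raise ValueError(f"{client_address} is not a usable host in "
                         f"{gateway}/{mask}; fix Address or SetStaticNetwork")
    server_public = public_from_private(server_private_b64)
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {client_private_b64}",
        f"Address = {client_address}/32",
        f"DNS = {','.join(dns)}",
        "",
        "[Peer]",
        f"PublicKey = {server_public}",
        f"PresharedKey = {preshared_b64}",
        "AllowedIPs = 0.0.0.0/0",
        f"Endpoint = {endpoint}:{port}",
        f"PersistentKeepalive = {keepalive}",
    ]) + "\n"


# Constructed sample inputs. The server private key is the RFC 7748 section
# 6.1 test vector, so the derived public key can be checked against the RFC.
SERVER_PRIVATE_B64 = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
CLIENT_PRIVATE_B64 = base64.b64encode(bytes(range(32))).decode()   # placeholder
PRESHARED_B64 = base64.b64encode(bytes(range(32, 64))).decode()     # placeholder

if __name__ == "__main__":
    print(build_client_config(CLIENT_PRIVATE_B64, "192.168.1.15",
                              "192.168.1.1", "255.255.255.0",
                              SERVER_PRIVATE_B64, PRESHARED_B64,
                              "150.151.152.153", 51820))
```

Run it with `python3 wg_softether_config.py` and compare the PublicKey line with what GetPublicX25519 printed in Tools mode; a mismatch means the wrong private key was copied from ProtoOptionsGet wireguard. The address check is deliberately strict about the gateway and broadcast addresses, since handing a WireGuard peer the hub gateway’s own address breaks routing for every client on the hub.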

By setting the UDP port, configuring the default gateway and subnet, enabling the WireGuard protocol, generating and assigning keys, and creating a client configuration file, you should now be able to establish a secure connection to your SoftEther virtual hub via WireGuard. Once connected, check if your traffic is routed through the WireGuard tunnel to your SoftEther server.

FAQ

  • SoftEther VPN is a free, open-source VPN that supports multiple protocols (SSL-VPN, L2TP/IPsec, OpenVPN, SSTP, WireGuard) for secure, cross-platform connectivity. Its efficient design and robust encryption provide high performance and reliable remote access for both individuals and enterprises.
  • WireGuard is a modern, high-performance VPN protocol known for strong encryption. SoftEther lets you set up WireGuard connections via the vpncmd utility on standalone servers.
  • Start by running vpncmd in admin mode, verify the UDP ports with the 'PortsUDPGet' command, and set a port (e.g., PortsUDPSet 51820) to enable WireGuard connections.
  • Because WireGuard doesn’t support DHCP (which relies on broadcasts), each client’s IP must be statically assigned; using a /32 prefix ensures precise, secure routing.
  • Use vpncmd’s 'Tools' mode to run the GenX25519 command for generating X25519 key pairs, then assign the public key to a hub with the 'WgkAdd' command.
  • First, retrieve the server’s private key using 'ProtoOptionsGet wireguard', then generate its public key with the 'GetPublicX25519' command in Tools mode.
  • Verify that the correct UDP port is set, check that static IP addresses match your SoftEther hub network’s settings, ensure keys are properly generated and assigned, and confirm the server is in standalone mode.
  • Avoid misconfiguring UDP ports, neglecting the static network requirements for WireGuard, using incorrect key pairs, and running the server in clustered mode instead of standalone.