OPNsense Forum

English Forums => Virtual private networks => Topic started by: Hafedh TRIMECHE on June 24, 2023, 01:40:00 AM

Title: os-softether-devel (misconfigured)
Post by: Hafedh TRIMECHE on June 24, 2023, 01:40:00 AM
Hello,

Please note that Softether plugin reported:
os-softether-devel (misconfigured)

I would reach the local network from Windows Softether VPN Client. No chance.
https://sites.google.com/view/softether-dhcp-bridge
Best regards.
Title: Re: os-softether-devel (misconfigured)
Post by: mimugmail on June 24, 2023, 08:14:30 AM
Softether in FreeBSD is quite limited when it comes to bridging.

Misconfigured is not a problem, you can resolve conflicts in System : Firmware
Title: Re: os-softether-devel (misconfigured)
Post by: cyberbix on August 03, 2025, 10:51:06 AM
The current RTM 4.44. build 9807 works quite well, as mimugmail mentioned, bridging works in a special way, packets go beside any FW rules.

What makes the plugin unusable for me, is the fact that after a while, even without bridging, the vpnserver process goes to almost 100% CPU load, even disconnecting all connections does not solve this. One has to restart the daemon.

Does anybody encounter this problem too?
Title: Re: os-softether-devel (misconfigured)
Post by: mimugmail on August 21, 2025, 09:15:01 AM
The FreeBSD Implementation is really unstable, to me this plugin is only a PoC
Title: Re: os-softether-devel (misconfigured)
Post by: franco on August 29, 2025, 12:30:19 PM
In discussion with Michael we're going to remove it in 25.7.3 -- it was never released officially and feedback was very low and inconclusive over the years. Better VPN alternatives exist these days.


Cheers,
Franco
Title: Re: os-softether-devel (misconfigured)
Post by: mcedars on September 08, 2025, 07:19:10 PM
Quote from: franco on August 29, 2025, 12:30:19 PM
...we're going to remove it in 25.7.3

Hi,

If there is any way to change your mind or to merely plead for this decision to be reversed, please reconsider. We have had great success with Softether on OPNsense for years, in production, for both road-warrior and site-to-site scenarios. It's in production on over a dozen instances serving quite a few sites and users.

It does require a touch of configuration (specifically not using its kernel IP NAT engine) but has been rock-solid and its removal from 25.7.3 would force us into a difficult bind regarding either delayed upgrades or a significant network overhaul.

Many thanks,

Matt
Title: Re: os-softether-devel (misconfigured)
Post by: mimugmail on September 09, 2025, 08:02:04 AM
Hm, so we have 2 options:

1. You contribute a nice and detailed documentation to the OPNsense docs

2. I add the pkg and plugin to my community repo


Tbh I never read about a successful implementation, so I agreed with Franco to remove it as it never left dev status.
Title: Re: os-softether-devel (misconfigured)
Post by: mcedars on September 09, 2025, 05:49:46 PM
First and foremost, a heartfelt "thank you" for the response, flexibility and community spirit.

Both options are great. I'd be happy to contribute back to the community, relaying our experience within the scope of our specific use case. Softether is pretty broad in its configuration options. I'll put together an outline and DM you (mimugmail) the draft. The main thing to understand is that it essentially operates its own independent IP stack, and hence would best be separated from both the kernel and IP address of the OPNsense instance. Once you wrap your head around that, everything becomes pretty straightforward as you configure routing between two separate virtual devices with separate IP addresses that peacefully coexist.

Thinking about it, the final disposition for the softether package may probably best be within the mimugmail community repo. We already use it for the cloudflared package as undoubtedly many others do for the vast array of other useful packages it brings that are "just outside" what would otherwise be within the core scope of the OPNsense project itself, and IMHO that would aptly be true for softether as well in this case.

Thanks again,

Matt
Title: Re: os-softether-devel (misconfigured)
Post by: fhloston on December 18, 2025, 04:24:33 PM
Quote from: franco on August 29, 2025, 12:30:19 PM
In discussion with Michael we're going to remove it in 25.7.3 -- it was never released officially and feedback was very low and inconclusive over the years. Better VPN alternatives exist these days.

Oh what a pity... just noticed on a new install that this is not installable anymore.
 
I contributed the patch to have it follow carp state. I am using this on roughly 40 HA pairs to connect remote offices with datacenter backends. We explicitly migrated to softether from openvpn because in the dual HA configuration this works very well, the active tunnel endpoint on each side just follows CARP master.

Usually if there is no feedback, it just works [tm].

I would obviously be interested to a) be able to install it again and b) receive updates for it.
Title: Re: os-softether-devel (misconfigured)
Post by: mcedars on December 20, 2025, 09:35:20 PM
Same here, we use it in production and as per the above I offered to contribute documentation for it. It's been very stable for us, for many years, on many different systems and in multiple use cases.

All that users need to grasp is that it behaves like its own IP stack side-by-side to the OS, and once you wrap your head around that everything falls into place. Most of the trouble people have is when it tries to compete with OPNsense itself for the same addresses etc.

I wish there was a way to get it installable again, either from the main repo or from the mimugmail repo. Please!! :-)
Title: Re: os-softether-devel (misconfigured)
Post by: mimugmail on December 27, 2025, 09:52:06 PM
I added it today on my repo.