SoftEther Episode I – Adventures in Layer 2 Tunneling

These are my adventures in Layer 2 Tunneling using SoftEther. May you find them useful!

Episode I – Adventures in Layer 2 Tunneling
Episode II – Road Warrior
Episode III – Basic Site to Site
Episode IV – Is it a Bridge? Is it a Switch?
Episode V – What about my Gateway?
Episode VI – Where to insert Layer 3

So what’s the problem? No Layer 2 connectivity between sites, and the need for a simple, fast Road Warrior VPN.

One of the biggest things that was missing from my lab was Layer 2 tunneling. “Why would you want Layer 2 connectivity between sites?” people ask, and there are two answers. The first is that many of my customers have Layer 2 connections between locations and I want to be able to replicate customer environments. The second is that I am putting a particular focus on hybrid cloud workload portability and this feature is important in that space.

I don’t have MPLS, dark fiber, or Nexus 7k’s in my lab. The infrastructure overhead and networking costs to implement multicast and BGP on my perimeter are out of scope for a lab and whatever I do, I want it to be extensible to the cloud. So what’s the right approach?

I was looking for a novel replacement for OpenVPN Access Server and I found SoftEther. It’s Layer 2 VPN software that’s very easy to install and continues to deliver impressive features as I need them. First, it is amazingly simple for a Road Warrior setup, especially for non-static environments like a home lab. I personally implement dynamic DNS so I can always find my home router, but it’s not necessary with SoftEther. With SoftEther’s dynamic DNS you just register a CNAME with and you can always get to your VPN Server. It even supports firewall and NAT traversal, meaning that you can literally connect to anywhere the server happens to be with no network configuration at all. But that’s just where this started.

SoftEther supports Site to Site Layer 2 connections. Take a look here at some of the reasons that this has not been a popular option in the past.

MTU Hell and Extra Mangling with GRE, IPSEC, and NFQUEUE
Layer 2 Tunnel with SSH Taps? Yes you can

Accomplishing a Layer 2 link that actually works well isn’t trivial, and EVPN / VXLAN are for another day. With SoftEther you just point and click using a friendly GUI or a workable CLI. You can fine-tune things and implement strong security as well.

Next Episode: Road Warrior
