3.2 Operating Modes - SoftEther VPN Project

3.2 Operating Modes

    The user can operate the SoftEther VPN Server in two modes: Service Mode and User Mode. Below is an explanation of these two modes.

     

    3.2.1 Service Mode

    Service Mode is the normal operating mode. Installing and operating the SoftEther VPN Server in Service Mode causes it to run in the background as part of the OS: it launches when the OS starts, before any user logs in, and waits for VPN session connections as the VPN server. In addition, the server shuts down automatically when the operating system shuts down.

    The word "service" here refers to a background system service in Windows and some UNIX operating systems and is sometimes referred to as a daemon in other operating systems.

    When the VPN Server is operating in Service Mode, its operation does not depend on which users are currently logged on to the operating system. That is why we recommend running the VPN Server in Service Mode on most occasions.

    When using the VPN Server in Service Mode, the VPN Server process (executable file name vpnserver) typically runs with system or root authority.

    The executable file name for the 32-bit Windows version SoftEther VPN Server is "vpnserver.exe", while the file name for the 64-bit version is "vpnserver_x64.exe". The description in this manual assumes use of the 32-bit version, so please apply the relevant changes in the case of the 64-bit version.

     

    Installing the VPN Server in Service Mode

    The method for installing the VPN Server in Service Mode on the Windows version differs from that for the Linux and other UNIX versions.

    • Installing the Windows version SoftEther VPN Server from the installer results in the installation of the Service Mode and automatic initiation of its operation as a background service. For details, please refer to 7.2 Install on Windows and Initial Configurations.
    • In order to install the SoftEther VPN Server in Service Mode on the Linux version or other UNIX versions, it is necessary to register it on the system as a daemon process. For details, please refer to 7.3 Install on Linux and Initial Configurations.

    Service Mode cannot be used in the following situations, in which case the VPN Server should be used in User Mode.

    • When the user does not have System Administrator authority on the system on which the SoftEther VPN Server is to operate.
    • When the client wishes to install and use the SoftEther VPN Server temporarily rather than continuously.
    • When the client wishes to launch the SoftEther VPN Server with general user authority for security reasons.

    Service Mode for Windows Version SoftEther VPN Server

    We recommend using the installer when installing the Windows version VPN Server in Service Mode. This method automatically launches and runs the VPN Server as a service without the need for any special operation by the client. Even if the system is rebooted, the VPN Server will automatically begin operating upon system start-up. Because the VPN Server is launched as a background task, the computer on which the server is installed can be used for other tasks without the client having to be aware of said server's installation.

    In addition, the Windows version SoftEther VPN Server service can be commenced or terminated by attaching the relevant command line argument to the executable file name (vpnserver.exe), or can be removed or re-registered from the Windows system via the Windows system service list.

    The shortened service name of the SoftEther VPN Server service registered on the Windows system is "sevpnserver" and the long service name is "SoftEther VPN Server".

    To register vpnserver.exe as a service when the SoftEther VPN Server service is not currently installed on the Windows system, enter the following at the command prompt to execute vpnserver.exe (System Administrator authority is required).

    > vpnserver /install 

    To delete the SoftEther VPN Server service when it is already installed on the Windows system, enter the following at the command prompt to execute vpnserver.exe (System Administrator authority is required).

    > vpnserver /uninstall 

    Furthermore, attaching the /start or /stop arguments enables the service to be commenced or terminated. For details on other arguments which can be designated in the vpnserver program, please refer to the message box which appears when directly executing vpnserver.exe.

    The service can also be started and terminated by accessing Control Panel > Administrative Tools > Services (or Control Panel > Services in the case of Windows NT 4.0). It is possible to change the service from Automatic to Manual startup by selecting SoftEther VPN Server from the Services list, then opening Startup type. Changing the startup type to Manual means that the service does not launch automatically on startup, and does not operate until initiated by a user with Administrator authority.

    It is also possible to start and stop the SoftEther VPN Server service using the net command. Enter net start sevpnserver to start the service, and net stop sevpnserver to terminate the service.

    The SoftEther VPN Server emulates the service system of Windows NT or later when operating on an older OS. There may be several limitations in this case, such as the process terminating when the user logs off.
     

    Figure 3-2-1: SoftEther VPN Server registered as a service.

    Service Mode for UNIX Version SoftEther VPN Server

    Please refer to 7.3 Install on Linux and Initial Configurations for details on installing and launching the Linux and other UNIX versions of the SoftEther VPN Server in Service Mode.

    3.2.2 User Mode

    User Mode is a special type of operating mode. Operating the SoftEther VPN Server in User Mode causes the SoftEther VPN Server to run in the background as a user process. To operate the SoftEther VPN Server in User Mode, it is necessary to log onto the system as a user and launch the vpnserver executable file each time the server is launched. Operations may differ depending on the operating system as described below.

    • Launching the VPN Server in User Mode on the Windows OS will result in the server process running in the background only while the user is logged on, and the process will terminate at the same time that the user logs off.
    • Meanwhile, launching the VPN Server in User Mode on a UNIX OS will result in the VPN Server's server process creating a child process at that time and running it in the background, thereby separating the process from the user session. Consequently, the VPN Server process will remain operational on the OS even if the user logs off, and will continue running until the system is shut down or rebooted.

    User Mode for Windows Version SoftEther VPN Server

    To launch the Windows version VPN Server in User Mode, attach the /usermode option to the vpnserver.exe executable file and then launch.

    > vpnserver /usermode

    Once the launch is complete, an icon will appear in the task tray and the VPN Server will have launched in User Mode. In this mode, the VPN Server program operates as one which can be executed with general user authority, similar to other application programs operating in User Mode (such as Word, calculator and so on). That is why absolutely no System Administrator authority is required to launch the VPN Server in User Mode. However, the VPN Server process also terminates at the same time that the user logs off. We recommend saving the above /usermode option attached to the command line as a shortcut on the desktop or setting it up in the [Startup] folder in order to facilitate the frequent launch of the VPN Server in User Mode.

    Figure 3-2-2: SoftEther VPN Server launched in User Mode.

    To terminate the User Mode once it has been launched, right click on the icon in the task tray and select Exit SoftEther VPN Server.

    Furthermore, clicking on Hide task tray icon hides the icon in the task tray display. This function is useful when the VPN Server is launched regularly in User Mode and the icon display becomes a hindrance. Note, however, that the VPN Server cannot be terminated from the menu when the task tray icon is hidden. In this case, press the Ctrl + Alt + Del keys to open the Task Manager and end the vpnserver.exe process. When launching vpnserver.exe the next time in User Mode, the task tray icon can be restored by attaching the /usermode_showtray option.


    Operating the SoftEther VPN Server in User Mode with general user authority, rather than registering it as a system service that runs with System Administrator authority, may enhance security. Launching the SoftEther VPN Server in User Mode may, however, result in the inability to use the local bridge function.

    User Mode for Unix Version SoftEther VPN Server

    To launch the VPN Server in User Mode on UNIX systems including Linux, rather than registering the vpnserver executable file in the system as a daemon, attach the start argument from the command line as shown below as if launching a normal application command (such as ls, cat, etc.) and launch vpnserver.

    $ ./vpnserver start
    SoftEther VPN Server Service Started.
    $ 

    If control returns to the shell after the message [SoftEther VPN Server Service Started.] is output, this means that the VPN Server was properly launched in User Mode. To terminate the VPN Server once it has been launched, attach the stop argument and launch the vpnserver as follows.

    $ ./vpnserver stop
    SoftEther VPN Server Service Stopped.
    $  

    When the VPN Server is launched on UNIX in User Mode, the process operates and becomes a background process with that user's authority. Therefore, the vpnserver process continues to operate even if the user logs out or disconnects the SSH connection. The process continues to operate until the system is rebooted or until the process is forcibly terminated by root.

    As described in 7.3 Install on Linux and Initial Configurations, daemonizing and using the vpnserver process in UNIX operating systems is simply a matter of registering it so as to instruct the operating system's startup script to call up vpnserver start. Even when running the VPN Server in Service Mode, something equivalent to the procedure described here is automatically performed by a system with root authority so there is fundamentally no difference. Accordingly, the items described below also apply generally to the daemonized VPN Server.

    As shown below, the vpnserver process is launched in two stages on the UNIX version VPN Server. First, an initial process named execsvc is launched as a background process, after which that process creates a child process using the fork() system call, and this child process carries out the actual VPN processing. The parent process (process ID 1549 in the example below) constantly monitors the child process (process ID 1550 in the example below) and, in the event that an abnormal error occurs, immediately terminates the process and launches it again to attempt recovery (see 3.3 VPN Server Administration for details). The example below was actually run on a particular Linux system, so it may not appear the same on different Linux or other operating systems. In addition, because old Linux kernels (i.e. versions not compatible with native threads) display multiple threads as multiple processes, more vpnserver processes may be listed than in the example below; this is a display issue and operation is in fact normal.

    $ ps auxf
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    neko 1549 0.0 0.8 5188 560 ? S< Nov24 0:00 /tmp/vpnserver execsvc
    neko 1550 0.0 4.0 11888 2520 ? S< Nov24 0:08 \_ /tmp/vpnserver execsvc 

    Although this only occurs rarely, in the event that the VPN Server process launched in User Mode goes out of control for some reason such as a hardware malfunction (a memory shortage, for instance) and cannot be stopped by vpnserver stop, first forcibly terminate the parent vpnserver process (process ID 1549 in the example above) by sending a signal to it using kill -KILL, then forcibly terminate the remaining process (process ID 1550 in the above example) by sending a signal to it with kill -KILL. Forcibly terminating the child process first may cause the parent process to determine that the child process terminated abnormally and launch it again. Depending on the system, killall -KILL vpnserver may enable the simultaneous termination of all vpnserver processes.

    Moreover, when the vpnserver receives the TERM signal (the normal termination request signal), it performs termination processing properly.
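
    The forced-termination order described above (monitoring parent first, then its child) can be computed from ps output rather than read off by eye. The script below is an added example, not part of the SoftEther manual; the function names, the PPID column and the sshd line in the constructed sample are assumptions.

```sh
#!/bin/sh
# Added example (not from the SoftEther manual): order vpnserver PIDs so the
# monitoring parent is signalled before the child it would otherwise relaunch.

# Constructed sample in `ps -eo pid,ppid,user,args` format, modelled on the
# listing above; the PPID column and the sshd line are assumptions.
SAMPLE_PS='  PID  PPID USER     COMMAND
 1201     1 root     /usr/sbin/sshd -D
 1549     1 neko     /tmp/vpnserver execsvc
 1550  1549 neko     /tmp/vpnserver execsvc'

# Read ps output on stdin and print "vpnserver execsvc" PIDs, parents first.
# Optional $1 limits the result to one user's processes, so a User Mode
# instance can be stopped without touching a daemon owned by another account.
vpnserver_kill_order() {
    awk -v user="${1:-}" '
        $4 ~ /(^|\/)vpnserver$/ && $5 == "execsvc" && (user == "" || $3 == user) {
            ppid[$1] = $2; order[++n] = $1
        }
        END {
            # Pass 1: processes whose parent is not itself a vpnserver.
            for (i = 1; i <= n; i++) if (!(ppid[order[i]] in ppid)) print order[i]
            # Pass 2: the children that do the actual VPN processing.
            for (i = 1; i <= n; i++) if (ppid[order[i]] in ppid) print order[i]
        }'
}

# Last resort after "vpnserver stop" has failed: KILL in the computed order.
vpnserver_force_kill() {
    for pid in $(ps -eo pid,ppid,user,args | vpnserver_kill_order "${1:-}"); do
        kill -KILL "$pid" 2>/dev/null || echo "could not signal $pid" >&2
    done
}

# Demonstration on the constructed sample: prints 1549, then 1550.
printf '%s\n' "$SAMPLE_PS" | vpnserver_kill_order neko
```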

    On UNIX operating systems, processes operating with general user authority are not permitted to listen on TCP/IP ports with a port number less than 1024. That is why TCP/IP listener ports with a port number less than 1024 cannot be opened when operating the SoftEther VPN Server in User Mode with general user authority rather than operating it after registration as a system service with System Administrator authority. Please note that although the SoftEther VPN Server attempts to open the three ports 443, 992 and 5555 by default as listener ports, operating the server in User Mode means that only port 5555 goes into listen mode. Additionally, launching the SoftEther VPN Server in User Mode may result in the inability to use the local bridge function.
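
    To confirm which of the three default listeners an instance actually opened, the expected set for a given UID can be compared with the sockets the system reports. The script below is an added example, not part of the SoftEther manual; the function names and the ss sample are constructed, and the Linux sysctl mentioned in the comments is an addition beyond what the manual covers.

```sh
#!/bin/sh
# Added example, not part of the SoftEther manual.
DEFAULT_PORTS="443 992 5555"   # default listener ports named in the manual

# Constructed `ss -Hltn` output for a User Mode instance (assumed sample).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
LISTEN 0 128 0.0.0.0:5555 0.0.0.0:*
LISTEN 0 128    [::]:5555    [::]:*'

# Default ports a process with effective UID $1 may open when $2 is the
# lowest unprivileged port: 1024 classically; on Linux the current value is
# in /proc/sys/net/ipv4/ip_unprivileged_port_start. File capabilities such
# as CAP_NET_BIND_SERVICE are not modelled here.
bindable_ports() {
    for p in $DEFAULT_PORTS; do
        if [ "$1" -eq 0 ] || [ "$p" -ge "$2" ]; then printf '%s ' "$p"; fi
    done
}

# Read `ss -Hltn` output on stdin; print every local TCP port in LISTEN.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); printf "%s ", a[n] }'
}

# Compare expected and actual listeners; one report line per default port,
# exit status 1 on any mismatch (e.g. 443 open under an unprivileged UID).
audit_listeners() {
    expected=" $(bindable_ports "$1" "$2")"
    listening=" $(listening_ports)"
    rc=0
    for p in $DEFAULT_PORTS; do
        case "$expected"  in *" $p "*) e=yes ;; *) e=no ;; esac
        case "$listening" in *" $p "*) l=yes ;; *) l=no ;; esac
        [ "$e" = "$l" ] || rc=1
        echo "port $p expected=$e listening=$l"
    done
    return "$rc"
}

# Demonstration: UID 1000 with the classic 1024 threshold matches the sample.
printf '%s\n' "$SAMPLE_SS" | audit_listeners 1000 1024
```

    The check only looks at port numbers, so a low port held by some other program (a web server on 443, for instance) is reported as a mismatch and should be attributed to its owning process before drawing conclusions.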