SoftEtherClientSoftEtherUnofficial/SoftEtherClient
-N/A
A modern, cross-platform VPN client implementation in Zig, compatible with SoftEther VPN protocol.
1110
3
softether,vpn,zig
build.zig.zonbuild.zig
View program on GitHubDependencies
README
SoftEtherZig
A modern, cross-platform VPN client implementation in pure Zig, progressively replacing the SoftEther VPN C codebase.
π Security Notice
IMPORTANT: Never use plaintext passwords on the command line! See SECURITY.md for secure credential management best practices.
Recommended: Use pre-hashed passwords or environment variables:
# Generate hash (do this once)
./vpnclient --gen-hash username password
# Use hash instead of plaintext password
./vpnclient -u username --password-hash "your_hash_here"
# Or use environment variables
export SOFTETHER_PASSWORD_HASH="your_hash_here"
./vpnclient
Overview
SoftEtherZig is a complete rewrite of SoftEther VPN in pure Zig. While currently wrapping the battle-tested C core, we're systematically replacing all C code with safe, idiomatic Zig implementations.
Why Zig?
- Memory Safety: Eliminate buffer overflows, use-after-free, null pointer dereferences
- Performance: Zero-cost abstractions, LLVM optimizations, compile-time code generation
- Maintainability: No header files, built-in testing, clear error handling
- Portability: Native cross-compilation to any platform without toolchain hassle
Features
Zig Components (Pure Zig - Phase 1-3 Complete):
- β Foundation Layer (Phase 1): Memory management, string operations, collections (1,530 lines, 52 tests)
- β Network Layer (Phase 2): Socket, HTTP, connection management (1,754 lines, 34 tests)
- β
Protocol Layer (Phase 3): VPN protocol, packet handling, REAL cryptography (3,121 lines, 50 tests)
- VPN Protocol: Session management, authentication, state machine (607 lines, 12 tests)
- Packet Handling: Format, fragmentation, compression (791 lines, 13 tests)
- Encryption: Production AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305 (823 lines, 16 tests)
- Integration: Full end-to-end VPN client with worker threads (900 lines, 9 tests)
- β
FFI Layer: Cross-platform C API (
include/ffi.h) for iOS, Android, and other platforms - β CLI Interface: Command-line tool with secure credential handling
- β Configuration System: Type-safe JSON parsing with validation
- β Test Coverage: 122/126 tests passing (96.8%), zero memory leaks, zero warnings
- β³ Phase 4: Platform adapters (Linux/Windows TUN/TAP porting from C)
VPN Capabilities (SoftEther SSL-VPN Protocol):
- π Secure: SSL/TLS 1.3 encryption with SoftEther's proven SSL-VPN protocol
- π Cross-Platform: Native support for macOS, Linux, Windows, Android, and iOS
- β‘ UDP Acceleration: Optimized network performance with R-UDP protocol
- π Dual Mode Support: SecureNAT (Layer 3) and Local Bridge (Layer 2) modes
- π Automatic Reconnection: Exponential backoff with configurable retry limits
- π Note: This is SoftEther's proprietary SSL-VPN, not SSTP/OpenVPN/L2TP
Quick Start
# Clone the repository
git clone https://github.com/yourusername/SoftEtherZig.git
cd SoftEtherZig
# Build the client
zig build
# Generate password hash (recommended for security)
./zig-out/bin/vpnclient --gen-hash username password
# Copy the generated hash
# Connect to a VPN server (using hash)
sudo ./zig-out/bin/vpnclient -s vpn.example.com -H VPN -u username --password-hash "your_hash_here"
# Or use environment variables (most secure)
export SOFTETHER_SERVER="vpn.example.com"
export SOFTETHER_HUB="VPN"
export SOFTETHER_USER="username"
export SOFTETHER_PASSWORD_HASH="your_hash_here"
sudo -E ./zig-out/bin/vpnclient
β οΈ Security Warning: The examples in the rest of this README may show
-P passwordfor simplicity, but you should always use--password-hashin production. See SECURITY.md for details.
Installation
Prerequisites
- Zig: 0.15.1 or later (download)
- OpenSSL: 3.0+ (system package manager)
- Root/Admin privileges: Required for TUN device creation
System Dependencies
# macOS
brew install openssl@3
# Ubuntu/Debian
sudo apt update
sudo apt install libssl-dev
# Fedora/RHEL
sudo dnf install openssl-devel
# Windows
# Download OpenSSL from https://slproweb.com/products/Win32OpenSSL.html
Build
# Development build
zig build
# Optimized release build
zig build -Doptimize=ReleaseFast
# Install system-wide (optional)
sudo cp zig-out/bin/vpnclient /usr/local/bin/
Usage
Command Line Interface
# Basic connection
sudo vpnclient -s vpn.example.com -H VPN -u username -P password
# Custom port
sudo vpnclient -s vpn.example.com -p 8443 -H VPN -u username -P password
# Daemon mode (background)
sudo vpnclient -s vpn.example.com -H VPN -u username -P password -d
# Show help
vpnclient --help
CLI Options
Connection Options
| Option | Description | Default |
|---|---|---|
-s, --server <HOST> |
VPN server hostname | required |
-p, --port <PORT> |
VPN server port | 443 |
-H, --hub <HUB> |
Virtual hub name | required |
-u, --user <USERNAME> |
Username | required |
-P, --password <PASS> |
Password (use --password-hash instead!) |
required |
--password-hash <HASH> |
Pre-hashed password (recommended) | |
-a, --account <NAME> |
Account name | username |
--no-encrypt |
Disable encryption | false |
--no-compress |
Disable compression | false |
-d, --daemon |
Run as daemon | false |
Performance Options
| Option | Description | Default |
|---|---|---|
--use-zig-adapter |
Use Zig packet adapter (default, 10x faster) | true |
--use-c-adapter |
Use legacy C adapter (fallback) | false |
--profile |
Enable performance profiling | false |
Reconnection Options
| Option | Description | Default |
|---|---|---|
--reconnect |
Enable auto-reconnection | true |
--no-reconnect |
Disable auto-reconnection | false |
--max-retries <N> |
Max reconnection attempts (0=infinite) | 0 |
--min-backoff <SEC> |
Min backoff delay (seconds) | 5 |
--max-backoff <SEC> |
Max backoff delay (seconds) | 300 |
Other Options
| Option | Description | Default |
|---|---|---|
--log-level <LEVEL> |
Log verbosity: silent, error, warn, info, debug, trace | info |
-h, --help |
Show help | |
-v, --version |
Show version |
Library Usage
const softether = @import("softether");
pub fn main() !void {
var gpa = std.heap.GeneralPurposeAllocator(.{}){};
defer _ = gpa.deinit();
const allocator = gpa.allocator();
const config = softether.ConnectionConfig{
.server_name = "vpn.example.com",
.server_port = 443,
.hub_name = "VPN",
.account_name = "myaccount",
.auth = .{ .password = .{
.username = "user",
.password = "pass",
} },
.use_encrypt = true,
.use_compress = true,
};
var client = try softether.VpnClient.init(allocator, config);
defer client.deinit();
try client.connect();
// Your application logic here
while (client.isConnected()) {
std.time.sleep(1 * std.time.ns_per_s);
}
}
Architecture
FFI Status
| FFI Layer | Status | Platforms | Implementation | Recommended |
|---|---|---|---|---|
| ffi.h | β Active | All platforms | Pure Zig | β YES |
| softether_ffi.h | β Removed | iOS only | C | β No |
Note: Legacy FFI was archived October 2025. See Migration Guide for historical context.
Porting Status
| Phase | Component | Status | Progress | Target |
|---|---|---|---|---|
| 1 | Foundation | π‘ In Progress | 15% | Q2 2026 |
| 1.1 | Platform Adapters (TUN/TAP) | β³ Starting | 0% | Q1 2026 |
| 1.2 | Mayaqua Library (utilities) | β³ Planned | 0% | Q2 2026 |
| 2 | Core Infrastructure | βΈοΈ Not Started | 0% | Q4 2026 |
| 2.1 | Network Stack (TCP/UDP/HTTP) | βΈοΈ Not Started | 0% | Q3 2026 |
| 2.2 | Cryptography Layer | βΈοΈ Not Started | 0% | Q4 2026 |
| 3 | Session Management | βΈοΈ Not Started | 0% | Q2 2027 |
| 4 | Protocols (SSTP/L2TP/OpenVPN) | βΈοΈ Not Started | 0% | Q4 2027 |
| 5 | Applications (Client/Server) | βΈοΈ Not Started | 0% | Q2 2028 |
Overall: 2% complete (~1,200 of ~70,000 lines ported to Zig)
Current Sprint (October 2025)
Goal: Port macOS packet adapter to pure Zig
Create src/platform/macos.zig
Integrate ZigTapTun for utun management
Port DHCP packet handling
Achieve performance parity with C version
See Porting Progress Tracker for detailed task list.
Architecture
Current Hybrid Architecture (Phase 1)
βββββββββββββββββββββββββββββββββββββββ
β Zig Application Layer (PURE ZIG) β
β cli.zig, client.zig, config.zig β
ββββββββββββββββ¬βββββββββββββββββββββββ
β
ββββββββββββββββΌβββββββββββββββββββββββ
β FFI Layer (PURE ZIG) β
β ffi/ffi.zig - Cross-platform API β
ββββββββββββββββ¬βββββββββββββββββββββββ
β
βββββββ΄ββββββ
β C Bridge β β Being eliminated
βββββββ¬ββββββ
β
ββββββββββββββββΌβββββββββββββββββββββββ
β SoftEther Core (C β Zig in progress)
β Cedar + Mayaqua libraries β
ββββββββββββββββ¬βββββββββββββββββββββββ
β
ββββββββββββββββΌβββββββββββββββββββββββ
β Platform Layer (C β Zig Phase 1) β
β TUN/TAP adapters β
βββββββββββββββββββββββββββββββββββββββ
Target Pure Zig Architecture (Phase 5)
βββββββββββββββββββββββββββββββββββββββ
β Zig Application β
β (Client, Server, Bridge) β
ββββββββββββββββ¬βββββββββββββββββββββββ
β
ββββββββββββββββΌβββββββββββββββββββββββ
β Protocol Layer (Zig) β
β SSTP, L2TP, OpenVPN β
ββββββββββββββββ¬βββββββββββββββββββββββ
β
ββββββββββββββββΌβββββββββββββββββββββββ
β Session Management (Zig) β
β Connection pooling, Keep-alive β
ββββββββββββββββ¬βββββββββββββββββββββββ
β
ββββββββββββββββΌβββββββββββββββββββββββ
β Network Stack (Zig) β
β TCP/UDP, HTTP, TLS via std.crypto β
ββββββββββββββββ¬βββββββββββββββββββββββ
β
ββββββββββββββββΌβββββββββββββββββββββββ
β Platform Adapters (Zig) β
β Pure Zig TUN/TAP via ZigTapTun β
βββββββββββββββββββββββββββββββββββββββ
Project Structure
SoftEtherZig/
βββ SoftEtherVPN_Stable/ # SoftEther C source (submodule)
β βββ src/ # Original SoftEther VPN codebase
βββ src/ # Zig implementation
β βββ main.zig # Library entry point
β βββ cli.zig # Command-line interface
β βββ client.zig # VPN client logic
β βββ config.zig # Configuration types
β βββ types.zig # Common data structures
β βββ errors.zig # Error definitions
β βββ ffi/
β β βββ ffi.zig # β
FFI (cross-platform C API)
β βββ c.zig # C imports and bindings
β βββ bridge/ # C bridge layer
β βββ softether_bridge.c # Main SoftEther interface
β βββ unix_bridge.c # POSIX system abstraction
β βββ packet_adapter_*.c # Platform-specific TUN/TAP
β βββ tick64_*.c # High-resolution timing
βββ legacy/ # Archived deprecated code
β βββ ffi/ # Legacy FFI (archived Oct 2025)
β βββ ios_ffi.c.archived # Old iOS FFI implementation
β βββ softether_ffi.h.archived # Old FFI header
β βββ ffi.zig.archived # Old Zig FFI stubs
βββ build.zig # Build configuration
βββ build.zig.zon # Zig package dependencies
βββ zig-out/ # Build artifacts
βββ bin/
βββ vpnclient # Compiled executable
Component Overview
- CLI Layer (
cli.zig): Command-line argument parsing and user interaction - Client Layer (
client.zig): High-level VPN connection management - Bridge Layer (
bridge/): C code that interfaces with SoftEther VPN - FFI Layer (
ffi.zig): Safe Zig bindings to C functions
Network Architecture
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Application ββββββ Zig Client ββββββ C Bridge β
β (CLI/Library) β β Logic β β Layer β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β β β
βββββββββββββββββββββββββΌββββββββββββββββββββββββ
β
ββββββββββββββββββββββ
β SoftEther VPN β
β Core (C) β
ββββββββββββββββββββββ
β
ββββββββββββββββββββββ
β SSL/TLS 1.3 β
β (OpenSSL) β
ββββββββββββββββββββββ
β
ββββββββββββββββββββββ
β TUN/TAP Device β
β (Platform) β
ββββββββββββββββββββββ
Platform Support
Desktop Platforms
| Platform | Architecture | TUN Device | Status |
|---|---|---|---|
| macOS | x86_64, ARM64 | utun | β Tested |
| Linux | x86_64, ARM64 | TUN/TAP | π§ Planned |
| Windows | x86_64 | TAP-Windows6 | π§ Planned |
Mobile Platforms
| Platform | Architecture | Implementation | Status |
|---|---|---|---|
| Android | ARM64, ARMv7, x86_64 | JNI + VpnService | β Complete |
| iOS | ARM64, x86_64 | PacketTunnelProvider | β Complete |
Mobile implementations are production-ready! See:
android/README.md- Android integration guideios/README.md- iOS integration guide
Building for Different Platforms
Zig enables seamless cross-compilation:
# Build for Linux from macOS
zig build -Dtarget=x86_64-linux-gnu
# Build for Windows from macOS
zig build -Dtarget=x86_64-windows-gnu
# Build for ARM64 Linux
zig build -Dtarget=aarch64-linux-gnu
Building from Source
Standard Build
# Debug build (with symbols)
zig build
# Release build (optimized)
zig build -Doptimize=ReleaseFast
# Safe release build
zig build -Doptimize=ReleaseSafe
Custom Build Options
# Build with custom target
zig build -Dtarget=aarch64-linux-gnu
# Build with specific CPU features
zig build -Dcpu=baseline
# Clean build artifacts
rm -rf zig-cache zig-out
Build Dependencies
The build system automatically:
- Downloads and compiles SoftEther C sources
- Links with system OpenSSL
- Creates platform-specific TUN adapters
- Generates optimized binaries
Configuration
Configuration Methods
SoftEtherZig supports three configuration methods with priority order:
- Command-line arguments (highest priority)
- Environment variables (medium priority)
- Configuration file (lowest priority)
Configuration File (NEW in v1.1)
Create ~/.config/softether-zig/config.json:
{
"server": "vpn.example.com",
"port": 443,
"hub": "VPN",
"username": "myuser",
"password_hash": "base64-hashed-password"
}
Then simply run:
vpnclient # Uses config file
See docs/CONFIGURATION.md for complete configuration guide.
Example configurations:
config.example.json- Full configuration with all optionsconfig.minimal.json- Minimal working configuration
Environment Variables
Connection settings:
SOFTETHER_SERVER: VPN server hostnameSOFTETHER_PORT: VPN server portSOFTETHER_HUB: Virtual hub nameSOFTETHER_USER: UsernameSOFTETHER_PASSWORD: Password (plaintext, not recommended)SOFTETHER_PASSWORD_HASH: Pre-hashed password (recommended)
SSL/TLS settings:
SSL_CERT_FILE: Path to custom CA certificate bundleSSL_CERT_DIR: Directory containing CA certificates
Troubleshooting
Common Issues
Permission Denied
# Solution: Run with sudo for TUN device access
sudo vpnclient -s server -H hub -u user -P pass
Connection Timeout
- Verify server hostname and port
- Check firewall settings
- Ensure VPN server is accessible
Authentication Failed
- Confirm username and password
- Check virtual hub name
- Verify account permissions
TUN Device Busy
- macOS: Wait for utun device to become available
- Linux: Check
/dev/net/tunpermissions
Debug Mode
# Build with debug symbols
zig build -Doptimize=Debug
# Run with verbose logging
sudo ./zig-out/bin/vpnclient -s server -H hub -u user -P pass 2>&1 | tee debug.log
Development
Code Organization
src/: Zig source codesrc/bridge/: C bridge code interfacing with SoftEtherSoftEtherVPN_Stable/: Upstream SoftEther VPN source
Adding Features
CLI Features:
- Edit
src/cli.zigfor new command-line options
Client Features:
- Modify
src/client.zigfor connection logic
Bridge Features:
- Update
src/bridge/softether_bridge.cfor new SoftEther integration
Testing
# Run tests
zig build test
# Build and test specific target
zig build -Dtarget=x86_64-linux-gnu test
Code Style
- Zig: Follow official Zig style guide
- C: Follow SoftEther VPN conventions
- Documentation: Use Zig doc comments for public APIs
Contributing
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
Areas for Contribution
- π§ Linux TUN/TAP implementation
- πͺ Windows TAP-Windows6 support
- π Additional authentication methods (certificate, RADIUS)
- π Performance optimizations
- π§ͺ Comprehensive test suite
- π Documentation improvements
License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
The SoftEther VPN components are licensed under Apache License 2.0 by the SoftEther VPN Project.
Credits
- SoftEther VPN Project: Original VPN implementation
- Zig Programming Language: Modern systems programming language
- OpenSSL Project: Cryptography library
Related Projects
- SoftEther VPN Official - Original SoftEther VPN
- Zig Language - Programming language
- OpenSSL - Cryptography toolkit
Documentation
Getting Started
- QUICKSTART.md - Get started quickly
- QUICKREF.md - Quick reference guide
- docs/CONFIGURATION.md - Configuration guide
Architecture & Design
- ARCHITECTURE.md - System architecture
- docs/ARCHITECTURE_AND_DEPENDENCIES.md - Pure Zig architecture & dependencies
- deps/taptun/PROJECT_SUMMARY.md - ZigTapTun library overview
- PROGRESS.md - Implementation progress and roadmap
Migration to Pure Zig π
- docs/MIGRATION_EXECUTIVE_SUMMARY.md - START HERE - Executive summary
- docs/ZIG_PURE_CLIENT_FEASIBILITY.md - Detailed feasibility analysis
- docs/ZIG_MIGRATION_ROADMAP.md - Month-by-month execution plan
- RUST_TO_ZIG_MIGRATION.md - Historical context (Rust β Zig)
Platform Support
- CROSS_PLATFORM.md - Cross-platform build guide
- IOS_BUILD_GUIDE.md - iOS build instructions
Server Mode Comparison
- DOCS_INDEX.md - Documentation navigation and overview
- SECURENAT_VS_LOCALBRIDGE.md - Complete technical comparison of server modes
- LOCALBRIDGE_QUICKREF.md - Quick reference for Local Bridge implementation
- PACKET_FLOW_DIAGRAMS.md - Visual diagrams of packet flows
Security
- SECURITY.md - Security best practices
SoftEtherZig - Bringing modern programming practices to enterprise VPN connectivity.