comparison guide self-hosted · April 18, 2026 · 9 min read

StrongSwan vs LibreSwan vs SoftEther: Best Self-Hosted VPN Gateway 2026

Compare StrongSwan, LibreSwan, and SoftEther for self-hosted VPN gateways. Detailed Docker setups, configuration guides, and performance benchmarks for IPSec and multi-protocol VPN deployments.

OpenSwap Guide Team Editorial Team

When you need a self-hosted VPN gateway for site-to-site connectivity, remote access, or secure network bridging, the choice of VPN software matters. While tools like wireguard and OpenVPN dominate the consumer space, enterprise-grade deployments often require the flexibility and proven security of IPSec or multi-protocol VPN solutions.

In this guide, we compare three mature, open-source VPN gateway implementations: StrongSwan, LibreSwan, and SoftEther VPN. Each serves a different niche, and understanding their strengths helps you pick the right tool for your infrastructure.

Why Self-Host Your VPN Gateway

Running your own VPN gateway gives you full control over traffic routing, encryption standards, and access policies. You avoid vendor lock-in, reduce monthly subscription costs, and keep sensitive network topology data on your own hardware. For organizations with compliance requirements (SOC 2, HIPAA, GDPR), a self-hosted VPN ensures that authentication logs and connection metadata never leave your infrastructure.

Self-hosted VPN gateways are particularly valuable for:

Site-to-site connectivity between offices, data centers, or cloud VPCs
Remote access for distributed teams and contractors
Network segmentation with granular access control
Compliance where traffic must not traverse third-party infrastructure

For related reading, see our complete VPN solutions guide and WireGuard VPN comparison.

StrongSwan: The IPSec Standard

StrongSwan is the most widely deployed open-source IPSec implementation. Originally a fork of FreeS/WAN in 2004, it has become the reference implementation for IKEv2 and is the default IPSec stack on many Linux distributions, Android, and macOS.

Attribute	Detail
GitHub	strongswan/strongswan
Stars	2,832
Last Updated	April 2026
Language	C
License	GPL-2.0
Protocols	IKEv1/IKEv2, IPSec, EAP, XAuth
Platforms	Linux, FreeBSD, macOS, Android

Key Features

Full IKEv1 and IKEv2 support with EAP authentication
RADIUS, LDAP, and SQL backends for user authentication
Network Access Manager (charon) with multi-threaded architecture
Support for virtual IPs, traffic selectors, and MOBIKE
Extensive plugin system (150+ plugins)
Built-in certificate management and OCSP/CRL support
Integration with systemd, NetworkManager, and Android

docker Setup

StrongSwan can be containerized using the official Docker image. Here is a production-ready Docker Compose configuration:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
version: "3.8"
services:
  strongswan:
    image: strongswan:latest
    container_name: strongswan
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
    environment:
      - VPN_IKE_PROPOSALS=aes256gcm16-prfsha512-ecp384!
      - VPN_ESP_PROPOSALS=aes256gcm16-ecp384!
    volumes:
      - ./ipsec.conf:/etc/ipsec.conf:ro
      - ./ipsec.secrets:/etc/ipsec.secrets:ro
      - ./strongswan.conf:/etc/strongswan.conf:ro
      - /etc/strongswan/ipsec.d:/etc/ipsec.d
    ports:
      - "500:500/udp"
      - "4500:4500/udp"
    restart: unless-stopped
    network_mode: host

Core ipsec.conf for a road warrior setup:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-prfsha512-ecp384!
    esp=aes256gcm16-ecp384!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.example.com
    leftcert=server.cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightdns=8.8.8.8
    rightsendcert=never
    rightsourceip=10.10.0.0/24

When to Choose StrongSwan

StrongSwan is the best choice when you need IKEv2 road warrior access with certificate-based authentication, especially for mobile clients. Its Android integration is unmatched, and it is the backbone of many commercial VPN services. If your primary use case is remote access for laptops and phones, StrongSwan should be your first choice.

LibreSwan: The Enterprise IPSec Fork

LibreSwan is a fork of Openswan (2013) that focuses on enterprise-grade IPSec deployments. It powers the ipsec service in many enterprise Linux distributions and is the foundation for cloud VPN offerings.

Attribute	Detail
GitHub	libreswan/libreswan
Stars	939
Last Updated	April 2026
Language	C
License	GPL-2.0
Protocols	IKEv1/IKEv2, IPSec, XAuth
Platforms	Linux, FreeBSD

Key Features

Pluggable authentication modules (PAM, NSS, SQL)
XFRM kernel interface for Linux-native IPSec processing
Support for up to 64,000 concurrent tunnels
IKEv2 with EAP-TLS, EAP-MSCHAPv2, and certificate auth
L2TP/IPSec support for legacy Windows clients
IPsec-in-IPsec nesting for complex routing scenarios
SELinux integration for hardened deployments
Automatic key rotation and DPD (Dead Peer Detection)

Docker Setup

LibreSwan requires more kernel capabilities than typical containers. Here is a working Docker Compose configuration:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
version: "3.8"
services:
  libreswan:
    image: ghcr.io/libreswan/libreswan:latest
    container_name: libreswan
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.accept_redirects=0
      - net.ipv4.conf.all.send_redirects=0
    environment:
      - VPN_IPSEC_PSK=my-strong-psk-here
      - VPN_USER=vpnuser
      - VPN_PASSWORD=changeme123
    volumes:
      - ./ipsec.d:/etc/ipsec.d
      - /lib/modules:/lib/modules:ro
    ports:
      - "500:500/udp"
      - "4500:4500/udp"
      - "1701:1701/udp"
    restart: unless-stopped
    network_mode: host

Site-to-site configuration example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
conn site-to-site
    auto=start
    type=tunnel
    iketype=ikev2
    keyexchange=ikev2
    authby=secret
    left=10.0.1.1
    leftsubnet=10.0.1.0/24
    leftid=@office-a
    leftnexthop=%defaultroute
    right=203.0.113.50
    rightsubnet=10.0.2.0/24
    rightid=@office-b
    ike=aes256-sha2_512-modp2048!
    esp=aes256-sha2_512!
    dpddelay=30
    dpdtimeout=120
    dpdaction=%restart

When to Choose LibreSwan

LibreSwan excels in site-to-site VPN deployments where you need persistent, high-throughput tunnels between fixed locations. Its L2TP/IPSec support is useful when you must accommodate legacy Windows clients. If your use case involves connecting branch offices or data centers with always-on tunnels, LibreSwan’s robust tunnel management and SELinux integration make it a strong candidate.

SoftEther VPN: The Multi-Protocol Powerhouse

SoftEther VPN takes a fundamentally different approach. Instead of focusing on a single protocol, it implements multiple VPN protocols (SSL-VPN, L2TP/IPSec, OpenVPN, MS-SSTP) through a single server process. This makes it uniquely versatile for environments with diverse client requirements.

Attribute	Detail
GitHub	SoftEtherVPN/SoftEtherVPN
Stars	13,148
Last Updated	April 2026
Language	C
License	GPL-2.0 / Apache-2.0
Protocols	SSL-VPN, L2TP/IPSec, OpenVPN, MS-SSTP, EtherIP
Platforms	Linux, Windows, FreeBSD, macOS

Key Features

Four VPN protocols in one server: SSL-VPN, L2TP/IPSec, OpenVPN, MS-SSTP
Built-in NAT traversal and firewall bypass
Ethernet bridge mode for layer-2 connectivity
User-friendly management GUI (vpncmd and Server Manager)
Dynamic DNS support for changing public IPs
Packet inspection and logging per user/session
Clustering support for load balancing across multiple servers
Clone of physical Ethernet networks across VPN

Docker Setup

SoftEther VPN has community-maintained Docker images. Here is a production-ready setup:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
version: "3.8"
services:
  softether:
    image: siomiz/softethervpn:latest
    container_name: softether
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
    environment:
      - PSK=my-vpn-secret-key
      - USERNAME=admin
      - PASSWORD=secure-password-here
    ports:
      - "500:500/udp"
      - "1701:1701/udp"
      - "4500:4500/udp"
      - "1194:1194/udp"
      - "5555:5555/tcp"
      - "443:443/tcp"
    volumes:
      - ./softether_config:/opt/vpnserver
    restart: unless-stopped

Server manager CLI configuration:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
# Connect to the SoftEther server
vpncmd localhost:5555 /SERVER /PASSWORD:your-password

# Create a Virtual Hub
HubCreate MyVPN /PASSWORD:hub-password

# Enable SecureNAT for easy client connectivity
SecureNatEnable

# Create a user
UserCreate vpnuser /GROUP:none /REALNAME:"VPN User"
UserPasswordSet vpnuser /PASSWORD:client-password

When to Choose SoftEther

SoftEther is the right choice when you need multi-protocol support from a single server. If your user base includes Windows, macOS, Linux, iOS, and Android clients with varying protocol preferences, SoftEther eliminates the need to run multiple VPN servers. Its SSL-VPN mode is particularly effective at bypassing restrictive firewalls that block standard VPN protocols.

Head-to-Head Comparison

Feature	StrongSwan	LibreSwan	SoftEther
Primary Protocol	IKEv2/IPSec	IKEv1/IKEv2/IPSec	SSL-VPN, L2TP, OpenVPN, SSTP
Mobile Support	Excellent (Android native)	Good (L2TP/IPSec)	Good (OpenVPN client)
Site-to-Site	Yes	Excellent	Yes
Road Warrior	Excellent	Good	Excellent
Firewall Bypass	Moderate (MOBIKE)	Limited	Excellent (SSL/HTTPS)
Windows Native	Limited	L2TP/IPSec	SSTP + L2TP
Docker Ready	Official image	Community	Community images
GUI Management	No (CLI only)	No (CLI only)	Yes (Server Manager)
Max Throughput	High	High	High
Learning Curve	Moderate	Steep	Moderate
Community Size	Large	Moderate	Large
Stars (2026)	2,832	939	13,148

Protocol Compatibility

Client OS	StrongSwan	LibreSwan	SoftEther
Windows 10/11	IKEv2 (built-in)	L2TP/IPSec	SSTP, L2TP, OpenVPN
macOS	IKEv2 (built-in)	IKEv2	OpenVPN, L2TP
Linux	Native	Native	OpenVPN, L2TP
Android	Native (strongSwan app)	L2TP/IPSec	OpenVPN
iOS	IKEv2 (built-in)	IKEv2	OpenVPN

Security Comparison

Security Feature	StrongSwan	LibreSwan	SoftEther
AES-256-GCM	Yes	Yes	Yes
ChaCha20	Yes	Partial	No
Perfect Forward Secrecy	Yes	Yes	Yes
Certificate Auth	Yes	Yes	Yes
EAP-TLS	Yes	Yes	No
EAP-MSCHAPv2	Yes	Yes	No
SELinux Support	Yes	Yes	No
FIPS 140-2	With plugin	Partial	No

Installation on Linux

StrongSwan (Ubuntu/Debian)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
sudo apt update
sudo apt install strongswan strongswan-pki libcharon-extra-plugins

# Generate server certificate
ipsec pki --gen --type ed25519 --outform pem > server.key.pem
ipsec pki --self --in server.key.pem --dn "CN=vpn.example.com" --ca --lifetime 3650 > ca.cert.pem

# Install certificates
sudo cp ca.cert.pem /etc/ipsec.d/cacerts/
sudo cp server.key.pem /etc/ipsec.d/private/
sudo cp server.cert.pem /etc/ipsec.d/certs/

LibreSwan (RHEL/CentOS)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
sudo dnf install libreswan

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/99-ipsec.conf

# Configure firewall
sudo firewall-cmd --permanent --add-service=ipsec
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload

# Start and enable
sudo systemctl enable --now ipsec

SoftEther VPN (Ubuntu/Debian)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
sudo apt update
sudo apt install build-essential libreadline-dev libssl-dev libncurses5-dev zlib1g-dev

# Download and compile
wget https://github.com/SoftEtherVPN/SoftEtherVPN/releases/download/v5.02.5180/softether-vpnserver-v5.02.5180-beta-2025.12.31-linux-x64-64bit.tar.gz
tar xzf softether-vpnserver-*.tar.gz
cd vpnserver
sudo make

# Start the server
sudo ./vpnserver start

# Register as systemd service
cat << 'EOF' | sudo tee /etc/systemd/system/vpnserver.service
[Unit]
Description=SoftEther VPN Server
After=network.target

[Service]
Type=forking
ExecStart=/opt/vpnserver/vpnserver start
ExecStop=/opt/vpnserver/vpnserver stop

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl enable --now vpnserver

FAQ

Which VPN gateway is best for remote workers?

StrongSwan is generally the best choice for remote worker access. Its native IKEv2 implementation works seamlessly with built-in VPN clients on Windows, macOS, iOS, and Android. The MOBIKE extension allows seamless reconnection when users switch between WiFi and cellular networks.

Can I run multiple VPN protocols on one server?

Yes, SoftEther VPN supports SSL-VPN, L2TP/IPSec, OpenVPN, and MS-SSTP simultaneously on a single server instance. This is its primary advantage over StrongSwan and LibreSwan, which focus exclusively on IPSec.

Is IPSec more secure than OpenVPN?

Both protocols are considered secure when properly configured with strong cipher suites (AES-256-GCM, SHA-2, and ECDH key exchange). IPSec operates at the network layer (Layer 3) while OpenVPN operates at the transport layer (Layer 4). IPSec has better native OS integration, while OpenVPN is easier to configure through restrictive firewalls.

Do these VPN gateways support two-factor authentication?

StrongSwan and LibreSwan both support EAP-based authentication with RADIUS backends, which can integrate with TOTP, hardware tokens, or SMS-based 2FA. SoftEther supports user password authentication and can be combined with external RADIUS for 2FA.

Which is easiest to set up?

SoftEther has the lowest barrier to entry thanks to its graphical management tool (Server Manager for Windows, vpncmd for Linux) and built-in SecureNAT feature that handles DHCP and NAT automatically. StrongSwan requires manual certificate and configuration management but has extensive documentation. LibreSwan has the steepest learning curve with its configuration file syntax.

Can these replace commercial VPN services like NordVPN or ExpressVPN?

These tools provide the VPN server infrastructure but do not include the global server network that commercial services offer. They are designed for connecting to your own private network, not for anonymizing your internet traffic through third-party servers. For remote access to your own infrastructure, they are excellent replacements.

What ports need to be open on the firewall?

StrongSwan/LibreSwan (IPSec): UDP 500 (IKE), UDP 4500 (NAT-T), protocol 50 (ESP)
SoftEther: TCP 443 (SSL-VPN), TCP 5555 (management), UDP 1194 (OpenVPN), UDP 500/4500 (IPSec), UDP 1701 (L2TP)

Advertise here

Why Self-Host Your VPN Gateway

StrongSwan: The IPSec Standard

Key Features

docker Setup

When to Choose StrongSwan

LibreSwan: The Enterprise IPSec Fork

Key Features

Docker Setup

When to Choose LibreSwan

SoftEther VPN: The Multi-Protocol Powerhouse

Key Features

Docker Setup

When to Choose SoftEther

Head-to-Head Comparison

Protocol Compatibility

Security Comparison

Installation on Linux

StrongSwan (Ubuntu/Debian)

LibreSwan (RHEL/CentOS)

SoftEther VPN (Ubuntu/Debian)

FAQ

Which VPN gateway is best for remote workers?

Can I run multiple VPN protocols on one server?

Is IPSec more secure than OpenVPN?

Do these VPN gateways support two-factor authentication?

Which is easiest to set up?

Can these replace commercial VPN services like NordVPN or ExpressVPN?

What ports need to be open on the firewall?

Related Articles

Firezone vs Pritunl vs NetBird: Self-Hosted WireGuard VPN Management 2026

Best Self-Hosted Network Traffic Analysis Tools 2026: Zeek vs Arkime vs ntopng

UFW vs Firewalld vs iptables: Best Linux Firewall for Self-Hosted Servers 2026