I'm not good at creating pretty documentation and I rarely make documentation, so hopefully someone will step in and clean this up a bit.
I tried to follow Mikrotik's example, but they just don't tell you enough for a newbie to be able to do it without retries and Googling. I've taken a lot of information from the Mikrotik manual Manual:Interface/SSTP#Connecting_Remote_Client.
Before you set up SSTP, you'll need certificates. I do have real certificates somewhere for my mail servers (wildcard), but I was in a rush and didn't want to try to track them down. I probably lost all of the private stuff anyway. Because of this, I went completely self-signed. Most of this is also stolen from Manual:Create Certificates.
One thing to keep in mind is that the CN must be different in each certificate you create (CA, server and client). I used the FQDN I made for my VPN box for the server. For CA and client, I think I just used those words, CA and client.
- First step is to build the CA private key and CA certificate pair.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
During the process you will have to fill in a few entries (Common Name (CN), Organization, State or Province, etc.). The created CA certificate/key pair will be valid for 10 years (3650 days).
- Now create the private-key/certificate pair for the server.
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
- Client key/certificate pair creation steps are very similar to the server's. Remember to specify a unique CN, and give the client certificate a serial number that differs from the server's: a CA should never issue two certificates with the same serial number, so use 02 here rather than repeating 01.
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
To examine a certificate, run the following command:
openssl x509 -noout -text -in server.crt -purpose
I looked at all three certificates to make sure there were no warnings or errors.
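The CA, server and client steps above as one non-interactive script, added here as an example rather than taken from the post or from the Mikrotik manual. It gives every certificate a distinct CN and a distinct serial, then checks both properties and runs openssl verify on each leaf against the CA, which is the check the manual's "look for warnings" step is really after. Assumptions, none of which come from the post: the openssl CLI is installed, VPN_FQDN is a placeholder for the VPN box's name, SSTP_PKI_DIR is the output directory, ORG is a constructed O= value, and the keys are written unencrypted (the post's -des3 would prompt for a passphrase).

```shell
#!/bin/sh
# Added example (not from the original post): build a self-signed CA plus
# CA-signed server and client certificates, then sanity-check them.
# Placeholders: VPN_FQDN, SSTP_PKI_DIR and ORG are assumptions, not the post's values.

VPN_FQDN="${VPN_FQDN:-vpn.example.test}"      # placeholder FQDN for the VPN box
SSTP_PKI_DIR="${SSTP_PKI_DIR:-./sstp-pki}"    # where the .key/.csr/.crt files go
ORG="Home"                                    # constructed O= value for all subjects

# make_pki: build ca.key/ca.crt, then server and client pairs signed by the CA.
make_pki() {
    d="$SSTP_PKI_DIR"
    bits="${KEY_BITS:-4096}"   # 4096 as in the post; lower it only for quick tests
    mkdir -p "$d" || return 1
    # 1. CA key and self-signed CA certificate, valid 10 years, CN "CA"
    openssl genrsa -out "$d/ca.key" "$bits" 2>/dev/null || return 1
    openssl req -new -x509 -days 3650 -key "$d/ca.key" -out "$d/ca.crt" \
        -subj "/O=$ORG/CN=CA" || return 1
    # 2. Server key, CSR and CA-signed certificate; CN is the VPN host's FQDN, serial 01
    openssl genrsa -out "$d/server.key" "$bits" 2>/dev/null || return 1
    openssl req -new -key "$d/server.key" -out "$d/server.csr" \
        -subj "/O=$ORG/CN=$VPN_FQDN" || return 1
    openssl x509 -req -days 3650 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 01 -out "$d/server.crt" 2>/dev/null || return 1
    # 3. Client pair the same way; CN "client", serial 02 so it differs from the server's
    openssl genrsa -out "$d/client.key" "$bits" 2>/dev/null || return 1
    openssl req -new -key "$d/client.key" -out "$d/client.csr" \
        -subj "/O=$ORG/CN=client" || return 1
    openssl x509 -req -days 3650 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 02 -out "$d/client.crt" 2>/dev/null || return 1
}

# cert_cn FILE: print the CN from a certificate's subject
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_serial FILE: print the serial number as openssl shows it (hex)
cert_serial() {
    openssl x509 -noout -serial -in "$1" | cut -d= -f2
}

# check_unique_cns: CA, server and client CNs must be three distinct values
check_unique_cns() {
    n=$(for c in ca server client; do cert_cn "$SSTP_PKI_DIR/$c.crt"; done |
        sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 3 ]
}

# check_unique_serials: the CA must not have issued two certificates with one serial
check_unique_serials() {
    n=$(for c in server client; do cert_serial "$SSTP_PKI_DIR/$c.crt"; done |
        sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 2 ]
}

# verify_chain FILE: succeed only if FILE validates against ca.crt
verify_chain() {
    openssl verify -CAfile "$SSTP_PKI_DIR/ca.crt" "$1" >/dev/null 2>&1
}

# Run the whole procedure when invoked as: sh make-sstp-pki.sh run
if [ "${1:-}" = "run" ]; then
    make_pki && check_unique_cns && check_unique_serials &&
        verify_chain "$SSTP_PKI_DIR/server.crt" &&
        verify_chain "$SSTP_PKI_DIR/client.crt" &&
        openssl x509 -noout -text -purpose -in "$SSTP_PKI_DIR/server.crt"
fi
```

Because the keys here are not passphrase-protected, treat the output directory like the CA itself: copy the router's files over an encrypted channel rather than plain FTP, and keep ca.key off the router entirely, since it is only needed where new certificates are signed.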
To import the newly created certificates to your router, first upload the files used in the commands below (ca.crt, ca.key, server.crt and server.key) to the router via FTP. Strictly, the SSTP server only needs server.crt and server.key, plus ca.crt if you later enable client certificate verification; the CA private key ca.key is only needed where you sign new certificates and does not have to be on the router at all.
Now go to the /certificate submenu and run the following commands:
[admin@test_host] /certificate> import file-name=ca.crt
passphrase:
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

[admin@test_host] /certificate> import file-name=ca.key
passphrase:
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

[admin@test_host] /certificate> import file-name=server.crt
passphrase:
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

[admin@test_host] /certificate> import file-name=server.key
passphrase:
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
I made sure to rename the certificates from certX to CA and server. That'll come in later when you want to know which one is which.
If everything is imported properly, the certificate should show up with the KR flag (K = decrypted private key present, R = RSA):
[admin@test_host] /certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
 0 KR name="cert1" subject=C=LV,ST=RI,L=Riga,O=MT,CN=server,emailAddress=firstname.lastname@example.org
      issuer=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=email@example.com serial-number="01"
      email=firstname.lastname@example.org invalid-before=jun/25/2008 07:24:33
      invalid-after=jun/23/2018 07:24:33 ca=yes
Now it is time to create a user:
[admin@RemoteOffice] /ppp secret> add name=Laptop service=sstp password=123 local-address=10.1.101.1 remote-address=10.1.101.100
[admin@RemoteOffice] /ppp secret> print detail
Flags: X - disabled
 0   name="Laptop" service=sstp caller-id="" password="123" profile=default
     local-address=10.1.101.1 remote-address=10.1.101.100 routes=""
[admin@RemoteOffice] /ppp secret>
Notice that the SSTP local address is the same as the router's address on the local interface, and the remote address is from the same range as the local network (10.1.101.0/24).
The next step is to enable the SSTP server on the router and set up the SSTP client on the laptop.
[admin@RemoteOffice] /interface sstp-server server> set certificate=server
[admin@RemoteOffice] /interface sstp-server server> set enabled=yes
[admin@RemoteOffice] /interface sstp-server server> set authentication=mschap2
[admin@RemoteOffice] /interface sstp-server server> print
                    enabled: yes
                       port: 443
                    max-mtu: 1500
                    max-mru: 1500
                       mrru: disabled
          keepalive-timeout: 60
            default-profile: default
                certificate: server
  verify-client-certificate: no
             authentication: mschap2
[admin@RemoteOffice] /interface sstp-server server>
Notice that authentication is set to mschap2; the MS-CHAP methods are the only authentication options that are valid for establishing a secure tunnel. Also note that verify-client-certificate is no, so with this configuration the server does not check the client certificate created earlier; the connection is authenticated by the PPP secret alone, which is a reason to pick a far stronger password than the "123" used in the example.
The SSTP client on the laptop should connect to the router's public IP, which in our example is 192.168.80.1.
Please consult the respective manual on how to set up an SSTP client with the software you are using. If you set up the SSTP client on Windows and self-signed certificates are used, the CA certificate must be added to the trusted root store.
On Windows 7 x64 SP1, I had to import the CA.crt into "Trusted Root Certification Authorities\Local Computer". I found that by checking "Show physical stores." I imported my client.crt into "Personal\Local Computer", which I found the same way.