SSTP step-by-step

From MikroTik Wiki

I'm not good at creating pretty documentation and I rarely make documentation, so hopefully someone will step in and clean this up a bit.

I tried to follow Mikrotik's example, but they just don't tell you enough for a newbie to be able to do it without retries and Googling. I've taken a lot of information from the Mikrotik manual Manual:Interface/SSTP#Connecting_Remote_Client.

Before you set up SSTP, you'll need certificates. I do have real certificates somewhere for my mail servers (wildcard), but I was in a rush and didn't want to try to track them down. I probably lost all of the private stuff anyway. Because of this, I went completely self-signed. Most of this is also stolen from Manual:Create Certificates.

One thing to keep in mind is that your CNs must be unique in each certificate you create (CA, server and client). I used the FQDN I made for my VPN box for the server. For CA and client, I think I just used those words, CA and client.

  • The first step is to build the CA private key and CA certificate pair.
    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
    

    During the process you will have to fill in a few entries (Common Name (CN), Organization, State or Province, etc.). The created CA certificate/key pair will be valid for 10 years (3650 days).

  • Now create the private-key/certificate pair for the server.
    openssl genrsa -des3 -out server.key 4096
    openssl req -new -key server.key -out server.csr
    
    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
    
  • The client key/certificate pair creation steps are very similar to the server's. Remember to specify a unique CN, and give the client certificate a serial number different from the server's, since X.509 requires serial numbers to be unique per issuer.
    openssl genrsa -des3 -out client.key 4096
    openssl req -new -key client.key -out client.csr
    
    openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
    

To examine a certificate, run the following command:

openssl x509 -noout -text -in server.crt -purpose

I looked at all three certificates to make sure there were no warnings or errors.
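The three certificate steps above, scripted as an added shell example (not from the wiki page or MikroTik): it runs the openssl commands non-interactively, gives the client certificate a different serial from the server's, and then does the checks above by command instead of by eye. Assumed: openssl is on PATH; the passphrase, the subject fields and vpn.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the wiki page: the three openssl steps above run
# non-interactively, followed by the checks the author did by eye.
# Assumptions: openssl on PATH; WORK, PASS, the subject fields and the server
# FQDN are constructed placeholder values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="pass:change-me-placeholder"    # constructed; replace with a real passphrase
KEY_BITS=4096
CA_CN="CA"                           # each certificate needs its own CN
SERVER_CN="vpn.example.com"          # placeholder: the FQDN of the VPN box
CLIENT_CN="client"

# Self-signed CA key/certificate pair, valid 10 years.
make_ca() {
    openssl genrsa -des3 -passout "$PASS" -out "$WORK/ca.key" "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$WORK/ca.key" -passin "$PASS" \
        -subj "/C=XX/O=Example/CN=$CA_CN" -out "$WORK/ca.crt" 2>/dev/null
}

# Key, CSR and CA-signed certificate. $1 = file name, $2 = CN, $3 = serial.
# Certificates issued by one CA must each get a different serial number.
make_signed() {
    name=$1; cn=$2; serial=$3
    openssl genrsa -des3 -passout "$PASS" -out "$WORK/$name.key" "$KEY_BITS" 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -passin "$PASS" \
        -subj "/C=XX/O=Example/CN=$cn" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -passin "$PASS" -set_serial "$serial" \
        -out "$WORK/$name.crt" 2>/dev/null
}

# Succeeds only if server and client certs chain to ca.crt and have
# distinct subjects and distinct serial numbers.
check_certs() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" "$WORK/client.crt" \
        >/dev/null 2>&1 || return 1
    subj_s=$(openssl x509 -noout -subject -in "$WORK/server.crt")
    subj_c=$(openssl x509 -noout -subject -in "$WORK/client.crt")
    ser_s=$(openssl x509 -noout -serial -in "$WORK/server.crt")
    ser_c=$(openssl x509 -noout -serial -in "$WORK/client.crt")
    [ "$subj_s" != "$subj_c" ] && [ "$ser_s" != "$ser_c" ]
}

build_all() {
    make_ca
    make_signed server "$SERVER_CN" 01
    make_signed client "$CLIENT_CN" 02
}
```

Run `build_all && check_certs` and the files land in `$WORK`, ready to upload to the router as in the next section.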

Import certificates

To import the newly created certificates to your router, first upload the certificate and key files (the transcript below imports ca.crt, ca.key, server.crt and server.key) to the router via FTP. The CA private key only needs to be on the router if the router itself will sign further certificates; otherwise it can stay offline. Now go to the /certificate submenu and run the following commands:

[admin@test_host] /certificate> import file-name=ca.crt
passphrase: 
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
[admin@test_host] /certificate> import file-name=ca.key 
passphrase: 
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
[admin@test_host] /certificate> import file-name=server.crt
passphrase: 
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
[admin@test_host] /certificate> import file-name=server.key 
passphrase: 
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

I made sure to rename the certificates from certX to CA and server. That'll come in later when you want to know which one is which.


If everything is imported properly, the certificate should show up with the KR flag.

[admin@test_host] /certificate> print 
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
 0 KR name="cert1" subject=C=LV,ST=RI,L=Riga,O=MT,CN=server,emailAddress=xxx@mt.lv 
      issuer=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=xxx@mt.lv serial-number="01"
      email=xxx@mt.lv invalid-before=jun/25/2008 07:24:33 
      invalid-after=jun/23/2018 07:24:33 ca=yes 

Now it is time to create a user:

[admin@RemoteOffice] /ppp secret> add name=Laptop service=sstp password=123
local-address=10.1.101.1 remote-address=10.1.101.100
[admin@RemoteOffice] /ppp secret> print detail
Flags: X - disabled
  0   name="Laptop" service=sstp caller-id="" password="123" profile=default
      local-address=10.1.101.1 remote-address=10.1.101.100 routes==""

[admin@RemoteOffice] /ppp secret>

Notice that the SSTP local address is the same as the router's address on the local interface, and the remote address is from the same range as the local network (10.1.101.0/24).


The next step is to enable the SSTP server on the router and the SSTP client on the laptop.

[admin@RemoteOffice] /interface sstp-server server> set certificate=server
[admin@RemoteOffice] /interface sstp-server server> set enabled=yes
[admin@RemoteOffice] /interface sstp-server server> set authentication=mschap2
[admin@RemoteOffice] /interface sstp-server server> print
                     enabled: yes
                        port: 443
                     max-mtu: 1500
                     max-mru: 1500
                        mrru: disabled
           keepalive-timeout: 60
             default-profile: default
                 certificate: server
  verify-client-certificate: no
              authentication: mschap2

[admin@RemoteOffice] /interface sstp-server server>

Notice that authentication is set to mschap2; this is the only authentication option that is valid for establishing a secure tunnel. Note also that verify-client-certificate is no, so the server does not check the client's certificate and the client is authenticated by the PPP username and password alone.


The SSTP client on the laptop should connect to the router's public IP, which in our example is 192.168.80.1.

Please consult the respective manual on how to set up an SSTP client with the software you are using. If you set up the SSTP client on Windows and self-signed certificates are used, the CA certificate must be added to the trusted root store.


On Windows 7 x64 SP1, I had to import the CA.crt into "Trusted Root Certification Authorities\Local Computer". I found that by checking "Show physical stores." I imported my client.crt into "Personal\Local Computer" discovered the same way.