Mikrotik – SSTP VPN Server Setup Guide

Overview

I’ve played with L2TP/IPSec, IKEv2, PPTP, and SSTP VPN Servers. SSTP is now my go-to for business clients, and here is a step-by-step guide to help you set one up on a Mikrotik Router :-).

Benefits over L2TP/IPSec

  1. Multiple clients can connect from the same Public IP. Important if you have multiple employees that travel to the same site, like a hotel or other business. On L2TP, it’s one device per WAN IP.
  2. No timeouts, you can stay connected for an indefinite amount of time.
  3. More reliable in bad conditions (weak WiFi signal, cell-hotspot), less likely to drop than L2TP/IPSec, because SSTP is TCP based, and less sensitive to latency.
  4. Works on almost any network. Since it runs over TCP443, the same port as HTTPS, almost every network allows it’s traffic through if there is outbound filtering.
  5. Setup for Windows clients is built in, reliable, and simple. Mac clients require a bit more work, but it functions the same.
  6. Due to being TCP based, and less sensitive to latency, you can get much higher throughput for bad connections.

Cons – Slightly Harder Setup

  1. You must connect by DNS address, e.g. vpn.company.com, IP addresses are not an option.
  2. You must have a SSL certificate that includes your public DNS address (vpn.company.com). Wildcards work great, along with standard SSLs.
  3. The SSL you use, needs to have the private key included, takes extra work to extract.

Once it’s setup and working, SSTP beats L2TP every time hands down!

 

SSL Export and Config

The only part not included in this guide is creating a publicly signed SSL request, and getting it signed. Here are a two detailed SSL creation/install guides from GoDaddy if need help with this step:

 

We need to export the installed SSL on the server into two types: A PKCS#12 “.PFX” (Contains Private Key) and an BASE64-encoded X509 “.CER” (Public Cert Only).

Easiest to perform these steps on the server that created the SSL (so it has the private key and matching certificate).

If you cannot export the private key, it means you are on a server that did not create the key – check other servers within that company, like Exchange or RDS.

  • Start > run > mmc.exe
  • File > Add Snap In > Computer Account > Local > OK
  • Expand Certificates (Local Computer) > Personal > Certificates > Right-Click Your SSL > All Tasks > Export > “Yes, export the Private Key” > Export to: … > File Type: *.PFX > Protect with YourPassword
  • Expand Certificates (Local Computer) > Personal > Certificates > Right-Click Your SSL > All Tasks > Export > “No, do not export the Private Key” > BASE64 Encoded Binary X.509 > Export to: … > File Type: *.CER

Get both of these files to your workstation running Winbox.

Login to the Mikrotik

Files > Drag in both files to the Files window

  1. System > Certificates > Import > SSL.CER (Base64) > Password: <leave blank>
    1. Left column, only “LT” (revocation List, Trusted)
  2. System > Certificates > Import > SSL.PFX (PKCS12) > Password: YourPassword
    1. Left column “KLT (private Key, revocation List, Trusted)

Now go to Mikrotik > PPP > Interface Tab > SSTP Server (Button) > Certificate: Select your SSL (X509)

Mikrotik – SSTP Server Setup

Only thing to change for a default setup is the DNS Server. Paste into Mikrotik Terminal.

#Change this to the on-site Domain Controller/DNS Server.
:global DNSServer "192.168.1.5"
#IP Address of VPN Bridge
:global VPNGateway "192.168.200.1"
#VPN Client LAN IP Range -- IPs the clients should get
:global VPNRange "192.168.200.100-192.168.200.200"
#Network Address of the Target Network
:global VPNNetwork "192.168.200.0/24"


#Add the bridge
/interface bridge add name=vpn-bridge
#Give the bridge an IP and network
/ip address add interface=vpn-bridge address=($VPNGateway."/24") comment="VPN Bridge IP"
#Add an IP Pool for clients to be assigned when they connect
/ip pool add name="vpn-pool" ranges=$VPNRange
#Configure the VPN profile for users to use.
/ppp profile add dns-server=$DNSServer local-address=$VPNGateway name=sstp-profile remote-address=vpn-pool bridge=vpn-bridge
#Turn it on!
/interface sstp-server server set authentication=mschap2 default-profile=sstp-profile enabled=yes

Mikrotik – Add an Local User Account

#Add the User’s Account into the Mikrotik

:global Username "johnsmith"
:global Password  "johns super password"

/ppp secret add name=$Username password=$Password profile=sstp-profile

Setup SSTP Client Connection (Windows 7 or 10)

Adjust names, ServerAddress, username, and password as appropriate.

#In PowerShell
Add-VpnConnection -Name "Company SSTP VPN" -ServerAddress "vpn.company.com" -TunnelType SSTP -EncryptionLevel Required -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential $true
Set-VpnConnectionUsernamePassword -connectionname “Company SSTP VPN” -username johnsmith -password “johns super password”



#Or, in GUI
Click Network Icon near clock in system tray > Network and Internet Settings

VPN (Left) > Add a VPN connection:
VPN Provider: Windows (built-in)
Connection Name “Company SSTP VPN”
Server Name or Address: vpn.company.com
VPN Type: Secure Socket Tunneling Protocol (SSTP)
Username: johnsmith
Password: johns super password
Remember: Checked
SAVE

#Connecting
Click Network Icon near clock in system tray > Select “Company SSTP VPN > Connect

Leave a Reply

Your email address will not be published. Required fields are marked *