Any alternative to native Windows SSTP client?

Hi, I’m fed up with the freaks of the Windows 10 SSTP VPN client: today it works (using the MikroTik certificate), the day after tomorrow it gives an error without reasons, the same exact procedure on another computer works, the same exact procedure on a third computer fails. It’s crazy how Windows manages certificates, and also crazy how it doesn’t give any useful feedback to correct the problem, for such stupid certificate needs that I don’t care about, and probably nobody cares; on Android I use SSTP Max and it works without certificates.

I’m fed up losing hours trying to install it in all the different modes possible, manually removing and reinstalling again; that’s not a way at all, time is valuable.
So I’m looking for a third-party SSTP client for Windows. I really hope there is one that doesn’t care about useless certificates, looking like the WireGuard client for example. Anything around? Googling I haven’t found valid results.
Thank you

I was about to mention Wireguard …

I need a client for the SSTP protocol; only SSTP works under some firewalls.
As there is a client for WireGuard able to route all traffic through it, there may be a VPN client that supports SSTP..

I’m sorry I can’t be more helpful, but generally the in-built clients on Windows are really hard to manage. Often updates screw with defaults, and a lot of times registry entries have to be set up just so for things to work. Of course with joining a domain/group policy things tend to be better.

If the firewall is not that picky, quite often OpenVPN TCP tunneling over port 443 works fine. If the firewall is protocol-aware, it depends on the exact policy settings, e.g. SSTP is also easy to identify by the “Upgrade: SSTP” type HTTP header…

I know what you mean, but here they also advise SSTP.. reducing or killing the connection, it’s crazy.
What bad news, if for Windows only the native client is available.. I hate it

The first time I approached SSTP I had the same problems; in fact I was never able to make it work with a self-signed certificate.

Because of that we tried buying a certificate from a recognized provider.
Since that day
we have used the native SSTP client for many years without any problem,
but I make it clear:
using a certificate from a recognized provider and renewing it every year (paying the respective fees).

Maybe it’s not the solution you are searching for, but sharing my experience is the only way I can contribute to this topic.


I use the same Let’s Encrypt TLS certificate that RouterOS obtains for www-ssl for SSTP and User Manager. The Windows SSTP clients never had any problem with that.

There are a couple of little things that need to be addressed at certificate renewal though. Because I use my own domains and not the one from IP → Cloud, I need a script that temporarily opens port 80 (but only on the IPv6 firewall, luckily), enables the www service, requests the Let’s Encrypt renewal, then shuts down www and closes port 80 again. The second issue is that although the renewal process automatically updates the setting of www-ssl with the new certificate, it doesn’t make changes to the SSTP server or User Manager and they still have the old certificate. So the script also has to make sure that those settings are updated.

Mates, thank you for replying and sharing your experience.

Facts are that the same router, with the same certificate, installed on all PCs (Win10 64) at this moment in the same way, lets SSTP work on computer A, but doesn’t work on computer B, and was working but no longer does, for an unknown reason, on computer C.
The procedure is correct, no doubts about that; the only difference that can matter is that these PCs are connected by different providers, but all of them use Google DNS 8.8.8.8..

How can I troubleshoot the Windows error? There should be a way to know why it is failing.
PC B doesn’t want to connect with any of the SSTP servers I created on different routers, placed on different public IPs, using the MikroTik DDNS for all of them. It looks like PC B has troubles with certificates; I’ve tried to remove mine manually from all possible places, something went wrong inside Windows. On PC C the same can happen. How can I fix certificate problems on Win10?
Thanks

The thing is that when you make changes to force the PC to accept a certificate not signed by a recognized entity as valid, you are circumventing security built into the operating system in that matter; don’t expect that “solution” or fix to be reliable.

Yeah, that’s why OP should try the Let’s Encrypt issued certificate like I wrote above, if he doesn’t want to spend money on certificates from commercial providers.


I wrote a post but this new forum thought to log me out and I’ve lost it :((
Ok I got it. I would like to know why Win 10 A works and Win 10 C no longer does; there should be a reason, but I guess it’s too difficult to understand.
Ok for Let’s Encrypt, I opened their page, hard for me to understand how to proceed, should I use the bot? What to do here? No way to go further. Thank you for your kind help about that

Another vote for using the Let’s Encrypt certificate. It works fine on multiple devices for me (Windows laptops, iPad, iPhone).

If you use the acme.sh script to get and renew the certificate from a Linux box, you can set it to also deploy the cert to RouterOS via SSH using the built-in RouterOS deployment hook. That hook can also take a parameter (“Additional services”) that will add the new cert to other services like SSTP.

Thanks mates, well, what you wrote sounds familiar, but I’ve never done it yet. I guess I’ll have to spend hours looking for info and experimenting. Can somebody please write a short guide with the steps to do?
How is this certbot run? I can’t find a way, it’s not an exe program for Windows, it’s not a telnet server, what should I do there?
Should I invoke certbot from the same IP I’m going to register? Can I do it with MikroTik somehow?
How can I then use the resulting certificate? Do I simply install it on Windows, or should I link this certificate to MikroTik’s SSTP server too? How?
To renew the certificate, can MikroTik do it somehow? Or should I do it with another device from the same IP? Thank you a lot

I’ve now found a guide, https://mikrotikmasters.com/mikrotik-with-lets-encrypt-ssl-certificate/
Obtaining the certificate is extremely easy and needs one line on the terminal:

certificate enable-ssl-certificate dns=<the dns sting generated by Mikrotik DDNS, under /IP/cloud>

I’ve trusted it, I’ve removed the previous one manually from PC B (the newly installed Win10-64 that doesn’t want to work), tested, and it gives a certificate error; then I exported and installed the new certificate manually, and it also doesn’t work.
What to do? Where am I wrong?

The current version of RouterOS 7 has built-in support for Let’s Encrypt certificate request and renewal. Here is the relevant part in the documentation:

Certificates - RouterOS - MikroTik Documentation

In case you use the IP Cloud subdomain provided by MikroTik (xxxxxx.sn.mynetname.net), you’ll only need to run this once:

/certificate enable-ssl-certificate

and the router will automatically request a LE certificate for the IP Cloud subdomain, and will also perform the future renewals.

But if you use your own subdomain instead, you’ll need to ensure the following at the moment of certificate request and renewals:

  • The service www must be running.
  • TCP Port 80 to the router (chain input) must not be blocked for incoming requests from the internet, for either IPv4 or IPv6 or both (you can block access for IPv4 while keep it open for IPv6 and it would work too).

The command for certificate request/renewal would then be:

/certificate enable-ssl-certificate dns-name=my.domain.com

The certificate will be listed under System → Certificates and can be used by SSTP. Of course, the SSTP clients will have to use the same subdomain to establish the connection to the router.

While the certificate can be automatically renewed by the router, RouterOS only automatically updates the certificate setting for the www-ssl service and will not modify the setting of the SSTP server after renewal. You’ll need to do it manually or schedule a script that does it for you.

Furthermore, in case you use a custom domain, and not the one provided by IP Cloud (xxxxxx.sn.mynetname.net), you’ll have to make sure that www is running and port 80 is open when the automatic renewal runs. However, it’s normally not wise to have www and port 80 exposed to the internet. It would be better if you keep the service disabled and the port blocked by the firewall, and write your own scheduled script that performs these steps every 80 days or so:

  • Temporarily enable the www service
  • Unblock TCP port 80 on chain input (only for IPv6 if you have IPv6, otherwise for IPv4)
  • Execute /certificate enable-ssl-certificate dns-name=my.domain.com
  • Block TCP port 80 on chain input again
  • Disable the www service
  • Update SSTP with the certificate name currently assigned to www-ssl

(Or you can manually perform those tasks every 80 days if you don’t know how to script)

Please note that if you use the generated Let’s Encrypt certificate for SSTP server, you don’t need to export the certificate and install it on the clients at all! All the clients need is to use the same domain/subdomain as remote host address of the SSTP server.

And of course, don’t forget to select that certificate under PPP → SSTP Server → Certificate!
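The scheduled script described in the steps above, written out as an added example (it is not code from this thread or from MikroTik). It assumes the custom domain my.domain.com from the post, that the www service is normally disabled, and that the input-chain firewall rule dropping TCP/80 carries the comment LE-http-80 so the script can find it; the IPv6 firewall is toggled, as in the post, with the IPv4 equivalent left as a commented line. The delay after the request is a conservative assumption in case the Let’s Encrypt exchange is still in progress when the command returns.

```routeros
# Added example: Let's Encrypt renewal for a custom domain, keeping www and
# TCP/80 closed except during the request, then copying the new certificate
# to the SSTP server (RouterOS only updates www-ssl by itself).
#
# Usage (assumptions): save this as /system script "le-renew" and schedule it:
#   /system scheduler add name=le-renew interval=80d start-time=startup on-event=le-renew
# Prerequisite (assumption): a blocking rule with this comment exists and is enabled:
#   /ipv6 firewall filter add chain=input protocol=tcp dst-port=80 action=drop comment="LE-http-80"

:local domain "my.domain.com"
:local ruleComment "LE-http-80"

# 1. Temporarily enable the www service (the HTTP-01 challenge needs it)
/ip service enable www

# 2. Unblock TCP port 80 on chain input by disabling the drop rule
/ipv6 firewall filter disable [find comment=$ruleComment]
# For an IPv4-only setup, toggle the IPv4 rule instead:
# /ip firewall filter disable [find comment=$ruleComment]

# 3. Request / renew the certificate (current parameter name is dns-name)
/certificate enable-ssl-certificate dns-name=$domain
# Conservative wait in case the request is still completing (assumption)
:delay 30s

# 4. Block TCP port 80 again and 5. disable the www service
/ipv6 firewall filter enable [find comment=$ruleComment]
# /ip firewall filter enable [find comment=$ruleComment]
/ip service disable www

# 6. Point the SSTP server at whatever certificate www-ssl now uses,
#    so both services always carry the freshly renewed certificate
:local cert [/ip service get [find name="www-ssl"] certificate]
/interface sstp-server server set certificate=$cert
:log info ("LE renewal done, SSTP now uses certificate " . $cert)
```

Reading the certificate name back from www-ssl rather than hard-coding it is deliberate: RouterOS assigns the renewed certificate a new name, so a fixed name would silently leave SSTP on the expired one.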

Thank you dear for this explanation, now it looks really friendly.
Yes, I changed the certificate in the SSTP server; there are 2 available, one of them is called intermediate and if I choose it Win10 suddenly displays an error that the remote host (MikroTik) refuses to connect; with the other one I have the same old problem.
Do I need to wait some time somehow?

PS: on PC B I’ve added and tested another SSTP server, now subscribed with Let’s Encrypt, same error. On PC A I’ve removed the certificates manually and it works with both.
Mystery of Windows

I’ve tested with a fourth PC, it’s working, the method is valid and I summarize it here for whoever may need it in future.
Detailed guide here:
https://mikrotikmasters.com/mikrotik-with-lets-encrypt-ssl-certificate/

  1. Enable DDNS under /IP/cloud and copy the address, open the terminal and paste
certificate enable-ssl-certificate dns=<the DDNS address you copied>
  2. To renew the certificate automatically go to /system/scheduler and create a new task, every 88 days, with the same string above as the command to execute
  3. Go to /system/certificates and trust both certificates
  4. Use the certificate with the DDNS address (not the second one named “intermediate”) in the SSTP server settings. If you configured the SSTP server properly with user and password it will work in Windows.

On the second computer it doesn’t work, something is wrong there with Windows; if you know how to fix that.. how to rebuild the VPN features, please advise me, thank you!

With PC C, Win10 64, which was connecting via SSTP with the MikroTik certificate until 1 month ago and then refused, Let’s Encrypt doesn’t help either.
Something went wrong in Windows; it asks to correct the network parameters, I’ve checked but they are ok. On the MikroTik side I have an “authenticated”, login and password are ok, but suddenly after that the client disconnected.
Windows is not checking certificates in the proper way; I’ve removed the certificate but it doesn’t help, maybe I need to reboot?

The link article was for an older version of RouterOS, and quite a few changes have been made to the related functionality, as I wrote in my previous posts:

  • The parameter name for specifying the domain is no longer dns but dns-name.
  • If you use the xxxxxx.sn.mynetname.net URL provided by IP Cloud (omit the dns-name parameter), then the certificate will be requested/renewed using the DNS-01 challenge and you no longer need to have the www service running with TCP port 80 accessible.
  • RouterOS now attempts to automatically renew the certificate (when 80% of its validity period has passed), which means you don’t need the scheduled script from the article anymore. You only need your own scheduled script when you have specific needs like I mentioned above (using a custom domain and blocking port 80 by default, or needing to update the certificate for services like SSTP Server or User Manager).
  • Also, the intermediate certificate (normally R10 or R11) is something that recent versions of RouterOS started to add to the certificate list; that was not the case when that article was written.