SSTP and certificates

I’ve recently adopted a VPN solution, and upon reviewing it, it seems they haven’t installed any certificate, let alone a valid one, on the server.

Am I right to think that SSTP has the client send the username/password to the server, and is thus open to MITM attacks?

They have about 120 clients on the network.

I certainly don’t want the overhead of maintaining 120 client certificates, so it seems I need a valid certificate.

Some questions

  1. Do MikroTik clients trust normal SSL providers (specifically Let’s Encrypt) by default for sstp-client, or will I need to import my own CA anyway?
  2. Are there any other protocols which would work well for road warrior site-to-site connections? I use EoIP with “ipsec-secret” on fixed sites, but that relies on a known public IP on both ends. OpenVPN seems to have the same certificate problems.

Thanks

It’s in the manual:

You have to wonder why it’s even possible, but it’s there.

About other questions, there are no built-in CAs in RouterOS, you have to manually add what you need. If you want to avoid certificates completely, there’s L2TP/IPSec or plain IPSec.
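The reply above says RouterOS ships with no built-in CAs, so the client only validates the server certificate if you import the issuing root and turn verification on. The following RouterOS CLI snippet is an added example (not posted by either participant) of doing exactly that for a client that connects to a server using a Let’s Encrypt certificate; the file name `isrgrootx1.pem` (the Let’s Encrypt root, uploaded to the router’s Files beforehand), the host `vpn.example.com`, the user `alice` and the profile `default` are assumed placeholders.

```routeros
# Added example: trust one public CA and require the SSTP client to
# verify the server certificate against it. Names below are assumed.

# 1. Import the root CA the server's certificate chains to.
#    RouterOS has no CA bundle of its own, so this step is mandatory.
/certificate import file-name=isrgrootx1.pem passphrase=""

# 2. Create the client with server-certificate verification switched on.
#    With verify-server-certificate=no (the default) any certificate is
#    accepted, which is the MITM exposure the question asks about.
/interface sstp-client add name=sstp-out1 connect-to=vpn.example.com \
    user=alice password="CHANGE-ME" profile=default \
    verify-server-certificate=yes \
    verify-server-address-from-certificate=yes disabled=no

# 3. Check the tunnel came up and that the imported CA is present.
/interface sstp-client monitor sstp-out1 once
/certificate print detail where name~"isrg"
```

Two caveats when using this: the server must present its full chain (leaf plus intermediate) or verification fails even with the root imported, and the server side needs the certificate bound with `/interface sstp-server server set enabled=yes certificate=<name>`. Because verification is per-client, auditing the 120 clients comes down to confirming each one has `verify-server-certificate=yes`; any client left at the default will still connect to an impostor presenting an arbitrary certificate.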