As of now: For multiple clients, I need to install the same certificates (ca.crt and client.crt) on all clients' remote laptops to connect to the SSTP server of the Mikrotik router, and I need to install the same ca.crt and server.crt certificates in the Mikrotik router; then I can have different secrets for all clients.
I want: I need to create different certificates with different validity periods for all clients to connect to the same SSTP server. Is this possible in SSTP VPN?
Certificate Installed in SSTP server: server.crt + ca.crt
Certificate Installed in SSTP client: client.crt + ca.crt
Certificate selected in SSTP server: ca.crt (If I select server.crt, the connection won't be established)
SSTP Client = ca.crt in TrustedRootCertificates, client.crt in Personal.
Regardless of whether client.crt is installed or not, the connection is established once I import ca.crt into TrustedRootCertificates, since the SSTP server has ca.crt selected. So the connection got established after I installed ca.crt at both ends; there is no need for server.crt and client.crt to be installed.
If I import and select server.crt in the SSTP server and import client.crt into Personal on the client side, the connection could not be established.
Since you are talking about importing ca.crt into TrustedRootCertificates, I assume that the clients are Windows.
As far as I know, Microsoft does not support two-way certificate validation.
The Microsoft client just checks if the server certificate is signed by a CA in the trusted root store.
This is also mentioned in the documentation: http://wiki.mikrotik.com/wiki/Manual:Interface/SSTP#Certificates
What you call server.crt, ca.crt and client.crt: are they certificates with keys (the public and private parts of the cert) or not?
If you enter the full CA certificate (with its key) on both sides, that would explain why it's working in your setup.
Neither the server nor the clients should have the private part of the CA, just the public part (what I called ca.crt). The private part (ca.key) should be used only on another machine, for the sole purpose of signing the client and server certificates.
To summarize what I wrote before:
On the server you should have the public certificates for the CA and the server, and the private key for the server. The server cert should be signed by the CA.
On the client you should have the public certificates for the CA and the client, and the private key for the client. The client cert should be signed by the CA.
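One way to produce exactly that layout (public CA cert plus each side's own cert and key, with a different validity period per client, and ca.key kept off every bundle), as an added openssl example that is not from this thread or from MikroTik; the CA name, client names, validity periods and directory layout are assumptions:

```shell
#!/bin/sh
# Added example (not MikroTik tooling): CA, server cert, per-client certs with
# different lifetimes, split into the files each side should receive.
# Names (Example SSTP CA, laptop-a, laptop-b) and day counts are illustrative.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# ca.key stays on this signing machine only; ca.crt is what server and clients import.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 3650 -subj "/CN=Example SSTP CA" 2>/dev/null
}

# sign_cert NAME DAYS EKU -> NAME.key and NAME.crt, signed by the CA for DAYS days
sign_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  printf 'extendedKeyUsage = %s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days "$2" -extfile "$1.ext" 2>/dev/null
  rm -f "$1.csr" "$1.ext"
}

# bundle NAME -> directory NAME/ with only ca.crt, NAME.crt and NAME.key (never ca.key)
bundle() {
  mkdir -p "$1" && cp ca.crt "$1.crt" "$1.key" "$1/"
}

# chains_to_ca CRT -> exit 0 if CRT verifies against ca.crt
chains_to_ca() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

# valid_for_days CRT DAYS -> exit 0 if CRT will still be valid DAYS from now
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

make_ca
sign_cert server 730 serverAuth     # server cert: two years
sign_cert laptop-a 365 clientAuth   # first client: one year
sign_cert laptop-b 30 clientAuth    # second client: one month
bundle server; bundle laptop-a; bundle laptop-b
```

The server/ directory is what goes on the router (select server.crt there), and each laptop-*/ directory is what that one client imports; the same ca.crt is shared, the keys are not.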