I’m currently on a cruise ship whose WiFi blocks Wireguard tunnels. The Wireguard client just shows that it’s sending multiples of 148 bytes, but there is no connectivity. My router, on the other end of the tunnel, doesn’t register any connections.
I was able while in port to configure a SSTP server on the router. I downloaded the iOS SSTP Connect app for the client. I got it working but have a couple questions/concerns:
I was able to log in with a username and password I configured under /ppp secret. How can I disable password authentication and only use certificates?
I want the SSTP interface to be part of the LAN for firewall purposes, so I added it to the default “LAN” interface list. In the terminal, the SSTP interface showed in purple and not blue like the others. It seems that after disconnecting the VPN, the SSTP interface disappeared. When I reconnected I couldn’t access the network because the /interface list member had garbage in the interface name instead of the configured SSTP tunnel interface. How do I permanently make the SSTP interface part of the LAN group?
Any other best practices I should be aware of for security/usability/anything else?
The only SSTP client that can authenticate itself using a certificate is the MikroTik one. So for non-MikroTik clients, the best available practice is to use a server-side certificate (which you obviously do, otherwise the iOS client would not connect) and username/password authentication of the client; if you want to improve security a bit, you can consider setting up the user-manager as a RADIUS server to store the usernames and passwords instead of the /ppp secret table, which would allow you to use the TOTP extension of the password. It depends on your router model whether you can install the user-manager package directly on it. It is also a tad more secure if the RADIUS server is not running on the router itself; ideally its management interface would not be accessible from the router, but that’s not something you can do remotely.
The *2e or something similar is not garbage; it is an internal ID pointing to another configuration object that could not be translated to any object name, as the object has disappeared. The SSTP interfaces representing the tunnels towards clients are indeed created dynamically, and there are two ways to deal with this. You can either create a static interface and link it to the user name using /interface sstp-server add name=some-nice-name user=your-username, or instead you can add interface-list=LAN to the /ppp profile row to which the /ppp secret row or the /interface sstp-server server configuration refer. That way, the ephemeral interface is always added to the address list as it is created. The latter method is somewhat better, as it can happen that the client loses connection and establishes a new one before the server notices that, and in such a case, if the old connection was bound to the static port, the new one will create an ephemeral interface anyway because the static one is occupied at the time it gets established.
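The two fixes from the reply above, written out as a constructed RouterOS example (this is an added illustration, not the posters' own configuration; the list name LAN comes from the thread, while sstp-lan, vpnuser, server-cert and the dynamic interface name are assumed):

```routeros
# Constructed example. Names "sstp-lan", "vpnuser", "server-cert" and the
# dynamic interface "<sstp-vpnuser>" are assumptions; only "LAN" is from the thread.

# Fragile approach (what produces the *2e entry): the dynamic tunnel interface
# exists only while the client is connected, so a static member row pointing at
# it is left with a dangling internal ID once the client drops.
/interface list member add list=LAN interface=<sstp-vpnuser>
# Check for such dangling rows after a reconnect; the interface column shows
# an ID such as *2e instead of a name:
/interface list member print

# Fix 1: a static server-side interface bound to the user name, then added
# to LAN once. Note the caveat above: if the static interface is still held by
# a stale session, a new connection falls back to an ephemeral interface.
/interface sstp-server add name=sstp-vpnuser user=vpnuser
/interface list member add list=LAN interface=sstp-vpnuser

# Fix 2 (preferred in the reply): let the PPP profile put every tunnel
# interface into LAN at the moment it is created, static or ephemeral.
/ppp profile add name=sstp-lan interface-list=LAN use-encryption=required
/ppp secret add name=vpnuser password=CHANGE-ME service=sstp profile=sstp-lan
/interface sstp-server server set enabled=yes port=443 \
    certificate=server-cert default-profile=sstp-lan
```

With Fix 2 in place, remove the manually added dynamic member row so the stale *2e reference does not linger in the LAN list.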
Oh neat. So I could configure Google Authenticator or the like to provide a one time code for login if I use RADIUS? I’ll check it out.
Yes, I tried several ports including 1701 and 443 and one or two random ones. The Wireguard protocol has a well defined and easy to spot handshake that makes it easy to block with DPI. There is a Wireguard fork called Amnezia that allows you to configure some randomness with the handshake to avoid detection, but MikroTik would need to support it.
I was surprised they bothered blocking it too. Last year on the same ship it worked fine. It is a big ship with 4000 passengers and crew aboard. The ship has an IT team. It doesn’t surprise me that they do traffic shaping and DPI to ensure that everyone gets the connectivity they need, including for vessel operation and business needs. It uses Starlink, which is kinda cool. I’ve gotten 25Mbps down at non peak times but have never seen less than about 4Mbps.