nosatishtakor
just joined
Topic Author
Posts: 4
Joined: Thu Mar 07, 2019 10:07 pm

SSTP Server, does it REALLY work for anyone??

Thu Mar 07, 2019 10:23 pm

Seriously people, has anyone ever managed to use the SSTP Server on Mikrotik???
All available tutorials are useless. I keep getting "0x80072746: An existing connection was forcibly closed by the remote host."
The very moment I connect, I'm kicked out.

Log contains nothing useful, some sstp_input lines with negotiation probably, but it's hard to tell and immediately after that:

21:19:12 sstp,ppp,debug sstp_: : LCP lowerdown
21:19:12 sstp,ppp,debug sstp_: : LCP down event in initial state
21:19:12 sstp,ppp,debug sstp_: : LCP lowerdown
21:19:12 sstp,ppp,debug sstp_: : LCP down event in initial state

That damn device is useless...
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: SSTP Server, does it REALLY work for anyone??

Fri Mar 08, 2019 12:51 am

There is very useful information on the wiki, have you tried that?

https://wiki.mikrotik.com/wiki/Manual:I ... n_Examples

Please share your config (/export hide-sensitive) if you are stuck. Which clients are connecting?

(Multiple sstp tunnels and road warrior setups running fine..)
 
chechito
Forum Guru
Posts: 3007
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: SSTP Server, does it REALLY work for anyone??

Fri Mar 08, 2019 4:00 am

I use SSTP mostly to manage MikroTik remotely. It works almost everywhere and is very useful to avoid NAT problems, but the performance leaves much to be desired; to move a lot of traffic I will not recommend it.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: SSTP Server, does it REALLY work for anyone??

Fri Mar 08, 2019 4:15 am

I have SSTP up and running without any issue. Clients are mostly Win10 machines but I tested it successfully with an Android phone as well.
I agree with @chechito that performance is not great (on a 50/20Mbit connection with 60ms latency I get only 12/3Mbit through the tunnel) but that's an expected issue with any TCP-based VPN. My main concern was to have it available from everywhere since both IPsec and PPTP are sometimes blocked.
 
nosatishtakor
just joined
Topic Author
Posts: 4
Joined: Thu Mar 07, 2019 10:07 pm

Re: SSTP Server, does it REALLY work for anyone??

Fri Mar 08, 2019 4:27 am

I managed to move slightly forward, but still far away from the solution.

I created a CA and a server certificate (plus private key) as the manual says.
When I connect from a Windows machine, I get "The certificate's CN name does not match the passed value". The CN is correct (some.ddns.server.com), but the MikroTik is behind the ISP's DSL modem/router.
Port 443 is forwarded and I see a connection attempt on the MikroTik, but it fails. I guess two NATs are a deal breaker...

Any suggestions?
 
nosatishtakor
just joined
Topic Author
Posts: 4
Joined: Thu Mar 07, 2019 10:07 pm

Re: SSTP Server, does it REALLY work for anyone??

Fri Mar 08, 2019 5:17 am

One more update... I managed to establish a connection from the Windows machine.
Every tutorial says how the CA must be created (signed) and then the server certificate and private key must be created and signed with the CA.
But you cannot have the same CN entry in the CA and in the server certificate. Therefore, I tried to provide only the CA certificate + private key to the SSTP server on the MikroTik and I imported that same CA to the Windows certificate store. The CA's CN is the same as before and now it works.

Is that normal?? No server certificate or the key, just CA certificate.

Thanks.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: SSTP Server, does it REALLY work for anyone??

Fri Mar 08, 2019 8:13 am

You don't need to make a certificate chain, but I'd consider it good practice. You'd install 1 self-signed certificate that's marked as a Certificate Authority (CA) on your Windows computers, then you can create more certificates and sign them with your CA certificate and the computers will trust them. For the common name of the CA certificate, I use CompanyName-CA and not a URL.

When you install the CA certificate, you have to install it to the local system store. By default Windows selects the user profile store. For SSTP VPNs, it must go to the local system store.

Then create a new key and new certificate where CN=YourURL.ddns.org and sign it with your CA certificate.

Now install that certificate and its private key into the Mikrotik. The Mikrotik does not need the CA certificate installed unless you will be using client side certificates as well that will be verified.

When importing the Key and Cert on the Mikrotik, I use PEM format. Some of the other formats didn't work for me. There is an order to import on the Mikrotik and I can't remember. Key then Cert or Cert then Key. Winbox will show the certificate as having a private key, flag=K.

Then of course, don't forget to set the cert in the SSTP server. If you don't, it doesn't tell you in the log, the VPN just gets forcibly closed.

SSTP VPNs do encryption in the CPU and will be slower than L2TP/IPSec. SSTP VPNs work entirely over TCP/443 so it's very NAT friendly. L2TP/IPSec is UDP port 4500. Since SSTP uses the same port as HTTPS, it's the most likely VPN to get around firewalls. If your SSTP VPN maxes out your CPU in the Mikrotik, you'll have packet loss and your internet will become flaky.

My SSTP implementations have worked very well.
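
The certificate procedure from the post above, as an added example that is not part of any post in this thread: it builds a CA and a CA-signed server certificate with OpenSSL on a workstation, then runs the checks worth doing before importing anything on the router. The names `CompanyName-CA` and `yoururl.ddns.example`, the file names and the function names are assumptions made for the illustration.

```shell
# Added example: CA + server certificate for SSTP, checked before import.
CA_CN="CompanyName-CA"          # CA name, not a hostname (assumed value)
SRV_CN="yoururl.ddns.example"   # placeholder: the exact name clients connect to

make_chain() {   # $1 = working directory
  local d="$1"; mkdir -p "$d" || return 1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  printf 'subjectAltName = DNS:%s\n' "$SRV_CN" >> "$d/pki.cnf"
  # 1. Self-signed CA; ca.key never needs to leave this machine.
  openssl req -x509 -config "$d/pki.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$CA_CN" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # 2. Server key and signing request; CN is the public hostname.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$SRV_CN" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  # 3. CA signs the request as a non-CA server certificate.
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 825 -extfile "$d/pki.cnf" -extensions v3_srv \
    -out "$d/server.crt" 2>/dev/null
}

# Pre-import checks; each returns 0 on success. $1 = working directory.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }
# $2 = hostname the client will dial; a mismatch is the "CN name does not match" error.
name_ok()  { openssl x509 -in "$1/server.crt" -noout -checkhost "$2" 2>&1 \
               | grep -q 'does match certificate'; }
# Certificate and private key must be a pair (the K flag after import).
key_ok()   { [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = \
               "$(openssl pkey -in "$1/server.key" -pubout)" ]; }
# The certificate handed to the router must not itself be a CA.
is_leaf()  { ! openssl x509 -in "$1/server.crt" -noout -text | grep -q 'CA:TRUE'; }
```

Run `make_chain ./pki` and then the four checks against `./pki`; `server.crt` and `server.key` are the PEM files for the router, and `ca.crt` is the one to install in the Windows local system store.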
 
canaris1780
just joined
Posts: 4
Joined: Wed Nov 07, 2012 3:31 pm

Re: SSTP Server, does it REALLY work for anyone??

Fri Mar 08, 2019 3:53 pm

Sure it works, just fine.
[andrei@MH26] > /ip address print where interface ~"sstp"
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0 D 10.0.8.1/32        10.0.8.10       <sstp-mama-sstp>
