This can be seen as a 'port knock' solution using the tls-host matcher.
Approach:
- host websites on an nginx server (or IIS, Apache) with SNI support and appropriate certificates (Let's Encrypt works fine)
- run the SSTP server on a different port (e.g. 8443)
- use a mangle rule to catch SSTP-directed traffic (by tls-host) and NAT subsequent connections from that client to port 8443 for a limited time period
- postpone fasttrack for a few kB per connection (or disable fasttrack for port 443/tcp) to make sure the tls-host matcher gets to see the TLS ClientHello
Limitation:
Each connection requires at least two connection attempts.
Web server:
Create a dummy virtual host for the endpoint https://vpn.company.com with appropriate certificate.
The start page is nothing special (Welcome to nginx!).
MikroTik:
# Make sure to import the certificate with matching host name (in this config vpn.company.com.crt_0)
/interface sstp-server server
# Enable sstp server on port 8443
set certificate=vpn.company.com.crt_0 enabled=yes port=8443
/ip firewall mangle
# Add potential sstp clients to address list 'sstp-conn'
add action=add-src-to-address-list address-list=sstp-conn \
address-list-timeout=5s chain=prerouting \
dst-address-type=local dst-port=443 protocol=tcp \
tls-host=vpn.company.com
/ip firewall nat
# Forward potential sstp clients to sstp server
add action=dst-nat chain=dstnat dst-address-type=local \
dst-port=443 protocol=tcp src-address-list=sstp-conn \
to-ports=8443
# Route all other http(s) traffic to Nginx (192.168.88.2); this rule must come after the sstp rule above
add action=dst-nat chain=dstnat dst-address-type=local \
dst-port=80,443 protocol=tcp to-addresses=192.168.88.2
To make sure tls-host is matched correctly, either disable fasttrack for port 443 or postpone fasttracking for a few kilobytes:
/ip firewall filter
# Either disable fasttrack for port 443 by accepting it before the fasttrack rule
# (this accept rule has to sit above the fasttrack-connection rule in the forward chain;
# dst-port requires protocol=tcp to be set):
add action=accept chain=forward connection-state=established,related \
dst-port=443 protocol=tcp
# Or, fasttrack only after 10kB have passed ( found here: https://forum.mikrotik.com/viewtopic.php?f=2&t=133997&p=659329#p659329 )
add action=fasttrack-connection chain=forward \
connection-bytes=10240-0 connection-state=established,related
What happens now if you connect an SSTP client to vpn.company.com:
- Nginx can't handle the request and will return 400 ("SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1 400")
- Windows will display an error ("The network connection was aborted by the local system.")
- MikroTik has added the client IP to the address list for 5 seconds based on the matching tls-host
- On the second attempt within 5 seconds, the connection will be established successfully
After these 5 seconds the address list entry disappears, so further https requests from this client will be routed to Nginx again.
Debugging hint: disable keep-alive if you want to test tls-host functionality with a web browser.
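To make the two-attempt behaviour and the fasttrack caveat concrete, here is an added Python model (not RouterOS code and not part of the original post). It builds a constructed TLS ClientHello, extracts the SNI host_name the way a tls-host matcher has to (from the plaintext handshake, which is why the matcher only works if the packet is not fasttracked past the firewall), and then replays the connection sequence with a toy router whose dst-nat decision is taken on the first packet while the address-list entry is only added once the ClientHello is seen. The names `Router`, `new_connection`, the source IPs and the timing values are assumptions for the illustration; the tls-host value and the 5 s timeout are the post's.

```python
import struct

SSTP_HOST = "vpn.company.com"   # the tls-host value from the mangle rule in the post
LIST_TIMEOUT = 5.0              # address-list-timeout=5s from the post


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello with an SNI extension (constructed test input)."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host           # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = struct.pack("!H", 2) + b"\xc0\x2f"                  # one suite is enough for parsing
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                         # version, random, empty session id
            + cipher_suites + b"\x01\x00" + extensions)                  # one compression method (null)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(data: bytes):
    """Return the SNI host_name of a TLS ClientHello, or None if the bytes are not one."""
    if len(data) < 5 or data[0] != 0x16:                # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                    # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                     # skip client_version and random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:                       # only server_name is of interest
                continue
            list_end = 2 + struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                name = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
    except (IndexError, struct.error):                   # truncated or malformed hello
        return None
    return None


class Router:
    """Toy model (an assumption, not RouterOS) of the order in which the two decisions are taken."""

    def __init__(self):
        self.sstp_conn = {}     # address list 'sstp-conn': source ip -> expiry time

    def new_connection(self, src_ip: str, first_payload: bytes, now: float) -> str:
        # dst-nat is decided on the first packet (the SYN), before any TLS data is visible
        listed = self.sstp_conn.get(src_ip, 0.0) > now
        target = "sstp:8443" if listed else "nginx:443"
        # the mangle rule's tls-host matcher only fires once the ClientHello has arrived
        if extract_sni(first_payload) == SSTP_HOST:
            self.sstp_conn[src_ip] = now + LIST_TIMEOUT
        return target


if __name__ == "__main__":
    r = Router()
    hello = build_client_hello(SSTP_HOST)
    for t in (0.0, 2.0, 9.0):
        print(f"t={t:>4}s  attempt -> {r.new_connection('203.0.113.5', hello, t)}")
```

Running it shows the first attempt landing on nginx, the retry two seconds later reaching the SSTP server, and a third attempt after the 5 s window falling back to nginx. The model also makes one side effect of the design visible: while the entry exists, every port-443 connection from that source address is sent to the SSTP server, SNI or not, so a browser request from the same address (or from another host sharing that address behind NAT) is diverted as well during those few seconds.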