Hosting sstp and apache/nginx/iis on same port (443)

Posted: Mon May 14, 2018 2:30 am
by nescafe2002
This is an example to host both https web sites and sstp server on the same port (443). It's not perfect but the best possible way I could host these services on the same port, being able to serve web sites and allow me to connect to my own network from different locations with different network policies (port 443 is usually open).

It can be seen as a 'port knock' solution using tls-host.

Approach:
  • host web sites on a nginx server (or iis, apache) with SNI support and appropriate certificates (let's encrypt works fine)
  • run sstp-server on a different port (e.g. 8443)
  • use mangle rule to catch sstp directed traffic and nat subsequent connections to port 8443 for a limited time period
  • postpone fasttrack for a few kB per connection (or disable fasttrack for port 443/tcp) to make sure tls-host matcher works

Limitation:
Each connection requires at least two connection attempts.

Web server:
Create a dummy virtual host for the endpoint https://vpn.company.com with appropriate certificate.
The start page is nothing special (Welcome to nginx!).

MikroTik:
# Make sure to import the certificate with matching host name (in this config vpn.company.com.crt_0)

/interface sstp-server server

# Enable sstp server on port 8443
set certificate=vpn.company.com.crt_0 enabled=yes port=8443

/ip firewall mangle

# Add potential sstp clients to address list 'sstp-conn'
add action=add-src-to-address-list address-list=sstp-conn \
    address-list-timeout=5s chain=prerouting \
    dst-address-type=local dst-port=443 protocol=tcp \
    tls-host=vpn.company.com

/ip firewall nat

# Forward potential sstp clients (listed by the mangle rule above) to the sstp server
add action=dst-nat chain=dstnat dst-address-type=local \
    dst-port=443 protocol=tcp src-address-list=sstp-conn \
    to-ports=8443

# Otherwise route regular http(s) traffic to Nginx (192.168.88.2)
add action=dst-nat chain=dstnat dst-address-type=local \
    dst-port=80,443 protocol=tcp to-addresses=192.168.88.2


To make sure tls-host is matched correctly, either disable fasttrack for port 443 or postpone fasttracking for a few kilobytes:
/ip firewall filter

# Either disable fasttrack for port 443 (place this accept rule before the fasttrack rule;
# dst-port only works together with protocol):
add action=accept chain=forward connection-state=established,related \
    dst-port=443 protocol=tcp

# Or, fasttrack after 10kB ( found here: https://forum.mikrotik.com/viewtopic.php?f=2&t=133997&p=659329#p659329 )
add action=fasttrack-connection chain=forward \
    connection-bytes=10240-0 connection-state=established,related

What happens now, if you connect with an SSTP client to vpn.company.com:
  • Nginx can't handle the request and will return 400 ("SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1 400")
  • Windows will display an error ("The network connection was aborted by the local system.")
  • MikroTik has added the client ip to the address list for 5 seconds based on matching tls-host
  • On second attempt within 5 seconds, the connection will be established successfully

And after these 5 seconds, the address list entry will disappear, so further https requests from this client will be routed to Nginx again.
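The following is an added example, not code from the original post or from MikroTik: it shows what the tls-host matcher has to find in the TLS ClientHello (the server_name extension, which is why the first few kB of the connection must not be fasttracked), and then replays the mangle/dst-nat/address-list sequence from the list above as a small simulation. The ClientHello bytes, the client address 203.0.113.10 and the names Router, extract_sni and demo_two_attempts are all constructed for this example; hostname, backend address, port and 5s timeout are the values from the post.

```python
"""Added example (not from the original post): parse the SNI that tls-host
matches on, and simulate the mangle / dstnat / address-list timeout interplay."""
import os
import struct

SNI_HOST = "vpn.company.com"      # hostname from the post
WEB_BACKEND = "192.168.88.2:443"  # nginx backend from the post
SSTP_LOCAL = "router:8443"        # sstp-server port from the post
LIST_TIMEOUT = 5.0                # address-list-timeout=5s


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS ClientHello record with an SNI extension.
    This is constructed test input, not captured traffic."""
    name = host.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + os.urandom(32)   # client_version + random
        + b"\x00"                      # session_id length 0
        + b"\x00\x02\x13\x01"          # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                  # one compression method (null)
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None when the
    bytes are not a ClientHello carrying SNI (the condition tls-host matches)."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:          # record type handshake, msg type client_hello
            return None
        pos = 9                                          # record header (5) + handshake header (4)
        pos += 2 + 32                                    # version + random
        pos += 1 + data[pos]                             # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher suites
        pos += 1 + data[pos]                             # compression methods
        ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:
                p = pos + 2                              # skip server_name_list length
                while p + 3 <= pos + ext_len:
                    name_type = data[p]
                    name_len = struct.unpack_from("!H", data, p + 1)[0]
                    p += 3
                    if name_type == 0:
                        return data[p:p + name_len].decode("ascii", "replace")
                    p += name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None
    return None


class Router:
    """Simulates the post's mangle rule (add-src-to-address-list on tls-host)
    and dstnat rules (src-address-list=sstp-conn -> 8443, otherwise -> nginx)."""

    def __init__(self):
        self.sstp_conn = {}   # src ip -> expiry time of the dynamic list entry

    def _listed(self, src, now):
        expiry = self.sstp_conn.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.sstp_conn[src]   # dynamic entry timed out
            return False
        return True

    def new_connection(self, src, now):
        """dstnat is decided on the first packet of a connection (the SYN)."""
        return SSTP_LOCAL if self._listed(src, now) else WEB_BACKEND

    def observe_packet(self, src, payload, now):
        """prerouting mangle; only sees the ClientHello if the connection is not fasttracked yet."""
        if extract_sni(payload) == SNI_HOST:
            self.sstp_conn[src] = now + LIST_TIMEOUT
            return True
        return False


def demo_two_attempts(client="203.0.113.10"):
    """Replay the sequence from the post; returns the three dstnat decisions."""
    r = Router()
    hello = build_client_hello(SNI_HOST)
    first = r.new_connection(client, 0.0)      # not listed yet -> nginx (which answers 400)
    r.observe_packet(client, hello, 0.01)      # tls-host matched -> listed for 5s
    second = r.new_connection(client, 1.0)     # within 5s -> sstp-server on 8443
    third = r.new_connection(client, 7.0)      # entry expired -> nginx again
    return first, second, third


if __name__ == "__main__":
    print(extract_sni(build_client_hello(SNI_HOST)))
    print(demo_two_attempts())
```

The simulation makes the limitation explicit: the dst-nat target is fixed when the connection starts, but the ClientHello that carries the SNI only arrives after the handshake, so the listing can only take effect for the next connection within the 5 second window.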

Debugging hint: disable keep-alive if you want to test tls-host functionality with a web browser.