Sat May 07, 2022 6:31 am
OK so, I got it working. I'll post my setup here (mistakes as well) and how I solved them.
A) My Setup:
1. Mikrotik with a valid (paid) Wildcard SSL Certificate.
2. No certificate on the client side.
3. No clients are registered on the Mikrotik, all users authenticate against a RADIUS Server. (This has NO effect on the SSL and Server Settings).
4. Each client gets a Public IP Address from the Mikrotik (No NAT, No Private IP Addresses).
B) The Server Setup.
1. Hostname: The server has to have a valid FQDN. In my case I use sstp01.domain.com. This needs to be done at System --> Identity.
2. DNS: The server must have values in TWO places: the server itself at IP ----> DNS and at the PPP Profile level. I used the "Default Encryption" profile. The Profile needs to have a DNS Server, otherwise when clients connect they will have a hard time resolving queries.
3. The PPP Profile has to have the "Use Encryption" set to yes. (at least in my setup)
4. The SSTP Server Tab is set to:
4.1 Port: 443
4.2 Max MTU and MRU: 1500 (defaults)
4.3 Authentication: mschap2 ONLY
4.4 Other Checks: Force AES and PFS. NO client certificate verification.
C) Users / Secrets.
Since I am using a centralized system for this (FreeRADIUS backend and Daloradius as Frontend) I did not add any users/secrets here; however, this should work just fine.
If anyone out there is trying to set this up against a radius server, make sure to:
1. On the PPP Tab, navigate to Secrets and then PPP Authentication & Accounting; here, just click on "Use Radius". Make sure Accounting is also selected.
2. On System ---> Users ---> AAA, check the "Use Radius" option.
3. On the RADIUS Tab, make sure you add your Radius Server there with all your Radius Info.
D) The Damn SSL Certificates.
This was the most difficult thing to set up because of the lack of documentation out there for PAID certificates. On top of that, I am using a Wildcard SSL Certificate, which makes things a bit trickier.
My Mistake: My FQDN at the start of this was sstp01.ch01.domain.com HOWEVER, this is wrong, the FQDN can only go back one level:
BAD FQDN: sstp01.ch01.domain.com
GOOD FQDN: sstp01.domain.com
Now, let's talk about the SSL itself.
1. Don't bother generating the SSL on the Mikrotik itself; at least for me it is way easier doing it on a Linux box.
I know, some people will say to keep the CSR (the Certificate Signing Request) file only on the box itself; however, I think we can take care of the files without issues.
Command used to generate the CSR which will then be used to purchase the Certificate from a Certificate Authority (CA).
1.1 Command: openssl req -new -newkey rsa:2048 -nodes -keyout *.yourdomain.com.key -out sstp01.csr
1.2 You will use the CSR to purchase the SSL. Make sure to keep the Key file safe.
1.3 Next, you will need to upload TWO files to the Mikrotik Box: The Key File (in this case *.yourdomain.com.key) and the Certificate you got from the CA.
NOTE: If you are using a single host certificate, the file should be something like vpn.yourdomain.com.key instead of *.yourdomain.com.key
1.4 You can drag the files into the Mikrotik, or if you are using a Linux Box like me and for some reason that doesn't work, you can always FTP into your Mikrotik and PUT the file there.
1.5 Once the files are uploaded, you must import them. Import the certificate you got from the CA FIRST, this is important, THEN after this, import your key.
1.6 After this is done, then go back to PPP ----> SSTP Server and make sure to select the certificate you just imported, to be used by the SSTP Server.
E) The Windows Client
I am using a Windows 10 VM to test this.
1. Create a VPN profile as you would normally do, use the FQDN you set up, not an IP Address, and make sure to select SSTP as the protocol to be used.
2. Save your settings and Open the Network and Sharing Center, you will need to make a few modifications to the VPN profile you just created.
3. Right-click on the SSTP profile and click on Properties ---> Security. Make sure Encryption IS required and select mschap2 as the authentication protocol.
That's it (I think I didn't miss anything)
Enjoy
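To check the BAD/GOOD FQDN rule from section D before buying or importing a certificate, here is an added Python example (not from the original post) that implements the RFC 6125 single-label wildcard rule; all hostnames in it are constructed.

```python
# Added example (not from the original post): check whether a certificate
# name, wildcard or not, covers the FQDN you plan to use for the SSTP server.
# Implements the RFC 6125 rule behind the post's BAD/GOOD FQDN observation:
# '*' must be the whole leftmost label and matches exactly one DNS label.

def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def wildcard_covers(cert_name: str, fqdn: str) -> bool:
    """True if cert_name (a CN or dNSName SAN entry) covers fqdn."""
    cert_labels = _labels(cert_name)
    host_labels = _labels(fqdn)
    if "*" not in cert_name:
        # Plain name: exact, case-insensitive label-by-label match.
        return cert_labels == host_labels
    if cert_labels[0] != "*" or "*" in cert_name[1:]:
        # Partial ("sstp*.") or non-leftmost wildcards are not portable
        # across validators; treat them as not covering anything.
        return False
    if len(cert_labels) < 3:
        # Simplification: refuse "*.com"-style wildcards over a bare suffix.
        return False
    if len(host_labels) != len(cert_labels):
        # The wildcard stands in for exactly one label, so *.domain.com
        # covers sstp01.domain.com but not sstp01.ch01.domain.com.
        return False
    return cert_labels[1:] == host_labels[1:]

def uncovered(cert_names: list[str], fqdns: list[str]) -> list[str]:
    """Return the planned server names that no certificate name covers."""
    return [h for h in fqdns
            if not any(wildcard_covers(c, h) for c in cert_names)]

if __name__ == "__main__":
    # Constructed names mirroring the post's BAD/GOOD FQDNs.
    cert_names = ["*.domain.com"]
    planned = ["sstp01.domain.com", "sstp01.ch01.domain.com", "domain.com"]
    for host in planned:
        print(f"{host:28s} covered={wildcard_covers(cert_names[0], host)}")
    print("not covered:", uncovered(cert_names, planned))
```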