Hello, I have created an SSTP server from my mikrotik hAP_ac2 with version 7.6, I created the signed CA and SERVER certificates.
When connecting it to a Windows 11 PC and installing the CA certificate on it, the VPN connects fine, without the certificate it does not connect.
The server is configured like this:
However, I installed the SSTP Max application on my Android mobile.

https://play.google.com/store/apps/deta ... l=US&pli=1

With it I was able to connect to the VPN with only the username and password, without the need for the certificate.
My doubt, what role does the certificate play in this case?
I always thought that the certificate was also necessary on the client side to achieve a more secure connection.

It is, if the client does not verify the server certificate chain then you are open to man-in-the-middle attacks.

Let's see if I understand, the server allows the connection of any client without a certificate?

Let's see if I understand, the server allows the connection of any client without a certificate?

Yes, that's how Microsoft has designed it. It is only the client that checks the authenticity of the server using a certificate - the certificate Subject-Alt-Name field must contain the IP address or the FQDN to which the client is configured to connect. And only if this is true, the client will accept the authentcation challenge and send the username and the challenge hashed using the password in response.

The app you mention does allow some certificate related settings in the SSL part of the setup.

Mikrotik supports deviation from the Microsoft standard in both ways - it can use a certificate also to authenticate the client, but at the other hand it can also let the client ignore the server certificate, or at least let it not verify that the SAN field matches the IP or FQDN, i.e. it can be set to accept any certificate signed by a certification authority it trusts.

So any client can connect to the server just by knowing the username and password?
From the server side is there any extra way to ensure that the client connecting is the correct one apart from knowing the username and password?
Thank you

From the server side is there any extra way to ensure that the client connecting is the correct one apart from knowing the username and password?

In the Microsoft design, no. The server will accept any client with the proper username and password.

Mikrotik acting as a server can check a client certificate, but the Microsoft client is unable to present it, so if you want Microsoft clients to connect, you cannot require that check on Mikrotik side.

For mutual authentication using certificates, you have to use IKEv2, On Android, it is embedded on contemporary versions and available using Strongswan on older ones.

Thank you, I understand. I thought authentication only by username and password was not completely secure.

Nothing is completely secure, and in general, username/password is indeed less secure than a certificate.