SSTP VPN Server

SSTP VPN Server on a MikroTik Router

Setting Up an SSTP VPN Server on a MikroTik Router and Configuring Windows Clients

This tutorial covers step-by-step instructions to set up an SSTP (Secure Socket Tunneling Protocol) VPN server on a MikroTik router, including generating and exporting SSL certificates, and configuring a Windows client.


Step 1: Generate SSL Certificates

Generate a Certificate Authority (CA)

/certificate add name=ca-cert common-name=ca-cert key-usage=key-cert-sign,crl-sign days-valid=3650 

Generate a Server Certificate

/certificate add name=server-cert common-name=<your-domain-or-ip> key-usage=digital-signature,key-encipherment,tls-server days-valid=3650

Sign the Certificates

/certificate sign ca-cert ca-crl-host=<your-domain-or-ip>
/certificate sign server-cert ca=ca-cert

Export the CA Certificate

/certificate export-certificate ca-cert export-passphrase="yourpassword"

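This exports the CA certificate to /files on the MikroTik router. Because an export passphrase is set, the export also includes the CA's passphrase-encrypted private key (.key).

Download the CA Certificate

Open WinBox, navigate to “Files,” and download the .crt and .key files to your local machine. Only the .crt file is imported on the Windows client in Step 3.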


Step 2: Configure the SSTP Server

Enable SSTP Server

/interface sstp-server server set enabled=yes certificate=server-cert default-profile=default-encryption authentication=mschap2 pfs=yes

Configure IP Pool for SSTP Clients

/ip pool add name=vpn_pool ranges=10.1.254.10-10.1.254.200

Create a PPP Profile for SSTP

/ppp profile add name=sstp-profile local-address=10.1.254.1 remote-address=vpn_pool use-encryption=yes

Add SSTP Users

/ppp secret add name=andrew password=helloworld123 service=sstp profile=sstp-profile

Set Firewall Rules (Optional)

Needed only if the MikroTik is directly internet-facing, without another firewall/filter device in front of it. Add a rule to allow SSTP traffic (TCP port 443):

/ip firewall filter add chain=input protocol=tcp dst-port=443 action=accept

Step 3: Configure Windows Client

Import the CA Certificate

  1. Double-click the downloaded .crt file on the Windows machine.
  2. Click “Install Certificate.”
  3. Select “Local Machine” and proceed.
  4. Choose “Place all certificates in the following store” and select “Trusted Root Certification Authorities.”
  5. Complete the wizard.

Create a New VPN Connection

  1. Open “Network and Sharing Center” > “Set up a new connection or network.”
  2. Choose “Connect to a workplace” > “Use my Internet connection (VPN).”
  3. Enter your MikroTik router’s public IP or domain name in “Internet Address.”
  4. Provide a name for the connection, e.g., “MikroTik SSTP VPN.”
  5. Click “Next.”

Configure VPN Properties

  1. Open the “Network” adapter settings.
  2. Right-click the new VPN connection > “Properties.”
  3. Go to the “Security” tab.
  4. Set “VPN type” to “Secure Socket Tunneling Protocol (SSTP).”
  5. Ensure “Microsoft CHAP Version 2 (MS-CHAP v2)” is checked.

Connect to the VPN

  1. Click the network icon in the taskbar.
  2. Select the VPN connection and click “Connect.”
  3. Enter the username and password created on the MikroTik router.
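
The import, connection and security settings from Step 3 as a script, followed by a TLS handshake against the router that confirms the CA is trusted and the server certificate name matches before the first connect. This is an added example, not part of the original tutorial; `$CaPath` and `$Server` are placeholder values to replace with your own.

```powershell
# Added example: scripted form of Step 3. Run from an elevated PowerShell prompt.
# Placeholders (assumptions, not from the tutorial): $CaPath and $Server.
$ErrorActionPreference = 'Stop'
$CaPath   = "$env:USERPROFILE\Downloads\ca-cert.crt"  # the .crt downloaded in Step 1
$Server   = 'vpn.example.com'                         # same value as the server-cert common-name
$ConnName = 'MikroTik SSTP VPN'

# 1. Inspect the file before trusting it machine-wide.
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaPath)
if ($ca.Subject -ne $ca.Issuer)  { throw "Not a self-signed root: $($ca.Subject)" }
if ($ca.NotAfter -lt (Get-Date)) { throw "CA certificate expired on $($ca.NotAfter)" }
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$print  = -join ($sha256.ComputeHash($ca.RawData) | ForEach-Object { $_.ToString('x2') })
Write-Host "CA subject : $($ca.Subject)"
Write-Host "CA SHA-256 : $print"   # compare out of band with the value the router shows for ca-cert

# 2. Import into Local Machine > Trusted Root Certification Authorities.
Import-Certificate -FilePath $CaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Create the connection with SSTP and MS-CHAP v2, as set on the Security tab.
if (-not (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType Sstp `
        -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force
}

# 4. Handshake test on TCP 443: fails if the chain does not lead to the imported CA
#    or if $Server does not match the name in the server certificate.
$tcp = [System.Net.Sockets.TcpClient]::new($Server, 443)
try {
    $tls = [System.Net.Security.SslStream]::new($tcp.GetStream())
    $tls.AuthenticateAsClient($Server)   # throws AuthenticationException on failure
    Write-Host "TLS OK, server presented: $($tls.RemoteCertificate.Subject)"
} finally {
    $tcp.Dispose()
}

# 5. Show the settings that were actually stored.
Get-VpnConnection -Name $ConnName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

If step 4 throws, the usual causes are a connection address that differs from the server certificate's common-name or a CA that was imported into the wrong store.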

Step 4: Verify the Connection

Check MikroTik Active Connections

Ensure the client is listed as connected:

/interface sstp-server monitor 0

Verify IP Configuration on Windows

Run ipconfig in the command prompt and confirm that the assigned IP address falls within the SSTP pool.

Confirm Public IP

Confirm that your public IP address matches that of the remote MikroTik.


Optional Enhancements

  • Dynamic DNS: Use MikroTik’s dynamic DNS to avoid relying on a static IP.
  • Certificate Validity: Renew certificates before they expire using the same steps.

By following these steps, you’ll have a secure SSTP server on your MikroTik router and Windows clients configured to connect seamlessly.
