SSTP Server For Windows 10

This document provides steps to set up an SSTP server on a Mikrotik router for Windows 10 clients to connect. It explains that an SSTP connection requires a server certificate and CA certificate on the router. It then outlines 10 steps to generate these certificates, enable the SSTP server on the router, create a user secret, export the CA certificate, install it on a Windows 10 client, and create the SSTP connection. This allows Windows 10 clients to connect to the router using SSTP VPN.

Uploaded by

Marlo Tina

Mikrotik: Setup SSTP Server for Windows 10 Client

Basic how-to on SSTP for a Windows 10 machine and a Mikrotik router.

A workflow of how SSTP works:

1. The SSTP client establishes a TCP connection with the SSTP server on dst-port TCP 443.
2. The SSTP client sends an SSL Client-Hello message.
3. The SSTP server sends its server certificate to the SSTP client.
4. The SSTP client validates the computer certificate, determines the encryption method (AES I believe is the default and cannot be changed in Windows 10 Home edition), generates an SSL session key and then encrypts it with the public key of the SSTP server's certificate.
5. The SSTP client sends the encrypted form of the SSL session key to the SSTP server.
6. The SSTP server decrypts the SSL session key with the private key of its computer certificate. All future communication between the SSTP client and the SSTP server is encrypted.
7. The SSTP client sends an HTTP over SSL request message to the SSTP server.
8. The SSTP client negotiates an SSTP tunnel with the SSTP server.
9. The SSTP client negotiates a PPP connection with the SSTP server. This negotiation includes authenticating the user's credentials against a PPP secret and configuring settings for IPv4 or IPv6 traffic.
10. The SSTP client begins sending IPv4 or IPv6 traffic over the PPP link.

That's the basics of SSTP. From the list we can see that we need:

A server certificate.
A CA, so the client can trust the server certificate based on a trusted CA.

In case you're using a Mikrotik-to-Mikrotik SSTP you also need a client certificate for the client Mikrotik,
but in my case I don't need the client cert for Windows 10.
Before starting, some disclaimers:

The site contains ads; you may click on them and help me pay for hosting, or you may
choose your favorite ad blocker if they annoy you.
I'm not a Mikrotik certified trainer, not even certified at all! I encourage you to look into
formal training at www.mikrotik.com/training
Step 0: Before you start, I suggest you get a dynamic DNS name if you don't have one, or a static IP
address. When we create the certificate you'll need that in the CN: if the CN is different from
the connection name in Windows 10 it won't let you connect, and it'll come up with an error
saying the certificate name doesn't match the connection name.

Step 1: Creating the certificate and CA on the Mikrotik router.

Go to System > Certificates and start with a new Cert:

Fill out the fields. One thing to note is the dynamic DNS name I talked about in step 0; the other
thing is you want to make the expiration date more than a year on the CA. I simply added a 0 so
it is 3650 days, or 10 years.

Change the key usage, as you won't need this cert for more than CRL and key signing.
Click Apply when you're done, then click Copy so you won't have to fill out everything again for
the server certificate.

Step 2: Server certificate

If you clicked Copy you'll have pretty much everything pre-filled for the server cert; just change
a few things.

The CN doesn't matter on this one for SSTP, so you can leave it the same as the Name.
One thing we need to change on this is the key usage: just remove all the check boxes.

Click Apply, then OK, then just in case open the certificate one more time and make sure the
Key Usage is empty.
Step 3: Signing your self-signed certificate for the CA

Here you basically self-sign your certificate: open up the CA certificate and click Sign on the
right.

(I just created a new CA named test for the purpose of this post; yours should be named CA
or something like that.)

CA CRL Host is where the Certificate Revocation List will be, in this case the Mikrotik, so we
choose the dynamic DNS name there, or the public static IP address if you have one.

Click Sign, wait a few minutes, and now you have the CA self-signed and Trusted (be sure
Trusted is selected).
At this point you can't change anything on the CA certificate, and you'll see in the Certificates
console that it displays KAT (Private Key, Authority, Trusted).

Step 4: Now that you have the CA, it's time to sign the server certificate

In this case you'll use the new CA to sign the server certificate:

And you'll see the certificate along with KI (Private Key, Issued).

Thats pretty much it for the certificates part.

Step 5: Enable SSTP server and create Secret.

Go to PPP and enable the SSTP server. Make sure you leave only mschap2 as the authentication
method, select your CA as the certificate and un-check the Verify Client Certificate option. Then hit
OK and move on to Secrets.
Create a new Secret for the remote user:

Name: your username for the connection

Local Address: the local LAN address of your Mikrotik

Remote Address: the IP address you want to give to your remote client when they connect via
SSTP.

Here you can use different profiles or create a DHCP pool; this is just the easy way.
Step 6: Make sure you open port 443 on your firewall.

Step 7: Exporting the CA cert and installing it on our Windows 10 client.

On RouterOS go to System > Certificates one more time, double click the CA cert and click
Export. Remember the password, and choose a strong one.

Now go to Files and copy the file CA.crt from your Mikrotik to your Windows 10 laptop/PC.

Right click on CA.crt and choose Install Certificate.

Follow the steps and remember the CA needs to be trusted by the machine, so the certificate
should be installed in the Trusted Root Certification Authorities store of the Computer (Local Machine) certificate store.
Now hit Windows + R and run the command certlm.msc; that will open the certificate store for
the Local Machine. Double check that the CA certificate is installed. The name will be whatever
you chose as the certificate CN and not the Name on the Mikrotik, so you won't see CA; instead
you'll see your-domain.changeip.net or whatever you chose.
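The router side of Steps 1 to 7 as a RouterOS CLI script, added here as an example and not taken from the original post. The dynamic DNS name vpn.example.changeip.net, the addresses 192.168.88.1 and 192.168.88.250, the user name vpnuser and the CHANGE-ME passwords are placeholders; adjust them to your own values.

```routeros
# Added example: CLI equivalent of the WinBox steps in this post.
# All names, addresses and passwords below are placeholders (assumptions).

# Step 1: CA certificate. The CN must match the name the Windows client
# connects to (step 0); 3650 days = 10 years; key usage limited to
# CRL and certificate signing.
/certificate add name=CA common-name=vpn.example.changeip.net \
    days-valid=3650 key-usage=crl-sign,key-cert-sign

# Step 2: server certificate, CN does not matter for SSTP, key usage cleared.
/certificate add name=server common-name=server days-valid=3650 key-usage=""

# Step 3: self-sign the CA, the CRL host is the router's public name,
# then mark it trusted. It should show the KAT flags afterwards.
/certificate sign CA ca-crl-host=vpn.example.changeip.net name=CA
/certificate set CA trusted=yes

# Step 4: sign the server certificate with the CA (shows KI afterwards).
/certificate sign server ca=CA name=server

# Check the flags column: CA = KAT, server = KI.
/certificate print

# Step 5: enable the SSTP server with mschap2 only, the CA selected as the
# certificate (as in this post) and no client certificate verification.
/interface sstp-server server set enabled=yes authentication=mschap2 \
    certificate=CA verify-client-certificate=no

# Step 5: the PPP secret for the remote user.
/ppp secret add name=vpnuser password=CHANGE-ME service=sstp \
    local-address=192.168.88.1 remote-address=192.168.88.250

# Step 6: allow TCP 443 on the input chain, placed before any drop rules.
/ip firewall filter add chain=input protocol=tcp dst-port=443 \
    action=accept comment="SSTP" place-before=0

# Step 7 (router side): export the CA certificate with a passphrase;
# the exported .crt then appears under Files for download.
/certificate export-certificate CA export-passphrase=CHANGE-ME
```

Only the .crt file needs to go to the Windows 10 machine; the exported private key stays on the router.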

Step 8: Create the SSTP connection on Windows 10

We're almost there; you only need to create the connection now. Go to Settings on your
Windows 10 > Network & Internet > VPN, choose Add a VPN connection and follow the steps.
Remember the username and password are whatever you used in your Secret.
Step 10: After connecting you should see the active client on the Mikrotik router.
If you're unsure about the connection I suggest you run Wireshark on your laptop/remote PC
and check that all the packets are using the SSTP connection. One filter I use in Wireshark is:
!arp and !nbns and ip.addr == 10.10.10.10 and !ssl.record.version
(change the IP to use yours).
