08/18/2015 by h
Mikrotik: Setup SSTP Server for Windows 10 Client
Basic how-to on SSTP for a windows 10 machine and a Mikrotik Router.
A workflow on how SSTP works:
- The SSTP client establishes a TCP connection with the SSTP server on dst-port TCP 443.
- The SSTP client sends SSL Client-Hello message.
- The SSTP server sends its server certificate to the SSTP client.
- The SSTP client validates the computer certificate, determines the encryption method (AES I believe is by default and cannot be changed in Windows 10 Home edition), generates an SSL session key and then encrypts it with the public key of the SSTP server’s certificate.
- The SSTP client sends the encrypted form of the SSL session key to the SSTP server.
- The SSTP server decrypts SSL session key with the private key of its computer certificate. All future communication between the SSTP client and the SSTP server is encrypted.
- The SSTP client sends an HTTP over SSL request message to the SSTP server.
- The SSTP client negotiates an SSTP tunnel with the SSTP server.
- The SSTP client negotiates a PPP connection with the SSTP server. This negotiation includes authenticating the user’s credentials against a PPP secret and configuring settings for IPv4 or IPv6 traffic.
- The SSTP client begins sending IPv4 or IPv6 traffic over the PPP link.
That’s the basic of SSTP, from the list we can see that we need:
- A Server Certificate.
- A CA, so the client can trust the server certificate based on a trusted CA.
In case you’re using a Mikrotik to Mikrotik SSTP you also need a client for the client Mikrotik but in my case I don’t need the client cert for Windows 10.
Before starting, some disclaimers:
- The site contains Adds, you may click on them and help me pay for hosting or you may choose your favorite add blocker if they annoy you.
- I’m not a Mikrotik certified trainer…not even certified at all! I encourage you to look into format training at www.mikrotik.com/training
Step 0: Before you start, I suggest you get a dynamic dns if you don’t have one or a static IP address. When we create the certificate you’ll need that on the CN, if the CN is different from the connection name in Windows 10 it won’t let you connect and it’ll come up with an error saying the Certificate name doesn’t match the connection name.
Step 1: Creating the certificate and CA on the Mikrotik router.
Go to System > Certificates and start with a new Cert:
Fill out the fields, one thing to note is the dynamic dns name I talked about on step 0, the other thing is you want to make the expiration date more than a year on the CA, I simply added a 0 so it is 3650 days, or 10 years.
Change the key usage as you won’t need this cert for more than crl and key signing.
Click apply when you’re done, then click copy so you won’t have to fill out everything again for the server certificate.
Step 2: Server certificate
If you clicked copy you’ll have pretty much everything pre-filled for the server cert, just change a few things.
The CN doesn’t matter on this one for SSTP so you can leave the same as the Name.
One thing we need to change on this is the key usage, just remove all the check boxes.
Click Apply, then OK, then just in case open the certificate one more time and make sure the Key Usage is empty.
Step 3: Signing you self-signed certificate for the CA
Here you basically self-sign your certificate, open up the CA certificate and click Sign on the right.
(I just created a new CA named “test” for the purpose of this post, your’s should be named CA or something like that)
CA CRL Host is where the Certificate Revocation List will be, in this case the Mikrotik so we choose the dynamic dns there or public static IP address if you have one.
Click Sign, wait a few minutes,a nd now you have the CA self-signed and Trusted (be sure Trusted is selected)
At this point you can’t change anything on the CA certificate and you’ll see on the Certificates console that displays a KAT (Private Key, Authority, Trusted)
Step 4: Now that you have the CA, it’s time to sign the Server certificate
In this case you’ll use the new CA to sign the server certificate:
And you’ll the certificate along with KI (Private Key, Issued)
That’s pretty much it for the certificates part.
Step 5: Enable SSTP server and create Secret.
Go to PPP and enable the SSTP server, make sure you leave only mschap2 as Authentication method, select your CA as certificate and un-check the “verify client certificate” option. then hit OK and move on to Secrets.
Create a new Secret for the remote user:
Name: your username for the connection
Local Address: Local LAN address for your Mikrotik
Remote Address: The IP address you want to give to your remote client when they connect vis SSTP.
Here you can use different profiles, create a DHCP pool, this is just the easy way.
Step 6: Make sure you open port 443 on your firewall.
Step 7: Exporting the CA cert and installing it on our Windows 10 client.
On RouterOS go to System > Certificates one more time, double click the CA cert and click “Export”, remember teh password and choose a strong one.
Now go to Files and copy the file CA.crt from your Mikrotik to your Windows 10 laptop/PC.
Right click on CA.crt and choose Install Certificate
Follow the steps and remember the CA need to be trusted by the machine, so the certificate should be installed on the Trusted Root Certificate for the Computer Certificate Store.
Now hit Windows + R and run the command certlm.msc, that will open the certificate store for the Local Machine, double check that the CA certificate is installed, the name will be whatever you chose on the Certificate CN and not the Name on Mikrotik, you won’t see “CA” instead you’ll see your-domain.changeip.net or whatever you chose.
Step 8: Create the STTP connection on Windows 10
We’re almost there, you only need to create the connection now, go to the setting on your Windows 10 > Network & Internet > VPN and Add a VPN Connection and follow the steps. Remember Username & Password is whatever you used on your Secret.
Step 10: After connecting you should see the active client on the Mikrotik router
If you’re unsure about the connection I suggest you run Wireshark on your laptop/remote PC and check that all the packets are using the SSTP connection, one filter I use on Wireshark !arp and !nbns and ip.addr == 10.10.10.10 and !ssl.record.version (change the IP to use yours).
If you spot any mistakes please let me know @ contactme__at__dr0u.com