Today we will set up a MikroTik router to work as an SSTP server, so you can connect to your local network using a certificate, plus a username and password, for authentication.
Why is SSTP better than the others? Well, as far as I know it is safer and has one HUGE advantage compared to L2TP and PPTP: it uses port 443 for the connection, meaning that it will work almost anywhere, since port 443 is the port used by the majority of web pages and is therefore allowed on practically every network. If you have ever used a mobile network or a free WiFi in a hotel, you will know that some block outgoing traffic by port and only allow ports 80 and 443 for internet access, so if you are using PPTP you are out of luck if you want to connect to your network, since your traffic to port 1723 will be blocked.
I personally used SSTP to bypass P2P blocking restrictions. In a hotel where I stayed for a week there was nothing on TV, so I tried to download some movies; to no surprise, P2P traffic was blocked. So what I did was connect to my home router via SSTP, so all my traffic went through the encrypted tunnel and the hotel router could not block it, since it could not decrypt the traffic. Well, the download speed was shitty, but it worked and I got my movies downloaded through the night.
So let's start with this.
FIRST we need to import our certificates to the router. If you don't have the certificates, see my previous blog post on how to create them.
Open WinBox, click on Files and drag and drop the two files (the certificate and the private key) onto the router.
Open the terminal and type this in (or copy and paste it), with your correct password:
/certificate import file-name=ca.crt passphrase=yourpassword
/certificate import file-name=ca.key passphrase=yourpassword
Now type: /certificate print
You should see the letters K and T in front of the certificate, meaning it is trusted (T) and has the matching private key (K).
It should look a bit like this. It MUST have the KT flags or else it will not work.
As you can see, the name of the cert is cert_1, so remember that as you will need this info later.
Now that the hard part is over, let's go to the simpler stuff.
In WinBox click on PPP, go to the Profiles tab and click +.
Here you create the profile for your SSTP connection, as seen in the pictures. The name you can change to your liking. The only thing I need to tell you about here is the local and remote address: I use my DHCP server for assigning IP addresses to VPN clients. Oh yeah, and as you can see I added bridge-local to the profile. Why? Well, if you add bridge-local to the SSTP profile and then go to Interfaces and enable proxy-ARP (as seen in the picture below), you will be able to ping and access other machines on the network behind the router. If you don't do that the VPN will still work as it should, but you will not have connectivity with the internal network.
Now you need to create usernames and passwords for the users that will connect (the PPP/Secrets tab). Look at the picture. Yes, it is so simple I will not even bother to explain.
And last but not least you need to enable the SSTP server in PPP/Interface/SSTP Server. Use the settings below, just remember to pick the right certificate. Apply and OK.
That is the whole magic.
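For those who prefer the terminal, here is the same setup as RouterOS (v6) commands, written as an added example rather than taken from the post. It assumes the bridge is called bridge-local, the router's LAN address is 192.168.88.1, the DHCP pool is named default-dhcp (the names on a default RouterOS config) and the certificate is cert_1 as shown earlier; the user name, password and firewall placement are placeholders.

```routeros
# Added example (not from the post): WinBox steps above as terminal commands.
# Assumptions: bridge-local, LAN address 192.168.88.1, IP pool default-dhcp.

# 1. PPP profile. local-address is the router's own LAN address; remote-address
#    names the IP pool your DHCP server also draws from, so VPN clients get a
#    LAN address without colliding with wired clients (RouterOS tracks pool
#    usage across DHCP and PPP). bridge= puts clients onto bridge-local.
#    use-encryption=required refuses sessions that negotiate no MPPE.
/ppp profile add name=sstp-profile local-address=192.168.88.1 \
    remote-address=default-dhcp bridge=bridge-local use-encryption=required

# 2. Proxy-ARP on the bridge, so LAN hosts reach the VPN clients through the
#    router (the "enable proxy-ARP on the interface" step from the post).
/interface bridge set bridge-local arp=proxy-arp

# 3. One secret per user, bound to the sstp service and the profile
#    (PPP/Secrets in WinBox). CHANGE-ME is a placeholder password.
/ppp secret add name=alice password=CHANGE-ME service=sstp profile=sstp-profile

# 4. Enable the SSTP server on TCP 443 with the imported certificate.
#    authentication=mschap2 disables PAP/CHAP; force-aes and pfs harden the
#    TLS side where the client supports it. The Windows client checks this
#    certificate against its Trusted Root store, which is why ca.crt is
#    imported on the client later in the post.
/interface sstp-server server set enabled=yes port=443 certificate=cert_1 \
    default-profile=sstp-profile authentication=mschap2 force-aes=yes pfs=yes

# 5. Only if your firewall drops unsolicited input from the WAN (the default
#    config does): let TCP/443 in, ahead of the drop rule.
/ip firewall filter add chain=input protocol=tcp dst-port=443 \
    action=accept comment="sstp" place-before=0

# 6. Checks: certificate flags must show K and T, the server must be enabled,
#    and a connected client appears under ppp active and in the log.
/certificate print where name=cert_1
/interface sstp-server server print
/ppp active print where service=sstp
/log print where topics~"sstp"
```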
Now you need to import the ca.crt certificate on your computer, as a local machine certificate in the Trusted Root Certificate store. If you don't know how to do that, here is a link:
Caution: the link I provided describes the process for adding a certificate to a personal certificate store. You need to add your certificate to the trusted root certificate store, so choose your folder accordingly.
Now set up the VPN connection on your computer/laptop and connect. I will not go through that process, so here is another link for SSTP client setup on Windows 7. The process for Windows 8 and 10 is similar. Use the username and password that you specified in the PPP/Secrets tab on the MikroTik.
Here is my connection – Working.
I hope this has been clear and informative. If you have any troubles or questions, please leave them in the comment section below.
May the force be with you, and happy holidays and Merry Christmas and all that stuff.