In this two-part series I will explain how to install an SSTP VPN server and how to deploy the VPN connection to Windows clients.

Geoff Kendal

Geoff Kendal is a Windows/Linux systems administrator, scripter and problem solver with over 12 years' experience, based in Leeds, UK.

I’m sure most network administrators will know how useful a VPN can be, although we have probably all encountered firewalls that do not let the required traffic through, which stops the VPN from working. For example, PPTP VPNs require your router to pass GRE protocol traffic; similarly, L2TP requires ESP protocol traffic. The whole point of VPNs is to allow access to your network from anywhere, which is why SSTP VPNs are so great.

SSTP (Secure Socket Tunnelling Protocol) transports your VPN traffic by encapsulating it in an SSL link over the standard HTTPS port (TCP 443), which is rarely blocked (most web browsing wouldn’t work without it!). So not only does SSTP get through 99% of firewalls, it also ensures that your VPN traffic is encrypted.

SSTP is supported on Windows Vista SP1 and later versions of Windows. If you’re also a Mac shop, it isn’t integrated into the OS yet, but there are open-source SSTP clients that may help you.

If you’re running Windows Server 2008/2008 R2/2012, you’ve already got everything you need to get started, as SSTP is provided by the Routing and Remote Access Service in Windows Server. I’ll be going through setting it up on Windows Server 2012, although the steps on 2008 are essentially the same.

Installing the required roles

Start the ‘Add roles & features’ wizard from Server Manager and add the ‘Remote Access’ role to the server of your choice. You’ll be prompted to add some other required roles/features, such as IIS; you will need to add these too.

Adding the IIS & RAS roles

As part of the wizard, we’ll be asked which role services we wish to install; for this, go with the default ‘Direct Access & RAS’. Continue through the wizard, and allow the server to restart if required.

Generating & installing the SSL certificate

Once the server has restarted, we will want to obtain an SSL certificate for the VPN to use. My internal domain uses a .local suffix, so I will be generating a certificate signing request (CSR) for my external domain name and then sending it to a certification authority (StartSSL.com in this instance, as they offer free SSL certificates).

From Server Manager, select ‘Internet Information Services (IIS) Manager’ from the Tools menu. Once the IIS console has started, select the server name in the tree on the left. Then click the ‘Server certificates’ icon in the main area and select the ‘Create certificate request’ option from the Actions pane on the right.

When creating the CSR, it is critical that the common name is set to the hostname that clients will use to connect to the VPN. For instance, your server may be called RAS02.4sysops.local internally; this obviously won’t resolve externally, so we point vpn.4sysops.com at the server for external clients to use. You may also need to set up port-forwarding and firewall rules so that traffic arriving at this external address on port 443 is directed to your VPN server.

Creating the certificate signing request

In this example we must enter vpn.4sysops.com as the common name. On the next screen of the CSR wizard, ensure that the bit length is set to 2048 if you are using StartSSL; they won’t accept 1024-bit CSRs.
Finally, save the CSR to a file, open the file in Notepad, and copy all of its contents to your clipboard.
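As an added example (not from the article), the same request can be produced without the IIS wizard by feeding certreq.exe an INF file. It uses the article’s vpn.4sysops.com as both the common name and a subject alternative name, sets the 2048-bit key length StartSSL insists on, and keeps the private key non-exportable in the machine store; the file paths are placeholders.

```powershell
# Added example, not from the article: generate the VPN CSR with certreq.exe.
# $hostname must be the name clients will use (the article's vpn.4sysops.com);
# the INF and request file paths are placeholders.
$hostname = 'vpn.4sysops.com'
$infPath  = Join-Path $env:TEMP 'vpn-csr.inf'
$reqPath  = Join-Path $env:TEMP 'vpn-csr.req'

$inf = @"
[NewRequest]
Subject = "CN=$hostname"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "SSTP VPN $hostname"

[Extensions]
; Subject Alternative Name: modern clients match on the SAN, not only the CN
2.5.29.17 = "{text}"
_continue_ = "dns=$hostname"

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
"@

Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Creates the key pair in the local machine store and writes the PEM-encoded CSR
certreq.exe -new $infPath $reqPath

# This is the text to paste into the certification authority's request form
Get-Content $reqPath

# When the CA returns the signed certificate, install it against the pending request:
#   certreq.exe -accept C:\path\to\vpn.cer        (placeholder path)
```

The certificate installed with certreq -accept lands in the same computer Personal store that IIS’s ‘Complete certificate request’ uses, so the rest of the article applies unchanged.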

We now need a certification authority to sign a certificate for us. Provide your certification authority of choice with the CSR we just generated via the wizard. Once they have verified your details, they should provide a certificate file that we can load into IIS to complete the SSL steps.

Once you have the certificate file, select ‘Complete certificate request’ from the IIS Actions pane on the right and browse to the certificate file. You should now see the certificate listed in IIS.

Setting up the VPN

We now need to configure the RAS service. Select ‘Routing and Remote Access’ from the Tools menu of Server Manager. Once the MMC has loaded, right-click the server name on the left and select the configure option. In the wizard, choose the ‘Custom’ option at the end of the list. On the following page, tick the VPN checkbox. The wizard will complete and start the service.
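The role installation and this RRAS configuration can also be done from an elevated PowerShell session on Windows Server 2012, using the ServerManager and RemoteAccess modules. This is an added example, not the article’s own procedure; it assumes the signed vpn.4sysops.com certificate is already installed with its private key in the computer’s Personal store, which is what ‘Complete certificate request’ in IIS does.

```powershell
# Added example, not from the article: install the Remote Access role, enable the VPN part of
# RRAS, and bind the SSTP certificate from PowerShell on Windows Server 2012.
# Assumes the vpn.4sysops.com certificate (with private key) is in Cert:\LocalMachine\My.

Import-Module ServerManager
# 'DirectAccess-VPN' is the 'DirectAccess and VPN (RAS)' role service; IIS is pulled in as a dependency
Install-WindowsFeature -Name DirectAccess-VPN, Routing -IncludeManagementTools

Import-Module RemoteAccess
# Plain VPN role only: the equivalent of the wizard's 'Custom' path with just the VPN box ticked
Install-RemoteAccess -VpnType Vpn

# Pick the newest certificate whose subject is the external VPN name and that has a private key
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=vpn.4sysops.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key found for vpn.4sysops.com' }

# Tell RRAS which certificate SSTP should present on TCP 443, then restart so it takes effect
Set-RemoteAccess -SslCertificate $cert
Restart-Service RemoteAccess

# Show the resulting RRAS state, including the bound SSL certificate
Get-RemoteAccess
```

Selecting the certificate by subject and expiry date matters once the certificate has been renewed: the store then holds two certificates with the same name, and binding the old one is the classic cause of SSTP clients suddenly reporting certificate errors.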

The RRAS configuration wizard

All being well, clients should now be able to connect to the VPN via SSTP, as long as they can make an HTTPS connection to the server name you specified when creating the certificate. You can double-check that things are OK by testing with a web browser (e.g. https://vpn.4sysops.com). You’ll probably just see a 404 error, but as long as there are no certificate errors and you can see the padlock icon, all is well.
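The browser test can be scripted, which is handy for checking from outside the network or on a schedule. The following added function (not from the article) opens a TLS session to port 443 exactly as an SSTP client would and reports the certificate the server presents; .NET’s default validation fails the handshake on a name mismatch, an untrusted issuer or an expired certificate, which is the same condition that shows as a certificate error in the browser. The hostname is the article’s example.

```powershell
# Added example, not from the article: verify the SSTP endpoint's TLS certificate from a client.
# Run it from outside the network; vpn.4sysops.com is the article's example hostname.
function Test-SstpCertificate {
    param(
        [string]$HostName = 'vpn.4sysops.com',
        [int]$Port = 443
    )
    $result = [ordered]@{ HostName = $HostName; Port = $Port; TcpConnect = $false; TlsOk = $false; Error = $null }
    $tcp = $null
    try {
        # Step 1: can we even reach port 443? (port-forwarding / firewall check)
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $result.TcpConnect = $true

        # Step 2: TLS handshake with default validation: chain must build to a trusted root
        # and the certificate name must match $HostName, just like the browser's padlock test
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $result.TlsOk    = $true
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        $result.DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $result.KeyBits  = $cert.PublicKey.Key.KeySize
        $ssl.Dispose()
    }
    catch {
        # Refused connection, name mismatch, untrusted CA or expiry all land here
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($tcp) { $tcp.Close() }
    }
    [pscustomobject]$result
}

Test-SstpCertificate -HostName 'vpn.4sysops.com'
```

A TcpConnect of False points at DNS, port-forwarding or firewall problems rather than the certificate; TlsOk False with a TcpConnect of True means the certificate (or the name it was issued for) is the problem. DaysLeft is worth alerting on, since an expired SSTP certificate takes every remote user offline at once.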

The final stage before we make the connection is to make sure that any users requiring access have dial-in/VPN rights. Find your users in ‘Active Directory Users & Computers’ and, on the Dial-in tab, select ‘Allow access’ (we’re not using NPS in this basic setup, so the NPS option won’t work).
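Granting the right one user at a time in the GUI does not scale, and nobody tends to review who has it afterwards. As an added example (not from the article), the following PowerShell sets the same Dial-in permission for a list of users and then lists every account that currently has it, so VPN access stays limited to the people who need it. It assumes the ActiveDirectory module from RSAT is available; the user names are placeholders.

```powershell
# Added example, not from the article: grant VPN dial-in rights and audit who holds them.
# Assumes the ActiveDirectory (RSAT) module; the account names are placeholders.
Import-Module ActiveDirectory

$vpnUsers = 'alice', 'bob'   # placeholder sAMAccountNames of users who need the VPN

foreach ($u in $vpnUsers) {
    # msNPAllowDialin is the attribute behind 'Allow access' on the Dial-in tab.
    # $false would be an explicit deny; -Clear msNPAllowDialin returns the user
    # to 'Control access through NPS Network Policy'.
    Set-ADUser -Identity $u -Replace @{ msNPAllowDialin = $true }
    Write-Host "Dial-in allowed for $u"
}

# Audit: every enabled account that is currently allowed to dial in
Get-ADUser -LDAPFilter '(&(msNPAllowDialin=TRUE)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
           -Properties msNPAllowDialin |
    Select-Object SamAccountName, Name, DistinguishedName |
    Sort-Object SamAccountName
```

Running the audit query periodically, or after staff changes, catches accounts that kept VPN access after the need for it ended.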

Connecting a client

From a client system, create a new VPN connection (via the Network & Sharing Center). When creating the connection, ensure that the internet address is the same one as used in the certificate. Once the connection has been created, click the ‘Change adapter settings’ link on the left side of the Network and Sharing Center and edit the properties of the new VPN connection. On the Security tab, change the type of VPN to SSTP.
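On Windows 8 / Server 2012 and later the same connection can be created from PowerShell with the VpnClient module, with SSTP selected up front instead of being edited in afterwards. This is an added example, not from the article; the connection name is a placeholder and vpn.4sysops.com is the article’s example address.

```powershell
# Added example, not from the article: create and test the SSTP client connection.
# '4sysops VPN' is a placeholder name; vpn.4sysops.com must match the server certificate's CN.
Add-VpnConnection -Name '4sysops VPN' `
    -ServerAddress 'vpn.4sysops.com' `
    -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -RememberCredential:$false `
    -PassThru

# Check the result: TunnelType must read Sstp (no fallback to PPTP/L2TP),
# and ServerAddress must be the name the certificate was issued for
Get-VpnConnection -Name '4sysops VPN' |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Dial it; the asterisk makes rasdial prompt for the password instead of taking it on the command line
rasdial.exe '4sysops VPN' $env:USERNAME *
```

Forcing -TunnelType Sstp rather than Automatic means the client never tries PPTP or L2TP first, so a connection failure is immediately a 443/certificate problem and not a GRE or ESP one.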

The VPN connection properties

Once this change has been made, we should be able to connect to our SSTP VPN successfully from practically anywhere!

In my next article, we’ll look at how we can deploy our SSTP VPN connection to all of our client systems.

3 Comments
  1. Gerard bulger 4 years ago

    http://www.softether.org/

    This is the answer to VPN working behind firewalls, and it is more flexible than Windows VPN services and easier to set up. Almost plug and play.

    1 Cross-platform, including even PowerPC, so in theory it could be used on a WDLIVE Drive NAS. Easy to install on Linux (I have it on an Ubuntu Linux VPS) and on a Windows client, and I also have it on a Windows 2008 VPS server. No Raspberry Pi version yet.

    2 Works through all firewalls (use any port such as 443) and can use an HTTPS or SOCKS proxy as well.

    3 Lovely GUIs for configuring clients and servers and can configure servers remotely.

    4 Works with other protocols: IPsec, SSTP and OpenVPN.

    5 Can generate an OpenVPN script for you, so you can use the OpenVPN client on your phone, make it use the VPN, and as a gateway. I have never managed to get OpenVPN to be so easy!

    6 So much easier than OpenVPN. For a basic home/office setup SoftEther VPN is pretty much plug and play, but it is flexible, allowing daisy chaining and more, so you could use it to set up a complex corporate network.

    I give it 5 stars. Free, supported by a Japanese university, with English manuals that are in near-perfect English.


  2. seeker 3 years ago

    When you say "When creating the CSR, it is critical that the common name is set to the hostname that clients will use to connect to the VPN," do you mean the hostname of the server? Because I'm currently trying to set up a VPN using SSTP. I have a domain name example.us; it has an SSL certificate assigned to example.com. I have a subdomain forwarding assigned to the domain; it looks like this: server.example.us. When setting up the VPN I keep getting the same error message: connection was refused by target machine. I set up the port forwarding on the router to allow the incoming connection. I even tried changing the port that the server listened on for SSTP, but I still keep getting the same error. If you can help me at all, that would be greatly appreciated.


  3. james bond 2 years ago

    Hey, when setting up the client, isn't the client supposed to have the root CA of the server for encryption?
