SSTP Linux server Windows client

SoftEther VPN Server has a “clone function” of Microsoft SSTP VPN Server. You can connect to a SoftEther VPN server from Windows with the built-in SSTP VPN client.

Create VPS

You need a VPS and a domain name.

Instantiate a VPS with 1 GB RAM running a recent version of Debian or Ubuntu.

Create a DNS entry pointing from your server’s fully qualified domain name to your server’s IP address.

Prepare VPS

Update the existing packages:

apt update && apt upgrade

Open the server’s firewall for input on ports 80/tcp and 443/tcp. How you do this depends on whether your server uses ufw, iptables, nftables, security groups, or some other firewall software. Consult the documentation for your firewall software.

Obtain a TLS certificate for the server:

snap install core; sudo snap refresh core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

SoftEther VPN software supports only RSA 1024-bit or 2048-bit certificates. Request a certificate and key:

certbot certonly --standalone --preferred-challenges http --key-type rsa --rsa-key-size 2048 --agree-tos --register-unsafely-without-email

Enter your server’s fully qualified domain name. Example:

demo14.cscot.buzz

Using the example of a fully qualified domain name of demo14.cscot.buzz, on successful issuance the certificate and key are stored in these files:

  • /etc/letsencrypt/live/demo14.cscot.buzz/fullchain.pem
  • /etc/letsencrypt/live/demo14.cscot.buzz/privkey.pem

Test automatic renewal for your certificates by running this command:

certbot renew --dry-run

Install SoftEther VPN server

Use your workstation’s browser to determine the latest version of SoftEther VPN Server source for Linux on AMD64 from https://www.softether-download.com/en.aspx?product=softether.

Download the latest version of the source to your server, e.g.

wget https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.41-9782-beta/softether-vpnserver-v4.41-9782-beta-2022.11.17-linux-x64-64bit.tar.gz

Extract the archive:

tar xzvf softether-vpnserver-v4.41-9782-beta-2022.11.17-linux-x64-64bit.tar.gz

Change into the extracted directory:

cd vpnserver

Install the prerequisites to compile SoftEther from source:

apt install build-essential binutils gzip libreadline-dev libssl-dev libncurses5-dev libncursesw5-dev libpthread-stubs0-dev

Make the software from source:

make

Move the binary into place:

cd ..
mv vpnserver /usr/local/

Run SoftEther VPN server

Create a file /etc/systemd/system/vpnserver.service.

Insert the following lines in this file:

[Unit]
Description=SoftEther VPN server
After=network-online.target
After=dbus.service

[Service]
Type=forking
ExecStart=/usr/local/vpnserver/vpnserver start
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

Save the file.

Start the VPN server:

systemctl enable vpnserver
systemctl start vpnserver
systemctl status vpnserver

Configure SoftEther VPN Server

Start the SoftEther command-line management utility:

/usr/local/vpnserver/vpncmd

Select 1 for server management.

For hostname, put 127.0.0.1:5555.

For virtual hub name, press Enter for now.

Enter and confirm a SoftEther VPN server password:

ServerPasswordSet

Example:

123456

Select the virtual hub to manage as DEFAULT:

Hub DEFAULT

Create a user named cscot (for example):

UserCreate cscot

Leave group, name, and description blank by just pressing Enter.

Set a password for your username. For example, for user name cscot:

UserPasswordSet cscot

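Example password: 123456. Both this and the server password above are placeholders; on a real server use long, random passwords.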

Enable secure NAT:

SecureNatEnable

Set your TLS certificate:

ServerCertSet

Enter your TLS certificate and key locations. For example, if your server’s fully qualified domain name is demo14.cscot.buzz, they will be at:

  • /etc/letsencrypt/live/demo14.cscot.buzz/fullchain.pem
  • /etc/letsencrypt/live/demo14.cscot.buzz/privkey.pem
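
ServerCertSet reads the two files once, so a certificate that certbot later renews is not picked up by the VPN server until the command is run again. The deploy hook below is an added example, not part of the original page or the SoftEther project; the hook file name and the password file path are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook that reloads a renewed certificate into
# SoftEther. Assumed install path (hypothetical file name):
#   /etc/letsencrypt/renewal-hooks/deploy/softether-cert.sh
# PASS_FILE is a hypothetical root-only file (mode 600) holding the password
# set with ServerPasswordSet.

VPNCMD="${VPNCMD:-/usr/local/vpnserver/vpncmd}"
VPN_ADMIN="${VPN_ADMIN:-127.0.0.1:5555}"
PASS_FILE="${PASS_FILE:-/root/.vpnserver-admin-pass}"

# reimport_cert LINEAGE_DIR
# Load fullchain.pem and privkey.pem from a certbot lineage directory into
# the running VPN server. Returns non-zero without calling vpncmd on bad input.
reimport_cert() {
    lineage="$1"
    cert="$lineage/fullchain.pem"
    key="$lineage/privkey.pem"

    for f in "$cert" "$key" "$PASS_FILE"; do
        [ -r "$f" ] || { echo "softether hook: cannot read $f" >&2; return 1; }
    done
    [ -x "$VPNCMD" ] || { echo "softether hook: $VPNCMD not executable" >&2; return 1; }

    # Refuse a password file that group or others can read (GNU stat).
    perms=$(stat -c '%a' "$PASS_FILE") || return 1
    case "$perms" in
        600|400) ;;
        *) echo "softether hook: $PASS_FILE mode is $perms, want 600" >&2; return 1 ;;
    esac

    # Non-interactive form of the ServerCertSet step. The password is on
    # vpncmd's command line, so it is visible in the process list while it runs.
    pass=$(cat "$PASS_FILE")
    "$VPNCMD" "$VPN_ADMIN" /SERVER "/PASSWORD:$pass" /CMD ServerCertSet \
        "/LOADCERT:$cert" "/LOADKEY:$key"
}

# certbot sets RENEWED_LINEAGE for deploy hooks after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reimport_cert "$RENEWED_LINEAGE"
fi
```

Make the hook executable; certbot runs deploy hooks only after a real renewal, not after the initial certonly request.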

Enable SSTP server:

SstpEnable yes

Enable virtual IP address allocation to clients:

DhcpSet

You can enter responses which are pretty much the defaults as per the manual:

| Question | Answer |
| --- | --- |
| Start Point for Distributed Address Band | 192.168.30.10 |
| End Point for Distributed Address Band | 192.168.30.200 |
| Subnet Mask | 255.255.255.0 |
| Lease Limit (Seconds) | 7200 |
| Default Gateway | 192.168.30.1 |
| DNS Server 1 | 192.168.30.1 |
| DNS Server 2 | Press Enter |
| Domain Name | demo14.cscot.buzz |
| Save Log | yes |

Exit VPN server management:

exit

Exit your SSH session with the server:

exit

Use Windows built-in VPN client

On your Windows PC, go to Settings > Network & Internet > VPN.

Click Add a VPN connection.

| Field | Value |
| --- | --- |
| VPN provider | Windows (built-in) |
| Connection name | e.g. demo14 |
| Server name or address | e.g. demo14.cscot.buzz |
| VPN type | Secure Socket Tunneling Protocol (SSTP) |
| Type of sign-in info | User name and password |
| User name (optional) | e.g. cscot |
| Password | e.g. 123456 |

Check the box to remember your sign-in info, and click Save.

Select the row for this VPN connection.

Connect the VPN client to the VPN server.