SSTP server connection failed

hi
I configured a SSTP servar based on this tutorial:
https://docs.vyos.io/en/latest/vpn/sstp.html

set authentication local-users username test password ‘test123’
set authentication mode ‘local’
set network-settings client-ip-settings gateway-address ‘192.0.2.254’
set network-settings client-ip-settings subnet ‘192.0.2.0/25’
set network-settings name-server ‘8.8.8.8’
set network-settings name-server ‘1.1.1.1’
set ssl ca-cert-file ‘/config/auth/sstp/ca.crt’
set ssl cert-file ‘/config/auth/sstp/server.crt’
set ssl key-file ‘/config/auth/sstp/server.key’

then made this file:
vyos# cat /etc/ppp/peers/vyos
usepeerdns
#require-mppe
#require-pap
require-mschap-v2
noauth
lock
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
#refuse-mschap-v2
nobsdcomp
nodeflate
debug

but I got errors
when Iam trying to connect through Microsoft windows I will got this error:
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Error 0x800b0109)

and also in the VyOS itself:
sudo sstpc --cert-warn --log-level 4 --log-stderr --user=test --pass=test123 116.203.60.96 noipdefault refuse-eap noauth
May 1 10:03:44 sstpc[11758]: Resolved 116.203.60.96 to 116.203.60.96
May 1 10:03:44 sstpc[11758]: Connected to 116.203.60.96
May 1 10:03:44 sstpc[11758]: The certificate did not match the host: 116.203.60.96
May 1 10:03:44 sstpc[11758]: Server certificated failed verification, ignoring
May 1 10:03:44 sstpc[11758]: Sending Connect-Request Message
May 1 10:03:44 sstpc[11758]: SEND SSTP CRTL PKT(14)
May 1 10:03:44 sstpc[11758]: TYPE(1): CONNECT REQUEST, ATTR(1):
May 1 10:03:44 sstpc[11758]: ENCAP PROTO(1): 6
May 1 10:03:44 sstpc[11758]: RECV SSTP CRTL PKT(48)
May 1 10:03:44 sstpc[11758]: TYPE(2): CONNECT ACK, ATTR(1):
May 1 10:03:44 sstpc[11758]: CRYPTO BIND REQ(4): 40
May 1 10:03:44 sstpc[11758]: Started PPP Link Negotiation
May 1 10:03:47 sstpc[11758]: Sending Connected Message
May 1 10:03:47 sstpc[11758]: SEND SSTP CRTL PKT(112)
May 1 10:03:47 sstpc[11758]: TYPE(4): CONNECTED, ATTR(1):
May 1 10:03:47 sstpc[11758]: CRYPTO BIND(3): 104
May 1 10:03:47 sstpc[11758]: Connection Established

I changed protocol to MSCHAP-V2
vyos@vyos# show vpn sstp | commands
set authentication local-users username test password ‘test123’
set authentication protocols ‘mschap-v2’
set network-settings client-ip-settings gateway-address ‘192.0.2.254’
set network-settings client-ip-settings subnet ‘192.0.2.0/25’
set network-settings name-server ‘8.8.8.8’
set network-settings name-server ‘1.1.1.1’
set ssl ca-cert-file ‘/config/auth/sstp/ca.crt’
set ssl cert-file ‘/config/auth/sstp/server.crt’
set ssl key-file ‘/config/auth/sstp/server.key’
[edit]

and then add usernames into :
sudo cat /etc/ppp/chap-secrets
Secrets for authentication using CHAP
client server secret IP addresses
test 116.203.60.96 test123 *

sudo sstpc --cert-warn --log-level 4 --log-stderr --user=test --pass=test123 116.203.60.96  noipdefault refuse-eap noauth debug logfile tmp.log require-mschap-v2 refuse-mschap refuse-chap require-mppe

May 1 10:25:37 sstpc[13162]: Resolved 116.203.60.96 to 116.203.60.96
May 1 10:25:37 sstpc[13162]: Connected to 116.203.60.96
May 1 10:25:37 sstpc[13162]: The certificate did not match the host: 116.203.60.96
May 1 10:25:37 sstpc[13162]: Server certificated failed verification, ignoring
May 1 10:25:37 sstpc[13162]: Sending Connect-Request Message
May 1 10:25:37 sstpc[13162]: SEND SSTP CRTL PKT(14)
May 1 10:25:37 sstpc[13162]: TYPE(1): CONNECT REQUEST, ATTR(1):
May 1 10:25:37 sstpc[13162]: ENCAP PROTO(1): 6
May 1 10:25:37 sstpc[13162]: RECV SSTP CRTL PKT(48)
May 1 10:25:37 sstpc[13162]: TYPE(2): CONNECT ACK, ATTR(1):
May 1 10:25:37 sstpc[13162]: CRYPTO BIND REQ(4): 40
May 1 10:25:37 sstpc[13162]: Started PPP Link Negotiation
May 1 10:25:37 sstpc[13162]: RECV SSTP CRTL PKT(20)
May 1 10:25:37 sstpc[13162]: TYPE(6): DISCONNECT, ATTR(1):
May 1 10:25:37 sstpc[13162]: STATUS INFO(2): 12
May 1 10:25:37 sstpc[13162]: Sending Disconnect Ack Message
May 1 10:25:37 sstpc[13162]: SEND SSTP CRTL PKT(8)
May 1 10:25:37 sstpc[13162]: TYPE(7): DISCONNECT ACK, ATTR(0):
May 1 10:25:37 sstpc[13162]: Connection was aborted, Reason was not known
**Error: Connection was aborted, Reason was not known, (-1)
vyos@vyos:~$ May 1 10:25:37 sstpc[13163]: Terminating on Terminated (15)
/dev/pts/2: no device specified and stdin is not a tty

Hi @Keyvan, I think this does not work without a domain name. Can you configure domain name and try to connect again?

Yes, I also tried to set a domain and create a CERT based on the name and then add the domain in hosts file to try it again by name but it failed.

vyos:~ sudo sstpc --cert-warn --log-level 4 --log-stderr --user=test --pass=test123 d.iproute.net noipdefault refuse-eap noauth debug logfile tmp.log require-mschap-v2 refuse-mschap refuse-chap require-mppe May 1 20:04:05 sstpc[27461]: Resolved d.iproute.net to 116.203.60.96 May 1 20:04:05 sstpc[27461]: Connected to d.iproute.net May 1 20:04:05 sstpc[27461]: The certificate did not match the host: d.iproute.net May 1 20:04:05 sstpc[27461]: Server certificated failed verification, ignoring May 1 20:04:05 sstpc[27461]: Sending Connect-Request Message May 1 20:04:05 sstpc[27461]: SEND SSTP CRTL PKT(14) May 1 20:04:05 sstpc[27461]: TYPE(1): CONNECT REQUEST, ATTR(1): May 1 20:04:05 sstpc[27461]: ENCAP PROTO(1): 6 May 1 20:04:05 sstpc[27461]: RECV SSTP CRTL PKT(48) May 1 20:04:05 sstpc[27461]: TYPE(2): CONNECT ACK, ATTR(1): May 1 20:04:05 sstpc[27461]: CRYPTO BIND REQ(4): 40 May 1 20:04:05 sstpc[27461]: Started PPP Link Negotiation May 1 20:04:05 sstpc[27461]: RECV SSTP CRTL PKT(20) May 1 20:04:05 sstpc[27461]: TYPE(6): DISCONNECT, ATTR(1): May 1 20:04:05 sstpc[27461]: STATUS INFO(2): 12 May 1 20:04:05 sstpc[27461]: Sending Disconnect Ack Message May 1 20:04:05 sstpc[27461]: SEND SSTP CRTL PKT(8) May 1 20:04:05 sstpc[27461]: TYPE(7): DISCONNECT ACK, ATTR(0): May 1 20:04:05 sstpc[27461]: Connection was aborted, Reason was not known **Error: Connection was aborted, Reason was not known, (-1) vyos@vyos:~ May 1 20:04:05 sstpc[27462]: Terminating on Terminated (15)
/dev/pts/2: no device specified and stdin is not a tty

anyone has no idea ? how I can have SSTP with MSCHAP authentication?

Hello @Keyvan, let me check how it works on Windows with a self-signed certificate. I guess without a domain name this can’t work, even if you define in /etc/hosts
If you have a correct generated certificate, it should work on sstpc.
I recommend use LetsEncrypt certificates

yes in the second reply ip worte that I use the domain and self-seigned cert and then use the domain name in my hosts file.
but I still got an error

can I have your configuration for this one ?
I followed this guide: https://docs.vyos.io/en/latest/vpn/sstp.html

I can confirm that I have successfully connected Linux sstpc client with self-signed certificates following by https://docs.vyos.io/en/latest/vpn/sstp.html

vyos@RTR1# openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
Generating a RSA private key
.........................................................++++
........................................................++++
writing new private key to '/config/user-data/sstp/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:  
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VyOS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:198.51.100.1
Email Address []:
[edit]
vyos@RTR1# openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VyOS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ROOT CA
Email Address []:

sstp CLI commands

set vpn sstp authentication local-users username test password 'test'
set vpn sstp authentication mode 'local'
set vpn sstp authentication protocols 'mschap-v2'
set vpn sstp network-settings client-ip-settings subnet '100.64.2.0/24'
set vpn sstp network-settings name-server '1.1.1.1'
set vpn sstp ssl ca-cert-file '/config/user-data/sstp/ca.crt'
set vpn sstp ssl cert-file '/config/user-data/sstp/server.crt'
set vpn sstp ssl key-file '/config/user-data/sstp/server.key'

And from client-side

 sstpc --cert-warn --log-level 4 --log-stderr --user=test --password=test 198.51.100.1

But before edit /etc/ppp/options and replace auth to noauth

@Keyvan I also ca confirm that SSTP client work on Windows 10 and imported CA and Server certificates. Even without a domain name.

openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.
crt
Generating a RSA private key
…++++
…++++
writing new private key to ‘/config/user-data/sstp/server.key’

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Vyos
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:116.203.60.96
Email Address []:
[edit]

vyos@vyos# openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Vyos
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ROOT CA
Email Address []:
[edit]

vyos@vyos# show vpn sstp | commands
set authentication local-users username alireza password ‘123456’
set authentication local-users username test password ‘test’
set authentication mode ‘local’
set authentication protocols ‘mschap-v2’
set network-settings client-ip-settings gateway-address ‘100.64.2.1’
set network-settings client-ip-settings subnet ‘100.64.2.0/24’
set network-settings name-server ‘8.8.8.8’
set network-settings name-server ‘1.1.1.1’
set ssl ca-cert-file ‘/config/user-data/sstp/ca.crt’
set ssl cert-file ‘/config/user-data/sstp/server.crt’
set ssl key-file ‘/config/user-data/sstp/server.key’
[edit]

vyos@vyos#

I still getting error

Am I wrong in my configuration ?

I think you have problem with certificate import.
Try to open MMC and import CA and Server certificates to Root trusted

I Import CA and Server cert in trusted root certification authorities
but still same error
I will add these certs in my mobile phone and test it again


Note: If you installed the certificate by double click, this is very bad. Try to create new User in your Windows and install certificates like in the screenshots.

finally it works on MAC :grinning:
but in Win7 still got error

Thanks @Dmitry

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.