set authentication local-users username test password 'test123'
set authentication mode 'local'
set network-settings client-ip-settings gateway-address '192.0.2.254'
set network-settings client-ip-settings subnet '192.0.2.0/25'
set network-settings name-server '8.8.8.8'
set network-settings name-server '1.1.1.1'
set ssl ca-cert-file '/config/auth/sstp/ca.crt'
set ssl cert-file '/config/auth/sstp/server.crt'
set ssl key-file '/config/auth/sstp/server.key'
then made this file:
vyos# cat /etc/ppp/peers/vyos
usepeerdns
#require-mppe
#require-pap
require-mschap-v2
noauth
lock
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
#refuse-mschap-v2
nobsdcomp
nodeflate
debug
but I got errors
When I am trying to connect through Microsoft Windows I get this error:
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Error 0x800b0109)
and also in the VyOS itself:
sudo sstpc --cert-warn --log-level 4 --log-stderr --user=test --pass=test123 116.203.60.96 noipdefault refuse-eap noauth
May 1 10:03:44 sstpc[11758]: Resolved 116.203.60.96 to 116.203.60.96
May 1 10:03:44 sstpc[11758]: Connected to 116.203.60.96
May 1 10:03:44 sstpc[11758]: The certificate did not match the host: 116.203.60.96
May 1 10:03:44 sstpc[11758]: Server certificated failed verification, ignoring
May 1 10:03:44 sstpc[11758]: Sending Connect-Request Message
May 1 10:03:44 sstpc[11758]: SEND SSTP CRTL PKT(14)
May 1 10:03:44 sstpc[11758]: TYPE(1): CONNECT REQUEST, ATTR(1):
May 1 10:03:44 sstpc[11758]: ENCAP PROTO(1): 6
May 1 10:03:44 sstpc[11758]: RECV SSTP CRTL PKT(48)
May 1 10:03:44 sstpc[11758]: TYPE(2): CONNECT ACK, ATTR(1):
May 1 10:03:44 sstpc[11758]: CRYPTO BIND REQ(4): 40
May 1 10:03:44 sstpc[11758]: Started PPP Link Negotiation
May 1 10:03:47 sstpc[11758]: Sending Connected Message
May 1 10:03:47 sstpc[11758]: SEND SSTP CRTL PKT(112)
May 1 10:03:47 sstpc[11758]: TYPE(4): CONNECTED, ATTR(1):
May 1 10:03:47 sstpc[11758]: CRYPTO BIND(3): 104
May 1 10:03:47 sstpc[11758]: Connection Established
I changed the protocol to MSCHAP-V2
vyos@vyos# show vpn sstp | commands
set authentication local-users username test password 'test123'
set authentication protocols 'mschap-v2'
set network-settings client-ip-settings gateway-address '192.0.2.254'
set network-settings client-ip-settings subnet '192.0.2.0/25'
set network-settings name-server '8.8.8.8'
set network-settings name-server '1.1.1.1'
set ssl ca-cert-file '/config/auth/sstp/ca.crt'
set ssl cert-file '/config/auth/sstp/server.crt'
set ssl key-file '/config/auth/sstp/server.key'
[edit]
and then added usernames into:
sudo cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server          secret      IP addresses
test 116.203.60.96 test123 *
May 1 10:25:37 sstpc[13162]: Resolved 116.203.60.96 to 116.203.60.96
May 1 10:25:37 sstpc[13162]: Connected to 116.203.60.96
May 1 10:25:37 sstpc[13162]: The certificate did not match the host: 116.203.60.96
May 1 10:25:37 sstpc[13162]: Server certificated failed verification, ignoring
May 1 10:25:37 sstpc[13162]: Sending Connect-Request Message
May 1 10:25:37 sstpc[13162]: SEND SSTP CRTL PKT(14)
May 1 10:25:37 sstpc[13162]: TYPE(1): CONNECT REQUEST, ATTR(1):
May 1 10:25:37 sstpc[13162]: ENCAP PROTO(1): 6
May 1 10:25:37 sstpc[13162]: RECV SSTP CRTL PKT(48)
May 1 10:25:37 sstpc[13162]: TYPE(2): CONNECT ACK, ATTR(1):
May 1 10:25:37 sstpc[13162]: CRYPTO BIND REQ(4): 40
May 1 10:25:37 sstpc[13162]: Started PPP Link Negotiation
May 1 10:25:37 sstpc[13162]: RECV SSTP CRTL PKT(20)
May 1 10:25:37 sstpc[13162]: TYPE(6): DISCONNECT, ATTR(1):
May 1 10:25:37 sstpc[13162]: STATUS INFO(2): 12
May 1 10:25:37 sstpc[13162]: Sending Disconnect Ack Message
May 1 10:25:37 sstpc[13162]: SEND SSTP CRTL PKT(8)
May 1 10:25:37 sstpc[13162]: TYPE(7): DISCONNECT ACK, ATTR(0):
May 1 10:25:37 sstpc[13162]: Connection was aborted, Reason was not known
**Error: Connection was aborted, Reason was not known, (-1)
vyos@vyos:~$ May 1 10:25:37 sstpc[13163]: Terminating on Terminated (15)
/dev/pts/2: no device specified and stdin is not a tty
Yes, I also tried to set a domain and create a cert based on the name and then add the domain to the hosts file to try it again by name, but it failed.
vyos:~ sudo sstpc --cert-warn --log-level 4 --log-stderr --user=test --pass=test123 d.iproute.net noipdefault refuse-eap noauth debug logfile tmp.log require-mschap-v2 refuse-mschap refuse-chap require-mppe
May 1 20:04:05 sstpc[27461]: Resolved d.iproute.net to 116.203.60.96
May 1 20:04:05 sstpc[27461]: Connected to d.iproute.net
May 1 20:04:05 sstpc[27461]: The certificate did not match the host: d.iproute.net
May 1 20:04:05 sstpc[27461]: Server certificated failed verification, ignoring
May 1 20:04:05 sstpc[27461]: Sending Connect-Request Message
May 1 20:04:05 sstpc[27461]: SEND SSTP CRTL PKT(14)
May 1 20:04:05 sstpc[27461]: TYPE(1): CONNECT REQUEST, ATTR(1):
May 1 20:04:05 sstpc[27461]: ENCAP PROTO(1): 6
May 1 20:04:05 sstpc[27461]: RECV SSTP CRTL PKT(48)
May 1 20:04:05 sstpc[27461]: TYPE(2): CONNECT ACK, ATTR(1):
May 1 20:04:05 sstpc[27461]: CRYPTO BIND REQ(4): 40
May 1 20:04:05 sstpc[27461]: Started PPP Link Negotiation
May 1 20:04:05 sstpc[27461]: RECV SSTP CRTL PKT(20)
May 1 20:04:05 sstpc[27461]: TYPE(6): DISCONNECT, ATTR(1):
May 1 20:04:05 sstpc[27461]: STATUS INFO(2): 12
May 1 20:04:05 sstpc[27461]: Sending Disconnect Ack Message
May 1 20:04:05 sstpc[27461]: SEND SSTP CRTL PKT(8)
May 1 20:04:05 sstpc[27461]: TYPE(7): DISCONNECT ACK, ATTR(0):
May 1 20:04:05 sstpc[27461]: Connection was aborted, Reason was not known
**Error: Connection was aborted, Reason was not known, (-1)
vyos@vyos:~ May 1 20:04:05 sstpc[27462]: Terminating on Terminated (15)
/dev/pts/2: no device specified and stdin is not a tty
Hello @Keyvan, let me check how it works on Windows with a self-signed certificate. I guess without a domain name this can't work, even if you define it in /etc/hosts.
If you have a correctly generated certificate, it should work on sstpc.
I recommend using Let's Encrypt certificates.
vyos@RTR1# openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
Generating a RSA private key
.........................................................++++
........................................................++++
writing new private key to '/config/user-data/sstp/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VyOS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:198.51.100.1
Email Address []:
[edit]
vyos@RTR1# openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VyOS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ROOT CA
Email Address []:
sstp CLI commands
set vpn sstp authentication local-users username test password 'test'
set vpn sstp authentication mode 'local'
set vpn sstp authentication protocols 'mschap-v2'
set vpn sstp network-settings client-ip-settings subnet '100.64.2.0/24'
set vpn sstp network-settings name-server '1.1.1.1'
set vpn sstp ssl ca-cert-file '/config/user-data/sstp/ca.crt'
set vpn sstp ssl cert-file '/config/user-data/sstp/server.crt'
set vpn sstp ssl key-file '/config/user-data/sstp/server.key'
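Added example, not from the thread or the VyOS project: the two openssl commands above each produce a self-signed certificate from the same key, so ca.crt never actually issues server.crt, and a CN-only certificate is what sstpc reports as "did not match the host". The script below builds a root CA with its own key, signs a server certificate with a subjectAltName for both the FQDN and the IP, and verifies chain and name the way sstpc and Windows do. The FQDN sstp.example.net and the IP 198.51.100.1 are placeholders; it assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or the VyOS project: build a two-level
# PKI for an SSTP server with openssl and verify it the way a client does.
# Assumptions: openssl >= 1.1.1 on PATH; the FQDN and IPv4 below are placeholders.
set -eu
SSTP_HOST="sstp.example.net"   # placeholder: the name clients will dial
SSTP_IP="198.51.100.1"         # placeholder: public IPv4 (documentation range)

# make_sstp_pki DIR: root CA with its own key, then a server key + CSR signed
# by that CA, with a subjectAltName listing both the FQDN and the IP.
make_sstp_pki() {
  dir="$1"; mkdir -p "$dir"
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SSTP_HOST,IP:$SSTP_IP
EOF
  openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example/CN=Example SSTP Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example/CN=$SSTP_HOST" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # Leaf is signed by the CA key, not self-signed; clients match the SAN, not CN.
  openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions srv_ext \
    -out "$dir/server.crt" 2>/dev/null
}

# verify_server DIR NAME: succeeds only if server.crt chains to ca.crt AND
# matches NAME (DNS name or IPv4), the two checks sstpc and Windows perform.
verify_server() {
  dir="$1"; name="$2"
  case "$name" in
    *[!0-9.]*) opt="-verify_hostname" ;;   # not dotted-decimal: a DNS name
    *)         opt="-verify_ip" ;;
  esac
  openssl verify -CAfile "$dir/ca.crt" "$opt" "$name" "$dir/server.crt" >/dev/null 2>&1
}
```

Install ca.crt (not server.crt) in the Windows Trusted Root store and point the VyOS ssl ca-cert-file, cert-file and key-file at the three generated files; a client that dials the IP is matched against the IP SAN, one that dials the FQDN against the DNS SAN.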
openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
Generating a RSA private key
…++++
…++++
writing new private key to '/config/user-data/sstp/server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Vyos
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:116.203.60.96
Email Address []:
[edit]
vyos@vyos# openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Vyos
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ROOT CA
Email Address []:
[edit]
vyos@vyos# show vpn sstp | commands
set authentication local-users username alireza password '123456'
set authentication local-users username test password 'test'
set authentication mode 'local'
set authentication protocols 'mschap-v2'
set network-settings client-ip-settings gateway-address '100.64.2.1'
set network-settings client-ip-settings subnet '100.64.2.0/24'
set network-settings name-server '8.8.8.8'
set network-settings name-server '1.1.1.1'
set ssl ca-cert-file '/config/user-data/sstp/ca.crt'
set ssl cert-file '/config/user-data/sstp/server.crt'
set ssl key-file '/config/user-data/sstp/server.key'
[edit]
Note: If you installed the certificate by double-clicking it, this is very bad. Try to create a new user in your Windows and install the certificates like in the screenshots.