I’m hoping someone can help. I’m trying to set up a test VyOS box for SSTP access; however, I can’t seem to get it to work with Win 10. I’m getting the below message & event viewer log.
“Can’t connect to Test-SSTP-FW
The token supplied to the function is invalid”
Event viewer log:
Event ID: 20227
CoId={5B3ED370-221B-4212-9D08-F4C38E29CD3B}: The user Domain\User dialed a connection named Test-SSTP-FW which has failed. The error code returned on failure is -2146893048.
Thank you for getting back to me. I saw these fixes in other posts on the forum for SSTP, so I tried making these changes just in case they helped. I have the same issue with or without the changes to /etc/ppp/…
Please see log output below:
On boot:
Jun 25 08:00:31 Test-SSTP-FW sudo[2125]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/sh -c /usr/libexec/vyos/conf_mode/vpn_sstp.py
Jun 25 08:00:31 Test-SSTP-FW sudo[2129]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/systemctl restart [email protected]
Jun 25 08:00:31 Test-SSTP-FW systemd[1]: [email protected]: Can’t open PID file /run/accel-pppd/sstp.pid (yet?) after start: No such file or directory
Jun 25 08:00:31 Test-SSTP-FW accel-sstp[2132]: sstp: ssl-pemfile error: error:0909006C:PEM routines:get_name:no start line
Jun 25 08:00:31 Test-SSTP-FW accel-sstp[2132]: sstp: SSL/TLS support disabled, PROXY support disabled
Jun 25 08:00:31 Test-SSTP-FW accel-sstp[2132]: sstp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
When trying to connect:
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: new connection from x.x.x.77:36380
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: starting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: started
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: [20B blob data]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <HTTP/1.1 400 Bad Request>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <Date: Thu, 25 Jun 2020 07:03:12 GMT>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: disconnecting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: disconnected
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: new connection from .x.x.77:30711
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: starting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: started
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: [20B blob data]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <HTTP/1.1 400 Bad Request>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <Date: Thu, 25 Jun 2020 07:03:12 GMT>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: disconnecting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: disconnected
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: new connection from x.x.x.77:62167
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: starting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: started
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: [20B blob data]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <HTTP/1.1 400 Bad Request>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <Date: Thu, 25 Jun 2020 07:03:12 GMT>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: disconnecting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: disconnected
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: new connection from x.x.x.77:49397
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: starting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: started
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: [19B blob data]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <HTTP/1.1 400 Bad Request>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <Date: Thu, 25 Jun 2020 07:03:12 GMT>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: disconnecting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: disconnected
Hi @Phoenix1993, I see something with certificates:
Jun 25 08:00:31 Test-SSTP-FW accel-sstp[2132]: sstp: ssl-pemfile error: error:0909006C:PEM routines:get_name:no start line
Can you try to regenerate certificates like in this post SSTP server connection failed - #9 by Dmitry
Note: This modification only for linux SSTP client.
Thank you for getting back to me, I’m still getting the same error:
Jun 25 10:02:17 Test-SSTP-FW accel-sstp[2133]: sstp: ssl-pemfile error: error:0909006C:PEM routines:get_name:no start line
I’ve since removed the /etc/ppp/… changes, changed the certificate location to point to /config/user-data/sstp/, and regenerated the certificate files by running:
Country Name (2 letter code) [AU]: UK
State or Province Name (full name) [Some-State]: .
Locality Name (eg, city) []: .
Organization Name (eg, company) [Internet Widgits Pty Ltd]: .
Organizational Unit Name (eg, section) []: .
Common Name (e.g. server FQDN or YOUR name) []: x.x.x.158
Email Address []: .
I’ve tried using the public IP and FQDN, and also tried populating all fields instead of leaving them blank.
Hi @Phoenix1993. I double-checked the SSTP implementation, and I can confirm that this works on the latest rolling.
Create a directory and generate certificates
mkdir /config/auth/sstp/
1.1 Generate server key and cert
openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/sstp/server.key -out /config/auth/sstp/server.crt
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VyOS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:x.x.36.246
Email Address []:
1.2 Generate CA
openssl req -new -x509 -key /config/auth/sstp/server.key -out /config/auth/sstp/ca.crt
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VyOS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ROOT CA
Email Address []:
Check if certs and keys exist
vyos@RTR1# sudo ls -lah /config/auth/sstp
total 20K
drwxrwsr-x 2 vyos vyattacfg 4.0K Jun 27 10:32 .
drwxrwsr-x 8 root vyattacfg 4.0K Jun 27 10:32 ..
-rw-rw-r-- 1 vyos vyattacfg 1.9K Jun 27 10:32 ca.crt
-rw-rw-r-- 1 vyos vyattacfg 2.0K Jun 27 10:32 server.crt
-rw------- 1 vyos vyattacfg 3.2K Jun 27 10:32 server.key
Configure SSTP
set vpn sstp authentication local-users username test password 'test'
set vpn sstp authentication mode 'local'
set vpn sstp authentication protocols 'pap'
set vpn sstp network-settings client-ip-settings gateway-address '100.64.1.1'
set vpn sstp network-settings client-ip-settings subnet '100.64.2.0/24'
set vpn sstp network-settings name-server '1.1.1.1'
set vpn sstp ssl ca-cert-file '/config/auth/sstp/ca.crt'
set vpn sstp ssl cert-file '/config/auth/sstp/server.crt'
set vpn sstp ssl key-file '/config/auth/sstp/server.key'
Export ca.crt and server.crt to Win machine via MMC
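The pre-flight check that would have caught the "path without a file name" mistake, as an added example rather than code from this thread or from VyOS: a POSIX shell script that verifies each file the three `set vpn sstp ssl` options point at is a readable PEM file with matching BEGIN/END lines (the condition accel-ppp reports as `PEM routines:get_name:no start line`), confirms the key belongs to the certificate, and, as a non-interactive variant of the two openssl steps above, generates the files. The file names and the /config/auth/sstp path follow the post above; the function names are this example's own, and `gen_sstp_certs` deliberately differs from the post by signing the server certificate with a separate CA key and adding a subjectAltName for the configured IP or FQDN (an assumption about what a Windows client is happiest with, not something the post states).

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM files that "set vpn sstp ssl ..." points at.
# accel-ppp logs "PEM routines:get_name:no start line" when the configured path is not a
# readable file beginning with a "-----BEGIN ...-----" line (a directory, an empty file,
# a DER file, ...). Function names are this example's own, not VyOS's.

# pem_check FILE LABEL: FILE must be a readable regular file with matching BEGIN/END
# lines for LABEL ("CERTIFICATE", "PRIVATE KEY", ...). Returns 1 and explains on failure.
pem_check() {
    pc_file=$1
    pc_label=$2
    if [ -d "$pc_file" ]; then
        echo "FAIL: $pc_file is a directory (path configured without the file name?)" >&2
        return 1
    fi
    if [ ! -f "$pc_file" ] || [ ! -r "$pc_file" ]; then
        echo "FAIL: $pc_file does not exist or is not readable" >&2
        return 1
    fi
    if ! grep -q "^-----BEGIN .*${pc_label}-----\$" "$pc_file"; then
        echo "FAIL: $pc_file has no '-----BEGIN ... ${pc_label}-----' line (this is 'no start line'; also check for CRLF line endings)" >&2
        return 1
    fi
    if ! grep -q "^-----END .*${pc_label}-----\$" "$pc_file"; then
        echo "FAIL: $pc_file has no matching END line (truncated file?)" >&2
        return 1
    fi
    echo "ok: $pc_file is a PEM $pc_label"
}

# key_matches_cert CERT KEY: the public key inside CERT must equal the one derived from KEY.
# Skips (returns 0) when openssl is not on PATH.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "skip: openssl not found"; return 0; }
    km_cpub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    km_kpub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$km_cpub" = "$km_kpub" ]
}

# sstp_ssl_check CA CERT KEY: everything the three "set vpn sstp ssl" options need.
sstp_ssl_check() {
    sc_rc=0
    pem_check "$1" CERTIFICATE || sc_rc=1
    pem_check "$2" CERTIFICATE || sc_rc=1
    pem_check "$3" "PRIVATE KEY" || sc_rc=1
    [ "$sc_rc" -eq 0 ] || return 1
    if key_matches_cert "$2" "$3"; then
        echo "ok: $3 matches $2"
    else
        echo "FAIL: $3 is not the private key for $2" >&2
        return 1
    fi
}

# gen_sstp_certs DIR CN [BITS]: non-interactive version of the two openssl steps in the post
# above, with two differences that are this example's choice: the server certificate is signed
# by a separate CA key instead of being self-signed, and it carries a subjectAltName (IP: or
# DNS:) for CN so a Windows client can match the server name against it.
gen_sstp_certs() {
    gc_dir=$1
    gc_cn=$2
    gc_bits=${3:-4096}
    mkdir -p "$gc_dir" || return 1
    openssl req -new -newkey "rsa:$gc_bits" -nodes -x509 -days 3650 \
        -subj "/C=US/O=VyOS/CN=ROOT CA" \
        -keyout "$gc_dir/ca.key" -out "$gc_dir/ca.crt" || return 1
    openssl req -new -newkey "rsa:$gc_bits" -nodes \
        -subj "/C=US/O=VyOS/CN=$gc_cn" \
        -keyout "$gc_dir/server.key" -out "$gc_dir/server.csr" || return 1
    case "$gc_cn" in
        *[!0-9.]*) gc_san="DNS:$gc_cn" ;;   # contains letters: treat as an FQDN
        *)         gc_san="IP:$gc_cn"  ;;   # digits and dots only: treat as an IPv4 address
    esac
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$gc_san" > "$gc_dir/server.ext"
    openssl x509 -req -in "$gc_dir/server.csr" -CA "$gc_dir/ca.crt" -CAkey "$gc_dir/ca.key" \
        -CAcreateserial -days 3650 -extfile "$gc_dir/server.ext" \
        -out "$gc_dir/server.crt" || return 1
    chmod 600 "$gc_dir/ca.key" "$gc_dir/server.key"   # keep keys private, like the 0600 server.key above
    rm -f "$gc_dir/server.csr" "$gc_dir/server.ext" "$gc_dir/ca.srl"
}

# Stand-alone use on the router (paths from the post above):
#   sh sstp-cert-check.sh /config/auth/sstp/ca.crt /config/auth/sstp/server.crt /config/auth/sstp/server.key
if [ "$#" -eq 3 ]; then
    sstp_ssl_check "$1" "$2" "$3"
fi
```

Run the check before `commit`; a directory or a missing file name fails at `pem_check` with a message naming the path, which is considerably more direct than the accel-ppp log line. Only ca.crt and server.crt need to go to the Windows machine; ca.key stays on the router.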
Thank you very much for your assistance, it’s now working.
I was being stupid; I was providing the path to the cert and key files but not the file names.
You are not stupid, this is a system bug. I will create the task on the phabricator and add a stronger certificate check. Maybe these improvements could save time in the future =)