SSTP with Win 10 Clients

Hi,

I’m hoping someone can help, I’ll trying to setup a test VyOS box for SSTP access however can’t seem to get it to work with Win 10. I’m getting the below message & event viewer log.

“Can’t connect to Test-SSTP-FW
The token supplied to the function is invalid”

Event viewer log:
Event ID: 20227

CoId={5B3ED370-221B-4212-9D08-F4C38E29CD3B}: The user Domain\User dialed a connection named Test-SSTP-FW which has failed. The error code returned on failure is -2146893048.

Certificate:

I used the below commands to generate:

openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt
openssl req -new -x509 -days 3650 -key /config/auth/server.key -out /config/auth/ca.crt

Used test.sstp.domain.co.uk for the CN and created an A record to point to it

I then imported both ca.cert & server.cert into MMC > Certificates snap-in > Computer account > Trusted Root Certificate Authorities > Certificates

Additional:

editied /etc/ppp/options and replace auth with noauth
editied /etc/ppp/chap-secrets and added username * password *

Hi @Phoenix1993, why you need manipulation with editing /etc/ppp/...?
Docs SSTP — VyOS 1.4.x (sagitta) documentation

Related topic SSTP server connection failed
Provide please also the output of command run show log | match sstp when the client trying to connect.

Hi @Dmitry,

Thank you for getting back to me, I saw these fixes in other posts on the forum for SSTP so I tried making these changes just in case they helped. I have the same issue with or without the changes to /etc/ppp/…

Please see log output below:

On boot

Jun 25 08:00:31 Test-SSTP-FW sudo[2125]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/sh -c /usr/libexec/vyos/conf_mode/vpn_sstp.py
Jun 25 08:00:31 Test-SSTP-FW sudo[2129]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/systemctl restart accel-ppp@sstp.service
Jun 25 08:00:31 Test-SSTP-FW systemd[1]: accel-ppp@sstp.service: Can’t open PID file /run/accel-pppd/sstp.pid (yet?) after start: No such file or directory
Jun 25 08:00:31 Test-SSTP-FW accel-sstp[2132]: sstp: ssl-pemfile error: error:0909006C:PEM routines:get_name:no start line
Jun 25 08:00:31 Test-SSTP-FW accel-sstp[2132]: sstp: SSL/TLS support disabled, PROXY support disabled
Jun 25 08:00:31 Test-SSTP-FW accel-sstp[2132]: sstp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup

When trying to connect

Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: new connection from x.x.x.77:36380
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: starting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: started
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: [20B blob data]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <HTTP/1.1 400 Bad Request>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <Date: Thu, 25 Jun 2020 07:03:12 GMT>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: disconnecting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: disconnected
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: new connection from .x.x.77:30711
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: starting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: started
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: [20B blob data]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <HTTP/1.1 400 Bad Request>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <Date: Thu, 25 Jun 2020 07:03:12 GMT>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: disconnecting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: disconnected
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: new connection from x.x.x.77:62167
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: starting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: started
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: [20B blob data]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <HTTP/1.1 400 Bad Request>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <Date: Thu, 25 Jun 2020 07:03:12 GMT>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: disconnecting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: disconnected
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: new connection from x.x.x.77:49397
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: starting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: started
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: [19B blob data]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <HTTP/1.1 400 Bad Request>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: send [HTTP <Date: Thu, 25 Jun 2020 07:03:12 GMT>]
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: :: disconnecting
Jun 25 08:03:12 Test-SSTP-FW accel-sstp[2132]: sstp: disconnected

Hi @Phoenix1993, I see something with certificates.
Jun 25 08:00:31 Test-SSTP-FW accel-sstp[2132]: sstp: ssl-pemfile error: error:0909006C:PEM routines:get_name:no start line
Can you try to regenerate certificates like in this post SSTP server connection failed

Note: This modification only for linux SSTP client.

Hi @Dmitry,

Thank you for getting back to me, I’m still getting the same error:

Jun 25 10:02:17 Test-SSTP-FW accel-sstp[2133]: sstp: ssl-pemfile error: error:0909006C:PEM routines:get_name:no start line

I’ve since removed the /etc/ppp/… changes, changed the certificate location to point to /config/user-data/sstp/ and regenerated the certificate files by running.

openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt

Country Name (2 letter code) [AU]: UK
State or Province Name (full name) [Some-State]: .
Locality Name (eg, city) []: .
Organization Name (eg, company) [Internet Widgits Pty Ltd]: .
Organizational Unit Name (eg, section) []: .
Common Name (e.g. server FQDN or YOUR name) []: x.x.x.158
Email Address []: .

I’ve tried using the public IP and FQDN also tried populating all fields instead of leaving blank

Hi @Phoenix1993. I double-checked SSTP implementation, and I can confirm that this is work on the latest rolling.

1. Create a directory and generate certificates

mkdir /config/auth/sstp/

1.1 Generate server key and cert

openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/sstp/server.key -out /config/auth/sstp/server.crt
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VyOS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:x.x.36.246
Email Address []:

1.2 Generate CA

openssl req -new -x509 -key /config/auth/sstp/server.key -out /config/auth/sstp/ca.crt

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VyOS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ROOT CA
Email Address []:

2. Check if certs and keys exist

vyos@RTR1# sudo ls -lah /config/auth/sstp
total 20K
drwxrwsr-x 2 vyos vyattacfg 4.0K Jun 27 10:32 .
drwxrwsr-x 8 root vyattacfg 4.0K Jun 27 10:32 ..
-rw-rw-r-- 1 vyos vyattacfg 1.9K Jun 27 10:32 ca.crt
-rw-rw-r-- 1 vyos vyattacfg 2.0K Jun 27 10:32 server.crt
-rw------- 1 vyos vyattacfg 3.2K Jun 27 10:32 server.key

3. Configure SSTP

set vpn sstp authentication local-users username test password 'test'
set vpn sstp authentication mode 'local'
set vpn sstp authentication protocols 'pap'
set vpn sstp network-settings client-ip-settings gateway-address '100.64.1.1'
set vpn sstp network-settings client-ip-settings subnet '100.64.2.0/24'
set vpn sstp network-settings name-server '1.1.1.1'
set vpn sstp ssl ca-cert-file '/config/auth/sstp/ca.crt'
set vpn sstp ssl cert-file '/config/auth/sstp/server.crt'
set vpn sstp ssl key-file '/config/auth/sstp/server.key'

4. Export ca.crt and server.crt to Win machine via MMC
5. Create an SSTP connection and try to connect.

Hi @Dmitry,

Thank you very much for your assistance, it’s now working
I was being stupid I was providing the path to the cert and key files but not the file names.

Hi @Phoenix1993, cool. About

You are not stupid, this is a system bug. I will create the task on the phabricator and add a more strong certificates check. Maybe these improvements could save time in future =)