How to Setup SSTP VPN Client in Windows Using Certificate from Mikrotik

Setting up an SSTP VPN client in Windows is more complicated than setting up a PPTP VPN client. This is because SSTP VPN is much more secure than PPTP VPN: an SSTP VPN connection in Windows must use an SSL (Secure Sockets Layer) certificate, whereas PPTP VPN needs no SSL certificate at all and connects after only a few settings.
In this MikroTik tutorial we discuss how to set up an SSTP VPN client in Windows 10, first creating the SSL certificates on the MikroTik device. Before proceeding with this tutorial, make sure you have read the previous MikroTik tutorial about:

Creating SSL Certificates CA, Server, and Client in Mikrotik

1. Create an SSL certificate in MikroTik for the CA (Certificate Authority). Go to the System menu -> Certificates -> add a new certificate with the details below:
CA (Certificate Authority)
The fields that matter are Name and Common Name (CN).
  • In the Name field, enter CA.
  • In the Common Name field, enter the public IP address or domain name of the SSTP server.
  • Fill in the other fields with your own details.
2. Create SSL certificates for the Client and the Server. The procedure is the same as in the first step; only the Name and Common Name change.
SSL Certificate for Client and Server.

3. Sign the three SSL certificates by clicking the Sign option on each certificate.

SSL CA Certificate Sign:

When signing, select CA in the Certificate field -> in the CA CRL Host field, enter the public IP address or domain name of the SSTP server.
SSL CA Certificate Sign

Sign Certificate SSL Server:

When signing, select Server in the Certificate field -> CA field: select CA -> CA CRL Host: leave empty.
Sign Certificate SSL Server
3. After the certificates are signed, make sure each one is marked T, meaning Trusted. If not, open the certificate -> check Trusted.
4. Export the CA certificate and the Client certificate. Right-click the certificate -> select the Export option.
Export Certificate
5. The exported certificates appear in the Files menu with the .crt extension. Copy the certificate files to the computer.
6. Paste the certificate files into a folder on the computer. Then install both certificates by right-clicking each one -> Install Certificate.
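Steps 1 to 6 as RouterOS terminal commands, added here as an example and not taken from the original tutorial. vpn.example.com stands in for the public IP address or domain name of your SSTP server, the key usages and validity period are assumptions, and the export passphrase is a placeholder.

```routeros
# Added example: CA, Server and Client certificates for the SSTP server (steps 1 to 6).
# vpn.example.com is a placeholder for the public IP address or domain name of the SSTP server.
/certificate
add name=CA common-name=vpn.example.com key-size=2048 days-valid=3650 key-usage=key-cert-sign,crl-sign
add name=Server common-name=vpn.example.com key-size=2048 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
add name=Client common-name=vpn.example.com key-size=2048 days-valid=3650 key-usage=tls-client

# Step 3: sign the CA first (with the CRL host), then the two leaf certificates with CA as issuer
sign CA ca-crl-host=vpn.example.com name=CA
sign Server ca=CA name=Server
sign Client ca=CA name=Client

# Mark the certificates as trusted (the "T" flag). Signing runs in the background,
# so if the flag is still missing afterwards, run these two lines again.
set CA trusted=yes
set Server trusted=yes

# Steps 4 and 5: export the CA (public part only) and the Client certificate.
# The files appear under Files as cert_export_<name>.crt; the passphrase protects the client key.
export-certificate CA
export-certificate Client export-passphrase=CHANGE-ME-8CHARS-MIN

# Check: CA, Server and Client should be listed with flags K (private key) and T (trusted)
print
```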
7. Create the DHCP VPN IP Pool:
Select [IP > Pool] and configure the pool as needed or as shown below. This part is technically not necessary since we’re only using a single client to connect to the VPN. However, I’m going to assume that the VPN we’re creating is going to be used by many clients connecting to a single site. If so, we’re going to need to create a pool from which clients will be assigned IP addresses by the MikroTik upon establishing a VPN connection. In this example, I’ve chosen IP addresses between 10.10.100.10 and 10.10.100.254. Note that 10.10.100.1 to 10.10.100.9 have been excluded from the pool. I like to keep a number of IP addresses available outside the pool should I need them later. For instance, I will be using 10.10.100.1 in the next step of this guide as the VPN gateway, otherwise known as the “Local Address” during the PPP Profile setup. The remaining excluded IP addresses can be used for additional VPN connection gateways, such as OpenVPN (10.10.100.2), L2TP/IPSec (10.10.100.3) etc., but for now – I digress – we won’t be covering these VPN types in this guide. What’s important here is that we create a pool of IP addresses dedicated to connecting VPN clients and that we purposely exclude the IP address that we will be using for our SSTP VPN gateway.
IP Pool
8. Create the PPP Profile

9. Create a PPP secret (user/client)
PPP secret (user/client)

10. Configure and enable the SSTP server:

Select PPP on the left-hand side of Winbox and navigate to the Interface tab. Select the SSTP Server button and apply the following settings to configure/enable the SSTP Server. Note that the Default Profile field is using the recently created SSTP01 profile and that the Certificate field is using the “Server” certificate that was created at the beginning of this guide. Also, notice the port that is being used – port 443. We’ll be using this port in the next step to create the firewall rule.

NOTE 04/25/18: In the screenshot above, TLS Version is currently set to “only-1.2”. The VPN connection will fail if the Operating System does not support TLS 1.2. I ran into this issue with Windows 7 SSTP clients. To resolve the connection issue, I changed this particular setting from “only-1.2” to “any”.

11. Create SSTP firewall filter and NAT rules

Select [IP > Firewall]

In this example, keep in mind that once the VPN is established, the VPN client(s) will be pulling IP addresses from the previously created DHCP VPN IP Pool (10.10.100.10 – 10.10.100.254).

The following commands will add additional rules that will allow traffic from the VPN’s subnet to/through the router. Once the rules have been created, they need to be placed under the previously created “Allow SSTP” rule (the screenshots above). Again, these rules are very broad: they will allow all traffic from the VPN’s subnet to/through the MikroTik. These rules may need to be modified, or additional rules created, to comply with your network security policy. Keep in mind that the subnet 10.10.100.0/24 represents the previously created VPN DHCP pool and that the “src-address” value of “ether1” represents the MikroTik’s WAN interface – change this value as needed.

In addition, if VPN clients require internet access through the VPN, the following NAT (masquerade) rule will need to be added.

12. Allow remote DNS requests

Select IP > DNS and tick the Allow Remote Requests box shown in the screenshot below.

It would be advisable to create a firewall rule to drop DNS requests from the WAN. I’ve provided the following commands below to accomplish this. These commands can be pasted directly into the MikroTik Terminal. Keep in mind that the “in-interface” value will need to reflect the name of the WAN port on your MikroTik.

Allow remote DNS request
13. Create static DNS entries (optional)
I’ve marked this section as optional, since this may not be required for the majority of the network environments out there.
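Steps 7 to 12 as RouterOS terminal commands, added here as an example and not part of the original tutorial. The names VPN-Pool, SSTP01 and clientx are assumed, ether1 is assumed to be the WAN interface, the password is a placeholder, and the rules are the same broad allow rules the text describes, so narrow them to your own policy.

```routeros
# Added example: SSTP server, addressing, firewall and DNS (steps 7 to 12).
# Assumptions: ether1 is the WAN interface; VPN-Pool, SSTP01 and clientx are placeholder names.

# Step 7: client address pool, leaving 10.10.100.1-10.10.100.9 free for VPN gateways
/ip pool add name=VPN-Pool ranges=10.10.100.10-10.10.100.254

# Step 8: PPP profile; 10.10.100.1 is the SSTP gateway ("Local Address"), encryption is mandatory
/ppp profile add name=SSTP01 local-address=10.10.100.1 remote-address=VPN-Pool use-encryption=required

# Step 9: one PPP secret per client, restricted to the SSTP service only
/ppp secret add name=clientx password=CHANGE-ME service=sstp profile=SSTP01

# Step 10: SSTP server on TCP 443 with the "Server" certificate and the SSTP01 profile.
# tls-version=only-1.2 rejects clients without TLS 1.2 (see the Windows 7 note above); use "any" only if you must.
/interface sstp-server server set enabled=yes port=443 certificate=Server default-profile=SSTP01 authentication=mschap2 tls-version=only-1.2 force-aes=yes pfs=yes

# Step 11: filter rules. New rules are appended to the end of the chain, so if a final drop rule
# already exists, move these above it and below "Allow SSTP" with /ip firewall filter move.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=443 in-interface=ether1 comment="Allow SSTP"
add chain=input action=accept src-address=10.10.100.0/24 comment="Allow VPN subnet to router"
add chain=forward action=accept src-address=10.10.100.0/24 comment="Allow VPN subnet through router"

# Step 11: NAT, only needed if VPN clients must reach the internet through the VPN
/ip firewall nat add chain=srcnat action=masquerade src-address=10.10.100.0/24 out-interface=ether1 comment="Masquerade VPN clients"

# Step 12: the router answers DNS for VPN clients, but never for queries arriving on the WAN
/ip dns set allow-remote-requests=yes
/ip firewall filter
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1 comment="Drop DNS from WAN"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1 comment="Drop DNS from WAN"

# Check: connected SSTP clients, and which filter rules are actually matching traffic
/interface sstp-server print
/ip firewall filter print stats
```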

WINDOWS 10: INSTALL THE “CA” CERTIFICATE

We’ve completed the SSTP VPN setup for SiteX on the Mikrotik and will now need to configure the VPN on the client-side for ClientX’s Windows 10 machine. Earlier in this guide, we exported the “CA” certificate using the MikroTik at SiteX.

  1. In Winbox, select Files on the left-hand side. If you’ve been following the naming conventions of this guide, the file should be named “cert_export_CA.crt”. Drag or Download (right-click > download) the file to a safe location on your computer.
  2. Now that the CA certificate has been downloaded from the MikroTik, we will need to transfer the certificate to ClientX’s Windows 10 machine; I’ll let you decide how this is done.
  3. After transferring the CA certificate to ClientX, right-click on the certificate and select “Install Certificate” from the context menu and use the following screenshots below to complete the CA certificate setup for ClientX’s SSTP VPN:

WINDOWS 10: CREATE THE VPN/NETWORK ADAPTER (NON-SPLIT TUNNEL)

We’ve completed the Windows 10 “CA” certificate install for ClientX and now need to create ClientX’s Windows 10 VPN/network adapter. In the Windows 10 Control Panel, open Network and Sharing Center. Select “Set up a new connection or network” and use the following screenshots below to create the VPN/network adapter.

OPTION 2: WINDOWS 10 – CREATE/CONFIGURE THE VPN/NETWORK ADAPTER WITH SPLIT TUNNELING

This second option involves creating a brand new adapter via the Connection Manager Administration Kit (CMAK), a feature that can be added to Windows and used to create executable files for the deployment/setup of VPNs. This method is being used because of its ability to add custom route tables after connection. The route table is added to ClientX’s Windows 10 machine after the VPN connection is established: all traffic destined for SiteX is routed through the VPN gateway to SiteX, while all other traffic is routed through ClientX’s local gateway.