FREE SSTP VPN server on Linux with SoftEther

May 18, 2020 - by Zsolt Agoston - last edited on September 20, 2020

Always Hot Café needs a fast and cheap way to set up a VPN solution for its workers. They don't want to invest in expensive hardware or software. Also, the employees have Windows laptops and want to use the built-in VPN client that Windows already has. SSTP is Microsoft's proprietary flavor of SSL VPN protocol. It uses an SSL channel, just like OpenVPN, to build the VPN tunnel between the client and the server. This way the connection is unlikely to be blocked by strict firewalls when users are away, staying in hotels, etc. As data transmission happens on port 443/tcp, a firewall cannot easily distinguish VPN traffic from ordinary web browsing, unlike PPTP or L2TP, where dedicated ports must be used to form the VPN tunnel.

We'll use SoftEther, a very versatile VPN server created at the University of Tsukuba, Japan. Not only is it free, but we can configure it with auto-renewing Let's Encrypt SSL certificates, so we don't need to worry about SSL renewals. We pretty much install the server, then we can forget about it!

Before You Begin

After CentOS basic install:

# Installing prerequisites
yum update -y
yum install -y wget tar
yum groupinstall -y "Development Tools"

Download SoftEther:

wget -P /usr/local https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.34-9745-beta/softether-vpnserver-v4.34-9745-beta-2020.04.05-linux-x64-64bit.tar.gz

Extract SoftEther to /usr/local

tar -C /usr/local -xzf /usr/local/softether-vpnserver-v4.34-9745-beta-2020.04.05-linux-x64-64bit.tar.gz

1. Install SoftEther

We are ready to install SoftEther. This means compiling the binaries, setting the right permissions on the files and setting the service to start at boot. Compile the executables first:

cd /usr/local/vpnserver
make

Now we change the permissions on the files inside the vpnserver directory so unauthorized users won't be able to access them:

cd /usr/local/vpnserver/
chmod -R 600 *
chmod 700 vpncmd
chmod 700 vpnserver

2. Create the Startup Script

Use your favorite text editor or the command line to create the /etc/init.d/vpnserver file as per https://www.softether.org/4-docs/1-manual/7._Installing_SoftEther_VPN_Server/7.3_Install_on_Linux_and_Initial_Configurations with the following content:

/etc/init.d/vpnserver

#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
# Do nothing if the vpnserver binary is missing or not executable
test -x "$DAEMON" || exit 0
case "$1" in
start)
    "$DAEMON" start
    touch "$LOCK"
    ;;
stop)
    "$DAEMON" stop
    rm -f "$LOCK"
    ;;
restart)
    "$DAEMON" stop
    sleep 3
    "$DAEMON" start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0


Now make the script executable (mode 755: writable by the owner only, readable and executable by everyone):

chmod 755 /etc/init.d/vpnserver

Run the script to start the server:

/etc/init.d/vpnserver start

Lastly, register the service so it starts automatically at boot:

systemctl enable vpnserver


3. Change the admin password

It's time to set the admin password on the VPN service. Whenever we need to make amendments to the server configuration, we'll need to provide these credentials to the application.

[root@vpn ~]# /usr/local/vpnserver/vpncmd
VPN Server> ServerPasswordSet


4. Create Virtual Hub

A virtual hub is a pool of users and accepted protocols. We need at least one hub configured. We go with the name AHC, in which we'll set up a test user called alice and enable the SSTP and IPsec protocols. Create the hub, then select it so the following commands apply to it:

VPN Server>HubCreate AHC
VPN Server>Hub AHC

5. Enable SecureNAT

We can run the server with SecureNAT, or with a Local Bridge, which requires DHCP to be set up separately. We don't want the VPN clients to use up IP addresses in our DHCP pool, so we go with SecureNAT for simplicity. This way the VPN server creates a separate subnet for them and they are NAT-ed through the single IP of the VPN server.

VPN Server/AHC>SecureNatEnable

6. Create a VPN user for the Windows 10 client to make the SSTP connection

VPN Server/AHC>UserCreate alice
VPN Server/AHC>UserPasswordSet alice

7. Set up the SSL certificate for SSTP

SSTP will not work (at least out of the box) without a valid SSL certificate signed by a public CA. We acquire a Let's Encrypt wildcard certificate for this purpose. For the full Let's Encrypt SSL certificate guide, click here.

The certificate files are located under /etc/letsencrypt/live/alwayshotcafe.com. After checking they are there, we proceed.


To install the certificate, we start vpncmd again (/usr/local/vpnserver/vpncmd) and issue the following command, which asks for the certificate and private key files:

VPN Server/AHC>ServerCertSet

# Public key:
/etc/letsencrypt/live/alwayshotcafe.com/cert.pem

# Private key:
/etc/letsencrypt/live/alwayshotcafe.com/privkey.pem

Note: if you use a different Certificate Authority (DigiCert, Comodo, etc.), the file names and locations may differ.
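One caveat a practitioner will want here: ServerCertSet copies the certificate and key into SoftEther's own configuration, so a certificate that certbot later renews on disk is not reloaded by itself. The following certbot deploy hook, added as an example and not code from the post or the SoftEther project, re-runs ServerCertSet in vpncmd batch mode after each renewal; the vpncmd path, the admin password file and the alwayshotcafe.com lineage are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from SoftEther): a certbot
# deploy hook that re-imports a renewed Let's Encrypt certificate into
# SoftEther, because ServerCertSet keeps its own copy in vpn_server.config.
# Assumptions: vpncmd is at /usr/local/vpnserver/vpncmd, the server admin
# password is kept in /root/.vpnserver-admin (mode 600), and the lineage is
# alwayshotcafe.com as in the post. certbot exports RENEWED_LINEAGE when it
# runs a deploy hook.
set -eu

VPNCMD=/usr/local/vpnserver/vpncmd
PASS_FILE=/root/.vpnserver-admin
DEFAULT_LINEAGE=/etc/letsencrypt/live/alwayshotcafe.com

# Succeed only if cert.pem and privkey.pem exist under $1 and the private key
# is readable by its owner alone (ls mode characters 5-10 must all be "-").
check_cert_files() {
    [ -r "$1/cert.pem" ] && [ -r "$1/privkey.pem" ] || return 1
    case "$(ls -ld "$1/privkey.pem" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the vpncmd batch invocation that loads the certificate from $2 using
# the admin password $1. The password is visible in the process list while
# vpncmd runs, so the hook must only run as root on the VPN host itself.
certset_cmd() {
    printf '%s localhost /SERVER /PASSWORD:%s /CMD ServerCertSet /LOADCERT:%s/cert.pem /LOADKEY:%s/privkey.pem\n' \
        "$VPNCMD" "$1" "$2" "$2"
}

# Validate the files, then push them into the running server.
reload_cert() {
    lineage="${1:-$DEFAULT_LINEAGE}"
    check_cert_files "$lineage" || { echo "cert/key missing or key too open in $lineage" >&2; return 1; }
    pw=$(cat "$PASS_FILE")
    "$VPNCMD" localhost /SERVER "/PASSWORD:$pw" /CMD ServerCertSet \
        "/LOADCERT:$lineage/cert.pem" "/LOADKEY:$lineage/privkey.pem"
}

# Run only when invoked by certbot (RENEWED_LINEAGE set); running the file
# by hand without that variable just defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_cert "$RENEWED_LINEAGE"
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/softether.sh (mode 700) and certbot will run it after every successful renewal.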

Finally, we can enable SSTP on the server:

VPN Server/AHC>SstpEnable yes

Enable IPsec as well, and set the default hub to the newly created AHC hub. This way plain usernames will be accepted; otherwise the client needs to use the [Hub name]\[username] format when connecting (AHC\alice in this example).

8. Enable the SSTP port on the firewall

It is important to allow incoming connections on port 443/tcp, otherwise clients will not be able to connect:

[root@vpn ~]# firewall-cmd --permanent --zone=public --add-port=443/tcp
[root@vpn ~]# firewall-cmd --reload

Connect with a client

1. Open Network and Sharing Center on the Windows 10 client and select the "New Connection" option.

2. After selecting the VPN connection type, enter the server name, vpn.alwayshotcafe.com, and an arbitrary name that helps identify the connection later. Here we simply call it "AHC VPN".

After the connection is created, open its properties and make sure the VPN type is set to SSTP and the authentication method is MS-CHAPv2.

Now Alice is ready to connect!


Comments

Leonid Chertkov says (June 14, 2023 at 00:26):

Hi, can I use this software from a Mac computer?
