Site icon System Zone

MikroTik SSTP VPN Server Configuration with Windows 10

VPN (Virtual Private Network) technology provides a secure and encrypted tunnel across a public network. So, a private network user can send and receive data to any remote private network through VPN tunnel as if his/her network device was directly connected to that private network.

Secure Socket Tunneling Protocol (SSTP) transports PPP tunnel over TLS channel. SSTP uses TLS channel over TCP port 443. So, SSTP VPN can virtually pass through all firewalls and proxy servers. Because of using TLS channel, encrypted data passes over SSTP Tunnel. So, there is no chance to steal data by a middle man attacker and data can send and receive across public network safely. MikroTik SSTP Server can be applied in two methods.

The goal of this article is to connect a remote client device over secure SSTP VPN Tunnel across public network. So, in this article I will only show how to configure MikroTik SSTP VPN Server for connecting a remote workstation/client (Windows 10 Client).

How SSTP Connection Established

To establish a SSTP VPN tunnel across public network, the following mechanisms are occurred.

SSTP How Works

Network Diagram

To configure a Client-Server SSTP VPN Tunnel between a MikroTik Router and a Windows 10 SSTP Client, we are following the below network diagram.

Client-Server SSTP Diagram

In this network diagram, a MikroTik Router’s ether1 interface is connected to public network having IP address 117.58.247.198/30 and ether2 interface is connected to LAN having IP network 10.10.11.0/24.

We will configure SSTP Server in this MikroTik Router on TCP port 443. So, Windows 10 SSTP Client can be connected to this SSTP Server and can be able to access remote network resources as if the device is connected to that remote network.

SSTP VPN Server and SSTP Client Configuration

We will now start SSTP Server and Client configuration. Complete SSTP configuration can be divided into two parts.

Part 1: SSTP Server Configuration in MikroTik Router

According to the network diagram, MikroTik Router is our SSTP VPN Server. So, we will enable and configure SSTP VPN Server in MikroTik Router. It is assumed that MikroTik WAN and LAN networks have been configured and are working without any issue.

Complete MikroTik SSTP Server configuration can be divided into the following three steps.

Step 1: Creating TLS Certificate for SSTP Server

SSTP Server configuration requires TLS certificate because SSTP VPN uses TLS certificate for secure communication. MikroTik RouterOS v6 gives ability to create, store and manage certificates in certificate store. So, we will create required SSTP Server certificate from MikroTik RouterOS. SSTP Server requires two types of certificates:

Creating CA certificate

MikroTik RouterOS provides a self-signed certificate and self-signed certificate must have a CA (Certification Authority) Certificate to sign Server Certificate. This CA certificate will also be installed in SSTP Client devices otherwise Server Certificate cannot be verified.  The following steps will show how to create a CA certificate in MikroTik RouterOS.

Creating CA Certificate for SSTP Server

Creating Server Certificate

After creating CA certificate, we will now create Server Certificate that will be signed by the created CA. The Server Certificate will be used by SSTP Server. The following steps will show how to create Server Certificate in MikroTik RouterOS.

Enabling SSTP Server in MikroTik Router

SSTP Server is now running in MikroTik Router. As MikroTik SSTP VPN is limited to use username and password for successful VPN connection, we will now create PPP users who will be able to connect to MikroTik SSTP Server and get IP information.

Step 3: Creating SSTP Users

MikroTik SSTP uses username and password to validate legal connection. So, we have to create username and password to allow any user. The complete user configuration for SSTP Server can be divided into the following three parts.

IP Pool Configuration

Usually multiple users can connect to SSTP Server. So, it is always better to create an IP Pool from where connected user will get IP address. The following steps will show how to create IP Pool in MikroTik Router.

SSTP User IP Pool

User Profile Configuration

After creating IP Pool, we will now configure user profile so that all users can have similar characteristics. The following steps will show how to configure user profile for SSTP Users.

OpenVPN User Profile Configuration

SSTP User Configuration

After creating user profile, we will now create users who will be connected to SSTP Server. The following steps will show how to create SSTP users in MikroTik RouterOS.

SSTP User Configuration

We have created a user for SSTP Server. Similarly, we can create more users that we require.

SSTP Server configuration in MikroTik Router has been completed. In the next part we will configure SSTP Client in Windows 10 Operating System.

Part 2: SSTP Client Configuration in Windows 10

After configuring SSTP Server in MikroTik Router, we will now configure SSTP Client in Windows 10 Operating System. SSTP Client configuration in Windows 10 can be divided into the following two steps.

Installing CA Certificate in Windows 10

Exported CA Certificate must be installed in Windows Trusted Root Certification Authorities otherwise SSTP Client cannot verify SSTP Server Certificate. To install CA Certificate in Windows 10, do the following steps.


Click mouse right button on the Exported CA Certificate and choose Install Certificate option.
CA Certificate Installation in Windows 10

You will now find Certificate Import Wizard window and it will ask for choosing certificate Store Location. From Sore Location panel, choose Local Machine radio button and then click Next button.

Certificate Import Wizard

The next window will ask for choosing a specific certificate store. Exported CA must be placed in Trusted Root Certification Authorities store. So, click on Place all certificate in the following store radio button and then click on Browse button and choose Trusted Root Certificate Authorities and then click Next button.

Placing CA Certificate to Trusted Root Certification Authorities

The next Certificate Import Wizard will show a summery and ask to click Finish button. So, click Finish button and you will find a certificate importation successful message.

SSTP Client Configuration in Windows 10

After importing CA certificate in Trusted Root Certification Authorities, we will now configure SSTP Client in Windows 10 Operating System. The Following steps will show how to configure SSTP Client in Windows 10 OS.

How to Configure MikroTik SSTP VPN Server with Windows 10 Operating System has been discussed in this article. I hope you will now be able to configure SSTP Server and Client with MikroTik Router and Windows 10 Operating System. However, if you face any confusion to configure SSTP VPN Server and Client, feel free to discuss in comment or contact me from Contact page.  I will try my best to stay with you.

Exit mobile version