
SSTP VPN

SSTP (Secure Socket Tunneling Protocol) is a Microsoft VPN protocol that tunnels PPP traffic over TLS on TCP port 443. Because it uses the same port as HTTPS, SSTP passes through most firewalls and web proxies without special configuration, which makes it a good choice when the UDP ports used by L2TP/IPsec or WireGuard are blocked. The trade-off is that it carries TCP inside TCP, so throughput degrades on lossy links.

RouterOS supports SSTP as both a server and a client. The Windows built-in VPN client has supported SSTP natively since Windows Vista SP1 and Windows Server 2008.


How SSTP Works

SSTP wraps PPP frames inside a TLS session on TCP/443. The router presents a TLS server certificate during the handshake; the client validates it against its trusted CA store (chain, name and expiry). Once TLS is up, the client sends an HTTP request (SSTP_DUPLEX_POST) over the session and the server answers 200 OK; only then do PPP authentication (MSCHAPv2) and IP address assignment proceed as on any other PPP link.

Key characteristics:

Property            Value
Transport           TCP/443 (TLS)
Encryption          TLS session (typically AES-128/AES-256), plus MPPE inside PPP when the profile requires it
Authentication      MSCHAPv2 over PPP; the server is authenticated to the client by its TLS certificate
NAT traversal       Excellent; TCP/443 is rarely blocked
Client support      Native on Windows; available on Linux via sstp-client
RouterOS objects    /interface sstp-server, /ppp profile, /ppp secret

Prerequisites

  • RouterOS 7.x
  • A public IP address or hostname reachable on TCP/443
  • A server certificate trusted by connecting clients
  • TCP/443 open in the firewall input chain

Step 1 — Create or Import a Server Certificate


SSTP requires a TLS server certificate. You have two options:

Option A — Self-Signed Certificate (Testing / Internal Use)


Generate a CA and server certificate directly on the router:

# Create the Certificate Authority (sign generates the key pair on the router)
/certificate add \
name=sstp-ca \
common-name=sstp-ca \
key-usage=key-cert-sign,crl-sign \
days-valid=3650
/certificate sign sstp-ca
# Create the server certificate; list every name clients will connect to as a SAN
/certificate add \
name=sstp-server \
common-name=vpn.example.com \
subject-alt-name=DNS:vpn.example.com,IP:203.0.113.1 \
key-usage=tls-server \
days-valid=3650
/certificate sign sstp-server ca=sstp-ca

Replace vpn.example.com and 203.0.113.1 with your router's hostname and public IP. TLS clients check the subject-alt-name first and fall back to the common-name only when the certificate has no SAN at all, so put the hostname in a DNS: entry and the public IP in an IP: entry. Whatever address the Windows client is given must appear there exactly (a DNS entry does not cover the IP, and vice versa) or TLS validation will fail.

Export the CA certificate so you can install it on Windows clients:

/certificate export-certificate sstp-ca file-name=sstp-ca export-passphrase=""

With an empty export-passphrase only the public certificate is written; the CA's private key stays on the router, where it belongs, since anyone holding it can mint certificates that every client will trust. This creates sstp-ca.crt in the router's Files section. Download it via WebFig → Files or Winbox.

Option B — Publicly Trusted Certificate (Production)


If your router has a public hostname with a certificate from Let's Encrypt or a commercial CA, Windows clients trust it automatically and no certificate import is required. Recent RouterOS 7 releases can also request a Let's Encrypt certificate themselves (the enable-ssl-certificate action under /certificate), provided the hostname resolves to the router and TCP/80 is reachable from the Internet for the challenge.

Import the certificate and key files after uploading them to the router:

Import the certificate, its private key and the issuing chain after uploading them to the router. For Let's Encrypt upload the full chain (fullchain.pem) rather than the leaf alone; otherwise clients that do not already have the intermediate cached fail validation:

/certificate import file-name=server.crt passphrase=""
/certificate import file-name=server.key passphrase=""
/certificate import file-name=ca.crt passphrase=""

Imported entries are named after the file (for example server.crt_0), so match on a substring when checking the result:

/certificate print detail where name~"server"

The server entry must show the K flag (private key imported alongside it) and list tls-server under key-usage; without the key the SSTP server cannot use the certificate. If the key file is encrypted, pass its passphrase instead of "".

Step 2 — Create the IP Pool and PPP Profile

/ip pool add name=sstp-pool ranges=10.10.10.10-10.10.10.254

/ppp profile add \
name=sstp-profile \
local-address=10.10.10.1 \
remote-address=sstp-pool \
use-encryption=required \
dns-server=8.8.8.8,8.8.4.4

local-address is the router's tunnel-side IP and must lie outside the pool. use-encryption=required forces MPPE inside the PPP session; a client that will not negotiate it is refused. dns-server is handed to clients; point it at the router or an internal resolver if clients must resolve internal names. Note that the input rule added in Step 5 only admits the tunnel itself: traffic from 10.10.10.0/24 to your LAN or the Internet is evaluated in the forward chain and needs its own filter rules (and src-nat if clients should reach the Internet through the router).


Step 3 — Enable the SSTP Server

/interface sstp-server server set \
enabled=yes \
certificate=sstp-server \
authentication=mschap2 \
default-profile=sstp-profile \
verify-client-certificate=no

Parameter                  Description
certificate                Name of the server TLS certificate (must have a private key on the router)
authentication             PPP auth methods; mschap2 is what the Windows built-in client uses
default-profile            Profile applied to users whose /ppp secret does not name one
verify-client-certificate  yes requires mutual TLS (client certificates signed by a CA the router trusts); no means username/password only
port                       Defaults to 443; change only if 443 is taken by something else (see Step 5)
tls-version                Defaults to any; set only-1.2 so the server refuses TLS 1.0/1.1 handshakes

Step 4 — Add User Credentials

/ppp secret add \
name=vpnuser \
password=StrongUserPass \
service=sstp \
profile=sstp-profile

Add one entry per user with a long, unique password; MSCHAPv2 is only as strong as the password behind it. service=sstp prevents the credential from being used on other PPP services (L2TP, PPTP, PPPoE), and profile= overrides the server's default-profile for that user.


Step 5 — Allow TCP/443 in the Firewall

Add this rule above any drop rule in the input chain (RouterOS evaluates filter rules in order; check its position with /ip firewall filter print):

/ip firewall filter add \
chain=input \
action=accept \
protocol=tcp \
dst-port=443 \
in-interface-list=WAN \
comment="Allow SSTP"

in-interface-list=WAN refers to the interface list created by the default configuration; substitute your uplink interface or list if you do not have one.

Note: RouterOS's own www-ssl service (WebFig over HTTPS) defaults to port 443 and, if enabled, answers the port before the SSTP server ever sees a client. Either move SSTP to another port (/interface sstp-server server set port=8443) and open that port instead, or move www-ssl to another port, disable it, or restrict it to management addresses under /ip service. Do not leave WebFig reachable from the WAN just to share the port.


Windows Client Setup

Windows has native SSTP support. No additional software is needed.

Install the CA Certificate (Self-Signed Setup Only)


If you generated a self-signed CA on the router, install it on Windows before connecting. Skip this step if you used a publicly trusted certificate.

  1. Copy sstp-ca.crt to the Windows machine
  2. Double-click the file → Install Certificate
  3. Select Local Machine → Next
  4. Choose Place all certificates in the following store → Browse
  5. Select Trusted Root Certification Authorities → OK → Next → Finish

The certificate must be in the Local Machine store, not the Current User store, because the SSTP service validates the server certificate in the machine context.

Create the VPN Connection

  1. Open Settings → Network & Internet → VPN → Add a VPN connection
  2. Set VPN provider to Windows (built-in)
  3. Enter the router's public IP or hostname in Server name or address; it must match a SAN entry of the certificate (or its CN if it has no SAN) exactly
  4. Set VPN type to Secure Socket Tunneling Protocol (SSTP)
  5. Set Type of sign-in info to User name and password
  6. Enter the PPP username and password (from /ppp secret)
  7. Click Save, then Connect

The same profile can be created from PowerShell, as the user who will connect:

# Create the VPN profile non-interactively
Add-VpnConnection -Name "MikroTik SSTP" `
-ServerAddress "vpn.example.com" `
-TunnelType Sstp `
-AuthenticationMethod MSChapv2 `
-EncryptionLevel Required `
-RememberCredential

Verify the Connection

On the router, confirm the session is active:

# Check active PPP sessions
/ppp active print
# Check SSTP-specific interface
/interface sstp-server print
# View SSTP log entries
/log print where message~"sstp"

A successful connection creates an entry in /ppp active with the client’s assigned IP, username, and uptime.


Troubleshooting

TLS handshake fails / "Can't connect to server"

The server certificate is not trusted by the client, or does not cover the address the client used:

  • Confirm the CA certificate is installed in Local Machine → Trusted Root Certification Authorities (not Current User)
  • Verify the server address in the Windows VPN profile appears in the certificate's SAN (or its CN if it has no SAN) exactly; hostname versus IP matters, since a DNS entry does not cover the IP and vice versa
  • Check the certificate is not expired: /certificate print detail where name=sstp-server
  • If the certificate is CA-issued, check that the router also holds the intermediate certificate so it can send the full chain

Authentication fails after the TLS handshake

The PPP username or password is wrong, or the secret's service is not sstp. Check the entry:

/ppp secret print where name=vpnuser

A CHAP failure is also logged on the router under the ppp topic, which distinguishes a bad password from a TLS problem that never reaches PPP.

Connection times out

TCP/443 is not reaching the router, or something other than SSTP is answering it:

  • Verify the firewall input rule exists and is above any drop rules
  • If the router is behind NAT, ensure TCP/443 is forwarded to the router
  • Check whether WebFig (www-ssl) is also using port 443 (/ip service print); if it is, the web server answers the port instead of SSTP
  • Test from outside your own network; a LAN client connecting to the public IP depends on hairpin NAT
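A probe for the two failure modes above (a certificate that is not trusted or does not cover the address the client typed, and something other than SSTP answering on TCP/443), added here as an example; it is not part of the original page or of RouterOS. It assumes the hostname vpn.example.com and the sstp-ca.crt exported in Step 1, and the certificate used for its offline checks is constructed. The SSTP_DUPLEX_POST request, the fixed /sra_{...}/ path and the 200 OK reply come from Microsoft's MS-SSTP specification, so the live probe also shows the exchange described at the top of the page; the name matching mirrors what a TLS client does (SAN first, CN only when no SAN is present).

```python
"""Pre-flight checks for an SSTP endpoint, Python standard library only.

Offline helpers reproduce the client-side decisions behind most SSTP failures
(does the certificate cover the address in the VPN profile, is it still valid);
probe_sstp() applies them to a live server, then performs the SSTP_DUPLEX_POST
exchange from MS-SSTP to tell an SSTP server apart from www-ssl on port 443.
"""
from __future__ import annotations

import ipaddress
import socket
import ssl
import time
import uuid

# Resource path and body length are fixed by MS-SSTP; the "infinite"
# Content-Length (2**64 - 1) exists because the body is the PPP stream itself.
SSTP_URI = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"
SSTP_CONTENT_LENGTH = 18446744073709551615


def build_sstp_request(host: str, correlation_id: str | None = None) -> bytes:
    """Client -> server: the HTTP request that opens an SSTP session inside TLS."""
    cid = correlation_id or str(uuid.uuid4())
    return (
        f"SSTP_DUPLEX_POST {SSTP_URI} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {SSTP_CONTENT_LENGTH}\r\n"
        f"SSTPCORRELATIONID: {{{cid}}}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_http_status(response: bytes) -> int | None:
    """Server -> client: status code of the reply, or None if it is not HTTP at all."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def _dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive match; a leading wildcard covers exactly one label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return pattern == name


def name_matches(cert: dict, server_address: str) -> bool:
    """Does a certificate (SSLSocket.getpeercert() form) cover server_address?

    SAN entries are authoritative; the CN is consulted only when no SAN exists,
    so a certificate carrying only DNS:vpn.example.com does not match a client
    that connects to the bare IP address.
    """
    try:
        ip = ipaddress.ip_address(server_address)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
            elif ip is None and kind == "DNS" and _dns_match(value, server_address):
                return True
        return False
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, server_address) for cn in cns)


def days_until_expiry(cert: dict, now: str | None = None) -> float:
    """Days left on the certificate (negative once expired). `now` uses the same
    'Jan  1 00:00:00 2034 GMT' format as the certificate so it can be pinned."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_s = ssl.cert_time_to_seconds(now) if now else time.time()
    return (not_after - now_s) / 86400


def probe_sstp(host: str, port: int = 443, cafile: str | None = None,
               timeout: float = 5.0) -> dict:
    """Connect like a Windows SSTP client and report each check separately.

    cafile is the exported sstp-ca.crt for a self-signed setup (then only that CA
    is trusted); None uses the system roots. Chain validation stays on; only the
    name check is done by hand so a mismatch is reported instead of raised.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode remains CERT_REQUIRED
    report = {"connected": False, "tls": False, "error": None,
              "name_ok": None, "days_left": None, "http_status": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            report["connected"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report["tls"] = True
                cert = tls.getpeercert()
                report["name_ok"] = name_matches(cert, host)
                report["days_left"] = round(days_until_expiry(cert), 1)
                tls.sendall(build_sstp_request(host))
                report["http_status"] = parse_http_status(tls.recv(4096))
    except OSError as exc:  # refused/timeout, and ssl.SSLError for chain failures
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


if __name__ == "__main__":
    import json
    import sys
    # Hostname and CA file are assumptions; pass your own on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"
    print(json.dumps(probe_sstp(target, cafile=sys.argv[2] if len(sys.argv) > 2 else None), indent=2))
```

Run it as `python3 sstp_probe.py vpn.example.com sstp-ca.crt`. `connected: false` means the port never reached the router (firewall, NAT, or hairpin); an `error` with `CERTIFICATE_VERIFY_FAILED` means the chain is not trusted by the CA file you supplied; `name_ok: false` means the address you connect to is not in the SAN (or CN); and an `http_status` other than 200 means the TLS listener on that port is not the SSTP server, typically www-ssl.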

Certificate revocation check fails

Windows refuses the connection when it cannot determine the server certificate's revocation status. This happens when the certificate carries a CRL distribution point the client cannot reach; RouterOS adds one to certificates it signs only if a CRL host was given at signing time (the ca-crl-host option of /certificate sign). Fix it at the source by regenerating the server certificate without the CDP, or by publishing the CRL at the advertised URL. As a last resort, a DWORD value NoCertRevocationCheck=1 under HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters turns revocation checking off; that applies to every SSTP connection on the machine and means a revoked server certificate would still be accepted, so treat it as a workaround rather than a fix.

Enable SSTP Debug Logging

For full detail on the TLS and PPP negotiation, log the sstp topic at debug level to memory (add a matching rule for the ppp topic if the failure is at authentication), then follow the log while reconnecting:

/system logging add topics=sstp,debug action=memory
/log print follow where topics~"sstp"

Debug logging is verbose and the memory log is small, so remove the rule after debugging:

/system logging remove [find topics~"sstp"]

RouterOS as SSTP Client

RouterOS can also act as an SSTP client, connecting to an upstream SSTP server (another MikroTik, Windows Server RRAS, or any compatible SSTP endpoint). This is commonly used for site-to-site tunnels.

/interface sstp-client add \
name=sstp-out1 \
connect-to=vpn.example.com \
port=443 \
user=vpnuser \
password=StrongPass123 \
verify-server-certificate=yes \
authentication=mschap2 \
profile=default-encryption \
disabled=no
Parameter                  Description
connect-to                 FQDN or IP of the SSTP server; must match the server certificate's SAN (or CN)
port                       Server port (default 443)
user / password            PPP credentials matching a /ppp secret entry on the server
verify-server-certificate  yes (recommended) validates the server TLS certificate; requires the server's CA to be imported and trusted on this router
certificate                Only needed for mutual TLS: the client certificate to present to the server
authentication             Must include mschap2 to match the server's accepted methods
profile                    PPP profile controlling IP assignment and encryption settings

Import the Server CA (Required when verify-server-certificate=yes)


Upload the server’s CA certificate to the router’s Files, then import it:

/certificate import file-name=sstp-ca.crt passphrase=""

Verify it appears with the T (trusted) flag; if it does not, mark the entry trusted with /certificate set:

/certificate print where name~"sstp-ca"

If the server uses a publicly trusted CA (Let's Encrypt, DigiCert, etc.), the router still needs that CA's root in its own store: RouterOS has historically shipped without a CA bundle, so import the issuing root (ISRG Root X1 for Let's Encrypt) the same way, or, on recent RouterOS 7 releases, enable the built-in trust anchors under /certificate settings. Without a trusted root, verify-server-certificate=yes fails the connection; setting it to no instead silently accepts any certificate, including an attacker's.

Routing Through the Tunnel

Full tunnel — all traffic via SSTP:

/ip route add dst-address=0.0.0.0/0 gateway=sstp-out1 distance=2

A route with distance=2 sits behind the existing default route (normally distance 1) and is used only when that route disappears, so as written this is a failover path rather than a full tunnel. To actually send everything through SSTP, give this route a lower distance than the current default (or set add-default-route=yes with default-route-distance on the sstp-client interface) and first add a host route for the SSTP server's public address via the physical gateway; otherwise the tunnel's own TCP/443 session is routed into the tunnel and the link collapses.

Split tunnel — only the remote LAN via SSTP:

/ip route add dst-address=192.168.50.0/24 gateway=sstp-out1

Verify the Client Tunnel

# Check interface status (look for the "R" running flag)
/interface sstp-client print
# Check the active PPP session
/ppp active print
# Ping the remote LAN through the tunnel
/ping 192.168.50.1 interface=sstp-out1

Comparison: SSTP vs L2TP/IPsec vs WireGuard

Transport
  • SSTP: TCP/443
  • L2TP/IPsec: UDP 500/4500 + ESP
  • WireGuard: UDP (configurable port)

Encryption
  • SSTP: TLS (AES)
  • L2TP/IPsec: IPsec (AES)
  • WireGuard: ChaCha20-Poly1305

Authentication
  • SSTP: server certificate + MSCHAPv2
  • L2TP/IPsec: PSK or certificate + MSCHAPv2
  • WireGuard: public key pairs

NAT traversal
  • SSTP: excellent (TCP/443 is rarely blocked)
  • L2TP/IPsec: moderate (requires UDP 500/4500 + ESP)
  • WireGuard: good (single UDP port; keepalives maintain NAT bindings)

Performance
  • SSTP: lower under packet loss (TCP-over-TCP penalty)
  • L2TP/IPsec: moderate (double encapsulation overhead)
  • WireGuard: highest (lean protocol, hardware-friendly crypto)

Windows client
  • SSTP: built-in since Vista SP1
  • L2TP/IPsec: built-in
  • WireGuard: third-party app required

Linux/macOS client
  • SSTP: sstp-client on Linux (not built-in; no native macOS client)
  • L2TP/IPsec: built-in (macOS removing in recent versions)
  • WireGuard: built-in or app

Mobile (iOS/Android)
  • SSTP: no native client
  • L2TP/IPsec: built-in (Android 12+ removing L2TP)
  • WireGuard: app required

Best use case
  • SSTP: restrictive networks blocking non-HTTPS traffic
  • L2TP/IPsec: legacy client compatibility
  • WireGuard: best throughput; modern deployments

Choose SSTP when clients are behind strict firewalls or proxies that block UDP and non-standard TCP ports.

Choose L2TP/IPsec when you need to support many different OS/device types with zero client software installation, and firewall restrictions are not a concern.

Choose WireGuard when throughput and simplicity matter most, clients can install an app, and the VPN port is not restricted.