Setting up an SSTP VPN, using Ubuntu as an example
maxqfz/SSTP
Installing an SSTP VPN on Ubuntu 16.04
- Install python3 version 3.4.4 or newer: `sudo apt-get install python3`
- Install pip3: `sudo apt-get install -y python3-pip`
- Install pppd: `sudo apt-get install ppp`
- Install openssl: `sudo apt-get install openssl`
Generating the SSL certificate and key
At this stage you can either obtain a certificate that is trusted from the start, by pointing a domain at the server's IP address, or generate your own certificate for the server's IP address and add it to the trusted store on your own system.
Obtaining a trusted certificate for a domain
First, point your server's IP address at a domain by adding an A record to the domain's DNS.
Next, install certbot:
```
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
```
Now all that remains is to issue a certificate for our domain with `sudo certbot certonly --standalone -d example.com`.
Generating your own certificate
To generate an SSL certificate and key, run the following command: `openssl req -newkey rsa:2048 -nodes -keyout privkey.pem -x509 -days 365 -out cert.pem`
All fields can be left empty except Common Name; enter the external IP address of your VPN server there.
After that, copy the certificate to the client computers that will connect to the VPN server and install it under "Trusted Root Certification Authorities".
Installing and configuring sstp-server
Install sstp-server with pip3: `pip3 install sstp-server`
It can also be installed directly from the author's GitHub: `pip3 install git+https://github.com/sorz/sstp-server.git`
Create the configuration file /etc/ppp/options.sstpd with `nano /etc/ppp/options.sstpd` and put the following in it:
```
name sstpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
nologfd
nodefaultroute
ms-dns 8.8.8.8
ms-dns 8.8.4.4
```
Now create the file with login credentials. Run `nano /etc/ppp/chap-secrets` and enter the credentials in the format `login server password IP-addresses`, for example:
```
user sstpd strongpassword *
max sstpd "" 55.66.77.88
```
Create the sstp-server configuration file with `nano /etc/sstpd.ini` and add the following:
```ini
[DEFAULT]
# 1 to 50. Default 20, debug 10, verbose 5
;log_level = 20
# OpenSSL cipher suite. See ciphers(1).
;cipher = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Path to pppd
;pppd = /usr/bin/pppd
# pppd config file path
;pppd_config = /etc/ppp/options.sstpd
# SSTP port
listen = 0.0.0.0
listen_port = 443
# PEM-format certificate with key.
pem_cert = /path/to/cert.pem
pem_key = /path/to/privkey.pem
# Address of server side on ppp.
local = 192.168.10.1
# If RADIUS is used to mangle IP pool, comment it out.
remote = 192.168.10.0/24
```
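A pre-flight check of the three files configured above (options.sstpd, chap-secrets and sstpd.ini), added here as an illustration and not part of the maxqfz/SSTP repository: it flags missing MS-CHAPv2 enforcement, empty or short secrets such as the `max` entry in the example, the `/path/to/` placeholder certificate paths, and a `local` address outside the `remote` pool. The sample file contents are constructed inline and the `min_len` threshold is an assumption.

```python
import configparser
import ipaddress
import shlex

# Constructed samples mirroring the README's three files (not read from disk).
PPP_OPTIONS = "name sstpd\nrefuse-pap\nrefuse-chap\nrefuse-mschap\nrequire-mschap-v2\n"
CHAP_SECRETS = 'user sstpd strongpassword *\nmax sstpd "" 55.66.77.88\n'
SSTPD_INI = """[DEFAULT]
listen_port = 443
pem_cert = /path/to/cert.pem
pem_key = /path/to/privkey.pem
local = 192.168.10.1
remote = 192.168.10.0/24
"""

# Options that force MS-CHAPv2 and reject the weaker PPP authentication methods.
REQUIRED_PPP = {"refuse-pap", "refuse-chap", "refuse-mschap", "require-mschap-v2"}

def check_ppp_options(text):
    """Return the authentication options missing from options.sstpd, sorted."""
    present = {line.split()[0] for line in text.splitlines() if line.strip()}
    return sorted(REQUIRED_PPP - present)

def check_chap_secrets(text, min_len=12):
    """Return usernames whose secret is empty or shorter than min_len characters."""
    weak = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # handles "" and # comments
        if len(fields) >= 3 and len(fields[2]) < min_len:
            weak.append(fields[0])
    return weak

def check_sstpd_ini(text):
    """Return problems found in sstpd.ini: placeholder cert paths, local outside pool."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    d = cfg["DEFAULT"]
    problems = []
    for key in ("pem_cert", "pem_key"):
        if d.get(key, "").startswith("/path/to/"):
            problems.append(f"{key} still points at the placeholder path")
    pool = ipaddress.ip_network(d["remote"], strict=False)
    if ipaddress.ip_address(d["local"]) not in pool:
        problems.append("local address is not inside the remote pool")
    return problems

if __name__ == "__main__":
    print(check_ppp_options(PPP_OPTIONS), check_chap_secrets(CHAP_SECRETS), check_sstpd_ini(SSTPD_INI))
```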
All that remains is to start our server: `sudo nohup sstpd -f /etc/sstpd.ini > sstpd.log 2>&1 &`
The VPN server is running! Now internet access needs to be configured for the clients.
Configuring internet access through the VPN
For clients to get internet access, several steps are required:
- First, enable traffic forwarding by editing the file /etc/sysctl.conf: `nano /etc/sysctl.conf`
- Add or uncomment the line `net.ipv4.ip_forward=1`
- After that, run `sysctl -p` to apply the changes.
Also add the following iptables rules (replace `<ethernet>` with the server's external interface):
```
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -t nat -I POSTROUTING -o <ethernet> -j MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 192.168.10.0/24 -j TCPMSS --clamp-mss-to-pmtu
```
You now have your own SSTP VPN server with internet access!
To have the VPN server start every time the machine boots, create a service file. Do this by creating a file in the systemd directory with `nano /etc/systemd/system/sstpd.service` with the following content (again, replace `<ethernet>` with the external interface):
```ini
[Unit]
Description=SSTP VPN server
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/sstpd -f /etc/sstpd.ini
ExecStartPost=/sbin/iptables -I INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
ExecStartPost=/sbin/iptables -I INPUT -p gre -j ACCEPT
ExecStartPost=/sbin/iptables -I POSTROUTING -t nat -o <ethernet> -j MASQUERADE
ExecStartPost=/sbin/iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 192.168.10.0/24 -j TCPMSS --clamp-mss-to-pmtu
ExecStopPost=/sbin/iptables -D INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
ExecStopPost=/sbin/iptables -D INPUT -p gre -j ACCEPT
ExecStopPost=/sbin/iptables -D POSTROUTING -t nat -o <ethernet> -j MASQUERADE
ExecStopPost=/sbin/iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -s 192.168.10.0/24 -j TCPMSS --clamp-mss-to-pmtu
Restart=on-failure
RestartSec=30

[Install]
WantedBy=multi-user.target
```
After that, enable the service at boot with `systemctl enable sstpd.service` and start the VPN server with `systemctl start sstpd.service`.
It is recommended to block ping to the server. As a one-off this can be done with `echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all`. To disable it permanently:
- Edit the file /etc/sysctl.conf: `nano /etc/sysctl.conf`
- Add or uncomment the line `net.ipv4.icmp_echo_ignore_all=1`
- After that, run `sysctl -p` to apply the changes.
To renew the certificate automatically (if certbot is used), add the following line to the scheduler via `crontab -e`: `0 4 * * 1 certbot renew && systemctl restart sstpd`.
It is also recommended to change the MTU by adding the line `mru 1396` to the configuration file /etc/ppp/options.sstpd.
How to set up an SSTP Server
Is there a way to set up a Linux-based, preferably Ubuntu, SSTP server? I know there is an SSTP client available on SourceForge, but I can't find a server. To be clear: I do NOT want OpenVPN, I want SSTP.
6 Answers
Yes, there is a Linux (and Windows/Mac) based SSTP (and a lot more) VPN server. It is called SoftEther VPN (http://www.softether.org). I used it on the Ubuntu 13.04 release. Best of all, it is free. Granted, there are a couple of limitations with the free version (for example, cannot use external authentication, client certificates etc.)
In general, it seems to work fine. It is quite easy to install, use and manage. Has decently good documentation. Has quite a few options. It does serve my SSTP server needs.
This SoftEther VPN seems to me a very interesting new project. It seems to do SSTP among other things. I read the site and they say it is freeware and is planned to be open-source software (GNU General Public License) in the middle of 2013. On paper there are many interesting features but I have not tried it, so perhaps other feedback is needed.
It’s open source since January 4, 2014. So most probably the restrictions don’t apply anymore (haven’t checked that).
UPDATE
Shortly after this answer was written, the University of Tsukuba released their first release of SoftEther, which runs on Linux and does provide a Microsoft-compatible SSTP server implementation.
ORIGINAL
There is no SSTP server software for Linux currently available. There is an SSTP client available for Linux and SSTP server implementations available for Windows (as Microsoft developed the protocol) and RouterOS. There is an open specification, so there isn’t a reason why someone couldn’t develop the server. It just hasn’t been done.
The reasons you probably haven’t seen much open-source development on this are:
- SSTP is a relatively new VPN protocol
- SSTP is a Microsoft-pushed technology
- OpenVPN already fulfills the particular needs for open-source solutions
If you want SSTP because firewalls already let through TCP port 443 traffic, OpenVPN already supports running a TCP-based server on any port, including 443. OpenVPN setups using TCP port 443 are quite common for this reason, although they’re rightly not the recommended setup because running IP over TCP (especially TCP over TCP) generally gives poor performance.
A VPN (Virtual Private Network) is currently used by a large number of employees working from home to connect securely to a remote corporate network. SSTP VPN, one of the many VPN types, is one we use and offer very often in our datacenter, and we will show you how to set it up on Windows and on the Linux distribution Ubuntu 20.04.
There are several types of security protocols used with VPNs, each with advantages and disadvantages. We can mention the protocols PPTP, L2TP and IKEv2; however, a very widespread protocol, which we also provide in our datacenter as a service, is SSTP VPN (Secure Socket Tunneling Protocol). Its great advantage is easy setup and the ability to pass through firewalls.
SSTP VPN was developed by Microsoft Corporation and designed primarily for secure connections from the Windows operating system. Nevertheless, nowadays it can also be used on open source distributions such as Ubuntu and Debian. How to install SSTP on Debian 20.04 is what we describe step by step below.
For a successful connection via SSTP VPN, you will need the following information and files, which should be provided to you by the VPN server administrator:
- VPN account (user name and password)
- VPN server certificate (file)
- VPN server name
1) Add the repository (package repository with the SSTP client)
Open the terminal and use the following command (you will be asked for your password if you are using the sudo command for the first time). This command adds a new repository containing the SSTP client to your current package repository list.
2) Update the package list and install the SSTP client
If the previous command ran smoothly without any problem, you can proceed to the next step, which is updating the list of all available packages, including the newly added ones:
The information about all packages in the system is now up to date. You can proceed with the installation of the SSTP client itself:
If checking or testing the VPN from the command line was your goal, you can now do it with the command:
3) Optional: installing the GNOME GUI plugin
If you want to add and configure the SSTP VPN connection conveniently, directly from the GNOME GUI (the default for Ubuntu 20.04), install the following package, which makes this option available to you in the GUI:
This package should be installed automatically with the previous package (if the system correctly detects GNOME), so this step should not be needed at all.
4) Create the VPN in the graphical interface
Click on the power icon in the upper right corner of your desktop (main system menu) and select Settings. In the window that opens, find and select the Network item and then click the + sign in the VPN section.
A new window with the settings for the SSTP VPN will open. This window has several tabs. Click on the Identity tab and fill in the following data:
- Name of the VPN connection (optional)
- VPN server name (provided to you by the VPN administrator)
- Path to the VPN server certificate (provided to you by the VPN administrator)
- User name and password (provided to you by the VPN administrator)
Save all settings; you can then test the connection using the on/off switch located next to your newly added VPN. If everything is alright, the VPN connection will be established within a few seconds. The system will inform you of the result with a new icon on the system panel and a message on the screen.
We hope you now have a secured connection and that our tutorial was helpful. In the next part, we will show you how to set up SSTP VPN on devices running Windows.
Have many secured connections with SSTP VPN, and if you are interested in using this type of VPN on your server in our datacenter, do not hesitate to contact us.