Debian – Configuring SSTP client on Debian

Tags: debian, vpn

I need to connect my Debian (stable) server to a Windows Server 2008 R2 server, which is acting as an SSTP VPN server. I have managed to install sstp-client on my Debian server, but I do not know how to configure the connection so that I can run it in the background. Furthermore, there are quite a few things that I do not understand about the whole configuration process.

Following some advice I found on the Internet, I disabled authentication of the remote server by adding noauth to /etc/ppp/options. Furthermore, I added the options refuse-pap, refuse-eap, refuse-chap, refuse-mschap and require-mppe there to force MS-CHAPv2 authentication (the Windows server is configured to accept that and not the others).

If I run from terminal

sstpc --log-level 4 --log-stderr --user USERNAME --password PASSWORD SERVER_IP

the connection works, and, opening another terminal, I can access a web page that can only be reached over the VPN.

I have tried to create the file /etc/ppp/peers/sstp-1 with the contents

remotename sstp-1
linkname sstp-1
ipparam sstp-1
pty "sstpc --ipparam sstp-1 --log-level 4 --save-server-route --nolaunchpppd --user USERNAME --password PASSWORD SERVER_IP"
name USERNAME
plugin sstp-pppd-plugin.so
sstp-sock /var/run/sstpc/sstpc-sstp-1
usepeerdns
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mppe
noauth

and then running from the command line sudo pon sstp-1. The connection fails, and sudo plog shows

pppd[4813]: Plugin sstp-pppd-plugin.so loaded.
pppd[4814]: pppd 2.4.5 started by root, uid 0
pppd[4814]: Using interface ppp0
pppd[4814]: Connect: ppp0 <--> /dev/pts/1
pppd[4814]: Could not connect to sstp-client (/var/run/sstpc/sstpc-sstp-1), Connection refused (111)
pppd[4814]: Exit.

I have a couple of questions regarding all this:

  1. How do I set up /etc/ppp/peers/sstp-1 so that I can connect to and disconnect from the VPN in the background (to be used in a script)?
  2. The Windows server encrypts the VPN traffic using a self-signed certificate. Why, using the above connection configuration, do I not need to install the certificate on the client machine? Is the traffic encrypted at all?

Thank you already in advance,
Joel Lehikoinen

Best Answer

  1. What broke the config was providing --user and --password as command line options on the line beginning with pty. The username is already given on the next line and password should be provided in /etc/ppp/chap-secrets. The problem was fixed by changing that line to

    pty "sstpc --ipparam sstp-1 --nolaunchpppd SERVER_IP"
    

    In addition, there is no need to edit /etc/ppp/options, since the configuration parameters are already given in the SSTP config file /etc/ppp/peers/sstp-1.

  2. It would seem that, at least with the noauth option, which I thought would only disable the server authentication in PPP, sstp-client also accepts a self-signed SSL server certificate without any complaints.

    As a work-around, one possibility seems to be creating a self-signed CA certificate, signing the server certificate with that, and providing --ca-cert /path/to/snakeoil-ca.pem as a command-line option to sstp-client (i.e., on the "pty" line of the file), which constrains the server SSL certificate to a known value.
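The following script ties both parts of the answer together: it writes the corrected peer file (credentials off the pty line, password in chap-secrets, optional --ca-cert pinning) and then wraps pon/poff so a script can bring the link up, wait for it, and tear it down. It is an added example, not code from the original question or answer. The peer name sstp-1, the variables SERVER, USERNAME, PASSWORD and CA_CERT, the helper names, and the location of the pppd pid file are assumptions made for the example; PPP_DIR is overridable only so the file-writing functions can be exercised outside /etc/ppp.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Builds the
# corrected peer file and the chap-secrets entry, then brings the link up
# or down so another script can use it. Assumed names: the peer "sstp-1",
# the variables SERVER, USERNAME, PASSWORD and CA_CERT, and the helpers below.

PPP_DIR="${PPP_DIR:-/etc/ppp}"   # overridable so the writers can be tried in a scratch directory
PEER="${PEER:-sstp-1}"

# Write $PPP_DIR/peers/<peer>. Credentials are deliberately NOT on the pty
# line: pppd takes the username from "name" and looks the password up in
# chap-secrets. If a CA file is given, sstpc is told to verify the server
# certificate against it (--ca-cert), so an unknown certificate is rejected.
write_peer_config() {
    peer=$1; user=$2; server=$3; ca=${4:-}
    ca_opt=""
    if [ -n "$ca" ]; then
        ca_opt=" --ca-cert $ca"
    fi
    mkdir -p "$PPP_DIR/peers"
    cat > "$PPP_DIR/peers/$peer" <<EOF
remotename $peer
linkname $peer
ipparam $peer
pty "sstpc --ipparam $peer --nolaunchpppd$ca_opt $server"
name $user
plugin sstp-pppd-plugin.so
sstp-sock /var/run/sstpc/sstpc-$peer
usepeerdns
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mppe
noauth
EOF
    chmod 600 "$PPP_DIR/peers/$peer"
}

# Add (or replace) the chap-secrets line for this user/peer pair. The second
# column must match "remotename" in the peer file. Line format:
#   "client"  server  "secret"  IP
write_chap_secret() {
    user=$1; pass=$2; peer=$3
    secrets="$PPP_DIR/chap-secrets"
    if [ -f "$secrets" ]; then
        # keep every line except an older entry for the same client/server
        awk -v u="\"$user\"" -v p="$peer" '!($1 == u && $2 == p)' "$secrets" > "$secrets.tmp"
    else
        : > "$secrets.tmp"
    fi
    printf '"%s"\t%s\t"%s"\t*\n' "$user" "$peer" "$pass" >> "$secrets.tmp"
    mv "$secrets.tmp" "$secrets"
    chmod 600 "$secrets"   # the file holds a cleartext password
}

# Bring the link up in the background and wait until the ppp interface has an
# IPv4 address. Assumption: pppd writes its pid and then the interface name
# to /var/run/ppp-<linkname>.pid (linkname is set in the peer file).
vpn_up() {
    pon "$PEER"
    pidfile="/var/run/ppp-$PEER.pid"
    i=0
    while [ "$i" -lt 30 ]; do
        ifname=$(sed -n 2p "$pidfile" 2>/dev/null)
        if [ -n "$ifname" ] && ip -4 -o addr show dev "$ifname" 2>/dev/null | grep -q inet; then
            echo "$PEER is up on $ifname"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "timed out waiting for $PEER" >&2
    return 1
}

vpn_down() {
    poff "$PEER"
}

case "${1:-}" in
    install) write_peer_config "$PEER" "$USERNAME" "$SERVER" "${CA_CERT:-}"
             write_chap_secret "$USERNAME" "$PASSWORD" "$PEER" ;;
    up)      vpn_up ;;
    down)    vpn_down ;;
esac
```

Usage: `sudo env SERVER=203.0.113.10 USERNAME=alice PASSWORD='...' CA_CERT=/etc/ppp/snakeoil-ca.pem ./sstp-vpn.sh install` once, then `sudo ./sstp-vpn.sh up` and `sudo ./sstp-vpn.sh down` from the calling script; `vpn_up` returns non-zero on timeout so the caller can bail out. The pppd manual notes that the linkname pid file lives in /etc/ppp instead of /var/run on some systems, so adjust `pidfile` if `up` never sees the interface. Both generated files are made mode 600 because chap-secrets stores the password in the clear.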
