I would need to connect my Debian (stable) server to a Windows Server 2008R2 server, which is acting as an SSTP VPN server. I have managed to install sstp-client on my Debian server, but I do not know how to configure the connection so that I can run it in the background. Furthermore, there are quite a few things that I do not understand about the whole configuration process.
Following some advice I found on the Internet, I disabled authentication of the remote server by adding `noauth` to `/etc/ppp/options`. Furthermore, I added there the options `refuse-pap`, `refuse-eap`, `refuse-chap`, `refuse-mschap` and `require-mppe` to force MS-CHAP-v2 authentication (the Windows server is configured to accept that and not the others).
If I run from a terminal

```
sstpc --log-level 4 --log-stderr --user USERNAME --password PASSWORD SERVER_IP
```

the connection works, and, opening another terminal, I can access a web page that can only be accessed over the VPN.
I have tried to create the file `/etc/ppp/peers/sstp-1` with the contents

```
remotename sstp-1
linkname sstp-1
ipparam sstp-1
pty "sstpc --ipparam sstp-1 --log-level 4 --save-server-route --nolaunchpppd --user USERNAME --password PASSWORD SERVER_IP"
name USERNAME
plugin sstp-pppd-plugin.so
sstp-sock /var/run/sstpc/sstpc-sstp-1
usepeerdns
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mppe
noauth
```
and then running from the command line `sudo pon sstp-1`. The connection fails, and `sudo plog` shows

```
pppd[4813]: Plugin sstp-pppd-plugin.so loaded.
pppd[4814]: pppd 2.4.5 started by root, uid 0
pppd[4814]: Using interface ppp0
pppd[4814]: Connect: ppp0 <--> /dev/pts/1
pppd[4814]: Could not connect to sstp-client (/var/run/sstpc/sstpc-sstp-1), Connection refused (111)
pppd[4814]: Exit.
```
I have a couple of questions regarding all this:

- How to set up `/etc/ppp/peers/sstp-1` so that I can connect to/disconnect from the VPN in the background (to be used in a script)?
- The Windows server encrypts the VPN traffic using a self-signed certificate. Why, using the above connection configuration, do I not need to install the certificate on the client machine? Is the traffic encrypted at all?
Thank you already in advance,
Joel Lehikoinen
Best Answer
What broke the config was providing `--user` and `--password` as command line options on the line beginning with `pty`. The username is already given on the next line and the password should be provided in `/etc/ppp/chap-secrets`. The problem was fixed by changing that line to

In addition, there is no need to edit `/etc/ppp/options`, since the configuration parameters are already given in the SSTP config file `/etc/ppp/peers/sstp-1`.
It would seem that, at least with the `noauth` option, which I thought would only disable the server authentication in PPP, sstp-client also accepts a self-signed SSL server certificate without any complaints. As a work-around, one possibility seems to be creating a self-signed CA certificate, signing the server certificate with that, and providing `--ca-cert /path/to/snakeoil-ca.pem` as a command-line option to sstp-client (i.e., on the "pty" line of the file), which constrains the server SSL certificate to a known value.