VPN verbinding over SSTP in Debian Ubuntu

Guide on how to connect to a Windows Server VPN using the Secure Socket Tunneling Protocol (SSTP) from a Linux client.

What is SSTP?

SSTP (Secure Socket Tunneling Protocol) is a Microsoft VPN protocol that uses SSL/TLS (TCP port 443). This makes it very firewall-friendly, as it looks like regular HTTPS traffic.

Installation

You need a third-party client because Linux does not support SSTP natively out of the box.

Step 1: Install sstp-client

sudo apt update
sudo apt install sstp-client network-manager-sstp network-manager-sstp-gnome

Connection Method 1: Network Manager (GUI)

The easiest way for desktop users.

1. Open Settings > Network.
2. Click the + (Plus) icon next to VPN.
3. Select Secure Socket Tunneling Protocol (SSTP).
4. Enter your connection details:
   • Gateway: vpn.yourcompany.com (Hostname is mandatory for SSL validation)
   • Username: Your domain username
   • Password: Your password
5. Click Identity settings if you need to verify the CA certificate (Recommended).
   • If using a self-signed certificate, check "Ignore certificate warnings" (Not secure).
6. Click Add.
7. Toggle the switch to connect.

Connection Method 2: Command Line (CLI)

Useful for servers or headless setups.

1. Connect command:

   sudo sstpc --log-stderr --cert-warn --save-server-route --user "USERNAME" --password "PASSWORD" vpn.example.com

2. Explanation of flags:

   • --log-stderr: Output logs to screen (useful for debugging).
   • --cert-warn: Allow connection even if certificate verification fails slightly (use --cert-unknown for self-signed).
   • --save-server-route: Automatically add routes pushed by server.

Troubleshooting

"Connection Refused"

• Check if Port 443 is open on the server.
• Ensure the server actually keeps the SSTP service running (RRAS).

"Certificate Verify Failed"

SSTP requires a valid SSL certificate matched to the hostname.

• Fix: Connect using the DNS name (e.g., vpn.example.com), NOT the IP address.
• Fix: Ensure the Root CA certificate is installed in /etc/ssl/certs on the client.

MPPE/MPPC errors

• Detailed encryption settings might mismatch.
• Add require-mppe within ppp options if needed.