How to install VPN with SSTP for RRAS on Windows Server?
1. Install IIS and RRAS
In Server Manager:
- Go to Manage → Add Roles and Features.
- Check Remote Access and Web Server (IIS).
- In the Features pane, select Remote Server Administration Tools and all submodules.
- In Remote Access Role Services, select DirectAccess and VPN (RAS) and Routing.
2. Install WACS for LetsEncrypt
Download WACS (win-acme) to generate your SSL certificate:
- https://www.win-acme.com/
- https://github.com/PKISharp/win-acme
3. Configure RRAS
- Run rrasmgmt.msc.
- Right click server → Configure and Enable Routing and Remote Access.
- Select Custom Configuration → VPN Access & Demand-dial connections.
- Start the service.
Properties Configuration
Right click the server → Properties:
- IPv4 Tab:
  - Select Static address pool.
  - Choose an appropriate IP range for VPN clients (e.g. 192.168.25.40-192.168.25.80).
4. SSTP & SNI Configuration
The Default Web Site host in IIS has an HTTPS binding. Important: The Require Server Name Indication (SNI) box on that binding must be UNTICKED! The host used for an SSTP VPN must NOT require SNI.
Remove Conflicting Certificates
To get rid of any existing certificates that might conflict with the VPN host (vpn.company.com), run this in an Administrator PowerShell:
# Delete every certificate in the machine store whose subject contains the VPN host name
$hostname = "vpn.company.com"
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -match [regex]::Escape($hostname) } | Remove-Item
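A read-only pre-flight check for the SNI and certificate removal steps above, added here as an example (not part of the original post): it reports whether any HTTPS binding on the site requires SNI and lists the certificates the removal command would delete. It assumes the WebAdministration module is available and reuses the page's site name and host name; the function name is hypothetical.

```powershell
# Added example: read-only checks, nothing is changed or deleted.
# Assumptions: site "Default Web Site" and host "vpn.company.com" as used on this page.
Import-Module WebAdministration

$siteName = "Default Web Site"
$hostname = "vpn.company.com"

# 1. Report each HTTPS binding and whether "Require Server Name Indication" is set.
#    In IIS, bit 1 of sslFlags means the binding requires SNI.
function Get-HttpsBindingSniState {
    param([string]$Site)
    Get-WebBinding -Name $Site -Protocol "https" | ForEach-Object {
        [pscustomobject]@{
            Binding     = $_.bindingInformation
            SslFlags    = $_.sslFlags
            RequiresSni = [bool]($_.sslFlags -band 1)
        }
    }
}

$bindings = @(Get-HttpsBindingSniState -Site $siteName)
if ($bindings.Count -eq 0) {
    Write-Warning "No HTTPS binding found on '$siteName'."
}
$bindings | Format-Table -AutoSize
$bindings | Where-Object RequiresSni | ForEach-Object {
    Write-Warning "Binding $($_.Binding) requires SNI; untick it for SSTP."
}

# 2. List the certificates the removal step would delete.
#    The host name is escaped so the dots are matched literally.
$pattern = [regex]::Escape($hostname)
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern }

$certs | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
    Format-Table -AutoSize

# -WhatIf prints what Remove-Item would do and leaves the store untouched.
$certs | Remove-Item -WhatIf
```

Review the thumbprints in the output before running the real removal, since the subject match also catches any other certificate whose subject contains the host name.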
Original Post
VPN with SSTP and LETSENCRYPT for RRAS on Windows Server
How to install VPN with SSTP for RRAS on Windows Server?
Install IIS and RRAS
In Server Manager, Manage → Add Roles and Features, check Remote Access and Web Server (IIS).
In Features pane select Remote Server Administration Tools and all submodules and in Remote Access Role Services select DirectAccess, VPN and Routing.
Install WACS for LetsEncrypt
https://www.win-acme.com/ https://github.com/PKISharp/win-acme
Run rrasmgmt.msc
Right click server → Configure → Custom Configuration → VPN Access & Demand-dial connections
Start the service
Right click the server → Properties
IPv4 tab, select static address pool and choose an appropriate IP range for VPN clients (e.g. 192.168.25.40 , 192.168.25.80)
Default Web Site host in IIS has an HTTPS binding, and Server Name Identification box UNTICKED! The host used for an SSTP VPN must NOT require SNI!
To get rid of any certificates for the VPN host do this:
In admin terminal:
$hostname = "vpn.company.com"
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match $hostname} | Remove-Item