VPN Plus transforms your Synology Router into a powerful VPN server and promises easy setup, secure access, and smooth connection. For your company's remote workforce, you can effortlessly set up a virtual office that adapts to their flexible schedules and work styles.
Fast, Hassle-free Synology SSL VPN
On Linux with sstp-client, sudo pon sstp-test brings the tunnel up by invoking sstpc through pppd's call command: sstpc --ipparam sstp-test sstp-test.yourdomain.com call sstp-test-nopty. The sstp-test-nopty file is a pppd peers script you need to create in /etc/ppp/peers; you can clone the sstp-test example, but you must omit the pty statement in the peers configuration.

In Azure, SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later), and SSTP supports up to 128 concurrent connections regardless of the gateway SKU. IKEv2 VPN, a standards-based IPsec VPN solution, can be used to connect from Mac devices (OS X 10.11 and above).

Hide.me offers several VPN protocols (PPTP, SoftEther, SSTP, L2TP/IPsec, OpenVPN and IKEv2). It advertises AES 256-bit encryption with 8192-bit keys; AES keys are at most 256 bits, so the 8192-bit figure can only describe the asymmetric key exchange. Hide.me works on macOS, Windows, iOS, Android, routers, Linux, smart TVs and consoles.

There is also an SSTP GUI client for Mac that uses a modified sstp-client as its backend, with support for the TLS server-name (SNI) extension. Some servers (e.g. *.vpnazure.net) require a server name, otherwise the SSTP connection is rejected. The reason it is the best bet is that it is the only SSTP client for Mac (to my knowledge).
Synology SSL VPN allows you to access web-based and non-web-based services in your company's network — fast, secure, and simple.[1]
Easy setup
The lightweight client for Windows, Mac, Ubuntu, iOS, and Android requires only minimal setup to help you connect within a minute.
Security
SSL/TLS encryption offers security levels suitable for your company's network, keeping sensitive data safe at all times.
Performance

Synology SSL VPN establishes connections that are safer, faster, and more stable than many other VPN protocols.
Easy, Secure Remote Desktop
Remote Desktop enables employees to access software exclusively installed on their computer at work.[2]
Work anywhere, anytime
Remote Desktop allows employees to work remotely, at any hour and from anywhere.
Full control
Self-hosted Remote Desktop facilitates thorough administration of each connection.
Site-to-Site VPN
For companies with branch offices in multiple locations, Site-to-Site VPN allows them to share resources across different networks through secure IPsec tunnels over the Internet. This eliminates the need for employees to configure VPN settings on individual computers.[3]
High Speed
Delivering an outstanding throughput of up to 650Mbps, Site-to-Site VPN significantly increases business productivity by boosting cross-premises file transfer speeds.[4]
Validated by Microsoft® Azure™
Aside from other products supporting IPsec VPN, Synology Router can also work with Azure VPN gateways, allowing you to build a hybrid solution that combines on-premises networks with virtual networks in the cloud.
Monitor & Manage
VPN Plus comes with powerful tools to help you monitor and manage connections in real time.
Real-time monitoring
Identify network traffic anomalies and suspicious users
Bandwidth control & block list
Optimize network traffic and protect critical resources from unwanted access
Connection history
Inspect previous user connections and data usage
Configuration & connection logs
View and export logs for regular auditing
Active Directory and LDAP support
Support for authentication through AD and LDAP ensures seamless integration with a company's existing account system
Traffic Report
Traffic Report groups and visualizes statistics from all VPN services, offering administrators an insightful way to manage and monitor usage with ease.
IT administrators can easily identify abnormal employee usage by monitoring usage statistics of all active users.
IT administrators will be able to analyze visitor distributions with the top 10 visited domains through the WebVPN service.
See the bandwidth usage of each VPN service and individual Site-to-Site VPN tunnels to make tracking easier for IT administrators.
Comprehensive Protocol Support
In addition to Synology SSL VPN, WebVPN, and Remote Desktop, VPN Plus supports four commonly used VPN protocols to adapt to your network environment.
Note
- [1] Access for one concurrent account is available for free and shared by WebVPN, Synology SSL VPN, and SSTP. Client VPN Access License is available to add more concurrent accounts.
- [2] Remote Desktop supports Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) sessions.
- [3] Site-to-Site VPN License is required to activate this feature. A one-time 30-day trial is available to each VPN Plus supported Synology product. For the maximum number of Site-to-Site VPN tunnels, please refer to the product's specifications.
- [4] Tested in a Synology simulated environment with one site using Synology RT2600ac. Real performance may vary depending on factors including, but not limited to, your network conditions, equipment, etc.
Applies to RouterOS: v5, v6+
Summary
Standards: SSTP specification
Package: ppp
Secure Socket Tunneling Protocol (SSTP) transports a PPP tunnel over a TLS channel. The use of TLS over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.
SSTP connection mechanism
- A TCP connection is established from client to server (by default on port 443);
- The TLS handshake validates the server certificate. If the certificate is valid the connection proceeds, otherwise it is torn down (but see the note below);
- The client sends SSTP control packets within the HTTPS session, which establishes the SSTP state machine on both sides;
- PPP negotiation over SSTP: the client authenticates to the server and IP addresses are bound to the SSTP interface;
- The SSTP tunnel is now established and packet encapsulation can begin.
Note: Starting from v5.0beta2 SSTP does not require certificates to operate and can use any available authentication type. This works only between two MikroTik routers, as it is not in accordance with the Microsoft specification. Otherwise, to establish a secure tunnel, mschap authentication and client/server certificates from the same chain should be used.
Currently, SSTP clients exist in Windows Vista, Windows 7, Windows 8, Linux and RouterOS.
Note: While connecting to an SSTP server, Windows performs CRL (certificate revocation list) checking on the server certificate, which can introduce a significant delay in completing a connection, or even prevent the user from accessing the SSTP server at all if Windows is unable to reach the CRL distribution point. A custom generated CA whose certificates carry no CRL distribution point can be used to minimize connection delays and certificate costs (certificates signed by a well-known CA usually are not free), but this custom CA must be imported into each Windows client individually. It is possible to disable the CRL check in the Windows registry, but this is supported only by Windows Server 2008 and Windows 7 (http://support.microsoft.com/kb/947054); with the check disabled, a revoked server certificate will still be accepted.
Certificates
Note: Starting from RouterOS v6rc10 SSTP respects CRL
To set up a secure SSTP tunnel, certificates are required. The server authenticates the client only by username and password, while the client authenticates the server using the server certificate. The certificate is also used by the client to cryptographically bind the TLS and PPP authentication: the client sends a special value over the SSTP connection, derived from the key material generated during PPP authentication and from the server certificate, which lets the server check that both channels terminate at the same peers and that nobody is relaying the TLS session.
If the SSTP clients are Windows PCs, then the only way to set up a secure SSTP tunnel with a self-signed certificate is to import the 'server' certificate on the SSTP server and add the CA certificate to the trusted root store on the Windows PC.
Note: If your server certificate is issued by a CA which is already known by Windows, then the Windows client will work without any additional certificates.
Warning: RSA key length must be at least 472 bits if the certificate is used by SSTP; shorter keys are rejected as a security threat. In practice use 2048-bit or longer RSA keys; 472 bits is only the minimum the implementation accepts.
The equivalent configuration on a RouterOS client is to import the CA certificate and enable the verify-server-certificate option. Because the server certificate is then verified against a trusted CA, man-in-the-middle attacks are not possible.
Between two MikroTik routers it is also possible to set up an insecure tunnel by not using certificates at all. In that case the TLS session carrying the SSTP tunnel uses anonymous DH, and man-in-the-middle attacks are easily accomplished. This scenario is not compatible with Windows clients.
It is also possible to make a secure SSTP tunnel by adding additional authorization with a client certificate. Configuration requirements are:
- certificates on both server and client
- verification options enabled on server and client
This scenario is also not possible with Windows clients, because there is no way to set up client certificate on Windows.
Certificate error messages
When ssl handshake fails, you will see one of the following certificate errors:
- certificate is not yet valid - notBefore certificate date is after the current time.
- certificate has expired - notAfter certificate expiry date is before the current time.
- invalid certificate purpose - the supplied certificate cannot be used for the specified purpose.
- self signed certificate in chain - the certificate chain could be built up using the untrusted certificates but the root could not be found locally.
- unable to get issuer certificate locally - CA certificate is not imported locally.
- server's IP address does not match certificate - server address verification is enabled, but address provided in certificate does not match server's address.
Hostname verification
When server certificate verification is enabled on the SSTP client, the IP address or DNS name found in the certificate's subjectAltName or common-name is additionally compared with the real server address. v5.7 adds the parameter verify-server-address-from-certificate to enable or disable this hostname verification.
SSTP Client
Sub-menu:/interface sstp-client
Properties
Property | Description |
---|---|
add-default-route (yes | no; Default: no) | Whether to add SSTP remote address as a default route. |
authentication (mschap2 | mschap1 | chap | pap; Default: mschap2, mschap1, chap, pap) | Allowed authentication methods. |
certificate (string | none; Default: none) | Name of the client certificate presented to the server; needed when the server has verify-client-certificate enabled. |
comment (string; Default: ) | Descriptive name of an item |
connect-to (IP:Port; Default: 0.0.0.0:443) | Remote address and port of SSTP server. |
default-route-distance (byte [0..255]; Default: 1) | sets distance value applied to auto created default route, if add-default-route is also selected |
dial-on-demand (yes | no; Default: no) | Connects to the server only when outbound traffic is generated. If selected, then a route with a gateway address from the 10.112.112.0/24 network will be added while the connection is not established. |
disabled (yes | no; Default: yes) | Whether interface is disabled or not. By default it is disabled. |
http-proxy (IP:Port; Default: 0.0.0.0:443) | Address and port of HTTP proxy server. |
keepalive-timeout (integer | disabled; Default: 60) | Sets keepalive timeout in seconds. |
max-mru (integer; Default: 1500) | Maximum Receive Unit. Max packet size that SSTP interface will be able to receive without packet fragmentation. |
max-mtu (integer; Default: 1500) | Maximum Transmission Unit. Max packet size that SSTP interface will be able to send without packet fragmentation. |
mrru (disabled | integer; Default: disabled) | Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. Read more >> |
name (string; Default: ) | Descriptive name of the interface. |
password (string; Default: ) | Password used for authentication. |
pfs (yes | no; Default: no) | Enables 'Perfect Forward Secrecy' which will make sure that private encryption key is generated for each session. Must be enabled on both server and client to work. |
profile (name; Default: default-encryption) | Used PPP profile. |
user (string; Default: ) | User name used for authentication. |
tls-version (any | only-1.2; Default: any) | Specifies which TLS versions to allow |
verify-server-certificate (yes | no; Default: no) | If set to yes, then client checks whether certificate belongs to the same certificate chain as server's certificate. To make it work CA certificate must be imported. |
verify-server-address-from-certificate (yes | no; Default: yes) | If set to yes, the server's IP address (or DNS name) will be compared to the one set in the certificate. |
Quick example
This example demonstrates how to set up SSTP client with username 'sstp-test', password '123' and server 10.1.101.1
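A client configuration for this quick example, as an added illustration and not the page's own command block: the first command is the minimal client described above, the following commands harden it. It assumes the CA that signed the server certificate has been uploaded as ca.crt, that the server certificate names 10.1.101.1 in its subjectAltName or CN, and that the imported certificate is named ca.crt_0 (check with /certificate print; the name can differ).

```routeros
# Added example, not the page's own command block.

# 1) Minimal client as described above. With the defaults
#    verify-server-certificate=no and tls-version=any the client accepts any
#    server certificate, so a man-in-the-middle can terminate TLS itself and
#    collect the MS-CHAPv2 exchange.
/interface sstp-client add name=sstp-out1 connect-to=10.1.101.1:443 \
    user=sstp-test password=123 disabled=no

# 2) Hardened client: trust only the imported CA, require the certificate to
#    name the server address, and allow only TLS 1.2 and MS-CHAPv2.
#    Assumed file name ca.crt; the imported object name ca.crt_0 may differ.
/certificate import file-name=ca.crt passphrase=""
/certificate set [find name="ca.crt_0"] name=ca
/interface sstp-client set sstp-out1 authentication=mschap2 tls-version=only-1.2 \
    verify-server-certificate=yes verify-server-address-from-certificate=yes \
    profile=default-encryption

# 3) Check: status must read "connected". A certificate failure is logged with
#    one of the messages listed under "Certificate error messages".
/interface sstp-client monitor sstp-out1 once
/log print where topics~"sstp"
```

If the server certificate does not contain the address given in connect-to, the hardened client fails with "server's IP address does not match certificate"; fix the certificate rather than switching verify-server-address-from-certificate off.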
SSTP Server
Sub-menu:/interface sstp-server
This sub-menu shows interfaces for each connected SSTP client.
An interface is created for each tunnel established to the given server. There are two types of interfaces in SSTP server's configuration
- Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user.
- Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name).
Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that user in router configuration (for example, in the firewall). If you need persistent rules for that user, create a static entry for him/her; otherwise it is safe to use dynamic configuration.
Note: in both cases PPP users must be configured properly - static entries do not replace PPP configuration.
Server configuration
Sub-menu:/interface sstp-server server
Properties:
Property | Description |
---|---|
authentication (pap | chap | mschap1 | mschap2; Default: pap,chap,mschap1,mschap2) | Authentication methods that server will accept. |
certificate (name | none; Default: none) | Name of the certificate that SSTP server will use. |
default-profile (name; Default: default) | Default PPP profile for connecting clients. |
enabled (yes | no; Default: no) | Defines whether SSTP server is enabled or not. |
force-aes (yes | no; Default: no) | Force AES encryption (AES256 is supported). If enabled, Windows clients (which support only RC4) will be unable to connect. |
keepalive-timeout (integer | disabled; Default: 60) | If the server does not receive any packet during the keepalive period, it sends keepalive packets every second, five times. If the server receives no response from the client, it disconnects after 5 seconds. The log will show five 'LCP missed echo reply' messages and then a disconnect. |
max-mru (integer; Default: 1500) | Maximum Receive Unit. Max packet size that SSTP interface will be able to receive without packet fragmentation. |
max-mtu (integer; Default: 1500) | Maximum Transmission Unit. Max packet size that SSTP interface will be able to send without packet fragmentation. |
mrru (disabled | integer; Default: disabled) | Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. Read more >> |
pfs (yes | no; Default: no) | Enables 'Perfect Forward Secrecy' which will make sure that private encryption key is generated for each session. Must be enabled on both server and client to work. |
port (integer; Default: 443) | Port for SSTP service to listen on. |
tls-version (any | only-1.2; Default: any) | Specifies which TLS versions to allow |
verify-client-certificate (yes | no; Default: no) | If set to yes, then server checks whether client's certificate belongs to the same certificate chain. |
Warning: It is very important that the date on the router is within the certificate's validity period. To avoid certificate verification problems, enable NTP time synchronization on both server and client.
Monitoring
Monitor command can be used to monitor status of the tunnel on both client and server.
Read-only properties
Property | Description |
---|---|
status () | Current SSTP status. A value other than 'connected' indicates problems establishing the tunnel. |
uptime (time) | Elapsed time since tunnel was established. |
idle-time (time) | Elapsed time since last activity on the tunnel. |
user (string) | Username used to establish the tunnel. |
mtu (integer) | Negotiated and used MTU |
caller-id (IP:ID) | |
Application Examples
Connecting Remote Client
The following example shows how to connect a computer to a remote office network over secure SSTP encrypted tunnel giving that computer an IP address from the same network as the remote office has (without the need for bridging over EoIP tunnels)
Consider following setup:
Office router is connected to the internet through ether1. Workstations are connected to ether2. The laptop is connected to the internet and can reach the Office router's public IP (in our example 192.168.80.1).
Before you begin to configure SSTP you need to create a server certificate and import it into the router (instructions here).
Now it is time to create a user:
Notice that SSTP local address is the same as the router's address on the local interface and the remote address is from the same range as the local network (10.1.101.0/24).
Next step is to enable SSTP server and SSTP client on the laptop:
Notice that authentication is set to mschap. These are the only authentication options that are valid to establish a secure tunnel.
SSTP client from the laptop should connect to routers public IP which in our example is 192.168.80.1.
Please consult the respective manual on how to set up an SSTP client with the software you are using. If you set up the SSTP client on Windows and self-signed certificates are used, then the CA certificate should be added to the trusted root store.
Note: Currently, SSTP is only fully supported on recent Windows OS releases such as Vista SP1, Windows 7, Windows 8, Windows 2008 etc. With other OS's such as Linux, results cannot be guaranteed.
To verify if SSTP client is connected
At this point (when the SSTP client is successfully connected), if you try to ping any workstation from the laptop, the ping will time out: the workstations ARP for the laptop's address on the local segment and nothing answers, because the laptop sits behind the PPP link. The solution is to enable proxy-arp on the local interface so the router answers ARP on the laptop's behalf.
After proxy-arp is enabled client can successfully reach all workstations in the local network behind the router.
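The office-router side of the procedure above, as an added example rather than the page's own command blocks. It assumes the server certificate was already imported under the name server, that ether2 carries 10.1.101.0/24 with the router at 10.1.101.1, and that clients receive addresses from 10.1.101.100-10.1.101.120 (a constructed range inside the LAN, as the example requires); the NTP server name is an assumption.

```routeros
# Added example for the office router; addresses and names are constructed.

# Correct time first: certificate validity is checked against the router clock.
/system ntp client set enabled=yes server-dns-names=pool.ntp.org

# Client addresses come from the LAN range so the laptop looks like a local host;
# local-address is the router's own LAN address.
/ip pool add name=sstp-pool ranges=10.1.101.100-10.1.101.120
/ppp profile add name=sstp-profile local-address=10.1.101.1 \
    remote-address=sstp-pool use-encryption=required
/ppp secret add name=sstp-test password=123 service=sstp profile=sstp-profile

# Enable the server with the certificate and MS-CHAPv2 only; pap/chap do not
# give a secure tunnel (see the note on mschap above). force-aes is left off
# because the page states Windows clients need RC4.
/interface sstp-server server set enabled=yes certificate=server \
    authentication=mschap2 default-profile=sstp-profile tls-version=only-1.2

# Answer ARP for the laptop's address on the LAN segment.
/interface ethernet set ether2 arp=proxy-arp

# Expose only TCP/443 on the WAN interface; everything else stays as configured.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=443 action=accept comment="SSTP" place-before=0

# Verify: the user must show as an active PPP session with a dynamic sstp-in interface.
/ppp active print
/interface sstp-server print
```

If the client connects but cannot reach workstations, check /interface ethernet print for arp=proxy-arp on ether2 before looking anywhere else; with it, the router answers the workstations' ARP requests for 10.1.101.100-120 itself.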
Site-to-Site SSTP
The following is an example of connecting two Intranets using SSTP tunnel over the Internet.
Consider following setup:
Office and Home routers are connected to the internet through ether1; workstations and laptops are connected to ether2. In this example both local networks are routed through the SSTP client, so they are not in the same broadcast domain. If a single broadcast domain is needed, SSTP, like any other PPP tunnel, also supports BCP (Bridge Control Protocol), which allows the SSTP tunnel to be bridged with a local interface.
First step is to create a user:
Notice that we set up SSTP to add a route whenever the client connects. If this option is not set, then you will need a static routing configuration on the server to route traffic between sites through the SSTP tunnel.
Now we need to upload and import CA and server/client certificates. Assuming that the files are already uploaded use following commands:
Edit names to something more meaningful:
Do the same on client side, but instead of server's certificate import client's certificate.
Next step is to enable SSTP server on the office router:
Now configure SSTP client on the Home router:
Now we need to add static route on Home router to reach local network behind Office router:
After tunnel is established you should be able to ping remote network.
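Both sides of the site-to-site setup with mutual certificate verification, as an added example and not the page's own command blocks. Assumed addresses: Office LAN 10.1.101.0/24 behind public IP 192.168.80.1, Home LAN 10.1.202.0/24, tunnel addresses 172.16.1.1 (Office) and 172.16.1.2 (Home). The certificate file and object names (ca, office, home), the imported names such as ca.crt_0, and the shared secret are constructed for the example; check the real imported names with /certificate print.

```routeros
# Added example; addresses, certificate names and the secret are constructed.

# --- Office router (SSTP server) ---
# Import CA and the office certificate with its key (2048-bit RSA or longer).
/certificate import file-name=ca.crt passphrase=""
/certificate import file-name=office.crt passphrase=""
/certificate import file-name=office.key passphrase=""
/certificate set [find name="ca.crt_0"] name=ca
/certificate set [find name="office.crt_0"] name=office

# Tunnel addresses; routes= installs the route to the Home LAN via the tunnel
# whenever this secret connects (format: "dst-address gateway metric").
/ppp profile add name=s2s local-address=172.16.1.1 remote-address=172.16.1.2 \
    use-encryption=required
/ppp secret add name=home-router password=constructed-s2s-secret service=sstp \
    profile=s2s routes="10.1.202.0/24 172.16.1.2 1"

# Static interface so firewall rules can reference the Home tunnel by name.
/interface sstp-server add name=sstp-home user=home-router

# Mutual verification: the client must present a certificate from the same CA.
# pfs and force-aes are fine here because both ends are RouterOS.
/interface sstp-server server set enabled=yes certificate=office \
    authentication=mschap2 default-profile=s2s verify-client-certificate=yes \
    tls-version=only-1.2 pfs=yes force-aes=yes
/ip firewall filter add chain=forward in-interface=sstp-home \
    dst-address=10.1.101.0/24 action=accept comment="Home -> Office" place-before=0

# --- Home router (SSTP client) ---
/certificate import file-name=ca.crt passphrase=""
/certificate import file-name=home.crt passphrase=""
/certificate import file-name=home.key passphrase=""
/certificate set [find name="ca.crt_0"] name=ca
/certificate set [find name="home.crt_0"] name=home

# The office certificate must contain 192.168.80.1 for address verification.
/interface sstp-client add name=sstp-office connect-to=192.168.80.1:443 \
    user=home-router password=constructed-s2s-secret certificate=home \
    authentication=mschap2 verify-server-certificate=yes \
    verify-server-address-from-certificate=yes tls-version=only-1.2 pfs=yes \
    profile=default-encryption disabled=no

# Static route to the Office LAN; the server side got its route from routes= above.
/ip route add dst-address=10.1.101.0/24 gateway=sstp-office

# Check
/interface sstp-client monitor sstp-office once
/ping 10.1.101.1 count=3
```

The place-before=0 on the forward rule puts it ahead of any existing drop rules; adjust its position to your own filter order. If the Home router reports "unable to get issuer certificate locally", the CA was not imported or was imported under a different name than the one checked above.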
Troubleshooting
- After a Windows 7 upgrade SSTP is unable to connect (Windows error 631)?
- MS patch KB2585542 changes the cipher to RC4, which was not supported on RouterOS. Starting from RouterOS v5.13 RC4 is the preferred cipher, and AES is used only if the peer does not advertise RC4.
- I get following error when trying to connect Windows 7 client. Error 0x80070320 The oplock that was associated with this handle is now associated with a different handle.
- Disable verify-client-certificate option on the server.
- I get the following error: 'Encryption negotiation rejected'.
- Disable the use-encryption option in the PPP profile.
Read More
- Free trusted Class1 certificates from startssl.com (StartSSL/StartCom has since shut down and its certificates are no longer trusted by major browsers and operating systems; use a currently trusted CA instead)
- Free Linux SSTP Client