Introduction

Secure remote access remains a top priority for site operators, enterprise IT teams, and developers. SSTP (Secure Socket Tunneling Protocol) is an excellent choice for remote VPN connectivity because it tunnels PPP over TLS (typically TCP/443), offering good firewall traversal and strong cryptographic protection. MikroTik RouterOS includes a mature SSTP server implementation that can be deployed on commodity routers or virtual appliances. This guide walks through a practical, secure SSTP setup on MikroTik devices with step-by-step configuration, certificate handling, firewall/NAT rules, client setup and troubleshooting tips.

Why choose SSTP on MikroTik?

Before diving into the configuration, it’s useful to reiterate why SSTP is often selected:

  • Firewall friendliness: SSTP runs over TCP/443, which is almost always allowed on restrictive networks and captive portals.
  • Strong encryption: SSTP uses TLS for encryption and authentication, benefiting from modern TLS cipher suites and certificate-based trust.
  • PPP features: Because SSTP tunnels PPP, RouterOS can use PPP profiles, address pools, route/policy pushes, and per-user settings such as specifying a dedicated IP.
  • Integration with MikroTik features: You can combine SSTP with RouterOS routing, firewall, QoS, address lists, and monitoring tools for enterprise-grade deployments.

High-level deployment plan

The setup can be broken down into the following major tasks:

  • Generate a CA and server certificate (or obtain a public certificate).
  • Import the certificate into MikroTik and enable the SSTP server.
  • Create a PPP profile, IP pool and PPP secrets for user authentication.
  • Configure firewall rules and NAT for secure traffic flow.
  • Configure clients (Windows and Linux) and validate connectivity.

Step 1 — Creating TLS certificates

For production use, a certificate issued by a public CA is simplest because clients will trust it automatically. For internal or testing deployments, you can create your own CA and sign a server certificate. Example OpenSSL commands to generate a CA and a server certificate:

Generate CA key and certificate:

openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/C=US/ST=State/L=City/O=Org/OU=IT/CN=MyVPN-CA"

Generate server key and CSR:

openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=State/L=City/O=Org/OU=IT/CN=vpn.example.com"

Sign server CSR with CA (include SANs if necessary):

To include subjectAltName, create a small config file (san.cnf) with:

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]

[SAN]
subjectAltName = DNS:vpn.example.com,IP:203.0.113.10

Then sign:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 825 -sha256 -extfile san.cnf -extensions SAN

Combine key and cert into PEM for MikroTik (optional):

cat server.key server.crt > server.pem
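The Step 1 commands as one script, added here as an example (not from the original guide): it generates the CA and server certificate, adds serverAuth usage next to the SAN (something the san.cnf above does not set), and verifies the result the way a client does, by checking the chain and matching the hostname against the SAN. File names follow the guide; the output directory and the O=/OU= subject values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): build the private CA and the
# SSTP server certificate from Step 1 in one go, then verify the result the
# way a client does. Usage: ./make_vpn_certs.sh OUTDIR SERVER_FQDN SERVER_IP [RSA_BITS]
# Assumed: output directory layout and the O=/OU= subject values.
set -eu

gen_vpn_certs() {
    dir=$1 fqdn=$2 ip=$3 bits=${4:-4096}
    mkdir -p "$dir"
    # CA: 10-year self-signed root used only to sign VPN server certificates
    openssl genrsa -out "$dir/ca.key" "$bits" 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 3650 \
        -out "$dir/ca.crt" -subj "/O=Org/OU=IT/CN=MyVPN-CA"
    # Server key and CSR; the CN alone is not enough, clients match the SAN
    openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/O=Org/OU=IT/CN=$fqdn"
    # Extension section read via -extfile/-extensions: SAN plus TLS-server usage
    cat > "$dir/san.cnf" <<EOF
[SAN]
subjectAltName = DNS:$fqdn,IP:$ip
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
EOF
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 825 -sha256 \
        -extfile "$dir/san.cnf" -extensions SAN 2>/dev/null
    # Combined PEM for a single RouterOS import; keys are secrets, lock them down
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
    chmod 600 "$dir/ca.key" "$dir/server.key" "$dir/server.pem"
}

# Client-side check: 0 only if server.crt chains to ca.crt and is valid for the
# given hostname (openssl matches the SAN first, so a missing SAN shows up here).
verify_vpn_cert() {
    dir=$1 fqdn=$2
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$fqdn" \
        "$dir/server.crt" >/dev/null 2>&1 || return 1
    # The CSR carried no SAN, so one present here proves the extfile was applied
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$fqdn"
}

if [ $# -ge 3 ]; then
    gen_vpn_certs "$@"
    verify_vpn_cert "$1" "$2" && echo "OK: $1/server.crt verifies for $2"
fi
```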

Step 2 — Import certificate into MikroTik RouterOS

Transfer the certificate files to the MikroTik router (use WinSCP, FTP, or the WebFig Files upload). Then import them from the terminal or WinBox, certificate first and private key second; the SSTP server can only use a certificate whose private key has been imported alongside it:

/certificate import file-name=server.crt
/certificate import file-name=server.key

or import the combined PEM, which carries both at once:

/certificate import file-name=server.pem

After importing, verify the certificate list and note the certificate names:

/certificate print

If you used a private CA, upload the CA certificate as well so clients can validate the chain when necessary.

Step 3 — Configure SSTP server on MikroTik

Create an IP pool and PPP profile that will be used to assign addresses to SSTP clients. Use a dedicated subnet for VPN clients to make routing and firewalling easier.

/ip pool add name=sstp-pool ranges=10.10.10.2-10.10.10.254

/ppp profile add name=sstp-profile local-address=10.10.10.1 dns-server=8.8.8.8 remote-address=sstp-pool use-encryption=yes

Create user accounts (PPP secrets). You can also set a specific remote-address in the secret to guarantee a dedicated IP per user.

/ppp secret add name=user1 password=StrongPassword profile=sstp-profile service=sstp remote-address=10.10.10.10

Enable the SSTP server and reference your server certificate, using the certificate name as listed by /certificate print (it can differ from the uploaded file name):

/interface sstp-server server set enabled=yes certificate=server.crt default-profile=sstp-profile authentication=mschap2 require-client-certificate=no

Notes:

  • Set require-client-certificate=yes for mutual TLS if you distribute client certificates (increases security).
  • authentication can include pap (not recommended), chap, and mschap2. Use mschap2 where possible.

Step 4 — Firewall and NAT setup

At minimum, allow TCP/443 to reach the router’s input chain and accept established/related states. Adjust chains if you place SSTP behind another device.

/ip firewall filter add chain=input protocol=tcp dst-port=443 action=accept comment="Allow SSTP"
/ip firewall filter add chain=input connection-state=established,related action=accept

If the router also serves other services on 443, consider using a dedicated public IP or SNI-based termination on a front-facing proxy.

Enable NAT (masquerade) so VPN clients can access the internet via the router’s WAN interface. If you want split-tunneling, skip or restrict NAT accordingly.

/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 out-interface=ether1 action=masquerade comment="NAT for SSTP clients"

Fine-grained security rules:

  • Limit who can authenticate using firewall address lists.
  • Create input and forward rules to restrict access to internal services from VPN clients.
  • Log and monitor repeated failed authentication attempts.

Step 5 — Routing, DNS and pushing routes

By default, client traffic will route based on the client’s routing table. To push routes or enforce full-tunnel routing, adjust the PPP profile. For example, to push a specific route into the client:

/ip route add dst-address=172.16.0.0/16 gateway=10.10.10.1 distance=1

To push DNS and routes using RouterOS PPP profile scripts, ensure the profile contains desired values (dns-server). For “redirect all traffic” behavior, create appropriate routes and use NAT as shown above.

Client configuration examples

Windows (built-in SSTP client)

1. Open Settings → Network & Internet → VPN → Add a VPN connection.
2. Provider: Windows (built-in). Connection name: choose a friendly name.
3. Server name or address: vpn.example.com (must match server certificate CN or SAN).
4. VPN type: Secure Socket Tunneling Protocol (SSTP).
5. Type of sign-in info: Username and password. Enter PPP secret credentials.
6. If you used a private CA, import ca.crt into Trusted Root Certification Authorities on the client machine (mmc → Certificates).

Connect and verify the assigned IP (ipconfig /all) and test connectivity (ping internal hosts, check public IP to confirm NAT).

Linux (sstpc + ppp)

On Debian/Ubuntu install sstp-client:

sudo apt-get install sstp-client ppp

Create /etc/ppp/peers/sstp-vpn with the following. sstpc takes the server address as its last argument; --ca-cert points at the private CA certificate from Step 1 copied to the client, and --nolaunchpppd is required when pppd starts sstpc through the pty option. The plugin and sstp-sock lines follow the peers example shipped with sstp-client and hand the MPPE keys to sstpc for SSTP's crypto binding:

pty "sstpc --ipparam sstp-vpn --ca-cert /etc/ppp/ca.crt --nolaunchpppd vpn.example.com"
name user1
file /etc/ppp/psk-vpn
plugin sstp-pppd-plugin.so
sstp-sock /var/run/sstpc/sstpc-sstp-vpn
require-mschap-v2
noauth
ipparam sstp-vpn

Create /etc/ppp/psk-vpn containing one line, password StrongPassword (pppd reads it through the file option above), and secure it with chmod 600. Do not substitute --cert-warn for --ca-cert: it downgrades a failed server-certificate check to a warning and continues. Then start the connection with:

sudo pon sstp-vpn

Check logs via /var/log/syslog or journalctl -t pppd -t sstpc for troubleshooting.
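PPP itself carries no route-push option, so the split-tunnel route from Step 5 has to exist on the client. As an added example (not part of the original guide or of sstp-client), this /etc/ppp/ip-up.d/ hook adds the internal prefixes whenever the sstp-vpn peer defined above comes up, keyed on the ipparam from the peers file; the hook path, the prefix list and the sstp-routes syslog tag are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original guide or of sstp-client): an
# /etc/ppp/ip-up.d/ hook that adds split-tunnel routes when the sstp-vpn
# peer comes up. Debian's /etc/ppp/ip-up exports PPP_IFACE, PPP_LOCAL,
# PPP_REMOTE and PPP_IPPARAM before running these hooks. Hook path, prefix
# list and the "sstp-routes" syslog tag are assumptions.
set -eu

# Internal prefixes that should go through the tunnel (constructed values);
# everything else keeps using the client's normal default route.
SSTP_ROUTES="172.16.0.0/16 10.20.0.0/16"

# Print the ip(8) commands for one link event, one per line, so they can be
# reviewed or tested without touching the routing table.
# Args: ipparam interface vpn-gateway
sstp_route_cmds() {
    ipparam=$1 iface=$2 gw=$3
    # Act only for the sstp-vpn peer; other ppp links (e.g. a DSL modem) get nothing
    [ "$ipparam" = "sstp-vpn" ] || return 0
    for prefix in $SSTP_ROUTES; do
        # "replace" is idempotent across reconnects; binding to the ppp device
        # means the kernel drops the route again when the tunnel goes down
        echo "ip route replace $prefix via $gw dev $iface"
    done
}

# When run by pppd, PPP_REMOTE is the router's local-address (10.10.10.1 in
# the profile above) and PPP_IFACE the pppN device sstpc created.
if [ -n "${PPP_IPPARAM:-}" ]; then
    sstp_route_cmds "$PPP_IPPARAM" "${PPP_IFACE:-ppp0}" "$PPP_REMOTE" |
    while read -r cmd; do
        logger -t sstp-routes "$cmd"
        $cmd   # intentional word splitting: run the command line as printed
    done
fi
```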

Advanced security recommendations

  • Use certificate-based server authentication (public CA for public deployments or private CA plus client trust distribution for internal systems).
  • Enable mutual TLS (require-client-certificate=yes) for high-assurance environments: issue per-client certificates and revoke compromised ones with a CRL.
  • Use strong PPP passwords and MSCHAPv2. Enforce password policies and consider integrating with RADIUS for centralized authentication and accounting.
  • Restrict source IPs and use address-lists to limit who can reach TCP/443 on your router to known networks where possible.
  • Monitor logs — use /log print and remote syslog to detect brute force or unusual patterns; enable security alerting.
  • Keep RouterOS updated — MikroTik regularly ships fixes for security and TLS improvements.

Troubleshooting

  • Check the SSTP server status: /interface sstp-server server print
  • Inspect PPP active sessions: /ppp active print
  • View logs for TLS or authentication failures: /log print where message~"sstp" or check system logs
  • If clients cannot validate the server certificate, verify the CN/SAN matches the server name used by the client and that the CA chain is trusted on the client.
  • For connectivity issues, check firewall filter and nat rules; use ping/traceroute from the router to test upstream reachability.
  • If using captive portals or restrictive networks, test connectivity over TCP/443 to ensure the path is open.

Operational notes and scaling

For larger deployments, consider integrating SSTP with a RADIUS server for authentication, accounting and central user management. Use logging and monitoring to track concurrent connections and resource utilization. If you need to serve many concurrent SSTP clients, ensure the router hardware can handle the TLS load—TLS handshakes are CPU-intensive. In high-scale scenarios, you might terminate TLS at a front-end load balancer or dedicated SSL offloader and forward the decrypted SSTP to backend routers in a trusted network.

Conclusion

Setting up a secure SSTP VPN on MikroTik RouterOS is straightforward but requires careful attention to certificates, authentication, and firewall/NAT policy. Following the steps above lets you deploy a reliable SSTP service with per-user addresses, routed access to internal networks, and strong cryptographic protection. For enterprises and developers who need simple firewall traversal and TLS-level security, SSTP on MikroTik is a practical and flexible solution.

For further reading and related VPN deployment guides, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.