Why combine SSTP with Dynamic DNS?
Secure Socket Tunneling Protocol (SSTP) is a reliable SSL/TLS-based VPN protocol originally developed by Microsoft. Because it runs over TCP port 443, SSTP is highly firewall-friendly and often able to bypass restrictive networks that block other VPN protocols. Dynamic DNS (DDNS) solves the common problem of a changing public IP address by providing a stable hostname you can use to connect to your server.
For administrators, developers and enterprises that need a compact, dependable remote-access solution without costly static IPs or complex network reconfiguration, pairing SSTP with DDNS is an excellent, cost-effective choice. This guide walks through a secure, production-oriented setup with concrete steps, configuration tips and security hardening techniques.
High-level architecture and prerequisites
Before starting, ensure you have the following:
- A server (on-prem or cloud VM) with a public-facing port, or a router that supports port forwarding.
- A DDNS hostname (e.g., yoursite.ddns.net) provided by a DDNS provider like No-IP, DuckDNS or a dynamic DNS record under a domain you control.
- A valid TLS certificate for that hostname (Let’s Encrypt recommended) or a signed certificate from a trusted CA. SSTP requires a certificate that matches the hostname.
- Administrative access to the server and router/firewall to open and forward TCP 443.
- For Windows-based SSTP: Windows Server with RRAS (Routing and Remote Access Service). For Linux: an open-source SSTP server implementation (sstp-server / Accel-PPP / strongSwan with SSTP frontend depending on distribution) or use SoftEther (supports SSTP).
Step 1 — Register dynamic DNS and keep it updated
Choose a DDNS provider and create a hostname that points to your current public IP. Example providers:
- No-IP (https://www.noip.com/) — good UI and client updater.
- DuckDNS (https://www.duckdns.org/) — free, script-friendly.
- Cloudflare or a registrar DNS with an API — you can update a subdomain via API for more control.
Install a DDNS update client on your network gateway or an always-on host. For example, a simple curl-based DuckDNS updater on Linux:
Command (Linux cron):
curl -s "https://www.duckdns.org/update?domains=YOURDOMAIN&token=YOURTOKEN&ip="
Verify the hostname resolves to the public IP after the update.
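The updater below is an added example, not part of the original guide: it extends the one-line curl call into a script suitable for a cron entry. It looks up the current public IP, compares it with the last address it pushed, and only calls the DuckDNS update endpoint when the address has changed, so a misbehaving lookup cannot overwrite a good record and the provider is not hit every minute. The api.ipify.org lookup service, the state-file path /var/lib/ddns/last_ip and the DUCKDNS_DOMAIN / DUCKDNS_TOKEN environment variables are assumptions of this example.

```shell
#!/bin/sh
# DuckDNS updater that pushes a change only when the public IP differs from
# the last address it recorded. Added example; not from the original guide.
# Assumptions: curl is installed, api.ipify.org is used to discover the
# public IP, and DUCKDNS_DOMAIN / DUCKDNS_TOKEN are set in the environment.
set -eu

DDNS_STATE="${DDNS_STATE:-/var/lib/ddns/last_ip}"   # assumed state-file path
DUCKDNS_DOMAIN="${DUCKDNS_DOMAIN:-YOURDOMAIN}"
DUCKDNS_TOKEN="${DUCKDNS_TOKEN:-YOURTOKEN}"

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 (push needed) unless the state file $2 already holds $1.
needs_update() {
    if [ -f "$2" ] && [ "$(cat "$2")" = "$1" ]; then
        return 1
    fi
    return 0
}

# Discover the current public IP. Network call; overridden in tests.
current_public_ip() {
    curl -fsS https://api.ipify.org
}

# Push $1 to DuckDNS. The endpoint answers with the body "OK" or "KO".
push_duckdns() {
    curl -fsS "https://www.duckdns.org/update?domains=${DUCKDNS_DOMAIN}&token=${DUCKDNS_TOKEN}&ip=$1"
}

# Main flow: look up, compare, push, record. Returns non-zero on any failure
# so cron (MAILTO) or a wrapper can notice.
update_ddns() {
    ip=$(current_public_ip)
    if ! is_ipv4 "$ip"; then
        echo "ddns: lookup returned something that is not an IPv4 address: $ip" >&2
        return 2
    fi
    if ! needs_update "$ip" "$DDNS_STATE"; then
        return 0                      # unchanged: nothing to do
    fi
    resp=$(push_duckdns "$ip")
    if [ "$resp" != "OK" ]; then
        echo "ddns: DuckDNS rejected the update for ${DUCKDNS_DOMAIN}: $resp" >&2
        return 3
    fi
    mkdir -p "$(dirname "$DDNS_STATE")"
    printf '%s\n' "$ip" > "$DDNS_STATE"
    echo "ddns: ${DUCKDNS_DOMAIN} now points to ${ip}"
}

# Only act when invoked as "ddns-update run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    update_ddns
fi
```

Install it as, for example, /usr/local/sbin/ddns-update (an assumed path) and call `ddns-update run` from cron every few minutes. Because the lookup and push steps are separate functions, they can be swapped for another provider's API, and the change-detection logic can be exercised without network access.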
Step 2 — Obtain and install a TLS certificate
SSTP requires a certificate whose Common Name (CN) or SAN matches your DDNS hostname. The recommended approach is to use Let’s Encrypt (ACME) and automate renewals with acme.sh or certbot.
Example with acme.sh and DNS API (recommended if port 80 is already used):
- Install acme.sh: curl https://get.acme.sh | sh
- Issue certificate using DNS API (example Cloudflare): acme.sh --issue --dns dns_cf -d yourhost.ddns.net
- Install cert to the server paths required by your SSTP server: acme.sh --install-cert -d yourhost.ddns.net --key-file /etc/sstp/server.key --fullchain-file /etc/sstp/server.crt
If you cannot use DNS-01, use HTTP-01 and ensure port 80 can be reached from the internet during issuance. For quick testing you may use a self-signed certificate, but browsers and clients will warn; production deployments should use CA-signed certs.
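The deploy step below is an added example, not part of the original guide and not acme.sh's own code. It performs the checks a renewal hook should make before the new material reaches the SSTP server: the certificate's SAN or CN must cover the DDNS hostname (the same mismatch the troubleshooting section later tells you to look for), the private key must belong to the certificate, the certificate must not be about to expire, and the key is installed owner-only while the chain is world-readable. If any check fails the existing files are left untouched. The /etc/sstp/ destination comes from the guide; the "sstpd" service name in the reload command is hypothetical, and openssl, GNU coreutils install(1) and stat(1) are assumed to be present.

```shell
#!/bin/sh
# Post-issuance deploy step for the SSTP server's certificate. Added example;
# not from the original guide or from acme.sh. Assumptions: openssl and
# coreutils install(1)/stat(1) are available, the destination is /etc/sstp/
# as in the guide, and "sstpd" is a hypothetical service name.
set -eu

SSTP_RELOAD_CMD="${SSTP_RELOAD_CMD:-systemctl restart sstpd}"   # hypothetical service

# Return 0 when the certificate's SAN (or CN) covers the hostname.
cert_matches_host() {   # $1 = cert file, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Return 0 when the private key belongs to the certificate: both must yield
# the same SubjectPublicKeyInfo.
key_matches_cert() {    # $1 = cert file, $2 = key file
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate stays valid for at least $2 more days.
cert_valid_for_days() { # $1 = cert file, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Octal permission bits of a file, e.g. "600" (GNU stat).
file_mode() {
    stat -c '%a' "$1"
}

# Validate, then install as server.crt (world-readable) and server.key
# (owner-only), and finally reload the service. Refuses to touch the
# existing files if any check fails, so a bad renewal cannot break the VPN.
install_sstp_cert() {   # $1 = fullchain, $2 = key, $3 = hostname, $4 = dest dir
    cert_matches_host "$1" "$3" || { echo "deploy: $1 does not cover $3" >&2; return 1; }
    key_matches_cert "$1" "$2"  || { echo "deploy: key $2 does not match $1" >&2; return 1; }
    cert_valid_for_days "$1" 1  || { echo "deploy: $1 expires within a day" >&2; return 1; }
    mkdir -p "$4"
    install -m 0644 "$1" "$4/server.crt"
    install -m 0600 "$2" "$4/server.key"
    sh -c "$SSTP_RELOAD_CMD"
}

# Invoked as: sstp-deploy-cert <fullchain> <key> <hostname> [dest-dir]
if [ "$#" -ge 3 ]; then
    install_sstp_cert "$1" "$2" "$3" "${4:-/etc/sstp}"
fi
```

acme.sh runs whatever you pass to --reloadcmd after each successful renewal, so you can hand this script the copies acme.sh keeps under ~/.acme.sh/yourhost.ddns.net/ (fullchain.cer and yourhost.ddns.net.key) instead of letting --install-cert copy the files unchecked. The same cert_matches_host check, run against the installed server.crt, is a quick offline answer to the certificate-mismatch item in the troubleshooting checklist.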
Step 3 — Configure the SSTP server
Below are two common server choices with configuration highlights.
Windows Server (RRAS)
- Install the Remote Access role and enable VPN (SSTP).
- Install your certificate to the Local Computer personal store and ensure it is trusted and matches your DDNS hostname.
- Configure RRAS to enable SSTP: in the RRAS console, right-click server → Properties → Security → SSL Certificate and choose the installed cert.
- Configure authentication: prefer EAP-MSCHAPv2 with NPS for centralized authentication; avoid PAP/CHAP.
- Set IP address assignment: use DHCP relay or a static IP pool for VPN clients, and configure routing/NAT as required.
Linux-based SSTP (SoftEther or sstp-server)
- SoftEther Server includes SSTP support and is straightforward to configure via GUI or command line. After installing SoftEther, import the TLS cert and enable SSTP listener on TCP 443.
- For sstp-server: place cert and key in /etc/sstp/ and set appropriate file permissions. Configure authentication (PAM, local users or RADIUS) and PPP options.
- Example minimal server.conf directives: set the path to server.crt and server.key, enable tcp-listen 443, and define the ip-pool and routing.
After configuring the server, restart the SSTP service and confirm it’s listening on TCP 443: ss -tlnp | grep 443 or use netstat.
Step 4 — Router / firewall NAT & port forwarding
On your gateway router, forward TCP 443 to the SSTP server’s internal IP. Example NAT rule:
- External Port: 443 → Internal IP: 192.168.1.10 → Internal Port: 443 (TCP)
Also ensure firewall rules on the server allow inbound TCP 443 from the internet, and that outbound firewall rules allow client traffic (e.g., access to required networks, DNS, etc.). If you use split-tunneling, tailor firewall/NAT rules accordingly.
Step 5 — Client configuration and connection testing
Windows clients (native SSTP):
- Open Network & Internet → VPN → Add a VPN connection.
- Set VPN provider to Windows (built-in), enter the DDNS hostname as the Server name, choose SSTP as the VPN type and set authentication (username/password or certificate).
- Connect and check the certificate prompt (should match your hostname). If you used a CA-signed cert there should be no warning.
macOS / Linux clients: use third-party SSTP clients (sstp-client) or SoftEther client. On Linux, the open-source sstp-client and network-manager-sstp plugin provide integration with NetworkManager.
Verify basic connectivity: ping the server’s VPN IP, test internal resource access and confirm DNS resolution for internal networks. If you use full-tunnel mode, visit an IP-check service to confirm your traffic exits through the VPN rather than leaking via the local connection.
Troubleshooting checklist
- DNS resolve: ensure your DDNS hostname resolves to the correct public IP (dig/nslookup).
- Port reachability: test TCP 443 with telnet yourhost.ddns.net 443 or nmap -p 443 yourhost.ddns.net.
- Certificate mismatch: SSTP requires the cert CN/SAN to match the hostname—verify using openssl: openssl s_client -connect yourhost.ddns.net:443 -showcerts.
- Authentication issues: check server logs (RRAS event viewer or SoftEther logs) for EAP failures and ensure user credentials are correct and not expired/locked.
- NAT hairpinning: if testing from inside the LAN and your router doesn’t support NAT loopback, test from an external network.
Security hardening recommendations
- Use strong TLS settings: disable SSLv3/TLSv1/TLSv1.1, prefer TLS 1.2/1.3 and choose strong ciphers only.
- Certificate management: use CA-signed certificates with automated renewals and protect private keys with strict filesystem permissions.
- Authentication: use EAP with MSCHAPv2 only when combined with certificate-based server authentication; consider MFA via RADIUS/NPS for stronger assurance.
- Least privilege: restrict VPN user access using firewall rules and VLANs; implement split tunneling only when necessary and safe.
- Monitoring and logging: enable detailed logs for connections and authentication attempts; forward logs to a SIEM for analysis and alerting on anomalies.
- Automate renewals: ensure your ACME client auto-renews certificates and deploys them to the SSTP server without manual steps.
Operational tips for scale and reliability
For enterprise deployments, consider:
- Using a load balancer or front-end reverse proxy (TLS termination) that forwards to SSTP backends if you need high availability. Note that SSTP is a stateful, long-lived TLS session: if the front end terminates TLS on port 443 it must pass the SSTP stream through to the backend unchanged, and each session must stay pinned to the same backend.
- Centralized authentication with RADIUS/NPS for single-sign-on and consistent policy enforcement.
- IP address management for client pools and proper routing to internal subnets.
- Regularly testing certificate expiry warnings and setting up alerting for impending expirations.
Summary
Combining SSTP with Dynamic DNS provides a resilient, firewall-friendly remote access solution that is straightforward to deploy and maintain. The keys to a secure, production-ready setup are: using a trusted TLS certificate bound to your DDNS hostname, properly configuring RRAS or an SSTP server implementation, implementing robust authentication and firewall policies, and automating certificate/DNS updates.
Follow the steps above to provision the hostname, obtain and install TLS certificates, configure server and gateway forwarding, and harden the deployment with modern TLS, MFA and monitoring. With these measures in place you’ll have a fast, dependable VPN that works across many restrictive network environments.
Published by Dedicated-IP-VPN