Dual-stack networks combining IPv4 and IPv6 are increasingly common in modern infrastructures. When deploying a secure remote access solution, administrators must ensure the virtual private network (VPN) supports both address families seamlessly. This guide walks through a practical, technical approach to configuring an SSTP-based VPN for dual-stack environments, covering server and client setup, certificate handling, firewall rules, routing, IPv6 prefix delegation, and troubleshooting tips.

Why SSTP for Dual-Stack VPNs?

SSTP (Secure Socket Tunneling Protocol) encapsulates PPP traffic over TLS-encrypted HTTPS (TCP port 443). Its advantages for dual-stack deployments include:

  • High compatibility with firewalls and proxies—SSTP uses TCP/443, which is almost always allowed outbound.
  • Strong encryption and certificate-based authentication via TLS.
  • Native client support on Windows, and third-party implementations for Linux/macOS, making it practical for mixed-client environments.

Design considerations before you begin

Plan the following items up front to avoid rework:

  • Public certificate on your SSTP endpoint (domain name) — recommended: Let’s Encrypt or a commercial CA.
  • How IPv6 addressing will be provided to clients: delegated prefix (/56 or /64) via DHCPv6-PD, static routed /64 per client, or routed /64 for tunnel network.
  • Whether clients should use the VPN for all traffic (full tunnel) or only specific routes (split tunneling).
  • Firewall and NAT policy: IPv4 commonly requires NAT, IPv6 should avoid NAT where possible—use routing and correct firewalling instead.
  • Compatibility of your SSTP server software with PPP-based IPv6 negotiation (e.g., support for IPv6CP).

Server prerequisites

Before configuring SSTP, prepare the host platform and prerequisites:

  • Public hostname (FQDN) and A/AAAA DNS records pointing to your server.
  • Valid TLS certificate for the hostname. For automated renewals use Certbot (Let’s Encrypt).
  • Kernel network forwarding enabled for both address families:
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.ipv6.conf.all.forwarding=1
  • Appropriate SSTP server software: Windows Server RRAS, sstpd/sstp-server on Linux, or dedicated appliances. Ensure the chosen software supports IPv6CP (PPP’s IPv6 Control Protocol).

TLS certificate and virtual host

Install a certificate for the SSTP host. Example using Certbot on Linux (standalone mode):

certbot certonly --standalone -d vpn.example.com

Configure the SSTP service to reference the certificate and private key. The exact configuration stanza depends on your SSTP implementation; typical settings point to the PEM or PFX files for the endpoint TLS context. Ensure the certificate chain includes intermediates so clients validate correctly.

Windows Server (RRAS) configuration — IPv4 and IPv6

For environments using Windows Server RRAS:

  • Install and configure the Remote Access role with VPN (SSTP) enabled.
  • Bind the server certificate to the SSTP listener (IIS or RRAS binding). In IIS Manager or MMC, bind the cert to port 443 if necessary.
  • Enable IPv4 and IPv6 routing in RRAS: in the RRAS console, check that IPv4 and IPv6 are both enabled under Server Properties → IPv4 and IPv6 tabs.
  • Define IP assignment pools:
    • IPv4: configure a private pool (for example, 10.10.10.0/24) or use DHCP relay.
    • IPv6: assign either individual addresses from a routed prefix or delegate a /64 via DHCPv6-PD. In RRAS with Windows Server 2016+, you can configure a static IPv6 pool if needed.
  • Firewall: allow inbound TCP/443 to the RRAS host, allow forwarding for the VPN interface to internal networks, and ensure outbound IPv6 is allowed.

Example RRAS IPv6 approach

If your ISP provides a routed /48 or /56, allocate a /64 to the VPN pool and add a static route on your upstream router pointing that /64 to the RRAS host. Configure RRAS to assign addresses from that /64 to clients. Avoid NAT for IPv6 and rely on routing + appropriate firewall rules for protection.

Linux SSTP server configuration (conceptual)

Several open-source SSTP servers exist. Steps below are general and map to most implementations:

  • Install sstp-server or sstp daemon package and dependencies (pppd, libssl).
  • Place TLS certificate and key in an accessible path and configure the SSTP daemon to use them.
  • Configure pppd to enable IPv4 and IPv6 negotiation. pppd must be started with the +ipv6 option and support IPv6CP. Example pppd options snippet:
    /usr/sbin/pppd plugin sstp.so nodetach noauth +ipv6 proxyarp 10.10.10.1:10.10.10.2
  • Provide an IPv4 pool via pppd options or via chap-secrets mapping; provide IPv6 addressing via IPv6CP or use radvd/DHCPv6 for downstream advertisement.
  • Enable forwarding and configure iptables/ip6tables rules (examples below).

Firewall and NAT rules

Both IPv4 and IPv6 must be allowed through host and edge firewalls. Below are representative rule examples—adapt them to your distribution and policy:

IPv4 (iptables)

# Allow SSTP
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

# Allow established sessions
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT for IPv4 VPN clients (if required)
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

# Allow forwarding from the VPN subnet to the internet
iptables -A FORWARD -s 10.10.10.0/24 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -d 10.10.10.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

IPv6 (ip6tables)

# Allow SSTP over TCP/443 (IPv6 must be listening on ::)
ip6tables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

# Accept established
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding for IPv6 subnets (no NAT)
ip6tables -A FORWARD -s 2001:db8:1:1::/64 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A FORWARD -d 2001:db8:1:1::/64 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Remember to persist firewall rules across reboots and to restrict administrative access to management hosts only.
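The rules above, assembled into a reviewable script (an added example, not from the original guide). It adds what the bare rules leave implicit (a default-deny policy, loopback, and the ICMPv6 that IPv6 needs for neighbour discovery and path-MTU discovery) and keeps NAT on the IPv4 side only. The interface name eth0 and the two pools are the guide's values; SSTP_FW_APPLY is an assumed switch for this script.

```shell
#!/bin/sh
# Added example, not from the original guide: build the dual-stack rule set
# for an SSTP host. Runs as a dry run (prints the commands) unless
# SSTP_FW_APPLY=1 is set, so the rules can be reviewed before they touch
# the kernel. Assumed values come from the guide: WAN interface eth0,
# IPv4 pool 10.10.10.0/24, routed IPv6 pool 2001:db8:1:1::/64.
run() { if [ "${SSTP_FW_APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

sstp_v4_rules() {  # usage: sstp_v4_rules <vpn-v4-subnet> <wan-if>
  net=$1; wan=$2
  run iptables -P INPUT DROP                      # default deny on the host
  run iptables -P FORWARD DROP                    # and for transit traffic
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -s "$net" -o "$wan" -m conntrack --ctstate NEW -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$net" -o "$wan" -j MASQUERADE  # IPv4 only
}

sstp_v6_rules() {  # usage: sstp_v6_rules <vpn-v6-prefix> <wan-if>
  net=$1; wan=$2
  case $net in */64) ;; *) echo "expected a /64 pool, got $net" >&2; return 1;; esac
  run ip6tables -P INPUT DROP
  run ip6tables -P FORWARD DROP
  run ip6tables -A INPUT -i lo -j ACCEPT
  # ICMPv6 carries neighbour discovery and path-MTU discovery; blocking it
  # is the classic way to make a "working" IPv6 tunnel silently fail.
  run ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
  run ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
  run ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run ip6tables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
  run ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run ip6tables -A FORWARD -s "$net" -o "$wan" -m conntrack --ctstate NEW -j ACCEPT
  # No MASQUERADE here: the /64 is routed to this host, so clients keep
  # globally reachable addresses and the firewall, not NAT, does the filtering.
}

# Dry run: review the output, then re-run with SSTP_FW_APPLY=1 to apply.
sstp_v4_rules 10.10.10.0/24 eth0
sstp_v6_rules 2001:db8:1:1::/64 eth0
```

Inbound connections from the WAN to VPN clients are not opened by these rules; add explicit FORWARD rules for any service a client must expose.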

IPv6 addressing and delegation

Common options to assign IPv6 to VPN clients:

  • DHCPv6-PD: The ISP delegates a prefix to your router (or the VPN server). Advertise a /64 to VPN clients via radvd or hand out addresses via DHCPv6.
  • Static routed /64s: Your upstream router routes a /64 to the SSTP host; the SSTP host assigns addresses from that /64.
  • SLAAC/RA: IPv6CP itself negotiates only the interface identifiers (link-local addresses) on the PPP link; clients that support SLAAC over PPP then obtain a global prefix from router advertisements. IPv6CP therefore remains the standard base for IPv6 over PPP-based VPNs, with RA or DHCPv6 supplying the prefix.

When using DHCPv6-PD, configure radvd or a DHCPv6 server to advertise the delegated prefix on the VPN interface so clients receive routable IPv6 addresses and default routes.

Client configuration — Windows

Windows has native SSTP support and IPv6 over SSTP is supported via PPP’s IPv6CP. Steps for Windows clients:

  • Create a new VPN connection in Network & Internet settings → VPN → Add a VPN connection.
  • VPN provider: Windows (built-in); VPN type: Secure Socket Tunneling Protocol (SSTP); Server name: vpn.example.com.
  • Under the connection properties → Networking tab, enable Internet Protocol Version 6 (TCP/IPv6) and Internet Protocol Version 4 (TCP/IPv4).
  • If using split tunneling, in IPv4 properties uncheck “Use default gateway on remote network”. For IPv6 split tunneling, use route commands or IPv6-specific settings as needed.
  • Connect and verify addressing:
    ipconfig /all
    netsh interface ipv6 show interfaces
    netsh interface ipv6 show addresses

Client configuration — Linux

Linux SSTP clients typically use sstp-client plus pppd. Conceptual steps:

  • Install sstp-client and pppd with IPv6 support.
  • Create a pppd options file specifying authentication and IPv6 negotiation (include +ipv6).
  • Start the sstp-client pointing to the server hostname and certificate verification options, then let pppd manage address assignment.
  • Verify with:
    ip addr show ppp0
    ip -6 route show
    ping6 2001:4860:4860::8888

DNS and split-DNS considerations

Clients will typically receive DNS settings via PPP. For dual-stack resolution:

  • Provide both A and AAAA records for internal resources where applicable.
  • If using split-DNS (internal names only resolvable over VPN), ensure the VPN-pushed DNS servers respond to both IPv4 and IPv6 queries.
  • Consider pushing search domains and DNS server addresses via PPP options to prevent DNS leaks and ensure correct name resolution.

Testing and verification checklist

  • Connectivity: telnet vpn.example.com 443 or curl -v https://vpn.example.com/ to verify TLS listener.
  • IPv4 path: ping internal IPv4 resources from client after connecting.
  • IPv6 path: ping6 or traceroute6 through the tunnel to internal IPv6 addresses and external IPv6 hosts.
  • Routing: verify routes on server and client (ip route, ip -6 route) to ensure correct prefix advertisement and default gateway behavior.
  • Firewall: ensure the FORWARD chains in both iptables and ip6tables allow the VPN subnets to reach the desired destinations and that the stateful (conntrack) rules are working.
  • Certificate validation: check client trusts the SSTP certificate and there are no hostname mismatches.

Troubleshooting tips

Common issues and quick fixes:

  • No SSTP connectivity: check TLS cert, port 443 open, and that a reverse proxy (if present) forwards TLS passthrough rather than terminating TLS unless intentionally proxying.
  • IPv6 not assigned: confirm IPv6CP support on the server, ensure the delegated prefix is routed to the SSTP host, and check that radvd/DHCPv6 is configured to advertise/assign addresses on the PPP interface.
  • DNS leaks or resolution failures: ensure PPP pushes DNS servers and that clients prioritize VPN DNS over local DNS.
  • Asymmetric routing: ensure upstream devices route the VPN-assigned IPv6 prefix back to the SSTP host; otherwise packets will be dropped.
  • MTU and fragmentation: PPP encapsulated in SSTP (HTTPS/TLS over TCP) adds header overhead, so leaving the tunnel MTU at the link default causes fragmentation or black-holed packets. Lower the MTU/MSS in the pppd options or clamp MSS on the firewall (common fix: set the pppd mtu to 1400).
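To turn the verification checklist and the "IPv6 not assigned" troubleshooting case into a repeatable client-side check, here is an added example (not part of the original guide) that classifies a PPP interface's IPv6 state from the output of "ip -6 addr show" and "ip -6 route show". The sample outputs and the interface name ppp0 are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: map the output of
# `ip -6 addr show dev ppp0` and `ip -6 route show` to the troubleshooting
# cases above. Sample outputs below are constructed; on a real client run
#   sstp_v6_diagnose "$(ip -6 addr show dev ppp0)" "$(ip -6 route show)" ppp0
sstp_v6_diagnose() {  # args: <addr-output> <route-output> <ppp-if>
  addrs=$1; routes=$2; dev=$3
  if ! echo "$addrs" | grep -q 'inet6 '; then
    echo "no-ipv6cp: no IPv6 on $dev, IPv6CP was not negotiated (+ipv6 missing?)"
  elif ! echo "$addrs" | grep -q 'inet6 .*scope global'; then
    echo "link-local-only: IPv6CP is up but no prefix reached $dev; check radvd/DHCPv6 and that the /64 is routed to the SSTP host"
  elif ! echo "$routes" | awk -v d="$dev" '$1=="default" { for (i=2;i<NF;i++) if ($i=="dev" && $(i+1)==d) ok=1 } END { exit ok?0:1 }'; then
    echo "no-default-route: global address present but the default route does not use $dev (split tunnel or missing RA route)"
  else
    echo "ok"
  fi
}

# Constructed sample outputs for the three failure states and the healthy one.
ADDR_NONE='5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 state UNKNOWN
    inet 10.10.10.2 peer 10.10.10.1/32 scope global ppp0'
ADDR_LL="$ADDR_NONE
    inet6 fe80::1a2b:3c4d:5e6f:7081/64 scope link"
ADDR_GLOBAL="$ADDR_LL
    inet6 2001:db8:1:1:1a2b:3c4d:5e6f:7081/64 scope global"
ROUTES_NO_DEFAULT='2001:db8:1:1::/64 dev ppp0 proto ra metric 1024
fe80::/64 dev ppp0 proto kernel metric 256'
ROUTES_OK="$ROUTES_NO_DEFAULT
default dev ppp0 proto ra metric 1024"

sstp_v6_diagnose "$ADDR_NONE"   "$ROUTES_OK"         ppp0
sstp_v6_diagnose "$ADDR_LL"     "$ROUTES_OK"         ppp0
sstp_v6_diagnose "$ADDR_GLOBAL" "$ROUTES_NO_DEFAULT" ppp0
sstp_v6_diagnose "$ADDR_GLOBAL" "$ROUTES_OK"         ppp0
```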

Deploying SSTP in a dual-stack environment requires attention to IPv6 addressing mechanics, proper TLS certificate usage, and correct forwarding/firewall rules. With careful prefix planning, IPv6CP (IPv6 over PPP) support enabled, and verified routing, you can provide seamless IPv4/IPv6 connectivity to remote users with the compatibility advantages SSTP brings.

For in-depth consultation, reference materials, and managed solutions that support dual-stack SSTP deployments, visit Dedicated-IP-VPN.