Notes - Connect to An SSTP VPN Server Using Command Line in Ubuntu

SSTP stands for Secure Socket Tunneling Protocol, developed by Microsoft. It is one of the most powerful and widely used VPN protocols. It has the ability to bypass most firewalls because it uses SSL over port 443, the same port used by HTTPS. Together with the OpenVPN protocol, SSTP is considered one of the “stealth-VPN” protocols. Since it is owned by Microsoft, most Windows operating systems have a built-in SSTP client. Other operating systems (e.g., macOS, Linux) also have plug-in applications that provide a GUI for an SSTP client.

In this note, I am interested in finding a way to connect to an SSTP VPN server from an Ubuntu 18.04 machine (without a GUI, since I need to automate some tasks; READ *2 before proceeding!). My VPN service provider only gives me a username, a password, a hostname of the SSTP VPN server, and a tutorial using a GUI (similar to this one). There are many tutorials found on Google (here and there) that show you how to install and use the GUI to connect to an SSTP server. Unfortunately, I couldn’t find any CLI tutorial that met my needs. Thus, I noted down here what I found and the steps I took to connect to an SSTP server using the CLI.

  • Install necessary packages (I am using Ubuntu 18.04 LTS) (original instructions). The sstp-client and network-manager packages are available via a PPA on Launchpad. You can import the GPG key using the following command:

    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 61FF9694161CE595
    

    Put the following two lines into the following file: /etc/apt/sources.list.d/sstp-client.list

    deb http://ppa.launchpad.net/eivnaes/network-manager-sstp/ubuntu vivid main
    deb-src http://ppa.launchpad.net/eivnaes/network-manager-sstp/ubuntu vivid main
    

    Then use apt-get:

    sudo apt-get update
    sudo apt-get install -y network-manager-sstp sstp-client
    
  • After playing around with all the parameters of sstpc and the man page of sstpc, I got my first SSTP connection UP using this command (*1):

    sudo sstpc --cert-warn --save-server-route --user <your_user_name> --password <your_password> <hostname_or_ip_address_of_sstp_server:port_if_not_standard_port> usepeerdns require-mschap-v2 noauth noipdefault nobsdcomp nodeflate # add/remove parameters according to your VPN provider's instruction.
    

    Note that you may also need to run the following command to route all traffic to the VPN interface, since some systems do not do this for you automatically even after the connection to the VPN server has been established successfully; see more on stackexchange.

    sudo route add default <vpn_interface> # e.g., ppp0 in my case. You can find it with `ifconfig` command
    

    Or, you can also try using this command:

    sudo route add default gw <ip_address_of_the_vpn_server>
    

    If the above commands keep failing, please make sure your SSTP server is ON and accessible.

    If curl-ing a website keeps hanging, make sure the DNS resolver is set up properly by looking at /etc/resolv.conf. If this file contains nameserver(s) of the older network, you may try running this command as root: echo "nameserver 8.8.8.8" > /etc/resolv.conf. You can replace 8.8.8.8 with any open DNS server accessible from your network (e.g., 1.1.1.1 or 9.9.9.9). Note that this task will temporarily change your OS’s stub resolver. When NetworkManager is restarted, all nameservers will be reset in accordance with your network connection.

*1: Since we have the flag --save-server-route ON, you may want to remove the added routes from the routing table using the route del command so that the routing table does not keep growing. You don’t need to remove them if you frequently use the same SSTP VPN server, but you definitely should remove them if many different SSTP servers are used.

*2: Follow this note if you can only use sstpc. However, NetworkManager is a better choice if you can use nmcli on your machine. NetworkManager will handle all the settings of the DNS stub resolver and the routing table. If you have access to the nmcli command on your machine, you may want to skip this note and read this one instead.
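
The routing and resolver checks described above, as an added example that is not part of the original note: the functions parse `route -n` and `/etc/resolv.conf` text to report which interface carries the default route, which host routes are candidates for `route del` (see *1), and which nameservers still belong to the older network. The function names, sample output and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline-testable checks for routing and DNS state after sstpc
# connects. On a live machine pass "$(route -n)" and "$(cat /etc/resolv.conf)".

# Constructed sample of `route -n` output (documentation address ranges).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
198.51.100.7    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
10.8.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 ppp0'

# Constructed sample resolv.conf that still lists the old LAN resolver.
SAMPLE_RESOLV='# Generated by NetworkManager
nameserver 192.168.1.1
nameserver 9.9.9.9'

# Interface of the default route with the lowest metric (the one in use).
default_iface() {
  printf '%s\n' "$1" | awk '
    $1 == "0.0.0.0" && $3 == "0.0.0.0" && (best == "" || $5 + 0 < min) {
      min = $5 + 0; best = $8 }
    END { if (best != "") print best }'
}

# Host routes through a gateway (flags G and H) that are not on a ppp interface
# and do not point at the server in use ($2): review these before `route del`.
stale_host_routes() {
  printf '%s\n' "$1" | awk -v cur="$2" '
    $3 == "255.255.255.255" && $4 ~ /G/ && $4 ~ /H/ && $8 !~ /^ppp/ && $1 != cur {
      print $1 }'
}

# Nameservers in resolv.conf text that are not in the space-separated allow list.
unexpected_nameservers() {
  printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "nameserver" && !($2 in ok) { print $2 }'
}

# Report on the constructed samples; 203.0.113.10 plays the current SSTP server.
echo "default route via: $(default_iface "$SAMPLE_ROUTES")"
stale_host_routes "$SAMPLE_ROUTES" 203.0.113.10 | sed 's/^/review: sudo route del -host /'
unexpected_nameservers "$SAMPLE_RESOLV" "9.9.9.9 1.1.1.1" | sed 's/^/unexpected nameserver: /'
```

A default route that is not on the ppp interface, or a nameserver outside the allow list, means traffic or DNS queries are still leaving through the original network.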

Nguyen Phong Hoang
Postdoctoral Researcher
