Setting up an SSTP server on a Zyxel router (link to article) and installing an SSTP client on Linux

31 May 2024 12:02

To connect to your home PC from work, you can install an SSTP server on your Zyxel router.

1. Installing an SSTP server on the Zyxel Keenetic router

Instructions for setting up a server on the Zyxel Keenetic router are given in the article on the support site:
*Article on setting up an SSTP server on help.keenetic.com.

If the link doesn't work, you can use the Wayback Machine.

I repeated the instructions for setting up an SSTP server on my home router.

Tips:

a) I recommend allocating the starting IP address for SSTP clients within your home network. For example, if your home network is 192.168.1.0/24 and the DHCP server allocates 100 IP addresses, the starting address for SSTP should be 192.168.1.150. In this case, the home computer will see the work computer on the same network at 192.168.1.150, because the ARP proxy function will be in effect.

b) I recommend using a "white" (public) IP address from your provider on your home PC; the IPv4 connection is then direct, and the ping is 12 ms.

c) I recommend creating a second user on the Keenetic router, a user with normal rights. Connecting as admin is not safe. The admin user only has access to the control panel, while the account named user can connect to the home network. The admin and user accounts must have different passwords.

2. Installing an SSTP client on Linux

I found a good guide on the IT Pro Blog website: an article on setting up an SSTP client in Linux Mint.

I ended up with slightly improved commands; the changes affected only gpg:

sudo gpg --keyserver keyserver.ubuntu.com --recv 61FF9694161CE595

sudo gpg --export 61FF9694161CE595 | sudo tee /etc/apt/trusted.gpg.d/sstp_client.gpg > /dev/null

sudo add-apt-repository -y ppa:eivnaes/network-manager-sstp && sudo apt update

sudo apt install -y sstp-client network-manager-sstp network-manager-sstp-gnome

The connection is configured on the client in graphical mode in the Network Manager applet (its icon looks like a network card slot and is located in the status bar next to the clock).

3. Installing the Open SSTP Client application for Android

*Open SSTP Client

Advantages and Disadvantages of the SSTP Protocol

Advantages:

  1. Since the server side uses the most common port, 443, providers do not control connections to it.

  2. Data traffic between the client and server is reliably protected using ChaCha20-Poly1305 encryption.

Disadvantages:

  1. When SSTP is enabled, the login page of the router's web interface becomes reachable from the outside over https:// (port 443). The most annoying thing is that, with SSTP enabled, the entrance to the Keenetic web interface is also visible when connecting via http, i.e. on port 80 without encryption. A non-standard administrator account name and a strong password are required.

  2. Connecting to the SSTP server from a Mikrotik client router is difficult because of an error stating that the key for the certificate was not found ("terminating... no key for certificate found (6)"). This error occurs if the Keenetic server certificate with the extension *.pem is imported into Mikrotik without a *.key key file. If you do not import the server certificate, or specify the "none" certificate, an error occurs at the early stage of the handshake: "handshake failed, error 14077458... terminating: unable to connect." Exporting the public key from the certificate (openssl x509 -pubkey -noout < cert.pem > pubkey.key) and adding it alongside the certificate when importing into System - Certificates does not help. The exported server certificate file does not contain a private key, which can be seen by running the command openssl rsa -in cert.pem -out certout.pem. Thus, SSTP is only good for connecting 2 Keenetics, and not Keenetic - Mikrotik. According to Keenetic support, extracting the *.key file from the Keenetic router, where it is stored, is not implemented.
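A quick way to confirm what the last item describes: the exported cert.pem holds no private key, and a PUBLIC KEY file extracted from it is not a substitute for one. This is an added example, not part of the original article; the function names and the file server.key are hypothetical, and pem_key_matches_cert assumes the openssl CLI is installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. File names are hypothetical.

# Print the label of every PEM block ("-----BEGIN <label>-----"), one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$@"
}

# Classify what the given file(s) contain together:
#   cert+key  certificate and private key both present (importable pair)
#   cert-only certificate without a private key (the exported cert.pem case)
#   key-only  private key without a certificate
#   none      neither; a "PUBLIC KEY" block is not a private key
pem_classify() (
    labels=$(pem_labels "$@")
    cert=0; key=0
    printf '%s\n' "$labels" | grep -qx 'CERTIFICATE' && cert=1
    printf '%s\n' "$labels" | grep -Eqx '([A-Z0-9]+ )?PRIVATE KEY' && key=1
    case "$cert$key" in
        11) echo cert+key ;;
        10) echo cert-only ;;
        01) echo key-only ;;
        *)  echo none ;;
    esac
)

# Exit 0 if the private key in $2 belongs to the certificate in $1, 1 if it
# does not, 2 if either file cannot be parsed. Requires the openssl CLI.
pem_key_matches_cert() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
    [ "$cert_pub" = "$key_pub" ]
)

# Constructed sample files: dummy bodies, only the block labels matter here.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkpem() { printf '%s\n' "-----BEGIN $1-----" 'AAAA' "-----END $1-----"; }
mkpem 'CERTIFICATE' > "$demo_dir/cert.pem"
mkpem 'PUBLIC KEY'  > "$demo_dir/pubkey.key"
mkpem 'PRIVATE KEY' > "$demo_dir/server.key"

echo "cert.pem alone:        $(pem_classify "$demo_dir/cert.pem")"
echo "cert.pem + pubkey.key: $(pem_classify "$demo_dir/cert.pem" "$demo_dir/pubkey.key")"
echo "cert.pem + server.key: $(pem_classify "$demo_dir/cert.pem" "$demo_dir/server.key")"
```

Only the last combination reports cert+key; on real files, pem_key_matches_cert then checks that the key actually belongs to the certificate.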

