How to configure an SSTP server with an automatically renewed Let’s Encrypt certificate

In this post we provide exact instructions for deploying a trusted SSTP server. You might wonder what the difference is between trusted and untrusted. It is not a big one: in our terminology, an “untrusted” server simply means that the client has to import the server certificate before a connection can be established. For one user that is not a problem, but it becomes annoying when there are more than a few. We will use the free Let’s Encrypt service to obtain a certificate that the system already trusts, and add a little automation so that it is renewed every 3 months without our intervention.

Assumptions:

– The internal subnet allocated to SSTP users in this example is 192.168.120.0/24
– To resolve domain names, the server will use Google DNS at 8.8.8.8 and 8.8.4.4
– The domain name in this example is sstp.netsectech.com.au, and it resolves to the public IP address of the AWS VyOS instance
– We will use the local user database to store our test login, sstp_user
– The AWS VyOS instance has a Security Group that allows the HTTPS protocol

Please note that these assumptions are only an example of how this can be set up; a real deployment should use the values applicable to the specific company.

Pre-requisite:
  • AWS instance with deployed Vyatta default image
Install the latest VyOS image:
  • add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
  • reboot
Configure VyOS using the steps below:
  1. Make sure that the DNS A record for the SSTP domain name points to the external IP of the AWS instance
  2. In the VyOS instance CLI, run the following commands:
    sudo su
    certbot certonly --standalone -d sstp.netsectech.com.au -n --agree-tos --email support@netsectech.com.au;
    cp -s /etc/letsencrypt/live/sstp.netsectech.com.au/* /config/auth
    chmod go+rx -R /etc/letsencrypt/live
    exit
  3. Configure SSTP part:
    configure
    set vpn sstp authentication local-users username sstp_user password 'password'
    set vpn sstp authentication mode 'local'
    set vpn sstp authentication protocols 'mschap-v2'
    set vpn sstp network-settings client-ip-settings gateway-address '192.168.120.254'
    set vpn sstp network-settings client-ip-settings subnet '192.168.120.0/24'
    set vpn sstp network-settings name-server 8.8.8.8
    set vpn sstp network-settings name-server 8.8.4.4
    set vpn sstp ssl ca-cert-file '/config/auth/chain.pem'
    set vpn sstp ssl cert-file '/config/auth/fullchain.pem'
    set vpn sstp ssl key-file '/config/auth/privkey.pem'
    commit
    save
  4. Configure firewall NAT rules for SSTP subnet:
    set nat source rule 20 log 'disable'
    set nat source rule 20 outbound-interface 'eth0'
    set nat source rule 20 source address '192.168.120.0/24'
    set nat source rule 20 translation address 'masquerade'
  5. Schedule a cron task to check whether the certificate needs to be renewed:
    configure
    set system task-scheduler task certbot-renew crontab-spec '5 0 * * * '
    set system task-scheduler task certbot-renew executable arguments 'certonly --standalone -d sstp.netsectech.com.au -n'
    set system task-scheduler task certbot-renew executable path '/usr/bin/certbot'
    commit
    save
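
To confirm that the scheduled task from step 5 keeps the files referenced in step 3 valid, the following check can be run on the VyOS shell. It is an added example, not part of the original procedure; the function name, exit codes and the 21-day threshold are assumptions of this example (certbot renews 30 days before expiry by default, so less remaining validity than that suggests renewals are failing).

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the certificate
# files that the SSTP configuration points at after a certbot run.
# Exit codes are this example's own convention:
#   0 = OK, 1 = file missing/unreadable, 2 = cert and key do not match,
#   3 = certificate expires within the warning window.

check_sstp_cert() {
    dir=${1:-/config/auth}     # directory used by 'set vpn sstp ssl ...'
    warn_days=${2:-21}         # assumed threshold, below certbot's 30-day renewal window
    cert="$dir/fullchain.pem"
    key="$dir/privkey.pem"

    # 'cp -s' created symlinks; -r follows them, so a dangling link fails here.
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done

    # The leaf certificate's public key must equal the private key's public half.
    if ! cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null); then
        echo "cannot parse certificate: $cert" >&2
        return 2
    fi
    if ! key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null); then
        echo "cannot parse private key: $key" >&2
        return 2
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        return 2
    fi

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo "certificate expires within $warn_days days; renewal may be failing" >&2
        return 3
    fi
    echo "OK: $cert matches its key and is valid for more than $warn_days days"
}

# Run only when called with arguments, e.g.: sh check_sstp_cert.sh /config/auth 21
if [ $# -gt 0 ]; then
    check_sstp_cert "$@"
fi
```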