基于Mikrotik的RouterOS路由搭建SSTP VPN服务

1
2
3
4
5
6
7
8
9
/certificate
add name=ca-template-sstp common-name=ros-sstp-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template-sstp common-name=*.ros-sstp-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template-sstp common-name=client.ros-sstp-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=tls-client
 
/certificate
sign ca-template-sstp name=ca-certificate-sstp
sign server-template-sstp name=server-certificate-sstp ca=ca-certificate-sstp
sign client-template-sstp name=client-certificate-sstp ca=ca-certificate-sstp

配置IP池,账号信息,启动服务

1
2
3
4
5
/ip pool add name="sstp-vpn-pool" ranges=172.20.252.1-172.20.252.254
/ppp profile add name="sstp-vpn-profile" use-encryption=yes local-address=172.20.0.1 dns-server=139.99.18.82,139.99.115.58 remote-address=sstp-vpn-pool
/ppp secret add name=lookback profile=sstp-vpn-profile password=lookback123 service=sstp
/interface sstp-server server set enabled=yes default-profile=sstp-vpn-profile authentication=mschap2 certificate=server-certificate-sstp force-aes=yes pfs=yes
/ip firewall filter add chain=input protocol=tcp dst-port=443 action=accept place-before=0 comment="Allow SSTP"

下载CA,导入Windows系统:

配置VPN,测试连接

总结

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
/certificate add name=ca-template-sstp common-name=sstp-dt-ros.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
/certificate add name=server-template-sstp common-name=*.sstp-dt-ros.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
/certificate add name=client-template-sstp common-name=client.sstp-dt-ros.com days-valid=3650 key-size=2048 key-usage=tls-client
 
/certificate sign ca-template-sstp name=ca-certificate-sstp
/certificate sign server-template-sstp name=server-certificate-sstp ca=ca-certificate-sstp
/certificate sign client-template-sstp name=client-certificate-sstp ca=ca-certificate-sstp
 
/certificate export-certificate ca-certificate-sstp export-passphrase=""
/certificate export-certificate client-certificate-sstp export-passphrase=12345678
 
/ip pool add name="sstp-pool" ranges=10.253.252.1-10.253.252.254
 
/ppp profile add name="sstp-profile" use-encryption=yes local-address=10.0.0.1 dns-server=139.99.18.82,139.99.115.58 remote-address=sstp-pool
/ppp secret add name=lookback password=lookback123 profile=sstp-profile service=sstp
 
/interface sstp-server server set enabled=yes default-profile=sstp-profile authentication=mschap2 certificate=server-certificate-sstp force-aes=yes pfs=yes
/ip firewall filter add chain=input protocol=tcp dst-port=443 action=accept place-before=0 comment="Allow SSTP"

12-14 16:30