How to Configure MikroTik SSTP VPN for Remote Access

Secure remote access is essential for any business or IT team managing remote users or branch offices. MikroTik routers support several VPN protocols, and SSTP (Secure Socket Tunneling Protocol) is one of the best options for secure, firewall-friendly remote access.

This guide shows how to set up SSTP VPN on a MikroTik router, configure a Windows client, and apply best practices for security. It’s written for network engineers and system administrators, using clear steps and real-world configuration examples.

Why Use SSTP VPN on MikroTik?

SSTP uses SSL/TLS encryption over TCP port 443. It works well behind NAT and most firewalls. This makes it a strong option compared to older VPN protocols.

SSTP Advantages

  • Works through most firewalls and proxies (TCP 443)
  • Encrypted by default using SSL/TLS
  • Built-in support on Windows
  • Supported in MikroTik RouterOS
  • Certificate-based authentication available

Use SSTP when:

  • You need secure remote access for staff or admins
  • The network has strict firewalls or NAT
  • You need a simple setup for Windows clients

What is SSTP and How Does It Work?

SSTP (Secure Socket Tunneling Protocol) is a VPN protocol that:

  • Runs over TCP port 443
  • Uses SSL/TLS encryption
  • Supports username/password or certificate authentication
  • Tunnels PPP traffic over HTTPS

Because it uses standard HTTPS, SSTP is harder to block than PPTP or L2TP/IPSec.

Requirements Before You Start

Before starting, prepare the following:

1. MikroTik RouterOS (v6.0+ or v7.x)

  • Must support PPP and SSTP Server
  • Use the latest stable version

2. Public IP or DDNS

  • Use a static public IP or dynamic DNS hostname (e.g. vpn.yourdomain.com)

3. SSL Certificate

  • Self-signed or from a public CA (e.g. Let’s Encrypt)

4. VPN IP Pool

  • Reserve IPs for VPN clients
  • Should be outside your LAN DHCP range

5. Basic Firewall Config

  • Allow port TCP 443
  • Block access from unknown sources (optional)

Step 1: Generate or Import SSL Certificates

Option 1: Generate Self-Signed Certificate on MikroTik

/certificate
# Private CA that will sign the server certificate (valid for 10 years)
add name=ca-template common-name="MyCA" key-usage=key-cert-sign,crl-sign days-valid=3650
sign ca-template name=MyCA

# Server certificate: the common name must match the hostname clients will connect to
add name=server-template common-name="vpn.yourdomain.com" key-usage=digital-signature,key-encipherment,tls-server days-valid=3650
sign server-template name=server-cert ca=MyCA

# Mark the CA as trusted on the router; clients of a self-signed CA also need MyCA in their trusted root store
set MyCA trusted=yes

Option 2: Import Public SSL Certificate

# Import the certificate (plus any intermediate chain) first, then the matching private key;
# add passphrase=... to the second command if the key file is encrypted
/certificate import file-name=server.crt
/certificate import file-name=server.key

Step 2: Configure SSTP Server on MikroTik

1. Create an IP Pool

/ip pool add name=vpn-pool ranges=192.168.50.10-192.168.50.50

2. Create a PPP Profile

/ppp profile
add name=sstp-profile local-address=192.168.50.1 remote-address=vpn-pool dns-server=8.8.8.8 bridge=bridge1 use-encryption=yes

3. Add a PPP User

/ppp secret
add name=vpnuser password=StrongPassword profile=sstp-profile service=sstp

4. Enable SSTP Server

/interface sstp-server server
set enabled=yes certificate=server-cert default-profile=sstp-profile authentication=mschap2 verify-client-certificate=no

Step 3: Configure Firewall Rules

1. Allow SSTP from Trusted IPs

/ip firewall filter
# Accepts new SSTP sessions on TCP 443; add src-address=<trusted range> to limit the rule to known sources.
# place-before=1 inserts the rule at position 1 of the existing list, so confirm the order with /ip firewall filter print
add chain=input protocol=tcp dst-port=443 action=accept place-before=1 comment="Allow SSTP VPN"

2. Drop Other Inbound Traffic (Optional)

/ip firewall filter
add chain=input connection-state=invalid action=drop
# Drops all other TCP arriving on the WAN interface (ether1); assumes the accept rule for established,related
# connections from the default configuration and the SSTP accept rule both sit above this one
add chain=input in-interface=ether1 protocol=tcp action=drop
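A fuller version of the Step 3 rules, added here as an example and not taken from the original guide. It ties the accept rule to a named address list so that only known source ranges can open an SSTP session, and logs what it drops so repeated connection attempts against port 443 are visible in the router log. The list name trusted-vpn-sources and the range 203.0.113.0/24 are placeholders; ether1 is assumed to be the WAN interface, as in the guide.

```routeros
# Added example, not part of the original guide. Assumes ether1 is the WAN
# interface; "trusted-vpn-sources" and 203.0.113.0/24 are placeholders.
/ip firewall address-list
add list=trusted-vpn-sources address=203.0.113.0/24 comment="Example: branch office range"

/ip firewall filter
# Replies to connections already allowed (or started by the router) are accepted first
add chain=input connection-state=established,related action=accept comment="Accept established/related"
add chain=input connection-state=invalid action=drop comment="Drop invalid"
# Only listed sources may open a new SSTP session on TCP 443
add chain=input protocol=tcp dst-port=443 connection-state=new src-address-list=trusted-vpn-sources action=accept comment="Allow SSTP from trusted sources"
# Everything else aimed at 443 on the WAN side is logged (the prefix shows in /log print) and then dropped
add chain=input in-interface=ether1 protocol=tcp dst-port=443 action=log log-prefix="sstp-denied" comment="Log untrusted SSTP attempts"
add chain=input in-interface=ether1 protocol=tcp dst-port=443 action=drop comment="Drop untrusted SSTP"
```

Rules are appended in the order given. On a router that already has a firewall, check `/ip firewall filter print` afterwards and use `move` if an existing broad drop rule ends up above the SSTP accept rule. Denied attempts can be reviewed with `/log print where message~"sstp-denied"`.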

Step 4: Configure SSTP Client (Windows)

1. Open VPN Settings

  • Go to Settings > Network & Internet > VPN
  • Click “Add a VPN connection”

2. Fill in VPN Details

  • VPN provider: Windows (built-in)
  • Connection name: MikroTik SSTP
  • Server name: vpn.yourdomain.com
  • VPN type: Secure Socket Tunneling Protocol (SSTP)
  • Type of sign-in: Username and password

Step 5: Test the SSTP VPN Connection

On MikroTik:

/interface sstp-server print
/ppp active print
/log print where message~"sstp"

On Windows Client:

  • Run ipconfig and check for VPN IP
  • Ping VPN gateway: ping 192.168.50.1

Hardening and Best Practices

  • Use strong passwords for PPP users
  • Restrict port 443 to specific IP ranges
  • Enable verify-client-certificate=yes for mutual TLS
  • Enable PPP and SSTP logging
  • Disable unused MikroTik services
  • Set up auto-renewal or scheduled reminders for certificate expiration
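The hardening items above expressed as RouterOS configuration, added as an example rather than taken from the guide. It reuses the guide's names (server-cert, sstp-profile, MyCA); the script and scheduler names are my own. verify-client-certificate stays at no in this block because the Windows built-in SSTP client does not offer a TLS client certificate during the handshake; set it to yes only when every client is a MikroTik router holding a certificate signed by MyCA.

```routeros
# Added example, not part of the original guide. Reuses the guide's names
# (server-cert, sstp-profile); script and scheduler names are placeholders.

# 1. Tighten the TLS side of the SSTP server: TLS 1.2 only, AES forced, PFS on.
#    Switch verify-client-certificate to yes only for clients that hold a
#    certificate signed by MyCA (MikroTik-to-MikroTik links).
/interface sstp-server server
set enabled=yes certificate=server-cert default-profile=sstp-profile authentication=mschap2 tls-version=only-1.2 force-aes=yes pfs=yes verify-client-certificate=no

# 2. Keep SSTP and PPP events in the log so TLS failures and bad logins show up in /log print
/system logging
add topics=sstp,!debug action=memory
add topics=ppp,!debug action=memory

# 3. Reduce the attack surface: turn off management services that are not used
#    (disabling www removes WebFig; keep whichever you manage the router with)
/ip service
disable telnet,ftp,www,api

# 4. Daily reminder when the server certificate has less than 30 days left.
#    expires-after is a time value, so it compares directly against 30d.
/system script
add name=check-cert-expiry source=":local left [/certificate get [find name=server-cert] expires-after]; :if (\$left < 30d) do={ :log warning (\"server-cert expires in \" . \$left . \" - renew it\") }"
/system scheduler
add name=cert-expiry-check interval=1d on-event=check-cert-expiry comment="Runs check-cert-expiry once a day"
```

The script can be run by hand with `/system script run check-cert-expiry` to confirm it works before relying on the scheduler; the warning appears in `/log print where topics~"warning"`.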

Troubleshooting Common SSTP Issues

1. Client Won’t Connect

  • Check SSL certificate name (CN must match hostname)
  • Ensure TCP 443 is open in firewall

2. Authentication Fails

  • Confirm username and password
  • Use only mschap2 authentication

3. Routing or DNS Issues

  • Set DNS in PPP profile
  • Ensure client IP range doesn’t overlap LAN

4. MTU Issues

/ip firewall mangle
# Clamp the TCP MSS on forwarded SYN packets so segments fit through the tunnel without fragmentation
add action=change-mss chain=forward protocol=tcp tcp-flags=syn tcp-mss=!0-1360 new-mss=1360 passthrough=yes

Quick SSTP Server Setup Script

/ip pool add name=vpn-pool ranges=192.168.50.10-192.168.50.50
/ppp profile add name=sstp-profile local-address=192.168.50.1 remote-address=vpn-pool dns-server=8.8.8.8 use-encryption=yes
/ppp secret add name=vpnuser password=StrongPassword profile=sstp-profile service=sstp
/certificate add name=ca-template common-name="MyCA" key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign ca-template name=MyCA
/certificate add name=server-template common-name="vpn.yourdomain.com" key-usage=digital-signature,key-encipherment,tls-server days-valid=3650
/certificate sign server-template name=server-cert ca=MyCA
/certificate set MyCA trusted=yes
/interface sstp-server server set enabled=yes certificate=server-cert default-profile=sstp-profile authentication=mschap2 verify-client-certificate=no
/ip firewall filter add chain=input protocol=tcp dst-port=443 action=accept comment="Allow SSTP"

Frequently Asked Questions (FAQ)

Can I use Let’s Encrypt on MikroTik?

Yes. Use scripting or external tools to generate the certificate and import it into RouterOS.

Is SSTP VPN secure?

Yes. SSTP uses SSL/TLS encryption and supports strong authentication.

What port does SSTP VPN use?

TCP port 443.

Does SSTP work behind NAT?

Yes. SSTP is NAT-friendly and works through most firewalls.

Can MikroTik connect as SSTP client?

Yes. Use /interface sstp-client for site-to-site configurations.
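A site-to-site variant of that answer, added here as an example and not taken from the original FAQ. The head-office router issues a client certificate from the guide's MyCA, requires client certificates, and assigns the branch a fixed tunnel address with a route back to its LAN; the branch router connects with /interface sstp-client, verifies the server certificate and hostname, and routes the head-office LAN through the tunnel. Names (siteb, siteb-cert, sstp-to-hq), passwords, and the LANs 192.168.1.0/24 (head office) and 192.168.2.0/24 (branch) are placeholders; the guide's MyCA, sstp-profile and 192.168.50.0/24 pool are reused. Note that verify-client-certificate=yes applies to every peer of that server, so keep it at no if Windows users connect to the same router.

```routeros
# Added example, not from the original guide. Placeholders: siteb, siteb-cert,
# sstp-to-hq, the passwords, and the LANs 192.168.1.0/24 (HQ) / 192.168.2.0/24 (branch).

# ---- Head office (SSTP server) ----
/certificate
# Client certificate for the branch, signed by the guide's MyCA
add name=siteb-template common-name="siteb" key-usage=tls-client days-valid=730
sign siteb-template name=siteb-cert ca=MyCA
# Export the CA (public part only) and the client certificate with its key as PKCS#12
# (type=pkcs12 is a RouterOS v7 option; v6 exports a PEM .crt/.key pair instead)
export-certificate MyCA file-name=MyCA
export-certificate siteb-cert type=pkcs12 export-passphrase=ExportPassphrase123 file-name=siteb-cert

# Require a client certificate from every SSTP peer of this server
/interface sstp-server server
set verify-client-certificate=yes

# Fixed tunnel address for the branch and a route back to its LAN
# (routes format: "dst gateway metric")
/ppp secret
add name=siteb password=BranchSecret123 service=sstp profile=sstp-profile remote-address=192.168.50.2 routes="192.168.2.0/24 192.168.50.2 1"

# ---- Branch office (SSTP client) ----
# After copying MyCA.crt and siteb-cert.p12 into the branch router's Files:
/certificate
import file-name=MyCA.crt
import file-name=siteb-cert.p12 passphrase=ExportPassphrase123
# Imported entries are named after the file, so look them up by common name
set [find common-name="MyCA"] trusted=yes

/interface sstp-client
add name=sstp-to-hq connect-to=vpn.yourdomain.com user=siteb password=BranchSecret123 \
    certificate=[/certificate get [find common-name="siteb"] name] \
    profile=default-encryption authentication=mschap2 \
    verify-server-certificate=yes verify-server-address-from-certificate=yes \
    add-default-route=no disabled=no

# Reach the head-office LAN through the tunnel interface
/ip route
add dst-address=192.168.1.0/24 gateway=sstp-to-hq
```

On the branch router `/interface sstp-client monitor sstp-to-hq` shows whether the tunnel is up and which encryption was negotiated; on the head office `/ppp active print` should list the siteb session with address 192.168.50.2 and the 192.168.2.0/24 route should appear in `/ip route print`.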

Conclusion

MikroTik SSTP VPN is a strong option for remote access. It uses SSL encryption, works through firewalls, and supports easy configuration. Use strong passwords, proper firewall rules, and certificates to protect your setup. This guide provides a clear path to deploy, test, and secure a MikroTik SSTP VPN successfully.
