sstpc - Man Page

SSTP Client

Synopsis

sstpc [<sstp-options>] <hostname> [ppp-options] ...

Description

sstpc establishes the client side of a Virtual Private Network (VPN) using the Secure Socket Tunneling Protocol (SSTP). Use this program to connect to an employer's SSTP based VPN when PPTP and L2TP is not working.

By default, sstpc establishes the SSTP call to the SSTP server, and then starts an instance of pppd to manage the data transfer. However, sstpc can also be run as a connection manager within pppd.

Options

The first non-option argument on the sstpc command line must be the host name or IP address of the SSTP server.

All long options (starting with "--") are interpreted as sstpc options, and a fatal error occurs if an unrecognised option is used.

All command-line arguments which do not start with "-" are interpreted as ppp options, and passed as is to pppd unless --nolaunchpppd is given.

--ca-cert

Specify the CA certificate used to verify the server with

--ca-dir

Specify the directory of certificates that contains the CA certificate. If nothing is specified, the system's wide directory is used.

--cert-warn

Ignore certificate warnings like common name instead of terminating the connection.

--host

When connecting to an IP address, the host parameter will provide the hostname for http, proxy and tls-ext

--ipparam

This will help specify the callback socket that pppd will try to connect back to sstpc in order to communicate the MPPE keys as negotiated. The MPPE keys are required to authenticate against the server at the SSL layer. They can be zeroed if no MPPE is negotiated. The name is formed based on /tmp/sstpc-<ipparam>.

--nolaunchpppd

Do not launch pppd but use stdin as the network connection.  Use this flag when including sstpc as a pppd connection process using the pty option. See Examples.

--password

Specify a password per command line instead of setting it up in a configuration file for pppd in /etc/ppp/peers.

--proxy

Connect to the SSTP server via a proxy on your network. The syntax is http://[<user>:<pass>@]<domain>:port.

--priv-user

Specify the privilege separation user to run sstpc

--priv-group

Specify the privilege separation group to run sstpc

--priv-dir

Specify the privilege separation directory for the chroot jail to run sstpc

--user

Specify the username to authenticate to the SSTP server instead of setting it up in a configuration file for pppd in /etc/ppp/peers.

--save-server-route

This will automatically add and remove a route to the SSTP server.

--uuid

Specify a UUID for the connection to simplify the server end debugging.

--tls-ext

This will enable TLS hostname extension.

Troubleshooting

The following options are available to help troubleshoot sstpc

--log-level <level>

Set the debug level for debugging the sstpc process. Level can be a value between 0 and 4.

--log-syslog

Log messages to syslog (default).

--log-stderr

Log messages to error output

--log-stdout

Log messages to standard output

--log-fileno

Include file and line number with the log messages

--log-filter

Filter the logs by a particular set of files, e.g: sstp-packet,sstp-state

--log-ident

Specify the identity that will be used when writing logs to e.g. syslog

Examples

Connection to a Microsoft Windows RAS Service using SSTP protocol

Setup the peer scripts in /etc/ppp/peers, you may start by cloning one of the scripts available in your docs directory, /usr/share/doc/sstp-client, or /usr/local/share/doc/sstp-client. The general content of this file will be close to the following:

# Example Content of /etc/ppp/peers/sstp-test
remotename  sstp-test
linkname    sstp-test
ipparam     sstp-test
pty         "sstpc --ipparam sstp-test --nolaunchpppd sstp-test.yourdomain.com"
name        eivnaes
plugin      sstp-pppd-plugin.so
sstp-sock   /var/run/sstpc/sstpc-sstp-test
usepeerdns
require-mppe
require-mschap-v2
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate

Note that the chap-secrets file used by pppd must include an entry for domain\\username. For the sstp-test example, the user eivnaes will have a equivalent entry in the /etc/ppp/chap-secrets file.

# Secrets for authentication using CHAP
# client        server  secret          IP addresses
eivnaes         *       xxxxxx          *

Starting the sstp-test using the pon script

sudo pon sstp-test

Invoking sstpc using the the call command

sstpc --ipparam sstp-test sstp-test.yourdomain.com call sstp-test-nopty

The sstp-test-nopty is a pppd script you need to create in /etc/ppp/peers, and you can clone the example sstp-test above; but you must omit the pty statement in the peers configuration.

See Also

pppd(8)

Author

This manual page was written by Eivind Naess <enaess@yahoo.com>