Configure Mikrotik SSTP VPN with TLS certificate

In our previous post, we showed how to automatically generate and activate/renew a Let’s Encrypt TLS certificate on a Mikrotik device: https://www.amd-k6.com/automate-letss-encrypt-tls-certificate-on-mikrotik-routeros/

Today, we look at configuring an SSTP VPN server which uses this certificate so you can remotely connect to your Mikrotik router from a Windows PC, for example.

The first step is to create a VPN user. This is done in PPP > Secrets. The options are mostly straightforward:

  • Name: your username
  • Password: select a strong password
  • Service: select sstp
  • Profile: default-encryption
  • Local address: set the IP address of your Mikrotik device on the LAN side
  • Remote address: this is the IP address you will get from the VPN; select an address that is available on your LAN

The next step is to enable the SSTP server. Click PPP > SSTP Server:

  • Enable it
  • Port: default is 443, I set mine to 1724 so it’s a bit harder to scan
  • Authentication: select only mschap2 which is the most “secure”
  • Certificate: select the certificate we created in our previous article
  • TLS Version: select the most secure one compatible with your OS, that is TLS 1.2 at the moment
  • Select Force AES and PFS

And that’s it. Now, on a Windows 10 PC, you can just add a new VPN connection, and it should work!
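To check that the server really ended up with the settings listed above, you can run /export on the router and audit the SSTP section. The script below is an added example, not part of the original post: the function names, the sample exports and the certificate placeholder are constructed, and the default values are assumed from the RouterOS SSTP server documentation.

```python
import re
import shlex

# /export omits properties left at their default, so the defaults are
# applied first (assumed from the RouterOS SSTP server documentation).
DEFAULTS = {
    "enabled": "no", "port": "443",
    "authentication": "pap,chap,mschap1,mschap2",
    "certificate": "none", "tls-version": "any",
    "force-aes": "no", "pfs": "no",
}

def sstp_settings(export_text):
    """Return the effective SSTP server settings from /export output."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join continued lines
    settings, in_section = dict(DEFAULTS), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/interface sstp-server server"
        elif in_section and line.startswith("set "):
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                settings[key] = value
    return settings

def audit(s):
    """List deviations from the server settings recommended in this post."""
    checks = [
        (s["enabled"] == "yes", "SSTP server is not enabled"),
        (s["authentication"] == "mschap2", "authentication should be mschap2 only"),
        (s["certificate"] != "none", "no TLS certificate selected"),
        (s["tls-version"] == "only-1.2", "TLS version not restricted to 1.2"),
        (s["force-aes"] == "yes", "Force AES is off"),
        (s["pfs"] != "no", "PFS is off"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample exports; the certificate name is a placeholder.
HARDENED = """/interface sstp-server server
set authentication=mschap2 certificate=CERT-PLACEHOLDER enabled=yes \\
    force-aes=yes pfs=yes port=1724 tls-version=only-1.2
"""
WEAK = """/interface sstp-server server
set enabled=yes port=1724
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(sstp_settings(text)) or "OK")
```

The weak sample shows why the defaults matter: a server that was only enabled and moved to another port still accepts every authentication method and has no certificate, even though none of that appears in the export.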
