Ubuntu Connect To SSTP VPN
Does anyone have any experience with connecting an Ubuntu 10.10 machine to an SSTP VPN server? I haven't found much good information on how to do it.
Maybe sstp-client can do it? And here is network-manager support for it.
There are now Ubuntu packages for recent distributions, so you should be able to add the PPA for eivnaes/network-manager-sstp and install the packages:
$ sudo add-apt-repository ppa:eivnaes/network-manager-sstp
...
$ sudo apt-get update
$ sudo apt-get install sstp-client
$ sudo apt-get install network-manager-sstp-gnome # NM configuration GUI
Example
Here is an example of an entry in /etc/network/interfaces:
auto work
iface work inet ppp
    provider work
    options pty "sstpc vpn.example.com --ca-cert /path/to/example.com.ca.crt --nolaunchpppd" \
        plugin sstp-pppd-plugin.so sstp-sock /var/run/sstpc/sstpc-uds-sock \
        lock nodefaultroute noipdefault noauth user myusername \
        refuse-pap refuse-chap refuse-eap nobsdcomp nodeflate novj \
        nomultilink \
        persist maxfail 0 \
        debug logfd 2
    pre-up touch /etc/ppp/peers/work
Usage
Then you just use ifup work and ifdown work to connect or disconnect.
Installation
You'll need to compile the sstp-client and install it. This can be done by following the instructions on http://sstp-client.sourceforge.net/ or building a deb package using these instructions:
# Build dependencies (run these commands as root)
apt-get install build-essential dpkg-dev debhelper ppp-dev libevent-dev libssl-dev
mkdir sstp-client.build && cd sstp-client.build
# -O (capital) sets the output file name; lowercase -o would write wget's log there instead
wget -O sstp-client-1.0.10.tar.gz http://sourceforge.net/projects/sstp-client/files/sstp-client/1.0.10/sstp-client-1.0.10.tar.gz/download
tar xzvf sstp-client-1.0.10.tar.gz
cd sstp-client-1.0.10
# Build unsigned binary packages only
dpkg-buildpackage -b -us -uc
cd ..
dpkg -i sstp-client_1.0.10-0ubuntu2_amd64.deb \
    libsstp-client0_1.0.10-0ubuntu2_amd64.deb \
    libsstp-client-dev_1.0.10-0ubuntu2_amd64.deb
# Make the plugin visible in the installed pppd version's plugin directory
cd /usr/lib/pppd/2.4.5 && ln -s ../2.4.6/sstp-pppd-plugin.so .
Fix symlink
The pppd lib dir is hard-coded to use 2.4.6, and not the installed version, which is why the symlink is required. This is a bug in the Debian build description for sstp-client.
Typical connection timeout issue
If you use the pppd pty option (which the example uses) it is vital that the parameters plugin sstp-pppd-plugin.so sstp-sock /var/run/sstpc/sstpc-uds-sock are specified. If you don't specify these, you'll end up getting the famous Connection aborted, reason not known error after approximately 60 seconds, and the connection will not transmit packets.
CA certificate requirement
You also must have the CA certificate for the Active Directory domain the Microsoft SSTP VPN server is part of in the local file /path/to/example.com.ca.crt. This can usually be found in the CertEnroll SMB share on one of the Domain Controllers. Export it as a Base64-encoded X509 certificate and rename as appropriate. Use certtool -i < example.com.ca.crt to verify you have the correct certificate with the correct information.
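A check for the two requirements described in the answer above (the plugin/sstp-sock options for pppd and a CA file passed to sstpc), as an added example that is not part of the original answer. The function names and both sample stanzas are constructed for illustration.

```shell
#!/bin/sh
# Lint an ifupdown "inet ppp" stanza that runs pppd over sstpc via pty.
# Function names and both sample stanzas are constructed for this example.

# Join backslash-continued lines into one logical line.
join_continuations() {
    awk '{ if (sub(/\\[ \t]*$/, "")) printf "%s ", $0; else print }'
}

# Reads a stanza on stdin and prints one finding per line.
# Returns 0 when nothing is missing, 1 otherwise.
check_sstp_stanza() {
    opts=$(join_continuations | grep -E '^[[:space:]]*options[[:space:]]' |
           head -n 1 | tr -s ' \t' ' ')
    # Split into the quoted sstpc command and the pppd options after it.
    pty_cmd=$(printf '%s\n' "$opts" | sed -n 's/.*pty "\(sstpc [^"]*\)".*/\1/p')
    ppp_opts=$(printf '%s\n' "$opts" | sed -n 's/.*pty "[^"]*"\(.*\)/\1/p')
    if [ -z "$pty_cmd" ]; then
        echo 'no options line with pty "sstpc ..." found'
        return 1
    fi
    rc=0
    case " $pty_cmd " in
        *' --ca-cert '[!-]*) ;;
        *) echo 'sstpc: --ca-cert <CA file> not given'; rc=1 ;;
    esac
    case " $ppp_opts " in
        *' plugin sstp-pppd-plugin.so '*) ;;
        *) echo 'pppd: plugin sstp-pppd-plugin.so missing'; rc=1 ;;
    esac
    case " $ppp_opts " in
        *' sstp-sock '?*) ;;
        *) echo 'pppd: sstp-sock <socket path> missing'; rc=1 ;;
    esac
    return $rc
}

GOOD_STANZA='iface work inet ppp
provider work
options pty "sstpc vpn.example.com --ca-cert /path/to/example.com.ca.crt --nolaunchpppd" \
    plugin sstp-pppd-plugin.so sstp-sock /var/run/sstpc/sstpc-uds-sock \
    lock nodefaultroute noipdefault noauth user myusername'

# Same stanza without the plugin options: the 60-second abort case.
BAD_STANZA='iface work inet ppp
provider work
options pty "sstpc vpn.example.com --ca-cert /path/to/example.com.ca.crt --nolaunchpppd" \
    lock nodefaultroute noipdefault noauth user myusername'

printf '%s\n' "$BAD_STANZA" | check_sstp_stanza || true
```

To check a real configuration, pipe the relevant iface stanza from /etc/network/interfaces into check_sstp_stanza.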