@daryltucker
Last active September 14, 2021 02:44
sstp on Linux for Microsoft Azure VPN Gateway
#!/bin/bash
# Build sstp-client and network-manager-sstp from source for use with an
# Azure VPN Gateway (SSTP). Stop at the first failing step.
set -e
# Install build dependencies. The list spans several Debian/Ubuntu releases;
# drop any name apt cannot find on yours.
sudo apt install -y git build-essential libevent-dev ppp-dev libssl-dev intltool automake autoconf libglib-dev libglib2.0-dev gnutls gnutls-bin gnutls-dev libgtk3-dev libgtkd-3-dev libgtk-3-dev libnma-dev libsecret1-dev libsecret-1-dev libppp-dev
# Determine the pppd version: plugins must be installed under /usr/lib/pppd/<version>
pppd_version="$(pppd --version 2>&1 | awk '{print $3}')"
# Compile sstp-client
mkdir -p ~/src; cd ~/src
git clone https://gitlab.com/eivnaes/sstp-client
cd sstp-client
# As of this writing, newer builds fail with:
# Connection was aborted, Value of attribute is incorrect
git checkout 96ed53eb9e1445309a613c87022b7feb36fa18b9
./autogen.sh \
    --prefix=/usr \
    --localstatedir=/ \
    --with-pppd-plugin-dir="/usr/lib/pppd/$pppd_version"
make
sudo make install
# Compile network-manager-sstp
cd ..
git clone https://github.com/enaess/network-manager-sstp
cd network-manager-sstp
git checkout 1.0.15
./autogen.sh \
    --prefix=/usr \
    --sysconfdir=/etc \
    --with-pppd-plugin-dir="/usr/lib/pppd/$pppd_version" \
    --libdir=/usr/lib \
    --libexecdir=/usr/lib/NetworkManager \
    --with-libnm-glib=no \
    --enable-more-warnings=yes
make
sudo make install

sstp on Linux for Microsoft Azure VPN Gateway

Preparation

Set these first. vpn_name is reused for the peers file, the sstpc control socket and the certificate file names; vpn_user_cn is the CN of your client certificate, whose files are expected at ~/.ssh/<cn>-client.crt and ~/.ssh/<cn>-client.key below.

vpn_name=""
vpn_gateway_url=""
vpn_user_cn=""

The certificate directory gets mode 700 (a directory needs the execute bit to be traversed; 600 would only work because root ignores it):

sudo mkdir -p /etc/ppp/certs; sudo chmod 700 /etc/ppp/certs

Download and extract VPN settings from Azure

Determine gateway hostname

Within Generic/VpnSettings.xml (part of the VPN client configuration package downloaded from the gateway) you should see a <VpnServer> element; its value is the gateway hostname.

vpn_gateway_url="azuregateway-....cloudapp.net"

Convert .cer to .pem format

openssl x509 -inform der -in Generic/VpnServerRoot.cer -out "/tmp/$vpn_name-server.pem"
sudo mv "/tmp/$vpn_name-server.pem" /etc/ppp/certs/

Create VPN configuration

Create the configuration with the variables set above, then move it into place. The same $vpn_name is used for linkname, ipparam, the sstpc --ipparam argument and the sstp-sock path: sstpc names its control socket after its ipparam, so these must agree or the pppd plugin will not find the socket.

cat <<EOF > /tmp/$vpn_name
# Name pppd compares against the CN of the gateway's EAP-TLS certificate
remotename  $vpn_gateway_url
linkname    $vpn_name
ipparam     $vpn_name
pty         "sstpc --ipparam $vpn_name --nolaunchpppd --ca-cert /etc/ppp/certs/$vpn_name-server.pem $vpn_gateway_url"
# Our identity: the CN of the client certificate
name        $vpn_user_cn
plugin      sstp-pppd-plugin.so
sstp-sock   /var/run/sstpc/sstpc-$vpn_name
require-mppe
# EAP (TLS) is the only authentication protocol negotiated; never fall back to a password method
require-eap
refuse-mschap-v2
refuse-pap
refuse-chap
refuse-mschap
# Disable compression
nodeflate
nobsdcomp
novj
novjccomp
# Do not demand PPP password authentication from the gateway; trust rests on the certificate checks below
noauth
# Client certificate authentication (EAP-TLS): the gateway's certificate must chain to ca, cert/key identify us
ca   "/etc/ppp/certs/$vpn_name-server.pem"
cert "/home/$USER/.ssh/$vpn_user_cn-client.crt"
key  "/home/$USER/.ssh/$vpn_user_cn-client.key"
EOF
sudo mv "/tmp/$vpn_name" /etc/ppp/peers/; sudo chmod 600 "/etc/ppp/peers/$vpn_name"

Start VPN connection

The domain name given by Microsoft in this configuration causes problems with DNS and, as the log shows, with certificate validation: pppd compares the CN of the gateway's EAP-TLS certificate against remotename, and the two do not match, so the first attempt fails with

pppd[111447]: Certificate verification error: CN (XXX.vpn.cloudapp.net) != peer_name (azuregateway-XXX-YYY.vpn.cloudapp.net)
pppd[111447]:  -> Alert: internal error
pppd[111447]: EAP: peer reports authentication failure
  1. Open a second terminal and begin monitoring the system logs (e.g. sudo journalctl -f)
  2. Attempt to connect to the VPN
    • sudo -E pon $vpn_name
  3. Set remotename in /etc/ppp/peers/$vpn_name to the CN reported in the log (the hostname in the pty line stays as it is; that is where sstpc connects)
  4. Attempt to connect again.

Taking remotename from the log does not weaken the check on its own: pppd still requires the gateway's certificate to chain to the root given with ca, so the CN is only accepted together with a chain that validates against VpnServerRoot. Disconnect with sudo poff $vpn_name.
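The whole procedure, as an added shell example that is not part of the gist: it reads the gateway hostname out of VpnSettings.xml, pulls the CN that pppd reports in the verification error so remotename can be corrected before the second attempt, renders the peers file with one name shared by linkname, ipparam, the sstpc --ipparam argument and sstp-sock, and checks that consistency on an existing file. The function names, the Generic/ folder of the Azure client package, the certificate locations and the sample inputs are assumptions for this example; the log line format is the one shown above.

```shell
#!/bin/bash
# Added example, not the gist's own code: assemble and check the pppd peers
# file for an Azure SSTP gateway. Function names, paths and the Generic/
# folder name are assumptions for this example.
set -eu

# Gateway hostname from Generic/VpnSettings.xml (the <VpnServer> element).
vpn_server_from_xml() {
    sed -n 's|.*<VpnServer>\([^<]*\)</VpnServer>.*|\1|p' "$1" | head -n 1
}

# CN reported by pppd in a line of the form
#   Certificate verification error: CN (cn) != peer_name (remotename)
# That CN is the value remotename has to be changed to. Prints nothing for
# any other line.
cn_from_verify_error() {
    printf '%s\n' "$1" | sed -n 's/.*Certificate verification error: CN (\([^)]*\)) != peer_name.*/\1/p'
}

# Convert the DER root certificate shipped in the package to PEM.
cer_to_pem() {
    openssl x509 -inform der -in "$1" -out "$2"
}

# Render /etc/ppp/peers/<name>. Every per-connection identifier (linkname,
# ipparam, the sstpc --ipparam argument, the sstp-sock suffix) derives from
# $name, because sstpc names its control socket after its ipparam.
render_peer() {
    local name="$1" remotename="$2" gateway="$3" user_cn="$4" ca="$5" certdir="$6"
    cat <<EOF
remotename  $remotename
linkname    $name
ipparam     $name
pty         "sstpc --ipparam $name --nolaunchpppd --ca-cert $ca $gateway"
name        $user_cn
plugin      sstp-pppd-plugin.so
sstp-sock   /var/run/sstpc/sstpc-$name
require-mppe
require-eap
refuse-mschap-v2
refuse-pap
refuse-chap
refuse-mschap
nodeflate
nobsdcomp
novj
novjccomp
noauth
ca   "$ca"
cert "$certdir/$user_cn-client.crt"
key  "$certdir/$user_cn-client.key"
EOF
}

# Check an existing peers file: linkname, ipparam, the sstpc --ipparam value
# and the sstp-sock suffix must all be the same string. Exit status 0 if so.
peer_names_consistent() {
    local f="$1" link ipp sock pty
    link=$(awk '$1 == "linkname" { print $2 }' "$f")
    ipp=$(awk '$1 == "ipparam" { print $2 }' "$f")
    sock=$(awk '$1 == "sstp-sock" { sub(".*/sstpc-", "", $2); print $2 }' "$f")
    pty=$(sed -n 's/^pty .*--ipparam  *\([^ "]*\).*/\1/p' "$f")
    [ -n "$link" ] && [ "$link" = "$ipp" ] && [ "$link" = "$sock" ] && [ "$link" = "$pty" ]
}

# Typical use after unzipping the client package into ./azure (install steps as root):
#   gw=$(vpn_server_from_xml azure/Generic/VpnSettings.xml)
#   cer_to_pem azure/Generic/VpnServerRoot.cer azure-vpn-server.pem
#   render_peer azure-vpn "$gw" "$gw" "$client_cn" /etc/ppp/certs/azure-vpn-server.pem /etc/ppp/certs > azure-vpn
#   peer_names_consistent azure-vpn
# After the first failed pon, pass the journal line to cn_from_verify_error and
# re-render with that CN as the second argument.
```

The consistency check is worth running on a hand-edited peers file too: a mismatch between ipparam and the sstpc --ipparam argument produces a connection that silently never gets a socket rather than a clear error.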