@iainsproat
Created April 24, 2018 22:56
Instructions to create an SSTP VPN in a docker container running on a GCP VM

Creating an SSTP server on GCP


Local command line

  1. ssh-keygen -t rsa -b 4096 -C "YOUR EMAIL ADDRESS" -f ~/.ssh/gcp-sstp-box
  2. this writes the private key to ~/.ssh/gcp-sstp-box and the public key to ~/.ssh/gcp-sstp-box.pub; give the private key a passphrase when prompted
  3. also save the key to an encrypted location, e.g. Lastpass
  4. gcloud config set project YOURGCPPROJECTNAME
  5. gcloud config set compute/region europe-west1 (or wherever you wish to host it)
  6. gcloud config set compute/zone europe-west1-b (or wherever)

Google UI

  1. Create instance
    • type: g1-small (based on usage to date this might be oversized; a micro may be possible)
    • zone: europe-west1-b (or wherever)
    • name & tag: sstp
    • Image: container-optimized-stable
    • Add the public key from ~/.ssh/gcp-sstp-box.pub
    • default service account permissions/roles
    • select allow HTTPS access (this adds the https-server tag and an ingress firewall rule for TCP 443, which is the port SSTP clients connect to)
  2. Allocate the instance a static (reserved) external IP; a self-signed certificate issued for an ephemeral IP stops working as soon as the address changes
  3. Egress from instances tagged sstp to 0.0.0.0/0 on all ports must be allowed so the VPN can forward client traffic. The default VPC network already allows all egress, so add an explicit egress rule (allow all) only if your network carries a deny-egress rule.

Local command line

  1. gcloud compute ssh sstp --ssh-key-file ~/.ssh/gcp-sstp-box (without --ssh-key-file, gcloud generates and registers its own key in ~/.ssh/google_compute_engine instead of using the one created above)

On the instance

  1. openssl req -nodes -new -x509 -keyout /tmp/key.pem -out /tmp/cert.pem
    • do not provide a password for this key (that is what -nodes does; the container has to read the key unattended)
    • The Common Name (CN) must be the static IP address of the instance. Modern TLS clients match the address against the subjectAltName and may ignore the CN, so on OpenSSL 1.1.1 or later also add -addext "subjectAltName=IP:<STATIC IP>"
    • All other parameters can be blank
    • Without -days, openssl issues a certificate valid for only 30 days, after which clients refuse to connect; set an explicit lifetime
    • For more security use rsa:4096 with an expiry period, e.g. openssl req -x509 -nodes -newkey rsa:4096 -keyout /tmp/key.pem -out /tmp/cert.pem -days 365 (-nodes is required here too, or the key is encrypted with a passphrase the container cannot supply)
  2. docker run -d --cap-add NET_ADMIN -e SSTP_ENABLED=1 -e USERNAME=<YOUR USERNAME> -e PASSWORD=<CREATE A NEW PASSWORD> -e SERVER_PWD=<CREATE ANOTHER NEW PASSWORD> -e CERT="$(cat /tmp/cert.pem)" -e KEY="$(cat /tmp/key.pem)" -p 443:443/tcp fernandezcuesta/softethervpn
    • The certificate, private key and both passwords are passed as environment variables, so anyone who can run docker inspect on the host can read them; the host is inside the trust boundary of this VPN
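The certificate step above, written out as an added example (this is not code from the original gist): it generates the self-signed server certificate with the instance's static IP in both the CN and the subjectAltName, a 4096-bit key and an explicit lifetime, and then checks the result for the two usual mistakes (IP missing from the SAN, lifetime shorter than expected) before the files are handed to the container. The function names and the 203.0.113.10 documentation address are assumptions; substitute your own static IP.

```shell
#!/bin/sh
# Added example, not part of the original gist: self-signed SSTP server
# certificate with the static IP in CN and SAN, plus sanity checks.
# 203.0.113.10 (RFC 5737 documentation range) stands in for your static IP.

# make_cert IP DAYS OUTDIR: writes OUTDIR/key.pem (unencrypted, mode 600)
# and OUTDIR/cert.pem. A req config file is used instead of -addext so the
# same command also works on OpenSSL releases older than 1.1.1.
make_cert() {
  ip="$1"; days="$2"; out="$3"
  mkdir -p "$out"
  cat >"$out/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = srv
[dn]
CN = $ip
[srv]
subjectAltName = IP:$ip
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # -nodes: no passphrase, because the container must read the key unattended
  openssl req -x509 -nodes -newkey rsa:4096 -days "$days" \
    -config "$out/req.cnf" -keyout "$out/key.pem" -out "$out/cert.pem" 2>/dev/null || return 1
  chmod 600 "$out/key.pem"
}

# cert_san_has_ip CERT IP: succeeds only if IP appears as a SAN "IP Address" entry
# (-w stops 203.0.113.1 from matching 203.0.113.10).
cert_san_has_ip() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -qw "IP Address:$2"
}

# cert_valid_for_days CERT N: succeeds if the certificate will not expire within N days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_fingerprint CERT: SHA-256 fingerprint, to compare on the client before
# installing the certificate as a trusted root.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: sh make-sstp-cert.sh <STATIC IP> [DAYS] [OUTDIR]
if [ $# -ge 1 ]; then
  ip="$1"; days="${2:-365}"; out="${3:-/tmp/sstp-cert}"
  make_cert "$ip" "$days" "$out" || { echo "openssl failed" >&2; exit 1; }
  cert_san_has_ip "$out/cert.pem" "$ip" || { echo "SAN does not contain $ip" >&2; exit 1; }
  cert_valid_for_days "$out/cert.pem" 30 || { echo "certificate expires within 30 days" >&2; exit 1; }
  echo "cert: $out/cert.pem  key: $out/key.pem  sha256: $(cert_fingerprint "$out/cert.pem")"
fi
```

Compare the printed fingerprint with the one Windows shows in the certificate dialog before placing the certificate in the Trusted Root store; it is the only thing that distinguishes your certificate from one an attacker on the path could substitute.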

Local command line

  1. gcloud compute scp sstp:/tmp/cert.pem ./server.cert

On the instance

  1. Save the cert and key in an encrypted secrets store (e.g. Lastpass); both are needed again for the startup script further down
  2. rm /tmp/cert.pem
  3. rm /tmp/key.pem
    • Deleting the files does not remove the key from the running container: it remains visible in docker inspect. If the host is ever compromised, issue a new key and certificate rather than reusing this one.

On Windows

  1. Install server.cert as a trusted root certificate:
  2. Right-click server.cert and press Install Certificate
  3. Click Next on the first panel
  4. Select 'Place all certificates in the following store'
  5. Browse to 'Trusted Root Certification Authorities'
  6. Click 'OK', then click 'Next'
  7. Click 'Finish' on the next panel
  8. Then follow this guide to connect the VPN
    • Because the certificate now sits in the root store, anyone who obtains key.pem can sign certificates this machine trusts for any site; keep the key out of shared storage and remove the certificate from the store when the VPN is retired

As a further activity, to ensure the SSTP container is started again whenever the VM is rebooted:

Local command line

  1. vim /tmp/sstp-startup.sh
  2. paste in the following, replacing the placeholders in <> with the values held in your secrets store (the CERT and KEY values are the full PEM contents, which may span several lines inside the quotes):
#! /bin/bash
# remove the container left over from the previous boot so the name and port 443 are free
docker rm -f sstp 2>/dev/null || true
exec docker run -d --name sstp --cap-add NET_ADMIN -e SSTP_ENABLED=1 -e USERNAME=<YOUR USERNAME> -e PASSWORD=<YOUR PASSWORD> -e SERVER_PWD=<YOUR SERVER PASSWORD> -e CERT="<CONTENTS OF cert.pem>" -e KEY="<CONTENTS OF key.pem>" -p 443:443/tcp fernandezcuesta/softethervpn
  3. gcloud compute instances add-metadata sstp --metadata-from-file startup-script=/tmp/sstp-startup.sh
    • Caveat: instance metadata is readable by anyone with compute.instances.get on the project and by any process on the VM through the metadata server, so the passwords and private key in this script are only as secret as that access. Prefer fetching them from a secrets manager at boot.
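A variant of the startup script, added here as an example (not from the original gist), that keeps the secrets out of instance metadata: at boot it obtains an access token for the VM's service account from the metadata server and reads each value from Secret Manager over its REST API, then starts the same container. Assumptions, all of them hypothetical names: the project is PROJECT_ID, the secrets are called sstp-username, sstp-password, sstp-server-pwd, sstp-cert and sstp-key, the VM's service account holds roles/secretmanager.secretAccessor, and the instance was created with the cloud-platform access scope (the default scopes do not include Secret Manager). Container-Optimized OS has no jq, so the JSON is picked apart with sed.

```shell
#!/bin/sh
# Added example, not part of the original gist: start the SSTP container with
# secrets read from Secret Manager instead of values pasted into metadata.
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"   # hypothetical project id

# json_field NAME: print the string value of a top-level "NAME": "..." field
# read from stdin. Good enough for the two small JSON documents used here.
json_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# metadata_token: access token for the VM's default service account.
metadata_token() {
  curl -sf --connect-timeout 2 --max-time 5 -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token' \
    | json_field access_token
}

# secret_payload: decode payload.data from a versions:access response on stdin.
# The pattern requires the exact key "data", so "dataCrc32c" is not matched.
secret_payload() {
  json_field data | tr -d '\n' | base64 -d
}

# get_secret NAME: latest version of secret NAME in PROJECT_ID.
get_secret() {
  curl -sf --connect-timeout 2 --max-time 10 \
    -H "Authorization: Bearer $(metadata_token)" \
    "https://secretmanager.googleapis.com/v1/projects/$PROJECT_ID/secrets/$1/versions/latest:access" \
    | secret_payload
}

# start_sstp: same container as the gist, secrets resolved at boot.
# The values still end up in the container's environment (docker inspect),
# but they no longer sit in project metadata.
start_sstp() {
  docker rm -f sstp 2>/dev/null || true
  exec docker run -d --name sstp --cap-add NET_ADMIN -e SSTP_ENABLED=1 \
    -e USERNAME="$(get_secret sstp-username)" \
    -e PASSWORD="$(get_secret sstp-password)" \
    -e SERVER_PWD="$(get_secret sstp-server-pwd)" \
    -e CERT="$(get_secret sstp-cert)" \
    -e KEY="$(get_secret sstp-key)" \
    -p 443:443/tcp fernandezcuesta/softethervpn
}

# Guarded so the helpers above can be sourced and exercised without touching
# docker or the network; see the usage note for the startup-script form.
if [ "${1:-}" = "start" ]; then
  start_sstp
fi
```

Run it by hand as sh sstp-startup.sh start. The startup-script agent invokes the file with no arguments, so for the metadata form replace the final guard with a bare start_sstp call, then install it with the same add-metadata command as above; the script itself then contains no secrets and can be stored alongside the rest of your configuration.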

For further information on Soft Ether VPN docker, refer to this guide found here
