opened image

    SSTP (Secure Socket Tunneling Protocol) is a form of virtual private network (VPN) tunnel that provides a mechanism for passing PPP traffic over an SSL/TLS channel.

    SSL/TLS provides transport layer security with key negotiation, encryption, and traffic integrity checking.


    A fairly simple VPN, which was developed by Microsoft, has a number of advantages,

    such as no need to install additional software to work on Windows,

    supported right out of the box, easy to configure both on the server side and on the client side,

    the disadvantages are that this VPN is somewhat slow, has limitations in terms of configuration and does not know support the UDP protocol.

    Despite the rather large drawbacks, in some cases it can be useful.


    We will be installing an SSTP VPN server based on SoftEther VPN in Docker, which allows you to further simplify the installation of this software.

    A guide on how to connect to the SSTP VPN server after it's setup, can be found here:


    SoftEther VPN also supports other protocols such as OpenVPN and L2TP/IPsec, but in this article we will focus only on SSTP.


    1. Docker installation

    Run the following commands to install and start the Docker service:

    wget -qO- | sh
    systemctl start docker
    systemctl enable docker


    2. Next, you need to open the port in firewall on which the VPN will work and save the setting permanently:

    iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    service iptables save

    On different Linux distributives saving iptables rules may differ.

    Please note that if sites are running on your server, you will need to select a different port to avoid port conflicts.


    3. Issuance of a certificate.

    Now you need to issue a certificate that will be used to encrypt the connection, note that there is no need to set a password for it.

    We will also need a domain that will be used for connection to the server, the domain must be directed to the IP address of the server in DNS,

    replace the word MYDOMAIN in the following line with your domain name:

    openssl req -x509 -nodes -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -days 365 -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=MYDOMAIN/[email protected]"


    For example, I will specify the "" domain, but you need to specify a real working domain, otherwise the VPN will not be able to connect.


    We get the secret key file "server_key.pem" and the certificate file "server_cert.pem" in the current folder.


    4. SoftEther VPN launch:

    Let's create a server password, that will be used only on the server and only for settings.

    Replace the word MYPASSWORD on the next line with your chosen password (password should be atleast 12 symbols and to consist of numbers and lowercase and uppercase letters) and then enter the following command in the console:



    Now let's create our user and it's password.

    This credentials will be used for connection, so write down this data somewhere, as we will need to enter it later on your computer:

    Replace the word MYUSER with your connection name and the word MYPASSWORD with your chosen password (password should be atleast 12 symbols and to consist of numbers and lowercase and uppercase letters) in next lines and then enter these lines in the console:


    I will use "client1" as the username.


    Download and run the container with SoftEther VPN, passing the previously specified parameters and attaching the previously created certificate, just run the following command:

    docker run --restart=always -d --name sstp-vpn --cap-add NET_ADMIN -p 443:443/tcp -e SSTP_ENABLED=1 -e USERNAME=${CUSER} -e PASSWORD=${CUSER_PASS} -e SERVER_PWD=${SERVER_PASS} -e CERT="$(cat server_cert.pem)" -e KEY="$(cat server_key.pem)" fernandezcuesta/softethervpn


    Let's check that our container is up and running:

    docker ps


    5. Create an additional user (optional)

    If you need to create a few more connections, then you need to run the following commands for each one:

    docker exec -it sstp-vpn ./vpncmd <MYDOMAIN> /SERVER /PASSWORD:"$SERVER_PASS" /ADMINHUB:DEFAULT /CSV /CMD UserCreate <USER_NAME> /GROUP:none /REALNAME:none /NOTE:none

    Where you need to replace:

    <MYDOMAIN> - replace with the domain name that you specified earlier in certificate issuing command

    <USER_NAME> - replace with the name of the new connection (user)

    <PASSWORD> - replace with the password of the new connection (user)


    On the server, the configuration is over, let's move on to the configuration guide on the client side in the next article: