Using SSTP package

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi, I want to connect to an sstp server but on a different port than 443 (e.g 9443).
The package doesn't have such an option to change server port and it doesn't even accept "server:port" format. Is there anyway to connect on a different port using the sstp package?

2

Is the server running on OpenWrt on on a device behind an openwrt router?

Does the client have the ability to change the port number?

3

it is actually a server from a commercial vpn service provider.
I can connect to the server using other sstp clients such as windows and android.
The sstp client package on openwrt doesn't have any option to change server port

4

Is the commercial VPN service using port 443 or some other port (9443, for example)?

Or... maybe the better question: doe the windows/android client 1) allow you to change the port, and 2) connect when you do change it from 443 to something else?

5

Hi

i tried out of curiosity and moved my SSTP server port to 4433
tried from CLI

root@dmz1:~# sstpc 133.123.247.221:4433 --user test
**Error: HTTP handshake with server failed, (-1)

so, client is capable to specify port

6

This is really weird, I tried it now and it gives me this error:

**Error: Verification of server certificate failed, (-2)

Any idea on how to resolve this problem and if there is anyway to configure the server and the port into an interface in LuCI so I can easily configure the firewall later?

7

sorry, i could not help you much
i remember that i struggle with l2tp and there was missing "default route" and "peer dns" in LuCI, but editing

/etc/config/network

by hand is good place to fix things / add missing options

so my advice is to place as much information as you can in LuCI, save, and then fix config file

don't worry, as long as interface is listed in config file, it will be started automaticaly. After all, OWRT working happily without (optional) LuCI web

8

No worries, thanks for the advise.

9

Now how can I solve the certificate problem?! Any ideas?

10

well, if you look at CLI ..

Usage: sstpc <sstp-options> <hostname> [[--] <pppd-options>]
   Or: pppd pty "sstpc --nolaunchpppd <sstp-options> <hostname>"

Available sstp options:
  --ca-cert <cert>         Provide the CA certificate in PEM format
  --ca-path <path>         Provide the CA certificate path
  --cert-warn              Warn on certificate errors
  --crl-file <pem>         Provide the CRL file in PEM format
  --crl-path <path>        Provide the CRL directory
  --ipparam <param>        The unique connection id used w/pppd
  --help                   Display this menu
  --nolaunchpppd           Don't start pppd, for use with pty option
  --password               Password
  --priv-user              The user to run as
  --priv-group             The group to run as
  --priv-dir               The privilege separation directory
  --proxy                  Proxy URL
  --user                   Username
  --save-server-route      Add route to VPN server
  --uuid                   The connection id
  --tls-ext                Enable TLS hostname extension
  --version                Display the version information

Available logging options:
  --log-level  <level>     Specify the log-level per command line
  --log-syslog <sock>      Output to syslog
  --log-stderr             Output to stderr (negates --log-stdout)
  --log-stdout             Output to stdout (negates --log-stderr)
  --log-lineno             Include file/line information in messags
  --log-ident              Specify log identity
  --log-filter <tok,tok>   Log messages matching a token

there is ca-cert and ca-path options, so i think you should upload somewhere cert file and pass this param in "sstp_option"

11

Yeah, I read the options. The issue is that I don't have any certificate and the service provider won't give me any

12

You could use --cert-warn

Ignore certificate warnings like common name instead of terminating the connection.

13

I tried this and it seems that it did ignore certificate errors, but it gave this error:

Received bad configure-ack:

then it timed out and terminated

14

Which provider are you using?

15

TorGuard service

16

Is there a reason why you don't use wireguard or openvpn?

https://forums.torguard.net/index.php?/topic/1637-solved-torguard-openwrt-wireguard-client/

17

Yes there is, because internet restrictions are very heavy here and these protocols don't work anymore.
I found a working wireguard server yesterday and after just 3 hours of use, the filtered it and it doesn't work anymore.

18

That sucks.

Can you try

--log-level debug

Can you provide the log but remove any sensitive information please.

19

I still can't get it to work :frowning:
Why is it so hard to add a port option to this package??!!

20

I really don't know what I'm doing wrong.
If I add the server port to the interface in: /etc/config/network using cli, it gives the couldn't resolve server address error.
If I try and connect from cli using this code: sstpc server:port --user username --password password --cert-warn it just hangs and gives several Received bad configure-ack: messages in system log.
And nothing happens when I specify --log-level, I really can't understand what to do to make this client package work.
I even tested softethervpn client package and didn't work out for me.
Please help me fix it or suggest another community package (if there's any) to connect to an sstp server over a specified port.