What is SSTP (Secure Socket Tunneling Protocol), and how does it help secure a VPN connection?
SSTP is a tunneling protocol developed by Microsoft for building VPN connections. It carries the VPN traffic inside an SSL/TLS session, which encrypts the data in transit, protects it on the Internet and makes the connection more reliable and secure.
Here are the situations for which SSTP VPN can be used:
Corporate networks
- Allows employees to connect to the corporate network from anywhere in the world while maintaining privacy and security of data transfer
- Provides secure remote access to internal company resources such as file servers, applications and email
Distant work
- With the rise of remote work, SSTP and VPN are becoming important tools for providing secure remote access to work resources
Bypassing blocking and censorship
- Allows you to bypass geo-restrictions and censorship on the Internet, providing access to blocked sites and services
Protection of personal information
- Protects personal information when using insecure networks, such as open Wi-Fi in cafes or airports
Remote access to home resources
- Provides secure access to home network resources, such as personal cloud storage or private network devices
Telecommunications and IT
- Used to provide secure connections between locations, servers and data in telecommunications and IT infrastructures
Historical reference
The SSTP protocol was developed by Microsoft and first introduced in the Windows Vista Service Pack 1 operating system in 2007. SSTP was created to provide more reliable and secure VPN connections than previous solutions, such as PPTP and L2TP/IPsec. Its appearance was a response to the need for more modern and secure VPN connection technologies, especially in the corporate sector, where data security is critical.
Since then, the SSTP protocol has gone through several stages of development:
Initial release in 2007
SSTP, introduced in Windows Vista SP1, allows Windows users to create secure VPN connections.
Expanded support in 2008
With the release of Windows 7 and subsequent Windows operating systems, SSTP support has become more comprehensive, and the protocol's performance and level of security have improved.
Support on other operating systems
Over time, SSTP implementations appeared for other operating systems, including open-source clients for Linux and macOS, making the SSTP VPN protocol more widely available.
Security and performance improvements
Improvements included support for modern SSL/TLS protocols and more efficient session management.
Today, SSTP remains a relevant and widely used VPN protocol, especially in Windows environments, due to its integration with Microsoft operating systems and the high level of security provided by SSL/TLS encryption. However, the emergence and proliferation of other protocols, such as OpenVPN and WireGuard, have given users and organizations additional options for secure VPN connections. Some consider these new protocols to be more flexible or performant than SSTP.
As such, SSTP remains an essential tool for creating secure VPN connections, especially in corporate environments and for Windows users, although other modern alternatives exist.
Basic features of SSTP VPN
Route push
Like other VPN protocols, the route push feature in SSTP allows the VPN server to automatically update the client's routing table with the necessary routes to access the internal network. This simplifies client-side configuration and ensures that traffic is routed correctly through the VPN tunnel.
TCP and UDP support
Unlike some other VPN protocols, SSTP primarily uses TCP for tunneling. TCP provides a reliable connection, which is important for security and data integrity, although it may be less efficient than protocols using UDP.
DNS server push
This feature allows the VPN server to automatically provide the client with information about DNS servers for name resolution on the internal network. This also simplifies client-side DNS configuration and ensures correct name resolution.
LDAP/RADIUS integration
SSTP can integrate with LDAP and RADIUS for centralized user authentication. This provides centralized management of accounts and security policies, which improves network management and security.
Cryptographic algorithms
SSTP uses the encryption algorithms provided by SSL/TLS to ensure confidentiality and data integrity. Reliable cryptographic algorithms are the basis for protecting data in VPN connections from unauthorized access and hacking.
These features combine to help provide a secure, reliable, and manageable VPN connection, which is critical for enterprise networks and remote access to resources.
Use of SSTP protocol in the corporate segment
The SSTP protocol provides secure and reliable remote access to corporate resources. With global organizations and the growing need for remote work, secure VPN connections are critical to maintaining business operations and protecting corporate information.
Examples of using SSTP VPN
Remote access to the corporate network
Employees traveling or working remotely can use SSTP to securely access internal company resources such as file servers, applications, and internal sites.
Connecting branches and divisions
Corporations with multiple branches and divisions can use SSTP protocol to create secure tunnels between networks for data exchange and network interoperability.
Securing communications with cloud services
SSTP VPN can provide a secure connection between the corporate network and cloud services if corporate data is hosted in the cloud storage.
Advantages and disadvantages of corporate networks
Advantages
- Security: SSTP offers strong encryption and authentication, providing high data security
- Integration with Microsoft products: Tight integration with Microsoft operating systems and products makes it a convenient solution for enterprise networks based on Microsoft technologies
- Overcoming blocking and filtering: SSTP easily overcomes network-level blocking by using TCP port 443, also used for secure web traffic (HTTPS)
Disadvantages
- Performance: The TCP used in SSTP can be less efficient than protocols using UDP, especially on networks with high latency or packet loss
- Limited platform support: Unlike other VPN protocols, SSTP may not be supported on all platforms or devices, which may cause problems on private networks
- Microsoft dependency: For companies that don't want to depend on Microsoft products, SSTP may be a less attractive option than other open VPN standards
- Security: The SSTP implementation is closed source and has never been publicly audited, leaving concerns about possible vulnerabilities
How the SSTP protocol can be useful for ordinary users
Secure Internet access
SSTP can be used to create an encrypted point-to-point tunnel between a user's device and a VPN server, allowing secure Internet browsing on open or unsecured networks, such as in cafes, hotels or airports.
Bypass blocking and censorship
If the user is in a country or network where specific sites or services are restricted or blocked, SSTP can help bypass these restrictions by providing access to blocked resources.
Secure remote access to your home network
If users want to connect to their home network securely from other locations, SSTP can help create a secure connection to home resources such as personal files, media, or smart home controls.
Anonymous Internet access
SSTP can help provide anonymity on the Internet by hiding a user's real IP address and encrypting their Internet traffic, making tracking a user's online activity harder.
Secure online transactions
For users who buy things online, SSTP can offer an additional level of security to protect their financial information and personal data.
Secure access to cloud services
If a user has data or services hosted in the cloud, SSTP can provide a secure connection between their device and cloud services, protecting the data from possible threats.
Advantages and disadvantages for private users
Advantages of SSTP for private use
- Security and privacy: The SSTP protocol offers a high level of encryption and authentication, which is important to ensure the privacy and security of user data
- Ease of setup: Setup is usually simple and requires no additional software on platforms that support SSTP. This makes it accessible to users without deep technical knowledge of VPN configuration
- Reliability: SSTP offers a reliable connection by using the TCP protocol to ensure data integrity and delivery
Disadvantages of SSTP for private use
- Performance: Because SSTP uses TCP instead of the faster UDP, performance can suffer, especially on networks with high latency or packet loss
- Limited platform support: SSTP is primarily built into Windows operating systems, and its support may be limited on other platforms, which may cause problems for users of other systems
- Dependency on third parties: To use SSTP, users must rely on VPN providers, which can present concerns regarding cost, privacy, and dependence on third-party services
- Difficulty in tracing problems: When connection problems occur, users may find it challenging to independently identify and correct the problem due to the technical complexity of the SSTP protocol
- Security: The SSTP implementation is closed source and has never been publicly audited, leaving concerns about possible vulnerabilities
SSTP protocol resistance to blocking
Secure Socket Tunneling Protocol is considered quite resistant to blocking for several reasons:
Using port 443
SSTP carries its traffic inside an SSL/TLS session on TCP port 443, the port traditionally used for secure web traffic (HTTPS). Most firewalls allow outbound TCP port 443 for HTTPS, so SSTP passes through them.
SSL encryption
SSTP uses the SSL (Secure Sockets Layer) protocol to encrypt data, similar to regular HTTPS traffic. This makes it hard to identify and block SSTP traffic. However, it also has some weaknesses:
- Protocol detection: Despite encryption, specialized DPI (Deep Packet Inspection) devices can sometimes detect and block SSTP traffic by its characteristics.
- Dependency on Microsoft: SSTP VPN is closely tied to Microsoft products, which may make it less resistant to blocking in environments where alternative technologies are used or where there are strict restrictions on Microsoft products.
In general, SSTP is pretty resistant to blocking due to its use of port 443 and SSL encryption. However, it is not entirely impervious to detection in more restrictive or controlled network environments.
Applicability and availability of the SSTP protocol on home routers
The availability of SSTP on home routers largely depends on the specific router model and manufacturer. Here are a few key aspects that can affect SSTP availability on home routers:
Router manufacturer
Some manufacturers offer built-in SSTP support on their routers, especially those aimed at the business segment or more technically advanced users.
Custom firmware
Custom firmware, such as DD-WRT or Tomato, can add SSTP support to routers that do not natively have it. However, installing custom firmware can be technically complex and require certain knowledge.
External VPN providers
Some VPN providers offer simple solutions for setting up SSTP on home routers, perhaps through apps or web interfaces. This can provide access to SSTP even if the router itself does not natively support this protocol.
Cloud VPN services
Cloud VPN services may offer SSTP settings that can be applied to your home router. This could be an option for those looking for an easy way to implement SSTP.
Technical support
Contact your router manufacturer's technical support to find out whether your router supports SSTP and how to configure it.
SSTP may not be as widely available on home routers as more popular VPN protocols such as OpenVPN and IPsec, especially on basic or budget routers. If SSTP access is important to you, check the specifications and documentation for your router or contact the manufacturer for more information.
How to deploy SSTP VPN on the server
Deploying Secure Socket Tunneling Protocol on a server involves several steps and requires certain hardware and software.
Installation and configuration steps
Installing a VPN server
Start by installing server software that supports SSTP, such as Windows Server with the Remote Access role (VPN and DirectAccess).
Setting up an SSL certificate
SSTP requires an SSL/TLS server certificate so that clients can authenticate the server and establish encryption. Obtain and install a certificate from a trusted certificate authority (CA), or create your own self-signed certificate.
SSTP port listening configuration
Make sure the server is configured to listen for incoming connections on TCP port 443, which SSTP uses.
Setting up routing and remote access
Configure routing and remote access rules to suit the requirements of your network infrastructure.
Testing
Test your VPN connection using a client computer or device to ensure everything is configured correctly.
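The five steps above, carried out from PowerShell on the server, as an added example that is not part of the original article. It assumes an elevated session on a Windows Server with the RemoteAccess module, a domain-joined server (the non-domain `-Legacy` mode is not shown), and placeholder values for the public name `vpn.example.com` and the client address pool. User authentication policy (EAP/MFA through NPS or another RADIUS server) is configured separately and is not covered here.

```powershell
# Added example (not the article's own): deploy an SSTP listener with the Remote Access role.
# Run in an elevated PowerShell session on the server. Placeholder values below are assumptions.

$VpnFqdn    = 'vpn.example.com'                  # placeholder public name of the VPN server
$ClientPool = @('10.250.0.1', '10.250.0.254')    # placeholder address range handed to VPN clients

# 1. Install the Remote Access role with VPN support and its management tools.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# 2. Pick the server certificate. SSTP clients validate the name and the chain, so the
#    certificate must carry $VpnFqdn as a DNS name, have a private key, and chain to a CA
#    the clients trust. The newest matching certificate wins.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $VpnFqdn } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $VpnFqdn with a private key in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); renew it before rollout"
}

# 3. Configure the VPN role with the client address pool, then bind the SSTP listener
#    (TCP 443) to the chosen certificate and restart the service so the binding takes effect.
Install-RemoteAccess -VpnType Vpn -IPAddressRange $ClientPool
Set-RemoteAccess -SslCertificate $cert
Restart-Service -Name RemoteAccess

# 4. Verify: the role reports the certificate it uses, and something is listening on TCP 443.
Get-RemoteAccess | Select-Object VpnStatus, SslCertificate
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The certificate selection deliberately filters on the DNS name rather than on the newest certificate in the store: a listener bound to a certificate whose name does not match the address clients dial fails validation on every client, which is the most common cause of "SSTP connects on port 443 but the tunnel never comes up".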
Hardware and software requirements
- Server: You need a reliable server with enough resources (CPU, memory, network bandwidth) to process VPN traffic
- Operating system: Microsoft Windows Server with Remote Access role or similar software that supports SSTP
- Network equipment: Provide suitable network equipment to handle VPN traffic and support the required protocols and ports
Security features and recommendations
SSL certificates
Use SSL certificates from trusted certificate authorities for better security, and avoid self-signed certificates where possible: clients can only verify a certificate that chains to a CA they already trust.
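A client-side check that covers both the testing step above and this certificate recommendation, added here as an example and not taken from the article: it opens a TLS session to the SSTP endpoint on port 443 and lets .NET perform the same chain and hostname validation that the Windows SSTP client performs. A self-signed or mis-named certificate makes the handshake fail, which is reported rather than silently tolerated. The server name `vpn.example.com` and the function name are placeholders.

```powershell
# Added example (not the article's own): verify that an SSTP endpoint presents a certificate
# that chains to a trusted CA, matches the name dialled, and is not about to expire.
# Requires no VPN role; runs on any Windows client with .NET.

function Test-SstpEndpointCertificate {
    param(
        [Parameter(Mandatory)] [string] $ServerName,   # placeholder: the name clients dial
        [int] $Port = 443,                             # SSTP listens on TCP 443
        [int] $WarnDays = 30                           # flag certificates expiring within this window
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ServerName, $Port)
        # No custom validation callback: .NET applies chain and hostname checks on our behalf.
        # (Revocation is not checked by this overload; add it in your own monitoring if required.)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($ServerName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Server      = $ServerName
                Trusted     = $true
                Subject     = $cert.Subject
                Issuer      = $cert.Issuer
                NotAfter    = $cert.NotAfter
                ExpiresSoon = ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
                Protocol    = $ssl.SslProtocol        # expect Tls12 or Tls13
                Cipher      = $ssl.CipherAlgorithm
            }
        } finally { $ssl.Dispose() }
    } catch {
        # Untrusted root, name mismatch and expired certificates surface as an
        # AuthenticationException; refused or filtered TCP 443 surfaces as a SocketException.
        $base = $_.Exception.GetBaseException()
        [pscustomobject]@{
            Server  = $ServerName
            Trusted = $false
            Reason  = if ($base -is [System.Security.Authentication.AuthenticationException]) { 'certificate validation failed' } else { 'connection failed' }
            Error   = $base.Message
        }
    } finally { $tcp.Dispose() }
}

Test-SstpEndpointCertificate -ServerName 'vpn.example.com' | Format-List
```

Running this from a machine that is not in the corporate domain is the honest test: a certificate issued by an internal CA looks trusted from a domain-joined laptop but fails from a home PC, which is exactly the case the recommendation above is about.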
Strong authentication
Implement strong authentication mechanisms such as multi-factor authentication (MFA) to improve the security of VPN access to your network.
Security policies
Create and implement strict security policies for accessing resources via VPN, including access control and network traffic monitoring.
Updates and patches
Regularly update your server and network equipment to protect all system components from known vulnerabilities.
Monitoring and logging
Configure monitoring and logging levels to track unusual activity and detect security incidents.
Features of configuration on the client
Setting up Secure Socket Tunneling Protocol on the client side may vary slightly depending on the platform. However, the basic process remains similar. Below are the general steps to configure SSTP on desktop and mobile operating systems:
Setting up on desktop devices
Windows
- Open Control Panel → Network and Internet → Network and Sharing Center
- Select Set up a new connection or network
- Select Desktop Connection and follow the connection creation wizard
- Enter the server address and connection credentials
- In the connection properties, make sure that the SSTP protocol is selected
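The same Windows client configuration driven from PowerShell, followed by a check of what the server actually pushed (the route push and DNS server push features described earlier). This is an added example, not the article's own steps; the profile name, the server address `vpn.example.com` and the use of MS-CHAPv2 are assumptions, and the server's authentication policy must accept the method chosen here.

```powershell
# Added example (not the article's own): create an SSTP profile, connect, and verify the
# routes and DNS servers the VPN server pushed to the client. Placeholder values are assumptions.

$VpnFqdn     = 'vpn.example.com'   # placeholder; must match the server certificate's name
$ProfileName = 'Corp SSTP'

# 1. Create the profile. TunnelType Sstp pins the protocol (the wizard's default "Automatic"
#    would also try other tunnel types). EncryptionLevel Required refuses unencrypted PPP.
#    SplitTunneling is left off, so all traffic crosses the tunnel.
#    MSChapv2 is used for simplicity; use Eap with -EapConfigXmlStream when the server enforces EAP/MFA.
Add-VpnConnection -Name $ProfileName -ServerAddress $VpnFqdn -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential -Force

# 2. Confirm the stored profile really is SSTP before dialling (the "connection properties" check).
$vpnProfile = Get-VpnConnection -Name $ProfileName
if ($vpnProfile.TunnelType -ne 'Sstp') { throw "Profile $ProfileName is not SSTP: $($vpnProfile.TunnelType)" }

# 3. Dial. Without credentials on the command line, rasdial uses the stored ones or prompts.
rasdial $ProfileName
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# 4. Route push: every route on the tunnel interface was installed by the connection, so this
#    shows which destinations actually travel through the VPN.
Get-NetRoute -InterfaceAlias $ProfileName | Select-Object DestinationPrefix, NextHop, RouteMetric

# 5. DNS server push: the resolvers assigned to the tunnel interface. An empty list means
#    internal names will be resolved by the local network's resolver instead.
Get-DnsClientServerAddress -InterfaceAlias $ProfileName -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# 6. Disconnect when done.
rasdial $ProfileName /disconnect
```

Steps 4 and 5 are the ones worth keeping as a routine check: a profile that connects but receives no internal DNS servers, or receives a 0.0.0.0/0 route when only split tunneling was intended, is misconfigured on the server side even though the tunnel itself is up.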
macOS and Linux
- These OSes may require third-party software, as native SSTP support may not be available
- You can use programs such as SSTP-client or similar to install and configure the SSTP connection
Setup on mobile devices
Android
- Depending on the version and device manufacturer, a third-party application, such as SSTP VPN Client, may be required to support SSTP
- After installing the app, follow the on-screen instructions to set up a VPN connection to your server
iOS
- Similar to Android, a third-party app may be required to support SSTP
- Download and install the app of your choice from the App Store and follow the instructions to set up a VPN connection
When setting up SSTP on any platform, make sure you have all the required credentials and server information (such as the server address, username, and password). Also, make sure the server has a valid SSL certificate to ensure a secure connection.
SSTP VPN standards and performance
SSTP performance may vary depending on many factors, including hardware and network configuration. Below is an analysis of SSTP performance in various scenarios.
Performance based on CPU resources
SSTP performance in megabits per second on a single core can vary greatly depending on the hardware and the specific network configuration. However, a more powerful processor core with a higher clock speed can improve SSTP performance.
SSTP vs. other VPN protocols
- OpenVPN. OpenVPN can perform similarly to SSTP but is generally considered more flexible to configure and natively supports more operating systems
- IPsec/L2TP. IPsec/L2TP generally offers high performance and can be faster than SSTP on some configurations, especially when using hardware-accelerated encryption
- PPTP. PPTP may provide high performance due to weak encryption, making it less secure than SSTP
- WireGuard. WireGuard is known for its high performance and simplicity and is generally superior to SSTP in speed and ease of configuration
Recommendations to optimize SSTP VPN performance
Hardware acceleration
Use hardware encryption acceleration if supported by your hardware to improve SSTP performance.
Network optimization
Ensure your network is optimized for performance: eliminate bottlenecks and improve routing.
Correct server configuration
Configure your server correctly and make sure you have enough resources to handle VPN traffic.
Performance monitoring and analysis
Regularly monitor and analyze the performance of your SSTP VPN to identify and resolve potential problems.
Hardware and software updates
Keep your hardware and software up to date for best performance and security.
Conclusion
SSTP is a reliable and proven solution for creating secure VPN connections, especially in Windows environments. It provides good encryption and is relatively easy to configure on supported platforms. However, when using SSTP, you may encounter speed and platform support limitations compared to other modern VPN protocols, such as WireGuard.