Bypassing a Corporate Firewall with SSTP VPN
Why choose SSTP VPN
Currently, I work in the finance industry with a high level of security system, the network engineer implement DPI(Deep Packet Inspection) in the network architecture, Which allows them to block or restrict access to certain websites, applications, and services(including SSH).
The ability of SSTP to bypass firewall restrictions is not dependent on the type of firewall. It literally unblocks them just at the snap of your finger and grants you full access into the network. The SSTP cannot be blocked out because it uses TCP port 443, which is the same port HTTPS uses.
Prerequisites
- VPS with IP public
- Port 443/TCP is open
Pre Installing Softether Server
- Upgrade & Install Depedencies
sudo apt-get update && sudo apt-get -y upgrade && sudo apt install -y wget build-essential nano tar acl
Installing Softether Server
- Download softether latest version from this link
wget "http://www.softether-download.com/files/softether/v4.34-9745-rtm-2020.04.05-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.34-9745-rtm-2020.04.05-linux-x64-64bit.tar.gz" -O softether-vpnserver-linux.tar.gz
- Extract softether
tar -xvf softether-vpnserver-linux.tar.gz
- Move to softether directory, and build the binary
sudo mv vpnserver /usr/local && cd /usr/local/vpnserver
make
- Change softether config and binary permission
chmod 600 * && chmod 700 vpnserver && chmod 700 vpncmd
- Create user for limit permission
sudo useradd vpn --shell /usr/sbin/nologin
sudo setfacl -m user:vpn:rwx -R /usr/local/vpnserver
- Create systemd service for autostart after reboot
sudo vi /etc/systemd/system/softether-vpn.service
[Unit]
Description=SoftEther VPN server
After=network-online.target
After=dbus.service
[Service]
type=forking
User=vpn
Group=vpn
ExecStart=/usr/local/vpnserver/vpnserver start
ExecReload=/bin/kill -HUP $MAINPID
# Maximum number of restart is 5, and attempts for every 60 seconds
StartLimitBurst=5
StartLimitInterval=60
[Install]
WantedBy=multi-user.target
- Permit the binary to open port under 1024
The binary will open port 443/TCP without root permission
sudo setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' /usr/local/vpnserver/vpnserver
sudo getcap /usr/local/vpnserver/vpnserver
- Reload and start service after reboot
sudo systemctl daemon-reload && sudo systemctl enable --now softether-vpn.service
Post Installation Softether Server
Create vpn user and vpn config
- Login to vpncmd, for system requirement checking
/usr/local/vpnserver/vpncmd
1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
typing number: 3
VPN Server> check
VPN Server> exit
- Set password for administrator
/usr/local/vpnserver/vpncmd
1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
typing number: 1
Hostname of IP Address of Destination: ↵
Specify Virtual Hub Name: ↵
VPN Server> ServerPasswordSet
- Relogin to vpncmd, and create a virtual hub
/usr/local/vpnserver/vpncmd
1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
typing number: 1 (management vpn server)
VPN Server> HubCreate VPN
VPN Server> Hub VPN
VPN Server> SecureNatEnable
- Relogin to vpncmd, and create a user
/usr/local/vpnserver/vpncmd
1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
typing number: 1 (management vpn server)
# <blank or 443 depends on your port config>
Hostname of IP Address of Destination: ↵
Specify Virtual Hub Name: VPN
VPN Server> UserCreate ubuntu
VPN Server> UserPasswordSet ubuntu
Password: <your_password>
Confirm input: <your_password>
- Relogin to vpncmd, and create a certificate
/usr/local/vpnserver/vpncmd
typing number: 1 (management vpn server)
Hostname of IP Address of Destination: ↵
Specify Virtual Hub Name: ↵
VPN Server> IPsecEnable
enable l2tp: yes
enable raw l2tp: yes
enable ipsec: yes
preshared key ipsec: <your_ipsec_pass>
default virtualhub: VPN
# you can write ip or dns(pointing your ip first before using dns cert)
VPN Server> ServerCertRegenerate 172.104.48.41 or sstp.ajinfajrian.id
VPN Server> ServerCertGet ~/cert.cer
VPN Server> SstpEnable yes
VPN Server> ServerKeyGet ~/privatekey.key
exit
Optional
- Hardening web api softether
Prevent anonymous user to accessing public web api softether server
sudo systemctl stop softether-vpn.service
sudo sed -i 's/DisableJsonRpcWebApi false/DisableJsonRpcWebApi true/g' vpn_server.config
sudo systemctl start softether-vpn.service
- Hardening VirtualHub with Password
/usr/local/vpnserver/vpncmd
typing number: 1 (management vpn server)
Hostname of IP Address of Destination: <blank or 443 depends on your port config>
Specify Virtual Hub Name: VPN
Password: <your_password>
VPN Server> SetHubPassword VPN
VPN Server> SetEnumDeny
Troubleshoot
- Selinux context
softether.service: Failed to locate executable /usr/local/vpnserver/vpnserver: Permission denied
SELinux is preventing /usr/lib/systemd/systemd from execute access on the file vpnserver.
chcon -R -t bin_t /usr/local/vpnserver/
semanage fcontext -a -t bin_t "/usr/local/vpnserver(/.*)?"
restorecon -r -v /usr/local/vpnserver/
Installing Softether Client Windows
-
Download softether client from this link
-
Install softether client
- Create new virtual network adapter
After installation’s completed, then create a new virtual network adapter with nameVPN2
- Add VPN Connection
- Edit
Setting Name - Change with your
HostnameandPort Number - Edit
Virtual Hub NametoVPN - Import and
Manage Trusted CAwith your CA - Change
User NameandPassword - OK
- Connect to SSTP Server
Double click to theDemopanel
That’s it, you’ve successfully connected to sstp server
Conclusion
Be a wise when surfing to internet with your corporate network. The reason why Firewall & DPI is implemented is to protect the device from data leaks and malware.