sstoper
SSTP VPN client for Linux
---[ SSToPer ]------------------------------------------------------------------
---[ SSTP Client for Linux ]----------------------------------------------------
---[ By Christophe Alladoum ]---------------------------------------------------
What is SSTP ?
Wikipedia says: "Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers." http://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol
What is SSToPer ?
SSToPer is an SSTP client for Linux. It establishes SSTP connections, and thereby VPN communication, with any Windows Server (2008 and above) that has the service active. Since SSTP is only a wrapper over PPP communication, pppd (http://ppp.samba.org/) MUST be installed with the synchronous HDLC serial encoding capability enabled.
The current SSToPer version DOES NOT support certificate validation.
SSToPer spawns a pppd instance with the noauth option, which requires root privilege. Hence, SSToPer must either be started as root, or have CAP_KILL and CAP_SETUID. This can be done as root:
{{{
$ su -c "setcap cap_setuid,cap_kill+eip ./sstoper"
}}}
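One way to check that a running sstoper holds nothing beyond the two capabilities granted by the setcap command above (cap_setuid and cap_kill) is to audit the CapPrm and CapEff masks in /proc/<pid>/status. This C program is an added example, not part of SSToPer; the function names and the two status dumps are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>: CAP_KILL = 5, CAP_SETUID = 7. */
#define ALLOWED_MASK ((1ULL << 5) | (1ULL << 7))   /* 0xa0 */

/* Constructed samples of /proc/<pid>/status (assumption: not real captures). */
static const char SAMPLE_SETCAP[] =
    "Name:\tsstoper\nCapInh:\t0000000000000000\n"
    "CapPrm:\t00000000000000a0\nCapEff:\t00000000000000a0\n";
static const char SAMPLE_ROOT[] =
    "Name:\tsstoper\nCapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n";

/* Parse the hex mask of "<field>:" at the start of a line; -1 if absent or malformed. */
static int read_cap_field(const char *status, const char *field,
                          unsigned long long *mask)
{
    size_t flen = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            const char *v = p + flen + 1;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1;   /* empty value */
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');          /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* Stores in *excess every capability held beyond CAP_KILL|CAP_SETUID
 * (0 = nothing extra). Returns 0, or -1 if the masks cannot be read. */
int audit_caps(const char *status, unsigned long long *excess)
{
    unsigned long long prm, eff;
    if (read_cap_field(status, "CapPrm", &prm) || read_cap_field(status, "CapEff", &eff))
        return -1;
    *excess = (prm | eff) & ~ALLOWED_MASK;
    return 0;
}

int main(void)
{
    unsigned long long x;
    if (audit_caps(SAMPLE_SETCAP, &x) == 0) printf("setcap binary:   excess=0x%llx\n", x);
    if (audit_caps(SAMPLE_ROOT, &x) == 0)   printf("started as root: excess=0x%llx\n", x);
    return 0;
}
```

On a live system, pass the contents of /proc/<pid>/status for the sstoper process to audit_caps() instead of the samples.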
Features:
- Establishes PPP based VPN through SSTP
- Proxy
- HMAC-128/256 support
- (Opt.) Wireshark SSTP dissector provided to analyse SSTP behaviour
Pre-requisites:
- libcrypto (for hmac.h)
- libgnutls (for gnutls.h and other)
- libbsd (for util.h)
- HDLC-sync capable pppd must be installed
- root privileges on a 2.6 Linux kernel
Todo:
- Certificate validation
Installing Wireshark SSTP dissector:
- Download Wireshark source from http://www.wireshark.org and un-tar archive
- Add "dissectors/packet-sstp.c" in DISSECTOR_SRC section inside epan/CMakeLists.txt file
- Add "packet-sstp.c" in DISSECTOR_SRC section inside epan/dissectors/Makefile.common file
- Copy sstoper/misc/packet-sstp.c -> wireshark/epan/dissectors/
- In wireshark/ root directory, execute :
{{{
$ ./autogen.sh && ./configure --with-ssl && make
}}}
- You now have a SSTP-compliant Wireshark version (a simple SSTP negotiation PCAP file is provided in misc/ directory) which can be started
{{{
$ sudo ./wireshark
}}}
SSTP Session example:
- First you need your server's PEM-formatted CA file. It can usually be obtained like this:
  -> Go to http:// /certsrv
  -> Click on "Download a CA certificate, certificate chain, or CRL" link
  -> Select "Base64" as "Encoding method" option
  -> Click on "Download CA certificate" link
- Un-tar and compile sstoper
{{{
$ tar xf sstoper.tar.gz
$ cd sstoper && make
$ su -c "make install"
}}}
The install directive installs the sstoper binary and sets its capabilities so that it can be executed by any user.
- Execution with SSToPer with Linux capabilities
{{{
$ sstoper -s tweety.looney -c misc/vpn.tweety.looney.crt -U user1 -vv
Password:
[...]
2011-06-18 03:07:20 [!] Using default value: '443'
2011-06-18 03:07:20 [!] Using default value: '/usr/sbin/pppd'
2011-06-18 03:07:20 [+] Verbose level: 2
2011-06-18 03:07:20 [] Starting ./sstoper as 7789
2011-06-18 03:07:20 [+] Connected to tweety:443
2011-06-18 03:07:20 [+] Dropping privileges
2011-06-18 03:07:20 [] chdir-ed '/var/empty'
2011-06-18 03:07:20 [] Switch user to 'nobody'
2011-06-18 03:07:20 [+] '/usr/sbin/pppd' forked with PID 7790
2011-06-18 03:07:20 [] [7790] Waiting for SIGUSR1
[...]
2011-06-18 03:07:27 [] --> 112 bytes
2011-06-18 03:07:27 [+] status: CLIENT_CONNECT_ACK_RECEIVED (0x2) -> CLIENT_CALL_CONNECTED (0x3)
2011-06-18 03:07:27 [+] SSTP link established
2011-06-18 03:07:27 [] --> 8 bytes
2011-06-18 03:07:27 [*] --> 22 bytes
[...]
(Hit Ctrl-C to close connection)
2011-06-18 03:07:44 [+] SSTP connection time: 22 sec
2011-06-18 03:07:44 [+] Sent 986 bytes, received 894 bytes
2011-06-18 03:07:44 [+] End of TLS connection, reason: Success.
$
}}}
Incrementing the verbose option (0-3) will display more connection events. Level 3 will expose low-level details, such as crypto algorithm negotiation, key exchange, etc.
Currently works on Linux (tested on Debian & Fedora); other systems to be supported.
Comments/Bugs:
Please send comments and bugs to <christophe DOT alladoum AT hsc DOT fr> with a backtrace (using the sstoper -vvv option) and/or an strace output of the bug.
Changelogs:
06/2012 : migrating to GitHub public repository
06/2011 : 0.21 few bug fixes
03/2011 : 0.2 version adding capabilities, IPv6 support and many fixes.
11/2010 : 0.1 version adding better network handling.
10/2010 : first public release.
Thanks for using SSToPer !