SSTP (Secure Socket Tunneling Protocol) is a VPN protocol developed by Microsoft that carries PPP traffic inside an SSL/TLS-encrypted connection. See also: What are the advantages and drawbacks of a VPN using the SSTP protocol?
I hadn't paid much attention to it before: little client support, niche, and IP over TCP. It was only because of some odd circumstances that I suddenly needed it and started to look into it.
SoftEther
On Linux, SoftEther currently seems to be the only server implementation. That software really goes all out: it implements every popular and non-mainstream VPN protocol, is cross-platform, and is GPL. It even provides a foolproof GUI admin tool with Chinese, Japanese and English interfaces, a real powerhouse for deploying VPNs. It's just that, first, it is too heavy, and second, its RADIUS support is incomplete, so it didn't quite fit my needs.
DIY
Since the inner protocol is PPP, if you just spawn pppd and forward the data, leaving the troublesome parts such as user authentication to pppd, implementing one yourself doesn't look too complicated. Add to that Microsoft's very detailed official documentation, and the fact that I had been wanting to learn Twisted for a while without knowing where to start, and I decided to write one and see.
Thanks to how simple Twisted is to use, a first version of this SSTP server came together quite smoothly.
The code is on GitHub and PyPI: sorz/sstp-server.
Installation and usage
For reference; see sstpd --help for details:
sudo apt-get install python-dev python-pip python-twisted
sudo pip install sstp-server
sudo sstpd -c cert.pem --local 10.0.0.1 --remote 10.0.0.0/24
For the certificate, refer to any tutorial on HTTPS certificates.
Don't forget to create /etc/ppp/options.sstpd; an example:
name sstpd
require-mschap-v2
nologfd
nodefaultroute
ms-dns 8.8.8.8
ms-dns 8.8.4.4
If you need IPv6 support, add the parameter --listen ::.
Headaches
The main obstacle during all the tinkering was still PPP. Simply forwarding bytes is not enough, because each SSTP packet may carry only one PPP frame, so you have to split out each frame yourself.
PPP, this ancient protocol, is more complex than I expected. What Windows actually uses inside SSTP is HDLC-like framing. I found some SSTP client code, and it converts between the two formats itself. Fortunately I later found that pppd itself supports HDLC (the sync option), so I took the shortcut.
But then I found that HDLC seems to require kernel support on Linux (CONFIG_PPP_SYNC_TTY = yes).
Update:
Sure enough, the shortcut failed: the HDLC trick does not work, because occasionally a frame gets truncated and everything after it is garbled. So I did it properly after all, doing the framing according to RFC 1662 and (un)escaping some characters myself. But that made performance terrible, so I tried rewriting that part as a C extension. Come to think of it, this was the first time I ever wrote C out of a need to solve a problem...
Thanks to @deba12 for pointing out this problem and helping to test and improve performance.
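As an added example (not sstp-server's own code, which does this in its C extension), here is the RFC 1662 framing the update describes: the FCS-16 computation, byte-stuffing with 0x7D/0x20 under an ACCM, and an incremental deframer that keeps partial input between reads, so a frame split across two TCP reads is reassembled instead of being lost. The sample frames in the test are constructed LCP/IPCP-shaped payloads, not captures.

```python
# Added example: RFC 1662 HDLC-like framing for PPP (escape/unescape + FCS-16),
# with a deframer that survives frames split across arbitrary read boundaries.
FLAG = 0x7E          # frame delimiter
ESC = 0x7D           # control escape
XOR_BIT = 0x20       # an escaped byte is XORed with this
FCS_INIT = 0xFFFF
FCS_GOOD = 0xF0B8    # running FCS over a frame that includes a correct FCS


def _make_fcs_table():
    # Reflected CRC-16 (polynomial 0x8408), as in RFC 1662 appendix C.
    table = []
    for byte in range(256):
        value = byte
        for _ in range(8):
            value = (value >> 1) ^ 0x8408 if value & 1 else value >> 1
        table.append(value)
    return table


FCS_TABLE = _make_fcs_table()


def fcs16(data, fcs=FCS_INIT):
    for byte in data:
        fcs = (fcs >> 8) ^ FCS_TABLE[(fcs ^ byte) & 0xFF]
    return fcs


def escape_frame(ppp_frame, accm=0xFFFFFFFF):
    """Append the FCS to a raw PPP frame (address, control, protocol, info) and byte-stuff it.
    accm is the async control character map; the default escapes every byte below 0x20."""
    fcs = fcs16(ppp_frame) ^ 0xFFFF
    body = bytes(ppp_frame) + bytes([fcs & 0xFF, fcs >> 8])  # FCS goes low byte first
    out = bytearray([FLAG])
    for byte in body:
        if byte in (FLAG, ESC) or (byte < 0x20 and accm & (1 << byte)):
            out += bytes([ESC, byte ^ XOR_BIT])
        else:
            out.append(byte)
    out.append(FLAG)
    return bytes(out)


class Deframer:
    """Feed arbitrary chunks of the byte stream; get back complete frames whose FCS checks out."""

    def __init__(self):
        self._buf = bytearray()   # bytes of the frame currently being received
        self._escaped = False     # previous byte was ESC
        self.dropped = 0          # frames discarded: bad FCS, too short, or aborted

    def feed(self, data):
        frames = []
        for byte in data:
            if byte == FLAG:
                if self._escaped:          # ESC followed by FLAG is an abort sequence
                    self._escaped = False
                    self._buf.clear()
                    self.dropped += 1
                elif self._buf:            # closing flag of a frame
                    frames.extend(self._finish())
                continue                   # opening flag / back-to-back flags carry nothing
            if self._escaped:
                self._escaped = False
                self._buf.append(byte ^ XOR_BIT)
            elif byte == ESC:
                self._escaped = True
            else:
                self._buf.append(byte)
        return frames

    def _finish(self):
        frame = bytes(self._buf)
        self._buf.clear()
        # Address+control+protocol+FCS is the shortest sensible frame; reject anything smaller
        # and anything whose FCS does not verify, instead of handing garbage to pppd.
        if len(frame) < 4 or fcs16(frame) != FCS_GOOD:
            self.dropped += 1
            return []
        return [frame[:-2]]  # strip the FCS; the caller gets the PPP frame
```

Feeding the deframer whatever a TCP read returns (rather than assuming one read equals one frame) is what prevents the truncation described above; a bad FCS drops only the affected frame, and the next flag byte resynchronises the stream.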
Security
This implementation is actually incomplete at present: the Crypto Binding part is not implemented, which may leave it open to man-in-the-middle attacks.
A man-in-the-middle attack even though SSL is used? Microsoft gives a scenario for such an attack at the end of its documentation, and it's quite interesting.
The attacker sets up a rogue Wi-Fi AP and lures the user into connecting to it.
The Wi-Fi uses 802.11 EAP for authentication. The user thinks they are logging in to the Wi-Fi, but in fact the attacker forwards that authentication exchange to the SSTP (PPP) server! The user really is talking to the genuine authentication server; it's just that what is being authenticated is not the Wi-Fi but the SSTP service.
Crypto Binding prevents this attack; see the Microsoft documentation for the details.
But implementing it is somewhat complicated, and my own use case doesn't need it for now, so I've set it aside.
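To show what Crypto Binding actually buys the server, here is an added example (not sstp-server code, and not the missing implementation) of the Call Connected check: the client must echo the server's nonce, the hash of the TLS certificate it saw, and a compound MAC keyed from the inner authentication's key material (HLAK). The message layout, the CMK seed string and the hash-protocol value follow my reading of MS-SSTP and should be checked against the spec; how the server obtains HLAK from pppd is an assumption left as an input here. The certificates in the test are constructed placeholder bytes, not real DER.

```python
# Added example: server-side verification of the SSTP Crypto Binding attribute.
# Constants and field layout are my reading of MS-SSTP (assumption: verify against the spec).
import hashlib
import hmac
import os
import struct

CMK_SEED = b"SSTP inner method derived CMK"
MSG_CALL_CONNECTED = 0x0004
ATTR_CRYPTO_BINDING = 0x03
HASH_SHA256 = 0x02      # Hash Protocol Bitmask value for SHA-256
CMK_LEN = 32
MSG_LEN = 8 + 4 + 3 + 1 + 32 + 32 + 32   # header, attr header, reserved, bitmask, nonce, cert hash, CMAC


def derive_cmk(hlak):
    """CMK = HMAC-SHA256(HLAK, seed || LEN as 2-byte little-endian || 0x01).
    HLAK is the key material from the inner MS-CHAPv2 / EAP authentication, which only the
    real client and the real server share; a relaying attacker never learns it."""
    return hmac.new(hlak, CMK_SEED + struct.pack("<H", CMK_LEN) + b"\x01", hashlib.sha256).digest()


def build_call_connected(nonce, server_cert_der, hlak):
    """Client side: Call Connected with a Crypto Binding attribute, CMAC computed over the
    message with the CMAC field zeroed."""
    cert_hash = hashlib.sha256(server_cert_der).digest()
    attr = (struct.pack("!BBH", 0, ATTR_CRYPTO_BINDING, MSG_LEN - 8)
            + b"\x00\x00\x00" + bytes([HASH_SHA256]) + nonce + cert_hash + bytes(32))
    msg = struct.pack("!BBHHH", 0x10, 0x01, MSG_LEN, MSG_CALL_CONNECTED, 1) + attr
    cmac = hmac.new(derive_cmk(hlak), msg, hashlib.sha256).digest()
    return msg[:-32] + cmac


def verify_call_connected(msg, expected_nonce, server_cert_der, hlak):
    """Server side: returns (ok, reason). Every comparison is constant-time."""
    if len(msg) != MSG_LEN:
        return False, "bad length"
    _version, ctrl, length, msg_type, nattrs = struct.unpack("!BBHHH", msg[:8])
    if ctrl != 1 or length != MSG_LEN or msg_type != MSG_CALL_CONNECTED or nattrs != 1:
        return False, "not a Call Connected message"
    attr = msg[8:]
    if attr[1] != ATTR_CRYPTO_BINDING or attr[7] != HASH_SHA256:
        return False, "unsupported crypto binding attribute"
    nonce, cert_hash, cmac = attr[8:40], attr[40:72], attr[72:104]
    if not hmac.compare_digest(nonce, expected_nonce):
        return False, "nonce mismatch"               # replayed or foreign session
    if not hmac.compare_digest(cert_hash, hashlib.sha256(server_cert_der).digest()):
        return False, "certificate hash mismatch"    # client saw somebody else's TLS cert
    expected = hmac.new(derive_cmk(hlak), msg[:-32] + bytes(32), hashlib.sha256).digest()
    if not hmac.compare_digest(cmac, expected):
        return False, "compound MAC mismatch"        # sender does not hold HLAK
    return True, "ok"


def relay_is_rejected():
    """Constructed scenario from the post: an honest peer passes, while a party that terminated
    TLS with its own certificate, or that relayed the inner authentication without holding
    HLAK, fails. Returns (all_as_expected, reasons)."""
    hlak = os.urandom(32)           # established by the inner authentication
    nonce = os.urandom(32)          # server-generated, sent in Call Connect ACK
    real_cert = b"constructed-server-cert-der"
    other_cert = b"constructed-other-cert-der"
    ok, _ = verify_call_connected(build_call_connected(nonce, real_cert, hlak), nonce, real_cert, hlak)
    _, wrong_cert = verify_call_connected(build_call_connected(nonce, other_cert, hlak), nonce, real_cert, hlak)
    _, no_hlak = verify_call_connected(build_call_connected(nonce, real_cert, os.urandom(32)), nonce, real_cert, hlak)
    return ok and wrong_cert != "ok" and no_hlak != "ok", (wrong_cert, no_hlak)
```

The traceback later in the comments (`certHash not in self.factory.certHash`) shows the real server does compare the certificate hash; what the nonce and the HLAK-keyed MAC add is that the message can only have been produced by a peer that both saw this server's certificate and completed the inner authentication for this very session.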
(Just say you're lazy _(:з」∠)_
By the way, since it uses a PPP-style config file, can it support RADIUS authentication? If so, I'll set one up to play with.
Yes. It actually uses pppd, so just configure RADIUS the same way as for PPTP.
So I just put the RADIUS settings into options and that's it?
In pppd's config file, something like:
plugin radius.so
plugin radattr.so
radius-config-file
and so on.
I rewrote a large part of the code this summer.
This post sat for a long time without updates; I've just updated it 🙂
Also, I'm hesitating about whether to migrate to Python 3...
When I wrote it, Twisted's Py3 support still had quite a few problems, so I was more or less forced to use Py2.
But switching now, I can't see any particular benefit either...
I considered a single codebase compatible with both Py2 and Py3, but found that too troublesome; if I migrate, Py2 will no longer be maintained...
I'll file an issue some day and leave it at that (
I want to install sstp but ran into trouble on CentOS; could you help? I've left my email and QQ, please contact me.
Could you provide a CentOS installation tutorial? I've tried for a long time without success.
Could it be made installable on OpenWrt x86? I tried adding Python, but pip install sstp-server fails.
Hi, could you provide the pip install log?
unable to execute 'i486-openwrt-linux-uclibc-gcc': no such file or directory
pip install needs to compile some extensions during installation, so install gcc and the other build tools and dependencies first.
The latest log is as follows:
Downloading/unpacking sstp-server
Downloading sstp-server-0.3.5.tar.gz
Running setup.py (path:/tmp/pip_build_root/sstp-server/setup.py) egg_info for package sstp-server
Downloading/unpacking twisted (from sstp-server)
Running setup.py (path:/tmp/pip_build_root/twisted/setup.py) egg_info for package twisted
Downloading/unpacking service-identity (from sstp-server)
Downloading service_identity-16.0.0-py2.py3-none-any.whl
Downloading/unpacking argparse (from sstp-server)
Downloading argparse-1.4.0-py2.py3-none-any.whl
Downloading/unpacking py2-ipaddress (from sstp-server)
Downloading py2-ipaddress-3.4.1.tar.gz
Running setup.py (path:/tmp/pip_build_root/py2-ipaddress/setup.py) egg_info for package py2-ipaddress
Downloading/unpacking zope.interface>=3.6.0 (from twisted->sstp-server)
Running setup.py (path:/tmp/pip_build_root/zope.interface/setup.py) egg_info for package zope.interface
warning: no previously-included files matching '*.dll' found anywhere in distribution
warning: no previously-included files matching '*.pyc' found anywhere in distribution
warning: no previously-included files matching '*.pyo' found anywhere in distribution
warning: no previously-included files matching '*.so' found anywhere in distribution
warning: no previously-included files matching 'coverage.xml' found anywhere in distribution
no previously-included directories found matching 'docs/_build'
Downloading/unpacking pyasn1 (from service-identity->sstp-server)
Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Downloading/unpacking pyasn1-modules (from service-identity->sstp-server)
Downloading pyasn1_modules-0.0.8-py2.py3-none-any.whl
Downloading/unpacking attrs (from service-identity->sstp-server)
Downloading attrs-15.2.0-py2.py3-none-any.whl
Downloading/unpacking pyopenssl>=0.12 (from service-identity->sstp-server)
Requirement already satisfied (use --upgrade to upgrade): setuptools in /usr/lib/python2.7/site-packages/setuptools-7.0-py2.7.egg (from zope.interface>=3.6.0->twisted->sstp-server)
Downloading/unpacking six>=1.5.2 (from pyopenssl>=0.12->service-identity->sstp-server)
Downloading six-1.10.0-py2.py3-none-any.whl
Downloading/unpacking cryptography>=0.7 (from pyopenssl>=0.12->service-identity->sstp-server)
Running setup.py (path:/tmp/pip_build_root/cryptography/setup.py) egg_info for package cryptography
no previously-included directories found matching 'docs/_build'
warning: no previously-included files matching '*' found under directory 'vectors'
Downloading/unpacking idna>=2.0 (from cryptography>=0.7->pyopenssl>=0.12->service-identity->sstp-server)
Downloading/unpacking enum34 (from cryptography>=0.7->pyopenssl>=0.12->service-identity->sstp-server)
Running setup.py (path:/tmp/pip_build_root/enum34/setup.py) egg_info for package enum34
Downloading/unpacking ipaddress (from cryptography>=0.7->pyopenssl>=0.12->service-identity->sstp-server)
Downloading ipaddress-1.0.16-py27-none-any.whl
Downloading/unpacking cffi>=1.4.1 (from cryptography>=0.7->pyopenssl>=0.12->service-identity->sstp-server)
Running setup.py (path:/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi
Downloading/unpacking pycparser (from cffi>=1.4.1->cryptography>=0.7->pyopenssl>=0.12->service-identity->sstp-server)
Running setup.py (path:/tmp/pip_build_root/pycparser/setup.py) egg_info for package pycparser
warning: no previously-included files matching 'yacctab.*' found under directory 'tests'
warning: no previously-included files matching 'lextab.*' found under directory 'tests'
warning: no previously-included files matching 'yacctab.*' found under directory 'examples'
warning: no previously-included files matching 'lextab.*' found under directory 'examples'
Installing collected packages: sstp-server, twisted, service-identity, argparse, py2-ipaddress, zope.interface, pyasn1, pyasn1-modules, attrs, pyopenssl, six, cryptography, idna, enum34, ipaddress, cffi, pycparser
Running setup.py install for sstp-server
warning: build_py: byte-compiling is disabled, skipping.
building 'sstpd.codec' extension
i486-openwrt-linux-uclibc-gcc -fno-strict-aliasing -Os -pipe -march=i486 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -DNDEBUG -fno-inline -DNDEBUG -Os -pipe -march=i486 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -fPIC -I/usr/include/python2.7 -c sstpd/codecmodule.c -o build/temp.linux-i686-2.7/sstpd/codecmodule.o
sstpd/codecmodule.c:1:20: fatal error: Python.h: No such file or directory
#include <Python.h>
                   ^
compilation terminated.
error: command 'i486-openwrt-linux-uclibc-gcc' failed with exit status 1
Complete output from command /usr/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip_build_root/sstp-server/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-RR15_y-record/install-record.txt --single-version-externally-managed --compile:
running install
running build
running build_py
creating build
creating build/lib.linux-i686-2.7
creating build/lib.linux-i686-2.7/sstpd
copying sstpd/packets.py -> build/lib.linux-i686-2.7/sstpd
copying sstpd/utils.py -> build/lib.linux-i686-2.7/sstpd
copying sstpd/__main__.py -> build/lib.linux-i686-2.7/sstpd
copying sstpd/sstp.py -> build/lib.linux-i686-2.7/sstpd
copying sstpd/constants.py -> build/lib.linux-i686-2.7/sstpd
copying sstpd/__init__.py -> build/lib.linux-i686-2.7/sstpd
copying sstpd/address.py -> build/lib.linux-i686-2.7/sstpd
copying sstpd/ppp.py -> build/lib.linux-i686-2.7/sstpd
warning: build_py: byte-compiling is disabled, skipping.
running build_ext
building 'sstpd.codec' extension
creating build/temp.linux-i686-2.7
creating build/temp.linux-i686-2.7/sstpd
i486-openwrt-linux-uclibc-gcc -fno-strict-aliasing -Os -pipe -march=i486 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -DNDEBUG -fno-inline -DNDEBUG -Os -pipe -march=i486 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -fPIC -I/usr/include/python2.7 -c sstpd/codecmodule.c -o build/temp.linux-i686-2.7/sstpd/codecmodule.o
sstpd/codecmodule.c:1:20: fatal error: Python.h: No such file or directory
#include <Python.h>
                   ^
compilation terminated.
error: command 'i486-openwrt-linux-uclibc-gcc' failed with exit status 1
----------------------------------------
Cleaning up...
Command /usr/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip_build_root/sstp-server/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-RR15_y-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /tmp/pip_build_root/sstp-server
Storing debug log for failure in /root/.pip/pip.log
My goal is to install sstp-server on OpenWrt.
Hi.
sstpd -c cert.pem --local 10.0.0.1 --remote 10.0.0.0/24 is the command run on the client machine. What is the command run on the server? Is it sstpd -c cert.pem?
That is the command run on the server.
For the client, you can try sstp-client.
On a Mac, how do I run a client? Is there a GUI program, or is it command line?
If it's command line, what would the command be?
Blogger, I saw you have the -n, --no-ssl option; I tried using nginx as an SSL proxy in front of it but could not get it to work.
nginx config:
stream{
upstream backends {
server XXXXXXX:443;
}
server {
# listen 80;
listen 443 ssl ; # 'ssl' parameter tells NGINX to decrypt the traffic
proxy_buffer_size 16M;
proxy_pass backends;
ssl_certificate ssl.crt; # The certificate file
ssl_certificate_key ssl.key; # The private key file
}
}
Server-side error:
2016-07-07 09:25:22,733 INFO: Running without SSL.
2016-07-07 09:25:22,735 INFO: Listening on :443…
2016-07-07 09:25:29,700 INFO: SSTP control packet (type 1) received.
2016-07-07 09:25:32,808 INFO: SSTP control packet (type 4) received.
Unhandled Error
Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/twisted/python/log.py", line 101, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/local/lib/python2.7/site-packages/twisted/python/log.py", line 84, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/local/lib/python2.7/site-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/local/lib/python2.7/site-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
--- <exception caught here> ---
File "/usr/local/lib/python2.7/site-packages/twisted/internet/posixbase.py", line 597, in _doReadOrWrite
why = selectable.doRead()
File "/usr/local/lib/python2.7/site-packages/twisted/internet/tcp.py", line 209, in doRead
return self._dataReceived(data)
File "/usr/local/lib/python2.7/site-packages/twisted/internet/tcp.py", line 215, in _dataReceived
rval = self.protocol.dataReceived(data)
File "/usr/local/lib/python2.7/site-packages/sstpd/sstp.py", line 34, in dataReceived
self.sstpDataReceived(data)
File "/usr/local/lib/python2.7/site-packages/sstpd/sstp.py", line 80, in sstpDataReceived
self.sstpPacketReceived(packet)
File "/usr/local/lib/python2.7/site-packages/sstpd/sstp.py", line 99, in sstpPacketReceived
self.sstpControlPacketReceived(messageType, attributes)
File "/usr/local/lib/python2.7/site-packages/sstpd/sstp.py", line 123, in sstpControlPacketReceived
self.sstpMsgCallConnectedReceived(hashType, nonce, certHash, macHash)
File "/usr/local/lib/python2.7/site-packages/sstpd/sstp.py", line 204, in sstpMsgCallConnectedReceived
if certHash is not None and certHash not in self.factory.certHash:
exceptions.TypeError: argument of type 'NoneType' is not iterable
I've tried to fix it, but it's not convenient for me to test right now, so I don't know whether it works.
It hasn't been pushed to PyPI yet; could you install from GitHub and try?
Early on I added --no-ssl precisely because I wanted to put nginx in front as a reverse proxy, but then found that nginx rejected the request because the Content-Length was too large,
so I stopped maintaining that feature afterwards...
An HTTP proxy doesn't work for me, but a TCP proxy is fine. Also, it seems related to nginx not supporting the SSTP_DUPLEX_POST verb?
As I recall that doesn't stop nginx from recognising the request; it's just that the Content-Length the client sends is too large...
root@AR:~# sstpd -c public.crt --local 10.0.0.1 --remote 10.0.0.0/24
Traceback (most recent call last):
File "/usr/local/bin/sstpd", line 9, in <module>
load_entry_point('sstp-server==0.3.5', 'console_scripts', 'sstpd')()
File "/usr/local/lib/python2.7/dist-packages/sstpd/__main__.py", line 76, in main
ippool = IPPool(args.remote)
File "/usr/local/lib/python2.7/dist-packages/sstpd/address.py", line 9, in __init__
self._network = ipaddress.ip_network(network)
File "/usr/local/lib/python2.7/dist-packages/ipaddress-1.0.16-py2.7.egg/ipaddress.py", line 199, in ip_network
' a unicode object?' % address)
ipaddress.AddressValueError: '10.0.0.0/24' does not appear to be an IPv4 or IPv6 network. Did you pass in a bytes (str in Python 2) instead of a unicode object?
root@AR:~#
How do I solve this?
Thanks for replying.
The ipaddress package already installed on your system conflicts with the py2-ipaddress package that sstp-server needs.
You can install sstp-server inside a virtualenv, or simply uninstall the ipaddress package.
Is SSTP essentially PPTP with the GRE replaced by SSL? Or can SSTP be understood as PPTP wrapped in an SSL shell, with user authentication and the like still handled by PPP? ω・´)
Correct.
On CentOS the dependencies are openssl-devel python-devel gcc, for reference.
So options.sstpd does not support require-mppe-128, is that what this means?
sstpd -p 443 -c /etc/pki/CA/certs/server.pem --local 10.0.0.1 --remote 10.0.0.0/24
Traceback (most recent call last):
File "/usr/bin/sstpd", line 9, in <module>
load_entry_point('sstp-server==0.4.0', 'console_scripts', 'sstpd')()
File "/usr/lib64/python2.7/site-packages/sstpd/__init__.py", line 8, in run
from __main__ import main
File "/usr/lib64/python2.7/site-packages/sstpd/__main__.py", line 7, in <module>
from twisted.internet.endpoints import SSL4ServerEndpoint
File "/usr/lib64/python2.7/site-packages/twisted/internet/endpoints.py", line 52, in <module>
from twisted.protocols.tls import TLSMemoryBIOFactory
File "/usr/lib64/python2.7/site-packages/twisted/protocols/tls.py", line 63, in <module>
from twisted.internet._sslverify import _setAcceptableProtocols
File "/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py", line 38, in <module>
TLSVersion.TLSv1_1: SSL.OP_NO_TLSv1_1,
AttributeError: 'module' object has no attribute 'OP_NO_TLSv1_1'
How to solve it ? (Python 2.7.5)
Try to install sstp-server with pip on a clean py venv.
$ virtualenv2 env
$ source env/bin/activate
$ pip install sstp-server
Or upgrade your PyOpenSSL
$ pip2 install --upgrade pyopenssl
After creating a new env as above, I still have a problem:
(env) [root@centos73 ~]# sstpd -p 443 -c /etc/pki/CA/certs/server.pem --local 10.0.0.1 --remote 10.0.0.0/24
Traceback (most recent call last):
File "/usr/bin/sstpd", line 9, in <module>
load_entry_point('sstp-server==0.4.0', 'console_scripts', 'sstpd')()
File "/usr/lib64/python2.7/site-packages/sstpd/__init__.py", line 9, in run
main()
File "/usr/lib64/python2.7/site-packages/sstpd/__main__.py", line 127, in main
cert = _load_cert(args.pem_cert)
File "/usr/lib64/python2.7/site-packages/sstpd/__main__.py", line 99, in _load_cert
return ssl.PrivateCertificate.loadPEM(certData)
File "/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py", line 699, in loadPEM
crypto.FILETYPE_PEM)
File "/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py", line 676, in load
return Class._load(data, format)._setPrivateKey(privateKey)
File "/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py", line 660, in _setPrivateKey
if not privateKey.matches(self.getPublicKey()):
File "/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py", line 793, in matches
return self.keyHash() == otherKey.keyHash()
File "/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py", line 826, in keyHash
raw = crypto.dump_publickey(crypto.FILETYPE_ASN1, self.original)
AttributeError: 'module' object has no attribute 'dump_publickey'
PS: My OS is CentOS 7.3, a fresh install with nothing else. Twisted version 17.1.0.
Hi:
After downgrading Twisted to 16.3.2, I can now run the SSTP service without the "dump_publickey" error.
Successfully installed twisted-16.3.2
[root@solaris10 ~]# sstpd -p 1443 -c /etc/pki/CA/certs/server.pem --local 10.0.0.1 --remote 10.0.0.0/24 -v 5
2017-02-27 00:41:11,345 INFO: Listening on :1443…
👍
RouterOS can't connect?
It can; I'm using RouterOS myself.
After the client connects, if there is no traffic it disconnects automatically after about a minute. How can this be solved? Pinging the gateway continuously keeps it alive, but is there really no parameter for this?
That's a bug; I've just fixed it and will release a new version shortly. Thanks.
I've solved it by adding these parameters to options.sstpd:
lcp-echo-failure 5
lcp-echo-interval 10
The LCP heartbeat check does the job.
Please post the installation docs.
I tested with iperf3; the maximum rate was around 20 Mbps, and CPU usage was low on both client and server.
What is the maximum sstp-server can reach?
Hmm, when did you run that test?
An earlier version had a bug that caused some packet loss (in iperf3 that shows up as a very high number in the Retr column...).
That was fixed in v0.3.6 (2016-11-21).
How did you install it? Please post the installation docs.
Doesn't it support certificates issued by Let's Encrypt? I tried all four generated pem files and none of them work.
----------------------------------------
Traceback (most recent call last):
File "/opt/rh/python27/root/usr/bin/sstpd", line 11, in <module>
load_entry_point('sstp-server==0.4.1', 'console_scripts', 'sstpd')()
File "/opt/rh/python27/root/usr/lib64/python2.7/site-packages/sstpd/__init__.py", line 9, in run
main()
File "/opt/rh/python27/root/usr/lib64/python2.7/site-packages/sstpd/__main__.py", line 127, in main
cert = _load_cert(args.pem_cert)
File "/opt/rh/python27/root/usr/lib64/python2.7/site-packages/sstpd/__main__.py", line 99, in _load_cert
return ssl.PrivateCertificate.loadPEM(certData)
File "/opt/rh/python27/root/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py", line 696, in loadPEM
crypto.FILETYPE_PEM)
File "/opt/rh/python27/root/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py", line 673, in load
return Class._load(data, format)._setPrivateKey(privateKey)
File "/opt/rh/python27/root/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py", line 507, in load
return Class(crypto.load_certificate(format, requestData), *args)
File "/opt/rh/python27/root/usr/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1661, in load_certificate
_raise_current_error()
File "/opt/rh/python27/root/usr/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
----------------------------------------
You need both files, fullchain.pem and privkey.pem. The current version only supports specifying a single file, so you have to concatenate the two manually (`cat fullchain.pem privkey.pem > cert-with-key.pem`). The next version will support specifying both.
I'm the one who filed the feature request on GitHub, thanks. The performance is rather low, though: compared with the ss+proxifier combination it's only about a third to a quarter of the speed (speedtest.net), and ss is the pip version too. Keep it up, author _(:3 ⌒゙)_. This project looks promising.
Has the author tried connecting with sstpc? On Fedora 25, connecting with sstpc fails outright; that wretched sstpc gives no useful information even with --debug, and sstpd shows no request on its side either. No idea what's wrong.
Very strange: the hostname I specified is px, but sstpc shows blog, so the nginx reverse proxy can't match it and of course the connection fails. But why? px clearly came first (jk), and there is nothing suspicious in hosts either. How on earth does sstpc manage that...
# sstpc --log-stdout --log-level 4 --user *** --password *** px.*.com
Apr 1 04:01:51 sstpc[38653]: Resolved blog.*.com to 45.63.50.*
Apr 1 04:01:51 sstpc[38653]: TLS hostname extension is disabled
Apr 1 04:02:01 sstpc[38653]: Connect timed out
Apr 1 04:02:01 sstpc[38653]: Could not complete connect to the client
**Error: Could not complete connect to the client, (-1)
Haven't used it. Also, from the log it looks like you need to enable the TLS hostname extension.
Same after enabling it. Puzzling. Anyway, openconnect works fine on Linux, so it doesn't matter much.
sstpd 0.4.2 requires upgrading to glibc 2.14 before it can be used; compiling and installing that is such a hassle~~
Recently I've noticed that with SSTP the latency doubles and becomes unstable. Other protocols are fine: PPTP, IKEv2 and OpenVPN latencies are all normal. What could the reason be?
Compare it with OpenVPN over TCP?
It seems not to be a problem with SSTP itself; some of my servers are fine. The problematic ones all seem to have been upgraded to a 4.x kernel with BBR enabled. I'll try a machine in the same data centre without the kernel upgrade later.
Further testing should rule out the kernel. On a very few machines, in a few data centres, PPTP and SSTP latency is about the same. On the vast majority, SSTP latency is very unstable and much higher...
One test: two Linux boxes connected over SSTP, latency around 160, actual latency fifty-something, but after using two-sided acceleration it goes back to fifty-something.
A poor network affects TCP-based VPNs more.
Check how other TCP VPNs behave in the same environment, e.g. OpenVPN in TCP mode or ocserv.
Test environment: Alibaba Cloud Hong Kong B, kernel upgraded to 4.12 with BBR enabled.
ping 8.8.8.8 over SSTP: 0% loss, min 46 ms, max 524 ms, avg 162 ms
ping 8.8.8.8 over OpenVPN TCP: 0% loss, min 29 ms, max 78 ms, avg 35 ms
I've just changed something; try updating sstp-server to master?
Tested; latency is clearly back to normal. Thanks.
Have you considered the Python 2 / Python 3 incompatibility on CentOS? How do I deploy the latest version on CentOS? Or will the Python 2 version keep being updated?
Python 2 can install the old version:
$ pip install "sstp-server<0.5"
But I probably won't have the energy to keep updating the old version as well.
I'm not familiar with CentOS; there should be a way?
## Install the IUS repo
yum install -y https://centos6.iuscommunity.org/ius-release.rpm
## Install Python 3.6
yum install -y gcc python36u python36u-pip python36u-devel openssl-devel
pip3.6 install sstp-server
That way there is no compatibility problem to worry about.
Hello, the client gets disconnected as soon as it connects, with the error: a connection to the remote computer could not be established, so the port used for this connection was closed.
Below is the server output:
root@iZ2zea7mzaes6e2c8c1quqZ:/home/crt3# sstpd -c ca.cert.pem -k ca.pem --local 10.52.0.1 --remote 10.52.0.0/24
2017-09-28 16:43:26,121 INFO: Listening on :443…
2017-09-28 16:43:57,963 INFO: SSTP control packet (CALL_CONNECT_REQUEST) received.
2017-09-28 16:43:57,970 INFO: pppd stopped.
2017-09-28 16:43:58,044 INFO: SSTP control packet (CALL_DISCONNECT_ACK) received.
Please help me take a look, many thanks!
pppd exited right after the connection; check pppd's log?
Where can I see pppd's log?
I added touch /var/log/sstpppdebug to /etc/ppp/options.sstpd, but nothing happened after running it.
logfile /var/log/..., not touch.
Hello, I changed it to logfile /var/log/sstpppdebug in /etc/ppp/options.sstpd,
but still no sstpppdebug file is generated. I touched a sstpppdebug file first and re-ran sstp, still no output; could you take another look for me?
Which version of sstp-server are you using?
Installed this way:
Python 2 can install the old version:
$ pip install "sstp-server<0.5"
But I probably won't have the energy to keep updating the old version as well.
How about trying the new version with Python 3?
The new version should print pppd's error messages.
Hello, my system is Ubuntu 16.04 64-bit, and it ships with Python 2.7.
Compiling and installing Python keeps hitting odd errors; is there a simple way to upgrade to Python 3?
apt install python3 python3-pip
pip3 install sstp-server
Solved, many thanks!!
Blogger, let's be friends ヾ(≧▽≦*)o
Hello, has the blogger done a performance comparison of SSTP alone against SoftEther?
Request:
Could the maintainer make the --remote parameter support an IP range rather than only a whole subnet?
Thanks.