A Simple SSTP Server

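SSTP (Secure Socket Tunneling Protocol) is a VPN protocol developed by Microsoft that encrypts PPP traffic with SSL/TLS. See also "What are the advantages and drawbacks of a VPN that uses the SSTP protocol?"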

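I never paid much attention to it: it has little support, it is non-mainstream, and it is IP over TCP. I only started looking into it because some odd circumstances suddenly gave me a need for it.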

SoftEther

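On Linux, SoftEther currently seems to be the only server implementation. This software really goes all out: it implements all sorts of VPN protocols, popular and obscure alike, is cross-platform, and is GPL-licensed. It also offers a foolproof GUI for management with a Chinese, Japanese and English interface, which makes it a real heavyweight for deploying VPNs. But it is too heavy for one thing, and its RADIUS support is incomplete for another, so it does not quite fit my needs.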

DIY

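Since PPP runs inside the tunnel, if I simply invoke pppd and forward the data, leaving troublesome matters such as user authentication to pppd, implementing one myself does not look too complicated. Add to that the fact that Microsoft's official documentation is very detailed, and that I had long wanted to learn Twisted but did not know where to start, and I decided to try writing one.

Thanks to how simple and easy Twisted is to use, the first version of this SSTP server came together quite smoothly.

The code is on GitHub and PyPI: sorz/sstp-server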

Installation and usage

For reference only; see sstpd --help for details.

sudo apt-get install python-dev python-pip python-twisted
sudo pip install sstp-server
sudo sstpd -c cert.pem --local 10.0.0.1 --remote 10.0.0.0/24

For the certificate, refer to any tutorial on HTTPS certificates.
Don't forget to create /etc/ppp/options.sstpd. An example:

name sstpd
require-mschap-v2
nologfd
nodefaultroute
ms-dns 8.8.8.8
ms-dns 8.8.4.4

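If you need IPv6 support, add the --listen :: argument.

Troubles

The main obstacles I ran into were about PPP. Simply forwarding bytes does not work, because each SSTP packet may carry only one PPP frame, so the individual frames have to be separated out.

PPP, this ancient protocol, is more complex than I expected. What Windows uses inside SSTP is actually this HDLC-like Framing. I found the source code of an SSTP client, which converts between the two formats itself. Fortunately I later discovered that pppd itself supports HDLC (the sync option), so I got away with being lazy.

But later I found that HDLC seems to need Linux kernel support (CONFIG_PPP_SYNC_TTY = yes).

Update:
Sure enough, the shortcut failed. The HDLC trick does not work: occasionally a frame gets truncated, and everything after it is garbled. So I went back to doing the framing properly according to RFC 1662, (un)escaping certain characters myself. But that made performance terrible, so I tried rewriting this part as a C extension. Come to think of it, this is the first time I have written C out of an actual need to solve a problem...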

Thanks to @deba12 for pointing out this problem and for helping to test and improve performance.
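The RFC 1662 framing step described above, as an added example in Python (not the project's own code, which moved this into a C extension). It escapes and unescapes with the default ACCM, checks the FCS-16, and returns whole PPP frames from an arbitrarily chunked pppd byte stream so that each one can go into its own SSTP data packet; the function names, MAX_FRAME and the sample LCP frame are assumptions made for illustration.

```python
FLAG, ESC, XOR = 0x7E, 0x7D, 0x20
GOOD_FCS = 0xF0B8   # FCS-16 residue over payload + FCS (RFC 1662, appendix C)
MAX_FRAME = 4096    # assumed cap, so a lost flag cannot grow the buffer forever


def fcs16(data, fcs=0xFFFF):
    """Bitwise FCS-16 (reflected polynomial 0x8408), without the final XOR."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def encode(frame):
    """One PPP frame -> flag-delimited, escaped bytes (default ACCM 0xFFFFFFFF)."""
    fcs = fcs16(frame) ^ 0xFFFF
    out = bytearray([FLAG])
    for byte in frame + bytes((fcs & 0xFF, fcs >> 8)):   # FCS goes low byte first
        if byte < 0x20 or byte in (FLAG, ESC):
            out += bytes((ESC, byte ^ XOR))
        else:
            out.append(byte)
    out.append(FLAG)
    return bytes(out)


class Deframer:
    """Incremental decoder: feed() any chunking, get whole PPP frames back."""

    def __init__(self):
        self.buf = bytearray()
        self.escaped = False
        self.bad = False        # set when the current frame exceeded MAX_FRAME
        self.dropped = 0

    def feed(self, chunk):
        frames = []
        for byte in chunk:
            if byte == FLAG:
                broken = self.bad or self.escaped
                if broken or (self.buf and fcs16(self.buf) != GOOD_FCS):
                    self.dropped += 1      # aborted, oversize or corrupted frame
                elif len(self.buf) > 2:
                    frames.append(bytes(self.buf[:-2]))   # strip the 2 FCS bytes
                self.buf.clear()
                self.escaped = self.bad = False
            elif byte == ESC:
                self.escaped = True
            elif len(self.buf) < MAX_FRAME:
                self.buf.append(byte ^ XOR if self.escaped else byte)
                self.escaped = False
            else:
                self.bad = True            # oversize: discard at the next flag
        return frames


def demo():
    # Constructed LCP Configure-Request whose magic number contains 0x7E and 0x7D.
    lcp = bytes.fromhex("ff03c0210101000a05067e7d1234")
    wire = encode(lcp) * 2
    d = Deframer()
    # Split right after an escape byte to show that state survives across reads.
    return d.feed(wire[:3]) + d.feed(wire[3:]), d.dropped
```

A frame that fails the FCS check is counted and discarded instead of being forwarded, so one truncated frame does not desynchronise everything after it.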

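Security

This implementation is actually incomplete: the Crypto binding part is not implemented, which leaves it potentially open to man-in-the-middle attacks.

A man-in-the-middle attack even though SSL is used? Microsoft describes such an attack scenario at the end of its documentation, and it is quite interesting.

The attacker sets up a fake Wi-Fi AP and lures the user into connecting.
Wi-Fi uses 802.11 EAP for authentication. The user believes he is logging in to the Wi-Fi, but in fact the attacker forwards this authentication request to the SSTP (PPP) server! The user really is talking to the genuine authentication server, except that what is being authenticated is not the Wi-Fi but the SSTP service.

Crypto binding prevents this attack; see Microsoft's documentation for the details.
But implementing it is somewhat complex, and my own use case does not need it for now, so I am putting it off.
(Just admit you're lazy _(:з」∠)_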
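The server-side check that Crypto binding adds, as an added example in Python (not part of sstp-server, which at the time of this post skips it). The message layout and key derivation follow the SHA-256 variant of the MS-SSTP specification as understood here; the function names, the stand-in certificate bytes and the HLAK value (the key material produced by the PPP authentication) are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

CMK_SEED = b"SSTP inner method derived CMK"
SHA256_BIT = 0x02   # Hash Protocol Bitmask value for SHA-256


def call_connected(nonce, cert_hash, cmac=bytes(32)):
    """Build the 112-byte Call Connected message (one Crypto Binding attribute)."""
    header = struct.pack(">BBHHH", 0x10, 0x01, 0x0070, 0x0004, 0x0001)
    attr = struct.pack(">BBH3sB", 0x00, 0x03, 0x0068, bytes(3), SHA256_BIT)
    return header + attr + nonce + cert_hash + cmac


FIXED = call_connected(b"", b"", b"")   # the 16 constant leading bytes


def compound_mac(hlak, nonce, cert_hash):
    """CMK = HMAC(HLAK, seed | LEN | 0x01); MAC = HMAC(CMK, message with zeroed MAC)."""
    seed = CMK_SEED + struct.pack("<H", 32) + b"\x01"
    cmk = hmac.new(hlak, seed, hashlib.sha256).digest()
    return hmac.new(cmk, call_connected(nonce, cert_hash), hashlib.sha256).digest()


def verify_call_connected(msg, hlak, server_nonce, server_cert_der):
    """Return (ok, reason) for a received Call Connected message."""
    if len(msg) != 112 or msg[:16] != FIXED:
        return False, "malformed"
    nonce, cert_hash, mac = msg[16:48], msg[48:80], msg[80:112]
    if not hmac.compare_digest(nonce, server_nonce):
        return False, "nonce mismatch"
    expected = hashlib.sha256(server_cert_der).digest()
    if not hmac.compare_digest(cert_hash, expected):
        return False, "certificate hash mismatch"   # client saw a different TLS cert
    if not hmac.compare_digest(mac, compound_mac(hlak, nonce, cert_hash)):
        return False, "compound MAC mismatch"       # sender lacks the PPP auth keys
    return True, "ok"


def demo():
    cert = b"constructed stand-in for the server certificate (DER)"
    nonce, hlak = os.urandom(32), os.urandom(32)    # constructed session values
    cert_hash = hashlib.sha256(cert).digest()
    genuine = call_connected(nonce, cert_hash, compound_mac(hlak, nonce, cert_hash))
    # In the relay scenario the attacker owns the TLS session, so it knows the nonce
    # and certificate hash, but the keys of the relayed authentication stay with the
    # victim and the server; here it falls back to an all-zero key.
    relayed = call_connected(nonce, cert_hash,
                             compound_mac(bytes(32), nonce, cert_hash))
    return (verify_call_connected(genuine, hlak, nonce, cert),
            verify_call_connected(relayed, hlak, nonce, cert))
```

The compound MAC only binds the tunnel to the authentication when the PPP method actually produces keys, as MS-CHAPv2 does.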

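68 comments on "A Simple SSTP Server"

  1. Null (post author)

    Also, I'm hesitating over whether to migrate to Python 3...
    When I wrote this, Twisted's Py3 support still had quite a few problems, so I was more or less forced to use Py2.

    But switching now doesn't seem to bring any particular benefit either...
    I considered a single codebase compatible with both Py2 and Py3, but later found that too much trouble; if I migrate, Py2 will no longer be maintained...
    I'll go file an issue some other day and leave it there (
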
  2. CK

    The latest log as follow

    Downloading/unpacking sstp-server
    Downloading sstp-server-0.3.5.tar.gz
    Running setup.py (path:/tmp/pip_build_root/sstp-server/setup.py) egg_info for package sstp-server

    Downloading/unpacking twisted (from sstp-server)
    Running setup.py (path:/tmp/pip_build_root/twisted/setup.py) egg_info for package twisted

    Downloading/unpacking service-identity (from sstp-server)
    Downloading service_identity-16.0.0-py2.py3-none-any.whl
    Downloading/unpacking argparse (from sstp-server)
    Downloading argparse-1.4.0-py2.py3-none-any.whl
    Downloading/unpacking py2-ipaddress (from sstp-server)
    Downloading py2-ipaddress-3.4.1.tar.gz
    Running setup.py (path:/tmp/pip_build_root/py2-ipaddress/setup.py) egg_info for package py2-ipaddress

    Downloading/unpacking zope.interface>=3.6.0 (from twisted->sstp-server)
    Running setup.py (path:/tmp/pip_build_root/zope.interface/setup.py) egg_info for package zope.interface

    warning: no previously-included files matching ‘*.dll’ found anywhere in distribution
    warning: no previously-included files matching ‘*.pyc’ found anywhere in distribution
    warning: no previously-included files matching ‘*.pyo’ found anywhere in distribution
    warning: no previously-included files matching ‘*.so’ found anywhere in distribution
    warning: no previously-included files matching ‘coverage.xml’ found anywhere in distribution
    no previously-included directories found matching ‘docs/_build’
    Downloading/unpacking pyasn1 (from service-identity->sstp-server)
    Downloading pyasn1-0.1.9-py2.py3-none-any.whl
    Downloading/unpacking pyasn1-modules (from service-identity->sstp-server)
    Downloading pyasn1_modules-0.0.8-py2.py3-none-any.whl
    Downloading/unpacking attrs (from service-identity->sstp-server)
    Downloading attrs-15.2.0-py2.py3-none-any.whl
    Downloading/unpacking pyopenssl>=0.12 (from service-identity->sstp-server)
    Requirement already satisfied (use –upgrade to upgrade): setuptools in /usr/lib/python2.7/site-packages/setuptools-7.0-py2.7.egg (from zope.interface>=3.6.0->twisted->sstp-server)
    Downloading/unpacking six>=1.5.2 (from pyopenssl>=0.12->service-identity->sstp-server)
    Downloading six-1.10.0-py2.py3-none-any.whl
    Downloading/unpacking cryptography>=0.7 (from pyopenssl>=0.12->service-identity->sstp-server)
    Running setup.py (path:/tmp/pip_build_root/cryptography/setup.py) egg_info for package cryptography

    no previously-included directories found matching ‘docs/_build’
    warning: no previously-included files matching ‘*’ found under directory ‘vectors’
    Downloading/unpacking idna>=2.0 (from cryptography>=0.7->pyopenssl>=0.12->service-identity->sstp-server)
    Downloading/unpacking enum34 (from cryptography>=0.7->pyopenssl>=0.12->service-identity->sstp-server)
    Running setup.py (path:/tmp/pip_build_root/enum34/setup.py) egg_info for package enum34

    Downloading/unpacking ipaddress (from cryptography>=0.7->pyopenssl>=0.12->service-identity->sstp-server)
    Downloading ipaddress-1.0.16-py27-none-any.whl
    Downloading/unpacking cffi>=1.4.1 (from cryptography>=0.7->pyopenssl>=0.12->service-identity->sstp-server)
    Running setup.py (path:/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi

    Downloading/unpacking pycparser (from cffi>=1.4.1->cryptography>=0.7->pyopenssl>=0.12->service-identity->sstp-server)
    Running setup.py (path:/tmp/pip_build_root/pycparser/setup.py) egg_info for package pycparser

    warning: no previously-included files matching ‘yacctab.*’ found under directory ‘tests’
    warning: no previously-included files matching ‘lextab.*’ found under directory ‘tests’
    warning: no previously-included files matching ‘yacctab.*’ found under directory ‘examples’
    warning: no previously-included files matching ‘lextab.*’ found under directory ‘examples’
    Installing collected packages: sstp-server, twisted, service-identity, argparse, py2-ipaddress, zope.interface, pyasn1, pyasn1-modules, attrs, pyopenssl, six, cryptography, idna, enum34, ipaddress, cffi, pycparser
    Running setup.py install for sstp-server
    warning: build_py: byte-compiling is disabled, skipping.

    building ‘sstpd.codec’ extension
    i486-openwrt-linux-uclibc-gcc -fno-strict-aliasing -Os -pipe -march=i486 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -DNDEBUG -fno-inline -DNDEBUG -Os -pipe -march=i486 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -fPIC -I/usr/include/python2.7 -c sstpd/codecmodule.c -o build/temp.linux-i686-2.7/sstpd/codecmodule.o
    sstpd/codecmodule.c:1:20: fatal error: Python.h: No such file or directory
    #include
    ^
    compilation terminated.
    error: command ‘i486-openwrt-linux-uclibc-gcc’ failed with exit status 1
    Complete output from command /usr/bin/python2.7 -c “import setuptools, tokenize;__file__=’/tmp/pip_build_root/sstp-server/setup.py’;exec(compile(getattr(tokenize, ‘open’, open)(__file__).read().replace(‘\r\n’, ‘\n’), __file__, ‘exec’))” install –record /tmp/pip-RR15_y-record/install-record.txt –single-version-externally-managed –compile:
    running install

    running build

    running build_py

    creating build

    creating build/lib.linux-i686-2.7

    creating build/lib.linux-i686-2.7/sstpd

    copying sstpd/packets.py -> build/lib.linux-i686-2.7/sstpd

    copying sstpd/utils.py -> build/lib.linux-i686-2.7/sstpd

    copying sstpd/__main__.py -> build/lib.linux-i686-2.7/sstpd

    copying sstpd/sstp.py -> build/lib.linux-i686-2.7/sstpd

    copying sstpd/constants.py -> build/lib.linux-i686-2.7/sstpd

    copying sstpd/__init__.py -> build/lib.linux-i686-2.7/sstpd

    copying sstpd/address.py -> build/lib.linux-i686-2.7/sstpd

    copying sstpd/ppp.py -> build/lib.linux-i686-2.7/sstpd

    warning: build_py: byte-compiling is disabled, skipping.

    running build_ext

    building ‘sstpd.codec’ extension

    creating build/temp.linux-i686-2.7

    creating build/temp.linux-i686-2.7/sstpd

    i486-openwrt-linux-uclibc-gcc -fno-strict-aliasing -Os -pipe -march=i486 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -DNDEBUG -fno-inline -DNDEBUG -Os -pipe -march=i486 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -fPIC -I/usr/include/python2.7 -c sstpd/codecmodule.c -o build/temp.linux-i686-2.7/sstpd/codecmodule.o

    sstpd/codecmodule.c:1:20: fatal error: Python.h: No such file or directory

    #include

    ^

    compilation terminated.

    error: command ‘i486-openwrt-linux-uclibc-gcc’ failed with exit status 1

    —————————————-
    Cleaning up…
    Command /usr/bin/python2.7 -c “import setuptools, tokenize;__file__=’/tmp/pip_build_root/sstp-server/setup.py’;exec(compile(getattr(tokenize, ‘open’, open)(__file__).read().replace(‘\r\n’, ‘\n’), __file__, ‘exec’))” install –record /tmp/pip-RR15_y-record/install-record.txt –single-version-externally-managed –compile failed with error code 1 in /tmp/pip_build_root/sstp-server
    Storing debug log for failure in /root/.pip/pip.log

  3. fish

    hi.

    sstpd -c cert.pem --local 10.0.0.1 --remote 10.0.0.0/24 is the command run on the client machine. What is the command to run on the server? Is it sstpd -c cert.pem?

  4. peter mao

    To the blog author: I saw that you have the -n, --no-ssl option. I tried using nginx as the SSL proxy but could not get it to work.
    nginx configuration:
    stream{

    upstream backends {
    server XXXXXXX:443;
    }

    server {
    # listen 80;
    listen 443 ssl ; # ‘ssl’ parameter tells NGINX to decrypt the traffic
    proxy_buffer_size 16M;
    proxy_pass backends;

    ssl_certificate ssl.crt; # The certificate file
    ssl_certificate_key ssl.key; # The private key file
    }
    }
    Server-side error:
    2016-07-07 09:25:22,733 INFO: Running without SSL.
    2016-07-07 09:25:22,735 INFO: Listening on :443…
    2016-07-07 09:25:29,700 INFO: SSTP control packet (type 1) received.
    2016-07-07 09:25:32,808 INFO: SSTP control packet (type 4) received.
    Unhandled Error
    Traceback (most recent call last):
    File “/usr/local/lib/python2.7/site-packages/twisted/python/log.py”, line 101, in callWithLogger
    return callWithContext({“system”: lp}, func, *args, **kw)
    File “/usr/local/lib/python2.7/site-packages/twisted/python/log.py”, line 84, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
    File “/usr/local/lib/python2.7/site-packages/twisted/python/context.py”, line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
    File “/usr/local/lib/python2.7/site-packages/twisted/python/context.py”, line 81, in callWithContext
    return func(*args,**kw)
    — —
    File “/usr/local/lib/python2.7/site-packages/twisted/internet/posixbase.py”, line 597, in _doReadOrWrite
    why = selectable.doRead()
    File “/usr/local/lib/python2.7/site-packages/twisted/internet/tcp.py”, line 209, in doRead
    return self._dataReceived(data)
    File “/usr/local/lib/python2.7/site-packages/twisted/internet/tcp.py”, line 215, in _dataReceived
    rval = self.protocol.dataReceived(data)
    File “/usr/local/lib/python2.7/site-packages/sstpd/sstp.py”, line 34, in dataReceived
    self.sstpDataReceived(data)
    File “/usr/local/lib/python2.7/site-packages/sstpd/sstp.py”, line 80, in sstpDataReceived
    self.sstpPacketReceived(packet)
    File “/usr/local/lib/python2.7/site-packages/sstpd/sstp.py”, line 99, in sstpPacketReceived
    self.sstpControlPacketReceived(messageType, attributes)
    File “/usr/local/lib/python2.7/site-packages/sstpd/sstp.py”, line 123, in sstpControlPacketReceived
    self.sstpMsgCallConnectedReceived(hashType, nonce, certHash, macHash)
    File “/usr/local/lib/python2.7/site-packages/sstpd/sstp.py”, line 204, in sstpMsgCallConnectedReceived
    if certHash is not None and certHash not in self.factory.certHash:
    exceptions.TypeError: argument of type ‘NoneType’ is not iterable

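    1. Null (post author)

      I tried to fix it, but it's not convenient for me to test right now, so I don't know whether it works.
      It hasn't been pushed to PyPI yet; could you try installing it from GitHub?

      Earlier I also wrote --no-ssl with the intention of putting nginx in front as a reverse proxy, but then found that nginx complained that the Content-Length was too large and raised an error,
      so after that I left this feature alone...
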
  5. fish

    [email protected]:~# sstpd -c public.crt --local 10.0.0.1 --remote 10.0.0.0/24
    Traceback (most recent call last):
    File “/usr/local/bin/sstpd”, line 9, in
    load_entry_point(‘sstp-server==0.3.5’, ‘console_scripts’, ‘sstpd’)()
    File “/usr/local/lib/python2.7/dist-packages/sstpd/__main__.py”, line 76, in main
    ippool = IPPool(args.remote)
    File “/usr/local/lib/python2.7/dist-packages/sstpd/address.py”, line 9, in __init__
    self._network = ipaddress.ip_network(network)
    File “/usr/local/lib/python2.7/dist-packages/ipaddress-1.0.16-py2.7.egg/ipaddress.py”, line 199, in ip_network
    ‘ a unicode object?’ % address)
    ipaddress.AddressValueError: ‘10.0.0.0/24’ does not appear to be an IPv4 or IPv6 network. Did you pass in a bytes (str in Python 2) instead of a unicode object?
    [email protected]:~#

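    How do I solve this?
    Thanks for replying.

    1. Null (post author)

      The ipaddress package already installed on the system conflicts with the py2-ipaddress that sstp-server requires.
      You can install sstp-server inside a virtualenv, or simply uninstall the ipaddress package.
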
  6. Minty

    Is SSTP roughly PPTP with the GRE replaced by SSL? Or can SSTP be understood as PPTP wrapped in an SSL shell, with user authentication and the like still handed to PPP? ω・´)

  7. foehn

    sstpd -p 443 -c /etc/pki/CA/certs/server.pem --local 10.0.0.1 --remote 10.0.0.0/24
    Traceback (most recent call last):
    File “/usr/bin/sstpd”, line 9, in
    load_entry_point(‘sstp-server==0.4.0’, ‘console_scripts’, ‘sstpd’)()
    File “/usr/lib64/python2.7/site-packages/sstpd/__init__.py”, line 8, in run
    from __main__ import main
    File “/usr/lib64/python2.7/site-packages/sstpd/__main__.py”, line 7, in
    from twisted.internet.endpoints import SSL4ServerEndpoint
    File “/usr/lib64/python2.7/site-packages/twisted/internet/endpoints.py”, line 52, in
    from twisted.protocols.tls import TLSMemoryBIOFactory
    File “/usr/lib64/python2.7/site-packages/twisted/protocols/tls.py”, line 63, in
    from twisted.internet._sslverify import _setAcceptableProtocols
    File “/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py”, line 38, in
    TLSVersion.TLSv1_1: SSL.OP_NO_TLSv1_1,
    AttributeError: ‘module’ object has no attribute ‘OP_NO_TLSv1_1’

    How to solve it? (Python 2.7.5)

    1. Null (post author)

      Try to install sstp-server with pip on a clean py venv.
      $ virtualenv2 env
      $ source env/bin/activate
      $ pip install sstp-server

      Or upgrade your PyOpenSSL
      $ pip2 install --upgrade pyopenssl

  8. foehn

    After creating a new ENV as above, I still have the problem
    (env) [[email protected] ~]# sstpd -p 443 -c /etc/pki/CA/certs/server.pem --local 10.0.0.1 --remote 10.0.0.0/24
    Traceback (most recent call last):
    File “/usr/bin/sstpd”, line 9, in
    load_entry_point(‘sstp-server==0.4.0’, ‘console_scripts’, ‘sstpd’)()
    File “/usr/lib64/python2.7/site-packages/sstpd/__init__.py”, line 9, in run
    main()
    File “/usr/lib64/python2.7/site-packages/sstpd/__main__.py”, line 127, in main
    cert = _load_cert(args.pem_cert)
    File “/usr/lib64/python2.7/site-packages/sstpd/__main__.py”, line 99, in _load_cert
    return ssl.PrivateCertificate.loadPEM(certData)
    File “/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py”, line 699, in loadPEM
    crypto.FILETYPE_PEM)
    File “/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py”, line 676, in load
    return Class._load(data, format)._setPrivateKey(privateKey)
    File “/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py”, line 660, in _setPrivateKey
    if not privateKey.matches(self.getPublicKey()):
    File “/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py”, line 793, in matches
    return self.keyHash() == otherKey.keyHash()
    File “/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py”, line 826, in keyHash
    raw = crypto.dump_publickey(crypto.FILETYPE_ASN1, self.original)
    AttributeError: ‘module’ object has no attribute ‘dump_publickey’

    PS: My OS is CentOS 7.3, just a new install without anything else. Twisted version 17.1.0.

  9. foehn

    Hi:
    After downgrading Twisted to 16.3.2, I can now run the SSTP service with no "dump_publickey" error.

    Successfully installed twisted-16.3.2
    [[email protected] ~]# sstpd -p 1443 -c /etc/pki/CA/certs/server.pem --local 10.0.0.1 --remote 10.0.0.0/24 -v 5
    2017-02-27 00:41:11,345 INFO: Listening on :1443…

  10. lava

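    After the client connects, if no traffic is generated it disconnects automatically after about 1 minute.. How can this be solved? Continuously pinging the gateway keeps it alive, but is there no parameter that can be set?

    1. Null (post author)

      Uh, I don't know when you tested this?
      Earlier versions had a bug that caused some packet loss (in iperf3 it shows up as a very high number in the Retr column...
      This problem was fixed in v0.3.6 (2016-11-21).
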
  11. 小梦梦

    Are certificates issued by Let's Encrypt not supported? I tried all four of the generated pem files and none of them works.
    —————————————–
    Traceback (most recent call last):
    File “/opt/rh/python27/root/usr/bin/sstpd”, line 11, in
    load_entry_point(‘sstp-server==0.4.1’, ‘console_scripts’, ‘sstpd’)()
    File “/opt/rh/python27/root/usr/lib64/python2.7/site-packages/sstpd/__init__.py”, line 9, in run
    main()
    File “/opt/rh/python27/root/usr/lib64/python2.7/site-packages/sstpd/__main__.py”, line 127, in main
    cert = _load_cert(args.pem_cert)
    File “/opt/rh/python27/root/usr/lib64/python2.7/site-packages/sstpd/__main__.py”, line 99, in _load_cert
    return ssl.PrivateCertificate.loadPEM(certData)
    File “/opt/rh/python27/root/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py”, line 696, in loadPEM
    crypto.FILETYPE_PEM)
    File “/opt/rh/python27/root/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py”, line 673, in load
    return Class._load(data, format)._setPrivateKey(privateKey)
    File “/opt/rh/python27/root/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py”, line 507, in load
    return Class(crypto.load_certificate(format, requestData), *args)
    File “/opt/rh/python27/root/usr/lib/python2.7/site-packages/OpenSSL/crypto.py”, line 1661, in load_certificate
    _raise_current_error()
    File “/opt/rh/python27/root/usr/lib/python2.7/site-packages/OpenSSL/_util.py”, line 48, in exception_from_error_queue
    raise exception_type(errors)
    OpenSSL.crypto.Error: [(‘PEM routines’, ‘PEM_read_bio’, ‘no start line’)]
    —————————————–

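    1. Null (post author)

      You need the two files fullchain.pem and privkey.pem. The current version only supports specifying one file, so you have to combine these two files manually (`cat fullchain.pem privkey.pem > cert-with-key.pem`). The next version will support specifying both.

      1. 小梦梦

        I'm the one who filed the feature request on GitHub, thanks. The performance is rather low though: compared with the ss+proxifier combination it reaches only about a third to a quarter of the speed (speedtest.net); ss is also the pip version. Keep it up, author _(:3 ⌒゙)_. I have high hopes for this project.

  12. 小梦梦

    Has the author tried connecting with sstpc? On Fedora 25 my sstpc connection just fails; this lousy sstpc gives no useful information even with --debug, and the sstpd backend sees no request either. No idea what is wrong.

    1. 小梦梦

      Very strange: the domain I specified for the connection is px, but sstpc shows blog, so the nginx reverse proxy cannot recognize it and of course the connection fails. But why does this happen? px clearly came first (?), and there is nothing suspicious in hosts either. How on earth does sstpc manage this..
      # sstpc --log-stdout --log-level 4 --user *** --password *** px.*.com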
      Apr 1 04:01:51 sstpc[38653]: Resolved blog.*.com to 45.63.50.*
      Apr 1 04:01:51 sstpc[38653]: TLS hostname extension is disabled
      Apr 1 04:02:01 sstpc[38653]: Connect timed out
      Apr 1 04:02:01 sstpc[38653]: Could not complete connect to the client
      **Error: Could not complete connect to the client, (-1)

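      1. LAVA

        It doesn't seem to be a problem with SSTP itself; some of my servers work fine. The problematic ones all seem to have been upgraded to a 4.x kernel with bbr enabled. Later I'll start one in the same data center without the kernel upgrade and try.

        1. LAVA

          After further testing, the influence of the kernel should be ruled out. On a very few data-center machines, PPTP and SSTP latency are about the same. On the vast majority, SSTP latency is very unstable and much higher...
          In one test, two Linux machines connected over SSTP had a latency of about 160 while the actual latency is fifty-something, but after using two-sided acceleration it went back to fifty-something.

        2. Null (post author)

          A poor network affects TCP-based VPNs more.
          You could check how other TCP VPNs behave in the same environment, such as OpenVPN in TCP mode or ocserv.

  13. LAVA

    Test environment: Alibaba Cloud Hong Kong B, kernel upgraded to 4.12 with BBR enabled.
    After connecting SSTP, ping 8.8.8.8: 0% packet loss, min 46 ms, max 524 ms, avg 162 ms
    After connecting OpenVPN TCP, ping 8.8.8.8: 0% packet loss, min 29 ms, max 78 ms, avg 35 ms

    1. Null (post author)

      On Python 2 you can install an old version:
      $ pip install "sstp-server<0.5"
      However, I may not have the energy to keep updating the old version as well.

      I'm not familiar with CentOS; there should be a way?
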
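  14. Hello, the client gets disconnected as soon as it connects, with the error: A connection to the remote computer could not be established, so the port used for this connection was closed.
    Below is the server-side output
    [email protected]:/home/crt3# sstpd -c ca.cert.pem -k ca.pem --local 10.52.0.1 --remote 10.52.0.0/24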
    2017-09-28 16:43:26,121 INFO: Listening on :443…
    2017-09-28 16:43:57,963 INFO: SSTP control packet (CALL_CONNECT_REQUEST) received.
    2017-09-28 16:43:57,970 INFO: pppd stopped.
    2017-09-28 16:43:58,044 INFO: SSTP control packet (CALL_DISCONNECT_ACK) received.

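    Please help take a look, many thanks!

      1. Hello, in /etc/ppp/options.sstpd I changed it to logfile /var/log/sstpppdebug
        and still no sstpppdebug file is generated. I first touched a sstpppdebug file and then ran sstp again, and there is still no output. Could you please take another look?

      2. Hello, the system I am using is Ubuntu 16.04 64-bit. The Python it ships with is 2.7.
        Compiling and installing Python keeps running into strange errors. Is there any simple way to upgrade to Python 3?
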
