~eivnaes/sstp-client/1.0.13
.\" SH section heading
.\" SS subsection heading
.\" LP paragraph
.\" IP indented paragraph
.\" TP hanging label
.TH SSTPC 8
.\" NAME should be all caps, SECTION should be 1-8, maybe w/ subsection
.\" other parms are allowed: see man(7), man(1)
.SH NAME
sstpc \- SSTP Client
.SH SYNOPSIS
.B sstpc
.I "<sstp-server-IP> <sstp-options> [ppp-options] ..."
.SH "DESCRIPTION"
.LP
.B sstpc
establishes the client side of a Virtual Private Network (VPN) using the Secure Socket Tunneling Protocol (SSTP). Use this program to connect to an employer's SSTP-based VPN when PPTP and L2TP are not working.
.LP
By default, \fBsstpc\fR establishes the SSTP call to the SSTP server, and then starts an instance of \fBpppd\fR to manage the data transfer. However, \fBsstpc\fR can also be run as a connection manager within
\fBpppd\fR.
.SH OPTIONS
.LP
The first non\-option argument on the \fBsstpc\fR command line must be the host name or IP address of the SSTP server.
.LP
All long options (starting with "\-\-") are interpreted as sstpc options, and a fatal error occurs if an unrecognised option is used.
.LP
All command\-line arguments which do not start with "\-" are interpreted as ppp options, and passed as is to \fBpppd\fR unless \fB\-\-nolaunchpppd\fR is given.
.TP
.B \-\-ca-cert
Specify the CA certificate used to verify the server with
.TP
.B \-\-ca-dir
Specify the directory of certificates that contains the CA certificate. If nothing is specified, the system-wide directory is used.
.TP
.B \-\-cert-warn
Ignore certificate warnings (such as a common name mismatch) instead of terminating the connection.
.TP
.B \-\-debug
Run in foreground (for debugging with gdb)
.TP
.B \-\-ipparam
This specifies the callback socket that
.B pppd
will try to connect back to
.B sstpc
on, in order to communicate the MPPE keys as negotiated. The MPPE keys are required to authenticate against the server at the SSL layer. They can be zeroed if no MPPE is negotiated. The name is formed based on /tmp/sstpc-<ipparam>.
.TP
.B \-\-nolaunchpppd
Do not launch
.B pppd
but use stdin as the network connection.  Use this flag when including
.B sstpc
as a
.B pppd
connection process using the
.B pty
option. See EXAMPLES.
.TP
.B \-\-password
Specify a password on the command line instead of setting it up in a configuration file for
.B pppd
in /etc/ppp/peers.
.TP
.B \-\-proxy
Connect to the SSTP server via a proxy on your network. The syntax is http://[<user>:<pass>@]<domain>:port.
.TP
.B \-\-priv-user
Specify the privilege separation user to run 
.B sstpc
.TP
.B \-\-priv-group
Specify the privilege separation group to run 
.B sstpc
.TP
.B \-\-priv-dir
Specify the privilege separation directory for the chroot jail to run
.B sstpc
.TP
.B \-\-user
Specify the username to authenticate to the SSTP server instead of setting it up in a configuration file for
.B pppd
in /etc/ppp/peers.
.TP
.B \-\-save-server-route
This will automatically add and remove a route to the SSTP server.
.TP
.B \-\-uuid
Specify a UUID for the connection to simplify the server end debugging.
.SS Troubleshooting
The following options are available to help troubleshoot
.B sstpc
.TP
.B \-\-log-level <level>
Set the debug level for debugging the
.B sstpc
process. Level can be a value between 0 and 4.
.TP
.B \-\-log-syslog
Log messages to syslog (default).
.TP
.B \-\-log-stderr
Log messages to standard error
.TP
.B \-\-log-stdout
Log messages to standard output
.TP
.B \-\-log-fileno
Include file and line number with the log messages
.TP
.B \-\-log-filter
Filter the logs by a particular set of files, e.g. sstp-packet,sstp-state

.SH "EXAMPLES"
Connecting to a Microsoft Windows RAS service using the SSTP protocol.
.TP
Set up the peer scripts in /etc/ppp/peers. You may start by cloning one of the scripts available in your docs directory, /usr/share/doc/sstp-client or /usr/local/share/doc/sstp-client. The general content of this file will be close to the following:
.IP
# Example Content of /etc/ppp/peers/sstp-test
.br
remotename  sstp-test
.br
linkname    sstp-test
.br
ipparam     sstp-test
.br
pty         "sstpc \-\-ipparam sstp\-test \-\-nolaunchpppd sstp\-test.yourdomain.com"
.br
name        eivnaes
.br
plugin      sstp-pppd-plugin.so
.br
sstp-sock   /var/run/sstpc/sstpc-sstp-test
.br
usepeerdns
.br
require-mppe
.br
require-mschap-v2
.br
refuse-eap
.br
refuse-pap
.br
refuse-chap
.br
refuse-mschap
.br
nobsdcomp
.br
nodeflate
.TP
Note that the \fBchap\-secrets\fR file used by \fBpppd\fR must include an entry for domain\\\\username. For the sstp-test example, the user eivnaes will have an equivalent entry in the /etc/ppp/chap-secrets file:
.IP
# Secrets for authentication using CHAP
.br
# client        server  secret          IP addresses
.br
eivnaes         *       xxxxxx          *
.TP
Starting the sstp-test using the pon script
.B sudo pon sstp-test
.TP
Invoking sstpc using the call command
.B sstpc \-\-ipparam sstp\-test sstp-test.yourdomain.com call sstp-test-nopty
.TP
The sstp-test-nopty is a pppd script you need to create in /etc/ppp/peers, and you can clone the example sstp-test above; but you must omit the \fBpty\fR statement in the peers configuration.
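.LP
The peers file and the chap\-secrets file above carry the settings that decide whether the server certificate is actually verified and whether the PPP secret stays private. The shell function below is an added example and not part of sstp-client: it lints a copy of a peers file and its chap\-secrets for those settings, flagging \fB\-\-cert\-warn\fR and \fB\-\-password\fR in the \fBpty\fR line, noting when neither \fB\-\-ca\-cert\fR nor \fB\-\-ca\-dir\fR is given (so the system-wide CA directory is used), checking for require\-mppe, require\-mschap\-v2 and refuse\-pap, and checking that chap\-secrets is not readable by group or others. Both file paths are arguments so it can be pointed at any copy; the sample files in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of sstp-client: lint a pppd peers file written for
# sstpc, plus the chap-secrets file, for the settings that matter for security.
# Usage: sstp_lint <peers-file> <chap-secrets-file>
# Prints one line per finding; returns 1 if any FAIL was found, 0 otherwise.
sstp_lint() {
    peers="$1"
    secrets="$2"
    rc=0

    # The pty line is the sstpc command line that pppd will run.
    pty=$(sed -n 's/^[[:space:]]*pty[[:space:]]*//p' "$peers")

    case "$pty" in
        *--cert-warn*)
            echo "FAIL: $peers: pty uses --cert-warn, so server certificate warnings are ignored"
            rc=1 ;;
    esac
    case "$pty" in
        *--password*)
            echo "FAIL: $peers: pty passes --password on the command line; use chap-secrets instead"
            rc=1 ;;
    esac
    case "$pty" in
        *--ca-cert*|*--ca-dir*) ;;
        *) echo "INFO: $peers: no --ca-cert/--ca-dir given; the system-wide CA directory is used" ;;
    esac

    # Options the example peers file relies on for encryption and authentication.
    for opt in require-mppe require-mschap-v2 refuse-pap; do
        if ! grep -Eq "^[[:space:]]*$opt([[:space:]]|$)" "$peers"; then
            echo "FAIL: $peers: missing '$opt'"
            rc=1
        fi
    done

    # chap-secrets holds the PPP password; group and others must have no access.
    # Columns 5-10 of 'ls -l' are the group and other permission bits.
    if [ "$(ls -l "$secrets" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $secrets: readable by group or others; chmod 600 it"
        rc=1
    fi

    return $rc
}

# Usage against a copy of the live files (constructed paths for the example):
# sstp_lint /tmp/review/sstp-test /tmp/review/chap-secrets
```

Run it against copies rather than the live files in /etc/ppp so the check itself needs no privilege; a non-zero exit means at least one FAIL line was printed.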
.SH "SEE ALSO"
.IR pppd (8)
.PP
.SH AUTHOR
This manual page was written by Eivind Naess <enaess@yahoo.com>