Wednesday 13 January 2016

How to set up a personal SSTP VPN server on Azure Ubuntu using SoftEther

1. What is a VPN and why use one?


VPNs are becoming popular not only for enterprise and virtual-network use but also for personal use, where a VPN can secure all connections and data transferred from your PC. People who want a VPN usually subscribe to a commercial service for a fee. That is a convenient way to get a VPN connection, but you pay the provider for usage, and you may also be concerned about whether you can trust the provider.

To avoid the cost and dodgy VPN providers, you can set up your own VPN server on a cloud service, provided you can get a free instance there. Amazon's AWS has a trial plan under which you get a t1.micro instance free for the first year. Microsoft also provides free instances or free credits for students and start-up companies, so you can run your own virtual machines there. If you have access to AWS, it is easier to set up a VPN server (PPTP or L2TP) by following one of the tutorials online, because AWS supports a wider range of IP protocols for its virtual instances.

2. Creating a VPN server in the cloud: Microsoft Azure vs. Amazon AWS


Azure is a cloud platform service by Microsoft that provides virtual machines where you can run any application you want. Users can create Windows, Ubuntu, or other systems with a few mouse clicks. However, Azure does not pass the non-TCP/UDP IP protocols that L2TP and PPTP depend on; only TCP and UDP can be used. For example, L2TP/IPSec uses several UDP/TCP ports plus IP protocol 50 (ESP). Users can open those specific UDP/TCP ports for the virtual machine in Azure to allow the traffic through Azure's firewall, but there is no way to open IP protocol 50, as it is not controllable by the user. Similarly, PPTP uses TCP 1723 as well as IP protocol 47 (GRE), which cannot be opened in the firewall settings. Unlike Azure, Amazon's AWS supports opening these IP protocols. In AWS you can change the security settings to allow traffic on protocol 50 (ESP) or protocol 47 (GRE) through the firewall.

Unless Microsoft changes its policy, there is no way to use those protocols in Azure. Therefore, we cannot set up the well-known L2TP or PPTP in Azure. However, we still have a few options. SSTP and OpenVPN can be used in Azure, as they do not use any protocol other than TCP or UDP. OpenVPN is easy to set up on Linux, but it requires installing its own client program on Windows and other operating systems, because none of them supports OpenVPN natively. If you do not want to install any third-party VPN client on your operating system, the last option is SSTP. SSTP is Microsoft's own VPN protocol. It is provided in Windows Server by default, so you can easily set up the server if you create a Windows Server virtual machine in Azure.

In this article, we will set up an SSTP server on the Microsoft Azure cloud using Ubuntu, not Windows Server. We set up SSTP because we want to connect to it from a Windows desktop without installing any other client software. It is also secure, as the VPN server is fully controlled by ourselves. If you use Windows on your desktop and want to build your own VPN server on Azure without installing another VPN client, this article is for you.

3. Configuring SSTP Server on Ubuntu using SoftEther


On Linux, there is a software project called SoftEther which provides SSTP server functionality. You can follow Nima's article at the following site up to Step 10 to set up a SoftEther server on Linux, with some cautions.

https://www.digitalocean.com/community/tutorials/how-to-setup-a-multi-protocol-vpn-server-using-softether

Before starting the configuration, note that you have to deviate from the original article in a few places to allow Windows' built-in SSTP client to work with your SoftEther server.


1) In Step 6, instead of creating a new virtual hub, you have to use the DEFAULT hub that SoftEther has already created. Instead of the "HubCreate VPN" and "Hub VPN" commands, simply enter the "Hub DEFAULT" command, which selects the DEFAULT hub.

2) As we set up SSTP only, you can skip Step 9 and the OpenVPN part of Step 10.

3) Once you have finished up to Step 10, restart the SoftEther service using the following command.

sudo /etc/init.d/vpnserver restart

4) Also, don't forget to open TCP port 443 in Microsoft Azure's portal to let the packets pass through the firewall.

4. Configuring SSTP Client on Windows


After the server configuration, simply use Windows' default VPN setup wizard in Network Settings to connect to the new SSTP server.

If you see the error message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.", the certificate of your SoftEther server has to be installed on your Windows client PC to allow the connection. Download the "cert.cer" file created during the SoftEther setup procedure (Step 10) to the Windows PC and import it as a trusted root certificate.
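Importing a self-signed certificate as a trusted root is a strong trust decision, so it is worth confirming first that the downloaded cert.cer is the certificate your server actually presents on TCP 443. The following Python check is an added example, not part of the original article or of SoftEther; the script name check_cert.py and the function names are assumptions made for illustration.

```python
import hashlib, hmac, socket, ssl, sys

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def to_der(cert_bytes: bytes) -> bytes:
    """Return DER bytes whether the file holds PEM (base64) or raw DER."""
    stripped = cert_bytes.strip()
    if stripped.startswith(PEM_MARKER):
        return ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
    return cert_bytes

def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 over the DER encoding, lowercase hex."""
    return hashlib.sha256(to_der(cert_bytes)).hexdigest()

def same_certificate(a: bytes, b: bytes) -> bool:
    return hmac.compare_digest(fingerprint(a), fingerprint(b))

def fetch_presented_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the DER certificate the listener presents.
    Chain validation is switched off on purpose: the certificate is
    self-signed and not trusted yet, which is what we are deciding."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def main(argv) -> int:
    if len(argv) != 3:
        print("usage: check_cert.py <vpn-host> <path-to-cert.cer>")
        return 2
    host, path = argv[1], argv[2]
    with open(path, "rb") as fh:
        local = fh.read()
    try:
        presented = fetch_presented_cert(host)
    except OSError as exc:  # covers refused, timed-out and TLS failures
        print(f"no TLS listener on {host}:443 ({exc}); is TCP 443 open in Azure?")
        return 1
    print("file  :", fingerprint(local))
    print("server:", fingerprint(presented))
    ok = same_certificate(local, presented)
    print("match" if ok else "MISMATCH: do not import this file as a trusted root")
    return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

For an independent check, compare the printed fingerprint with one computed from the certificate on the server itself over your SSH session.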

There will be no issue if you set up SoftEther successfully using its DEFAULT virtual hub. Now, enjoy the free VPN through your own VPN server hosted in Azure.
