There is an app available on Adroid called VPN Client Pro which fully supports SSTP VPN and allows you to connect to a Windows Server 2008 – 2019 environment running RRAS. Use the button below to download the apk install file. You may need to click on the reCAPTCHA prior to clicking Download.
If you have only a single public IP to use and are already running something over TCP/443, fear not as I have proven you can use clever tricks such as PAT (port-address translation) over NAT (network-address translation). I basically reconfigure the listening port on the public side to another port such as TCP/444 in my case and then translate it to the proper destination port internally which is 443 obviously. Here is a crewed diagram:
Public > 188.8.131.52:444 [ Router/Firewall ] > 192.168.1.240:443 Internal
The protocol is designed to secure online data and traffic, and is considered a much safer option for Windows users than PPTP or L2TP/IPSec.
How Does the SSTP Protocol Work?
SSTP works by establishing a secure connection between a VPN client and a VPN server. Basically, the protocol creates a secure “tunnel” between the client and the server, and all the data and traffic that passes through that tunnel is encrypted.
Like PPTP (Point-to-Point Tunneling Protocol), SSTP transports PPP (Point-to-Point Protocol) traffic, but – unlike PPTP – it does it through a SSL/TLS channel. Because of that, SSTP offers significantly more security than PPTP since SSL/TLS provides traffic integrity checking, secure key negotiation, and encryption.
Due to the use of SSL/TLS, SSTP servers must be authenticated when a connection is established. SSTP clients can be optionally authenticated too.
General Technical Details About the SSTP VPN Protocol
- SSTP uses TCP port 443 – the same port used by HTTPS traffic.
- SSTP is often compared to OpenVPN thanks to the high level of security it offers, and the fact that it can bypass NAT firewalls.
- SSTP doesn’t generally support site-to-site VPN tunnels. Instead, it supports roaming since it uses SSL transmissions.
- SSTP only supports user authentication. The protocol doesn’t support device or computer authentication.
What Is Secure Socket Tunneling Protocol Service?
The “Secure Socket Tunneling Protocol Service” is a feature that was introduced with Windows Vista, and is also present on Windows 7, Windows 8, and Windows 10. Basically, it’s a service that offers support for the SSTP VPN protocol, allowing it to connect to remote devices through VPN connections. If the service is disabled, you won’t be able to access remote servers using the SSTP protocol.
You might also see that the “Secure Socket Tunneling Protocol Service” is related to the “SstpSvc.dll” file. You should avoid messing with that file or deleting it since it provides the SSTP service functionality on the Windows platform.
How Secure Is the SSTP Protocol?
Generally, SSTP encryption is considered relatively safe to use when you’re browsing the web. Many people even compare its security to the one offered by OpenVPN – most likely because it uses SSL and encapsulates data packets over HTTPS. What’s more, it can also use the AES encryption cipher, making it even safer.
However, it should be mentioned that there are two issues with SSTP:
1. It’s Susceptible to the “TCP Meltdown” Problem
Without getting too technical, that’s an issue that might occur with the TCP connection that’s created within the VPN tunnel, and takes places over the TCP transmission protocol. Basically, a TCP connection (the VPN one) contained within a TCP connection can result in a conflict between the two connections, which culminates in connectivity issues.
On its own, the “TCP Meltdown” problem isn’t really a huge security flaw with SSTP, but if you need round-the-clock online security or VPN encryption during critical moments (like when you’re downloading torrents, for example), it can be an annoying issue.
2. SSTP Is Owned by Microsoft
Another problem some people have with the SSTP VPN protocol is the fact that it’s closed-source and solely owned by Microsoft. While there is no evidence to showcase that SSTP was intentionally weakened or even cracked, it’s no secret that Microsoft has closely collaborated with the NSA in the past – even going as far as offering them access to encrypted messages.
What’s more, Microsoft belong to the PRISM surveillance program, and was even the program’s first partner. If you’re not familiar with PRISM, it’s a surveillance program run by the NSA which offers them access to emails, documents, and other user data that’s stored by major companies. So, it’s not far-fetched to think that the SSTP protocol might (emphasis on “might”) have been compromised by the NSA during or after development.
Overall, how good the security of the SSTP VPN protocol is solely depends on how much you trust Microsoft.
SSTP VPN Speed – What Should You Know?
SSTP offers decent online speeds most of the time, though you might encounter some slowdowns if you don’t have enough bandwidth or a relatively strong CPU. Don’t forget – SSTP uses pretty strong encryption, and that can lower your online speeds, especially if a powerful encryption cipher is used too.
Also, you should consider the fact that there are plenty of other factors that can influence the online speeds you get when using an SSTP VPN connection.
SSTP Advantages and Disadvantages
- SSTP encryption offers a decent level of security, almost on par with OpenVPN (SSL 3.0 + 256-bit encryption).
- SSTP is easy to configure on platforms it is built into.
- The SSTP VPN protocol is very difficult to block because it uses TCP port 443 (the same one HTTPS uses).
- SSTP offers good speeds if you have enough bandwidth.
- SSTP is closed-source and solely owned by Microsoft, a company that is well known to collaborate with the NSA.
- The SSTP protocol is available on a limited number of platforms – Windows, Linux, Android, and routers.
- SSTP connections could be dropped if the network admin spots the SSTP header (which is possible to do since the protocol doesn’t support authenticated web proxies).
- Since SSTP only works on TCP, it is susceptible to the “TCP Meltdown” issue.
What Is an SSTP VPN?
An SSTP VPN is a service offered by a VPN provider that gives you access to a ready-to-go SSTP VPN connection. Normally, you just need to download and install a VPN client, connect to a VPN server, and you’re good to go
Ideally, you shouldn’t stick to a VPN provider that only offers you access to the SSTP VPN protocol. It’s best to pick a provider who can offer you variety when it comes to choosing the VPN protocol you want to use.
SSTP Compared to Other VPN Protocols
Here’s an in-depth overview showcasing how good or bad the SSTP VPN protocol is compared to the other VPN protocols you can use. If you would like even more detail regarding the differences then see my other post called PPTP vs L2TP vs OpenVPN vs SSTP vs IKEv2.
SSTP vs. OpenVPN
Security-wise, both VPN protocols are decent options since they can use strong encryption keys and ciphers, and also use SSL 3.0. But unlike SSTP, OpenVPN is open-source and is not solely owned by Microsoft. That makes it easier for online users to trust that the protocol offers reliable security with no potential loopholes.
Besides that, OpenVPN can also use the UDP transmission protocol alongside the TCP one which is used by SSTP. As a result, you’re likely to get better online speeds with OpenVPN than with TCP. Also, OpenVPN isn’t susceptible to the “TCP Meltdown” issue mentioned above.
And while SSTP can’t really be blocked by firewalls easily since it uses port 443 just like OpenVPN (the HTTPS port), it does have one weakness – the fact that it doesn’t support authenticated web proxies. Why is that a problem? Well, if SSTP uses a non-authenticated web proxy, the administrator of a network could potentially detect SSTP headers. In that situation, they could drop the connection if they want to.
OpenVPN is also available on more platforms than SSTP. While it is convenient that SSTP is natively built into Windows operating systems, and thus can be easily set up, it can only be configured on routers, Android, and Linux. OpenVPN, on the other hand, can be set up on all those platforms, including many others (like Windows XP, macOS, iOS, FreeBSD, OpenBSD, Solaris, and NetBSD.
Oh, and OpenVPN could potentially be more stable than SSTP when it comes to network changes. That’s because OpenVPN has the “float” command, which could ensure OpenVPN connections don’t drop when you switch networks.
SSTP vs. IPSec
Both protocols offer a pretty good level of security, though you might have to be a bit more careful when configuring the IPSec protocol since it’s easier to mess up the protection it offers if it’s not configured properly. On the plus side, IPSec works on more platforms than SSTP, like macOS, Windows 2000, Solaris, FreeBSD, OpenBSD, and NetBSD.
Also, IPSec is much easier to block with a firewall than SSTP. Since SSTP uses TCP port 443 (the same port used by HTTPS), a network admin or ISP can’t really block it without also blocking all other online activities. IPSec traffic, on the other hand, can be blocked if the network admin or ISP blocks IP protocols 50 (which stops the Encapsulating Security Payload offered by IPSec) and 51 (which would stop the Authentication Header used by IPSec). The same can happen if port 500 is blocked since it’s the port used for IPSec’s Internet Security Association and Key Management Protocol (ISAKMP).
In terms of speed, there’s a chance that SSTP might be faster than IPSec because it can take IPSec longer to negotiate a VPN tunnel. A lot of online users have also been complaining, saying that IPSec tends to eat up a lot of resources – something that can further lower online speeds.
IPSec is normally paired with L2TP or IKEv2, but you might see VPN providers who offer IPSec as a protocol on its own. Overall, we’d recommend using SSTP over IPSec if possible.
SSTP vs. IKEv2/IPSec
If you’re mostly interested in security, you should know that both SSTP and IKEv2/IPSec offer a similar level of protection. IKEv2/IPSec might be a bit more trustworthy than SSTP, though, since it’s not solely owned by Microsoft. Instead, it was developed by Microsoft together with Cisco. Also, there are open-source implementations of IKEv2 available online.
In terms of cross-platform compatibility, IKEv2/IPSec has limited support just like SSTP, but it still has an advantage since it also works on iOS, macOS, and BlackBerry platforms.
As for speed and stability, IKEv2 might potentially be a bit faster than SSTP since it uses UDP, but it’s unfortunately also easier to block than SSTP because it only uses UDP port 500. If a network admin blocks it, IKEv2/IPSec traffic is blocked altogether. SSTP, however, uses TCP port 443, which is much harder to block. Still, IKEv2 has a very nice perk when it comes to stability – MOBIKE (IKEv2 Mobility and Multihoming), a feature that allows the protocol to seamlessly resist network changes without the connection being dropped.
In the end, IKEv2/IPSec is only a better option than SSTP if you use your mobile device a lot and travel often, or if you’d prefer an open-source alternative to SSTP that’s easy to set up on Windows platforms and BlackBerry devices.
SSTP vs. L2TP/IPSec
Generally, SSTP is a much more secure option than L2TP/IPSec, though it is worth mentioning that some online users have an easier time placing their trust in L2TP/IPSec because it’s not solely developed by Microsoft. However, L2TP/IPSec is easier blocked with a firewall than SSTP, making it overall less reliable.
In terms of connection speeds, L2TP/IPSec is inferior to SSTP because it uses double encapsulation – meaning it encrypts online traffic twice. There’s also a chance that L2TP/IPSec is more resource-intensive than SSTP.
On the other hand, L2TP/IPSec is available on more platforms than SSTP. What’s more, L2TP is even built into more devices and operating systems than SSTP, which is only built into Windows Vista and higher.
If you were to choose between SSTP and L2TP/IPSec, we’d say you’d be better off with SSTP.
SSTP vs. PPTP
Both SSTP and PPTP have been developed by Microsoft, though PPTP was developed by Microsoft together with other companies. When it comes to security, SSTP surpasses PPTP because it offers better protection – especially since it has support for 256-bit encryption keys, while PPTP can only has support for 128-bit keys.
Normally, that wouldn’t be a huge issue for PPTP users, but the main problem is with PPTP’s own encryption – MPPE – which is very flawed. Also, it has been shown that the NSA can crack PPTP traffic.
The only way PPTP is better than SSTP is when it comes to speed and availability. Due to its poor encryption, PPTP offers very fast connections. Also, PPTP is natively built into many platforms, though it is worth mentioning that – due to the protocol’s poor security – it might not continue to be natively included in future operating systems and devices. For example, PPTP is no longer natively available on macOS Sierra and iOS 10 (and newer versions).
SSTP vs. SoftEther
SSTP and SoftEther both seem to offer a decent level of security when it comes to high encryption and supported ciphers, but SoftEther is simply more trustworthy because it’s open-source and because it isn’t owned by a company that’s been known to collaborate with the NSA. Also, SoftEther has a wide variety of security features that make it even stronger.
Speed-wise, there’s a chance that SoftEther is faster than SSTP since it was programmed with fast throughput in mind. Also, SoftEther is allegedly 13 times faster than OpenVPN, and SSTP speeds are often considered to be on a similar level to OpenVPN connection speeds.
Now, it’s true that SoftEther might be more difficult or inconvenient to set up than SSTP. After all, SSTP is natively built into Windows platforms, so it can easily be configured with a few clicks. What’s more, if you use a third-party VPN service that offers SoftEther connections, you’ll still need to download and install the SoftEther software on your device.
On the other hand, SoftEther works on more platforms than SSTP, which is only available natively on Windows operating systems, and can be manually configured on routers, Android, and Linux. SoftEther works on all those platforms, and on other operating systems and devices like iOS, FreeBSD, Solaris, and macOS.
Another difference worth mentioning is the fact that the SoftEther VPN server actually offers support for the SSTP VPN protocol – alongside many other VPN protocols like OpenVPN, L2TP/IPSec, IPSec, and SoftEther. An SSTP VPN server doesn’t offer such flexibility.
Overall, SoftEther is a much better option than SSTP – especially if you are looking for an open-source alternative.
SSTP vs. Wireguard
At the moment of writing of this article, Wireguard is a very young VPN protocol, so not a lot of people trust it as much as they trust SSTP – especially since it’s only in its experimental phase. Still, the protocol is open-source, and it might end up offering better security than SSTP since it uses state-of-the-art cryptography.
Wireguard is also very likely faster than SSTP if we are to believe the benchmarks on the protocol’s website that showcase how it has better throughput and less ping times than OpenVPN (a protocol SSTP is often compared to in terms of speed).
At the moment, SSTP is much more cross-platform compatible than Wireguard since it’s available on Linux (the only platform Wireguard works on right now), and on Windows, Android, and routers. Not to mention SSTP is much easier to set up too.
As things stand right now, Wireguard isn’t a better choice than SSTP since it isn’t stable, nor is it fully secure. Of course, if you just want to test it out, the protocol is a good option. In the future, Wireguard might surpass SSTP, though.
Considering All That, Is the SSTP VPN Protocol a Good Choice?
Well, if you’re a Windows user and can’t use OpenVPN or SoftEther for various reasons, SSTP is the next best VPN protocol in terms of security and reliability. Of course, that depends on how much you trust the Microsoft corporation. If you’re not particularly worried about that aspect, though, SSTP could be a good choice then.
What Is SSTP? The Main Idea
SSTP is a VPN protocol that encrypts online communications between a VPN client and a VPN server. It’s generally considered as secure as OpenVPN, but many online users don’t trust it fully because it’s solely owned by Microsoft. Also, the protocol has limited cross-platform compatibility, only being natively available on Windows, and supporting configurations on Android, Linux, and routers.
Overall, SSTP is a good choice if you don’t mind the fact that it’s owned by Microsoft, and that it’s not open-source. We generally recommend using it only when OpenVPN or SoftEther are not valid options.