
Managing your Mikrotik with SSTP


Summary
SSTP tunnels VPN traffic inside HTTPS (port 443), making remote MikroTik access possible even behind strict firewalls and proxies. This guide shows RouterOS server and client setup, NAT examples, security tips and when SSTP is the right choice.

Remote MikroTik Management with SSTP

SSTP (Secure Socket Tunneling Protocol) hides a VPN inside HTTPS.

It works over port 443 and blends with normal web traffic.

That makes it ideal when networks block traditional VPN ports.

This post gives a concise, hands-on SSTP recipe for MikroTik RouterOS.

What is SSTP?

SSTP tunnels PPP (Point-to-Point Protocol) inside a TLS/HTTPS session.

It uses TLS for encryption and authentication.

From the network’s point of view, SSTP is nearly indistinguishable from normal HTTPS.

That’s why it sails through corporate proxies and CGNAT.

How SSTP works — quick flow

  1. Client opens a TLS (HTTPS) connection to the server on port 443.
  2. Server proves its TLS certificate.
  3. A PPP session is established inside the TLS tunnel.
  4. Traffic is encrypted end-to-end (AES-256 when configured).

Simple. Reliable. Hard to block.

Note: Because SSTP uses HTTPS, many restrictive networks will allow it while blocking other VPNs.

Advantages and limitations

Advantages

  • Works almost anywhere — firewalls and proxies included.
  • Uses port 443 (HTTPS) which is usually open.
  • Strong TLS encryption (when using modern RouterOS/TLS settings).
  • Native support in Windows and RouterOS.
  • Flexible auth: username/password, certificates, or RADIUS.

Limitations

  • Higher CPU use than lightweight VPNs (TLS overhead).
  • Performance is usually lower than WireGuard.
  • Requires a valid SSL certificate for best results.

Warning: Older TLS/SSL versions are insecure. Keep RouterOS updated and disable legacy TLS/SSL.

Server: Configure SSTP on a MikroTik

Below are the minimal RouterOS commands to create an SSTP server.

  1. Create or import a certificate (self-signed example for lab use; key-usage includes tls-server so the SSTP server can present it)
/certificate add name=srv-cert common-name=vpn.yourdomain.com key-usage=key-cert-sign,crl-sign,tls-server
/certificate sign srv-cert
/certificate set srv-cert trusted=yes
  2. Create a PPP profile
/ppp profile add name=srv-profile local-address=10.10.10.1 remote-address=10.10.10.2
  3. Add a user (secret)
/ppp secret add name="usuario" password="senha123" profile=srv-profile service=sstp
  4. Enable the SSTP server
/interface sstp-server server set enabled=yes certificate=srv-cert authentication=mschap2 default-profile=srv-profile

Now the router listens on port 443 and accepts SSTP connections.

Tip: Use a certificate from Let’s Encrypt or your CA — self-signed certs work for lab tests but cause client warnings.

Client: Configure SSTP on a remote MikroTik

On the remote device, add an SSTP client to connect back to the hub.

/interface sstp-client add name=sstp-to-hq connect-to=vpn.yourdomain.com \
user="usuario" password="senha123" profile=default-encryption add-default-route=no
/interface sstp-client monitor sstp-to-hq once

Expected status output:

status: connected
uptime: 00:02:15
encoding: AES256-CBC/SHA1

Note: The encoding line shows the negotiated cipher. Modern RouterOS versions support stronger ciphers — verify your release notes.

Access an internal host across the tunnel

If you need to reach a device behind the remote MikroTik (for example 192.168.88.100), add a dst-nat rule on that remote MikroTik that maps a port to the device. Matching only the SSTP interface keeps the mapping from being reachable on the router's WAN side.

/ip firewall nat add chain=dstnat in-interface=sstp-to-hq protocol=tcp dst-port=8081 \
action=dst-nat to-addresses=192.168.88.100 to-ports=80

From the hub or a client, access the device via the SSTP tunnel endpoint and mapped port:

https://vpn.yourdomain.com:8081

Traffic flows through the HTTPS tunnel and reaches the internal host.

Security and best practices

  • Use valid, trusted TLS certificates.
  • Prefer certificate or RADIUS authentication over plain passwords.
  • Restrict allowed source IPs when possible.
  • Keep RouterOS updated to get modern TLS stacks.
  • Disable old SSL/TLS versions and weak ciphers.
  • Monitor connection logs and rotate credentials periodically.

Tip: For many devices, authentication by certificate is more manageable and safer than shared passwords.
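A hardened variant of the server and client steps above, added here as an example and not the original post's commands: a private CA signs a server certificate carrying the tls-server usage, the server pins TLS 1.2 with AES and PFS, only allow-listed source ranges may reach port 443, and the remote client refuses any server whose certificate does not chain to the imported CA. The names sstp-ca, sstp-srv, sstp-pool, sstp-allowed, the user branch-a and the 203.0.113.0/24 range are assumed values for this example.

```routeros
# --- On the hub MikroTik (SSTP server) --- names below are assumed for this example
# 1. Private CA, then a server certificate signed by it (tls-server usage is what SSTP needs)
/certificate add name=sstp-ca common-name=sstp-ca key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign sstp-ca
/certificate add name=sstp-srv common-name=vpn.yourdomain.com subject-alt-name=DNS:vpn.yourdomain.com \
    key-usage=digital-signature,key-encipherment,tls-server days-valid=825
/certificate sign sstp-srv ca=sstp-ca
# 2. Export only the CA public certificate (file cert_export_sstp-ca.crt) for the remote routers
/certificate export-certificate sstp-ca export-passphrase=""
# 3. Address pool and profile so more than one client can connect, encryption mandatory
/ip pool add name=sstp-pool ranges=10.10.10.2-10.10.10.50
/ppp profile add name=srv-profile local-address=10.10.10.1 remote-address=sstp-pool use-encryption=required
/ppp secret add name="branch-a" password="<strong-passphrase>" profile=srv-profile service=sstp
# 4. Server: TLS 1.2 only, AES forced, perfect forward secrecy
/interface sstp-server server set enabled=yes certificate=sstp-srv authentication=mschap2 \
    default-profile=srv-profile tls-version=only-1.2 force-aes=yes pfs=yes
# 5. Only listed public ranges may reach the SSTP port; everything else is dropped
/ip firewall address-list add list=sstp-allowed address=203.0.113.0/24 comment="branch A uplink (example range)"
/ip firewall filter add chain=input protocol=tcp dst-port=443 src-address-list=sstp-allowed action=accept \
    comment="SSTP from allow-listed sources" place-before=0
/ip firewall filter add chain=input protocol=tcp dst-port=443 action=drop comment="SSTP from anywhere else"
# 6. Keep PPP session events in the memory log for review
/system logging add topics=ppp,info action=memory

# --- On the remote MikroTik (SSTP client) ---
# Upload cert_export_sstp-ca.crt to Files first, then import it so the hub's certificate can be verified
/certificate import file-name=cert_export_sstp-ca.crt passphrase=""
/interface sstp-client add name=sstp-to-hq connect-to=vpn.yourdomain.com user="branch-a" \
    password="<strong-passphrase>" profile=default-encryption add-default-route=no \
    verify-server-certificate=yes verify-server-address-from-certificate=yes tls-version=only-1.2 pfs=yes
/interface sstp-client monitor sstp-to-hq once
```

With verify-server-certificate=yes the client drops the connection if the hub presents a certificate not signed by sstp-ca, so a certificate swap on the path shows up as a failed tunnel rather than a silent downgrade.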

Alternative: SSTP server on a VPS

You can host an SSTP hub on a VPS instead of a MikroTik.

Options:

  • Windows Server (native SSTP support).
  • SoftEther VPN (multi-protocol, supports SSTP on Linux).

SoftEther is handy as a protocol bridge. It lets MikroTiks and Windows clients talk to the same hub without public IPs on each site.

Quick comparison

Solution           | Port      | Security   | Compatibility     | Performance | Ideal for
-------------------|-----------|------------|-------------------|-------------|----------------------------------
SSTP               | 443       | High (TLS) | MikroTik, Windows | Medium      | Networks with strict firewalls
OpenVPN            | 1194/UDP  | High (TLS) | Wide              | Medium      | Legacy/mixed fleets
WireGuard          | 51820/UDP | Very high  | Modern devices    | High        | Modern networks, high performance
Tailscale/ZeroTier | dynamic   | Very high  | Multi-platform    | High        | Quick mesh access, teams

When to choose SSTP

Choose SSTP when you need a VPN that:

  • Must work through corporate proxies or strict NAT.
  • Should integrate easily with Windows clients.
  • Needs to use port 443 to avoid port blocking.

If you value raw speed and minimal CPU usage, consider WireGuard instead.

Where MKController helps: If configuring certificates and tunnels feels like busywork, MKController’s NATCloud offers centralized remote access and monitoring — zero manual PKI per device and simpler onboarding.

Conclusion

SSTP is a pragmatic choice for hard-to-reach networks.

It leverages HTTPS to stay connected where other VPNs fail.

With a few RouterOS commands you can set up reliable remote access for branches, servers and user devices.


About MKController

Hope the insights above helped you navigate your MikroTik and Internet universe a little better! 🚀
Whether you’re fine-tuning configs or just trying to bring some order to the network madness, MKController is here to make your life simpler.

With centralized cloud management, automated security updates, and a dashboard that anyone can master, we’ve got what it takes to upgrade your operation.

👉 Start your free 7-day trial now at mkcontroller.com — and see what effortless network control really looks like.