# SSTP Low-Level Study Session 20220821 (Part 1)
## What is SSTP
Because it runs over HTTPS (TCP 443), it passes through proxies and firewalls that only allow web traffic.
SoftEther also implements SSTP.
Microsoft designed it, and the client is built into Windows (Windows Vista SP1 and later).
That is why the specification is published as MS-SSTP (Secure Socket Tunneling Protocol).
On the server side there is SoftEther, but I have not heard of a widely used SSTP server on Linux...
## References
https://docs.microsoft.com/ja-jp/openspecs/windows_protocols/ms-sstp/c50ed240-56f3-4309-8e0c-1644898f0ea8
Look at page 12 of this PDF, section 1.4 "Relationship to Other Protocols".
PPP is encapsulated in SSTP, and SSTP is carried over HTTPS.
We do not have the time to implement PPP this session, so we will speak Ethernet frames instead.
Page 14, section 2.2.1 "SSTP Packet"
The header is 4 bytes: a version byte (0x10 for version 1.0), a byte whose low bit is the C flag, and a 16-bit field whose lower 12 bits hold the total packet length including the header. When C is 0 the rest is the PPP frame, carried as-is. When C is 1 it is a control packet: a 16-bit message type, a 16-bit attribute count, then the attributes (the CALL_CONNECT_REQUEST the program sends is one of these).
Very simple.
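As an added example (not code from gosstp or from the spec), the framing above in Go: a 4-byte header encoder and decoder, the CALL_CONNECT_REQUEST the program sends, and a check that decides control versus data from the C bit before it looks at a message type. The sample packet in main() is constructed for this example: a data-packet header placed in front of the 12 PPP bytes shown later on this page.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Control message types from MS-SSTP.
const (
	MsgCallConnectRequest uint16 = 0x0001
	MsgCallConnectAck     uint16 = 0x0002
	MsgCallConnectNak     uint16 = 0x0003
	MsgCallConnected      uint16 = 0x0004
	MsgCallAbort          uint16 = 0x0005
	MsgCallDisconnect     uint16 = 0x0006
	MsgCallDisconnectAck  uint16 = 0x0007
	MsgEchoRequest        uint16 = 0x0008
	MsgEchoResponse       uint16 = 0x0009
)

// Packet is the 4-byte SSTP header plus everything after it.
type Packet struct {
	Version byte   // 0x10 = SSTP version 1.0
	Control bool   // C bit: true = control packet, false = PPP data
	Payload []byte // bytes after the header (PPP frame, or message type + attributes)
}

// Marshal serialises the packet. The 12-bit length counts the header too.
func (p Packet) Marshal() ([]byte, error) {
	total := 4 + len(p.Payload)
	if total > 0x0fff {
		return nil, errors.New("sstp: packet too long for the 12-bit length field")
	}
	out := make([]byte, total)
	out[0] = p.Version
	if p.Control {
		out[1] = 0x01
	}
	binary.BigEndian.PutUint16(out[2:], uint16(total))
	copy(out[4:], p.Payload)
	return out, nil
}

// Parse decodes one packet from the front of buf and returns the bytes that
// follow it, because one TCP read may deliver more than one packet.
func Parse(buf []byte) (Packet, []byte, error) {
	if len(buf) < 4 {
		return Packet{}, buf, errors.New("sstp: short header")
	}
	total := int(binary.BigEndian.Uint16(buf[2:]) & 0x0fff)
	if total < 4 || total > len(buf) {
		return Packet{}, buf, fmt.Errorf("sstp: length %d does not fit in %d bytes", total, len(buf))
	}
	p := Packet{Version: buf[0], Control: buf[1]&0x01 == 0x01, Payload: buf[4:total]}
	return p, buf[total:], nil
}

// MessageType returns the 16-bit control message type. ok is false for data
// packets: their payload is PPP and must never be read as a message type.
func (p Packet) MessageType() (mt uint16, ok bool) {
	if !p.Control || len(p.Payload) < 2 {
		return 0, false
	}
	return binary.BigEndian.Uint16(p.Payload), true
}

// ConnectRequest builds SSTP_MSG_CALL_CONNECT_REQUEST with one attribute,
// ENCAPSULATED_PROTOCOL_ID, whose value 0x0001 means PPP.
func ConnectRequest() ([]byte, error) {
	body := []byte{
		0x00, 0x01, // message type: CALL_CONNECT_REQUEST
		0x00, 0x01, // number of attributes
		0x00, 0x01, // reserved, attribute ID: ENCAPSULATED_PROTOCOL_ID
		0x00, 0x06, // attribute length, including these 4 attribute-header bytes
		0x00, 0x01, // protocol ID: PPP
	}
	return Packet{Version: 0x10, Control: true, Payload: body}.Marshal()
}

// Describe classifies a received packet: control vs data from the header,
// then the whole 16-bit type, never a single payload byte.
func Describe(p Packet) string {
	mt, ok := p.MessageType()
	if !ok {
		return fmt.Sprintf("data packet carrying %d bytes of PPP", len(p.Payload))
	}
	switch mt {
	case MsgCallConnectAck:
		return "SSTP_MSG_CALL_CONNECT_ACK"
	case MsgCallConnectNak:
		return "SSTP_MSG_CALL_CONNECT_NAK"
	default:
		return fmt.Sprintf("control message type 0x%04x", mt)
	}
}

func main() {
	req, _ := ConnectRequest()
	fmt.Printf("Send: % x\n", req)
	// Constructed sample: data-packet header (version 1.0, C=0, length 16)
	// in front of the 12 PPP bytes this page shows being received.
	sample := []byte{0x10, 0x00, 0x00, 0x10,
		0xff, 0x03, 0xc0, 0x21, 0x01, 0x00, 0x00, 0x08, 0x03, 0x04, 0xc0, 0x23}
	p, _, err := Parse(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println(Describe(p))
}
```

Parse returns the unconsumed tail on purpose: the first read after the connect request can contain a control packet and a PPP data packet back to back, and a loop that calls Parse on the remainder handles that where a fixed-size read does not.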
## Where we connect to today
https://www.vpngate.net/ja/
An academic experiment service for getting through firewalls.
Don't do anything reckless with it.
## Today's program
https://github.com/tamx/gosstp
Clone it, change the destination host, and run it.
## Step by step
```
$ git clone https://github.com/tamx/gosstp.git
$ cd gosstp
```
Open main.go in your editor.
```
func main() {
// https://www.vpngate.net/ja/
host := "public-vpn-43.opengw.net"
conn, err := tls.Dial("tcp",
host+":443",
```
Change the host on line 135 to one of the servers listed at
https://www.vpngate.net/ja/
Example:
```
func main() {
// https://www.vpngate.net/ja/
host := "public-vpn-71.opengw.net"
conn, err := tls.Dial("tcp",
host+":443",
```
Run it after the change:
`$ go run main.go`
If you see output like this, it worked:
```
Send: 00 01 00 01 00 01 00 06 00 01
Version: 16
Length: 12
Recv: ff 03 c0 21 01 00 00 08 03 04 c0 23
Cannot receive ACK.
```
The program reports "Cannot receive ACK.", but what came back is not a NAK. Read the bytes: `ff 03` is the PPP address/control pair, `c0 21` is the LCP protocol number, and `01 00 00 08 03 04 c0 23` is an LCP Configure-Request (identifier 0, length 8) proposing PAP authentication. That is PPP inside an SSTP data packet, so the server has already started the PPP phase. An SSTP_MSG_CALL_CONNECT_NAK would be a control packet (C bit set) whose payload starts with the message type `00 03`. The check in main.go only compares the second byte of what it read against 0x02 and here sees the 0x03 of `ff 03`, which is why it prints the message. The same bytes are decoded field by field in the SoftEther section further down.
## Program walkthrough
After host is set in main, the program opens a TLS connection to port 443 and sends the HTTP request that starts an SSTP session. The method is SSTP_DUPLEX_POST and the path is the fixed URI from the spec:
```
header := "SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1\n" +
```
The for loop right after it simply breaks when two line breaks (0D 0A 0D 0A) arrive: it is waiting for the end of the server's HTTP response header. Two caveats: HTTP/1.1 lines end in CRLF while the request above uses a bare "\n" (SoftEther accepted it anyway), and the request in the spec also carries Content-Length: 18446744073709551615, because the body is the endless SSTP stream. Check the status line as well; anything but 200 means there is no tunnel.
After that,
```
sstp(conn)
```
assembles and sends the SSTP_MSG_CALL_CONNECT_REQUEST. The Send: line above is its body: message type 0001, one attribute, attribute ID 01 (ENCAPSULATED_PROTOCOL_ID) with length 0006 and value 0001 (PPP).
When the SSTP_MSG_CALL_CONNECT_ACK comes back (it carries a 32-byte nonce), the PPP phase begins: LCP, authentication and IPCP all run inside SSTP data packets. Once PPP authentication succeeds, the client sends SSTP_MSG_CALL_CONNECTED with a Crypto Binding attribute (the nonce, a hash of the server certificate, and a MAC keyed from the PPP authentication), and from then on the VPN is just PPP packets going back and forth.
Also, from experimenting:
main.go line 117
I suspect it would be fine to send PPP without waiting for this.
```
if read(conn)[1] != 0x02 {
// SSTP_MSG_CALL_CONNECT_ACK
fmt.Println("Cannot receive ACK.")
return
}
```
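The HTTP part of the handshake described above, as an added example rather than gosstp's own code: it builds the SSTP_DUPLEX_POST with CRLF line endings and the Content-Length the spec requires, reads the response header without over-reading into the SSTP stream, and insists on a 200. The host name, correlation ID and the canned server response in main() are constructed for the example, and FakeConn stands in for the tls.Conn.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// SSTPURI is the fixed request URI every SSTP client posts to.
const SSTPURI = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"

// BuildDuplexPost returns the HTTP request that turns a TLS connection into
// an SSTP tunnel. Lines end in CRLF as HTTP/1.1 requires; Content-Length is
// 2^64-1 because the request body is the never-ending SSTP stream.
func BuildDuplexPost(host, correlationID string) string {
	return "SSTP_DUPLEX_POST " + SSTPURI + " HTTP/1.1\r\n" +
		"Host: " + host + "\r\n" +
		"Content-Length: 18446744073709551615\r\n" +
		"SSTPCORRELATIONID: {" + correlationID + "}\r\n" +
		"\r\n"
}

// ReadStatus consumes exactly the HTTP response header, up to and including
// the blank line, and returns the status code. It reads one byte at a time
// on purpose: a bufio.Reader would pull the first SSTP packets into its
// buffer, and they would be lost to whatever reads the raw conn next.
func ReadStatus(r io.Reader) (int, error) {
	var hdr []byte
	one := make([]byte, 1)
	for !bytes.HasSuffix(hdr, []byte("\r\n\r\n")) {
		if len(hdr) >= 8192 {
			return 0, errors.New("http: response header too large")
		}
		if _, err := io.ReadFull(r, one); err != nil {
			return 0, err
		}
		hdr = append(hdr, one[0])
	}
	line, _, _ := strings.Cut(string(hdr), "\r\n")
	f := strings.Fields(line)
	if len(f) < 2 || !strings.HasPrefix(f[0], "HTTP/1.") {
		return 0, fmt.Errorf("http: bad status line %q", line)
	}
	return strconv.Atoi(f[1])
}

// Handshake sends the SSTP_DUPLEX_POST and fails unless the server answers
// 200. After it returns, the next bytes read from rw are the first SSTP packet.
func Handshake(rw io.ReadWriter, host, correlationID string) error {
	if _, err := io.WriteString(rw, BuildDuplexPost(host, correlationID)); err != nil {
		return err
	}
	code, err := ReadStatus(rw)
	if err != nil {
		return err
	}
	if code != 200 {
		return fmt.Errorf("sstp: server refused the tunnel with HTTP %d", code)
	}
	return nil
}

// FakeConn stands in for the tls.Conn so the exchange runs offline: it
// replays a canned server response and records what the client wrote.
type FakeConn struct {
	in  *bytes.Reader
	out bytes.Buffer
}

func NewFakeConn(serverBytes []byte) *FakeConn {
	return &FakeConn{in: bytes.NewReader(serverBytes)}
}
func (c *FakeConn) Read(p []byte) (int, error)  { return c.in.Read(p) }
func (c *FakeConn) Write(p []byte) (int, error) { return c.out.Write(p) }
func (c *FakeConn) Sent() string                { return c.out.String() }

func main() {
	// Constructed server response: a 200 header followed immediately by the
	// first 4 bytes of an SSTP packet, which must survive the handshake.
	conn := NewFakeConn([]byte("HTTP/1.1 200 OK\r\nContent-Length: 18446744073709551615\r\n\r\n\x10\x01\x00\x0e"))
	if err := Handshake(conn, "vpn.example.invalid", "00000000-0000-0000-0000-000000000000"); err != nil {
		panic(err)
	}
	rest, _ := io.ReadAll(conn)
	fmt.Printf("handshake ok, next SSTP bytes: % x\n", rest)
}
```

On a real connection pass the tls.Conn as rw; since tls.Dial verifies the server certificate by default, leave that verification on and do not set InsecureSkipVerify just because the VPN Gate host changes often.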
### PPP
Inside PPP you first have to authenticate (PAP, CHAP or MS-CHAPv2, whichever the server proposes in LCP; the Configure-Request above proposes PAP, c0 23).
On top of that there is a protocol called IPCP; once it has assigned an IP address, traffic can flow.
https://milestone-of-se.nesuke.com/nw-basic/ppppppoe/ppp-summary/
RFCs
https://tex2e.github.io/rfc-translater/html/rfc3772.html (a translation of RFC 3772, the PPP Vendor Protocol; the core documents are RFC 1661 for PPP and LCP and RFC 1332 for IPCP)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc957992(v=technet.10)?redirectedfrom=MSDN
https://www.ccjc-net.or.jp/~kouza/199811/ipcp.html
http://www2s.biglobe.ne.jp/~hig/ppp/ppp.html
Would it be a good idea to plug this in? https://github.com/google/gopacket/blob/master/layers/ppp.go
## Problems with SSTP
People used to build VPNs by encapsulating traffic in SSH; this does the same thing over HTTPS.
Because it is TCP/IP over TCP, it has the problems that come with that.
Under heavy traffic this type of VPN collapses.
When a segment is lost, the outer TCP retransmits from that sequence number, while the inner TCP, whose own timer has also expired, retransmits the same data again; the two layers keep re-sending each other's retransmissions and the link congests. It works as long as the volume is low.
## SSTP connection parameters
https://www.vpngate.net/ja/howto_sstp.aspx
> If you already know how to configure SSTP on Windows, you can enter the following connection parameters and connect using the L2TP/IPsec protocol.
>
> - Host name: available from the public VPN relay server list page
> - User name: vpn, password: vpn
> - Note: the host name must be a DDNS host name such as "xxx.opengw.net"; an IP address cannot be used. Also, if the TCP port that accepts SSTP is not 443, append the port number after the host name as ":port".
## How would you build an SSTP server?
Build the other side the same way and you are done.
However, to connect the client built into Windows, the server must present a TLS certificate the client accepts: it has to chain to a root the client trusts, its name has to match the host name being dialled, and by default the client also checks revocation. The client later sends a hash of that certificate in the Crypto Binding attribute of SSTP_MSG_CALL_CONNECTED, so the server has to verify it against its own certificate.
## Connecting to the SoftEther server
I connected to the SoftEther server built in
"Bonus: building a SoftEther server"
below.
```
Recv: ff 03 c0 21 01 00 00 08 03 04 c0 23
```
The PPP authentication negotiation came straight through.
- ff 03: PPP address and control fields
- c0 21: protocol LCP
- 01 00 00 08: LCP Configure-Request, identifier 0, length 8
- 03 04 c0 23: option type 3 (Authentication-Protocol), length 4, value c0 23 = PAP
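An added example (not part of the page's program) that decodes the frame above and builds the Configure-Ack a client sends back to accept PAP. The constants follow RFC 1661; the only input is the 12 bytes shown above.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// PPP protocol numbers seen inside SSTP data packets.
const (
	ProtoIPCP uint16 = 0x8021
	ProtoLCP  uint16 = 0xc021
	ProtoPAP  uint16 = 0xc023
	ProtoCHAP uint16 = 0xc223
)

// LCP codes (RFC 1661) and the option type for Authentication-Protocol.
const (
	CodeConfigureRequest byte = 1
	CodeConfigureAck     byte = 2
	CodeConfigureNak     byte = 3
	CodeConfigureReject  byte = 4
	OptAuthProtocol      byte = 3
)

type Option struct {
	Type byte
	Data []byte
}

type LCP struct {
	Code    byte
	ID      byte
	Options []Option
}

// SplitPPP strips the optional ff 03 address/control bytes and returns the
// protocol number and the information field that follows it.
func SplitPPP(frame []byte) (uint16, []byte, error) {
	if len(frame) >= 2 && frame[0] == 0xff && frame[1] == 0x03 {
		frame = frame[2:]
	}
	if len(frame) < 2 {
		return 0, nil, errors.New("ppp: frame too short for a protocol field")
	}
	return binary.BigEndian.Uint16(frame), frame[2:], nil
}

// ParseLCP decodes Code, Identifier, Length and the TLV options. Every
// length is checked against the buffer before it is used as an index.
func ParseLCP(info []byte) (LCP, error) {
	if len(info) < 4 {
		return LCP{}, errors.New("lcp: short header")
	}
	length := int(binary.BigEndian.Uint16(info[2:]))
	if length < 4 || length > len(info) {
		return LCP{}, fmt.Errorf("lcp: length %d does not fit in %d bytes", length, len(info))
	}
	pkt := LCP{Code: info[0], ID: info[1]}
	for opts := info[4:length]; len(opts) > 0; {
		if len(opts) < 2 || int(opts[1]) < 2 || int(opts[1]) > len(opts) {
			return LCP{}, errors.New("lcp: malformed option")
		}
		n := int(opts[1])
		pkt.Options = append(pkt.Options, Option{Type: opts[0], Data: opts[2:n]})
		opts = opts[n:]
	}
	return pkt, nil
}

// AuthProtocol reports which authentication protocol the peer proposes.
func (l LCP) AuthProtocol() (uint16, bool) {
	for _, o := range l.Options {
		if o.Type == OptAuthProtocol && len(o.Data) >= 2 {
			return binary.BigEndian.Uint16(o.Data), true
		}
	}
	return 0, false
}

// ConfigureAck accepts every option as proposed: Code 2, the same
// Identifier, the options echoed unchanged, wrapped in ff 03 c0 21.
func ConfigureAck(req LCP) []byte {
	body := []byte{CodeConfigureAck, req.ID, 0, 0}
	for _, o := range req.Options {
		body = append(body, o.Type, byte(2+len(o.Data)))
		body = append(body, o.Data...)
	}
	binary.BigEndian.PutUint16(body[2:], uint16(len(body)))
	return append([]byte{0xff, 0x03, 0xc0, 0x21}, body...)
}

func main() {
	// The 12 bytes the page shows arriving from the SoftEther server.
	frame := []byte{0xff, 0x03, 0xc0, 0x21, 0x01, 0x00, 0x00, 0x08, 0x03, 0x04, 0xc0, 0x23}
	proto, info, err := SplitPPP(frame)
	if err != nil || proto != ProtoLCP {
		panic("not an LCP frame")
	}
	lcp, err := ParseLCP(info)
	if err != nil {
		panic(err)
	}
	auth, _ := lcp.AuthProtocol()
	fmt.Printf("LCP code %d id %d, auth protocol 0x%04x (PAP=%v)\n", lcp.Code, lcp.ID, auth, auth == ProtoPAP)
	fmt.Printf("Configure-Ack: % x\n", ConfigureAck(lcp))
}
```

A client that does not want PAP answers with a Configure-Nak (code 3) carrying the protocol it prefers instead of an Ack. Keep in mind that PAP sends the password in the clear inside the tunnel: TLS hides it from the network, not from the VPN operator.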
## Bonus: building a SoftEther server
I installed SoftEther on a Raspberry Pi that was sitting on @nanbuwks's desk.
https://www.softether-download.com/en.aspx?product=softether
From here, select the build that matches the Raspberry Pi, as follows.

Download it
```
$ wget https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.39-9772-beta/softether-vpnserver-v4.39-9772-beta-2022.04.26-linux-arm_eabi-32bit.tar.gz
```
and extract it
```
$ tar xzvf softether-vpnserver-v4.39-9772-beta-2022.04.26-linux-arm_eabi-32bit.tar.gz
vpnserver/
vpnserver/Makefile
vpnserver/.install.sh
vpnserver/ReadMeFirst_License.txt
vpnserver/Authors.txt
vpnserver/ReadMeFirst_Important_Notices_ja.txt
vpnserver/ReadMeFirst_Important_Notices_en.txt
vpnserver/ReadMeFirst_Important_Notices_cn.txt
vpnserver/code/
vpnserver/code/vpnserver.a
vpnserver/code/vpncmd.a
vpnserver/lib/
vpnserver/lib/libcharset.a
vpnserver/lib/libcrypto.a
vpnserver/lib/libedit.a
vpnserver/lib/libiconv.a
vpnserver/lib/libncurses.a
vpnserver/lib/libssl.a
vpnserver/lib/libz.a
vpnserver/lib/License.txt
vpnserver/hamcore.se2
```
cd into the directory and run make
```
pi@raspberrypi:~ $ cd vpnserver
pi@raspberrypi:~/vpnserver $ make
```
make produced the following output
```
--------------------------------------------------------------------
SoftEther VPN Server (Ver 4.39, Build 9772, ARM EABI) for Linux Build Utility
Copyright (c) SoftEther Project at University of Tsukuba, Japan. All Rights Reserved.
--------------------------------------------------------------------
Copyright (c) all contributors on SoftEther VPN project in GitHub.
Copyright (c) Daiyuu Nobori, SoftEther Project at University of Tsukuba, and SoftEther Corporation.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.
DISCLAIMER
==========
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER PROJECT, SOFTETHER CORPORATION, DAIYUU NOBORI OR OTHER SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
USE ONLY IN JAPAN. DO NOT USE THIS SOFTWARE IN ANOTHER COUNTRY UNLESS YOU HAVE A CONFIRMATION THAT THIS SOFTWARE DOES NOT VIOLATE ANY CRIMINAL LAWS OR CIVIL RIGHTS IN THAT PARTICULAR COUNTRY. USING THIS SOFTWARE IN OTHER COUNTRIES IS COMPLETELY AT YOUR OWN RISK. THE SOFTETHER VPN PROJECT HAS DEVELOPED AND DISTRIBUTED THIS SOFTWARE TO COMPLY ONLY WITH THE JAPANESE LAWS AND EXISTING CIVIL RIGHTS INCLUDING PATENTS WHICH ARE SUBJECTS APPLY IN JAPAN. OTHER COUNTRIES' LAWS OR CIVIL RIGHTS ARE NONE OF OUR CONCERNS NOR RESPONSIBILITIES. WE HAVE NEVER INVESTIGATED ANY CRIMINAL REGULATIONS, CIVIL LAWS OR INTELLECTUAL PROPERTY RIGHTS INCLUDING PATENTS IN ANY OF OTHER 200+ COUNTRIES AND TERRITORIES. BY NATURE, THERE ARE 200+ REGIONS IN THE WORLD, WITH DIFFERENT LAWS. IT IS IMPOSSIBLE TO VERIFY EVERY COUNTRIES' LAWS, REGULATIONS AND CIVIL RIGHTS TO MAKE THE SOFTWARE COMPLY WITH ALL COUNTRIES' LAWS BY THE PROJECT. EVEN IF YOU WILL BE SUED BY A PRIVATE ENTITY OR BE DAMAGED BY A PUBLIC SERVANT IN YOUR COUNTRY, THE DEVELOPERS OF THIS SOFTWARE WILL NEVER BE LIABLE TO RECOVER OR COMPENSATE SUCH DAMAGES, CRIMINAL OR CIVIL
RESPONSIBILITIES. NOTE THAT THIS LINE IS NOT LICENSE RESTRICTION BUT JUST A STATEMENT FOR WARNING AND DISCLAIMER.
READ AND UNDERSTAND THE 'src/WARNING.TXT' FILE BEFORE USING THIS SOFTWARE. SOME SOFTWARE PROGRAMS FROM THIRD PARTIES ARE INCLUDED ON THIS SOFTWARE WITH LICENSE CONDITIONS WHICH ARE DESCRIBED ON THE 'src/THIRD_PARTY.TXT' FILE.
--------------------------------------------------------------------
make[1]: Entering directory '/home/pi/vpnserver'
Preparing SoftEther VPN Server...
ranlib lib/libcharset.a
ranlib lib/libcrypto.a
ranlib lib/libedit.a
ranlib lib/libiconv.a
ranlib lib/libncurses.a
ranlib lib/libssl.a
ranlib lib/libz.a
ranlib code/vpnserver.a
gcc code/vpnserver.a -fPIE -O2 -fsigned-char -pthread -lm -lrt -Wl,--no-warn-mismatch -lpthread -L./ lib/libssl.a lib/libcrypto.a lib/libiconv.a lib/libcharset.a lib/libedit.a lib/libncurses.a lib/libz.a -ldl -o vpnserver
ranlib code/vpncmd.a
gcc code/vpncmd.a -fPIE -O2 -fsigned-char -pthread -lm -lrt -Wl,--no-warn-mismatch -lpthread -L./ lib/libssl.a lib/libcrypto.a lib/libiconv.a lib/libcharset.a lib/libedit.a lib/libncurses.a lib/libz.a -ldl -o vpncmd
./vpncmd /tool /cmd:Check
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.39 Build 9772 (English)
Compiled 2022/04/26 18:00:50 by buildsan at crosswin
Copyright (c) SoftEther VPN Project. All Rights Reserved.
VPN Tools has been launched. By inputting HELP, you can view a list of the commands that can be used.
VPN Tools>Check
Check command - Check whether SoftEther VPN Operation is Possible
---------------------------------------------------
SoftEther VPN Operation Environment Check Tool
Copyright (c) SoftEther VPN Project.
All Rights Reserved.
If this operation environment check tool is run on a system and that system passes, it is most likely that SoftEther VPN software can operate on that system. This check may take a while. Please wait...
Checking 'Kernel System'...
Pass
Checking 'Memory Operation System'...
Pass
Checking 'ANSI / Unicode string processing system'...
Pass
Checking 'File system'...
Pass
Checking 'Thread processing system'...
Pass
Checking 'Network system'...
Pass
All checks passed. It is most likely that SoftEther VPN Server / Bridge can operate normally on this system.
The command completed successfully.
--------------------------------------------------------------------
The preparation of SoftEther VPN Server is completed !
*** How to switch the display language of the SoftEther VPN Server Service ***
SoftEther VPN Server supports the following languages:
- Japanese
- English
- Simplified Chinese
You can choose your prefered language of SoftEther VPN Server at any time.
To switch the current language, open and edit the 'lang.config' file.
Note: the administrative password is not set on the VPN Server. Please set your own administrative password as soon as possible by vpncmd or the GUI manager.
*** How to start the SoftEther VPN Server Service ***
Please execute './vpnserver start' to run the SoftEther VPN Server Background Service.
And please execute './vpncmd' to run the SoftEther VPN Command-Line Utility to configure SoftEther VPN Server.
Of course, you can use the VPN Server Manager GUI Application for Windows / Mac OS X on the other Windows / Mac OS X computers in order to configure the SoftEther VPN Server remotely.
*** For Windows users ***
You can download the SoftEther VPN Server Manager for Windows
from the http://www.softether-download.com/ web site.
This manager application helps you to completely and easily manage the VPN server services running in remote hosts.
*** For Mac OS X users ***
In April 2016 we released the SoftEther VPN Server Manager for Mac OS X.
You can download it from the http://www.softether-download.com/ web site.
VPN Server Manager for Mac OS X works perfectly as same as the traditional Windows versions. It helps you to completely and easily manage the VPN server services running in remote hosts.
*** PacketiX VPN Server HTML5 Web Administration Console (NEW) ***
This VPN Server / Bridge has the built-in HTML5 Web Administration Console.
After you start the server daemon, you can open the HTML5 Web Administration Console is available at
https://127.0.0.1:5555/
or
https://ip_address_of_the_vpn_server:5555/
This HTML5 page is obviously under construction, and your HTML5 development contribution is very appreciated.
--------------------------------------------------------------------
make[1]: Leaving directory '/home/pi/vpnserver'
pi@raspberrypi:~/vpnserver $ ls
Authors.txt hamcore.se2 Makefile ReadMeFirst_Important_Notices_ja.txt vpnserver
chain_certs lang.config ReadMeFirst_Important_Notices_cn.txt ReadMeFirst_License.txt
code lib ReadMeFirst_Important_Notices_en.txt vpncmd
pi@raspberrypi:~/vpnserver $ ./vpn
vpncmd vpnserver
```
Hm? It did not ask for any settings. Let's start it.
```
pi@raspberrypi:~/vpnserver $ ./vpnserver start
The SoftEther VPN Server service has been started.
Warning: The current user context is non-root. It is recommended to run the VPN service by the root user. Although the VPN service may run under non-root users, some privilege-required functions (e.g. the local bridge function) need the root privilege.
Let's get started by accessing to the following URL from your PC:
https://192.168.42.3:5555/
or
https://192.168.42.3/
Note: IP address may vary. Specify your server's IP address.
A TLS certificate warning will appear because the server uses self signed certificate by default. That is natural. Continue with ignoring the TLS warning.
```
It is not running as root, but it seems to work. Two things from the output above before exposing this to anything: the administrative password is not set (set it with vpncmd or the manager GUI, as the make output says), and ports 443 and 5555 are serving a self-signed certificate, so the Windows SSTP client will refuse the server until a certificate it trusts is installed.