Skip to main content


SSTP (Secure Socket Tunneling Protocol) is a protocol of secure traffic tunneling based on SSL/TLS. It is supported by Windows OS Vista and above, as well as Mikrotik, Keenetic routers, and others.

If possible, do not use this type of connection. This connection method passes through NAT better than others, but with unstable communication quality, it works much worse than other VPNs (especially when transmitting audio/video), since it encapsulates all data inside TCP. It is recommended to use IPsec-IKEv2 instead of SSTP.
UTM does not support Mikrotik connection over SSTP because Mikrotik uses an old and insecure SHA-1 algorithm.

Setting up SafeUTM

It is not recommended to use SSTP for VPN connections from the local network.

1. To enable SSTP, check the box SSTP connection in the web interface in Users -> VPN connections.
2. Connection is possible only by DNS name, so the IP address of SafeUTM external interface should resolve to one of the names of your external domain zone. In the Domain field, you need to specify this DNS name (use the real name with the correct A-record, because it is necessary for issuing a Let's Encrypt certificate).
3. Port - select the suggested port (from the options: 1443, 2443, 3443, 4443).
1. SSTP.png4. For users who need to connect from outside via VPN, check the box Allow remote access via VPN in the user tree. The specified username and password will be used for the connection.

VPN setup instructions for different operating systems can be found here.

If a VPN connection is established but it is not possible to access local network resources


Follow the recommendations in the article Features of Routing and Access Organization.