How to install VPN with SSTP for RRAS on Windows Server?

1. Install IIS and RRAS

In Server Manager:

  1. Go to Manage → Add Roles and Features.
  2. Check Remote Access and Web Server (IIS).
  3. In the Features pane, select Remote Server Administration Tools and all submodules.
  4. In Remote Access Role Services, select DirectAccess and VPN (RAS) and Routing.

2. Install WACS for LetsEncrypt

Download WACS to generate your SSL certificate:

3. Configure RRAS

  1. Run rrasmgmt.msc.
  2. Right click server → Configure and Enable Routing and Remote Access.
  3. Select Custom Configuration → VPN Access & Demand-dial connections.
  4. Start the service.

Properties Configuration

Right click the server → Properties:

4. SSTP & SNI Configuration

The Default Web Site host in IIS has an HTTPS binding. Important: The Require Server Name Indication (SNI) box must be UNTICKED! The host used for an SSTP VPN must NOT require SNI.

Remove Conflicting Certificates

To get rid of any existing certificates that might conflict with the VPN host (vpn.company.com):

Run this in an Administrator PowerShell. It deletes every certificate in the LocalMachine\My store whose subject matches the host name:

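$hostname = "vpn.company.com"
# Escape the host name so its dots are literal, and anchor on the CN so look-alike subjects are not deleted
$pattern = 'CN=' + [regex]::Escape($hostname) + '(,|$)'
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern } | Remove-Item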
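
An added read-only check for the SNI and certificate steps above (not part of the original guide): it reports whether any HTTPS binding on Default Web Site requires SNI and lists the certificates in LocalMachine\My issued for the host, so they can be reviewed before anything is deleted. It assumes the WebAdministration module installed with the IIS management tools; $siteName is a variable introduced for this example.

```powershell
# Added example: read-only audit, run in an Administrator PowerShell on the RRAS/IIS server.
Import-Module WebAdministration

$hostname = "vpn.company.com"    # VPN host name used in this guide
$siteName = "Default Web Site"   # IIS site named in this guide (variable name is an assumption)

# 1. HTTPS bindings. Bit 1 of sslFlags is "Require Server Name Indication".
$bindings = @(Get-WebBinding -Name $siteName -Protocol https)
if ($bindings.Count -eq 0) {
    Write-Warning "No HTTPS binding found on '$siteName'."
}
$bindings | ForEach-Object {
    $requiresSni = ([int]$_.sslFlags -band 1) -ne 0
    if ($requiresSni) {
        Write-Warning "Binding $($_.bindingInformation) requires SNI; untick it for SSTP."
    }
    [pscustomobject]@{
        Binding     = $_.bindingInformation
        SslFlags    = $_.sslFlags
        RequiresSni = $requiresSni
    }
} | Format-Table -AutoSize

# 2. Certificates for the host. Match the CN exactly (escaped, anchored) or an
#    exact SAN entry, so "vpnXcompany.com" or "vpn.company.com.example" is not listed.
$pattern = 'CN=' + [regex]::Escape($hostname) + '(,|$)'
$matches = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Subject -match $pattern -or $_.DnsNameList.Unicode -contains $hostname
})

$matches |
    Sort-Object NotAfter |
    Select-Object Thumbprint, Subject, Issuer, NotAfter, HasPrivateKey |
    Format-Table -AutoSize

# More than one match usually means an old certificate is still in the store.
if ($matches.Count -gt 1) {
    Write-Warning "$($matches.Count) certificates match $hostname; compare NotAfter and Issuer before removing any."
}
```

Appending -WhatIf to the Remove-Item command shows which certificates it would delete without deleting them.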