Orchid VPN, like many VPN services, can operate in either a dedicated IP or shared IP configuration. In a shared IP configuration, multiple users egress from the VPN server using the same public IP address. For SSTP (Secure Socket Tunneling Protocol) this has specific consequences. SSTP encapsulates PPP (Point-to-Point Protocol) frames inside an HTTPS session on TCP port 443. Because every client appears on the internet as the same public address, per-client traffic cannot be told apart by that address: inbound SSTP sessions are separated by their TCP connection, return traffic for egress flows is matched by the server's NAT table, and inside the server each tunnel is identified by the internal IP address RRAS assigns to its PPP link. This configuration therefore centres on the internal address assignment performed by the Orchid VPN server.
On the Orchid VPN server (for SSTP, typically a Windows Server), Routing and Remote Access Service (RRAS) terminates SSTP connections. In a shared IP scenario the internal IP address assignment is crucial, so RRAS should assign addresses from a dedicated pool. In the RRAS server properties, on the IPv4 tab, ensure "Enable IPv4 Forwarding" is checked; the same tab holds the address assignment settings. Authentication methods are set on the Security tab, not the PPP tab (the PPP tab only covers multilink, LCP extensions and compression). MS-CHAP v2 is common, but it is a password protocol with known cryptographic weaknesses that relies on the outer TLS session for protection; prefer EAP-TLS (certificate authentication through NPS) where feasible. Under "IPv4 address assignment", define a static address pool for VPN clients. For example:
Start address: 10.10.10.100
End address: 10.10.10.200
This pool supplies the internal addresses for connecting clients. RRAS reserves the first address of a static pool (10.10.10.100 here) for its own Internal interface, so the usable client range starts at 10.10.10.101. SSTP listens on the public IP automatically: RRAS registers the server certificate with HTTP.SYS on port 443, and the certificate's subject must match the DNS name clients dial, otherwise the TLS handshake fails before any PPP negotiation starts. Nothing in SSTP itself is specific to shared IP. What makes the shared public address work is NAT: in the RRAS console under IPv4 > NAT, add the public interface as a public interface connected to the Internet with NAT enabled, and the Internal interface as a private interface. Without this, client packets leave with their 10.10.10.x source address and replies never come back. The routing and firewall rules below complete the picture.
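The server-side steps above, scripted from an elevated PowerShell prompt on Windows Server. This is an added example and not configuration from the Orchid VPN page or project: the interface alias, pool bounds and DNS name are assumptions, and the cmdlets come from the RemoteAccess and NetTCPIP modules, so confirm their names with Get-Command on your server build before relying on them.

```powershell
# Added example: RRAS/SSTP baseline for a shared-IP server.
# Assumptions: 'Ethernet0' carries the shared public IP, the client pool is
# 10.10.10.100-10.10.10.200, and clients dial vpn.example.net.

$PublicIf  = 'Ethernet0'          # assumption: NIC holding the shared public address
$PoolStart = '10.10.10.100'
$PoolEnd   = '10.10.10.200'

# 1. Role and features (VPN plus LAN routing), then the VPN role itself.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn

# 2. Static pool for PPP clients. RRAS keeps the first address (.100) for its
#    own Internal interface; clients are assigned from .101 upward.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange $PoolStart, $PoolEnd

# 3. Accept EAP so that EAP-TLS (certificate auth via NPS) can be used instead of
#    MS-CHAP v2 alone.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -PassThru

# 4. IPv4 forwarding on the public interface so client traffic can be routed out.
#    NAT itself is enabled in the RRAS console under IPv4 > NAT (see text above).
Set-NetIPInterface -InterfaceAlias $PublicIf -AddressFamily IPv4 -Forwarding Enabled

# 5. Restart and verify the SSTP listener and its certificate binding in HTTP.SYS.
#    The bound certificate's subject must match the name clients dial.
Restart-Service RemoteAccess
netsh http show sslcert ipport=0.0.0.0:443
Get-NetTCPConnection -LocalPort 443 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If the netsh output shows no binding on 0.0.0.0:443, or a certificate issued to a different name than clients use, fix that before touching routing: every SSTP failure of that kind looks identical to a firewall problem from the client's side.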
With a shared IP SSTP configuration, routing is handled by RRAS based on the assigned internal addresses. Each client's PPP link is point-to-point, so the client does not see a conventional gateway address: when "Use default gateway on remote network" is enabled on the client (a full tunnel), Windows adds a default route over the PPP adapter, and the server end of the link is the first pool address (10.10.10.100 in the example above). If that option is disabled, only routes for the remote network use the tunnel and internet traffic leaves through the client's own LAN, which defeats the shared IP egress and exposes the client's real address. DNS matters equally: clients should use a resolver reachable through the tunnel, either a public one (e.g. 8.8.8.8 or 1.1.1.1) or a private resolver inside the Orchid VPN infrastructure. RRAS has no dedicated DNS tab; by default it hands PPP clients the DNS servers configured on the server's own LAN adapter, or, when address assignment uses DHCP, the DNS option obtained from that DHCP scope through the DHCP relay agent. Setting the DNS server on the client side is possible, but hard to manage in a large deployment.
The Windows Firewall on the RRAS server must allow SSTP traffic (TCP port 443) to reach the SSTP listener. Installing the role typically adds predefined rules in the "Routing and Remote Access" group; if they are absent or disabled, create an inbound rule in Windows Firewall with Advanced Security, scoped to the public interface so that port 443 is not also exposed on the Internal side:
Protocol: TCP
Port: 443
Action: Allow the connection
For traffic isolation, restrict communication between VPN clients. By default RRAS forwards packets between client tunnels, so clients in the 10.10.10.0/24 pool can reach one another. Windows Firewall rules are enforced on traffic addressed to or sent from the server itself and do not reliably apply to packets RRAS forwards between PPP interfaces, so an outbound rule blocking 10.10.10.0/24 to 10.10.10.0/24 is not sufficient on its own. Filter that traffic where RRAS evaluates it: in NPS, add IP filters to the network policy that grants VPN access (they are applied to every PPP connection the policy matches), or set inbound and outbound packet filters on the RRAS Internal interface. Use Windows Firewall for what it does enforce: keeping VPN clients away from the server's own management services such as RDP and WinRM. Together these prevent lateral movement from a compromised client to its neighbours or to the VPN server.
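The host firewall part of the above as PowerShell, run elevated on the RRAS server. This is an added example, not the page's or the project's own configuration; the interface alias is an assumption, and the pool matches the 10.10.10.0/24 example used throughout this page.

```powershell
# Added example: host firewall for the RRAS/SSTP server.
# Assumptions: 'Ethernet0' carries the shared public IP; clients are in 10.10.10.0/24.

$PublicIf = 'Ethernet0'
$VpnPool  = '10.10.10.0/24'

# Inbound SSTP: TCP 443, only on the public interface (not on Internal).
New-NetFirewallRule -DisplayName 'SSTP-In (public interface)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -InterfaceAlias $PublicIf -Action Allow -Profile Any

# VPN clients must not reach the server's own management services over the tunnel.
# These rules govern traffic addressed to the host itself, which Windows Firewall
# enforces; client-to-client traffic forwarded by RRAS is filtered with NPS policy
# IP filters or RRAS interface packet filters instead.
New-NetFirewallRule -DisplayName 'Block VPN pool to RDP/WinRM' -Direction Inbound `
    -Protocol TCP -LocalPort 3389, 5985, 5986 -RemoteAddress $VpnPool -Action Block

# Review every enabled inbound allow rule that can apply on the public profile, with
# its port, so nothing beyond 443 is listening to the internet by accident.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.Profile -match 'Public|Any' } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $port.Protocol
            Port     = ($port.LocalPort -join ',')
        }
    } | Sort-Object Rule | Format-Table -AutoSize
```

The block rule is deliberately inbound on the server, addressed from the pool: it is the direction Windows Firewall evaluates for connections to local services, which is where a compromised client would try to reach the RRAS host.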
SSTP's performance is bounded by TLS encryption overhead, so CPU usage on the RRAS server is the first thing to watch. For high-volume Orchid VPN shared IP SSTP deployments, use a server with enough CPU cores (and AES acceleration) and RAM. Network bandwidth is also critical: monitor utilization to ensure the server's uplink is not saturated, because every client shares it. SSTP also carries PPP over TCP, so each client's TCP flows ride inside another TCP connection; on lossy links the two retransmission layers interact badly and throughput collapses, which no amount of server CPU fixes. Claims that SSTP is lighter than OpenVPN depend on cipher, hardware and driver; measure under representative load rather than assume. If scalability becomes an issue, load balance across multiple RRAS servers, noting that every node must present a certificate valid for the same DNS name clients dial.
To verify the shared IP SSTP configuration, connect a client and check the assigned address: ipconfig /all on Windows (the PPP adapter carries the connection's name), ip addr on Linux, or ifconfig on macOS. The address must fall within the configured pool. Verify internet connectivity by pinging a public address (e.g. 8.8.8.8). Then confirm egress: tracert (Windows) or traceroute (Linux/macOS) shows the first hop as the RRAS server's end of the PPP link, not its public address, so to prove the client is sharing the server's public IP query an external IP-echo service and compare the result with the address on the RRAS public interface. Check DNS the same way with nslookup, which prints the resolver that answered; it should be the VPN-assigned one, not the LAN's. If connectivity issues arise, check Event Viewer on the server: the System log for RemoteAccess and RasSstp events, and the Security log for NPS events 6272 (access granted) and 6273 (access denied, with a reason code). Common issues include authentication failures, pool exhaustion or IP address conflicts, firewall blocking, and for SSTP specifically certificate problems (name mismatch, untrusted chain, or an unreachable CRL), each of which fails the connection before authentication even starts.
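The verification steps above as PowerShell, with the client checks first and the server-side event queries at the end. This is an added example, not a script from the Orchid VPN page or project: the connection name and pool bounds are assumptions, and the IP-echo URL is a public example service rather than Orchid infrastructure.

```powershell
# Added example: verify a shared-IP SSTP connection from the client, then pull the
# server-side events that explain a failure.
# Assumptions: the saved connection is named 'Orchid SSTP', the pool is
# 10.10.10.100-10.10.10.200, and https://api.ipify.org is reachable.

$VpnName   = 'Orchid SSTP'
$PoolStart = [System.Net.IPAddress]'10.10.10.100'
$PoolEnd   = [System.Net.IPAddress]'10.10.10.200'

function ConvertTo-UInt32 ([System.Net.IPAddress]$Ip) {
    # Big-endian IPv4 bytes to an integer so the pool check is a plain comparison.
    $b = $Ip.GetAddressBytes(); [array]::Reverse($b); [BitConverter]::ToUInt32($b, 0)
}
function Test-InPool ([string]$Address) {
    $n = ConvertTo-UInt32 ([System.Net.IPAddress]$Address)
    ($n -ge (ConvertTo-UInt32 $PoolStart)) -and ($n -le (ConvertTo-UInt32 $PoolEnd))
}

# --- Client side -------------------------------------------------------------

# 1. Dial the connection (prompts unless credentials are saved); the PPP adapter
#    takes the connection name as its interface alias.
rasdial "$VpnName" | Out-Null
$ppp = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $VpnName -ErrorAction Stop
'Assigned {0}, in pool: {1}' -f $ppp.IPAddress, (Test-InPool $ppp.IPAddress)

# 2. Full tunnel: the lowest-metric default route must leave over the PPP adapter,
#    otherwise internet traffic bypasses the shared IP.
$def = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Sort-Object RouteMetric | Select-Object -First 1
'Default route via {0} (metric {1})' -f $def.InterfaceAlias, $def.RouteMetric

# 3. Egress address as seen from the internet; compare with the RRAS public IP.
$egress = (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim()
"Egress IP: $egress"

# 4. Resolver on the tunnel adapter; an empty list means DNS is leaking to the LAN.
(Get-DnsClientServerAddress -InterfaceAlias $VpnName -AddressFamily IPv4).ServerAddresses

# --- Server side (run on the RRAS host when a client cannot connect) ----------

# Recent RRAS/SSTP service events, including certificate binding problems.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess', 'RasSstp' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Format-List TimeCreated, Id, Message

# NPS decisions: 6272 = access granted, 6273 = access denied (message holds the reason).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Format-List TimeCreated, Id, Message
```

If step 3 returns the client's home address while step 1 shows a pool address, the tunnel is up but split: re-check "Use default gateway on remote network" on the client before suspecting the server.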