How SSTP VPN's Work

The flow to get VPN connection up looks like:

1) Client gets Internet connectivity and then establishes TCP connectivity to server over port 443. Let us say the IP address of client is and server is

2) Then on top of this TCP session, SSL negotiation takes place. Client gets the server certificate during SSL authentication phase and it validates the server certificate. If it is not valid, the connection is broken down. No client (or user) authentication happened on the server side at the SSL stage.

3) Client then sends HTTPS request on top of the encrypted SSL session to the server.

4) Client then sends SSTP control packets on top of the HTTPS session. Once SSTP state machine is up on either side, lower-link up indication is given to PPP layer on each ends.

5)  PPP negotiation (on top of SSTP over HTTPS) takes place at both ends. As part of PPP authentication phase, client is authenticated to server and optionally (depending upon the authentication algorithm) server is authenticated to client.

6)  Once PPP completes, it attaches as IP interface on both client and server side. Let us say the "inner IP" or the IP address given by VPN server to the client is and the IP address of VPN interface on VPN server is

7)   Now both ends are ready to send IP packets to each other.

Now let us try to understand how data path works: Lets say user does ping to VPN server IP address i.e. in this example

1) Ping (i.e. ICMP echo request) packet will go over IP (with source IP as and destination IP as over PPP over SSTP.

2) SSTP sends to SSL layer which does the encryption and sends over TCP over IP (with source IP as and destination IP as over Internet interface.

Hope this helps for you to understand SSTP based VPN tunnel in detail and how it differs from PPTP and L2TP. The main thing to note is: PPP and above remains same on the protocol stack and SSTP adds a layer to encapsulate PPP packets over HTTPS session.
  • Email, SSL
  • 3 Users Found This Useful
Was this answer helpful?