Always On VPN and TLS 1.3

Secure Socket Tunneling Protocol (SSTP) is a Microsoft-proprietary VPN protocol with several advantages over Internet Key Exchange version 2 (IKEv2) for Always On VPN user tunnel connections. SSTP uses HTTP with Transport Layer Security (TLS) to encrypt communication between the Always On VPN client and the VPN gateway. SSTP is very firewall-friendly, with VPN connections operating on the commonly open TCP port 443, resulting in more consistent VPN availability. SSTP throughput is better compared to IKEv2 as well.

Learn more about TLS with Practical TLS, a comprehensive online video training course.

TLS and Windows Server

For versions of Windows Server before Windows Server 2022, the out-of-the-box security for TLS is not ideal. TLS is notoriously complex to configure, with myriad options for administrators to choose from. However, with the release of Windows Server 2022 and Windows 11, Microsoft has introduced support for the latest TLS specification, TLS 1.3, which eases much of this configuration pain.

TLS 1.3

TLS 1.3 provides significant advantages for Always On VPN SSTP user tunnel connections in security and performance.

Security

TLS 1.3 is greatly simplified and offers only five cipher suites, all considered secure by today’s standards. In addition, all TLS 1.3 ciphers support forward secrecy, ensuring the privacy of communication even in the event of a server private key compromise.

Performance

The TLS handshake in TLS 1.3 is streamlined and requires less back-and-forth (round trips) to establish a connection. TLS 1.3 speeds connection establishment for new Always On VPN user tunnel connections.

Caveat

Adding support for TLS 1.3 on the server-side is a compelling reason to consider upgrading existing Windows Server Routing and Remote Access Service (RRAS) servers to Windows Server 2022. However, TLS 1.3 support for SSTP also requires Windows 11 on the client-side. TLS 1.3 is not currently supported in Windows 10.

Summary

Realizing the performance benefits provided by TLS 1.3 will likely only occur in large environments supporting many thousands of concurrent connections per server. However, the security benefits apply to all deployments, regardless of size. Administrators should consider upgrading to Windows Server 2022 before proceeding with Windows 11 adoption.

Additional Information

Practical TLS: A Deep Dive into SSL and TLS Online Video Training Course

Always On VPN SSTP Security Configuration

Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN TLS Certificate Requirements for SSTP

TLS Protocol Version Support in Windows

TLS Cipher Suites in Windows Server 2022

A Detailed Look at TLS 1.3

TLS Cipher Suite Reference

RFC8446 TLS 1.3

Leave a comment

7 Comments

  1. Arturas

     /  January 3, 2022

    Hi Richard, good stuff πŸ™‚ did you by any chance have already test in place upgrade of OS to 2022 for VPN server? Any additional steps required to enable tls 1.3 or reconfiguration of VPN needed?

    Reply
    • I don’t recommend performing in-place upgrades on Windows Server. It is much better to provision a new clean server and migrate the configuration. I have a blog post in the queue about this. Look for that later this month. πŸ™‚ Reach out to me directly if you need guidance before then.

      Also, TLS 1.3 is enabled by default and preferred when using Windows 11 with Windows Server 2022. You don’t have to do anything special. πŸ™‚

      Reply
      • Arturas

         /  January 3, 2022

        Thanks Richard, appreciate it πŸ™‚

  2. Michael L

     /  January 4, 2022

    Great news, but will they allow Device Tunnels to use SSTP with TLS 1.3, or will they stay with only allowing IKEv2 for DT?

    Reply
  3. JesseC

     /  March 31, 2022

    Hi Richard. I noticed that Windows 11 -> WinServer 2022 SSTP VPN handshakes with TLS 1.3, but I am seeing in wireshark that the server requests a cipher change to TLS 1.2. Are you seeing this?

    Reply
    • No. Can you share a network trace with me? If so, reach out to me via the contact page, and I’ll reply. I’d be happy to take a look and see what’s up.

      Reply

Leave a Reply

%d bloggers like this: