Route SSTP through a Traefik instance


This is my personal setup and configuration. I can verify that it works in my environment, but I can't guarantee that everything in this post will work for you! In this post we're going to tunnel a SoftEther SSTP VPN through a Traefik Docker instance. I'm specifically going to use the TCP router function with an SNI rule and my https entrypoint, as I want to be able to host my websites and route my VPN traffic on port 443 as HTTPS traffic so my school can't filter it with a Layer 3 or Layer 4 firewall.


  • VPN Server which supports SSTP
  • A running Traefik instance
  • Probably DNS/DDNS
  • Port Forwarding on your router


Two ways to go on this step:

  1. You use a self-signed root certificate on your VPN server which you install on all your devices on which you would like to use the VPN Service.
  2. You let your Traefik instance create a Let's Encrypt certificate which you import onto your VPN server (the export and import process of a Traefik certificate isn't that easy, I'll create a blog post about that separately). Then you disable your certResolver function on the Traefik instance and enable TLS passthrough.
  3. I didn't do this yet but maybe you could create a reverse proxy on your Traefik and then use some Let's Encrypt CLI commands so the VPN server creates its certificate itself.

Personally I'm using number two as this is pretty easy to do, but you'll have to go through the certificate refresh process every three months.

Traefik configuration

First I'm going to configure my TCP service. I use the @File configuration for my Traefik instance as my VPN doesn't run in a Docker container. You'll have to put this into your traefik.toml configuration or your dynamic_configuration.toml file. This depends on your existing Traefik instance.

    [[tcp.services.softether.loadBalancer.servers]]
      address = ""


Now this configuration depends on which option you chose in the certificate part. If you chose number 2 and this is the first time, enable the certResolver and disable passthrough, export your certificate, then comment out your certResolver and set your passthrough back to true.

This whole block also goes into your traefik.toml or dynamic_configuration.toml file.

    [tcp.routers.softether]   # router name is an assumption; any name works
      entryPoints = ["https"]
      rule = "HostSNI(`domain`)"
      service = "softether"
      [tcp.routers.softether.tls]
        # certResolver = "certResolver"
        passthrough = true
