SSTP Connect

SSTP / SoftEther VPN Client for iOS




Q: How to start?

To use SSTP Connect, you need to create a profile first.

These items are needed for a profile:

If you have an existing SSTP Connect configuration file or a connection setting file from SoftEther VPN Client Manager, you can import it by either:

Q: How to edit or delete a profile?

Swipe right to edit and swipe left to delete a profile.

You can also tap Edit to enter the edit mode. You will find edit and delete buttons at the bottom.

Q: What are the items in a profile and what do they mean?

Q: Can I connect or disconnect via system VPN settings?

Yes, you can. Your profiles are saved in the system with your credentials in the keychain. Therefore, you can connect and disconnect the VPN without opening the app.

Please turn on notifications so that in case there are errors you will be notified immediately when the app is not in the foreground. (Requiring iOS 10+)

TLS Server Verification

Q: What requirements should a server certificate meet in order to pass TLS server verification?

iOS has implemented more strict rules on server certificates since iOS 13. See below link for more information.

The most important requirements are:

Q: What should I do if I want to use certificates generated by SoftEther VPN Server?

Certificates automatically generated by SoftEther VPN Server do not meet the above requirements. Please follow this guide to regenerate.

Q: What should I do if the server uses a self-signed certificate or a certificate not signed by a public CA?

For security reasons, certificates signed by public CAs should be used. However if that’s not possible, you can ask your administrator for the root CA certificate and both install and trust it on your device.

Note that the certificate still needs to meet the above requirements.

Q: How to install and trust a certificate?

Email the certificate to yourself or download it from the web, then open it on your device. iOS should prompt you that a profile is now ready to install.

To install it:

To trust it:

Authentication with Certificates

Q: How to import my certificates?

The first step of using certificate-based authentication is importing your certificates. Currently the app only accepts certificates packed in PKCS #12 format (.p12 or .pfx files).

PKCS #12 is the default format on Windows platform and also supported by SoftEther VPN Server.

You need to obtain the P12 file from your administrator and place it on your device. This can be done in several ways:

When the certificate is on your device, import it into the app by tapping Import and navigate to the folder. You need to enter the password and give the certificate a distinct description.

The certificate (and its private key) will be saved in the keychain. For security reasons, please delete the file after import or keep it in a secure place.

A certificate can be used by multiple profiles.

Guide on using the Finder to share files from a computer

For macOS Catalina or later

Guide on using iTunes to share files from a computer

For macOS Mojave or earlier or a Windows PC

Q: How to remove a certificate?

In Select Certificate, you can swipe to remove certificates.

Note that under current iOS, if you remove the app without removing all the certificates, they may still be kept in the keychain (Don't worry. They are always protected by iOS). Once you reinstall the app, you can use them again.

Q: I want to import a new certificate but the app complains it's already in the keychain. How is that possible?

According to iOS policy, certificates with the same serial number from the same issuer are considered the same, even if the names are different. Please ask the administrator to generate the certificate with a new serial number.

Q: I have certificates installed in the system. Why can't I see them in the app?

As a third-party app, we can't access certificates installed in the system like built-in VPN does. You have to import them using the app.

VPN On Demand

Q: What is VPN On Demand and how to use it?

VPN On Demand is an advanced iOS feature that allows a VPN connection to be connected / disconnected if some rule matches.

You must first define a set of rules. iOS will try to match them in order and only the first matched rule will be applied. The matching process is completely handled by iOS and the app has no way to alter the behavior.

Important: Only the rules of the current enabled (selected) VPN profile are assessed.

Q: How to write an on demand rule?

A rule has one action and a number of conditions. If all conditions are met, the action is taken.

There are four types of actions:

You can specify these types of conditions:

If no condition is specified, the rule matches all situations and any rule after it will never be matched.

Q: If I want the VPN to be connected when I am away from a WiFi network but disconnected on that network, how should I setup the rules?

You need to create two rules in the following order.

  Action: Disconnect 
  Interface: Wi-Fi 
  SSID: (your Wi-Fi SSID)
  Action: Connect  
  No need to input any condition

Then, click Enable VPN On Demand and save the profile.

Note 1: Make sure the profile is selected (showing a checkmark). It will not work if the profile is not selected.

Note 2: The order is important. If you place Rule 2 before Rule 1, Rule 1 will never run because Rule 2 matches any condition. You can change the order by tapping Edit and drag rules into your desired order.

Q: What does the action type "Evaluate Connection" do?

Evaluate Connection is a special action that further assesses the action to take based on the current connection's destination.

If the destination can't be resolved on the current network, one of these actions can be taken.

For example, you can setup the following rule that if some internal website is being requested (not resolvable on the current network), VPN is automatically started.

Action: Connect If Needed
Domain Being Evaluated: (this will match *

Q: What kind of shortcuts do you support?

As of version 3.8, we support the following shortcuts via the Shortcuts app.

SSTP Questions

Q: Do you offer the same connectivity as the Windows built-in SSTP client?

In most cases we provide the same connectivity as the official client. All password and certificate-based authentication methods available in Windows 11 are supported.

In the case that you authenticate with a certificate installed on your Windows device, make sure you can export it including the private key.

If you think you might have a special case, please discuss with us.

SoftEther Questions

Q: If I can connect using the official SoftEther Client, does that mean I can use this app too?

In most cases we provide the same connectivity as the official client. Both direct (TCP) and NAT-T connections are supported.

However, connections via ICMP or DNS are not supported.

If you think you might have a special case, please discuss with us.

Q: What is UDP acceleration?

SoftEther by default connects via direct TCP and data packets are transferred over TCP as well. UDP acceleration enables sending and receiving data packets over UDP. Although it's called acceleration, the speed may or may not be better than TCP, depending heavily on your network condition.

Q: How do I know whether I am using UDP or TCP? Why is UDP not working sometimes?

"UDP" sign will be displayed in the status bar when UDP is used. You can also know it from the connection log.

UDP acceleration has two working mode:

IPv6 network does not use NAT and should be naturally supporting UDP acceleration.

Q: After I switch the network, UDP acceleration seems not working and why is that?

This is normal if the UDP acceleration works in NAT traversal mode, because according to the current SoftEther protocol there is no way to renegotiate a new endpoint for an existing session. Therefore the server has no way to know your new address and cannot reach the device after the network switch.

Once you switch back to the original network (provided that your IP address has not changed), the UDP will be probably working again.

You have two options to solve this problem:

Q: Can I connect to the VPN Azure service?

Yes, you can. Make sure that you use the hostname ( as the server address. It will not work if you enter an IP address.

Also please note that VPN Azure has two modes:

iOS version, server build and NAT types need to be satisfying the UDP acceleration requirements for direct mode to work.

Q: Can I connect to the VPN Gate service?

Yes. Use these information when you connnect to VPN Gate servers.

CAUTION: VPN Gate servers are provided by various contributors around the world. We do not have any affiliation with them or the project, nor do we ensure connectivity or security in any form.


Import & Export

Q: What are the file formats supported?

You can import from a SSTP Connect configuration file, or a SoftEther VPN connection setting file. They are both ended in .vpn but are not compatible with each other.

A SSTP Connect configuration file can contain multiple VPN profiles.

The export format is always SSTP Connect. We do not support exporting in SoftEther VPN format.

Q: Can I edit a SSTP Connect configuration file?

SSTP Connect configuration files use the JSON format. You are not encouraged to edit by hand but if you wish to, you can do it with a JSON editor at your own risk.

Q: How is my sensitive information saved in the configuration file if I do not add a password?

Passwords and private keys are saved in base64 encoding if not protected by passwords. Anyone can reveal the plain text by using a base64 decoder.

Q: How is my sensitive information encrypted if I add a password?

Passwords and private keys are encrypted using AEAD_AES_256_CBC_HMAC_SHA_384, as described in draft-mcgrew-aead-aes-cbc-hmac-sha2-05.

The base64-encoded AEAD ciphertexts ("C", as defined in 2.1) are saved in the corresponding fields.

AEAD_AES_256_CBC_HMAC_SHA_384 requires a key ("K") and associated data ("A") in order to work.

The associated data is the username to the password. If a username is not available for a private key, the certificate label is used instead.

Q: How is the encryption key ("K") derived?

Key derivation uses the PBKDF2 algorithm, with the following inputs:

The derived key is 56-octet in length, as required by AEAD_AES_256_CBC_HMAC_SHA_384.

A different key is generated for each export file. The random salt is included in the file.

With the above information, you can independently verify the encryption result.

Q: Is the encryption secure enough?

It depends. No encryption is secure unless your password is strong.


Q: Sometimes the WiFi icon goes off with the VPN icon for several seconds. What's going on?

This is an indication that VPN is reconnecting. You are not losing your WiFi connection. It's just how iOS responds to VPN reconnecting events.

Q: I want to make sure traffic is blocked during reconnecting events (called "Seamless Tunnel" by OpenVPN). How can I do it?

This feature is already enabled and we do not offer a way to disable it.

However, please note that some system traffic does not go through VPN at all, including push notifications and some DNS requests. This is controlled by iOS.

Q: Can you help with setting up a server?

We don't make server-side products, but we can provide general advice to you. If special assistance is needed, we will evaluate the situation and (in the case that we can help) may give you a quote.

Q: What if I have more questions?

Send an email to and we will look into it. If it's a connection issue, please set log level to "debug" and send the connection log along with your mail.