diff options
| author | Roberto Bertó <roberto.berto@gmail.com> | 2024-03-10 12:42:31 -0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-03-10 12:42:31 -0300 |
| commit | 95878ef8c96e276a8bc09b0326878a654ce2ee58 (patch) | |
| tree | ae6fe96cedca2ab2a48f4387cc3aaecc71cb0285 /docs/configuration | |
| parent | 0993a91255cad0dd893b7a60e05fd2120a343407 (diff) | |
| parent | 8d410c0843f7d8b88a5a20ccb778ae149c6fc098 (diff) | |
| download | vyos-documentation-95878ef8c96e276a8bc09b0326878a654ce2ee58.tar.gz vyos-documentation-95878ef8c96e276a8bc09b0326878a654ce2ee58.zip | |
Merge pull request #2 from vyos/master
import 2024-03
Diffstat (limited to 'docs/configuration')
42 files changed, 3734 insertions, 1052 deletions
diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index c23a6184..e63ac2c9 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst @@ -11,16 +11,16 @@ a deamonless container engine. Configuration ************* -.. cfgcmd:: set container name <name> image - +.. cfgcmd:: set container name <name> image + Sets the image name in the hub registry .. code-block:: none set container name mysql-server image mysql:8.0 - If a registry is not specified, Docker.io will be used as the container - registry unless an alternative registry is specified using + If a registry is not specified, Docker.io will be used as the container + registry unless an alternative registry is specified using **set container registry <name>** or the registry is included in the image name .. code-block:: none @@ -28,21 +28,21 @@ Configuration set container name mysql-server image quay.io/mysql:8.0 .. cfgcmd:: set container name <name> allow-host-networks - - Allow host networking in a container. The network stack of the container is + + Allow host networking in a container. The network stack of the container is not isolated from the host and will use the host IP. The following commands translate to "--net host" when the container - is created + is created .. note:: **allow-host-networks** cannot be used with **network** -.. cfgcmd:: set container name <name> network <networkname> +.. cfgcmd:: set container name <name> network <networkname> Attaches user-defined network to a container. Only one network must be specified and must already exist. -.. cfgcmd:: set container name <name> network <networkname> address <address> +.. cfgcmd:: set container name <name> network <networkname> address <address> Optionally set a specific static IPv4 or IPv6 address for the container. This address must be within the named network prefix. @@ -58,7 +58,7 @@ Configuration Add custom environment variables. Multiple environment variables are allowed. The following commands translate to "-e key=value" when the container - is created. + is created. .. code-block:: none @@ -88,11 +88,16 @@ Configuration set container name coredns volume 'corefile' source /config/coredns/Corefile set container name coredns volume 'corefile' destination /etc/Corefile - + .. cfgcmd:: set container name <name> volume <volumename> mode <ro | rw> Volume is either mounted as rw (read-write - default) or ro (read-only) +.. cfgcmd:: set container name <name> uid <number> +.. cfgcmd:: set container name <name> gid <number> + + Set the User ID or Group ID of the container + .. cfgcmd:: set container name <name> restart [no | on-failure | always] Set the restart behavior of the container. @@ -102,9 +107,9 @@ Configuration - **always**: Restart containers when they exit, regardless of status, retrying indefinitely .. cfgcmd:: set container name <name> memory <MB> - + Constrain the memory available to the container. - + Default is 512 MB. Use 0 MB for unlimited memory. .. cfgcmd:: set container name <name> device <devicename> source <path> @@ -112,7 +117,7 @@ Configuration Add a host device to the container. -.. cfgcmd:: container name <name> cap-add <text> +.. cfgcmd:: set container name <name> cap-add <text> Set container capabilities or permissions. @@ -124,18 +129,49 @@ Configuration - **sys-time**: Permission to set system clock .. cfgcmd:: set container name <name> disable - + Disable a container. -.. cfgcmd:: set container network <networkname> +Container Networks +================== + +.. cfgcmd:: set container network <name> Creates a named container network +.. cfgcmd:: set container network <name> description + + A brief description what this network is all about. + +.. cfgcmd:: set container network <name> prefix <ipv4|ipv6> + + Define IPv4 or IPv6 prefix for a given network name. Only one IPv4 and + one IPv6 prefix can be used per network name. + +.. cfgcmd:: set container network <name> vrf <nme> + + Bind container network to a given VRF instance. + +Container Registry +================== + .. cfgcmd:: set container registry <name> Adds registry to list of unqualified-search-registries. By default, for any - image that does not include the registry in the image name, Vyos will use - docker.io as the container registry. + image that does not include the registry in the image name, VyOS will use + docker.io and quay.io as the container registry. + +.. cfgcmd:: set container registry <name> disable + + Disable a given container registry + +.. cfgcmd:: set container registry <name> authentication username +.. cfgcmd:: set container registry <name> authentication password + + Some container registries require credentials to be used. + + Credentials can be defined here and will only be used when adding a + container image to the system. ****************** @@ -143,7 +179,7 @@ Operation Commands ****************** .. opcmd:: add container image <containername> - + Pull a new image for container .. opcmd:: show container @@ -151,7 +187,7 @@ Operation Commands Show the list of all active containers. .. opcmd:: show container image - + Show the local container images. .. opcmd:: show container log <containername> @@ -170,7 +206,10 @@ Operation Commands Update container image +.. opcmd:: delete container image [image id|all] + Delete a particular container image based on it's image ID. + You can also delete all container images at once. ********************* Example Configuration @@ -182,22 +221,22 @@ Example Configuration .. code-block:: none - set container network zabbix-net prefix 172.20.0.0/16 - set container network zabbix-net description 'Network for Zabbix component containers' + set container network zabbix prefix 172.20.0.0/16 + set container network zabbix description 'Network for Zabbix component containers' set container name mysql-server image mysql:8.0 - set container name mysql-server network zabbix-net + set container name mysql-server network zabbix set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix' set container name mysql-server environment 'MYSQL_USER' value 'zabbix' set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd' - set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' + set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' set container name zabbix-java-gateway image zabbix/zabbix-java-gateway:alpine-5.2-latest - set container name zabbix-java-gateway network zabbix-net + set container name zabbix-java-gateway network zabbix set container name zabbix-server-mysql image zabbix/zabbix-server-mysql:alpine-5.2-latest - set container name zabbix-server-mysql network zabbix-net + set container name zabbix-server-mysql network zabbix set container name zabbix-server-mysql environment 'DB_SERVER_HOST' value 'mysql-server' set container name zabbix-server-mysql environment 'MYSQL_DATABASE' value 'zabbix' @@ -210,7 +249,7 @@ Example Configuration set container name zabbix-server-mysql port zabbix destination 10051 set container name zabbix-web-nginx-mysql image zabbix/zabbix-web-nginx-mysql:alpine-5.2-latest - set container name zabbix-web-nginx-mysql network zabbix-net + set container name zabbix-web-nginx-mysql network zabbix set container name zabbix-web-nginx-mysql environment 'MYSQL_DATABASE' value 'zabbix' set container name zabbix-web-nginx-mysql environment 'ZBX_SERVER_HOST' value 'zabbix-server-mysql' diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst index 8b44a9b9..bc7b9212 100644 --- a/docs/configuration/firewall/flowtables.rst +++ b/docs/configuration/firewall/flowtables.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2023-12-26 .. _firewall-flowtables-configuration: @@ -13,7 +13,7 @@ Overview ******** In this section there's useful information of all firewall configuration that -can be done regarding flowtables +can be done regarding flowtables. .. cfgcmd:: set firewall flowtables ... @@ -50,3 +50,139 @@ flowtable (flowtable miss), the packet follows the classic IP forwarding path. .. note:: **Flowtable Reference:** https://docs.kernel.org/networking/nf_flowtable.html + + +*********************** +Flowtable Configuration +*********************** + +In order to use flowtables, the minimal configuration needed includes: + + * Create flowtable: create flowtable, which includes the interfaces + that are going to be used by the flowtable. + + * Create firewall rule: create a firewall rule, setting action to + ``offload`` and using desired flowtable for ``offload-target``. + +Creating a flow table: + +.. cfgcmd:: set firewall flowtable <flow_table_name> interface <iface> + + Define interfaces to be used in the flowtable. + +.. cfgcmd:: set firewall flowtable <flow_table_name> description <text> + +Provide a description to the flow table. + +.. cfgcmd:: set firewall flowtable <flow_table_name> offload + <hardware | software> + + Define type of offload to be used by the flowtable: ``hardware`` or + ``software``. By default, ``software`` offload is used. + +.. note:: **Hardware offload:** should be supported by the NICs used. + +Creating rules for using flow tables: + +.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> + action offload + + Create firewall rule in forward chain, and set action to ``offload``. + +.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> + offload-target <flowtable> + + Create firewall rule in forward chain, and define which flowtbale + should be used. Only applicable if action is ``offload``. + +********************* +Configuration Example +********************* + +Things to be considred in this setup: + + * Two interfaces are going to be used in the flowtables: eth0 and eth1 + + * Minumum firewall ruleset is provided, which includes some filtering rules, + and appropiate rules for using flowtable offload capabilities. + +As described, first packet will be evaluated by all the firewall path, so +desired connection should be explicitely accepted. Same thing should be taken +into account for traffic in reverse order. In most cases state policies are +used in order to accept connection in reverse patch. + +We will only accept traffic comming from interface eth0, protocol tcp and +destination port 1122. All other traffic traspassing the router should be +blocked. + +Commands +-------- + +.. code-block:: none + + set firewall flowtable FT01 interface 'eth0' + set firewall flowtable FT01 interface 'eth1' + set firewall ipv4 forward filter default-action 'drop' + set firewall ipv4 forward filter rule 10 action 'offload' + set firewall ipv4 forward filter rule 10 offload-target 'FT01' + set firewall ipv4 forward filter rule 10 state 'established' + set firewall ipv4 forward filter rule 10 state 'related' + set firewall ipv4 forward filter rule 20 action 'accept' + set firewall ipv4 forward filter rule 20 state 'established' + set firewall ipv4 forward filter rule 20 state 'related' + set firewall ipv4 forward filter rule 110 action 'accept' + set firewall ipv4 forward filter rule 110 destination address '192.0.2.100' + set firewall ipv4 forward filter rule 110 destination port '1122' + set firewall ipv4 forward filter rule 110 inbound-interface name 'eth0' + set firewall ipv4 forward filter rule 110 protocol 'tcp' + +Explanation +----------- + +Analysis on what happens for desired connection: + + 1. First packet is received on eht0, with destination address 192.0.2.100, + protocol tcp and destination port 1122. Assume such destination address is + reachable through interface eth1. + + 2. Since this is the first packet, connection status of this connection, + so far is **new**. So neither rule 10 nor 20 are valid. + + 3. Rule 110 is hit, so connection is accepted. + + 4. Once answer from server 192.0.2.100 is seen in opposite direction, + connection state will be triggered to **established**, so this reply is + accepted in rule 10. + + 5. Second packet for this connection is received by the router. Since + connection state is **established**, then rule 10 is hit, and a new entry + in the flowtable FT01 is added for this connection. + + 6. All subsecuent packets will skip traditional path, and will be offloaded + and will use the **Fast Path**. + +Checks +------ + +It's time to check conntrack table, to see if any connection was accepted, +and if was properly offloaded + +.. code-block:: none + + vyos@FlowTables:~$ show firewall ipv4 forward filter + Ruleset Information + + --------------------------------- + ipv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------------------------------- + 10 offload all 8 468 ct state { established, related } flow add @VYOS_FLOWTABLE_FT01 + 20 accept all 8 468 ct state { established, related } accept + 110 accept tcp 2 120 ip daddr 192.0.2.100 tcp dport 1122 iifname "eth0" accept + default drop all 7 420 + + vyos@FlowTables:~$ sudo conntrack -L | grep tcp + conntrack v1.4.6 (conntrack-tools): 5 flow entries have been shown. + tcp 6 src=198.51.100.100 dst=192.0.2.100 sport=41676 dport=1122 src=192.0.2.100 dst=198.51.100.100 sport=1122 dport=41676 [OFFLOAD] mark=0 use=2 + vyos@FlowTables:~$ diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst index 316e0802..b3f311aa 100644 --- a/docs/configuration/firewall/global-options.rst +++ b/docs/configuration/firewall/global-options.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-07 +:lastproofread: 2023-12-26 .. _firewall-global-options-configuration: @@ -114,4 +114,34 @@ Configuration Enable or Disable VyOS to be :rfc:`1337` conform. The following system parameter will be altered: - * ``net.ipv4.tcp_rfc1337``
\ No newline at end of file + * ``net.ipv4.tcp_rfc1337`` + +.. cfgcmd:: set firewall global-options state-policy established action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy established log + +.. cfgcmd:: set firewall global-options state-policy established log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for an established connection. + +.. cfgcmd:: set firewall global-options state-policy invalid action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy invalid log + +.. cfgcmd:: set firewall global-options state-policy invalid log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for invalid packets. + +.. cfgcmd:: set firewall global-options state-policy related action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy related log + +.. cfgcmd:: set firewall global-options state-policy related log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for related connections. diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 3887e26a..5d9190d6 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -4,31 +4,32 @@ Firewall ######## -With VyOS being based on top of Linux and its kernel, the Netfilter project -created the iptables and now the successor nftables for the Linux kernel to -work directly on the data flows. This now extends the concept of zone-based -security to allow for manipulating the data at multiple stages once accepted -by the network interface and the driver before being handed off to the -destination (e.g. a web server OR another device). +As VyOS is based on Linux it leverages its firewall. The Netfilter project +created iptables and its successor nftables for the Linux kernel to +work directly on packet data flows. This now extends the concept of +zone-based security to allow for manipulating the data at multiple stages once +accepted by the network interface and the driver before being handed off to +the destination (e.g., a web server OR another device). -A simplified traffic flow, based on Netfilter packet flow, is shown next, in -order to have a full view and understanding of how packets are processed, and -what possible paths can take. +A simplified traffic flow diagram, based on Netfilter packet flow, is shown +next, in order to have a full view and understanding of how packets are +processed, and what possible paths traffic can take. .. figure:: /_static/images/firewall-gral-packet-flow.png -Main notes regarding this packet flow and terminology used in VyOS firewall: +The main points regarding this packet flow and terminology used in VyOS +firewall are covered below: - * **Bridge Port?**: choose appropiate path based on if interface were the - packet was received is part of a bridge, or not. + * **Bridge Port?**: choose appropriate path based on whether interface + where the packet was received is part of a bridge, or not. -If interface were the packet was received isn't part of a bridge, then packet -is processed at the **IP Layer**: +If the interface where the packet was received isn't part of a bridge, then +packetis processed at the **IP Layer**: * **Prerouting**: several actions can be done in this stage, and currently - these actions are defined in different parts in vyos configuration. Order + these actions are defined in different parts in VyOS configuration. Order is important, and all these actions are performed before any actions - define under ``firewall`` section. Relevant configuration that acts in + defined under ``firewall`` section. Relevant configuration that acts in this stage are: * **Conntrack Ignore**: rules defined under ``set system conntrack ignore @@ -40,12 +41,12 @@ is processed at the **IP Layer**: * **Destination NAT**: rules defined under ``set [nat | nat66] destination...``. - * **Destination is the router?**: choose appropiate path based on - destination IP address. Transit forward continunes to **forward**, + * **Destination is the router?**: choose appropriate path based on + destination IP address. Transit forward continues to **forward**, while traffic that destination IP address is configured on the router continues to **input**. - * **Input**: stage where traffic destinated to the router itself can be + * **Input**: stage where traffic destined for the router itself can be filtered and controlled. This is where all rules for securing the router should take place. This includes ipv4 and ipv6 filtering rules, defined in: @@ -61,14 +62,14 @@ is processed at the **IP Layer**: * ``set firewall ipv6 forward filter ...``. - * **Output**: stage where traffic that is originated by the router itself - can be filtered and controlled. Bare in mind that this traffic can be a - new connection originted by a internal process running on VyOS router, - such as NTP, or can be a response to traffic received externaly through - **inputt** (for example response to an ssh login attempt to the router). + * **Output**: stage where traffic that originates from the router itself + can be filtered and controlled. Bear in mind that this traffic can be a + new connection originated by a internal process running on VyOS router, + such as NTP, or a response to traffic received externaly through + **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in: - * ``set firewall ipv4 input filter ...``. + * ``set firewall ipv4 output filter ...``. * ``set firewall ipv6 output filter ...``. @@ -79,16 +80,16 @@ is processed at the **IP Layer**: * **Source NAT**: rules defined under ``set [nat | nat66] destination...``. -If interface were the packet was received is part of a bridge, then packet -is processed at the **Bridge Layer**, which contains a ver basic setup where -for bridge filtering: +If the interface where the packet was received is part of a bridge, then +the packet is processed at the **Bridge Layer**, which contains a basic setup for +bridge filtering: - * **Forward (Bridge)**: stage where traffic that is trasspasing through the + * **Forward (Bridge)**: stage where traffic that is trespasing through the bridge is filtered and controlled: * ``set firewall bridge forward filter ...``. -Main structure VyOS firewall cli is shown next: +The main structure of the VyOS firewall CLI is shown next: .. code-block:: none @@ -134,7 +135,7 @@ Main structure VyOS firewall cli is shown next: - custom_zone_name + ... -Please, refer to appropiate section for more information about firewall +Please, refer to appropriate section for more information about firewall configuration: .. toctree:: diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 1ab9c630..059b029d 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -123,3 +123,41 @@ written from the perspective of: *Source Zone*-to->*Destination Zone* set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4 set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4 +************** +Operation-mode +************** + +.. opcmd:: show firewall zone-policy + + This will show you a basic summary of zones configuration. + + .. code-block:: none + + vyos@vyos:~$ show firewall zone-policy + Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 + ------ ------------ ----------- --------------- --------------- + LAN eth1 WAN WAN_to_LAN + eth2 + LOCAL LOCAL LAN LAN_to_LOCAL + WAN WAN_to_LOCAL WAN_to_LOCAL_v6 + WAN eth3 LAN LAN_to_WAN + eth0 LOCAL LOCAL_to_WAN + vyos@vyos:~$ + +.. opcmd:: show firewall zone-policy zone <zone> + + This will show you a basic summary of a particular zone. + + .. code-block:: none + + vyos@vyos:~$ show firewall zone-policy zone WAN + Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 + ------ ------------ ----------- --------------- --------------- + WAN eth3 LAN LAN_to_WAN + eth0 LOCAL LOCAL_to_WAN + vyos@vyos:~$ show firewall zone-policy zone LOCAL + Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 + ------ ------------ ----------- --------------- --------------- + LOCAL LOCAL LAN LAN_to_LOCAL + WAN WAN_to_LOCAL WAN_to_LOCAL_v6 + vyos@vyos:~$ diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 7f06faa8..9158ac1d 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -318,6 +318,16 @@ times: set high-availability vrrp group Foo health-check interval 60 set high-availability vrrp group Foo health-check failure-count 3 +When the vrrp group is a member of the sync group will use only +the sync group health check script. +This example shows how to configure it for the sync group: + +.. code-block:: none + + set high-availability vrrp sync-group Bar health-check script /config/scripts/vrrp-check.sh + set high-availability vrrp sync-group Bar health-check interval 60 + set high-availability vrrp sync-group Bar health-check failure-count 3 + Transition scripts ^^^^^^^^^^^^^^^^^^ diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index b37e95a2..65081e1c 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -380,9 +380,13 @@ IPv6 DHCPv6-PD Example .. stop_vyoslinter -The following configuration will assign a /64 prefix out of a /56 delegation -to eth0. The IPv6 address assigned to eth0 will be <prefix>::ffff/64. -If you do not know the prefix size delegated to you, start with sla-len 0. +The following configuration will setup a PPPoE session source from eth1 and +assign a /64 prefix out of a /56 delegation (requested from the ISP) to eth0. +The IPv6 address assigned to eth0 will be <prefix>::1/64. If you do not know +the prefix size delegated to you, start with sla-len 0. + +In addition we setup IPv6 :abbr:`RA (Router Advertisements)` to make the +prefix known on the eth0 link. .. start_vyoslinter @@ -395,3 +399,5 @@ If you do not know the prefix size delegated to you, start with sla-len 0. set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '56' set interfaces pppoe pppoe0 ipv6 address autoconf set interfaces pppoe pppoe0 source-interface eth1 + + set service router-advert interface eth0 prefix ::/64 diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst index 04b612f5..19ef3773 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst +++ b/docs/configuration/loadbalancing/reverse-proxy.rst @@ -105,7 +105,7 @@ Backend of the client * ``round-robin`` Distributes requests in a circular manner, sequentially sending each request to the next server in line - * ``least-connection`` Distributes requests tp tje server wotj the fewest + * ``least-connection`` Distributes requests to the server with the fewest active connections .. cfgcmd:: set load-balancing reverse-proxy backend <name> mode diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst index 66cceb0a..9345e708 100644 --- a/docs/configuration/nat/nat66.rst +++ b/docs/configuration/nat/nat66.rst @@ -137,3 +137,100 @@ R2: set interfaces bridge br1 member interface eth1 set protocols static route6 ::/0 next-hop fc01::1 set service router-advert interface br1 prefix ::/0 + + +Use the following topology to translate internal user local addresses (``fc::/7``) +to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair. + +.. figure:: /_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png + :alt: VyOS NAT66 DHCPv6 using a dummy interface + +Configure both routers (a and b) for DHCPv6-PD via dummy interface: + +.. code-block:: none + + set interfaces dummy dum1 description 'DHCPv6-PD NPT dummy' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 0 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 1 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 2 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 3 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options rapid-commit + commit + +Get the DHCPv6-PD prefixes from both routers: + +.. code-block:: none + + trae@cr01a-vyos# run show interfaces dummy dum1 br + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + dum1 2001:db8:123:b008::/64 u/u DHCPv6-PD NPT dummy + 2001:db8:123:b00a::/64 + 2001:db8:123:b00b::/64 + 2001:db8:123:b009::/64 + + trae@cr01b-vyos# run show int dummy dum1 brief + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + dum1 2001:db8:123:b00d::/64 u/u DHCPv6-PD NPT dummy + 2001:db8:123:b00c::/64 + 2001:db8:123:b00e::/64 + 2001:db8:123:b00f::/64 + +Configure the A-side router for NPTv6 using the prefixes above: + +.. code-block:: none + + set nat66 source rule 10 description 'NPT to VLAN 10' + set nat66 source rule 10 outbound-interface name 'bond0.20' + set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' + set nat66 source rule 10 translation address '2001:db8:123:b008::/64' + set nat66 source rule 20 description 'NPT to VLAN 70' + set nat66 source rule 20 outbound-interface name 'bond0.20' + set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' + set nat66 source rule 20 translation address '2001:db8:123:b009::/64' + set nat66 source rule 30 description 'NPT to VLAN 200' + set nat66 source rule 30 outbound-interface name 'bond0.20' + set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' + set nat66 source rule 30 translation address '2001:db8:123:b00a::/64' + set nat66 source rule 40 description 'NPT to VLAN 240' + set nat66 source rule 40 outbound-interface name 'bond0.20' + set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' + set nat66 source rule 40 translation address '2001:db8:123:b00b::/64' + commit + +Configure the B-side router for NPTv6 using the prefixes above: + +.. code-block:: none + + set nat66 source rule 10 description 'NPT to VLAN 10' + set nat66 source rule 10 outbound-interface name 'bond0.20' + set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' + set nat66 source rule 10 translation address '2001:db8:123:b00c::/64' + set nat66 source rule 20 description 'NPT to VLAN 70' + set nat66 source rule 20 outbound-interface name 'bond0.20' + set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' + set nat66 source rule 20 translation address '2001:db8:123:b00d::/64' + set nat66 source rule 30 description 'NPT to VLAN 200' + set nat66 source rule 30 outbound-interface name 'bond0.20' + set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' + set nat66 source rule 30 translation address '2001:db8:123:b00e::/64' + set nat66 source rule 40 description 'NPT to VLAN 240' + set nat66 source rule 40 outbound-interface name 'bond0.20' + set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' + set nat66 source rule 40 translation address '2001:db8:123:b00f::/64' + commit + +Verify that connections are hitting the rule on both sides: + +.. code-block:: none + + trae@cr01a-vyos# run show nat66 source statistics + Rule Packets Bytes Interface + ------ --------- ------- ----------- + 10 1 104 bond0.20 + 20 1 104 bond0.20 + 30 8093 669445 bond0.20 + 40 2446 216912 bond0.20 diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index 66ad84a3..8fd6fbe8 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -1,7 +1,9 @@ -:lastproofread: 2021-09-01 +:lastproofread: 2024-01-05 .. include:: /_include/need_improvement.txt +.. _pki: + ### PKI ### @@ -118,12 +120,12 @@ OpenVPN .. opcmd:: generate pki openvpn shared-secret - Genearate a new OpenVPN shared secret. The generated secred is the output to + Genearate a new OpenVPN shared secret. The generated secret is the output to the console. .. opcmd:: generate pki openvpn shared-secret install <name> - Genearate a new OpenVPN shared secret. The generated secred is the output to + Genearate a new OpenVPN shared secret. The generated secret is the output to the console. .. include:: pki_cli_import_help.txt @@ -248,6 +250,73 @@ certificates used by services on this router. If CA is present, this certificate will be included in generated CRLs +Import files to PKI format +-------------------------- +VyOS provides this utility to import existing certificates/key files directly +into PKI from op-mode. Previous to VyOS 1.4, certificates were stored under the +/config folder permanently and will be retained post upgrade. + +.. opcmd:: import pki ca <name> file <Path to CA certificate file> + + Import the public CA certificate from the defined file to VyOS CLI. + +.. opcmd:: import pki ca <name> key-file <Path to private key file> + + Import the CAs private key portion to the CLI. This should never leave the + system as it is used to decrypt the data. The key is required if you use + VyOS as your certificate generator. + +.. opcmd:: import pki certificate <name> file <path to certificate> + + Import the certificate from the file to VyOS CLI. + +.. opcmd:: import pki certificate <name> key-file <path to private key> + + Import the private key of the certificate to the VyOS CLI. This should never + leave the system as it is used to decrypt the data. + +.. opcmd:: import pki openvpn shared-secret <name> file <path to OpenVPN secret key> + + Import the OpenVPN shared secret stored in file to the VyOS CLI. + +ACME +^^^^ + +The VyOS PKI subsystem can also be used to automatically retrieve Certificates +using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol. + +.. cfgcmd:: set pki certificate <name> acme domain-name <name> + + Domain names to apply, multiple domain-names can be specified. + + This is a mandatory option + +.. cfgcmd:: set pki certificate <name> acme email <address> + + Email used for registration and recovery contact. + + This is a mandatory option + +.. cfgcmd:: set pki certificate <name> acme listen-address <address> + + The address the server listens to during http-01 challenge + +.. cfgcmd:: set pki certificate <name> acme rsa-key-size <2048 | 3072 | 4096> + + Size of the RSA key. + + This options defaults to 2048 + +.. cfgcmd:: set pki certificate <name> acme url <url> + + ACME Directory Resource URI. + + This defaults to https://acme-v02.api.letsencrypt.org/directory + + .. note:: During initial deployment we recommend using the staging API + of LetsEncrypt to prevent and blacklisting of your system. The API + endpoint is https://acme-staging-v02.api.letsencrypt.org/directory + Operation ========= @@ -292,3 +361,7 @@ also to display them. .. opcmd:: show pki crl Show a list of installed :abbr:`CRLs (Certificate Revocation List)`. + +.. opcmd:: renew certbot + + Manually trigger certificate renewal. This will be done twice a day. diff --git a/docs/configuration/protocols/bfd.rst b/docs/configuration/protocols/bfd.rst index 496c0cf9..30876efc 100644 --- a/docs/configuration/protocols/bfd.rst +++ b/docs/configuration/protocols/bfd.rst @@ -56,6 +56,13 @@ Configure BFD Disable a BFD peer +.. cfgcmd:: set protocols bfd peer <address> minimum-ttl <1-254> + + For multi hop sessions only. Configure the minimum expected TTL for an + incoming BFD control packet. + + This feature serves the purpose of thightening the packet validation + requirements to avoid receiving BFD control packets from other sessions. Enable BFD in BGP ----------------- diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index 8fc69111..3c983aae 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst @@ -209,35 +209,35 @@ Defining Peers .. cfgcmd:: set protocols bgp neighbor <address|interface> local-role <role> [strict] - BGP roles are defined in RFC :rfc:`9234` and provide an easy way to - add route leak prevention, detection and mitigation. The local Role - value is negotiated with the new BGP Role capability which has a - built-in check of the corresponding value. In case of a mismatch the + BGP roles are defined in RFC :rfc:`9234` and provide an easy way to + add route leak prevention, detection and mitigation. The local Role + value is negotiated with the new BGP Role capability which has a + built-in check of the corresponding value. In case of a mismatch the new OPEN Roles Mismatch Notification <2, 11> would be sent. The correct Role pairs are: - + Provider - Customer Peer - Peer RS-Server - RS-Client - If :cfgcmd:`strict` is set the BGP session won’t become established - until the BGP neighbor sets local Role on its side. This + If :cfgcmd:`strict` is set the BGP session won’t become established + until the BGP neighbor sets local Role on its side. This configuration parameter is defined in RFC :rfc:`9234` and is used to enforce the corresponding configuration at your counter-parts side. - - Routes that are sent from provider, rs-server, or the peer local-role - (or if received by customer, rs-client, or the peer local-role) will + + Routes that are sent from provider, rs-server, or the peer local-role + (or if received by customer, rs-client, or the peer local-role) will be marked with a new Only to Customer (OTC) attribute. - + Routes with this attribute can only be sent to your neighbor if your local-role is provider or rs-server. Routes with this attribute can - be received only if your local-role is customer or rs-client. - + be received only if your local-role is customer or rs-client. + In case of peer-peer relationship routes can be received only if OTC value is equal to your neighbor AS number. - + All these rules with OTC will help to detect and mitigate route leaks and happen automatically if local-role is set. @@ -584,6 +584,12 @@ General Configuration Common parameters ^^^^^^^^^^^^^^^^^ +.. cfgcmd:: set protocols bgp parameters allow-martian-nexthop + + When a peer receives a martian nexthop as part of the NLRI for a route + permit the nexthop to be used as such, instead of rejecting and resetting + the connection. + .. cfgcmd:: set protocols bgp parameters router-id <id> This command specifies the router-ID. If router ID is not specified it will @@ -598,6 +604,12 @@ Common parameters Path (both AS number and AS path length), Origin code, MED, IGP metric. Also, the next hop address for each path must be different. +.. cfgcmd:: set protocols bgp parameters no-hard-administrative-reset + + Do not send Hard Reset CEASE Notification for "Administrative Reset" + events. When set and Graceful Restart Notification capability is exchanged + between the peers, Graceful Restart procedures apply, and routes will be retained. + .. cfgcmd:: set protocols bgp parameters log-neighbor-changes This command enable logging neighbor up/down changes and reset reason. @@ -643,6 +655,16 @@ Common parameters compatibility with older versions of VyOS. With this option one can enable :rfc:`8212` functionality to operate. +.. cfgcmd:: set protocols bgp parameters labeled-unicast <explicit-null | + ipv4-explicit-null | ipv6-explicit-null> + + By default, locally advertised prefixes use the implicit-null label to + encode in the outgoing NLRI. + + The following command uses the explicit-null label value for all the + BGP instances. + + Administrative Distance ^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/configuration/protocols/rpki.rst b/docs/configuration/protocols/rpki.rst index 827bfe1a..aeb2941b 100644 --- a/docs/configuration/protocols/rpki.rst +++ b/docs/configuration/protocols/rpki.rst @@ -30,8 +30,8 @@ in :rfc:`8210`. If you are new to these routing security technologies then there is an `excellent guide to RPKI`_ by NLnet Labs which will get you up to speed very quickly. Their documentation explains everything from what RPKI is to - deploying it in production. It also has some - `help and operational guidance`_ including "What can I do about my route + deploying it in production. It also has some + `help and operational guidance`_ including "What can I do about my route having an Invalid state?" *************** @@ -109,6 +109,20 @@ Configuration The default value is 300 seconds. +.. cfgcmd:: set protocols rpki expire-interval <600-172800> + + Set the number of seconds the router waits until the router + expires the cache. + + The default value is 7200 seconds. + +.. cfgcmd:: set protocols rpki retry-interval <1-7200> + + Set the number of seconds the router waits until retrying to connect + to the cache server. + + The default value is 600 seconds. + .. cfgcmd:: set protocols rpki cache <address> port <port> Defined the IPv4, IPv6 or FQDN and port number of the caching RPKI caching @@ -136,10 +150,6 @@ the connection. SSH username to establish an SSH connection to the cache server. -.. cfgcmd:: set protocols rpki cache <address> ssh known-hosts-file <filepath> - - Local path that includes the known hosts file. - .. cfgcmd:: set protocols rpki cache <address> ssh private-key-file <filepath> Local path that includes the private key file of the router. @@ -148,7 +158,7 @@ the connection. Local path that includes the public key file of the router. -.. note:: When using SSH, known-hosts-file, private-key-file and public-key-file +.. note:: When using SSH, private-key-file and public-key-file are mandatory options. ******* diff --git a/docs/configuration/protocols/static.rst b/docs/configuration/protocols/static.rst index 1ad252e7..bfc25201 100644 --- a/docs/configuration/protocols/static.rst +++ b/docs/configuration/protocols/static.rst @@ -59,6 +59,29 @@ Static Routes .. note:: Routes with a distance of 255 are effectively disabled and not installed into the kernel. +.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> segments <segments> + + It is possible to specify a static route for ipv6 prefixes using an SRv6 segments + instruction. The `/` separator can be used to specify multiple segment instructions. + + Example: + + .. code-block:: none + + set protocols static route6 2001:db8:1000::/36 next-hop 2001:db8:201::ffff segments '2001:db8:aaaa::7/2002::4/2002::3/2002::2' + + .. code-block:: none + + vyos@vyos:~$ show ipv6 route + Codes: K - kernel route, C - connected, S - static, R - RIPng, + O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table, + v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + C>* 2001:db8:201::/64 is directly connected, eth0.201, 00:00:46 + S>* 2001:db8:1000::/36 [1/0] via 2001:db8:201::ffff, eth0.201, seg6 2001:db8:aaaa::7,2002::4,2002::3,2002::2, weight 1, 00:00:08 + Interface Routes ================ @@ -103,6 +126,17 @@ Interface Routes Range is 1 to 255, default is 1. +.. cfgcmd:: set protocols static route6 <subnet> interface + <interface> segments <segments> + + It is possible to specify a static route for ipv6 prefixes using an SRv6 segments + instruction. The `/` separator can be used to specify multiple segment instructions. + + Example: + + .. code-block:: none + + set protocols static route6 2001:db8:1000::/36 interface eth0 segments '2001:db8:aaaa::7/2002::4/2002::3/2002::2' Blackhole ========= @@ -133,7 +167,6 @@ Blackhole Defines blackhole distance for this route, routes with smaller administrative distance are elected prior to those with a higher distance. - Alternate Routing Tables ======================== diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index 468b39d9..d43f2385 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst @@ -98,6 +98,10 @@ Configuration This diable the external cache and directly injects the flow-states into the in-kernel Connection Tracking System of the backup firewall. +.. cfgcmd:: set service conntrack-sync disable-syslog + + Disable connection logging via Syslog. + ********* Operation ********* diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index b5b12a5b..6813d2c0 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -4,7 +4,7 @@ DHCP Server ########### -VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment. +VyOS uses Kea DHCP server for both IPv4 and IPv6 address assignment. *********** IPv4 server @@ -26,12 +26,7 @@ Configuration Create DNS record per client lease, by adding clients to /etc/hosts file. Entry will have format: `<shared-network-name>_<hostname>.<domain-name>` -.. cfgcmd:: set service dhcp-server host-decl-name - - Will drop `<shared-network-name>_` from client DNS record, using only the - host declaration name and domain: `<hostname>.<domain-name>` - -.. cfgcmd:: set service dhcp-server shared-network-name <name> domain-name <domain-name> +.. cfgcmd:: set service dhcp-server shared-network-name <name> option domain-name <domain-name> The domain-name parameter should be the domain name that will be appended to the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP @@ -40,7 +35,7 @@ Configuration This is the configuration parameter for the entire shared network definition. All subnets will inherit this configuration item if not specified locally. -.. cfgcmd:: set service dhcp-server shared-network-name <name> domain-search <domain-name> +.. cfgcmd:: set service dhcp-server shared-network-name <name> option domain-search <domain-name> The domain-name parameter should be the domain name used when completing DNS request where no full FQDN is passed. This option can be given multiple times @@ -49,7 +44,7 @@ Configuration This is the configuration parameter for the entire shared network definition. All subnets will inherit this configuration item if not specified locally. -.. cfgcmd:: set service dhcp-server shared-network-name <name> name-server <address> +.. cfgcmd:: set service dhcp-server shared-network-name <name> option name-server <address> Inform client that the DNS server can be found at `<address>`. @@ -58,21 +53,6 @@ Configuration Multiple DNS servers can be defined. -.. cfgcmd:: set service dhcp-server shared-network-name <name> ping-check - - When the DHCP server is considering dynamically allocating an IP address to a - client, it first sends an ICMP Echo request (a ping) to the address being - assigned. It waits for a second, and if no ICMP Echo response has been heard, - it assigns the address. - - If a response is heard, the lease is abandoned, and the server does not - respond to the client. The lease will remain abandoned for a minimum of - abandon-lease-time seconds (defaults to 24 hours). - - If there are no free addresses but there are abandoned IP addresses, the - DHCP server will attempt to reclaim an abandoned IP address regardless of the - value of abandon-lease-time. - .. cfgcmd:: set service dhcp-server listen-address <address> This configuration parameter lets the DHCP server to listen for DHCP @@ -91,14 +71,20 @@ Individual Client Subnet network. .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - default-router <address> + subnet-id <id> + + This configuration parameter is required and must be unique to each subnet. + It is required to map subnets to lease file entries. + +.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> + option default-router <address> This is a configuration parameter for the `<subnet>`, saying that as part of the response, tell the client that the default gateway can be reached at `<address>`. .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - name-server <address> + option name-server <address> This is a configuration parameter for the subnet, saying that as part of the response, tell the client that the DNS server can be found at `<address>`. @@ -133,40 +119,19 @@ Individual Client Subnet This option can be specified multiple times. .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - domain-name <domain-name> + option domain-name <domain-name> The domain-name parameter should be the domain name that will be appended to the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP Option 015). .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - domain-search <domain-name> + option domain-search <domain-name> The domain-name parameter should be the domain name used when completing DNS request where no full FQDN is passed. This option can be given multiple times if you need multiple search domains (DHCP Option 119). -.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - ping-check - - When the DHCP server is considering dynamically allocating an IP address to a - client, it first sends an ICMP Echo request (a ping) to the address being - assigned. It waits for a second, and if no ICMP Echo response has been heard, - it assigns the address. - - If a response is heard, the lease is abandoned, and the server does not - respond to the client. The lease will remain abandoned for a minimum of - abandon-lease-time seconds (defaults to 24 hours). - - If a there are no free addresses but there are abandoned IP addresses, the - DHCP server will attempt to reclaim an abandoned IP address regardless of the - value of abandon-lease-time. - -.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - enable-failover - - Enable DHCP failover configuration for this address pool. - Failover -------- @@ -213,12 +178,18 @@ MAC address of the station and your desired IP address. The address must be inside the subnet definition but can be outside of the range statement. .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet - <subnet> static-mapping <description> mac-address <address> + <subnet> static-mapping <description> mac <address> Create a new DHCP static mapping named `<description>` which is valid for the host identified by its MAC `<address>`. .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet + <subnet> static-mapping <description> duid <identifier> + + Create a new DHCP static mapping named `<description>` which is valid for + the host identified by its DHCP unique identifier (DUID) `<identifier>`. + +.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> static-mapping <description> ip-address <address> Static DHCP IP address assign to host identified by `<description>`. IP @@ -238,8 +209,9 @@ inside the subnet definition but can be outside of the range statement. .. code-block:: none + set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 subnet-id 1 set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100 - set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac-address aa:bb:11:22:33:00 + set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac aa:bb:11:22:33:00 The configuration will look as follows: @@ -249,8 +221,9 @@ The configuration will look as follows: subnet 192.168.1.0/24 { static-mapping client1 { ip-address 192.168.1.100 - mac-address aa:bb:11:22:33:00 + mac aa:bb:11:22:33:00 } + subnet-id 1 } Options @@ -391,32 +364,6 @@ Options Multi: can be specified multiple times. -Raw Parameters -============== - -Raw parameters can be passed to shared-network-name, subnet and static-mapping: - -.. code-block:: none - - set service dhcp-server shared-network-name <name> shared-network-parameters - <text> Additional shared-network parameters for DHCP server. - set service dhcp-server shared-network-name <name> subnet <subnet> subnet-parameters - <text> Additional subnet parameters for DHCP server. - set service dhcp-server shared-network-name <name> subnet <subnet> static-mapping <description> static-mapping-parameters - <text> Additional static-mapping parameters for DHCP server. - Will be placed inside the "host" block of the mapping. - -These parameters are passed as-is to isc-dhcp's dhcpd.conf under the -configuration node they are defined in. They are not validated so an error in -the raw parameters won't be caught by vyos's scripts and will cause dhcpd to -fail to start. Always verify that the parameters are correct before committing -the configuration. Refer to isc-dhcp's dhcpd.conf manual for more information: -https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf - -Quotes can be used inside parameter values by replacing all quote characters -with the string ``"``. They will be replaced with literal quote characters -when generating dhcpd.conf. - Example ======= @@ -439,12 +386,12 @@ Common configuration, valid for both primary and secondary node. .. code-block:: none - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 default-router '192.0.2.254' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 name-server '192.0.2.254' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 domain-name 'vyos.net' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option default-router '192.0.2.254' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option name-server '192.0.2.254' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option domain-name 'vyos.net' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 enable-failover + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 subnet-id '1' **Primary** @@ -467,47 +414,6 @@ Common configuration, valid for both primary and secondary node. .. _dhcp-server:v4_example_raw: -Raw Parameters --------------- - -* Override static-mapping's name-server with a custom one that will be sent only - to this host. -* An option that takes a quoted string is set by replacing all quote characters - with the string ``"`` inside the static-mapping-parameters value. - The resulting line in dhcpd.conf will be - ``option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";``. - - -.. code-block:: none - - set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option domain-name-servers 192.0.2.11, 192.0.2.12;" - set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";" - -Option 43 for UniFI -------------------- - -* These parameters need to be part of the DHCP global options. - They stay unchanged. - - -.. code-block:: none - - set service dhcp-server global-parameters 'option space ubnt;' - set service dhcp-server global-parameters 'option ubnt.unifi-address code 1 = ip-address;' - set service dhcp-server global-parameters 'class "ubnt" {' - set service dhcp-server global-parameters 'match if substring (option vendor-class-identifier, 0, 4) = "ubnt";' - set service dhcp-server global-parameters 'option vendor-class-identifier "ubnt";' - set service dhcp-server global-parameters 'vendor-option-space ubnt;' - set service dhcp-server global-parameters '}' - -* Now we add the option to the scope, adapt to your setup - - -.. code-block:: none - - set service dhcp-server shared-network-name example-scope subnet 10.1.1.0/24 subnet-parameters 'option ubnt.unifi-address 172.16.1.10;' - - Operation Mode ============== @@ -549,18 +455,43 @@ Operation Mode .. code-block:: none vyos@vyos:~$ show dhcp server leases - IP address Hardware address State Lease start Lease expiration Remaining Pool Hostname - -------------- ------------------ ------- ------------------- ------------------- ---------- ----------- --------- - 192.0.2.104 00:53:01:dd:ee:ff active 2019/12/05 14:24:23 2019/12/06 02:24:23 6:05:35 dhcpexample test1 - 192.0.2.115 00:53:01:ae:af:bf active 2019/12/05 18:02:37 2019/12/06 06:02:37 9:43:49 dhcpexample test2 + IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin + -------------- ----------------- ------- ------------------- ------------------- ----------- -------- ---------- -------- + 192.168.11.134 00:50:79:66:68:09 active 2023/11/29 09:51:05 2023/11/29 10:21:05 0:24:10 LAN VPCS1 local + 192.168.11.133 50:00:00:06:00:00 active 2023/11/29 09:51:38 2023/11/29 10:21:38 0:24:43 LAN VYOS-6 local + 10.11.11.108 50:00:00:05:00:00 active 2023/11/29 09:51:43 2023/11/29 10:21:43 0:24:48 VIF-1001 VYOS5 local + 192.168.11.135 00:50:79:66:68:07 active 2023/11/29 09:55:16 2023/11/29 09:59:16 0:02:21 remote + vyos@vyos:~$ .. hint:: Static mappings aren't shown. To show all states, use ``show dhcp server leases state all``. +.. opcmd:: show dhcp server leases origin [local | remote] + + Show statuses of all active leases granted by local (this server) or + remote (failover server): + +.. code-block:: none + + vyos@vyos:~$ show dhcp server leases origin remote + IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin + -------------- ----------------- ------- ------------------- ------------------- ----------- -------- ---------- -------- + 192.168.11.135 00:50:79:66:68:07 active 2023/11/29 09:55:16 2023/11/29 09:59:16 0:02:21 remote + vyos@vyos:~$ + .. opcmd:: show dhcp server leases pool <pool> Show only leases in the specified pool. +.. code-block:: none + + vyos@vyos:~$ show dhcp server leases pool LAN + IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin + -------------- ----------------- ------- ------------------- ------------------- ----------- ------ ---------- -------- + 192.168.11.134 00:50:79:66:68:09 active 2023/11/29 09:51:05 2023/11/29 10:21:05 0:23:55 LAN VPCS1 local + 192.168.11.133 50:00:00:06:00:00 active 2023/11/29 09:51:38 2023/11/29 10:21:38 0:24:28 LAN VYOS-6 local + vyos@vyos:~$ + .. opcmd:: show dhcp server leases sort <key> Sort the output by the specified key. Possible keys: ip, hardware_address, @@ -572,7 +503,6 @@ Operation Mode free, expired, released, abandoned, reset, backup (default = active) - *********** IPv6 server *********** @@ -590,6 +520,12 @@ Configuration Clients receiving advertise messages from multiple servers choose the server with the highest preference value. The range for this value is ``0...255``. +.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet <subnet> + subnet-id <id> + + This configuration parameter is required and must be unique to each subnet. + It is required to map subnets to lease file entries. + .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet <prefix> lease-time {default | maximum | minimum} @@ -598,35 +534,35 @@ Configuration values need to be supplied in seconds. .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> nis-domain <domain-name> + <prefix> option nis-domain <domain-name> A :abbr:`NIS (Network Information Service)` domain can be set to be used for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> nisplus-domain <domain-name> + <prefix> option nisplus-domain <domain-name> The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` domain is similar to the NIS domain one: .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> nis-server <address> + <prefix> option nis-server <address> Specify a NIS server address for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> nisplus-server <address> + <prefix> option nisplus-server <address> Specify a NIS+ server address for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> sip-server <address | fqdn> + <prefix> option sip-server <address | fqdn> Specify a :abbr:`SIP (Session Initiation Protocol)` server by IPv6 address of Fully Qualified Domain Name for all DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> sntp-server-address <address> + <prefix> option sntp-server-address <address> A SNTP server address can be specified for DHCPv6 clients. @@ -664,8 +600,10 @@ server. The following example describes a common scenario. .. code-block:: none - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-range start 2001:db8::100 stop 2001:db8::199 - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server 2001:db8::ffff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 range 1 start 2001:db8::100 stop 2001:db8::199 + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 range 1 stop 2001:db8::199 + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 option name-server 2001:db8::ffff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 subnet-id 1 The configuration will look as follows: @@ -674,12 +612,14 @@ The configuration will look as follows: show service dhcpv6-server shared-network-name NET1 { subnet 2001:db8::/64 { - address-range { - start 2001:db8::100 { - stop 2001:db8::199 - } + range 1 { + start 2001:db8::100 + stop 2001:db8::199 + } + option { + name-server 2001:db8::ffff } - name-server 2001:db8::ffff + subnet-id 1 } } @@ -707,7 +647,7 @@ be created. The following example explains the process. set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-address 2001:db8::101 set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-prefix 2001:db8:0:101::/64 - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 duid 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff The configuration will look as follows: @@ -718,7 +658,7 @@ The configuration will look as follows: show service dhcpv6-server shared-network-name NET1 subnet 2001:db8::/64 { static-mapping client1 { - identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff + duid 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff ipv6-address 2001:db8::101 ipv6-prefix 2001:db8:0:101::/64 } diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index 2caeb22d..c6deb179 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst @@ -204,8 +204,8 @@ this only one purpose. ddclient_ uses two methods to update a DNS record. The first one will send updates directly to the DNS daemon, in compliance with :rfc:`2136`. The second -one involves a third party service, like DynDNS.com or any other similar -website. This method uses HTTP requests to transmit the new IP address. You +one involves a third party service, like DynDNS.com or any other such +service provider. This method uses HTTP requests to transmit the new IP address. You can configure both in VyOS. .. _dns:dynmaic_config: @@ -216,46 +216,43 @@ Configuration :rfc:`2136` Based ----------------- -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> - Create new :rfc:`2136` DNS update configuration which will update the IP + Create new dynamic DNS update configuration which will update the IP address assigned to `<interface>` on the service you configured under `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - key <keyfile> +.. cfgcmd:: set service dns dynamic name <service-name> description <text> + + Set description `<text>` for dynamic DNS service being configured. - File identified by `<keyfile>` containing the secret RNDC key shared with - remote DNS server. +.. cfgcmd:: set service dns dynamic name <service-name> key <filename> -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - server <server> + File identified by `<filename>` containing the TSIG authentication key for RFC2136 + nsupdate on remote DNS server. + +.. cfgcmd:: set service dns dynamic name <service-name> server <server> Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignment. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - zone <zone> +.. cfgcmd:: set service dns dynamic name <service-name> zone <zone> Configure DNS `<zone>` to be updated. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - record <record> +.. cfgcmd:: set service dns dynamic name <service-name> host-name <record> - Configure DNS `<record>` which should be updated. This can be set multiple - times. + Configure DNS `<record>` which should be updated. This can be set multiple times. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - ttl <ttl> +.. cfgcmd:: set service dns dynamic name <service-name> ttl <ttl> Configure optional TTL value on the given resource record. This defaults to 600 seconds. -.. cfgcmd:: set service dns dynamic timeout <60-3600> - - Specify timeout / update interval to check if IP address changed. +.. cfgcmd:: set service dns dynamic interval <60-3600> - This defaults to 300 seconds. + Specify interval in seconds to wait between Dynamic DNS updates. + The default is 300 seconds. .. _dns:dynmaic_example: @@ -268,32 +265,48 @@ Example .. code-block:: none + # Configuration commands entered: + # + set service dns dynamic name 'VyOS-DNS' address interface 'eth0' + set service dns dynamic name 'VyOS-DNS' description 'RFC 2136 dynamic dns service' + set service dns dynamic name 'VyOS-DNS' key '/config/auth/my.key' + set service dns dynamic name 'VyOS-DNS' server 'ns1.vyos.io' + set service dns dynamic name 'VyOS-DNS' zone 'vyos.io' + set service dns dynamic name 'VyOS-DNS' host-name 'example.vyos.io' + set service dns dynamic name 'VyOS-DNS' protocol 'nsupdate' + set service dns dynamic name 'VyOS-DNS' ttl '300' + + # Resulting config: + # vyos@vyos# show service dns dynamic - interface eth0.7 { - rfc2136 VyOS-DNS { - key /config/auth/my.key - record example.vyos.io - server ns1.vyos.io - ttl 300 - zone vyos.io + name VyOS-DNS { + address { + interface eth0 } + description "RFC 2136 dynamic dns service" + host-name example.vyos.io + key /config/auth/my.key + protocol nsupdate + server ns1.vyos.io + ttl 300 + zone vyos.io } This will render the following ddclient_ configuration entry: .. code-block:: none + # ddclient configuration for interface "eth0": # - # ddclient configuration for interface "eth0.7": - # - use=if, if=eth0.7 - - # RFC2136 dynamic DNS configuration for example.vyos.io.vyos.io - server=ns1.vyos.io - protocol=nsupdate - password=/config/auth/my.key - ttl=300 - zone=vyos.io + + # Web service dynamic DNS configuration for VyOS-DNS: [nsupdate, example.vyos.io] + use=if, \ + if=eth0, \ + protocol=nsupdate, \ + server=ns1.vyos.io, \ + zone=vyos.io, \ + password='/config/auth/my.key', \ + ttl=300 \ example.vyos.io .. note:: You can also keep different DNS zone updated. Just create a new @@ -308,40 +321,43 @@ VyOS is also able to use any service relying on protocols supported by ddclient. To use such a service, one must define a login, password, one or multiple hostnames, protocol and server. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - host-name <hostname> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> + + Create new dynamic DNS update configuration which will update the IP + address assigned to `<interface>` on the service you configured under + `<service-name>`. + +.. cfgcmd:: set service dns dynamic name <service-name> description <text> + + Set description `<text>` for dynamic DNS service being configured. + +.. cfgcmd:: set service dns dynamic name <service-name> host-name <hostname> Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS - provider identified by `<service>` when the IP address on address - `<interface>` changes. + provider identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - username <username> +.. cfgcmd:: set service dns dynamic name <service-name> username <username> Configure `<username>` used when authenticating the update request for - DynDNS service identified by `<service>`. - For Namecheap, set the <domain> you wish to update. + DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - password <password> +.. cfgcmd:: set service dns dynamic name <service-name> password <password> Configure `<password>` used when authenticating the update request for - DynDNS service identified by `<service>`. + DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - protocol <protocol> +.. cfgcmd:: set service dns dynamic name <service-name> protocol <protocol> - When a ``custom`` DynDNS provider is used the protocol used for communicating + When a ``custom`` DynDNS provider is used, the protocol used for communicating to the provider must be specified under `<protocol>`. See the embedded - completion helper for available protocols. + completion helper when entering above command for available protocols. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - server <server> +.. cfgcmd:: set service dns dynamic name <service-name> server <server> When a ``custom`` DynDNS provider is used the `<server>` where update requests are being sent to must be specified. -.. cfgcmd:: set service dns dynamic address <interface> ipv6-enable +.. cfgcmd:: set service dns dynamic name <service-name> ip-version 'ipv6' Allow explicit IPv6 address for the interface. @@ -349,14 +365,17 @@ hostnames, protocol and server. Example: ^^^^^^^^ -Use DynDNS as your preferred provider: +Use deSEC (dedyn.io) as your preferred provider: .. code-block:: none - set service dns dynamic address eth0 service dyndns - set service dns dynamic address eth0 service dyndns username my-login - set service dns dynamic address eth0 service dyndns password my-password - set service dns dynamic address eth0 service dyndns host-name my-dyndns-hostname + set service dns dynamic name dedyn description 'deSEC dynamic dns service' + set service dns dynamic name dedyn username 'myusername' + set service dns dynamic name dedyn password 'mypassword' + set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' + set service dns dynamic name dedyn protocol 'dyndns2' + set service dns dynamic name dedyn server 'update.dedyn.io' + set service dns dynamic name dedyn address interface 'eth0' .. note:: Multiple services can be used per interface. Just specify as many services per interface as you like! @@ -366,12 +385,14 @@ Example IPv6 only: .. code-block:: none - set service dns dynamic address eth0 ipv6-enable - set service dns dynamic address eth0 service dyndns6 username my-login - set service dns dynamic address eth0 service dyndns6 password my-password - set service dns dynamic address eth0 service dyndns6 host-name my-dyndns-hostname - set service dns dynamic address eth0 service dyndns6 protocol dyndns2 - set service dns dynamic address eth0 service dyndns6 server dyndns-v6-server + set service dns dynamic name dedyn description 'deSEC ipv6 dynamic dns service' + set service dns dynamic name dedyn username 'myusername' + set service dns dynamic name dedyn password 'mypassword' + set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' + set service dns dynamic name dedyn protocol 'dyndns2' + set service dns dynamic name dedyn ip-version 'ipv6' + set service dns dynamic name dedyn server 'update6.dedyn.io' + set service dns dynamic name dedyn address interface 'eth0' Running Behind NAT @@ -381,21 +402,15 @@ By default, ddclient_ will update a dynamic dns record using the IP address directly attached to the interface. If your VyOS instance is behind NAT, your record will be updated to point to your internal IP. -Above, command syntax isn noted to configure dynamic dns on a specific interface. -It is possible to overlook the additional address option, web, when completeing -those commands. ddclient_ has another way to determine the WAN IP address, using -a web-based url to determine the external IP. Each of the commands above will -need to be modified to use 'web' as the 'interface' specified if this functionality -is to be utilized. - -This functionality is controlled by adding the following configuration: +ddclient_ has another way to determine the WAN IP address. This is controlled +by: -.. cfgcmd:: set service dns dynamic address web web-options url <url> +.. cfgcmd:: set service dns dynamic name <service-name> address web <url> Use configured `<url>` to determine your IP address. ddclient_ will load `<url>` and tries to extract your IP address from the response. -.. cfgcmd:: set service dns dynamic address web web-options skip <pattern> +.. cfgcmd:: set service dns dynamic name <service-name> address web skip <pattern> ddclient_ will skip any address located before the string set in `<pattern>`. diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index eb2e30eb..973c5355 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -1,7 +1,7 @@ .. _http-api: ######## -HTTP-API +HTTP API ######## VyOS provide an HTTP API. You can use it to execute op-mode commands, @@ -13,75 +13,71 @@ Please take a look at the :ref:`vyosapi` page for an detailed how-to. Configuration ************* -.. cfgcmd:: set service https api keys id <name> key <apikey> +.. cfgcmd:: set service https allow-client address <address> - Set a named api key. Every key has the same, full permissions - on the system. + Only allow certain IP addresses or prefixes to access the https + webserver. -.. cfgcmd:: set service https api debug +.. cfgcmd:: set service https certificates ca-certificate <name> - To enable debug messages. Available via :opcmd:`show log` or - :opcmd:`monitor log` + Use CA certificate from PKI subsystem -.. cfgcmd:: set service https api strict +.. cfgcmd:: set service https certificates certificate <name> - Enforce strict path checking + Use certificate from PKI subsystem -.. cfgcmd:: set service https virtual-host <vhost> listen-address - <ipv4 or ipv6 address> +.. cfgcmd:: set service https certificates dh-params <name> - Address to listen for HTTPS requests + Use :abbr:`DH (Diffie–Hellman)` parameters from PKI subsystem. + Must be at least 2048 bits in length. -.. cfgcmd:: set service https virtual-host <vhost> port <1-65535> +.. cfgcmd:: set service https listen-address <address> - Port to listen for HTTPS requests; default 443 + Webserver should only listen on specified IP address -.. cfgcmd:: set service https virtual-host <vhost> server-name <text> +.. cfgcmd:: set service https port <number> - Server names for virtual hosts it can be exact, wildcard or regex. + Webserver should listen on specified port. -.. cfgcmd:: set service https api-restrict virtual-host <vhost> + Default: 443 - By default, nginx exposes the local API on all virtual servers. - Use this to restrict nginx to one or more virtual hosts. +.. cfgcmd:: set service https enable-http-redirect -.. cfgcmd:: set service https certificates certbot domain-name <text> + Enable automatic redirect from http to https. - Domain name(s) for which to obtain certificate +.. cfgcmd:: set service https tls-version <1.2 | 1.3> -.. cfgcmd:: set service https certificates certbot email + Select TLS version used. - Email address to associate with certificate + This defaults to both 1.2 and 1.3. -.. cfgcmd:: set service https certificates system-generated-certificate +.. cfgcmd:: set service https vrf <name> - Use an automatically generated self-signed certificate + Start Webserver in given VRF. -.. cfgcmd:: set service https certificates system-generated-certificate - lifetime <days> +API +=== - Lifetime in days; default is 365 +.. cfgcmd:: set service https api keys id <name> key <apikey> + Set a named api key. Every key has the same, full permissions + on the system. -********************* -Example Configuration -********************* +.. cfgcmd:: set service https api debug -Set an API-KEY is the minimal configuration to get a working API Endpoint. + To enable debug messages. Available via :opcmd:`show log` or + :opcmd:`monitor log` -.. code-block:: none +.. cfgcmd:: set service https api strict - set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY + Enforce strict path checking +********************* +Example Configuration +********************* -To use this full configuration we asume a public accessible hostname. +Set an API-KEY is the minimal configuration to get a working API Endpoint. .. code-block:: none set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY - set service https certificates certbot domain-name rtr01.example.com - set service https certificates certbot email mail@example.com - set service https virtual-host rtr01 listen-address 198.51.100.2 - set service https virtual-host rtr01 port 11443 - set service https virtual-host rtr01 server-name rtr01.example.com - set service https api-restrict virtual-host rtr01 diff --git a/docs/configuration/service/ids.rst b/docs/configuration/service/ids.rst new file mode 100644 index 00000000..3e508d50 --- /dev/null +++ b/docs/configuration/service/ids.rst @@ -0,0 +1,179 @@ +.. _ids: + +############### +DDoS Protection +############### + +********** +FastNetMon +********** + +FastNetMon is a high-performance DDoS detector/sensor built on top of multiple +packet capture engines: NetFlow, IPFIX, sFlow, AF_PACKET (port mirror). It can +detect hosts in the deployed network sending or receiving large volumes of +traffic, packets/bytes/flows per second and perform a configurable action to +handle that event, such as calling a custom script. + +VyOS includes the FastNetMon Community Edition. + +Configuration +============= + +.. cfgcmd:: set service ids ddos-protection alert-script <text> + + Configure alert script that will be executed when an attack is detected. + +.. cfgcmd:: set service ids ddos-protection ban-time <1-4294967294> + + Configure how long an IP (attacker) should be kept in blocked state. + Default value is 1900. + +.. cfgcmd:: set service ids ddos-protection direction [in | out] + + Configure direction for processing traffic. + +.. cfgcmd:: set service ids ddos-protection exclude-network <x.x.x.x/x> +.. cfgcmd:: set service ids ddos-protection exlude-network <h:h:h:h:h:h:h:h/x> + + Specify IPv4 and/or IPv6 networks which are going to be excluded. + +.. cfgcmd:: set service ids ddos-protection listen-interface <text> + + Configure listen interface for mirroring traffic. + +.. cfgcmd:: set service ids ddos-protection mode [mirror | sflow] + + Configure traffic capture mode. + +.. cfgcmd:: set service ids ddos-protection network <x.x.x.x/x> +.. cfgcmd:: set service ids ddos-protection network <h:h:h:h:h:h:h:h/x> + + Specify IPv4 and/or IPv6 networks that should be protected/monitored. + +.. cfgcmd:: set service ids ddos-protection sflow listen-address <x.x.x.x> + + Configure local IPv4 address to listen for sflow. + +.. cfgcmd:: set service ids ddos-protection sflow port <1-65535> + + Configure port number to be used for sflow conection. Default port is 6343. + +.. cfgcmd:: set service ids ddos-protection threshold general + [fps | mbps | pps] <0-4294967294> + + Configure general threshold parameters. + +.. cfgcmd:: set service ids ddos-protection threshold icmp + [fps | mbps | pps] <0-4294967294> + + Configure ICMP threshold parameters. + +.. cfgcmd:: set service ids ddos-protection threshold tcp + [fps | mbps | pps] <0-4294967294> + + Configure TCP threshold parameters + +.. cfgcmd:: set service ids ddos-protection threshold udp + [fps | mbps | pps] <0-4294967294> + + Configure UDP threshold parameters + +Example +======= + +A configuration example can be found in this section. +In this simplified scenario, main things to be considered are: + + * Network to be protected: 192.0.2.0/24 (public IPs use by + customers) + + * **ban-time** and **threshold**: these values are kept very low in order + to easily identify and generate and attack. + + * Direction: **in** and **out**. Protect public network from external + attacks, and identify internal attacks towards internet. + + * Interface **eth0** used to connect to upstream. + +Since we are analyzing attacks to and from our internal network, two types +of attacks can be identified, and differents actions are needed: + + * External attack: an attack from the internet towards an internal IP + is identify. In this case, all connections towards such IP will be + blocked + + * Internal attack: an attack from the internal network (generated by a + customer) towards the internet is identify. In this case, all connections + from this particular IP/Customer will be blocked. + + +So, firewall configuration needed for this setup: + +.. code-block:: none + + set firewall group address-group FNMS-DST-Block + set firewall group address-group FNMS-SRC-Block + + set firewall ipv4 forward filter rule 10 action 'drop' + set firewall ipv4 forward filter rule 10 description 'FNMS - block destination' + set firewall ipv4 forward filter rule 10 destination group address-group 'FNMS-DST-Block' + + set firewall ipv4 forward filter rule 20 action 'drop' + set firewall ipv4 forward filter rule 20 description 'FNMS - Block source' + set firewall ipv4 forward filter rule 20 source group address-group 'FNMS-SRC-Block' + +Then, FastNetMon configuration: + +.. code-block:: none + + set service ids ddos-protection alert-script '/config/scripts/fnm-alert.sh' + set service ids ddos-protection ban-time '10' + set service ids ddos-protection direction 'in' + set service ids ddos-protection direction 'out' + set service ids ddos-protection listen-interface 'eth0' + set service ids ddos-protection mode 'mirror' + set service ids ddos-protection network '192.0.2.0/24' + set service ids ddos-protection threshold general pps '100' + +And content of the script: + +.. code-block:: none + + #!/bin/bash + + # alert-script is called twice. + # When an attack occurs, the program calls a bash script twice: + # 1st time when threshold exceed + # 2nd when we collect 100 packets for detailed audit of what happened. + + # Do nothing if “attack_details” is passed as an argument + if [ "${4}" == "attack_details" ]; then + # Do nothing + exit + fi + # Arguments: + ip=$1 + direction=$2 + pps_rate=$3 + action=$4 + + logger -t FNMS "** Start - Running alert script **" + + if [ "${direction}" == "incoming" ] ; then + group="FNMS-DST-Block" + origin="external" + else + group="FNMS-SRC-Block" + origin="internal" + fi + + if [ "${action}" == "ban" ] ; then + logger -t FNMS "Attack detected for IP ${ip} and ${direction} direction from ${origin} network. Need to block IP address." + logger -t FNMS "Adding IP address ${ip} to firewall group ${group}." + sudo nft add element ip vyos_filter A_${group} { ${ip} } + else + logger -t FNMS "Timeout for IP ${ip}, removing it from group ${group}." + sudo nft delete element ip vyos_filter A_${group} { ${ip} } + fi + logger -t FNMS "** End - Running alert script **" + exit diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst index 1195348f..56ce55eb 100644 --- a/docs/configuration/service/index.rst +++ b/docs/configuration/service/index.rst @@ -13,7 +13,9 @@ Service dhcp-relay dhcp-server dns + eventhandler https + ids ipoe-server lldp mdns @@ -26,4 +28,4 @@ Service ssh tftp-server webproxy - eventhandler + diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index c219a063..64048552 100644 --- a/docs/configuration/service/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst @@ -1,5 +1,3 @@ -.. include:: /_include/need_improvement.txt - .. _ipoe_server: ########### @@ -24,8 +22,9 @@ functionality as PPPoE, but in a less robust manner. will restart the ppp daemon and will reset existing IPoE sessions, in order to become effective. -Configuration -============= +*********************** +Configuring IPoE Server +*********************** IPoE can be configure on different interfaces, it will depend on each specific situation which interface will provide IPoE to clients. The clients mac address @@ -39,156 +38,413 @@ the configuration. .. code-block:: none - set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 - set service ipoe-server authentication mode 'local' - set service ipoe-server name-server '10.10.1.1' - set service ipoe-server name-server '10.10.1.2' - set service ipoe-server interface eth2 client-subnet '192.168.0.0/24' + set interfaces ethernet eth1 address '192.168.0.1/24' + set service ipoe-server authentication interface eth1.100 mac 00:50:79:66:68:00 + set service ipoe-server authentication interface eth1.101 mac 00:50:79:66:68:01 + set service ipoe-server authentication mode 'local' + set service ipoe-server client-ip-pool IPOE-POOL range '192.168.0.2-192.168.0.254' + set service ipoe-server default-pool 'IPOE-POOL' + set service ipoe-server gateway-address '192.168.0.1/24' + set service ipoe-server interface eth1 mode 'l2' + set service ipoe-server interface eth1 network 'vlan' + set service ipoe-server interface eth1 vlan '100-200' -The first address of the parameter ``client-subnet``, will be used as the -default gateway. Connected sessions can be checked via the ``show ipoe-server -sessions`` command. +.. cfgcmd:: set service ipoe-server authentication interface <interface> mac <MAC> -.. code-block:: none + Creates local IPoE user with username=**<interface>** and + password=**<MAC>** (mac-address) - vyos@vyos:~$ show ipoe-server sessions +.. cfgcmd:: set service ipoe-server authentication mode <local | radius> - ifname | called-sid | calling-sid | ip | ip6 | ip6-dp | rate-limit | state | uptime | sid - -------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------ - ipoe0 | eth2 | 08:00:27:2f:d8:06 | 192.168.0.2 | | | | active | 00:45:05 | dccc870fd3134612 + Set authentication backend. The configured authentication backend is used + for all queries. + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + * **noauth**: Authentication disabled -IPv6 SLAAC and IA-PD --------------------- +.. cfgcmd:: set service ipoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> -To configure IPv6 assignments for clients, two options need to be configured. -A global prefix which is terminated on the clients cpe and a delegated prefix, -the client can use for devices routed via the clients cpe. + Use this command to define the first IP address of a pool of + addresses to be given to IPoE clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. -IPv6 DNS addresses are optional. +.. cfgcmd:: set service ipoe-server default-pool <POOL-NAME> -.. code-block:: none + Use this command to define default address pool name. + +.. cfgcmd:: set service ipoe-server gateway-address <x.x.x.x/x> + + Specifies address to be used as server ip address if radius can assign + only client address. In such case if client address is matched network + and mask then specified address and mask will be used. You can specify + multiple such options. + +.. cfgcmd:: set service ipoe-server interface <interface> mode <l2 | l3> - set service ipoe-server authentication interface eth3 mac 08:00:27:2F:D8:06 - set service ipoe-server authentication mode 'local' - set service ipoe-server client-ipv6-pool delegate '2001:db8:1::/48' delegation-prefix '56' - set service ipoe-server client-ipv6-pool prefix '2001:db8::/48' mask '64' - set service ipoe-server name-server '2001:db8::' - set service ipoe-server name-server '2001:db8:aaa::' - set service ipoe-server name-server '2001:db8:bbb::' - set service ipoe-server interface eth3 client-subnet '192.168.1.0/24' + Set authentication backend. The configured authentication backend is used + for all queries. + + * **l2**: It means that clients are on same network where interface + is.**(default)** + * **local**: It means that client are behind some router. + +.. cfgcmd:: set service ipoe-server interface <interface> network <shared | vlan> + + Specify where interface is shared by multiple users or it is vlan-per-user. + + * **shared**: Multiple clients share the same network. **(default)** + * **vlan**: One VLAN per client. .. code-block:: none - vyos@ipoe-server# run sh ipoe-server sessions - ifname | called-sid | calling-sid | ip | ip6 | ip6-dp | rate-limit | state | uptime | sid - -------+------------+-------------------+-------------+---------------------------------+-----------------+------------+--------+----------+------------------ - ipoe0 | eth3 | 08:00:27:2f:d8:06 | 192.168.1.2 | 2001:db8::a00:27ff:fe2f:d806/64 | 2001:db8:1::/56 | | active | 01:02:59 | 4626faf71b12cc25 + vyos@vyos:~$ show ipoe-server sessions + ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime + --------+----------+-------------------+-------------+------------+------+------+--------+---------- + ipoe0 | eth1.100 | 00:50:79:66:68:00 | 192.168.0.2 | | ipoe | | active | 00:04:55 + ipoe1 | eth1.101 | 00:50:79:66:68:01 | 192.168.0.3 | | ipoe | | active | 00:04:44 -The clients :abbr:`CPE (Customer Premises Equipment)` can now communicate via -IPv4 or IPv6. All devices behind ``2001:db8::a00:27ff:fe2f:d806/64`` can use -addresses from ``2001:db8:1::/56`` and can globally communicate without the -need of any NAT rules. -Automatic VLAN creation ------------------------ +********************************* +Configuring RADIUS authentication +********************************* -To create VLANs per user during runtime, the following settings are required on -a per interface basis. VLAN ID and VLAN range can be present in the -configuration at the same time. +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. .. code-block:: none - set service ipoe-server interface eth2 network vlan - set service ipoe-server interface eth2 vlan-id 100 - set service ipoe-server interface eth2 vlan-id 200 - set service ipoe-server interface eth2 vlan-range 1000-2000 - set service ipoe-server interface eth2 vlan-range 2500-2700 + set service ipoe-server authentication mode radius -RADIUS Setup ------------- +.. cfgcmd:: set service ipoe-server authentication radius server <server> key <secret> -To use a RADIUS server for authentication and bandwidth-shaping, the following -example configuration can be used. + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. + +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: .. code-block:: none - set service ipoe-server authentication mode 'radius' - set service ipoe-server authentication radius server 10.100.100.1 key 'password' + set service ipoe-server authentication radius server 10.0.0.1 key 'foo' + set service ipoe-server authentication radius server 10.0.0.2 key 'foo' -Bandwidth Shaping -================= +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -Bandwidth rate limits can be set for local users within the configuration or -via RADIUS based attributes. +RADIUS source address +===================== -Bandwidth Shaping for local users ---------------------------------- +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. -The rate-limit is set in kbit/sec. +.. cfgcmd:: set service ipoe-server authentication radius source-address <address> -.. code-block:: none + Source IPv4 address used in all RADIUS server queires. + +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. + +RADIUS advanced options +======================= + +.. cfgcmd:: set service ipoe-server authentication radius server <server> port <port> + + Configure RADIUS `<server>` and its required port for authentication requests. + +.. cfgcmd:: set service ipoe-server authentication radius server <server> fail-time <time> + + Mark RADIUS server as offline for this given `<time>` in seconds. + +.. cfgcmd:: set service ipoe-server authentication radius server <server> disable + + Temporary disable this RADIUS server. + +.. cfgcmd:: set service ipoe-server authentication radius acct-timeout <timeout> + + Timeout to wait reply for Interim-Update packets. (default 3 seconds) + +.. cfgcmd:: set service ipoe-server authentication radius dynamic-author server <address> + + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set service ipoe-server authentication radius dynamic-author port <port> + + Port for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set service ipoe-server authentication radius dynamic-author key <secret> + + Secret for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set service ipoe-server authentication radius max-try <number> + + Maximum number of tries to send Access-Request/Accounting-Request queries + +.. cfgcmd:: set service ipoe-server authentication radius timeout <timeout> + + Timeout to wait response from server (seconds) + +.. cfgcmd:: set service ipoe-server authentication radius nas-identifier <identifier> + + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. + +.. cfgcmd:: set service ipoe-server authentication radius nas-ip-address <address> + + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. + +.. cfgcmd:: set service ipoe-server authentication radius source-address <address> + + Source IPv4 address used in all RADIUS server queires. + +.. cfgcmd:: set service ipoe-server authentication radius rate-limit attribute <attribute> + + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is `Filter-Id`. + +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. + +.. cfgcmd:: set service ipoe-server authentication radius rate-limit enable + + Enables bandwidth shaping via RADIUS. + +.. cfgcmd:: set service ipoe-server authentication radius rate-limit vendor + + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. + +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. - set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 rate-limit download '500' - set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 rate-limit upload '500' - set service ipoe-server authentication mode 'local' - set service ipoe-server name-server '10.10.1.1' - set service ipoe-server name-server '10.10.1.2' - set service ipoe-server interface eth2 client-subnet '192.168.0.0/24' +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +**** +IPv6 +**** + +.. cfgcmd:: set service ipoe-server client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> + + Use this comand to set the IPv6 address pool from which an IPoE client + will get an IPv6 prefix of your defined length (mask) to terminate the + IPoE endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. + +.. cfgcmd:: set service ipoe-server client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> + + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + IPoE. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. + +.. cfgcmd:: set service ipoe-server default-ipv6-pool <IPv6-POOL-NAME> + + Use this command to define default IPv6 address pool name. .. code-block:: none - vyos@vyos# run show ipoe-server sessions + set service ipoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set service ipoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set service ipoe-server default-ipv6-pool IPv6-POOL + +********* +Scripting +********* + +.. cfgcmd:: set service ipoe-server extended-scripts on-change <path_to_script> + + Script to run when session interface changed by RADIUS CoA handling + +.. cfgcmd:: set service ipoe-server extended-scripts on-down <path_to_script> + + Script to run when session interface going to terminate + +.. cfgcmd:: set service ipoe-server extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set service ipoe-server extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set service ipoe-server authentication interface <interface> mac <MAC> vlan + <vlan-id> + + VLAN monitor for automatic creation of VLAN interfaces for specific user on specific <interface> + +.. cfgcmd:: set service ipoe-server authentication interface <interface> mac <MAC> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for user on interface `<interface>`. + +.. cfgcmd:: set service ipoe-server authentication interface <interface> mac <MAC> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for for user on interface `<interface>`. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set service ipoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. - ifname | called-sid | calling-sid | ip | ip6 | ip6-dp | rate-limit | state | uptime | sid - -------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------ - ipoe0 | eth2 | 08:00:27:2f:d8:06 | 192.168.0.2 | | | 500/500 | active | 00:00:05 | dccc870fd31349fb +Advanced Interface Options +============================== -Example -======= +.. cfgcmd:: set service ipoe-server interface <interface> client-subnet <x.x.x.x/x> -* IPoE server will listen on interfaces eth1.50 and eth1.51 -* There are rate-limited and non rate-limited users (MACs) + Specify local range of ip address to give to dhcp clients. First IP in range is router IP. + If you need more customization use `client-ip-pool` -Server configuration --------------------- +.. cfgcmd:: set service ipoe-server interface <interface> external-dhcp dhcp-relay <x.x.x.x> + + Specify DHCPv4 relay IP address to pass requests to. If specified giaddr is also needed. + +.. cfgcmd:: set service ipoe-server interface <interface> external-dhcp giaddr <x.x.x.x> + + Specifies relay agent IP addre + + +Global Advanced options +======================= + +.. cfgcmd:: set service ipoe-server description <description> + + Set description. + +.. cfgcmd:: set service ipoe-server limits burst <value> + + Burst count + +.. cfgcmd:: set service ipoe-server limits connection-limit <value> + + Acceptable rate of connections (e.g. 1/min, 60/sec) + +.. cfgcmd:: set service ipoe-server limits timeout <value> + + Timeout in seconds + +.. cfgcmd:: set service ipoe-server max-concurrent-sessions + + Maximum number of concurrent session start attempts + +.. cfgcmd:: set service ipoe-server name-server <address> + + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. + +.. cfgcmd:: set service ipoe-server shaper fwmark <1-2147483647> + + Match firewall mark value + +.. cfgcmd:: set service ipoe-server snmp master-agent + + Enable SNMP + +********** +Monitoring +********** + +.. opcmd:: show ipoe-server sessions + + Use this command to locally check the active sessions in the IPoE + server. .. code-block:: none - set interfaces dummy dum1000 address 100.64.0.1/32 - set interfaces dummy dum1000 address 2001:db8::1/128 + vyos@vyos:~$ show ipoe-server sessions + ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime + ----------+----------+-------------------+-------------+------------+------+------+--------+---------- + eth1.100 | eth1.100 | 0c:98:bd:b8:00:01 | 192.168.0.3 | | ipoe | | active | 03:03:58 - set interfaces ethernet eth1 description 'IPoE' - set interfaces ethernet eth1 vif 50 - set interfaces ethernet eth1 vif 51 +.. code-block:: none - set service ipoe-server authentication interface eth1.50 mac 00:0c:29:b7:49:a7 - set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit download '5000' - set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit upload '5000' - set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit download '50000' - set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit upload '50000' - set service ipoe-server authentication mode 'local' - - set service ipoe-server client-ipv6-pool delegate 2001:db8:ffff::/48 delegation-prefix '56' - set service ipoe-server client-ipv6-pool prefix 2001:db8:fffe::/48 mask '64' - set service ipoe-server interface eth1.50 client-subnet '100.64.50.0/24' - set service ipoe-server interface eth1.50 mode 'l2' - set service ipoe-server interface eth1.51 client-subnet '100.64.51.0/24' - set service ipoe-server interface eth1.51 mode 'l2' - set service ipoe-server name-server '100.64.0.1' - set service ipoe-server name-server '2001:db8::1' - -Client configuration --------------------- + vyos@vyos:~$ show ipoe-server statistics + uptime: 0.03:31:36 + cpu: 0% + mem(rss/virt): 6044/101360 kB + core: + mempool_allocated: 148628 + mempool_available: 144748 + thread_count: 1 + thread_active: 1 + context_count: 10 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 6 + md_handler_pending: 0 + timer_count: 1 + timer_pending: 0 + sessions: + starting: 0 + active: 1 + finishing: 0 + ipoe: + starting: 0 + active: 1 + delayed: 0 + +************** +Toubleshooting +************** .. code-block:: none - set interfaces ethernet eth0 mac '00:0c:29:b7:49:a7' + vyos@vyos:~$sudo journalctl -u accel-ppp@ipoe -b 0 - set interfaces ethernet eth0 vif 50 address 'dhcp' - set interfaces ethernet eth0 vif 50 address 'dhcpv6' - set interfaces ethernet eth0 vif 50 dhcpv6-options pd 0 interface eth1 sla-id '1' + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:: recv [DHCPv4 Discover xid=55df9228 chaddr=0c:98:bd:b8:00:01 <Message-Type Discover> <Request-IP 192.168.0.3> <Host-Name vyos> <Request-List Subnet,Broadcast,Router,DNS,Classless-Route,Domain-Name,MTU>] + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: eth1.100: authentication succeeded + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: send [DHCPv4 Offer xid=55df9228 yiaddr=192.168.0.4 chaddr=0c:98:bd:b8:00:01 <Message-Type Offer> <Server-ID 192.168.0.1> <Lease-Time 600> <T1 300> <T2 525> <Router 192.168.0.1> <Subnet 255.255.255.0>] + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: recv [DHCPv4 Request xid=55df9228 chaddr=0c:98:bd:b8:00:01 <Message-Type Request> <Server-ID 192.168.0.1> <Request-IP 192.168.0.4> <Host-Name vyos> <Request-List Subnet,Broadcast,Router,DNS,Classless-Route,Domain-Name,MTU>] + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: ipoe: activate session + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: ipoe: no free IPv6 address + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: ipoe: session started + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: send [DHCPv4 Ack xid=55df9228 yiaddr=192.168.0.4 chaddr=0c:98:bd:b8:00:01 <Message-Type Ack> <Server-ID 192.168.0.1> <Lease-Time 600> <T1 300> <T2 525> <Router 192.168.0.1> <Subnet 255.255.255.0>] .. include:: /_include/common-references.txt +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
\ No newline at end of file diff --git a/docs/configuration/service/lldp.rst b/docs/configuration/service/lldp.rst index aa357211..12a9e0b6 100644 --- a/docs/configuration/service/lldp.rst +++ b/docs/configuration/service/lldp.rst @@ -54,7 +54,7 @@ Configuration Disable transmit of LLDP frames on given `<interface>`. Useful to exclude certain interfaces from LLDP when ``all`` have been enabled. -.. cfgcmd:: set service lldp snmp enable +.. cfgcmd:: set service lldp snmp Enable SNMP queries of the LLDP database diff --git a/docs/configuration/service/monitoring.rst b/docs/configuration/service/monitoring.rst index 0aa93e71..245af067 100644 --- a/docs/configuration/service/monitoring.rst +++ b/docs/configuration/service/monitoring.rst @@ -109,11 +109,11 @@ Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided. Telegraf is the open source server agent to help you collect metrics, events and logs from your routers. -.. cfgcmd:: set service monitoring telegraf authentication organization <organization> +.. cfgcmd:: set service monitoring telegraf influxdb authentication organization <organization> Authentication organization name -.. cfgcmd:: set service monitoring telegraf authentication token <token> +.. cfgcmd:: set service monitoring telegraf influxdb authentication token <token> Authentication token @@ -121,11 +121,11 @@ and logs from your routers. Remote ``InfluxDB`` bucket name -.. cfgcmd:: set service monitoring port <port> +.. cfgcmd:: set service monitoring telegraf influxdb port <port> Remote port -.. cfgcmd:: set service monitoring telegraf url <url> +.. cfgcmd:: set service monitoring telegraf influxdb url <url> Remote URL @@ -138,12 +138,11 @@ An example of a configuration that sends ``telegraf`` metrics to remote .. code-block:: none - set service monitoring telegraf authentication organization 'vyos' - set service monitoring telegraf authentication token 'ZAml9Uy5wrhA...==' - set service monitoring telegraf bucket 'bucket_vyos' - set service monitoring telegraf port '8086' - set service monitoring telegraf source 'all' - set service monitoring telegraf url 'http://r1.influxdb2.local' + set service monitoring telegraf influxdb authentication organization 'vyos' + set service monitoring telegraf influxdb authentication token 'ZAml9Uy5wrhA...==' + set service monitoring telegraf influxdb bucket 'bucket_vyos' + set service monitoring telegraf influxdb port '8086' + set service monitoring telegraf influxdb url 'http://r1.influxdb2.local' .. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer .. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client diff --git a/docs/configuration/service/ntp.rst b/docs/configuration/service/ntp.rst index 08be047c..e7ee392b 100644 --- a/docs/configuration/service/ntp.rst +++ b/docs/configuration/service/ntp.rst @@ -81,4 +81,33 @@ Configuration .. cfgcmd:: set service ntp vrf <name> - Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. + Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. + +.. cfgcmd:: set service ntp leap-second [ignore|smear|system|timezone] + + Define how to handle leaf-seonds. + + * `ignore`: No correction is applied to the clock for the leap second. The + clock will be corrected later in normal operation when new measurements are + made and the estimated offset includes the one second error. + + * `smear`: When smearing a leap second, the leap status is suppressed on the + server and the served time is corrected slowly by slewing instead of + stepping. The clients do not need any special configuration as they do not + know there is any leap second and they follow the server time which + eventually brings them back to UTC. Care must be taken to ensure they use + only NTP servers which smear the leap second in exactly the same way for + synchronisation. + + * `system`: When inserting a leap second, the kernel steps the system clock + backwards by one second when the clock gets to 00:00:00 UTC. When deleting + a leap second, it steps forward by one second when the clock gets to + 23:59:59 UTC. + + * `timezone`: This directive specifies a timezone in the system timezone + database which chronyd can use to determine when will the next leap second + occur and what is the current offset between TAI and UTC. It will + periodically check if 23:59:59 and 23:59:60 are valid times in the + timezone. This normally works with the right/UTC timezone which is the + default + diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index a230d9fe..99b3fbb5 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -13,13 +13,20 @@ be used with local authentication or a connected RADIUS server. changes/commits will restart the ppp daemon and will reset existing PPPoE connections from connected users, in order to become effective. -Configuration -============= +************************ +Configuring PPPoE Server +************************ +.. code-block:: none -First steps ------------ - + set service pppoe-server access-concentrator PPPoE-Server + set service pppoe-server authentication mode local + set service pppoe-server authentication local-users username test password 'test' + set service pppoe-server client-ip-pool PPPOE-POOL range 192.168.255.2-192.168.255.254 + set service pppoe-server default-pool 'PPPOE-POOL' + set service pppoe-server outside-address 192.0.2.2 + set service pppoe-server gateway-address 192.168.255.1 + set service pppoe-server interface eth0 .. cfgcmd:: set service pppoe-server access-concentrator <name> @@ -28,14 +35,30 @@ First steps .. cfgcmd:: set service pppoe-server authentication mode <local | radius> - Use this command to define whether your PPPoE clients will locally - authenticate in your VyOS system or in RADIUS server. + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + * **noauth**: Authentication disabled. .. cfgcmd:: set service pppoe-server authentication local-users username <name> password <password> - Use this command to configure the username and the password of a - locally configured user. + Create `<user>` for local authentication on this system. The users password + will be set to `<pass>`. + +.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> + + Use this command to define the first IP address of a pool of + addresses to be given to pppoe clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set service pppoe-server default-pool <POOL-NAME> + + Use this command to define default address pool name. .. cfgcmd:: set service pppoe-server interface <interface> @@ -44,124 +67,170 @@ First steps .. cfgcmd:: set service pppoe-server gateway-address <address> - Use this command to configure the local gateway IP address. + Specifies single `<gateway>` IP address to be used as local address of PPP + interfaces. -.. cfgcmd:: set service pppoe-server name-server <address> - Use this command to set the IPv4 or IPv6 address of every Doman Name - Server you want to configure. They will be propagated to PPPoE - clients. +********************************* +Configuring RADIUS authentication +********************************* +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. -Client Address Pools --------------------- +.. code-block:: none -To automatically assign the client an IP address as tunnel endpoint, a -client IP pool is needed. The source can be either RADIUS or a -named pool. There is possibility to create multiple named pools. -Each named pool can include only one address range. To use multiple -address ranges configure ``next-pool`` option. + set service pppoe-server authentication mode radius +.. cfgcmd:: set service pppoe-server authentication radius server <server> key <secret> -**Client IP address via IP range definition** + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. -.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: - Use this command to define the IP address range to be given - to PPPoE clients. If notation ``x.x.x.x-x.x.x.x``, - it must be within a /24 subnet. If notation ``x.x.x.x/x`` is - used there is possibility to set host/netmask. +.. code-block:: none -.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + set service pppoe-server authentication radius server 10.0.0.1 key 'foo' + set service pppoe-server authentication radius server 10.0.0.2 key 'foo' - Use this command to define the next address pool name. +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -.. cfgcmd:: set service pppoe-server default-pool <POOL-NAME> +RADIUS source address +===================== - Use this command to define default address pool name. +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius source-address <address> - set service pppoe-server client-ip-pool IP-POOL next-pool 'IP-POOL2' - set service pppoe-server client-ip-pool IP-POOL range '10.0.10.5/24' - set service pppoe-server client-ip-pool IP-POOL2 range '10.0.0.10-10.0.0.12' - set service pppoe-server default-pool 'IP-POOL' + Source IPv4 address used in all RADIUS server queires. +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. -**RADIUS based IP pools (Framed-IP-Address)** +RADIUS advanced options +======================= -To use a radius server, you need to switch to authentication mode RADIUS -and then configure it. +.. cfgcmd:: set service pppoe-server authentication radius server <server> port <port> -.. cfgcmd:: set service pppoe-server authentication radius server <address> - key <secret> + Configure RADIUS `<server>` and its required port for authentication requests. - Use this command to configure the IP address and the shared secret - key of your RADIUS server. You can have multiple RADIUS servers - configured if you wish to achieve redundancy. +.. cfgcmd:: set service pppoe-server authentication radius server <server> fail-time <time> + Mark RADIUS server as offline for this given `<time>` in seconds. -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius server <server> disable - set service pppoe-server access-concentrator 'ACN' - set service pppoe-server authentication mode 'radius' - set service pppoe-server authentication radius server 10.1.100.1 key 'secret' - set service pppoe-server interface 'eth1' - set service pppoe-server gateway-address '10.1.1.2' + Temporary disable this RADIUS server. -RADIUS provides the IP addresses in the example above via -Framed-IP-Address. +.. cfgcmd:: set service pppoe-server authentication radius acct-timeout <timeout> -**RADIUS sessions management DM/CoA** + Timeout to wait reply for Interim-Update packets. (default 3 seconds) -.. cfgcmd:: set service pppoe-server authentication radius dynamic-author - <key | port | server> +.. cfgcmd:: set service pppoe-server authentication radius dynamic-author server <address> - Use this command to configure Dynamic Authorization Extensions to - RADIUS so that you can remotely disconnect sessions and change some - authentication parameters. + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius dynamic-author port <port> - set service pppoe-server authentication radius dynamic-author key 'secret123' - set service pppoe-server authentication radius dynamic-author port '3799' - set service pppoe-server authentication radius dynamic-author server '10.1.1.2' + Port for Dynamic Authorization Extension server (DM/CoA) +.. cfgcmd:: set service pppoe-server authentication radius dynamic-author key <secret> -Example, from radius-server send command for disconnect client with -username test + Secret for Dynamic Authorization Extension server (DM/CoA) -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius max-try <number> - root@radius-server:~# echo "User-Name=test" | radclient -x 10.1.1.2:3799 - disconnect secret123 + Maximum number of tries to send Access-Request/Accounting-Request queries -You can also use another attributes for identify client for disconnect, -like Framed-IP-Address, Acct-Session-Id, etc. Result commands appears in -log. +.. cfgcmd:: set service pppoe-server authentication radius timeout <timeout> -.. code-block:: none + Timeout to wait response from server (seconds) - show log | match Disconnect* +.. cfgcmd:: set service pppoe-server authentication radius nas-identifier <identifier> -Example for changing rate-limit via RADIUS CoA. + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius nas-ip-address <address> + + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. + +.. cfgcmd:: set service pppoe-server authentication radius source-address <address> - echo "User-Name=test,Filter-Id=5000/4000" | radclient 10.1.1.2:3799 coa - secret123 + Source IPv4 address used in all RADIUS server queires. -Filter-Id=5000/4000 (means 5000Kbit down-stream rate and 4000Kbit -up-stream rate) If attribute Filter-Id redefined, replace it in RADIUS -CoA request. +.. cfgcmd:: set service pppoe-server authentication radius rate-limit attribute <attribute> + + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is ``Filter-Id``. + +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. + +.. cfgcmd:: set service pppoe-server authentication radius rate-limit enable + Enables bandwidth shaping via RADIUS. + +.. cfgcmd:: set service pppoe-server authentication radius rate-limit vendor + + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. + +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +Renaming clients interfaces by RADIUS +===================================== + +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. + +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. + + +*********************** Automatic VLAN Creation ------------------------ +*********************** .. cfgcmd:: set service pppoe-server interface <interface> vlan <id | range> VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module - named `vlan_mon`, which is monitoring incoming vlans and creates the + named ``vlan_mon``, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed. VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface. @@ -177,21 +246,26 @@ Automatic VLAN Creation set service pppoe-server interface eth3 vlan 500-1000 set service pppoe-server interface eth3 vlan 2000-3000 - +***************** Bandwidth Shaping ------------------ +***************** Bandwidth rate limits can be set for local users or RADIUS based attributes. For Local Users -^^^^^^^^^^^^^^^ +=============== + +.. cfgcmd:: set service pppoe-server authentication local-users username <user> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set service pppoe-server authentication local-users username <user> rate-limit + upload <bandwidth> -.. cfgcmd:: set service pppoe-server authentication local-users username <name> - rate-limit <download | upload> + Upload bandwidth limit in kbit/s for `<user>`. - Use this command to configure a data-rate limit to PPPOoE clients for - traffic download or upload. The rate-limit is set in kbit/sec. .. code-block:: none @@ -209,7 +283,7 @@ For Local Users Once the user is connected, the user session is using the set limits and -can be displayed via 'show pppoe-server sessions'. +can be displayed via ``show pppoe-server sessions``. .. code-block:: none @@ -220,9 +294,9 @@ can be displayed via 'show pppoe-server sessions'. For RADIUS users -^^^^^^^^^^^^^^^^ +================ -The current attribute 'Filter-Id' is being used as default and can be +The current attribute ``Filter-Id`` is being used as default and can be setup within RADIUS: Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit @@ -238,9 +312,9 @@ setup and is working. Other attributes can be used, but they have to be in one of the dictionaries in */usr/share/accel-ppp/radius*. - +************** Load Balancing --------------- +************** .. cfgcmd:: set service pppoe-server pado-delay <number-of-ms> @@ -262,63 +336,222 @@ allows other PPPoE servers send PADO faster and clients will connect to other servers. Last command says that this PPPoE server can serve only 3000 clients. - +**** IPv6 ----- +**** -IPv6 client's prefix assignment -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +.. cfgcmd:: set service pppoe-server ppp-options ipv6 <require | prefer | allow | deny> -.. cfgcmd:: set service pppoe-server client-ipv6-pool prefix <address> - mask <number-of-bits> + Specifies IPv6 negotiation preference. - Use this comand to set the IPv6 address pool from which a PPPoE - client will get an IPv6 prefix of your defined length (mask) to - terminate the PPPoE endpoint at their side. The mask length can be - set from 48 to 128 bit long, the default value is 64. + * **require** - Require IPv6 negotiation + * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv6 only if client requests + * **deny** - Do not negotiate IPv6 (default value) +.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> -IPv6 Prefix Delegation -^^^^^^^^^^^^^^^^^^^^^^ + Use this comand to set the IPv6 address pool from which an PPPoE client + will get an IPv6 prefix of your defined length (mask) to terminate the + PPPoE endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. -.. cfgcmd:: set service pppoe-server client-ipv6-pool delegate <address> +.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> delegate <address> delegation-prefix <number-of-bits> - Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You - will have to set your IPv6 pool and the length of the delegation - prefix. From the defined IPv6 pool you will be handing out networks - of the defined length (delegation-prefix). The length of the - delegation prefix can be set from 32 to 64 bit long. + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + PPPoE. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. +.. cfgcmd:: set service pppoe-server default-ipv6-pool <IPv6-POOL-NAME> -Maintenance mode -================ + Use this command to define default IPv6 address pool name. + +.. code-block:: none + + set service pppoe-server ppp-options ipv6 allow + set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server default-ipv6-pool IPv6-POOL + +IPv6 Advanced Options +===================== +.. cfgcmd:: set service pppoe-server ppp-options ipv6-accept-peer-interface-id + + Accept peer interface identifier. By default is not defined. + +.. cfgcmd:: set service pppoe-server ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies fixed or random interface identifier for IPv6. + By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + +.. cfgcmd:: set service pppoe-server ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies peer interface identifier for IPv6. By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + * **ipv4-addr** - Calculate interface identifier from IPv4 address. + * **calling-sid** - Calculate interface identifier from calling-station-id. + +********* +Scripting +********* -.. opcmd:: set pppoe-server maintenance-mode <enable | disable> +.. cfgcmd:: set service pppoe-server extended-scripts on-change <path_to_script> - For network maintenance, it's a good idea to direct users to a backup - server so that the primary server can be safely taken out of service. - It's possible to switch your PPPoE server to maintenance mode where - it maintains already established connections, but refuses new - connection attempts. + Script to run when session interface changed by RADIUS CoA handling +.. cfgcmd:: set service pppoe-server extended-scripts on-down <path_to_script> -Checking connections + Script to run when session interface going to terminate + +.. cfgcmd:: set service pppoe-server extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set service pppoe-server extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set service pppoe-server authentication local-users username <user> disable + + Disable `<user>` account. + +.. cfgcmd:: set service pppoe-server authentication local-users username <user> static-ip + <address> + + Assign static IP address to `<user>` account. + +.. cfgcmd:: set service pppoe-server authentication protocols + <pap | chap | mschap | mschap-v2> + + Require the peer to authenticate itself using one of the following protocols: + pap, chap, mschap, mschap-v2. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +PPP Advanced Options ==================== -.. opcmd:: show pppoe-server sessions +.. cfgcmd:: set service pppoe-server ppp-options disable-ccp - Use this command to locally check the active sessions in the PPPoE - server. + Disable Compression Control Protocol (CCP). + CCP is enabled by default. +.. cfgcmd:: set service pppoe-server ppp-options interface-cache <number> -.. code-block:: none + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. - show pppoe-server sessions - ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes - -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- - ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B +.. cfgcmd:: set service pppoe-server ppp-options ipv4 <require | prefer | allow | deny> + + Specifies IPv4 negotiation preference. + + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 + +.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-failure <number> + + Defines the maximum `<number>` of unanswered echo requests. Upon reaching the + value `<number>`, the session will be reset. Default value is **3**. + +.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-interval <interval> + + If this option is specified and is greater than 0, then the PPP module will + send LCP pings of the echo request every `<interval>` seconds. + Default value is **30**. + +.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-timeout + + Specifies timeout in seconds to wait for any peer activity. If this option + specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" + is not used. Default value is **0**. + +.. cfgcmd:: set service pppoe-server ppp-options min-mtu <number> + + Defines minimum acceptable MTU. If client will try to negotiate less then + specified MTU then it will be NAKed or disconnected if rejects greater MTU. + Default value is **100**. + +.. cfgcmd:: set service pppoe-server ppp-options mppe <require | prefer | deny> + + Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation + preference. + * **require** - ask client for mppe, if it rejects drop connection + * **prefer** - ask client for mppe, if it rejects don't fail. (Default value) + * **deny** - deny mppe + + Default behavior - don't ask client for mppe, but allow it if client wants. + Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy + attribute. + +.. cfgcmd:: set service pppoe-server ppp-options mru <number> + + Defines preferred MRU. By default is not defined. + +Global Advanced options +======================= + +.. cfgcmd:: set service pppoe-server description <description> + + Set description. + +.. cfgcmd:: set service pppoe-server limits burst <value> + + Burst count + +.. cfgcmd:: set service pppoe-server limits connection-limit <value> + + Acceptable rate of connections (e.g. 1/min, 60/sec) + +.. cfgcmd:: set service pppoe-server limits timeout <value> + + Timeout in seconds + +.. cfgcmd:: set service pppoe-server mtu + + Maximum Transmission Unit (MTU) (default: **1492**) + +.. cfgcmd:: set service pppoe-server max-concurrent-sessions + + Maximum number of concurrent session start attempts + +.. cfgcmd:: set service pppoe-server name-server <address> + + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. + +.. cfgcmd:: set service pppoe-server service-name <names> + + Specifies Service-Name to respond. If absent any Service-Name is + acceptable and client’s Service-Name will be sent back. Also possible + set multiple service-names: `sn1,sn2,sn3` Per default the user session is being replaced if a second authentication request succeeds. Such session requests can be either @@ -327,23 +560,48 @@ user in the latter case. If it is denied, the second session is being rejected even if the authentication succeeds, the user has to terminate its first session and can then authentication again. -.. code-block:: none +.. cfgcmd:: set service pppoe-server session-control + + * **disable**: Disables session control. + * **deny**: Deny second session authorization. + * **replace**: Terminate first session when second is authorized **(default)** + +.. cfgcmd:: set service pppoe-server shaper fwmark <1-2147483647> - vyos@# set service pppoe-server session-control - Possible completions: - disable Disables session control - deny Deny second session authorization + Match firewall mark value +.. cfgcmd:: set service pppoe-server snmp master-agent + Enable SNMP +.. cfgcmd:: set service pppoe-server wins-server <address> + Windows Internet Name Service (WINS) servers propagated to client + +********** +Monitoring +********** + +.. opcmd:: show pppoe-server sessions + + Use this command to locally check the active sessions in the PPPoE + server. + + +.. code-block:: none + + show pppoe-server sessions + ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- + ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B +******** Examples -======== +******** IPv4 ----- +==== The example below uses ACN as access-concentrator name, assigns an address from the pool 10.1.1.100-111, terminates at the local endpoint @@ -364,9 +622,9 @@ address from the pool 10.1.1.100-111, terminates at the local endpoint Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation --------------------------------------------------------- +======================================================== -The example below covers a dual-stack configuration via pppoe-server. +The example below covers a dual-stack configuration. .. code-block:: none @@ -374,8 +632,9 @@ The example below covers a dual-stack configuration via pppoe-server. set service pppoe-server authentication mode 'local' set service pppoe-server client-ip-pool IP-POOL range '192.168.0.1/24' set service pppoe-server default-pool 'IP-POOL' - set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56' - set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server default-ipv6-pool IPv6-POOL set service pppoe-server ppp-options ipv6 allow set service pppoe-server name-server '10.1.1.1' set service pppoe-server name-server '2001:db8:4860::8888' @@ -383,7 +642,7 @@ The example below covers a dual-stack configuration via pppoe-server. set service pppoe-server gateway-address '10.100.100.1' The client, once successfully authenticated, will receive an IPv4 and an -IPv6 /64 address to terminate the pppoe endpoint on the client side and +IPv6 /64 address to terminate the PPPoE endpoint on the client side and a /56 subnet for the clients internal use. .. code-block:: none @@ -394,3 +653,5 @@ a /56 subnet for the clients internal use. ppp0 | test | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 00:53:00:12:42:eb | | active | 00:00:49 | 875 B | 2.1 KiB .. include:: /_include/common-references.txt +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
\ No newline at end of file diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst index eb1a6844..f179153a 100644 --- a/docs/configuration/service/router-advert.rst +++ b/docs/configuration/service/router-advert.rst @@ -26,7 +26,7 @@ Supported interface types: Enabling Advertisments ~~~~~~~~~~~~~~~~~~~~~~~ -.. cfgcmd:: set service router-advert interface <interface> .... +.. cfgcmd:: set service router-advert interface <interface> ... .. stop_vyoslinter @@ -52,7 +52,11 @@ Enabling Advertisments Advertising a Prefix '''''''''''''''''''' -.. cfgcmd:: set service router-advert interface <interface> prefix 2001:DB8::/32 +.. cfgcmd:: set service router-advert interface <interface> prefix <prefix/mask> + + .. note:: You can also opt for using `::/64` as prefix for your :abbr:`RAs (Router + Advertisements)`. This will take the IPv6 GUA prefix assigned to the interface, + which comes in handy when using DHCPv6-PD. .. stop_vyoslinter diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst index 68a4f2b8..6ed5fef7 100644 --- a/docs/configuration/system/conntrack.rst +++ b/docs/configuration/system/conntrack.rst @@ -46,9 +46,23 @@ Configure | Use `delete system conntrack modules` to deactive all modules. | Or, for example ftp, `delete system conntrack modules ftp`. +.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836> + :defaultvalue: -Define Conection Timeouts -========================= + Set the maximum number of TCP half-open connections. + +.. cfgcmd:: set system conntrack tcp loose <enable | disable> + :defaultvalue: + + Policy to track previously established connections. + +.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647> + :defaultvalue: + + Set the number of TCP maximum retransmit attempts. + +Contrack Timeouts +================= VyOS supports setting timeouts for connections according to the connection type. You can set timeout values for generic connections, for ICMP @@ -82,34 +96,48 @@ states. Set the timeout in secounds for a protocol or state. - You can also define custom timeout values to apply to a specific subset of connections, based on a packet and flow selector. To do this, you need to create a rule defining the packet and flow selector. -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> description <test> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + description <test> Set a rule description. +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + destination address <ip-address> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + source address <ip-address> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination address <ip-address> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source address <ip-address> - - set a destination and/or source address. Accepted input: + Set a destination and/or source address. Accepted input for ipv4: .. code-block:: none - <x.x.x.x> IP address to match - <x.x.x.x/x> Subnet to match - <x.x.x.x>-<x.x.x.x> - IP range to match - !<x.x.x.x> Match everything except the specified address - !<x.x.x.x/x> Match everything except the specified subnet - !<x.x.x.x>-<x.x.x.x> - Match everything except the specified range - -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination port <value> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source port <value> + set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address + Possible completions: + <x.x.x.x> IPv4 address to match + <x.x.x.x/x> IPv4 prefix to match + <x.x.x.x>-<x.x.x.x> IPv4 address range to match + !<x.x.x.x> Match everything except the specified address + !<x.x.x.x/x> Match everything except the specified prefix + !<x.x.x.x>-<x.x.x.x> Match everything except the specified range + + set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address + Possible completions: + <h:h:h:h:h:h:h:h> IP address to match + <h:h:h:h:h:h:h:h/x> Subnet to match + <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h> + IP range to match + !<h:h:h:h:h:h:h:h> Match everything except the specified address + !<h:h:h:h:h:h:h:h/x> Match everything except the specified prefix + !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h> + Match everything except the specified range + +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + destination port <value> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + source port <value> Set a destination and/or source port. Accepted input: @@ -123,49 +151,58 @@ create a rule defining the packet and flow selector. The whole list can also be "negated" using '!'. For example: `!22,telnet,http,123,1001-1005`` - - -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp close <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp close-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp established <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp fin-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp last-ack <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp syn-recv <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp syn-sent <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp time-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol udp replied <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol udp unreplied <1-21474836> Set the timeout in secounds for a protocol or state in a custom rule. - -.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836> - :defaultvalue: - - Set the maximum number of TCP half-open connections. - -.. cfgcmd:: set system conntrack tcp loose <enable | disable> - :defaultvalue: - - Policy to track previously established connections. - -.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647> - :defaultvalue: - - Set the number of TCP maximum retransmit attempts. - -.. cfgcmd:: set system conntrack ignore rule <1-9999> description <text> -.. cfgcmd:: set system conntrack ignore rule <1-9999> destination address <ip-address> -.. cfgcmd:: set system conntrack ignore rule <1-9999> destination port <port> -.. cfgcmd:: set system conntrack ignore rule <1-9999> inbound-interface <interface> -.. cfgcmd:: set system conntrack ignore rule <1-9999> protocol <protocol> -.. cfgcmd:: set system conntrack ignore rule <1-9999> source address <ip-address> -.. cfgcmd:: set system conntrack ignore rule <1-9999> source port <port> +Conntrack ignore rules +====================== Customized ignore rules, based on a packet and flow selector. +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + description <text> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + destination address <ip-address> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + destination port <port> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + inbound-interface <interface> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + protocol <protocol> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + source address <ip-address> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + source port <port> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + tcp flags [not] <text> + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + +Conntrack log +============= + .. cfgcmd:: set system conntrack log icmp destroy .. cfgcmd:: set system conntrack log icmp new .. cfgcmd:: set system conntrack log icmp update diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst index bfda7747..dbb63d09 100644 --- a/docs/configuration/system/index.rst +++ b/docs/configuration/system/index.rst @@ -25,6 +25,7 @@ System sysctl task-scheduler time-zone + updates .. toctree:: diff --git a/docs/configuration/system/ip.rst b/docs/configuration/system/ip.rst index 0f45b7ca..279630e2 100644 --- a/docs/configuration/system/ip.rst +++ b/docs/configuration/system/ip.rst @@ -43,6 +43,19 @@ can be used to filter which routes zebra will install in the kernel. .. note:: If you choose any as the option that will cause all protocols that are sending routes to zebra. +Nexthop Tracking +^^^^^^^^^^^^^^^^ + +Nexthop tracking resolve nexthops via the default route by default. This is enabled +by default for a traditional profile of FRR which we use. It and can be disabled if +you do not wan't to e.g. allow BGP to peer across the default route. + +.. cfgcmd:: set system ip nht no-resolve-via-default + + Do not allow IPv4 nexthop tracking to resolve via the default route. This + parameter is configured per-VRF, so the command is also available in the VRF + subnode. + Operational commands -------------------- diff --git a/docs/configuration/system/ipv6.rst b/docs/configuration/system/ipv6.rst index c7308f9d..d8d3c4c9 100644 --- a/docs/configuration/system/ipv6.rst +++ b/docs/configuration/system/ipv6.rst @@ -39,6 +39,19 @@ can be used to filter which routes zebra will install in the kernel. .. note:: If you choose any as the option that will cause all protocols that are sending routes to zebra. +Nexthop Tracking +^^^^^^^^^^^^^^^^ + +Nexthop tracking resolve nexthops via the default route by default. This is enabled +by default for a traditional profile of FRR which we use. It and can be disabled if +you do not wan't to e.g. allow BGP to peer across the default route. + +.. cfgcmd:: set system ipv6 nht no-resolve-via-default + + Do not allow IPv6 nexthop tracking to resolve via the default route. This + parameter is configured per-VRF, so the command is also available in the VRF + subnode. + Operational commands -------------------- diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index 98e05cdd..09e27c53 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -34,6 +34,10 @@ Local Setup encrypted password for given username. This is useful for transferring a hashed password from system to system. +.. cfgcmd:: set system login user <name> disable + + Disable (lock) account. User will not be able to log in. + .. _ssh_key_based_authentication: Key Based Authentication diff --git a/docs/configuration/system/name-server.rst b/docs/configuration/system/name-server.rst index f18cb5a3..5d08dbc5 100644 --- a/docs/configuration/system/name-server.rst +++ b/docs/configuration/system/name-server.rst @@ -48,7 +48,7 @@ In order for the system to use and complete unqualified host names, a list can be defined which will be used for domain searches. -.. cfgcmd:: set system domain-search domain <domain> +.. cfgcmd:: set system domain-search <domain> Use this command to define domains, one at a time, so that the system uses them to complete unqualified host names. Maximum: 6 entries. @@ -68,7 +68,7 @@ order: vyos.io (first), vyos.net (second) and vyos.network (last): .. code-block:: none - set system domain-search domain vyos.io - set system domain-search domain vyos.net - set system domain-search domain vyos.network + set system domain-search vyos.io + set system domain-search vyos.net + set system domain-search vyos.network diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index c9c9bfb1..02c889dd 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst @@ -22,6 +22,36 @@ General Play an audible beep to the system speaker when system is ready. +.. cfgcmd:: set system option root-partition-auto-resize + + Enables the root partition auto-extension and resizes to the maximum + available space on system boot. + +Kernel +====== + +.. cfgcmd:: set system option kernel disable-mitigations + + Disable all optional CPU mitigations. This improves system performance, + but it may also expose users to several CPU vulnerabilities. + + This will add the following option to the Kernel commandline: + + * ``mitigations=off`` + + .. note:: Setting will only become active with the next reboot! + +.. cfgcmd:: set system option kernel disable-power-saving + + Disable CPU power saving mechanisms also known as C states. + + This will add the following two options to the Kernel commandline: + + * ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle + * ``processor.max_cstate=1`` Limit processor to maximum C-state 1 + + .. note:: Setting will only become active with the next reboot! + *********** HTTP client *********** diff --git a/docs/configuration/system/updates.rst b/docs/configuration/system/updates.rst new file mode 100644 index 00000000..505d9318 --- /dev/null +++ b/docs/configuration/system/updates.rst @@ -0,0 +1,39 @@ +####### +Updates +####### + +VyOS supports online checking for updates + +Configuration +============= + +.. cfgcmd:: set system update-check auto-check + + Configure auto-checking for new images + + +.. cfgcmd:: set system update-check url <url> + + Configure a URL that contains information about images. + + +Example +======= + +.. code-block:: none + + set system update-check auto-check + set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json' + +Check: + +.. code-block:: none + + vyos@r4:~$ show system updates + Current version: 1.5-rolling-202312220023 + + Update available: 1.5-rolling-202312250024 + Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso + vyos@r4:~$ + + vyos@r4:~$ add system image latest diff --git a/docs/configuration/trafficpolicy/index.rst b/docs/configuration/trafficpolicy/index.rst index 93f69f80..3463592f 100644 --- a/docs/configuration/trafficpolicy/index.rst +++ b/docs/configuration/trafficpolicy/index.rst @@ -1203,6 +1203,8 @@ That is how it is possible to do the so-called "ingress shaping". set qos interface ifb0 egress MY-INGRESS-SHAPING set interfaces ethernet eth0 redirect ifb0 + set interfaces input ifb0 + .. warning:: Do not configure IFB as the first step. First create everything else diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index b6ee86af..172b3c64 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -32,10 +32,10 @@ for the cipher and hash. Adjust this as necessary. ************************************** IKE (Internet Key Exchange) Attributes ************************************** -IKE performs mutual authentication between two parties and establishes -an IKE security association (SA) that includes shared secret information -that can be used to efficiently establish SAs for Encapsulating Security -Payload (ESP) or Authentication Header (AH) and a set of cryptographic +IKE performs mutual authentication between two parties and establishes +an IKE security association (SA) that includes shared secret information +that can be used to efficiently establish SAs for Encapsulating Security +Payload (ESP) or Authentication Header (AH) and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry. https://datatracker.ietf.org/doc/html/rfc5996 @@ -44,62 +44,64 @@ Multiple proposals can be specified in a single group. VyOS IKE group has the next options: -* ``close-action`` defines the action to take if the remote peer unexpectedly +* ``close-action`` defines the action to take if the remote peer unexpectedly closes a CHILD_SA: * ``none`` set action to none (default); - - * ``hold`` set action to hold; - - * ``restart`` set action to restart; - -* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol - (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty - INFORMATIONAL messages (IKEv2) are periodically sent in order to check the + + * ``trap`` installs a trap policy for the CHILD_SA; + + * ``start`` tries to immediately re-create the CHILD_SA; + +* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol + (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty + INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer: - + * ``action`` keep-alive failure action: - - * ``hold`` set action to hold (default) - - * ``clear`` set action to clear; - - * ``restart`` set action to restart; - + + * ``trap`` installs a trap policy, which will catch matching traffic + and tries to re-negotiate the tunnel on-demand; + + * ``clear`` closes the CHILD_SA and does not take further action (default); + + * ``restart`` immediately tries to re-negotiate the CHILD_SA + under a fresh IKE_SA; + * ``interval`` keep-alive interval in seconds <2-86400> (default 30); - + * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only - -* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate + +* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done. - Setting this parameter enables remote host re-authentication during an IKE + Setting this parameter enables remote host re-authentication during an IKE rekey. - + * ``key-exchange`` which protocol should be used to initialize the connection - If not set both protocols are handled and connections will use IKEv2 when + If not set both protocols are handled and connections will use IKEv2 when initiating, but accept any protocol version when responding: - + * ``ikev1`` use IKEv1 for Key Exchange; - + * ``ikev2`` use IKEv2 for Key Exchange; - + * ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800); * ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default. - + * ``mode`` IKEv1 Phase 1 Mode Selection: - * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol + * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default); - - * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol + + * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol aggressive mode is much more insecure compared to Main mode; - + * ``proposal`` the list of proposals and their parameters: * ``dh-group`` dh-group; - + * ``encryption`` encryption algorithm; * ``hash`` hash algorithm. @@ -109,8 +111,9 @@ VyOS IKE group has the next options: *********************************************** ESP (Encapsulating Security Payload) Attributes *********************************************** -ESP is used to provide confidentiality, data origin authentication, -connectionless integrity, an anti-replay service (a form of partial sequence + +ESP is used to provide confidentiality, data origin authentication, +connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. https://datatracker.ietf.org/doc/html/rfc4303 @@ -120,26 +123,26 @@ Multiple proposals can be specified in a single group. VyOS ESP group has the next options: * ``compression`` Enables the IPComp(IP Payload Compression) protocol which - allows compressing the content of IP packets. - -* ``life-bytes`` ESP life in bytes <1024-26843545600000>. + allows compressing the content of IP packets. + +* ``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires; - -* ``life-packets`` ESP life in packets <1000-26843545600000>. - Number of packets transmitted over an IPsec SA before it expires; - -* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600). - How long a particular instance of a connection (a set of - encryption/authentication keys for user packets) should last, + +* ``life-packets`` ESP life in packets <1000-26843545600000>. + Number of packets transmitted over an IPsec SA before it expires; + +* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600). + How long a particular instance of a connection (a set of + encryption/authentication keys for user packets) should last, from successful negotiation to expiry; - + * ``mode`` the type of the connection: - + * ``tunnel`` tunnel mode (default); * ``transport`` transport mode; -* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the +* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the connection's keying channel and defines a Diffie-Hellman group for PFS: * ``enable`` Inherit Diffie-Hellman group from IKE group (default); @@ -153,20 +156,21 @@ VyOS ESP group has the next options: * ``encryption`` encryption algorithm (default 128 bit AES-CBC); * ``hash`` hash algorithm (default sha1). - + *********************************************** Options (Global IPsec settings) Attributes -*********************************************** +*********************************************** + * ``options`` * ``disable-route-autoinstall`` Do not automatically install routes to remote networks; - + * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation; - + * ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface; - + * ``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy. - + ************************* IPsec policy matching GRE ************************* @@ -264,7 +268,7 @@ However, now you need to make IPsec work with dynamic address on one side. The tricky part is that pre-shared secret authentication doesn't work with dynamic address, so we'll have to use RSA keys. -First, on both routers run the operational command "generate pki key-pair +First, on both routers run the operational command "generate pki key-pair install <key-pair name>". You may choose different length than 2048 of course. .. code-block:: none @@ -281,18 +285,18 @@ install <key-pair name>". You may choose different length than 2048 of course. set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...' [edit] -Configuration commands for the private and public key will be displayed on the +Configuration commands for the private and public key will be displayed on the screen which needs to be set on the router first. -Note the command with the public key -(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). +Note the command with the public key +(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). Then do the same on the opposite router: .. code-block:: none vyos@left# run generate pki key-pair install ipsec-RIGHT -Note the command with the public key -(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'). +Note the command with the public key +(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'). Now the noted public keys should be entered on the opposite routers. @@ -361,3 +365,205 @@ On the RIGHT (dynamic address): set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10 set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote + + +******************************************* +IKEv2 IPSec road-warriors remote-access VPN +******************************************* + +Internet Key Exchange version 2, IKEv2 for short, is a request/response +protocol developed by both Cisco and Microsoft. It is used to establish +and secure IPv4/IPv6 connections, be it a site-to-site VPN or from a +road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint, +or remote-access/road-warrior mode, secures the server-side with another layer +by using an x509 signed server certificate. + +Key exchange and payload encryption is still done using IKE and ESP proposals +as known from IKEv1 but the connections are faster to establish, more reliable, +and also support roaming from IP to IP (called MOBIKE which makes sure your +connection does not drop when changing networks from e.g. WIFI to LTE and back). + +This feature closely works together with :ref:`pki` subsystem as you required +a x509 certificate. + +Example +======= + +This example uses CACert as certificate authority. + +.. code-block:: + + set pki ca CAcert_Class_3_Root certificate 'MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEUMBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57aiX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6CjQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgiapNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPtXapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luLoFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGprmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVABfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAChiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoGCysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5vcmcvY2xhc3MzLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGqeSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6HhLSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5/LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QUqGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k50cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQnk2AbL4c7nCkuAcEKw1BAlSETkfqi5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUECokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87cSvOK6eB1kdGKLA8ymXxZp8=' + set pki ca CAcert_Signing_Authority certificate 'MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42yfk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jcG8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4kepKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43qlaegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQQUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivUfslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8wggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTADAQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgucGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9yZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TANBgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0qIh1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtjaJQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad94SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9ivmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/hJCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmxXdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eNaQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVrGwc=' + +After you obtained your server certificate you can import it from a file +on the local filesystem, or paste it into the CLI. Please note that +when entering the certificate manually you need to strip the +``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the certificate +or key needs to be presented in a single line without line breaks (``\n``). + +To import it from the filesystem use: + +.. code-block:: + + import pki certificate <name> file /path/to/cert.pem + +In our example the certificate name is called vyos: + +.. code-block:: + + set pki certificate vyos certificate 'MIIE45s...' + set pki certificate vyos private key 'MIIEvgI...' + +After the PKI certs are all set up we can start configuring our IPSec/IKE +proposals used for key-exchange end data encryption. The used encryption +ciphers and integrity algorithms vary from operating system to operating +system. The ones used in this post are validated to work on both Windows 10 +and iOS/iPadOS 14 to 17. + +.. code-block:: + + set vpn ipsec esp-group ESP-RW compression 'disable' + set vpn ipsec esp-group ESP-RW lifetime '3600' + set vpn ipsec esp-group ESP-RW pfs 'disable' + set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128' + set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' + + set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' + set vpn ipsec ike-group IKE-RW lifetime '7200' + set vpn ipsec ike-group IKE-RW mobike 'enable' + set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128' + set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256' + +Every connection/remote-access pool we configure also needs a pool where +we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. +Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix +and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some +DNS nameservers down to our clients used on their connection. + +.. code-block:: + + set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1' + set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25' + set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1' + set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64' + +VyOS supports multiple IKEv2 remote-access connections. Every connection can +have its dedicated IKE/ESP ciphers, certificates or local listen address for +e.g. inbound load balancing. + +We configure a new connection named ``rw`` for road-warrior, that identifies +itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate +signed by the `CAcert_Class3_Root`` intermediate CA. We select our previously +specified IKE/ESP groups and also link the IP address pool to draw addresses +from. + +.. code-block:: + + set vpn ipsec remote-access connection rw authentication id '192.0.2.1' + set vpn ipsec remote-access connection rw authentication server-mode 'x509' + set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root' + set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos' + set vpn ipsec remote-access connection rw esp-group 'ESP-RW' + set vpn ipsec remote-access connection rw ike-group 'IKE-RW' + set vpn ipsec remote-access connection rw local-address '192.0.2.1' + set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' + set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6' + +VyOS also supports (currently) two different modes of authentication, local and +RADIUS. To create a new local user named ``vyos`` with password ``vyos`` use the +following commands. + +.. code-block:: + + set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2' + set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos' + +If you feel better forwarding all authentication requests to your enterprises +RADIUS server, use the commands below. + +.. code-block:: + + set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius' + set vpn ipsec remote-access radius server 192.0.2.2 key 'secret' + +Client Configuration +==================== + +Configuring VyOS to act as your IPSec access concentrator is one thing, but +you probably need to setup your client connecting to the server so they can +talk to the IPSec gateway. + +Microsoft Windows (10+) +----------------------- + +Windows 10 does not allow a user to choose the integrity and encryption ciphers +using the GUI and it uses some older proposals by default. A user can only +change the proposals on the client side by configuring the IPSec connection +profile via PowerShell. + +We generate a connection profile used by Windows clients that will connect to +the "rw" connection on our VyOS server on the VPN servers IP address/fqdn +`vpn.vyos.net`. + +.. note:: Microsoft Windows expects the server name to be also used in the + server's certificate common name, so it's best to use this DNS name for + your VPN connection. + +.. code-block:: + + vyos@vyos:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net + + ==== <snip> ==== + Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2" + Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force + ==== </snip> ==== + +As both Microsoft Windows and Apple iOS/iPadOS only support a certain set of +encryption ciphers and integrity algorithms we will validate the configured +IKE/ESP proposals and only list the compatible ones to the user — if multiple +are defined. If there are no matching proposals found — we can not generate a +profile for you. + +When first connecting to the new VPN the user is prompted to enter proper +credentials. + +Apple iOS/iPadOS (14.2+) +------------------------ + +Like on Microsoft Windows, Apple iOS/iPadOS out of the box does not expose +all available VPN options via the device GUI. + +If you want, need, and should use more advanced encryption ciphers (default +is still 3DES) you need to provision your device using a so-called "Device +Profile". A profile is a simple text file containing XML nodes with a +``.mobileconfig`` file extension that can be sent and opened on any device +from an E-Mail. + +Profile generation happens from the operational level and is as simple as +issuing the following command to create a profile to connect to the IKEv2 +access server at ``vpn.vyos.net`` with the configuration for the ``rw`` +remote-access connection group. + +.. note:: Apple iOS/iPadOS expects the server name to be also used in the + server's certificate common name, so it's best to use this DNS name for + your VPN connection. + +.. code-block:: + + vyos@vyos:~$ generate ipsec profile ios-remote-access rw remote vpn.vyos.net + + ==== <snip> ==== + <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> + <plist version="1.0"> + ... + </plist> + ==== </snip> ==== + +In the end, an XML structure is generated which can be saved as +``vyos.mobileconfig`` and sent to the device by E-Mail where it later can +be imported. + +During profile import, the user is asked to enter its IPSec credentials +(username and password) which is stored on the mobile. diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index 4a7657e7..f0c60ec1 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -1,30 +1,80 @@ .. _l2tp: +#### L2TP ----- +#### VyOS utilizes accel-ppp_ to provide L2TP server functionality. It can be used with local authentication or a connected RADIUS server. -L2TP over IPsec -=============== - -Example for configuring a simple L2TP over IPsec VPN for remote access (works -with native Windows and Mac VPN clients): +*********************** +Configuring L2TP Server +*********************** .. code-block:: none - set vpn ipsec interface eth0 - - set vpn l2tp remote-access outside-address 192.0.2.2 + set vpn l2tp remote-access authentication mode local + set vpn l2tp remote-access authentication local-users username test password 'test' set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 set vpn l2tp remote-access default-pool 'L2TP-POOL' + set vpn l2tp remote-access outside-address 192.0.2.2 + set vpn l2tp remote-access gateway-address 192.168.255.1 + + +.. cfgcmd:: set vpn l2tp remote-access authentication mode <local | radius> + + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + +.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> password + <pass> + + Create `<user>` for local authentication on this system. The users password + will be set to `<pass>`. + +.. cfgcmd:: set vpn l2tp remote-access client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> + + Use this command to define the first IP address of a pool of + addresses to be given to l2tp clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set vpn l2tp remote-access default-pool <POOL-NAME> + + Use this command to define default address pool name. + +.. cfgcmd:: set vpn l2tp remote-access gateway-address <gateway> + + Specifies single `<gateway>` IP address to be used as local address of PPP + interfaces. + +***************** +Configuring IPsec +***************** + +.. code-block:: none + + set vpn ipsec interface eth0 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret> - set vpn l2tp remote-access authentication mode local - set vpn l2tp remote-access authentication local-users username test password 'test' -In the above example, an external IP of 192.0.2.2 is assumed. + +.. cfgcmd:: set vpn ipsec interface <INTERFACE> + + Use this command to define IPsec interface. + +.. cfgcmd:: set vpn l2tp remote-access ipsec-settings authentication mode <pre-shared-secret | x509> + + Set mode for IPsec authentication between VyOS and L2TP clients. + +.. cfgcmd:: set vpn l2tp remote-access ipsec-settings authentication mode <pre-shared-secret | x509> + + Set predefined shared secret phrase. + If a local firewall policy is in place on your external interface you will need to allow the ports below: @@ -64,156 +114,150 @@ To allow VPN-clients access via your external address, a NAT rule is required: set nat source rule 110 source address '192.168.255.0/24' set nat source rule 110 translation address masquerade +********************************* +Configuring RADIUS authentication +********************************* -VPN-clients will request configuration parameters, optionally you can DNS -parameter to the client. +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. .. code-block:: none - set vpn l2tp remote-access name-server '198.51.100.8' - set vpn l2tp remote-access name-server '198.51.100.4' - -Established sessions can be viewed using the **show l2tp-server sessions** -operational command + set vpn l2tp remote-access authentication mode radius -.. code-block:: none +.. cfgcmd:: set vpn l2tp remote-access authentication radius server <server> key <secret> - vyos@vyos:~$ show l2tp-server sessions - ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes - --------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+---------- - l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: +.. code-block:: none -LNS (L2TP Network Server) -========================= + set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo' + set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo' -LNS are often used to connect to a LAC (L2TP Access Concentrator). +.. note:: Some RADIUS_ severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -Below is an example to configure a LNS: +RADIUS source address +===================== -.. code-block:: none +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. - set vpn l2tp remote-access outside-address 192.0.2.2 - set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 - set vpn l2tp remote-access default-pool 'L2TP-POOL' - set vpn l2tp remote-access lns shared-secret 'secret' - set vpn l2tp remote-access ccp-disable - set vpn l2tp remote-access authentication mode local - set vpn l2tp remote-access authentication local-users username test password 'test' +.. cfgcmd:: set vpn l2tp remote-access authentication radius source-address <address> -The example above uses 192.0.2.2 as external IP address. A LAC normally requires -an authentication password, which is set in the example configuration to -``lns shared-secret 'secret'``. This setup requires the Compression Control -Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access -ccp-disable`` accomplishes that. + Source IPv4 address used in all RADIUS server queires. +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. -Bandwidth Shaping -================= +RADIUS advanced options +======================= -Bandwidth rate limits can be set for local users or via RADIUS based attributes. +.. cfgcmd:: set vpn l2tp remote-access authentication radius server <server> port <port> -Bandwidth Shaping for local users -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + Configure RADIUS `<server>` and its required port for authentication requests. -The rate-limit is set in kbit/sec. +.. cfgcmd:: set vpn l2tp remote-access authentication radius server <server> fail-time <time> -.. code-block:: none + Mark RADIUS server as offline for this given `<time>` in seconds. - set vpn l2tp remote-access outside-address 192.0.2.2 - set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 - set vpn l2tp remote-access default-pool 'L2TP-POOL' - set vpn l2tp remote-access authentication mode local - set vpn l2tp remote-access authentication local-users username test password test - set vpn l2tp remote-access authentication local-users username test rate-limit download 20480 - set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240 +.. cfgcmd:: set vpn l2tp remote-access authentication radius server <server> disable - vyos@vyos:~$ show l2tp-server sessions - ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes - --------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+---------- - l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB + Temporary disable this RADIUS server. +.. cfgcmd:: set vpn l2tp remote-access authentication radius acct-timeout <timeout> -RADIUS authentication -====================== + Timeout to wait reply for Interim-Update packets. (default 3 seconds) -To enable RADIUS based authentication, the authentication mode needs to be -changed within the configuration. Previous settings like the local users, still -exists within the configuration, however they are not used if the mode has been -changed from local to radius. Once changed back to local, it will use all local -accounts again. +.. cfgcmd:: set vpn l2tp remote-access authentication radius dynamic-author server <address> -.. code-block:: none + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) - set vpn l2tp remote-access authentication mode <local|radius> +.. cfgcmd:: set vpn l2tp remote-access authentication radius dynamic-author port <port> -Since the RADIUS server would be a single point of failure, multiple RADIUS -servers can be setup and will be used subsequentially. + Port for Dynamic Authorization Extension server (DM/CoA) -.. code-block:: none +.. cfgcmd:: set vpn l2tp remote-access authentication radius dynamic-author key <secret> - set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo' - set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo' + Secret for Dynamic Authorization Extension server (DM/CoA) -.. note:: Some RADIUS_ severs use an access control list which allows or denies - queries, make sure to add your VyOS router to the allowed client list. +.. cfgcmd:: set vpn l2tp remote-access authentication radius max-try <number> -RADIUS source address -^^^^^^^^^^^^^^^^^^^^^ + Maximum number of tries to send Access-Request/Accounting-Request queries -If you are using OSPF as IGP, always the closest interface connected to the -RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests -to a single source IP e.g. the loopback interface. +.. cfgcmd:: set vpn l2tp remote-access authentication radius timeout <timeout> -.. code-block:: none + Timeout to wait response from server (seconds) - set vpn l2tp remote-access authentication radius source-address 10.0.0.3 +.. cfgcmd:: set vpn l2tp remote-access authentication radius nas-identifier <identifier> -Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries -on this NAS. + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. -.. note:: The ``source-address`` must be configured on one of VyOS interface. - Best practice would be a loopback or dummy interface. +.. cfgcmd:: set vpn l2tp remote-access authentication radius nas-ip-address <address> -RADIUS bandwidth shaping attribute -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. -To enable bandwidth shaping via RADIUS, the option rate-limit needs to be -enabled. +.. cfgcmd:: set vpn l2tp remote-access authentication radius source-address <address> -.. code-block:: none + Source IPv4 address used in all RADIUS server queires. - set vpn l2tp remote-access authentication radius rate-limit enable +.. cfgcmd:: set vpn l2tp remote-access authentication radius rate-limit attribute <attribute> -The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may -also redefine it. + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is `Filter-Id`. -.. code-block:: none +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. - set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed +.. cfgcmd:: set vpn l2tp remote-access authentication radius rate-limit enable -.. note:: If you set a custom RADIUS attribute you must define it on both - dictionaries at RADIUS server and client, which is the vyos router in our - example. + Enables bandwidth shaping via RADIUS. -The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/radius/`` +.. cfgcmd:: set vpn l2tp remote-access authentication radius rate-limit vendor -RADIUS advanced features -^^^^^^^^^^^^^^^^^^^^^^^^ + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. Received RADIUS attributes have a higher priority than parameters defined within the CLI configuration, refer to the explanation below. Allocation clients ip addresses by RADIUS -***************************************** +========================================= If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP -address will be allocated to the client and the option ip-pool within the CLI +address will be allocated to the client and the option ``default-pool`` within the CLI config is being ignored. +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. + +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + Renaming clients interfaces by RADIUS -************************************* +===================================== If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be renamed. @@ -221,6 +265,301 @@ renamed. .. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 characters, otherwise the interface won't be renamed. +************************************* +Configuring LNS (L2TP Network Server) +************************************* + +LNS are often used to connect to a LAC (L2TP Access Concentrator). + +.. cfgcmd:: set vpn l2tp remote-access lns host-name <hostname> + + Sent to the client (LAC) in the Host-Name attribute + +.. cfgcmd:: set vpn l2tp remote-access lns shared-secret <secret> + + Tunnel password used to authenticate the client (LAC) + +To explain the usage of LNS follow our blueprint :ref:`examples-lac-lns`. + +**** +IPv6 +**** +.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6 <require | prefer | allow | deny> + + Specifies IPv6 negotiation preference. + + * **require** - Require IPv6 negotiation + * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv6 only if client requests + * **deny** - Do not negotiate IPv6 (default value) + +.. cfgcmd:: set vpn l2tp remote-access client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> + + Use this comand to set the IPv6 address pool from which an l2tp client + will get an IPv6 prefix of your defined length (mask) to terminate the + l2tp endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. + +.. cfgcmd:: set vpn l2tp remote-access client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> + + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + l2tp. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. + +.. cfgcmd:: set vpn l2tp remote-access default-ipv6-pool <IPv6-POOL-NAME> + + Use this command to define default IPv6 address pool name. + +.. code-block:: none + + set vpn l2tp remote-access ppp-options ipv6 allow + set vpn l2tp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set vpn l2tp remote-access client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set vpn l2tp remote-access default-ipv6-pool IPv6-POOL + +IPv6 Advanced Options +===================== +.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-accept-peer-interface-id + + Accept peer interface identifier. By default is not defined. + +.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies fixed or random interface identifier for IPv6. + By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + +.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies peer interface identifier for IPv6. By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + * **ipv4-addr** - Calculate interface identifier from IPv4 address. + * **calling-sid** - Calculate interface identifier from calling-station-id. + +********* +Scripting +********* + +.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-change <path_to_script> + + Script to run when session interface changed by RADIUS CoA handling + +.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-down <path_to_script> + + Script to run when session interface going to terminate + +.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> disable + + Disable `<user>` account. + +.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> static-ip + <address> + + Assign static IP address to `<user>` account. + +.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn l2tp remote-access authentication protocols + <pap | chap | mschap | mschap-v2> + + Require the peer to authenticate itself using one of the following protocols: + pap, chap, mschap, mschap-v2. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set vpn l2tp remote-access client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +PPP Advanced Options +==================== + +.. cfgcmd:: set vpn l2tp remote-access ppp-options disable-ccp + + Disable Compression Control Protocol (CCP). + CCP is enabled by default. + +.. cfgcmd:: set vpn l2tp remote-access ppp-options interface-cache <number> + + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. + +.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv4 <require | prefer | allow | deny> + + Specifies IPv4 negotiation preference. + + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 + +.. cfgcmd:: set vpn l2tp remote-access ppp-options lcp-echo-failure <number> + + Defines the maximum `<number>` of unanswered echo requests. Upon reaching the + value `<number>`, the session will be reset. Default value is **3**. + +.. cfgcmd:: set vpn l2tp remote-access ppp-options lcp-echo-interval <interval> + + If this option is specified and is greater than 0, then the PPP module will + send LCP pings of the echo request every `<interval>` seconds. + Default value is **30**. + +.. cfgcmd:: set vpn l2tp remote-access ppp-options lcp-echo-timeout + + Specifies timeout in seconds to wait for any peer activity. If this option + specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" + is not used. Default value is **0**. + +.. cfgcmd:: set vpn l2tp remote-access ppp-options min-mtu <number> + + Defines minimum acceptable MTU. If client will try to negotiate less then + specified MTU then it will be NAKed or disconnected if rejects greater MTU. + Default value is **100**. + +.. cfgcmd:: set vpn l2tp remote-access ppp-options mppe <require | prefer | deny> + + Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation + preference. + + * **require** - ask client for mppe, if it rejects drop connection + * **prefer** - ask client for mppe, if it rejects don't fail. (Default value) + * **deny** - deny mppe + + Default behavior - don't ask client for mppe, but allow it if client wants. + Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy + attribute. + +.. cfgcmd:: set vpn l2tp remote-access ppp-options mru <number> + + Defines preferred MRU. By default is not defined. + +Global Advanced options +======================= + +.. cfgcmd:: set vpn l2tp remote-access description <description> + + Set description. + +.. cfgcmd:: set vpn l2tp remote-access limits burst <value> + + Burst count + +.. cfgcmd:: set vpn l2tp remote-access limits connection-limit <value> + + Acceptable rate of connections (e.g. 1/min, 60/sec) + +.. cfgcmd:: set vpn l2tp remote-access limits timeout <value> + + Timeout in seconds + +.. cfgcmd:: set vpn l2tp remote-access mtu + + Maximum Transmission Unit (MTU) (default: **1436**) + +.. cfgcmd:: set vpn l2tp remote-access max-concurrent-sessions + + Maximum number of concurrent session start attempts + +.. cfgcmd:: set vpn l2tp remote-access name-server <address> + + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. + +.. cfgcmd:: set vpn l2tp remote-access shaper fwmark <1-2147483647> + + Match firewall mark value + +.. cfgcmd:: set vpn l2tp remote-access snmp master-agent + + Enable SNMP + +.. cfgcmd:: set vpn l2tp remote-access wins-server <address> + + Windows Internet Name Service (WINS) servers propagated to client + +********** +Monitoring +********** + +.. code-block:: none + + vyos@vyos:~$ show l2tp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+---------- + l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB + +.. code-block:: none + + vyos@vyos:~$ show l2tp-server statistics + uptime: 0.02:49:49 + cpu: 0% + mem(rss/virt): 5920/100892 kB + core: + mempool_allocated: 133202 + mempool_available: 131770 + thread_count: 1 + thread_active: 1 + context_count: 5 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 3 + md_handler_pending: 0 + timer_count: 0 + timer_pending: 0 + sessions: + starting: 0 + active: 0 + finishing: 0 + l2tp: + tunnels: + starting: 0 + active: 0 + finishing: 0 + sessions (control channels): + starting: 0 + active: 0 + finishing: 0 + sessions (data channels): + starting: 0 + active: 0 + finishing: 0 + .. _`Google Public DNS`: https://developers.google.com/speed/public-dns .. _Quad9: https://quad9.net @@ -230,3 +569,5 @@ renamed. .. _FreeRADIUS: https://freeradius.org .. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server .. _accel-ppp: https://accel-ppp.org/ +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index 1cc197e9..845d9196 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst @@ -165,6 +165,13 @@ Simple setup with one user added and password authentication: set vpn openconnect ssl ca-certificate 'ca-ocserv' set vpn openconnect ssl certificate 'srv-ocserv' +To enable the HTTP security headers in the configuration file, use the command: + +.. code-block:: none + + set vpn openconnect http-security-headers + + Adding a 2FA with an OTP-key ============================ diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst index fe536eec..2a5e7731 100644 --- a/docs/configuration/vpn/pptp.rst +++ b/docs/configuration/vpn/pptp.rst @@ -1,52 +1,552 @@ .. _pptp: +########### PPTP-Server ------------ +########### The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility. PPTP has many well known security issues and you should use one of the many other new VPN implementations. -As per default and if not otherwise defined, mschap-v2 is being used for -authentication and mppe 128-bit (stateless) for encryption. If no -gateway-address is set within the configuration, the lowest IP out of the /24 -client-ip-pool is being used. For instance, in the example below it would be -192.168.0.1. - -server example -^^^^^^^^^^^^^^ +*********************** +Configuring PPTP Server +*********************** .. code-block:: none + set vpn pptp remote-access authentication mode local set vpn pptp remote-access authentication local-users username test password 'test' - set vpn pptp remote-access authentication mode 'local' - set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15 + set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.255.2-192.168.255.254 set vpn pptp remote-access default-pool 'PPTP-POOL' - set vpn pptp remote-access gateway-address '10.100.100.1' - set vpn pptp remote-access outside-address '10.1.1.120' + set vpn pptp remote-access outside-address 192.0.2.2 + set vpn pptp remote-access gateway-address 192.168.255.1 + + +.. cfgcmd:: set vpn pptp remote-access authentication mode <local | radius> + + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + * **noauth**: Authentication disabled. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> password + <pass> + + Create `<user>` for local authentication on this system. The users password + will be set to `<pass>`. + +.. cfgcmd:: set vpn pptp remote-access client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> + + Use this command to define the first IP address of a pool of + addresses to be given to PPTP clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set vpn pptp remote-access default-pool <POOL-NAME> + + Use this command to define default address pool name. + +.. cfgcmd:: set vpn pptp remote-access gateway-address <gateway> + + Specifies single `<gateway>` IP address to be used as local address of PPP + interfaces. + +********************************* +Configuring RADIUS authentication +********************************* + +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. + +.. code-block:: none + + set vpn pptp remote-access authentication mode radius + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> key <secret> + + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. + +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: + +.. code-block:: none + + set vpn pptp remote-access authentication radius server 10.0.0.1 key 'foo' + set vpn pptp remote-access authentication radius server 10.0.0.2 key 'foo' + +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. + +RADIUS source address +===================== + +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. You can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. + +.. cfgcmd:: set vpn pptp remote-access authentication radius source-address <address> + + Source IPv4 address used in all RADIUS server queires. + +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. + +RADIUS advanced options +======================= + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> port <port> + + Configure RADIUS `<server>` and its required port for authentication requests. + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> fail-time <time> + + Mark RADIUS server as offline for this given `<time>` in seconds. + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> disable + + Temporary disable this RADIUS server. + +.. cfgcmd:: set vpn pptp remote-access authentication radius acct-timeout <timeout> + + Timeout to wait reply for Interim-Update packets. (default 3 seconds) + +.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author server <address> + + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author port <port> + + Port for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author key <secret> + + Secret for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set vpn pptp remote-access authentication radius max-try <number> + + Maximum number of tries to send Access-Request/Accounting-Request queries + +.. cfgcmd:: set vpn pptp remote-access authentication radius timeout <timeout> + + Timeout to wait response from server (seconds) + +.. cfgcmd:: set vpn pptp remote-access authentication radius nas-identifier <identifier> + + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. + +.. cfgcmd:: set vpn pptp remote-access authentication radius nas-ip-address <address> + + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. + +.. cfgcmd:: set vpn pptp remote-access authentication radius source-address <address> + + Source IPv4 address used in all RADIUS server queires. + +.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit attribute <attribute> + + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is `Filter-Id`. + +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. + +.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit enable + + Enables bandwidth shaping via RADIUS. + +.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit vendor + + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. + +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +Renaming clients interfaces by RADIUS +===================================== + +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. + +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. + +**** +IPv6 +**** +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6 <require | prefer | allow | deny> + + Specifies IPv6 negotiation preference. + + * **require** - Require IPv6 negotiation + * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv6 only if client requests + * **deny** - Do not negotiate IPv6 (default value) + +.. cfgcmd:: set vpn pptp remote-access client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> + + Use this comand to set the IPv6 address pool from which an PPTP client + will get an IPv6 prefix of your defined length (mask) to terminate the + PPTP endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. + +.. cfgcmd:: set vpn pptp remote-access client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> + + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + PPTP. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. + +.. cfgcmd:: set vpn pptp remote-access default-ipv6-pool <IPv6-POOL-NAME> + Use this command to define default IPv6 address pool name. -client example (debian 9) -^^^^^^^^^^^^^^^^^^^^^^^^^ +.. code-block:: none + + set vpn pptp remote-access ppp-options ipv6 allow + set vpn pptp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set vpn pptp remote-access client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set vpn pptp remote-access default-ipv6-pool IPv6-POOL + +IPv6 Advanced Options +===================== +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-accept-peer-interface-id + + Accept peer interface identifier. By default is not defined. + +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies fixed or random interface identifier for IPv6. + By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies peer interface identifier for IPv6. By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + * **ipv4-addr** - Calculate interface identifier from IPv4 address. + * **calling-sid** - Calculate interface identifier from calling-station-id. + +********* +Scripting +********* + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-change <path_to_script> + + Script to run when session interface changed by RADIUS CoA handling + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-down <path_to_script> + + Script to run when session interface going to terminate + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> disable + + Disable `<user>` account. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> static-ip + <address> + + Assign static IP address to `<user>` account. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn pptp remote-access authentication protocols + <pap | chap | mschap | mschap-v2> + + Require the peer to authenticate itself using one of the following protocols: + pap, chap, mschap, mschap-v2. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set vpn pptp remote-access client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +PPP Advanced Options +==================== + +.. cfgcmd:: set vpn pptp remote-access ppp-options disable-ccp + + Disable Compression Control Protocol (CCP). + CCP is enabled by default. + +.. cfgcmd:: set vpn pptp remote-access ppp-options interface-cache <number> + + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv4 <require | prefer | allow | deny> + + Specifies IPv4 negotiation preference. -Install the client software via apt and execute pptpsetup to generate the -configuration. + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 +.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-failure <number> + + Defines the maximum `<number>` of unanswered echo requests. Upon reaching the + value `<number>`, the session will be reset. Default value is **3**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-interval <interval> + + If this option is specified and is greater than 0, then the PPP module will + send LCP pings of the echo request every `<interval>` seconds. + Default value is **30**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-timeout + + Specifies timeout in seconds to wait for any peer activity. If this option + specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" + is not used. Default value is **0**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options min-mtu <number> + + Defines minimum acceptable MTU. If client will try to negotiate less then + specified MTU then it will be NAKed or disconnected if rejects greater MTU. + Default value is **100**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options mppe <require | prefer | deny> + + Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation + preference. + + * **require** - ask client for mppe, if it rejects drop connection + * **prefer** - ask client for mppe, if it rejects don't fail. (Default value) + * **deny** - deny mppe + + Default behavior - don't ask client for mppe, but allow it if client wants. + Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy + attribute. + +.. cfgcmd:: set vpn pptp remote-access ppp-options mru <number> + + Defines preferred MRU. By default is not defined. + +Global Advanced options +======================= + +.. cfgcmd:: set vpn pptp remote-access description <description> + + Set description. + +.. cfgcmd:: set vpn pptp remote-access limits burst <value> + + Burst count + +.. cfgcmd:: set vpn pptp remote-access limits connection-limit <value> + + Acceptable rate of connections (e.g. 1/min, 60/sec) + +.. cfgcmd:: set vpn pptp remote-access limits timeout <value> + + Timeout in seconds + +.. cfgcmd:: set vpn pptp remote-access mtu + + Maximum Transmission Unit (MTU) (default: **1436**) + +.. cfgcmd:: set vpn pptp remote-access max-concurrent-sessions + + Maximum number of concurrent session start attempts + +.. cfgcmd:: set vpn pptp remote-access name-server <address> + + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. + +.. cfgcmd:: set vpn pptp remote-access shaper fwmark <1-2147483647> + + Match firewall mark value + +.. cfgcmd:: set vpn pptp remote-access snmp master-agent + + Enable SNMP + +.. cfgcmd:: set vpn pptp remote-access wins-server <address> + + Windows Internet Name Service (WINS) servers propagated to client + +********** +Monitoring +********** + +.. opcmd:: show pptp-server sessions + + Use this command to locally check the active sessions in the PPTP + server. .. code-block:: none - apt-get install pptp-linux - pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --encrypt - pon TESTTUNNEL + vyos@vyos:~$ show pptp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+---------- + pptp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:01:26 | 6.9 KiB | 220 B -The command pon TESTUNNEL establishes the PPTP tunnel to the remote system. +.. code-block:: none + vyos@vyos:~$ show pptp-server statistics + uptime: 0.00:04:52 + cpu: 0% + mem(rss/virt): 5504/100176 kB + core: + mempool_allocated: 152007 + mempool_available: 149007 + thread_count: 1 + thread_active: 1 + context_count: 6 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 6 + md_handler_pending: 0 + timer_count: 2 + timer_pending: 0 + sessions: + starting: 0 + active: 1 + finishing: 0 + pptp: + starting: 0 + active: 1 -All tunnel sessions can be checked via: +*************** +Troubleshooting +*************** .. code-block:: none - run sh pptp-server sessions - ifname | username | calling-sid | ip | type | comp | state | uptime - --------+----------+-------------+--------------+------+------+--------+---------- - ppp0 | test | 10.1.1.99 | 192.168.0.10 | pptp | mppe | active | 00:00:58 + vyos@vyos:~$sudo journalctl -u accel-ppp@pptp -b 0 + + Feb 29 14:58:57 vyos accel-pptp[4629]: pptp: new connection from 192.168.10.100 + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Start-Ctrl-Conn-Request <Version 1> <Framing 1> <Bearer 1> <Max-Chan 0>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Start-Ctrl-Conn-Reply <Version 1> <Result 1> <Error 0> <Framing 3> <Bearer 3> <Max-Chan 1>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Outgoing-Call-Request <Call-ID 2961> <Call-Serial 2> <Min-BPS 300> <Max-BPS 100000000> <Bearer 3> <Framing 3> <Window-Size 64> <Delay 0>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Outgoing-Call-Reply <Call-ID 2> <Peer-Call-ID 2961> <Result 1> <Error 0> <Cause 0> <Speed 100000000> <Window-Size 64> <Delay 0> <Channel 0>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: auth_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ccp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipcp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipv6cp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ppp establishing + Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_start + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 0142785a> <pcomp> <accomp> < d 3 6 >] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 0142785a>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfAck id=1] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: fsm timeout 9 + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=75 <auth MSCHAP-v2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=76 <auth CHAP-md5> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=76 <auth MSCHAP-v2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=77 <auth MSCHAP-v1> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=77 <auth MSCHAP-v2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfAck id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: lcp_layer_started + Feb 29 14:59:00 vyos accel-pptp[4629]: :: auth_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [MSCHAP-v2 Challenge id=1 <8aa758781676e6a8e85c11963ee010>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=2 <MSRASV5.20>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=3 <MSRAS-0-MSEDGEWIN10>] + Feb 29 14:59:00 vyos accel-pptp[4629]: [43B blob data] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [MSCHAP-v2 Response id=1 <90c21af1091f745e8bf22388b058>, <e695ae5aae274c88a3fa1ee3dc9057aece4d53c87b9fea>, F=0, name="test"] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: connect: ppp0 <--> pptp(192.168.10.100) + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ppp connected + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [MSCHAP-v2 Success id=1 "S=347F417CF04BEBBC7F75CFA7F43474C36FB218F9 M=Authentication succeeded"] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: test: authentication succeeded + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: auth_layer_started + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [CCP ConfReq id=b9 <mppe +H -M +S -L -D -C>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipv6cp_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: IPV6CP: discarding packet + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [LCP ProtoRej id=122 <8057>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=6 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfReq id=3b <addr 10.0.0.1>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfRej id=6 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [LCP ProtoRej id=7 <80fd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_finished + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfAck id=3b <addr 10.0.0.1>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfAck id=9] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_started + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: rename interface to 'pptp0' + Feb 29 14:59:00 vyos accel-pptp[4629]: pptp0:test: pptp: ppp started + +.. _accel-ppp: https://accel-ppp.org/ +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 23df1b76..ab0f623f 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -16,7 +16,8 @@ special characters. It is purely informational. Each site-to-site peer has the next options: * ``authentication`` - configure authentication between VyOS and a remote peer. - Suboptions: + If pre-shared-secret mode is used, the secret key must be defined in + ``set vpn ipsec authentication`` and suboptions: * ``psk`` - Preshared secret key name: @@ -36,8 +37,7 @@ Each site-to-site peer has the next options: * ``pre-shared-secret`` - use predefined shared secret phrase; - * ``rsa`` - use simple shared RSA key. The key must be defined in the - ``set vpn rsa-keys`` section; + * ``rsa`` - use simple shared RSA key. * ``x509`` - use certificates infrastructure for authentication. @@ -45,29 +45,26 @@ Each site-to-site peer has the next options: address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used; - * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined - in the ``set vpn rsa-keys`` section; + * ``rsa`` - options for RSA authentication mode: - * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when - ``id`` is defined; + * ``local-key`` - name of PKI key-pair with local private key - * ``x509`` - options for x509 authentication mode: + * ``remote-key`` - name of PKI key-pair with remote public key - * ``ca-cert-file`` - CA certificate file. Using for authenticating - remote peer; + * ``passphrase`` - local private key passphrase - * ``cert-file`` - certificate file, which will be used for authenticating - local router on remote peer; + * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when + ``id`` is defined; - * ``crl-file`` - file with the Certificate Revocation List. Using to check if - a certificate for the remote peer is valid or revoked; + * ``x509`` - options for x509 authentication mode: - * ``key`` - a private key, which will be used for authenticating local router - on remote peer: + * ``ca-certificate`` - CA certificate in PKI configuration. Using for + authenticating remote peer; - * ``file`` - path to the key file; + * ``certificate`` - certificate file in PKI configuration, which will be used + for authenticating local router on remote peer; - * ``password`` - passphrase private key, if needed. + * ``passphrase`` - private key passphrase, if needed. * ``connection-type`` - how to handle this connection process. Possible variants: @@ -113,6 +110,9 @@ Each site-to-site peer has the next options: Hostname is a DNS name which could be used when a peer has a public IP address and DNS name, but an IP address could be changed from time to time. +* ``replay-window`` - IPsec replay window to configure for this CHILD_SA + (default: 32), a value of 0 disables IPsec replay protection + * ``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer: @@ -127,6 +127,9 @@ Each site-to-site peer has the next options: * ``prefix`` - IP network at local side. + * ``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value + more preferable) + * ``protocol`` - define the protocol for match traffic, which should be encrypted and send to this peer; @@ -317,7 +320,7 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike @@ -357,7 +360,7 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike @@ -397,18 +400,18 @@ Key Parameters: routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration. -* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE +* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The - values clear, hold, and restart all activate DPD and determine the action to + values clear, trap, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. - ``hold`` installs a trap policy, which will catch matching traffic and tries + ``trap`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection. -* ``close-action = none | clear | hold | restart`` - defines the action to take +* ``close-action = none | clear | trap | start`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids. diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index d9bb4353..3749eb7b 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -19,81 +19,34 @@ local and RADIUS authentication. As SSTP provides PPP via a SSL/TLS channel the use of either publically signed certificates as well as a private PKI is required. -.. note:: All certificates should be stored on VyOS under ``/config/auth``. If - certificates are not stored in the ``/config`` directory they will not be - migrated during a software update. +*********************** +Configuring SSTP Server +*********************** Certificates ============ -Self Signed CA --------------- - -To generate the CA, the server private key and certificates the following -commands can be used. +Using our documentation chapter - :ref:`pki` generate and install CA and Server certificate .. code-block:: none - vyos@vyos:~$ mkdir -p /config/user-data/sstp - vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt - - Generating a 4096 bit RSA private key - .........................++ - ...............................................................++ - writing new private key to 'server.key' - [...] - Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: - - vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt - [...] - Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: + vyos@vyos:~$ generate pki ca install CA + +.. code-block:: none + vyos@vyos:~$ generate pki certificate sign CA install Server Configuration ============= +.. code-block:: none -.. cfgcmd:: set vpn sstp authentication local-users username <user> password - <pass> - - Create `<user>` for local authentication on this system. The users password - will be set to `<pass>`. - -.. cfgcmd:: set vpn sstp authentication local-users username <user> disable - - Disable `<user>` account. - -.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip - <address> - - Assign static IP address to `<user>` account. - -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit - download <bandwidth> - - Download bandwidth limit in kbit/s for `<user>`. - -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit - upload <bandwidth> - - Upload bandwidth limit in kbit/s for `<user>`. - -.. cfgcmd:: set vpn sstp authentication protocols - <pap | chap | mschap | mschap-v2> - - Require the peer to authenticate itself using one of the following protocols: - pap, chap, mschap, mschap-v2. + set vpn sstp authentication local-users username test password 'test' + set vpn sstp authentication mode 'local' + set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100' + set vpn sstp default-pool 'SSTP-POOL' + set vpn sstp gateway-address '10.0.0.1' + set vpn sstp ssl ca-certificate 'CA1' + set vpn sstp ssl certificate 'Server' .. cfgcmd:: set vpn sstp authentication mode <local | radius> @@ -104,17 +57,11 @@ Configuration server. * **local**: All authentication queries are handled locally. +.. cfgcmd:: set vpn sstp authentication local-users username <user> password + <pass> -.. cfgcmd:: set vpn sstp gateway-address <gateway> - - Specifies single `<gateway>` IP address to be used as local address of PPP - interfaces. - - -.. cfgcmd:: set vpn sstp port <port> - - Specifies the port `<port>` that the SSTP port will listen on (default 443). - + Create `<user>` for local authentication on this system. The users password + will be set to `<pass>`. .. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> @@ -123,101 +70,75 @@ Configuration it must be within a /24 subnet. If notation ``x.x.x.x/x`` is used there is possibility to set host/netmask. -.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> - - Use this command to define the next address pool name. - .. cfgcmd:: set vpn sstp default-pool <POOL-NAME> Use this command to define default address pool name. +.. cfgcmd:: set vpn sstp gateway-address <gateway> -.. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits> - - Use this comand to set the IPv6 address pool from which an SSTP client - will get an IPv6 prefix of your defined length (mask) to terminate the - SSTP endpoint at their side. The mask length can be set from 48 to 128 - bit long, the default value is 64. - - -.. cfgcmd:: set vpn sstp client-ipv6-pool delegate <address> delegation-prefix - <number-of-bits> - - Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on - SSTP. You will have to set your IPv6 pool and the length of the - delegation prefix. From the defined IPv6 pool you will be handing out - networks of the defined length (delegation-prefix). The length of the - delegation prefix can be set from 32 to 64 bit long. - - -.. cfgcmd:: set vpn sstp name-server <address> - - Connected client should use `<address>` as their DNS server. This - command accepts both IPv4 and IPv6 addresses. Up to two nameservers - can be configured for IPv4, up to three for IPv6. - -Maximum number of IPv4 nameservers + Specifies single `<gateway>` IP address to be used as local address of PPP + interfaces. -SSL Certificates ----------------- +.. cfgcmd:: set vpn sstp ssl ca-certificate <file> -.. cfgcmd:: set vpn sstp ssl ca-cert-file <file> + Name of installed certificate authority certificate. - Path to `<file>` pointing to the certificate authority certificate. +.. cfgcmd:: set vpn sstp ssl certificate <file> -.. cfgcmd:: set vpn sstp ssl cert-file <file> + Name of installed server certificate. - Path to `<file>` pointing to the servers certificate (public portion). +********************************* +Configuring RADIUS authentication +********************************* +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. -PPP Settings ------------- +.. code-block:: none -.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number> + set vpn sstp authentication mode radius - Defines the maximum `<number>` of unanswered echo requests. Upon reaching the - value `<number>`, the session will be reset. +.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret> -.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval> + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. - If this option is specified and is greater than 0, then the PPP module will - send LCP pings of the echo request every `<interval>` seconds. +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: -.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout +.. code-block:: none - Specifies timeout in seconds to wait for any peer activity. If this option - specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" - is not used. + set vpn sstp authentication radius server 10.0.0.1 key 'foo' + set vpn sstp authentication radius server 10.0.0.2 key 'foo' -.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny> +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. - Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation - preference. +RADIUS source address +===================== - * **require** - ask client for mppe, if it rejects drop connection - * **prefer** - ask client for mppe, if it rejects don't fail - * **deny** - deny mppe +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. You can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. - Default behavior - don't ask client for mppe, but allow it if client wants. - Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy - attribute. +.. cfgcmd:: set vpn sstp authentication radius source-address <address> + Source IPv4 address used in all RADIUS server queires. -RADIUS ------- +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. -Server -^^^^^^ +RADIUS advanced options +======================= .. cfgcmd:: set vpn sstp authentication radius server <server> port <port> Configure RADIUS `<server>` and its required port for authentication requests. -.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret> - - Configure RADIUS `<server>` and its required shared `<secret>` for - communicating with the RADIUS server. - .. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time> Mark RADIUS server as offline for this given `<time>` in seconds. @@ -226,9 +147,6 @@ Server Temporary disable this RADIUS server. -Options -^^^^^^^ - .. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout> Timeout to wait reply for Interim-Update packets. (default 3 seconds) @@ -272,6 +190,9 @@ Options Specifies which RADIUS server attribute contains the rate limit information. The default attribute is `Filter-Id`. +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. + .. cfgcmd:: set vpn sstp authentication radius rate-limit enable Enables bandwidth shaping via RADIUS. @@ -281,33 +202,285 @@ Options Specifies the vendor dictionary, dictionary needs to be in /usr/share/accel-ppp/radius. +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. + +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +Renaming clients interfaces by RADIUS +===================================== + +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. -Example -======= +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. -* Use local user `foo` with password `bar` -* Client IP addresses will be provided from pool `192.0.2.0/25` + +**** +IPv6 +**** +.. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny> + + Specifies IPv6 negotiation preference. + + * **require** - Require IPv6 negotiation + * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv6 only if client requests + * **deny** - Do not negotiate IPv6 (default value) + +.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> + + Use this comand to set the IPv6 address pool from which an SSTP client + will get an IPv6 prefix of your defined length (mask) to terminate the + SSTP endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. + +.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> + + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + SSTP. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. + +.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME> + + Use this command to define default IPv6 address pool name. .. code-block:: none - set vpn sstp authentication local-users username vyos password vyos - set vpn sstp authentication mode local - set vpn sstp gateway-address 192.0.2.254 - set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25 - set vpn sstp default-pool 'SSTP-POOL' - set vpn sstp name-server 10.0.0.1 - set vpn sstp name-server 10.0.0.2 - set vpn sstp ssl ca-cert-file /config/auth/ca.crt - set vpn sstp ssl cert-file /config/auth/server.crt - set vpn sstp ssl key-file /config/auth/server.key - -Testing SSTP -============ + set vpn sstp ppp-options ipv6 allow + set vpn sstp client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set vpn sstp client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set vpn sstp default-ipv6-pool IPv6-POOL + +IPv6 Advanced Options +===================== +.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id + + Accept peer interface identifier. By default is not defined. + +.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies fixed or random interface identifier for IPv6. + By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + +.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies peer interface identifier for IPv6. By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + * **ipv4-addr** - Calculate interface identifier from IPv4 address. + * **calling-sid** - Calculate interface identifier from calling-station-id. + +********* +Scripting +********* + +.. cfgcmd:: set vpn sstp extended-scripts on-change <path_to_script> + + Script to run when session interface changed by RADIUS CoA handling + +.. cfgcmd:: set vpn sstp extended-scripts on-down <path_to_script> + + Script to run when session interface going to terminate + +.. cfgcmd:: set vpn sstp extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set vpn sstp extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set vpn sstp authentication local-users username <user> disable + + Disable `<user>` account. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip + <address> + + Assign static IP address to `<user>` account. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn sstp authentication protocols + <pap | chap | mschap | mschap-v2> + + Require the peer to authenticate itself using one of the following protocols: + pap, chap, mschap, mschap-v2. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +PPP Advanced Options +==================== + +.. cfgcmd:: set vpn sstp ppp-options disable-ccp + + Disable Compression Control Protocol (CCP). + CCP is enabled by default. + +.. cfgcmd:: set vpn sstp ppp-options interface-cache <number> + + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. + +.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny> + + Specifies IPv4 negotiation preference. + + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 + +.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number> + + Defines the maximum `<number>` of unanswered echo requests. Upon reaching the + value `<number>`, the session will be reset. Default value is **3**. + +.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval> + + If this option is specified and is greater than 0, then the PPP module will + send LCP pings of the echo request every `<interval>` seconds. + Default value is **30**. + +.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout + + Specifies timeout in seconds to wait for any peer activity. If this option + specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" + is not used. Default value is **0**. + +.. cfgcmd:: set vpn sstp ppp-options min-mtu <number> + + Defines minimum acceptable MTU. If client will try to negotiate less then + specified MTU then it will be NAKed or disconnected if rejects greater MTU. + Default value is **100**. + +.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny> + + Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation + preference. + + * **require** - ask client for mppe, if it rejects drop connection + * **prefer** - ask client for mppe, if it rejects don't fail. (Default value) + * **deny** - deny mppe + + Default behavior - don't ask client for mppe, but allow it if client wants. + Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy + attribute. + +.. cfgcmd:: set vpn sstp ppp-options mru <number> + + Defines preferred MRU. By default is not defined. + +Global Advanced options +======================= + +.. cfgcmd:: set vpn sstp description <description> + + Set description. + +.. cfgcmd:: set vpn sstp limits burst <value> + + Burst count + +.. cfgcmd:: set vpn sstp limits connection-limit <value> + + Acceptable rate of connections (e.g. 1/min, 60/sec) + +.. cfgcmd:: set vpn sstp limits timeout <value> + + Timeout in seconds + +.. cfgcmd:: set vpn sstp mtu + + Maximum Transmission Unit (MTU) (default: **1500**) + +.. cfgcmd:: set vpn sstp max-concurrent-sessions + + Maximum number of concurrent session start attempts + +.. cfgcmd:: set vpn sstp name-server <address> + + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. + +.. cfgcmd:: set vpn sstp shaper fwmark <1-2147483647> + + Match firewall mark value + +.. cfgcmd:: set vpn sstp snmp master-agent + + Enable SNMP + +.. cfgcmd:: set vpn sstp wins-server <address> + + Windows Internet Name Service (WINS) servers propagated to client + +*********************** +Configuring SSTP client +*********************** Once you have setup your SSTP server there comes the time to do some basic testing. The Linux client used for testing is called sstpc_. sstpc_ requires a PPP configuration/peer file. +If you use a self-signed certificate, do not forget to install CA on the client side. + The following PPP configuration tests MSCHAP-v2: .. code-block:: none @@ -360,8 +533,115 @@ A connection attempt will be shown as: inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0 valid_lft forever preferred_lft forever +********** +Monitoring +********** +.. opcmd:: show sstp-server sessions -.. _sstpc: https://github.com/reliablehosting/sstp-client + Use this command to locally check the active sessions in the SSTP + server. + +.. code-block:: none + + vyos@vyos:~$ show sstp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+---------- + sstp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:15:46 | 16.3 KiB | 210 B +.. code-block:: none + + vyos@vyos:~$ show sstp-server statistics + uptime: 0.01:21:54 + cpu: 0% + mem(rss/virt): 6688/100464 kB + core: + mempool_allocated: 149420 + mempool_available: 146092 + thread_count: 1 + thread_active: 1 + context_count: 6 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 7 + md_handler_pending: 0 + timer_count: 2 + timer_pending: 0 + sessions: + starting: 0 + active: 1 + finishing: 0 + sstp: + starting: 0 + active: 1 + +*************** +Troubleshooting +*************** + +.. code-block:: none + + vyos@vyos:~$sudo journalctl -u accel-ppp@sstp -b 0 + + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: new connection from 192.168.10.100:49852 + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: starting + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: started + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTPCORRELATIONID: {48B82435-099A-4158-A987-052E7570CFAA}>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Content-Length: 18446744073709551615>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Host: vyos.io>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <HTTP/1.1 200 OK>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Date: Wed, 28 Feb 2024 17:03:04 GMT>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Content-Length: 18446744073709551615>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: auth_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ccp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipcp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipv6cp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ppp establishing + Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_start + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=0 <mru 4091> <magic 345f64ca> <pcomp> <accomp> < d 3 6 >] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=1 <mru 4091> <magic 345f64ca>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfNak id=1 <mru 1452>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=2 <mru 1452> <magic 345f64ca>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfAck id=2] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: fsm timeout 9 + Feb 28 17:03:07 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP ConfAck id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: lcp_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: :: auth_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=3 <MSRASV5.20>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=4 <MSRAS-0-MSEDGEWIN10>] + Feb 28 17:03:07 vyos accel-sstp[2492]: [50B blob data] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [PAP AuthReq id=3] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: connect: ppp0 <--> sstp(192.168.10.100:49852) + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ppp connected + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [PAP AuthAck id=3 "Authentication succeeded"] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: test: authentication succeeded + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: auth_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ccp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipv6cp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [SSTP SSTP_MSG_CALL_CONNECTED] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: IPV6CP: discarding packet + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [LCP ProtoRej id=88 <8057>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=7 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfReq id=25 <addr 10.0.0.1>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfRej id=7 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfAck id=25 <addr 10.0.0.1>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.5>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.5>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfAck id=9] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: rename interface to 'sstp0' + Feb 28 17:03:07 vyos accel-sstp[2492]: sstp0:test: sstp: ppp: started + +.. _sstpc: https://github.com/reliablehosting/sstp-client +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel .. include:: /_include/common-references.txt diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index bd482cd9..67eba886 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -67,6 +67,25 @@ can be used to filter which routes zebra will install in the kernel. .. note:: If you choose any as the option that will cause all protocols that are sending routes to zebra. +Nexthop Tracking +---------------- + +Nexthop tracking resolve nexthops via the default route by default. This is enabled +by default for a traditional profile of FRR which we use. It and can be disabled if +you do not wan't to e.g. allow BGP to peer across the default route. + +.. cfgcmd:: set vrf name <name> ip nht no-resolve-via-default + + Do not allow IPv4 nexthop tracking to resolve via the default route. This + parameter is configured per-VRF, so the command is also available in the VRF + subnode. + +.. cfgcmd:: set vrf name <name> ipv6 nht no-resolve-via-default + + Do not allow IPv4 nexthop tracking to resolve via the default route. This + parameter is configured per-VRF, so the command is also available in the VRF + subnode. + Interfaces ---------- |