summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-03-20 23:42:43 +0100
committerChristian Poessinger <christian@poessinger.com>2020-03-20 23:42:55 +0100
commitbf94e7dd7bcf7c01dcf5c4f90d9cfc9c116cb00c (patch)
treeea5ef1f3025fe0ed6480ad9497bcee28a49b3434 /docs
parent638387d17e07f01d9ca64610a276329aa7f02792 (diff)
downloadvyos-documentation-bf94e7dd7bcf7c01dcf5c4f90d9cfc9c116cb00c.tar.gz
vyos-documentation-bf94e7dd7bcf7c01dcf5c4f90d9cfc9c116cb00c.zip
sstp: move to VPN section
Diffstat (limited to 'docs')
-rw-r--r--docs/services/index.rst1
-rw-r--r--docs/vpn/index.rst9
-rw-r--r--docs/vpn/sstp.rst (renamed from docs/services/sstp-server.rst)120
3 files changed, 67 insertions, 63 deletions
diff --git a/docs/services/index.rst b/docs/services/index.rst
index e0773090..ed00a29b 100644
--- a/docs/services/index.rst
+++ b/docs/services/index.rst
@@ -17,7 +17,6 @@ This chapter describes the available system/network services provided by VyOS.
mdns-repeater
ipoe-server
pppoe-server
- sstp-server
udp-broadcast-relay
snmp
ssh
diff --git a/docs/vpn/index.rst b/docs/vpn/index.rst
index d0e440b0..42a90a3f 100644
--- a/docs/vpn/index.rst
+++ b/docs/vpn/index.rst
@@ -7,10 +7,11 @@ VPN
.. toctree::
:maxdepth: 2
- openvpn
- l2tp
- site2site_ipsec
- gre-ipsec
dmvpn
+ gre-ipsec
+ l2tp
+ openvpn
pptp
+ site2site_ipsec
+ sstp
wireguard
diff --git a/docs/services/sstp-server.rst b/docs/vpn/sstp.rst
index 6e311e19..c5eb5dbf 100644
--- a/docs/services/sstp-server.rst
+++ b/docs/vpn/sstp.rst
@@ -62,17 +62,33 @@ commands can be used.
Configuration
=============
-.. cfgcmd:: set service sstp-server authentication local-users username <user> password <pass>
+.. cfgcmd:: set vpn sstp authentication local-users username <user> password <pass>
Create `<user>` for local authentication on this system. The users password
will be set to `<pass>`.
-.. cfgcmd:: set service sstp-server authentication protocols <pap | chap | mschap | mschap-v2>
+.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
+
+ Disable `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip <address>
+
+ Assign static IP address to `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit download <bandwidth>
+
+ Download bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit upload <bandwidth>
+
+ Upload bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication protocols <pap | chap | mschap | mschap-v2>
Require the peer to authenticate itself using one of the following protocols:
pap, chap, mschap, mschap-v2.
-.. cfgcmd:: set service sstp-server authentication mode <local | radius>
+.. cfgcmd:: set vpn sstp authentication mode <local | radius>
Set authentication backend. The configured authentication backend is used
for all queries.
@@ -82,61 +98,58 @@ Configuration
* **local**: All authentication queries are handled locally.
-.. cfgcmd:: set service sstp-server network-settings client-ip-settings gateway-address <gateway>
+.. cfgcmd:: set vpn sstp network-settings client-ip-settings gateway-address <gateway>
Specifies single `<gateway>` IP address to be used as local address of PPP
interfaces.
-.. cfgcmd:: set service sstp-server network-settings client-ip-settings subnet <subnet>
+.. cfgcmd:: set vpn sstp network-settings client-ip-settings subnet <subnet>
Use `<subnet>` as the IP pool for all connecting clients.
-.. cfgcmd:: set service sstp-server network-settings dns-server primary-dns <address>
-
- Connected client should use `<address>` as their primary DNS server.
+.. cfgcmd:: set vpn sstp network-settings name-server <address>
+ Connected client should use `<address>` as their DNS server. Up to two IPv4
+ nameservers can be configured.
-.. cfgcmd:: set service sstp-server network-settings dns-server secondary-dns <address>
-
- Connected client should use `<address>` as their secondary DNS server.
SSL Certificates
----------------
-.. cfgcmd:: set service sstp-server sstp-settings ssl-certs ca <file>
+.. cfgcmd:: set vpn sstp ssl ca-cert-file <file>
Path to `<file>` pointing to the certificate authority certificate.
-.. cfgcmd:: set service sstp-server sstp-settings ssl-certs server-cert <file>
+.. cfgcmd:: set vpn sstp ssl cert-file <file>
Path to `<file>` pointing to the servers certificate (public portion).
-.. cfgcmd:: set service sstp-server sstp-settings ssl-certs server-key <file>
+.. cfgcmd:: set vpn sstp ssl key-file <file>
Path to `<file>` pointing to the servers certificate (private portion).
PPP Settings
------------
-.. cfgcmd:: set service sstp-server ppp-settings lcp-echo-failure <number>
+.. cfgcmd:: set vpn sstp ppp-settings lcp-echo-failure <number>
Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
value `<number>`, the session will be reset.
-.. cfgcmd:: set service sstp-server ppp-settings lcp-echo-interval <interval>
+.. cfgcmd:: set vpn sstp ppp-settings lcp-echo-interval <interval>
If this option is specified and is greater than 0, then the PPP module will
send LCP pings of the echo request every `<interval>` seconds.
-.. cfgcmd:: set service sstp-server ppp-settings lcp-echo-timeout
+.. cfgcmd:: set vpn sstp ppp-settings lcp-echo-timeout
Specifies timeout in seconds to wait for any peer activity. If this option
specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
is not used.
-.. cfgcmd:: set service sstp-server ppp-settings mppe <require | prefer | deny>
+.. cfgcmd:: set vpn sstp ppp-settings mppe <require | prefer | deny>
Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation
preference.
@@ -156,107 +169,98 @@ RADIUS
Server
^^^^^^
-.. cfgcmd:: set service sstp-server authentication radius-server <server> secret <secret>
+.. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
- Configure RADIUS `<server>` and its required shared `<secret>` for
- communicating with the RADIUS server.
+ Configure RADIUS `<server>` and its required port for authentication requests.
-.. cfgcmd:: set service sstp-server authentication radius-server <server> secret <secret>
+.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>
Configure RADIUS `<server>` and its required shared `<secret>` for
communicating with the RADIUS server.
-.. cfgcmd:: set service sstp-server authentication radius-server <server> fail-time <time>
+.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time>
Mark RADIUS server as offline for this given `<time>` in seconds.
-.. cfgcmd:: set service sstp-server authentication radius-server <server> req-limit <limit>
+.. cfgcmd:: set vpn sstp authentication radius server <server> disable
- Maximum number of simultaneous requests to RADIUS server, default is
- unlimited.
+ Temporary disable this RADIUS server.
Options
^^^^^^^
-.. cfgcmd:: set service sstp-server authentication radius-settings acct-timeout
+.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout>
Timeout to wait reply for Interim-Update packets. (default 3 seconds)
-
-.. cfgcmd:: set service sstp-server authentication radius-settings dae-server ip-address <address>
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address>
Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
-
-.. cfgcmd:: set service sstp-server authentication radius-settings dae-server port <port>
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port>
Port for Dynamic Authorization Extension server (DM/CoA)
-
-.. cfgcmd:: set service sstp-server authentication radius-settings dae-server secret <secret>
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret>
Secret for Dynamic Authorization Extension server (DM/CoA)
-
-.. cfgcmd:: set service sstp-server authentication radius-settings max-try <number>
+.. cfgcmd:: set vpn sstp authentication radius max-try <number>
Maximum number of tries to send Access-Request/Accounting-Request queries
-
-.. cfgcmd:: set service sstp-server authentication radius-settings timeout <timeout>
+.. cfgcmd:: set vpn sstp authentication radius timeout <timeout>
Timeout to wait response from server (seconds)
-
-.. cfgcmd:: set service sstp-server authentication radius-settings nas-identifier <identifier>
+.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier>
Value to send to RADIUS server in NAS-Identifier attribute and to be matched
in DM/CoA requests.
-
-.. cfgcmd:: set service sstp-server authentication radius-settings nas-ip-address <address>
+.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address>
Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
in DM/CoA requests. Also DM/CoA server will bind to that address.
+.. cfgcmd:: set vpn sstp authentication radius source-address <address>
+
+ Source IPv4 address used in all RADIUS server queires.
-.. cfgcmd:: set service sstp-server authentication radius-settings rate-limit attribute <attribute>
+.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute>
Specifies which RADIUS server attribute contains the rate limit information.
The default attribute is `Filter-Id`.
-
-.. cfgcmd:: set service sstp-server authentication radius-settings rate-limit enable
+.. cfgcmd:: set vpn sstp authentication radius rate-limit enable
Enables bandwidth shaping via RADIUS.
-
-.. cfgcmd:: set service sstp-server authentication radius-settings rate-limit vendor
+.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor
Specifies the vendor dictionary, dictionary needs to be in
/usr/share/accel-ppp/radius.
-
Example
=======
* Use local user `foo` with password `bar`
-* Client IP addresses will be provided from pool `192.0.2.0/24`
+* Client IP addresses will be provided from pool `192.0.2.0/25`
-Use <tab> to setup the ``set sstp-settings ssl-certs ...``, it automatically
+Use <tab> to setup the ``set ssl...``, it automatically
looks for all files and directories in ``/config/user-data/sstp``.
.. code-block:: none
- set service sstp-server authentication local-users username foo password 'bar'
- set service sstp-server authentication mode 'local'
- set service sstp-server network-settings client-ip-settings gateway-address '192.0.2.0'
- set service sstp-server network-settings client-ip-settings subnet '192.0.2.0/24'
- set service sstp-server network-settings dns-server primary-dns '10.100.100.1'
- set service sstp-server network-settings dns-server secondary-dns '10.200.100.1'
- set service sstp-server sstp-settings ssl-certs ca 'ca.crt'
- set service sstp-server sstp-settings ssl-certs server-cert 'server.crt'
- set service sstp-server sstp-settings ssl-certs server-key 'server.key'
+ set vpn sstp authentication local-users username foo password 'bar'
+ set vpn sstp authentication mode 'local'
+ set vpn sstp network-settings client-ip-settings gateway-address '192.0.2.254'
+ set vpn sstp network-settings client-ip-settings subnet '192.0.2.0/25'
+ set vpn sstp network-settings name-server '10.0.0.1'
+ set vpn sstp network-settings name-server '10.0.0.2'
+ set vpn sstp ssl ca-cert-file 'ca.crt'
+ set vpn sstp ssl cert-file 'server.crt'
+ set vpn sstp ssl key-file 'server.key'
.. include:: ../common-references.rst