-rw-r--r-- | docs/vpn/l2tp.rst | 176 |
1 files changed, 139 insertions, 37 deletions
diff --git a/docs/vpn/l2tp.rst b/docs/vpn/l2tp.rst index 656da0ef..05496b46 100644 --- a/docs/vpn/l2tp.rst +++ b/docs/vpn/l2tp.rst @@ -1,10 +1,13 @@ .. _l2tp: -VyOS utilizes accel-ppp_ to provide L2TP server functionality. It can be used +L2TP +---- + +VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be used with local authentication or a connected RADIUS server. L2TP over IPsec ---------------- +=============== Example for configuring a simple L2TP over IPsec VPN for remote access (works with native Windows and Mac VPN clients): 
@@ -15,25 +18,26 @@ with native Windows and Mac VPN clients): set vpn ipsec nat-traversal enable set vpn ipsec nat-networks allowed-network 0.0.0.0/0 - set vpn l2tp remote-access outside-address 203.0.113.2 - set vpn l2tp remote-access client-ip-pool start 192.168.255.1 + set vpn l2tp remote-access outside-address 192.0.2.2 + set vpn l2tp remote-access outside-nexthop 192.168.255.1 + set vpn l2tp remote-access client-ip-pool start 192.168.255.2 set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret> set vpn l2tp remote-access authentication mode local - set vpn l2tp remote-access authentication local-users username <username> password <password> + set vpn l2tp remote-access authentication local-users username test password 'test' -In the example above an external IP of 203.0.113.2 is assumed. +In the example above an external IP of 192.0.2.2 is assumed. Nexthop IP address +192.168.255.1 uses as client tunnel termination point. If a local firewall policy is in place on your external interface you will need -to open: +to allow the ports below: * UDP port 500 (IKE) * IP protocol number 50 (ESP) * UDP port 1701 for IPsec -In addition when NAT is detected by the VPN client ESP is encapsulated in UDP -for NAT-traversal: +As well as the below to allow NAT-traversal: * UDP port 4500 (NAT-T) @@ -42,7 +46,6 @@ Example: .. code-block:: sh set firewall name OUTSIDE-LOCAL rule 40 action 'accept' - set firewall name OUTSIDE-LOCAL rule 40 destination port '50' set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp' set firewall name OUTSIDE-LOCAL rule 41 action 'accept' set firewall name OUTSIDE-LOCAL rule 41 destination port '500' 
@@ -55,8 +58,8 @@ Example: set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec' set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp' -Also note that if you wish to allow the VPN to be used for external access you -will need to add the appropriate source NAT rules to your configuration. +To allow VPN-clients access via your external address, a NAT rule is required: + .. code-block:: sh @@ -64,8 +67,9 @@ will need to add the appropriate source NAT rules to your configuration. set nat source rule 110 source address '192.168.255.0/24' set nat source rule 110 translation address masquerade -To be able to resolve when connected to the VPN, the following DNS rules are -needed as well. + +VPN-clients will request configuration parameters, optionally you can DNS +parameter to the client. .. code-block:: sh 
@@ -76,56 +80,153 @@ needed as well. public available servers from Quad9_ (9.9.9.9) or Cloudflare_ (1.1.1.1). Established sessions can be viewed using the **show vpn remote-access** -operational command. +operational command, or **show l2tp-server sessions** .. code-block:: sh vyos@vyos:~$ show vpn remote-access - Active remote access VPN sessions: - User Proto Iface Tunnel IP TX byte RX byte Time - ---- ----- ----- --------- ------- ------- ---- - vyos L2TP l2tp0 192.168.255.1 3.2K 8.0K 00h06m13s + ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime + --------+----------+--------------+---------------+------------+------+------+--------+---------- + ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13 + + +LNS (L2TP Network Server) +========================= + +LNS are often used to connect to a LAC (L2TP Access Concentrator). + +Below is an example to configure a LNS: + +.. code-block:: sh + + set vpn l2tp remote-access outside-address 192.0.2.2 + set vpn l2tp remote-access outside-nexthop 192.168.255.1 + set vpn l2tp remote-access client-ip-pool start 192.168.255.2 + set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 + set vpn l2tp remote-access lns shared-secret 'secret' + set vpn l2tp remote-access ccp-disable + set vpn l2tp remote-access authentication mode local + set vpn l2tp remote-access authentication local-users username test password 'test' + +The example above uses 192.0.2.2 as external IP address, the nexthop is supposed +to be 192.168.255.1 and is used as client termination point. A LAC normally +requires an authentication password, which is set in the example configuration +to ``lns shared-secret 'secret'``. This setup requires the Compression Control +Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` +accomplishes that. 
-RADIUS authentication -^^^^^^^^^^^^^^^^^^^^^ -The above configuration made use of local accounts on the VyOS router for -authenticating L2TP/IPSec clients. In bigger environments usually something -like RADIUS_ (FreeRADIUS_ or Microsoft `Network Policy Server`_, NPS) is used. +Bandwidth Shaping +================= -VyOS supports either `local` or `radius` user authentication: +Bandwidth rate limits can be set for local users or via RADIUS based attributes. + +Bandwidth Shaping for local users +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The rate-limit is set in kbit/sec. + +.. code-block:: sh + + set vpn l2tp remote-access outside-address 192.0.2.2 + set vpn l2tp remote-access outside-nexthop 192.168.255.1 + set vpn l2tp remote-access client-ip-pool start 192.168.255.2 + set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 + set vpn l2tp remote-access authentication mode local + set vpn l2tp remote-access authentication local-users username test password test + set vpn l2tp remote-access authentication local-users username test rate-limit download 20480 + set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240 + + vyos@vyos:~$ show vpn remote-access + ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime + -------+----------+--------------+---------------+-------------+------+------+--------+----------- + ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30 + +RADIUS authentication +====================== + +To enable RADIUS based authentication, the authentication mode needs to be +changed withing the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. .. 
code-block:: sh set vpn l2tp remote-access authentication mode <local|radius> -In addition one or more RADIUS_ servers can be configured to server for user -authentication. This is done using the `radius server` and `radius server key` -nodes: +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. .. code-block:: sh - set vpn l2tp remote-access authentication radius server 1.1.1.1 key 'foo' - set vpn l2tp remote-access authentication radius server 2.2.2.2 key 'foo' + set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo' + set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo' -.. note:: Some RADIUS_ severs make use of an access control list who is allowed - to query the server. Please configure your VyOS router in the allowed client - list. +.. note:: Some RADIUS_ severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. RADIUS source address -********************* +^^^^^^^^^^^^^^^^^^^^^ -If you are using e.g. OSPF as IGP always the nearest interface facing the RADIUS +If you are using OSPF as IGP always the closets interface connected to the RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface. .. code-block:: sh - set vpn l2tp remote-access authentication radius source-address 3.3.3.3 + set vpn l2tp remote-access authentication radius source-address 10.0.0.3 -Above command will use `3.3.3.3` as source IPv4 address for all RADIUS queries +Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries on this NAS. +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best proctice would be a loopback or dummy interface. 
+ +RADIUS bandwidth shaping attribute +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled. + +.. code-block:: sh + + set vpn l2tp remote-access authentication radius rate-limit enable + +The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also +redefine it. + +.. code-block:: sh + + set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed + +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client, which is the vyos router in our + example. + +The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/radius/`` + +RADIUS advanced features +^^^^^^^^^^^^^^^^^^^^^^^^ + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +***************************************** + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ip-pool within the CLI +config is being ignored. + +Renaming clients interfaces by RADIUS +************************************* + +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. + +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. + .. _`Google Public DNS`: https://developers.google.com/speed/public-dns .. _Quad9: https://quad9.net @@ -133,3 +234,4 @@ on this NAS. .. _RADIUS: https://en.wikipedia.org/wiki/RADIUS .. _FreeRADIUS: https://freeradius.org .. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server +.. _accel-ppp: https://accel-ppp.org/ |
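Review bot: the rewritten intro line in the -1,10 +1,13 hunk says accel-ppp provides "SSTP server functionality", but this file is docs/vpn/l2tp.rst and the removed line correctly said L2TP; this looks like a copy from the SSTP page and should read `VyOS utilizes accel-ppp_ to provide L2TP server functionality.` The new top-level `L2TP` heading with the section underlines demoted to `===` is otherwise consistent with the rest of the hunk.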
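Review bot: in the -15,25 +18,26 hunk the added sentence `192.168.255.1 uses as client tunnel termination point.` is missing its verb and should read `192.168.255.1 is used as the client tunnel termination point.` The same hunk replaces the `<username>`/`<password>` placeholders with a literal `username test password 'test'` in a block readers are likely to paste; keep the placeholders, or state that `test`/`test` is only a sample account. It also drops the explanation that ESP is wrapped in UDP when the client sits behind NAT, which was the reason UDP/4500 is needed; `As well as the below to allow NAT-traversal:` is not a complete sentence, so consider keeping the original wording.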
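Review bot: removing `set firewall name OUTSIDE-LOCAL rule 40 destination port '50'` in the -42,7 +46,6 hunk is correct, since ESP is IP protocol 50 and has no port, so a `destination port` match combined with `protocol 'esp'` could never match and the rule as previously documented would not have admitted ESP traffic; it is worth calling this out as a fix rather than a wording cleanup.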
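Review bot: the new sentence in the -55,8 +58,8 hunk, `To allow VPN-clients access via your external address, a NAT rule is required:`, loses the condition the removed text carried, namely that source NAT is only needed if clients should reach destinations beyond the router through its external address; suggest `If VPN clients should reach external networks through the router's public address, a source NAT (masquerade) rule for the client pool is required:`. The extra `+` blank line inserted before `.. code-block:: sh` is harmless but unnecessary.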
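Review bot: the added sentence in the -64,8 +67,9 hunk, `VPN-clients will request configuration parameters, optionally you can DNS parameter to the client.`, is missing a verb and runs two clauses together; suggest `VPN clients request configuration parameters when the session is set up; optionally you can hand DNS server addresses to the client.` The removed sentence also made clear that without this the client cannot resolve names while connected, which is worth keeping.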
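Review bot: the `show vpn remote-access` sample output in the -76,56 +80,153 hunk shows the client at `ip 192.168.255.1`, but the configuration in this same document now reserves 192.168.255.1 as `outside-nexthop` and starts `client-ip-pool` at 192.168.255.2, so a client cannot receive .1; the later rate-limit sample output correctly shows `192.168.255.2`, so the first table should be updated to match. Smaller points in the same hunk: `or **show l2tp-server sessions**` leaves the sentence without a full stop; `LNS are often used to connect to a LAC` and `an example to configure a LNS` should read `An LNS is often used` and `an LNS`; `requires the Compression Control Protocol (CCP) being disabled` reads better as `requires ... to be disabled`; `password test` in the rate-limit example lacks the quotes used in every other example; spelling: `withing` should be `within`, `still exists` should be `still exist`, `closets` should be `closest` (the removed line had `nearest`), `severs` should be `servers`, `Best proctice` should be `Best practice`, `used subsequentially` should be `used one after the other`, and `on one of VyOS interface` should be `on one of the VyOS interfaces`; the headings `Allocation clients ip addresses by RADIUS` and `Renaming clients interfaces by RADIUS` should be `Allocating client IP addresses via RADIUS` and `Renaming client interfaces via RADIUS`; and the sentence ending in ``/usr/share/accel-ppp/radius/`` lacks a full stop.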