-rw-r--r-- | docs/vpn/l2tp.rst | 74 |
1 files changed, 46 insertions, 28 deletions
diff --git a/docs/vpn/l2tp.rst b/docs/vpn/l2tp.rst index 76268900..0dd5fe3e 100644 --- a/docs/vpn/l2tp.rst +++ b/docs/vpn/l2tp.rst @@ -3,7 +3,8 @@ L2TP ----------- -VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be used with local authentication or a connected RADIUS server. +VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be used +with local authentication or a connected RADIUS server. L2TP over IPsec =============== @@ -26,7 +27,8 @@ with native Windows and Mac VPN clients): set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access authentication local-users username test password 'test' -In the example above an external IP of 192.0.2.2 is assumed. Nexthop IP address 192.168.255.1 uses as client tunnel termination point. +In the example above an external IP of 192.0.2.2 is assumed. Nexthop IP address +192.168.255.1 uses as client tunnel termination point. If a local firewall policy is in place on your external interface you will need to allow the ports below: @@ -66,7 +68,8 @@ To allow VPN-clients access via your external address, a NAT rule is required: set nat source rule 110 translation address masquerade -VPN-clients will request configuration parameters, optionally you can DNS parameter to the client. +VPN-clients will request configuration parameters, optionally you can DNS +parameter to the client. .. code-block:: sh 
@@ -82,15 +85,15 @@ operational command, or **show l2tp-server sessions** .. code-block:: sh vyos@vyos:~$ show vpn remote-access - ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime + ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime --------+----------+--------------+---------------+------------+------+------+--------+---------- - ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13 + ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13 LNS (L2TP Network Server) ========================= -LNS are often used to connect to a LAC (L2TP Access Concentrator). +LNS are often used to connect to a LAC (L2TP Access Concentrator). Below is an example to configure a LNS: 
@@ -101,13 +104,16 @@ Below is an example to configure a LNS: set vpn l2tp remote-access client-ip-pool start 192.168.255.2 set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 set vpn l2tp remote-access lns shared-secret 'secret' - set vpn l2tp remote-access ccp-disable + set vpn l2tp remote-access ccp-disable set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access authentication local-users username test password 'test' -The example above uses 192.0.2.2 as external IP address, the nexthop is supposed to be 192.168.255.1 and is used as client termination point. -A LAC normally requires an authentication password, which is set in the example configuration to ``lns shared-secret 'secret'``. -This setup requires the Compression Control Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` accomplishes that. +The example above uses 192.0.2.2 as external IP address, the nexthop is supposed +to be 192.168.255.1 and is used as client termination point. A LAC normally +requires an authentication password, which is set in the example configuration +to ``lns shared-secret 'secret'``. This setup requires the Compression Control +Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` +accomplishes that. Bandwidth Shaping @@ -115,7 +121,7 @@ Bandwidth Shaping Bandwidth rate limits can be set for local users or via RADIUS based attributes. -Bandwidth Shaping for local users +Bandwidth Shaping for local users ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The rate-limit is set in kbit/sec. 
@@ -131,31 +137,34 @@ The rate-limit is set in kbit/sec. set vpn l2tp remote-access authentication local-users username test rate-limit download 20480 set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240 - vyos@vyos:~$ show vpn remote-access - ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime + vyos@vyos:~$ show vpn remote-access + ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime -------+----------+--------------+---------------+-------------+------+------+--------+----------- - ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30 + ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30 RADIUS authentication ====================== -To enable RADIUS based authentication, the authentication mode needs to be changed withing the configuration. -Previous settings like the local users, still exists within the configuration, however they are not used if the mode -has been changed from local to radius. Once changed back to local, it will use all local accounts again. +To enable RADIUS based authentication, the authentication mode needs to be +changed withing the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. .. code-block:: sh set vpn l2tp remote-access authentication mode <local|radius> -Since the RADIUS server would be a single point of failure, multiple RADIUS server can be setup and will be used subsequentially. +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. .. code-block:: sh set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo' set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo' -.. 
note:: Some RADIUS_ severs use an access control list which allows or denies queries, - make sure to add your VyOS router to the allowed client list. +.. note:: Some RADIUS_ severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. RADIUS source address ^^^^^^^^^^^^^^^^^^^^^ @@ -171,8 +180,8 @@ single source IP e.g. the loopback interface. Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries on this NAS. -.. note:: - The ``source-address`` must be configured on one of VyOS interface. +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best proctice would be a loopback or dummy interface. RADIUS bandwidth shaping attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -183,31 +192,40 @@ To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enable set vpn l2tp remote-access authentication radius rate-limit enable -The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also redefine it. +The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also +redefine it. .. code-block:: sh set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed -.. note:: If you set a custom RADIUS attribute you must define it on both dictionaries at RADIUS server and client, which is the vyos router in our example. +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client, which is the vyos router in our + example. The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/radius/`` RADIUS advanced features ^^^^^^^^^^^^^^^^^^^^^^^^ -Received RADIUS attributes have a higher priority than parameters defined withm the cli configuration, refer to the explanation below. + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. Allocation clients ip addresses by RADIUS ***************************************** -If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ip-pool within the cli config is being ignored. +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ip-pool within the CLI +config is being ignored. Renaming clients interfaces by RADIUS ************************************* -If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be renamed. +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. -.. 
note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 characters, otherwise the interface won't be renamed. +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. .. _`Google Public DNS`: https://developers.google.com/speed/public-dns |
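Review bot: the rewrapped introduction in the `@@ -3,7 +3,8 @@` hunk still reads `VyOS utilizes accel-ppp_ to provide SSTP server functionality.`, yet this file is docs/vpn/l2tp.rst under the `L2TP` heading; since the line is being rewritten anyway, change `SSTP` to `L2TP` so the opening sentence describes the feature this page documents.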
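Review bot: the `@@ -26,7 +27,8 @@` hunk carries the grammar error in `Nexthop IP address 192.168.255.1 uses as client tunnel termination point.` forward unchanged; while reflowing it, make it `Nexthop IP address 192.168.255.1 is used as the client tunnel termination point.`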
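Review bot: in the `@@ -66,7 +68,8 @@` hunk the sentence `optionally you can DNS parameter to the client.` is missing its verb and survives the rewrap as-is; a wording such as `optionally you can pass DNS parameters to the client.` reads correctly.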
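Review bot: the new line `Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable``` in the `@@ -101,13 +104,16 @@` hunk is about 85 columns wide, so it breaks the 80-column reflow this commit applies to every other paragraph; ending the sentence before the inline literal or placing the literal on its own line keeps the limit, and `requires ... being disabled` should read `requires ... to be disabled`.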
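Review bot: the `@@ -131,31 +137,34 @@` hunk rewraps several sentences without fixing the typos in them: `changed withing the configuration` should be `within`, `Previous settings like the local users, still exists` should be `Previous settings like the local users still exist`, `subsequentially` should be `subsequently`, and `Some RADIUS_ severs` should be `servers`. Fixing these in the same reflow avoids touching the lines a second time.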
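Review bot: the sentence added in the `@@ -171,8 +180,8 @@` hunk, `Best proctice would be a loopback or dummy interface.`, introduces a typo (`practice`), and the retained `must be configured on one of VyOS interface.` should read `on one of the VyOS interfaces.`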
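Review bot: two rewrapped lines in the `@@ -183,31 +192,40 @@` hunk keep inconsistent capitalisation, `ppp tunnels will be` and `which is the vyos router in our`, where the rest of the file writes `PPP` and `VyOS`; the `withm` -> `within` and `cli` -> `CLI` corrections and the blank line added after the `RADIUS advanced features` underline in this hunk are correct, so extending the same cleanup to these two spellings would make the section uniform.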