diff options
| -rw-r--r-- | .github/PULL_REQUEST_TEMPLATE.md | 22 | ||||
| -rw-r--r-- | docs/automation/index.rst | 5 | ||||
| -rw-r--r-- | docs/automation/terraform/index.rst | 12 | ||||
| -rw-r--r-- | docs/automation/terraform/terraformAWS.rst | 104 | ||||
| -rw-r--r-- | docs/automation/terraform/terraformAZ.rst | 488 | ||||
| -rw-r--r-- | docs/automation/terraform/terraformGoogle.rst | 0 | ||||
| -rw-r--r-- | docs/automation/terraform/terraformvSphere.rst | 400 | ||||
| -rw-r--r-- | docs/automation/terraform/terraformvyos.rst | 39 | ||||
| -rw-r--r-- | docs/automation/vyos-pyvyos.rst | 28 | ||||
| -rw-r--r-- | docs/configuration/firewall/ipv4.rst | 23 | ||||
| -rw-r--r-- | docs/configuration/highavailability/index.rst | 10 | ||||
| -rw-r--r-- | docs/configuration/service/conntrack-sync.rst | 4 | ||||
| -rw-r--r-- | docs/configuration/service/dns.rst | 198 | ||||
| -rw-r--r-- | docs/configuration/vpn/pptp.rst | 552 | ||||
| -rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 39 | ||||
| -rw-r--r-- | docs/configuration/vpn/sstp.rst | 595 | ||||
| -rw-r--r-- | docs/documentation.rst | 229 |
17 files changed, 2206 insertions, 542 deletions
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 00000000..2c8a9873 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,22 @@ +<!-- All PR should follow this template to allow a clean and transparent review --> +<!-- Text placed between these delimiters is considered a comment and is not rendered --> + +## Change Summary +<!--- Provide a general summary of your changes in the Title above --> + +## Related Task(s) +<!-- optional: Link related Tasks on Phabricator. --> +* https://vyos.dev/Txxxx + +## Related PR(s) +<!-- optional: Link here any PRs in other repositories that are related to this PR --> + +## Backport +<!-- optional: the PR should backport to this documentation branch --> + + + +## Checklist: +<!--- Go over all the following points, and put an `x` in all the boxes that apply. --> +<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> +- [ ] I have read the [**CONTRIBUTING**](https://github.com/vyos/vyos-documentation/blob/master/CONTRIBUTING.md) document
\ No newline at end of file diff --git a/docs/automation/index.rst b/docs/automation/index.rst index 48e83a96..fe70acce 100644 --- a/docs/automation/index.rst +++ b/docs/automation/index.rst @@ -2,11 +2,6 @@ VyOS Automation ############### - - * Nornir - * startup scripts - - .. toctree:: :maxdepth: 2 diff --git a/docs/automation/terraform/index.rst b/docs/automation/terraform/index.rst index 9a51df91..42af58bd 100644 --- a/docs/automation/terraform/index.rst +++ b/docs/automation/terraform/index.rst @@ -2,17 +2,13 @@ VyOS Terraform ############## - - * Nornir - * startup scripts - - .. toctree:: :maxdepth: 1 :caption: Content + terraformvyos terraformAWS -# terraformAZ -# terraformvSphere -# terraformGoogle + terraformAZ + terraformvSphere + terraformGoogle diff --git a/docs/automation/terraform/terraformAWS.rst b/docs/automation/terraform/terraformAWS.rst index c81fe906..c705d55e 100644 --- a/docs/automation/terraform/terraformAWS.rst +++ b/docs/automation/terraform/terraformAWS.rst @@ -1,43 +1,11 @@ :lastproofread: 2024-01-11 -.. _vyos-terraform: +.. _terraformAWS: -Terraform for VyOS -================== +Deploying VyOS in the AWS cloud +=============================== -VyOS supports development infrastructure via Terraform and provisioning via Ansible. -Terraform allows you to automate the process of deploying instances on many cloud and virtual platforms. -In this article, we will look at using terraforms to deploy vyos on platforms - AWS, AZURE, and vSphere. -More detailed about what is Terraform you can write using the link_. - -Need to install_ Terraform - -Structure of files in the standard Terraform project: - -.. code-block:: none - - . - ├── main.tf # The main script - ├── version.tf # File for the changing version of Terraform. - ├── variables.tf # The file of all variables in "main.tf" - └── terraform.tfvars # The value of all variables (passwords, login, ip adresses and so on) - - -General commands that we will use for running Terraform scripts - - -.. code-block:: none - - #cd /<your folder> # go to the Terrafom project - #terraform init # install all addons and provider (aws az and so on) - #terraform plan # show wtah is changing - #terraform apply # run script - #yes # apply running - - -Deploying vyos in the AWS cloud -------------------------------- -With the help of terraforms, you can quickly deploy Vyos-based infrastructure in the AWS cloud. If necessary, the infrastructure can be removed using terraform. +With the help of Terraform, you can quickly deploy VyOS-based infrastructure in the AWS cloud. If necessary, the infrastructure can be removed using terraform. Also we will make provisioning using Ansible. @@ -58,16 +26,16 @@ Step by step: AWS -1.1 Create an account with AWS and get your "access_key", "secret key" + 1 Create an account with AWS and get your "access_key", "secret key" -1.2 Create a key pair_ and download your .pem key + 2 Create a key pair_ and download your .pem key .. image:: /_static/images/keypairs.png :width: 50% :align: center :alt: Network Topology Diagram -1.3 Create a security group_ for the new VyOS instance and open all traffic + 3 Create a security group_ for the new VyOS instance and open all traffic .. image:: /_static/images/sg.png :width: 50% @@ -83,36 +51,36 @@ AWS Terraform -2.1 Create a0 UNIX or Windows instance + 1 Create an UNIX or Windows instance -2.2 Download and install Terraform + 2 Download and install Terraform -2.3 Create the folder for example /root/awsterraform + 3 Create the folder for example /root/awsterraform .. code-block:: none mkdir /root/awsterraform -2.4 Copy all files into your Terraform project "/root/awsterraform" (vyos.tf, var.tf, terraform.tfvars,version.tf), more detailed see `Structure of files Terrafom for AWS`_ + 4 Copy all files into your Terraform project "/root/awsterraform" (vyos.tf, var.tf, terraform.tfvars,version.tf), more detailed see `Structure of files Terrafom for AWS`_ -2.5 Type the commands : + 5 Type the commands : .. code-block:: none - #cd /<your folder> - #terraform init + cd /<your folder> + terraform init Ansible -3.1 Create a UNIX instance whenever you want (local, cloud, and so on) + 1 Create an UNIX instance whenever you want (local, cloud, and so on) -3.2 Download and install Ansible + 2 Download and install Ansible -3.3 Create the folder for example /root/aws/ + 3 Create the folder for example /root/aws/ -3.4 Copy all files into your Ansible project "/root/aws/" (ansible.cfg, instance.yml, mykey.pem and "all"), more detailed see `Structure of files Ansible for AWS`_ + 4 Copy all files into your Ansible project "/root/aws/" (ansible.cfg, instance.yml, mykey.pem and "all"), more detailed see `Structure of files Ansible for AWS`_ mykey.pem you have to get using step 1.2 @@ -120,14 +88,14 @@ mykey.pem you have to get using step 1.2 Start -4.1 Type the commands on your Terrafom instance: +Type the commands on your Terrafom instance: .. code-block:: none - #cd /<your folder> - #terraform plan - #terraform apply - #yes + cd /<your folder> + terraform plan + terraform apply + yes Start creating an AWS instance and check the result @@ -265,14 +233,14 @@ Start creating an AWS instance and check the result null_resource.SSHconnection2: Still creating... [40s elapsed] null_resource.SSHconnection2: Still creating... [50s elapsed] null_resource.SSHconnection2: Still creating... [1m0s elapsed] - null_resource.SSHconnection2 (remote-exec): ok: [54.144.84.120] + null_resource.SSHconnection2 (remote-exec): ok: [54.xxx.xxx.xxx] null_resource.SSHconnection2 (remote-exec): TASK [Configure general settings for the vyos hosts group] ********************* null_resource.SSHconnection2: Still creating... [1m10s elapsed] - null_resource.SSHconnection2 (remote-exec): changed: [54.144.84.120] + null_resource.SSHconnection2 (remote-exec): changed: [54.xxx.xxx.xxx] null_resource.SSHconnection2 (remote-exec): PLAY RECAP ********************************************************************* - null_resource.SSHconnection2 (remote-exec): 54.144.84.120 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + null_resource.SSHconnection2 (remote-exec): 54.xxx.xxx.xxx : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 null_resource.SSHconnection2: Creation complete after 1m16s [id=4902256962410024771] @@ -280,7 +248,7 @@ Start creating an AWS instance and check the result Outputs: - my_IP = "54.144.84.120" + my_IP = "54.xxx.xxx.xxx" @@ -289,17 +257,17 @@ If you need to delete the instance please type the command: .. code-block:: none - #terraform destroy + terraform destroy Troubleshooting --------------- -1. Ansible doesn't connect via SSH to your AWS instance: you have to check that your SSH key has copied into the path /root/aws/. + 1 Ansible doesn't connect via SSH to your AWS instance: you have to check that your SSH key has copied into the path /root/aws/. Also, increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location). Make sure that you have opened access to the instance in the security group. -2. Terraform doesn't connect via SSH to your Ansible instance: you have to check the correct login and password in the part of the file vyos. tf + 2 Terraform doesn't connect via SSH to your Ansible instance: you have to check the correct login and password in the part of the file VyOS. tf .. code-block:: none @@ -320,8 +288,8 @@ Structure of files Terrafom for AWS . ├── vyos.tf # The main script - ├── var.tf # File for the changing version of Terraform. - ├── versions.tf # The file of all variables in "vyos.tf" + ├── var.tf # The file of all variables in "vyos.tf" + ├── versions.tf # File for the changing version of Terraform. └── terraform.tfvars # The value of all variables (passwords, login, ip adresses and so on) @@ -533,7 +501,7 @@ instance.yml ############################################################################## # About tasks: # "Wait 300 seconds, but only start checking after 60 seconds" - try to make ssh connection every 60 seconds until 300 seconds - # "Configure general settings for the vyos hosts group" - make provisioning into AWS VyOS node + # "Configure general settings for the VyOS hosts group" - make provisioning into AWS VyOS node # You have to add all necessary cammans of VyOS under the block "lines:" ############################################################################## @@ -549,15 +517,15 @@ instance.yml delay: 60 timeout: 300 - - name: "Configure general settings for the vyos hosts group" + - name: "Configure general settings for the VyOS hosts group" vyos_config: lines: - - set system name-server 8.8.8.8 + - set system name-server xxx.xxx.xxx.xxx save: true -all +group_vars/all .. code-block:: none diff --git a/docs/automation/terraform/terraformAZ.rst b/docs/automation/terraform/terraformAZ.rst new file mode 100644 index 00000000..a0fea023 --- /dev/null +++ b/docs/automation/terraform/terraformAZ.rst @@ -0,0 +1,488 @@ +:lastproofread: 2024-03-03 + +.. _terraformAZ: + +Deploying VyOS in the Azure cloud +================================= + +With the help of Terraform, you can quickly deploy VyOS-based infrastructure in the Azure cloud. If necessary, the infrastructure can be removed using terraform. +Also we will make provisioning using Ansible. + +In this case, we'll create the necessary files for Terraform and Ansible next using Terraform we'll create a single instance on the Azure cloud and make provisioning using Ansible. + +Preparation steps for deploying VyOS on Azure +--------------------------------------------- + +How to create a single instance and install your configuration using Terraform+Ansible+Azure +Step by step: + +Azure + + 1 Create an account with Azure + +Terraform + + + 1 Create an UNIX or Windows instance + + 2 Download and install Terraform + + 3 Create the folder for example /root/azvyos/ + +.. code-block:: none + + mkdir /root/azvyos + + 4 Copy all files into your Terraform project "/root/azvyos" (vyos.tf, var.tf, terraform.tfvars), more detailed see `Structure of files Terrafom for Azure`_ + + 5 Login with Azure using the command + +.. code-block:: none + + az login + +2.6 Type the commands : + +.. code-block:: none + + cd /<your folder> + terraform init + +Ansible + + + 1 Create an UNIX instance whenever you want (local, cloud, and so on) + + 2 Download and install Ansible + + 3 Create the folder for example /root/az/ + + 4 Copy all files into your Ansible project "/root/az/" (ansible.cfg, instance.yml,"all"), more detailed see `Structure of files Ansible for Azure`_ + + +Start + + +Type the commands on your Terrafom instance: + +.. code-block:: none + + cd /<your folder> + terraform plan + terraform apply + yes + +After executing all the commands you will have your VyOS instance on the Azure cloud with your configuration, it's a very convenient desition. +If you need to delete the instance please type the command: + +.. code-block:: none + + terraform destroy + +Structure of files Terrafom for Azure +------------------------------------- + +.. code-block:: none + + . + ├── vyos.tf # The main script + ├── var.tf # File for the changing version of Terraform. + └── terraform.tfvars # The value of all variables (passwords, login, ip adresses and so on) + +File contents of Terrafom for Azure +----------------------------------- + +vyos.tf + +.. code-block:: none + + + ############################################################################## + # HashiCorp Guide to Using Terraform on Azure + # This Terraform configuration will create the following: + # Resource group with a virtual network and subnet + # An VyOS server without ssh key (only login+password) + ############################################################################## + + # Chouse a provider + + provider "azurerm" { + features {} + } + + # Create a resource group. In Azure every resource belongs to a + # resource group. + + resource "azurerm_resource_group" "azure_vyos" { + name = "${var.resource_group}" + location = "${var.location}" + } + + # The next resource is a Virtual Network. + + resource "azurerm_virtual_network" "vnet" { + name = "${var.virtual_network_name}" + location = "${var.location}" + address_space = ["${var.address_space}"] + resource_group_name = "${var.resource_group}" + } + + # Build a subnet to run our VMs in. + + resource "azurerm_subnet" "subnet" { + name = "${var.prefix}subnet" + virtual_network_name = "${azurerm_virtual_network.vnet.name}" + resource_group_name = "${var.resource_group}" + address_prefixes = ["${var.subnet_prefix}"] + } + + ############################################################################## + # Build an VyOS VM from the Marketplace + # To finde nessesery image use the command: + # + # az vm image list --offer vyos --all + # + # Now that we have a network, we'll deploy an VyOS server. + # An Azure Virtual Machine has several components. In this example we'll build + # a security group, a network interface, a public ip address, a storage + # account and finally the VM itself. Terraform handles all the dependencies + # automatically, and each resource is named with user-defined variables. + ############################################################################## + + + # Security group to allow inbound access on port 22 (ssh) + + resource "azurerm_network_security_group" "vyos-sg" { + name = "${var.prefix}-sg" + location = "${var.location}" + resource_group_name = "${var.resource_group}" + + security_rule { + name = "SSH" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "${var.source_network}" + destination_address_prefix = "*" + } + } + + # A network interface. + + resource "azurerm_network_interface" "vyos-nic" { + name = "${var.prefix}vyos-nic" + location = "${var.location}" + resource_group_name = "${var.resource_group}" + + ip_configuration { + name = "${var.prefix}ipconfig" + subnet_id = "${azurerm_subnet.subnet.id}" + private_ip_address_allocation = "Dynamic" + public_ip_address_id = "${azurerm_public_ip.vyos-pip.id}" + } + } + + # Add a public IP address. + + resource "azurerm_public_ip" "vyos-pip" { + name = "${var.prefix}-ip" + location = "${var.location}" + resource_group_name = "${var.resource_group}" + allocation_method = "Dynamic" + } + + # Build a virtual machine. This is a standard VyOS instance from Marketplace. + + resource "azurerm_virtual_machine" "vyos" { + name = "${var.hostname}-vyos" + location = "${var.location}" + resource_group_name = "${var.resource_group}" + vm_size = "${var.vm_size}" + + network_interface_ids = ["${azurerm_network_interface.vyos-nic.id}"] + delete_os_disk_on_termination = "true" + + # To finde an information about the plan use the command: + # az vm image list --offer vyos --all + + plan { + publisher = "sentriumsl" + name = "vyos-1-3" + product = "vyos-1-2-lts-on-azure" + } + + storage_image_reference { + publisher = "${var.image_publisher}" + offer = "${var.image_offer}" + sku = "${var.image_sku}" + version = "${var.image_version}" + } + + storage_os_disk { + name = "${var.hostname}-osdisk" + managed_disk_type = "Standard_LRS" + caching = "ReadWrite" + create_option = "FromImage" + } + + os_profile { + computer_name = "${var.hostname}" + admin_username = "${var.admin_username}" + admin_password = "${var.admin_password}" + } + + os_profile_linux_config { + disable_password_authentication = false + } + } + + data "azurerm_public_ip" "example" { + depends_on = ["azurerm_virtual_machine.vyos"] + name = "vyos-ip" + resource_group_name = "${var.resource_group}" + } + output "public_ip_address" { + value = data.azurerm_public_ip.example.ip_address + } + + # IP of AZ instance copied to a file ip.txt in local system + + resource "local_file" "ip" { + content = data.azurerm_public_ip.example.ip_address + filename = "ip.txt" + } + + #Connecting to the Ansible control node using SSH connection + + resource "null_resource" "nullremote1" { + depends_on = ["azurerm_virtual_machine.vyos"] + connection { + type = "ssh" + user = "root" + password = var.password + host = var.host + } + + # Copying the ip.txt file to the Ansible control node from local system + + provisioner "file" { + source = "ip.txt" + destination = "/root/az/ip.txt" + } + } + + resource "null_resource" "nullremote2" { + depends_on = ["azurerm_virtual_machine.vyos"] + connection { + type = "ssh" + user = "root" + password = var.password + host = var.host + } + + # Command to run ansible playbook on remote Linux OS + + provisioner "remote-exec" { + + inline = [ + "cd /root/az/", + "ansible-playbook instance.yml" + ] + } + } + + +var.tf + +.. code-block:: none + + ############################################################################## + # Variables File + # + # Here is where we store the default values for all the variables used in our + # Terraform code. + ############################################################################## + + variable "resource_group" { + description = "The name of your Azure Resource Group." + default = "my_resource_group" + } + + variable "prefix" { + description = "This prefix will be included in the name of some resources." + default = "vyos" + } + + variable "hostname" { + description = "Virtual machine hostname. Used for local hostname, DNS, and storage-related names." + default = "vyos_terraform" + } + + variable "location" { + description = "The region where the virtual network is created." + default = "centralus" + } + + variable "virtual_network_name" { + description = "The name for your virtual network." + default = "vnet" + } + + variable "address_space" { + description = "The address space that is used by the virtual network. You can supply more than one address space. Changing this forces a new resource to be created." + default = "10.0.0.0/16" + } + + variable "subnet_prefix" { + description = "The address prefix to use for the subnet." + default = "10.0.10.0/24" + } + + variable "storage_account_tier" { + description = "Defines the storage tier. Valid options are Standard and Premium." + default = "Standard" + } + + variable "storage_replication_type" { + description = "Defines the replication type to use for this storage account. Valid options include LRS, GRS etc." + default = "LRS" + } + + # The most chippers size + + variable "vm_size" { + description = "Specifies the size of the virtual machine." + default = "Standard_B1s" + } + + variable "image_publisher" { + description = "Name of the publisher of the image (az vm image list)" + default = "sentriumsl" + } + + variable "image_offer" { + description = "Name of the offer (az vm image list)" + default = "vyos-1-2-lts-on-azure" + } + + variable "image_sku" { + description = "Image SKU to apply (az vm image list)" + default = "vyos-1-3" + } + + variable "image_version" { + description = "Version of the image to apply (az vm image list)" + default = "1.3.3" + } + + variable "admin_username" { + description = "Administrator user name" + default = "vyos" + } + + variable "admin_password" { + description = "Administrator password" + default = "Vyos0!" + } + + variable "source_network" { + description = "Allow access from this network prefix. Defaults to '*'." + default = "*" + } + + variable "password" { + description = "pass for Ansible" + type = string + sensitive = true + } + variable "host"{ + description = "IP of my Ansible" + } + +terraform.tfvars + +.. code-block:: none + + password = "" # password for Ansible SSH + host = "" # IP of my Ansible + + +Structure of files Ansible for Azure +------------------------------------ + +.. code-block:: none + + . + ├── group_vars + └── all + ├── ansible.cfg + └── instance.yml + + +File contents of Ansible for Azure +---------------------------------- + +ansible.cfg + +.. code-block:: none + + [defaults] + inventory = /root/az/ip.txt + host_key_checking= False + remote_user=vyos + + +instance.yml + + +.. code-block:: none + + ############################################################################## + # About tasks: + # "Wait 300 seconds, but only start checking after 60 seconds" - try to make ssh connection every 60 seconds until 300 seconds + # "Configure general settings for the VyOS hosts group" - make provisioning into Azure VyOS node + # You have to add all necessary cammans of VyOS under the block "lines:" + ############################################################################## + + + - name: integration of terraform and ansible + hosts: all + gather_facts: 'no' + + tasks: + + - name: "Wait 300 seconds, but only start checking after 60 seconds" + wait_for_connection: + delay: 60 + timeout: 300 + + - name: "Configure general settings for the VyOS hosts group" + vyos_config: + lines: + - set system name-server xxx.xxx.xxx.xxx + save: + true + + +group_vars/all + +.. code-block:: none + + ansible_connection: ansible.netcommon.network_cli + ansible_network_os: vyos.vyos.vyos + + # user and password gets from terraform variables "admin_username" and "admin_password" in the file /root/azvyos/var.tf + ansible_user: vyos + ansible_ssh_pass: Vyos0! + +Sourse files for Azure from GIT +------------------------------- + +All files about the article can be found here_ + +.. _here: https://github.com/vyos/vyos-automation/tree/main/TerraformCloud/Azure_terraform_ansible_single_vyos_instance-main + + diff --git a/docs/automation/terraform/terraformGoogle.rst b/docs/automation/terraform/terraformGoogle.rst new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/docs/automation/terraform/terraformGoogle.rst diff --git a/docs/automation/terraform/terraformvSphere.rst b/docs/automation/terraform/terraformvSphere.rst new file mode 100644 index 00000000..5d39261b --- /dev/null +++ b/docs/automation/terraform/terraformvSphere.rst @@ -0,0 +1,400 @@ +:lastproofread: 2024-03-03 + +.. _terraformvSphere: + +Deploying VyOS in the vSphere infrastructure +============================================ + +With the help of Terraform, you can quickly deploy VyOS-based infrastructure in the vSphere. +Also we will make provisioning using Ansible. + +In this case, we'll create the necessary files for Terraform and Ansible next using Terraform we'll create a single instance on the vSphere cloud and make provisioning using Ansible. + +Preparation steps for deploying VyOS on vSphere +----------------------------------------------- + +How to create a single instance and install your configuration using Terraform+Ansible+vSphere +Step by step: + + +vSphere + + + 1 Collect all data in to file "terraform.tfvars" and create resources for example "terraform" + + +Terraform + + + 1 Create an UNIX or Windows instance + + 2 Download and install Terraform + + 3 Create the folder for example /root/vsphereterraform + +.. code-block:: none + + mkdir /root/vsphereterraform + + + 4 Copy all files into your Terraform project "/root/vsphereterraform" (vyos.tf, var.tf, terraform.tfvars,version.tf), more detailed see `Structure of files Terrafom for vSphere`_ + + 5 Type the commands : + +.. code-block:: none + + cd /<your folder> + terraform init + + +Ansible + + + 1 Create an UNIX instance whenever you want (local, cloud, and so on) + + 2 Download and install Ansible + + 3 Create the folder for example /root/vsphereterraform/ + + 4 Copy all files into your Ansible project "/root/vsphereterraform/" (ansible.cfg, instance.yml,"all"), more detailed see `Structure of files Ansible for vSphere`_ + + +Start + + +Type the commands on your Terrafom instance: + +.. code-block:: none + + cd /<your folder> + terraform plan + terraform apply + yes + + +After executing all the commands you will have your VyOS instance on the vSphere with your configuration, it's a very convenient desition. +If you need to delete the instance please type the command: + +.. code-block:: none + + terraform destroy + + +Structure of files Terrafom for vSphere +--------------------------------------- + +.. code-block:: none + + . + ├── vyos.tf # The main script + ├── versions.tf # File for the changing version of Terraform. + ├── var.tf # File for the changing version of Terraform. + └── terraform.tfvars # The value of all variables (passwords, login, ip adresses and so on) + + +File contents of Terrafom for vSphere +------------------------------------- + +vyos.tf + +.. code-block:: none + + provider "vsphere" { + user = var.vsphere_user + password = var.vsphere_password + vsphere_server = var.vsphere_server + allow_unverified_ssl = true + } + + data "vsphere_datacenter" "datacenter" { + name = var.datacenter + } + + data "vsphere_datastore" "datastore" { + name = var.datastore + datacenter_id = data.vsphere_datacenter.datacenter.id + } + + data "vsphere_compute_cluster" "cluster" { + name = var.cluster + datacenter_id = data.vsphere_datacenter.datacenter.id + } + + data "vsphere_resource_pool" "default" { + name = format("%s%s", data.vsphere_compute_cluster.cluster.name, "/Resources/terraform") # set as you need + datacenter_id = data.vsphere_datacenter.datacenter.id + } + + data "vsphere_host" "host" { + name = var.host + datacenter_id = data.vsphere_datacenter.datacenter.id + } + + data "vsphere_network" "network" { + name = var.network_name + datacenter_id = data.vsphere_datacenter.datacenter.id + } + + # Deployment of VM from Remote OVF + resource "vsphere_virtual_machine" "vmFromRemoteOvf" { + name = var.remotename + datacenter_id = data.vsphere_datacenter.datacenter.id + datastore_id = data.vsphere_datastore.datastore.id + host_system_id = data.vsphere_host.host.id + resource_pool_id = data.vsphere_resource_pool.default.id + network_interface { + network_id = data.vsphere_network.network.id + } + wait_for_guest_net_timeout = 2 + wait_for_guest_ip_timeout = 2 + + ovf_deploy { + allow_unverified_ssl_cert = true + remote_ovf_url = var.url_ova + disk_provisioning = "thin" + ip_protocol = "IPv4" + ip_allocation_policy = "dhcpPolicy" + ovf_network_map = { + "Network 1" = data.vsphere_network.network.id + "Network 2" = data.vsphere_network.network.id + } + } + vapp { + properties = { + "password" = "12345678", + "local-hostname" = "terraform_vyos" + } + } + } + + output "ip" { + description = "default ip address of the deployed VM" + value = vsphere_virtual_machine.vmFromRemoteOvf.default_ip_address + } + + # IP of vSphere instance copied to a file ip.txt in local system + + resource "local_file" "ip" { + content = vsphere_virtual_machine.vmFromRemoteOvf.default_ip_address + filename = "ip.txt" + } + + #Connecting to the Ansible control node using SSH connection + + resource "null_resource" "nullremote1" { + depends_on = ["vsphere_virtual_machine.vmFromRemoteOvf"] + connection { + type = "ssh" + user = "root" + password = var.ansiblepassword + host = var.ansiblehost + + } + + # Copying the ip.txt file to the Ansible control node from local system + + provisioner "file" { + source = "ip.txt" + destination = "/root/vsphere/ip.txt" + } + } + + resource "null_resource" "nullremote2" { + depends_on = ["vsphere_virtual_machine.vmFromRemoteOvf"] + connection { + type = "ssh" + user = "root" + password = var.ansiblepassword + host = var.ansiblehost + } + + # Command to run ansible playbook on remote Linux OS + + provisioner "remote-exec" { + + inline = [ + "cd /root/vsphere/", + "ansible-playbook instance.yml" + ] + } + } + + +versions.tf + +.. code-block:: none + + # Copyright (c) HashiCorp, Inc. + # SPDX-License-Identifier: MPL-2.0 + + terraform { + required_providers { + vsphere = { + source = "hashicorp/vsphere" + version = "2.4.0" + } + } + } + +var.tf + +.. code-block:: none + + # Copyright (c) HashiCorp, Inc. + # SPDX-License-Identifier: MPL-2.0 + + variable "vsphere_server" { + description = "vSphere server" + type = string + } + + variable "vsphere_user" { + description = "vSphere username" + type = string + } + + variable "vsphere_password" { + description = "vSphere password" + type = string + sensitive = true + } + + variable "datacenter" { + description = "vSphere data center" + type = string + } + + variable "cluster" { + description = "vSphere cluster" + type = string + } + + variable "datastore" { + description = "vSphere datastore" + type = string + } + + variable "network_name" { + description = "vSphere network name" + type = string + } + + variable "host" { + description = "name if yor host" + type = string + } + + variable "remotename" { + description = "the name of you VM" + type = string + } + + variable "url_ova" { + description = "the URL to .OVA file or cloude store" + type = string + } + + variable "ansiblepassword" { + description = "Ansible password" + type = string + } + + variable "ansiblehost" { + description = "Ansible host name or IP" + type = string + } + +terraform.tfvars + +.. code-block:: none + + vsphere_user = "" + vsphere_password = "" + vsphere_server = "" + datacenter = "" + datastore = "" + cluster = "" + network_name = "" + host = "" + url_ova = "" + ansiblepassword = "" + ansiblehost = "" + remotename = "" + + +Structure of files Ansible for vSphere +-------------------------------------- + +.. code-block:: none + + . + ├── group_vars + └── all + ├── ansible.cfg + └── instance.yml + + +File contents of Ansible for vSphere +------------------------------------ + +ansible.cfg + +.. code-block:: none + + [defaults] + inventory = /root/vsphere/ip.txt + host_key_checking= False + remote_user=vyos + + +instance.yml + +.. code-block:: none + + ############################################################################## + # About tasks: + # "Wait 300 seconds, but only start checking after 60 seconds" - try to make ssh connection every 60 seconds until 300 seconds + # "Configure general settings for the VyOS hosts group" - make provisioning into vSphere VyOS node + # You have to add all necessary cammans of VyOS under the block "lines:" + ############################################################################## + + + - name: integration of terraform and ansible + hosts: all + gather_facts: 'no' + + tasks: + + - name: "Wait 300 seconds, but only start checking after 60 seconds" + wait_for_connection: + delay: 60 + timeout: 300 + + - name: "Configure general settings for the VyOS hosts group" + vyos_config: + lines: + - set system name-server 8.8.8.8 + save: + true + + +group_vars/all + +.. code-block:: none + + ansible_connection: ansible.netcommon.network_cli + ansible_network_os: vyos.vyos.vyos + + # user and password gets from terraform variables "admin_username" and "admin_password" + ansible_user: vyos + # get from vyos.tf "vapp" + ansible_ssh_pass: 12345678 + + +Sourse files for vSphere from GIT +--------------------------------- + +All files about the article can be found here_ + +.. _here: https://github.com/vyos/vyos-automation/tree/main/TerraformCloud/Vsphere_terraform_ansible_single_vyos_instance-main + diff --git a/docs/automation/terraform/terraformvyos.rst b/docs/automation/terraform/terraformvyos.rst new file mode 100644 index 00000000..42dc7492 --- /dev/null +++ b/docs/automation/terraform/terraformvyos.rst @@ -0,0 +1,39 @@ +:lastproofread: 2024-03-03 + +.. _terraformvyos: + +Terraform for VyOS +================== + +VyOS supports development infrastructure via Terraform and provisioning via Ansible. +Terraform allows you to automate the process of deploying instances on many cloud and virtual platforms. +In this article, we will look at using terraforms to deploy VyOS on platforms - AWS, Azure, and vSphere. +For more details about Terraform please have a look here link_. + +Need to install_ Terraform + +Structure of files in the standard Terraform project: + +.. code-block:: none + + . + ├── main.tf # The main script + ├── version.tf # File for the changing version of Terraform. + ├── variables.tf # The file of all variables in "main.tf" + └── terraform.tfvars # The value of all variables (passwords, login, ip adresses and so on) + + +General commands that we will use for running Terraform scripts + + +.. code-block:: none + + cd /<your folder> # go to the Terrafom project + terraform init # install all addons and provider (aws az and so on) + terraform plan # show what is changing + terraform apply # run script + yes # apply running + + +.. _link: https://developer.hashicorp.com/terraform/intro +.. _install: https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli
\ No newline at end of file diff --git a/docs/automation/vyos-pyvyos.rst b/docs/automation/vyos-pyvyos.rst index fba9b8b7..948534f8 100644 --- a/docs/automation/vyos-pyvyos.rst +++ b/docs/automation/vyos-pyvyos.rst @@ -1,20 +1,28 @@ -:lastproofread: 2023-12-15 +:lastproofread: 2024-03-10 .. _vyos-pyvyos: -PyVyOS +pyvyos ====== -PyVyOS is a Python library for interacting with VyOS devices via their API. -This documentation guides you on using PyVyOS to manage your VyOS devices programmatically. -The complete PyVyOS documentation is available on [Read the Docs](https://pyvyos.readthedocs.io/en/latest/), -and the library can be found on [GitHub](https://github.com/robertoberto/pyvyos) -and [PyPI](https://pypi.org/project/pyvyos/). +pyvyos is a Python library designed for interacting with VyOS devices through +their API. This documentation is intended to guide you in using pyvyos for +programmatic management of your VyOS devices. + +- `pyvyos Documentation on Read the Docs + <https://pyvyos.readthedocs.io/en/latest/>`_ provides detailed instructions + on the installation, configuration, and operation of the pyvyos library. +- `pyvyos Source Code on GitHub <https://github.com/robertoberto/pyvyos>`_ + allows you to access and contribute to the library's code. +- `pyvyos on PyPI <https://pypi.org/project/pyvyos/>`_ for easy installation + via pip, the Python package installer. Execute `pip install pyvyos` in your + terminal to install. + Installation ------------ -You can install PyVyOS using pip: +You can install pyvyos using pip: .. code-block:: bash @@ -61,7 +69,7 @@ Initializing a VyDevice Object device = VyDevice(hostname=hostname, apikey=apikey, port=port, protocol=protocol, verify=verify) -Using PyVyOS +Using pyvyos ------------ Configure, then Set @@ -145,4 +153,4 @@ Configure, then Load File response = device.config_file_load(file="/config/test300.config") -.. _pyvyos: https://github.com/robertoberto/pyvyos
\ No newline at end of file +.. _pyvyos: https://github.com/robertoberto/pyvyos diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index 9a683d22..ff739418 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst @@ -325,6 +325,29 @@ There are a lot of matching criteria against which the packet can be tested. Match criteria based on connection mark. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + conntrack-helper <module> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + conntrack-helper <module> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + conntrack-helper <module> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + conntrack-helper <module> + + Match based on connection tracking protocol helper module to secure use of + that helper module. See below for possible completions `<module>`. + + .. code-block:: none + + Possible completions: + ftp Related traffic from FTP helper + h323 Related traffic from H.323 helper + pptp Related traffic from PPTP helper + nfs Related traffic from NFS helper + sip Related traffic from SIP helper + tftp Related traffic from TFTP helper + sqlnet Related traffic from SQLNet helper + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source address [address | addressrange | CIDR] .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> source address [address | addressrange | CIDR] diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 7f06faa8..9158ac1d 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -318,6 +318,16 @@ times: set high-availability vrrp group Foo health-check interval 60 set high-availability vrrp group Foo health-check failure-count 3 +When the vrrp group is a member of the sync group will use only +the sync group health check script. +This example shows how to configure it for the sync group: + +.. code-block:: none + + set high-availability vrrp sync-group Bar health-check script /config/scripts/vrrp-check.sh + set high-availability vrrp sync-group Bar health-check interval 60 + set high-availability vrrp sync-group Bar health-check failure-count 3 + Transition scripts ^^^^^^^^^^^^^^^^^^ diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index 468b39d9..d43f2385 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst @@ -98,6 +98,10 @@ Configuration This diable the external cache and directly injects the flow-states into the in-kernel Connection Tracking System of the backup firewall. +.. cfgcmd:: set service conntrack-sync disable-syslog + + Disable connection logging via Syslog. + ********* Operation ********* diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index e430dc73..c6deb179 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst @@ -143,33 +143,6 @@ avoid being tracked by the provider of your upstream DNS server. 168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream DNS server(s) to be used for reverse lookups of these zones. -.. cfgcmd:: set service dns forwarding serve-stale-extension <0-65535> - - Maximum number of times an expired record’s TTL is extended by 30s when - serving stale. Extension only occurs if a record cannot be refreshed. A - value of 0 means the Serve Stale mechanism is not used. To allow records - becoming stale to be served for an hour, use a value of 120. - -.. cfgcmd:: set service dns forwarding exclude-throttle-address <ip|prefix> - - When an authoritative server does not answer a query or sends a reply the - recursor does not like, it is throttled. Any servers matching the supplied - netmasks will never be throttled. - -.. cfgcmd:: set service dns forwarding options ecs-add-for <address> - - The requestor netmask for which the requestor IP Address should be used as the - EDNS Client Subnet for outgoing queries. - -.. cfgcmd:: set service dns forwarding options ecs-ipv4-bits <number> - - Number of bits of client IPv4 address to pass when sending EDNS Client Subnet - address information. - -.. cfgcmd:: set service dns forwarding options edns-subnet-allow-list <address|domain> - - The netmask or domain that EDNS Client Subnet should be enabled for in outgoing queries. - Example ======= @@ -231,8 +204,8 @@ this only one purpose. ddclient_ uses two methods to update a DNS record. The first one will send updates directly to the DNS daemon, in compliance with :rfc:`2136`. The second -one involves a third party service, like DynDNS.com or any other similar -website. This method uses HTTP requests to transmit the new IP address. You +one involves a third party service, like DynDNS.com or any other such +service provider. This method uses HTTP requests to transmit the new IP address. You can configure both in VyOS. .. _dns:dynmaic_config: @@ -243,46 +216,43 @@ Configuration :rfc:`2136` Based ----------------- -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> - Create new :rfc:`2136` DNS update configuration which will update the IP + Create new dynamic DNS update configuration which will update the IP address assigned to `<interface>` on the service you configured under `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - key <keyfile> +.. cfgcmd:: set service dns dynamic name <service-name> description <text> + + Set description `<text>` for dynamic DNS service being configured. + +.. cfgcmd:: set service dns dynamic name <service-name> key <filename> - File identified by `<keyfile>` containing the secret RNDC key shared with - remote DNS server. + File identified by `<filename>` containing the TSIG authentication key for RFC2136 + nsupdate on remote DNS server. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - server <server> +.. cfgcmd:: set service dns dynamic name <service-name> server <server> Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignment. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - zone <zone> +.. cfgcmd:: set service dns dynamic name <service-name> zone <zone> Configure DNS `<zone>` to be updated. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - record <record> +.. cfgcmd:: set service dns dynamic name <service-name> host-name <record> - Configure DNS `<record>` which should be updated. This can be set multiple - times. + Configure DNS `<record>` which should be updated. This can be set multiple times. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - ttl <ttl> +.. cfgcmd:: set service dns dynamic name <service-name> ttl <ttl> Configure optional TTL value on the given resource record. This defaults to 600 seconds. -.. cfgcmd:: set service dns dynamic timeout <60-3600> +.. cfgcmd:: set service dns dynamic interval <60-3600> - Specify timeout / update interval to check if IP address changed. - - This defaults to 300 seconds. + Specify interval in seconds to wait between Dynamic DNS updates. + The default is 300 seconds. .. _dns:dynmaic_example: @@ -295,32 +265,48 @@ Example .. code-block:: none + # Configuration commands entered: + # + set service dns dynamic name 'VyOS-DNS' address interface 'eth0' + set service dns dynamic name 'VyOS-DNS' description 'RFC 2136 dynamic dns service' + set service dns dynamic name 'VyOS-DNS' key '/config/auth/my.key' + set service dns dynamic name 'VyOS-DNS' server 'ns1.vyos.io' + set service dns dynamic name 'VyOS-DNS' zone 'vyos.io' + set service dns dynamic name 'VyOS-DNS' host-name 'example.vyos.io' + set service dns dynamic name 'VyOS-DNS' protocol 'nsupdate' + set service dns dynamic name 'VyOS-DNS' ttl '300' + + # Resulting config: + # vyos@vyos# show service dns dynamic - interface eth0.7 { - rfc2136 VyOS-DNS { - key /config/auth/my.key - record example.vyos.io - server ns1.vyos.io - ttl 300 - zone vyos.io + name VyOS-DNS { + address { + interface eth0 } + description "RFC 2136 dynamic dns service" + host-name example.vyos.io + key /config/auth/my.key + protocol nsupdate + server ns1.vyos.io + ttl 300 + zone vyos.io } This will render the following ddclient_ configuration entry: .. code-block:: none + # ddclient configuration for interface "eth0": # - # ddclient configuration for interface "eth0.7": - # - use=if, if=eth0.7 - - # RFC2136 dynamic DNS configuration for example.vyos.io.vyos.io - server=ns1.vyos.io - protocol=nsupdate - password=/config/auth/my.key - ttl=300 - zone=vyos.io + + # Web service dynamic DNS configuration for VyOS-DNS: [nsupdate, example.vyos.io] + use=if, \ + if=eth0, \ + protocol=nsupdate, \ + server=ns1.vyos.io, \ + zone=vyos.io, \ + password='/config/auth/my.key', \ + ttl=300 \ example.vyos.io .. note:: You can also keep different DNS zone updated. Just create a new @@ -335,40 +321,43 @@ VyOS is also able to use any service relying on protocols supported by ddclient. To use such a service, one must define a login, password, one or multiple hostnames, protocol and server. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - host-name <hostname> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> + + Create new dynamic DNS update configuration which will update the IP + address assigned to `<interface>` on the service you configured under + `<service-name>`. + +.. cfgcmd:: set service dns dynamic name <service-name> description <text> + + Set description `<text>` for dynamic DNS service being configured. + +.. cfgcmd:: set service dns dynamic name <service-name> host-name <hostname> Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS - provider identified by `<service>` when the IP address on address - `<interface>` changes. + provider identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - username <username> +.. cfgcmd:: set service dns dynamic name <service-name> username <username> Configure `<username>` used when authenticating the update request for - DynDNS service identified by `<service>`. - For Namecheap, set the <domain> you wish to update. + DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - password <password> +.. cfgcmd:: set service dns dynamic name <service-name> password <password> Configure `<password>` used when authenticating the update request for - DynDNS service identified by `<service>`. + DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - protocol <protocol> +.. cfgcmd:: set service dns dynamic name <service-name> protocol <protocol> - When a ``custom`` DynDNS provider is used the protocol used for communicating + When a ``custom`` DynDNS provider is used, the protocol used for communicating to the provider must be specified under `<protocol>`. See the embedded - completion helper for available protocols. + completion helper when entering above command for available protocols. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - server <server> +.. cfgcmd:: set service dns dynamic name <service-name> server <server> When a ``custom`` DynDNS provider is used the `<server>` where update requests are being sent to must be specified. -.. cfgcmd:: set service dns dynamic address <interface> ipv6-enable +.. cfgcmd:: set service dns dynamic name <service-name> ip-version 'ipv6' Allow explicit IPv6 address for the interface. @@ -376,14 +365,17 @@ hostnames, protocol and server. Example: ^^^^^^^^ -Use DynDNS as your preferred provider: +Use deSEC (dedyn.io) as your preferred provider: .. code-block:: none - set service dns dynamic address eth0 service dyndns - set service dns dynamic address eth0 service dyndns username my-login - set service dns dynamic address eth0 service dyndns password my-password - set service dns dynamic address eth0 service dyndns host-name my-dyndns-hostname + set service dns dynamic name dedyn description 'deSEC dynamic dns service' + set service dns dynamic name dedyn username 'myusername' + set service dns dynamic name dedyn password 'mypassword' + set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' + set service dns dynamic name dedyn protocol 'dyndns2' + set service dns dynamic name dedyn server 'update.dedyn.io' + set service dns dynamic name dedyn address interface 'eth0' .. note:: Multiple services can be used per interface. Just specify as many services per interface as you like! @@ -393,12 +385,14 @@ Example IPv6 only: .. code-block:: none - set service dns dynamic address eth0 ipv6-enable - set service dns dynamic address eth0 service dyndns6 username my-login - set service dns dynamic address eth0 service dyndns6 password my-password - set service dns dynamic address eth0 service dyndns6 host-name my-dyndns-hostname - set service dns dynamic address eth0 service dyndns6 protocol dyndns2 - set service dns dynamic address eth0 service dyndns6 server dyndns-v6-server + set service dns dynamic name dedyn description 'deSEC ipv6 dynamic dns service' + set service dns dynamic name dedyn username 'myusername' + set service dns dynamic name dedyn password 'mypassword' + set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' + set service dns dynamic name dedyn protocol 'dyndns2' + set service dns dynamic name dedyn ip-version 'ipv6' + set service dns dynamic name dedyn server 'update6.dedyn.io' + set service dns dynamic name dedyn address interface 'eth0' Running Behind NAT @@ -408,21 +402,15 @@ By default, ddclient_ will update a dynamic dns record using the IP address directly attached to the interface. If your VyOS instance is behind NAT, your record will be updated to point to your internal IP. -Above, command syntax isn noted to configure dynamic dns on a specific interface. -It is possible to overlook the additional address option, web, when completeing -those commands. ddclient_ has another way to determine the WAN IP address, using -a web-based url to determine the external IP. Each of the commands above will -need to be modified to use 'web' as the 'interface' specified if this functionality -is to be utilized. - -This functionality is controlled by adding the following configuration: +ddclient_ has another way to determine the WAN IP address. This is controlled +by: -.. cfgcmd:: set service dns dynamic address web web-options url <url> +.. cfgcmd:: set service dns dynamic name <service-name> address web <url> Use configured `<url>` to determine your IP address. ddclient_ will load `<url>` and tries to extract your IP address from the response. -.. cfgcmd:: set service dns dynamic address web web-options skip <pattern> +.. cfgcmd:: set service dns dynamic name <service-name> address web skip <pattern> ddclient_ will skip any address located before the string set in `<pattern>`. diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst index fe536eec..2a5e7731 100644 --- a/docs/configuration/vpn/pptp.rst +++ b/docs/configuration/vpn/pptp.rst @@ -1,52 +1,552 @@ .. _pptp: +########### PPTP-Server ------------ +########### The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility. PPTP has many well known security issues and you should use one of the many other new VPN implementations. -As per default and if not otherwise defined, mschap-v2 is being used for -authentication and mppe 128-bit (stateless) for encryption. If no -gateway-address is set within the configuration, the lowest IP out of the /24 -client-ip-pool is being used. For instance, in the example below it would be -192.168.0.1. - -server example -^^^^^^^^^^^^^^ +*********************** +Configuring PPTP Server +*********************** .. code-block:: none + set vpn pptp remote-access authentication mode local set vpn pptp remote-access authentication local-users username test password 'test' - set vpn pptp remote-access authentication mode 'local' - set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15 + set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.255.2-192.168.255.254 set vpn pptp remote-access default-pool 'PPTP-POOL' - set vpn pptp remote-access gateway-address '10.100.100.1' - set vpn pptp remote-access outside-address '10.1.1.120' + set vpn pptp remote-access outside-address 192.0.2.2 + set vpn pptp remote-access gateway-address 192.168.255.1 + + +.. cfgcmd:: set vpn pptp remote-access authentication mode <local | radius> + + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + * **noauth**: Authentication disabled. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> password + <pass> + + Create `<user>` for local authentication on this system. The users password + will be set to `<pass>`. + +.. cfgcmd:: set vpn pptp remote-access client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> + + Use this command to define the first IP address of a pool of + addresses to be given to PPTP clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set vpn pptp remote-access default-pool <POOL-NAME> + + Use this command to define default address pool name. + +.. cfgcmd:: set vpn pptp remote-access gateway-address <gateway> + + Specifies single `<gateway>` IP address to be used as local address of PPP + interfaces. + +********************************* +Configuring RADIUS authentication +********************************* + +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. + +.. code-block:: none + + set vpn pptp remote-access authentication mode radius + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> key <secret> + + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. + +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: + +.. code-block:: none + + set vpn pptp remote-access authentication radius server 10.0.0.1 key 'foo' + set vpn pptp remote-access authentication radius server 10.0.0.2 key 'foo' + +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. + +RADIUS source address +===================== + +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. You can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. + +.. cfgcmd:: set vpn pptp remote-access authentication radius source-address <address> + + Source IPv4 address used in all RADIUS server queires. + +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. + +RADIUS advanced options +======================= + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> port <port> + + Configure RADIUS `<server>` and its required port for authentication requests. + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> fail-time <time> + + Mark RADIUS server as offline for this given `<time>` in seconds. + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> disable + + Temporary disable this RADIUS server. + +.. cfgcmd:: set vpn pptp remote-access authentication radius acct-timeout <timeout> + + Timeout to wait reply for Interim-Update packets. (default 3 seconds) + +.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author server <address> + + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author port <port> + + Port for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author key <secret> + + Secret for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set vpn pptp remote-access authentication radius max-try <number> + + Maximum number of tries to send Access-Request/Accounting-Request queries + +.. cfgcmd:: set vpn pptp remote-access authentication radius timeout <timeout> + + Timeout to wait response from server (seconds) + +.. cfgcmd:: set vpn pptp remote-access authentication radius nas-identifier <identifier> + + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. + +.. cfgcmd:: set vpn pptp remote-access authentication radius nas-ip-address <address> + + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. + +.. cfgcmd:: set vpn pptp remote-access authentication radius source-address <address> + + Source IPv4 address used in all RADIUS server queires. + +.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit attribute <attribute> + + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is `Filter-Id`. + +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. + +.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit enable + + Enables bandwidth shaping via RADIUS. + +.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit vendor + + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. + +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +Renaming clients interfaces by RADIUS +===================================== + +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. + +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. + +**** +IPv6 +**** +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6 <require | prefer | allow | deny> + + Specifies IPv6 negotiation preference. + + * **require** - Require IPv6 negotiation + * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv6 only if client requests + * **deny** - Do not negotiate IPv6 (default value) + +.. cfgcmd:: set vpn pptp remote-access client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> + + Use this comand to set the IPv6 address pool from which an PPTP client + will get an IPv6 prefix of your defined length (mask) to terminate the + PPTP endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. + +.. cfgcmd:: set vpn pptp remote-access client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> + + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + PPTP. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. + +.. cfgcmd:: set vpn pptp remote-access default-ipv6-pool <IPv6-POOL-NAME> + Use this command to define default IPv6 address pool name. -client example (debian 9) -^^^^^^^^^^^^^^^^^^^^^^^^^ +.. code-block:: none + + set vpn pptp remote-access ppp-options ipv6 allow + set vpn pptp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set vpn pptp remote-access client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set vpn pptp remote-access default-ipv6-pool IPv6-POOL + +IPv6 Advanced Options +===================== +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-accept-peer-interface-id + + Accept peer interface identifier. By default is not defined. + +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies fixed or random interface identifier for IPv6. + By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies peer interface identifier for IPv6. By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + * **ipv4-addr** - Calculate interface identifier from IPv4 address. + * **calling-sid** - Calculate interface identifier from calling-station-id. + +********* +Scripting +********* + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-change <path_to_script> + + Script to run when session interface changed by RADIUS CoA handling + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-down <path_to_script> + + Script to run when session interface going to terminate + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> disable + + Disable `<user>` account. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> static-ip + <address> + + Assign static IP address to `<user>` account. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn pptp remote-access authentication protocols + <pap | chap | mschap | mschap-v2> + + Require the peer to authenticate itself using one of the following protocols: + pap, chap, mschap, mschap-v2. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set vpn pptp remote-access client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +PPP Advanced Options +==================== + +.. cfgcmd:: set vpn pptp remote-access ppp-options disable-ccp + + Disable Compression Control Protocol (CCP). + CCP is enabled by default. + +.. cfgcmd:: set vpn pptp remote-access ppp-options interface-cache <number> + + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv4 <require | prefer | allow | deny> + + Specifies IPv4 negotiation preference. -Install the client software via apt and execute pptpsetup to generate the -configuration. + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 +.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-failure <number> + + Defines the maximum `<number>` of unanswered echo requests. Upon reaching the + value `<number>`, the session will be reset. Default value is **3**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-interval <interval> + + If this option is specified and is greater than 0, then the PPP module will + send LCP pings of the echo request every `<interval>` seconds. + Default value is **30**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-timeout + + Specifies timeout in seconds to wait for any peer activity. If this option + specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" + is not used. Default value is **0**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options min-mtu <number> + + Defines minimum acceptable MTU. If client will try to negotiate less then + specified MTU then it will be NAKed or disconnected if rejects greater MTU. + Default value is **100**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options mppe <require | prefer | deny> + + Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation + preference. + + * **require** - ask client for mppe, if it rejects drop connection + * **prefer** - ask client for mppe, if it rejects don't fail. (Default value) + * **deny** - deny mppe + + Default behavior - don't ask client for mppe, but allow it if client wants. + Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy + attribute. + +.. cfgcmd:: set vpn pptp remote-access ppp-options mru <number> + + Defines preferred MRU. By default is not defined. + +Global Advanced options +======================= + +.. cfgcmd:: set vpn pptp remote-access description <description> + + Set description. + +.. cfgcmd:: set vpn pptp remote-access limits burst <value> + + Burst count + +.. cfgcmd:: set vpn pptp remote-access limits connection-limit <value> + + Acceptable rate of connections (e.g. 1/min, 60/sec) + +.. cfgcmd:: set vpn pptp remote-access limits timeout <value> + + Timeout in seconds + +.. cfgcmd:: set vpn pptp remote-access mtu + + Maximum Transmission Unit (MTU) (default: **1436**) + +.. cfgcmd:: set vpn pptp remote-access max-concurrent-sessions + + Maximum number of concurrent session start attempts + +.. cfgcmd:: set vpn pptp remote-access name-server <address> + + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. + +.. cfgcmd:: set vpn pptp remote-access shaper fwmark <1-2147483647> + + Match firewall mark value + +.. cfgcmd:: set vpn pptp remote-access snmp master-agent + + Enable SNMP + +.. cfgcmd:: set vpn pptp remote-access wins-server <address> + + Windows Internet Name Service (WINS) servers propagated to client + +********** +Monitoring +********** + +.. opcmd:: show pptp-server sessions + + Use this command to locally check the active sessions in the PPTP + server. .. code-block:: none - apt-get install pptp-linux - pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --encrypt - pon TESTTUNNEL + vyos@vyos:~$ show pptp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+---------- + pptp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:01:26 | 6.9 KiB | 220 B -The command pon TESTUNNEL establishes the PPTP tunnel to the remote system. +.. code-block:: none + vyos@vyos:~$ show pptp-server statistics + uptime: 0.00:04:52 + cpu: 0% + mem(rss/virt): 5504/100176 kB + core: + mempool_allocated: 152007 + mempool_available: 149007 + thread_count: 1 + thread_active: 1 + context_count: 6 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 6 + md_handler_pending: 0 + timer_count: 2 + timer_pending: 0 + sessions: + starting: 0 + active: 1 + finishing: 0 + pptp: + starting: 0 + active: 1 -All tunnel sessions can be checked via: +*************** +Troubleshooting +*************** .. code-block:: none - run sh pptp-server sessions - ifname | username | calling-sid | ip | type | comp | state | uptime - --------+----------+-------------+--------------+------+------+--------+---------- - ppp0 | test | 10.1.1.99 | 192.168.0.10 | pptp | mppe | active | 00:00:58 + vyos@vyos:~$sudo journalctl -u accel-ppp@pptp -b 0 + + Feb 29 14:58:57 vyos accel-pptp[4629]: pptp: new connection from 192.168.10.100 + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Start-Ctrl-Conn-Request <Version 1> <Framing 1> <Bearer 1> <Max-Chan 0>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Start-Ctrl-Conn-Reply <Version 1> <Result 1> <Error 0> <Framing 3> <Bearer 3> <Max-Chan 1>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Outgoing-Call-Request <Call-ID 2961> <Call-Serial 2> <Min-BPS 300> <Max-BPS 100000000> <Bearer 3> <Framing 3> <Window-Size 64> <Delay 0>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Outgoing-Call-Reply <Call-ID 2> <Peer-Call-ID 2961> <Result 1> <Error 0> <Cause 0> <Speed 100000000> <Window-Size 64> <Delay 0> <Channel 0>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: auth_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ccp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipcp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipv6cp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ppp establishing + Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_start + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 0142785a> <pcomp> <accomp> < d 3 6 >] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 0142785a>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfAck id=1] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: fsm timeout 9 + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=75 <auth MSCHAP-v2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=76 <auth CHAP-md5> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=76 <auth MSCHAP-v2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=77 <auth MSCHAP-v1> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=77 <auth MSCHAP-v2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfAck id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: lcp_layer_started + Feb 29 14:59:00 vyos accel-pptp[4629]: :: auth_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [MSCHAP-v2 Challenge id=1 <8aa758781676e6a8e85c11963ee010>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=2 <MSRASV5.20>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=3 <MSRAS-0-MSEDGEWIN10>] + Feb 29 14:59:00 vyos accel-pptp[4629]: [43B blob data] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [MSCHAP-v2 Response id=1 <90c21af1091f745e8bf22388b058>, <e695ae5aae274c88a3fa1ee3dc9057aece4d53c87b9fea>, F=0, name="test"] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: connect: ppp0 <--> pptp(192.168.10.100) + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ppp connected + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [MSCHAP-v2 Success id=1 "S=347F417CF04BEBBC7F75CFA7F43474C36FB218F9 M=Authentication succeeded"] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: test: authentication succeeded + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: auth_layer_started + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [CCP ConfReq id=b9 <mppe +H -M +S -L -D -C>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipv6cp_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: IPV6CP: discarding packet + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [LCP ProtoRej id=122 <8057>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=6 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfReq id=3b <addr 10.0.0.1>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfRej id=6 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [LCP ProtoRej id=7 <80fd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_finished + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfAck id=3b <addr 10.0.0.1>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfAck id=9] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_started + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: rename interface to 'pptp0' + Feb 29 14:59:00 vyos accel-pptp[4629]: pptp0:test: pptp: ppp started + +.. _accel-ppp: https://accel-ppp.org/ +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 78cadfb5..ab0f623f 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -16,7 +16,8 @@ special characters. It is purely informational. Each site-to-site peer has the next options: * ``authentication`` - configure authentication between VyOS and a remote peer. - Suboptions: + If pre-shared-secret mode is used, the secret key must be defined in + ``set vpn ipsec authentication`` and suboptions: * ``psk`` - Preshared secret key name: @@ -36,8 +37,7 @@ Each site-to-site peer has the next options: * ``pre-shared-secret`` - use predefined shared secret phrase; - * ``rsa`` - use simple shared RSA key. The key must be defined in the - ``set vpn rsa-keys`` section; + * ``rsa`` - use simple shared RSA key. * ``x509`` - use certificates infrastructure for authentication. @@ -45,29 +45,26 @@ Each site-to-site peer has the next options: address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used; - * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined - in the ``set vpn rsa-keys`` section; + * ``rsa`` - options for RSA authentication mode: - * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when - ``id`` is defined; + * ``local-key`` - name of PKI key-pair with local private key - * ``x509`` - options for x509 authentication mode: + * ``remote-key`` - name of PKI key-pair with remote public key - * ``ca-cert-file`` - CA certificate file. Using for authenticating - remote peer; + * ``passphrase`` - local private key passphrase - * ``cert-file`` - certificate file, which will be used for authenticating - local router on remote peer; + * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when + ``id`` is defined; - * ``crl-file`` - file with the Certificate Revocation List. Using to check if - a certificate for the remote peer is valid or revoked; + * ``x509`` - options for x509 authentication mode: - * ``key`` - a private key, which will be used for authenticating local router - on remote peer: + * ``ca-certificate`` - CA certificate in PKI configuration. Using for + authenticating remote peer; - * ``file`` - path to the key file; + * ``certificate`` - certificate file in PKI configuration, which will be used + for authenticating local router on remote peer; - * ``password`` - passphrase private key, if needed. + * ``passphrase`` - private key passphrase, if needed. * ``connection-type`` - how to handle this connection process. Possible variants: @@ -113,6 +110,9 @@ Each site-to-site peer has the next options: Hostname is a DNS name which could be used when a peer has a public IP address and DNS name, but an IP address could be changed from time to time. +* ``replay-window`` - IPsec replay window to configure for this CHILD_SA + (default: 32), a value of 0 disables IPsec replay protection + * ``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer: @@ -127,6 +127,9 @@ Each site-to-site peer has the next options: * ``prefix`` - IP network at local side. + * ``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value + more preferable) + * ``protocol`` - define the protocol for match traffic, which should be encrypted and send to this peer; diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index a9def827..3749eb7b 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -19,50 +19,43 @@ local and RADIUS authentication. As SSTP provides PPP via a SSL/TLS channel the use of either publically signed certificates as well as a private PKI is required. -.. note:: All certificates should be stored on VyOS under ``/config/auth``. If - certificates are not stored in the ``/config`` directory they will not be - migrated during a software update. +*********************** +Configuring SSTP Server +*********************** Certificates ============ -Self Signed CA --------------- - -To generate the CA, the server private key and certificates the following -commands can be used. +Using our documentation chapter - :ref:`pki` generate and install CA and Server certificate .. code-block:: none - vyos@vyos:~$ mkdir -p /config/user-data/sstp - vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt - - Generating a 4096 bit RSA private key - .........................++ - ...............................................................++ - writing new private key to 'server.key' - [...] - Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: - - vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt - [...] - Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: + vyos@vyos:~$ generate pki ca install CA + +.. code-block:: none + vyos@vyos:~$ generate pki certificate sign CA install Server Configuration ============= +.. code-block:: none + + set vpn sstp authentication local-users username test password 'test' + set vpn sstp authentication mode 'local' + set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100' + set vpn sstp default-pool 'SSTP-POOL' + set vpn sstp gateway-address '10.0.0.1' + set vpn sstp ssl ca-certificate 'CA1' + set vpn sstp ssl certificate 'Server' + +.. cfgcmd:: set vpn sstp authentication mode <local | radius> + + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. .. cfgcmd:: set vpn sstp authentication local-users username <user> password <pass> @@ -70,137 +63,185 @@ Configuration Create `<user>` for local authentication on this system. The users password will be set to `<pass>`. -.. cfgcmd:: set vpn sstp authentication local-users username <user> disable +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> - Disable `<user>` account. + Use this command to define the first IP address of a pool of + addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. -.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip - <address> +.. cfgcmd:: set vpn sstp default-pool <POOL-NAME> - Assign static IP address to `<user>` account. + Use this command to define default address pool name. -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit - download <bandwidth> +.. cfgcmd:: set vpn sstp gateway-address <gateway> - Download bandwidth limit in kbit/s for `<user>`. + Specifies single `<gateway>` IP address to be used as local address of PPP + interfaces. -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit - upload <bandwidth> +.. cfgcmd:: set vpn sstp ssl ca-certificate <file> - Upload bandwidth limit in kbit/s for `<user>`. + Name of installed certificate authority certificate. -.. cfgcmd:: set vpn sstp authentication protocols - <pap | chap | mschap | mschap-v2> +.. cfgcmd:: set vpn sstp ssl certificate <file> - Require the peer to authenticate itself using one of the following protocols: - pap, chap, mschap, mschap-v2. + Name of installed server certificate. -.. cfgcmd:: set vpn sstp authentication mode <local | radius> +********************************* +Configuring RADIUS authentication +********************************* - Set authentication backend. The configured authentication backend is used - for all queries. +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. - * **radius**: All authentication queries are handled by a configured RADIUS - server. - * **local**: All authentication queries are handled locally. +.. code-block:: none + set vpn sstp authentication mode radius -.. cfgcmd:: set vpn sstp gateway-address <gateway> +.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret> - Specifies single `<gateway>` IP address to be used as local address of PPP - interfaces. + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: -.. cfgcmd:: set vpn sstp port <port> +.. code-block:: none - Specifies the port `<port>` that the SSTP port will listen on (default 443). + set vpn sstp authentication radius server 10.0.0.1 key 'foo' + set vpn sstp authentication radius server 10.0.0.2 key 'foo' +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> +RADIUS source address +===================== - Use this command to define the first IP address of a pool of - addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, - it must be within a /24 subnet. If notation ``x.x.x.x/x`` is - used there is possibility to set host/netmask. +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. You can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. -.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> +.. cfgcmd:: set vpn sstp authentication radius source-address <address> - Use this command to define the next address pool name. + Source IPv4 address used in all RADIUS server queires. -.. cfgcmd:: set vpn sstp default-pool <POOL-NAME> +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. - Use this command to define default address pool name. +RADIUS advanced options +======================= +.. cfgcmd:: set vpn sstp authentication radius server <server> port <port> -.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address> - mask <number-of-bits> + Configure RADIUS `<server>` and its required port for authentication requests. - Use this comand to set the IPv6 address pool from which an SSTP client - will get an IPv6 prefix of your defined length (mask) to terminate the - SSTP endpoint at their side. The mask length can be set from 48 to 128 - bit long, the default value is 64. +.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time> + Mark RADIUS server as offline for this given `<time>` in seconds. -.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address> - delegation-prefix <number-of-bits> +.. cfgcmd:: set vpn sstp authentication radius server <server> disable - Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on - SSTP. You will have to set your IPv6 pool and the length of the - delegation prefix. From the defined IPv6 pool you will be handing out - networks of the defined length (delegation-prefix). The length of the - delegation prefix can be set from 32 to 64 bit long. + Temporary disable this RADIUS server. +.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout> -.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME> + Timeout to wait reply for Interim-Update packets. (default 3 seconds) - Use this command to define default IPv6 address pool name. +.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address> + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) -.. cfgcmd:: set vpn sstp name-server <address> +.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port> - Connected client should use `<address>` as their DNS server. This - command accepts both IPv4 and IPv6 addresses. Up to two nameservers - can be configured for IPv4, up to three for IPv6. + Port for Dynamic Authorization Extension server (DM/CoA) -Maximum number of IPv4 nameservers +.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret> -SSL Certificates ----------------- + Secret for Dynamic Authorization Extension server (DM/CoA) -.. cfgcmd:: set vpn sstp ssl ca-cert-file <file> +.. cfgcmd:: set vpn sstp authentication radius max-try <number> - Path to `<file>` pointing to the certificate authority certificate. + Maximum number of tries to send Access-Request/Accounting-Request queries -.. cfgcmd:: set vpn sstp ssl cert-file <file> +.. cfgcmd:: set vpn sstp authentication radius timeout <timeout> - Path to `<file>` pointing to the servers certificate (public portion). + Timeout to wait response from server (seconds) +.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier> -PPP Settings ------------- + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. -.. cfgcmd:: set vpn sstp ppp-options disable-ccp +.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address> - Disable Compression Control Protocol (CCP). - CCP is enabled by default. + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. -.. cfgcmd:: set vpn sstp ppp-options interface-cache <number> +.. cfgcmd:: set vpn sstp authentication radius source-address <address> - Specifies number of interfaces to keep in cache. It means that don’t - destroy interface after corresponding session is destroyed, instead - place it to cache and use it later for new sessions repeatedly. - This should reduce kernel-level interface creation/deletion rate lack. - Default value is **0**. + Source IPv4 address used in all RADIUS server queires. -.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny> +.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute> - Specifies IPv4 negotiation preference. + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is `Filter-Id`. - * **require** - Require IPv4 negotiation - * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects - * **allow** - Negotiate IPv4 only if client requests (Default value) - * **deny** - Do not negotiate IPv4 +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. + +.. cfgcmd:: set vpn sstp authentication radius rate-limit enable + + Enables bandwidth shaping via RADIUS. + +.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor + + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. + +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +Renaming clients interfaces by RADIUS +===================================== + +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. + +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. + + +**** +IPv6 +**** .. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny> Specifies IPv6 negotiation preference. @@ -210,6 +251,36 @@ PPP Settings * **allow** - Negotiate IPv6 only if client requests * **deny** - Do not negotiate IPv6 (default value) +.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> + + Use this comand to set the IPv6 address pool from which an SSTP client + will get an IPv6 prefix of your defined length (mask) to terminate the + SSTP endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. + +.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> + + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + SSTP. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. + +.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME> + + Use this command to define default IPv6 address pool name. + +.. code-block:: none + + set vpn sstp ppp-options ipv6 allow + set vpn sstp client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set vpn sstp client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set vpn sstp default-ipv6-pool IPv6-POOL + +IPv6 Advanced Options +===================== .. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id Accept peer interface identifier. By default is not defined. @@ -231,6 +302,90 @@ PPP Settings * **ipv4-addr** - Calculate interface identifier from IPv4 address. * **calling-sid** - Calculate interface identifier from calling-station-id. +********* +Scripting +********* + +.. cfgcmd:: set vpn sstp extended-scripts on-change <path_to_script> + + Script to run when session interface changed by RADIUS CoA handling + +.. cfgcmd:: set vpn sstp extended-scripts on-down <path_to_script> + + Script to run when session interface going to terminate + +.. cfgcmd:: set vpn sstp extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set vpn sstp extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set vpn sstp authentication local-users username <user> disable + + Disable `<user>` account. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip + <address> + + Assign static IP address to `<user>` account. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn sstp authentication protocols + <pap | chap | mschap | mschap-v2> + + Require the peer to authenticate itself using one of the following protocols: + pap, chap, mschap, mschap-v2. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +PPP Advanced Options +==================== + +.. cfgcmd:: set vpn sstp ppp-options disable-ccp + + Disable Compression Control Protocol (CCP). + CCP is enabled by default. + +.. cfgcmd:: set vpn sstp ppp-options interface-cache <number> + + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. + +.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny> + + Specifies IPv4 negotiation preference. + + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 + .. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number> Defines the maximum `<number>` of unanswered echo requests. Upon reaching the @@ -271,112 +426,61 @@ PPP Settings Defines preferred MRU. By default is not defined. +Global Advanced options +======================= -RADIUS ------- - -Server -^^^^^^ - -.. cfgcmd:: set vpn sstp authentication radius server <server> port <port> +.. cfgcmd:: set vpn sstp description <description> - Configure RADIUS `<server>` and its required port for authentication requests. + Set description. -.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret> - - Configure RADIUS `<server>` and its required shared `<secret>` for - communicating with the RADIUS server. +.. cfgcmd:: set vpn sstp limits burst <value> -.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time> + Burst count - Mark RADIUS server as offline for this given `<time>` in seconds. +.. cfgcmd:: set vpn sstp limits connection-limit <value> -.. cfgcmd:: set vpn sstp authentication radius server <server> disable + Acceptable rate of connections (e.g. 1/min, 60/sec) - Temporary disable this RADIUS server. +.. cfgcmd:: set vpn sstp limits timeout <value> -Options -^^^^^^^ + Timeout in seconds -.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout> +.. cfgcmd:: set vpn sstp mtu - Timeout to wait reply for Interim-Update packets. (default 3 seconds) + Maximum Transmission Unit (MTU) (default: **1500**) -.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address> +.. cfgcmd:: set vpn sstp max-concurrent-sessions - Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + Maximum number of concurrent session start attempts -.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port> - - Port for Dynamic Authorization Extension server (DM/CoA) - -.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret> - - Secret for Dynamic Authorization Extension server (DM/CoA) - -.. cfgcmd:: set vpn sstp authentication radius max-try <number> - - Maximum number of tries to send Access-Request/Accounting-Request queries - -.. cfgcmd:: set vpn sstp authentication radius timeout <timeout> - - Timeout to wait response from server (seconds) - -.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier> - - Value to send to RADIUS server in NAS-Identifier attribute and to be matched - in DM/CoA requests. - -.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address> - - Value to send to RADIUS server in NAS-IP-Address attribute and to be matched - in DM/CoA requests. Also DM/CoA server will bind to that address. - -.. cfgcmd:: set vpn sstp authentication radius source-address <address> - - Source IPv4 address used in all RADIUS server queires. - -.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute> - - Specifies which RADIUS server attribute contains the rate limit information. - The default attribute is `Filter-Id`. - -.. cfgcmd:: set vpn sstp authentication radius rate-limit enable +.. cfgcmd:: set vpn sstp name-server <address> - Enables bandwidth shaping via RADIUS. + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. -.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor +.. cfgcmd:: set vpn sstp shaper fwmark <1-2147483647> - Specifies the vendor dictionary, dictionary needs to be in - /usr/share/accel-ppp/radius. + Match firewall mark value +.. cfgcmd:: set vpn sstp snmp master-agent -Example -======= + Enable SNMP -* Use local user `foo` with password `bar` -* Client IP addresses will be provided from pool `192.0.2.0/25` +.. cfgcmd:: set vpn sstp wins-server <address> -.. code-block:: none + Windows Internet Name Service (WINS) servers propagated to client - set vpn sstp authentication local-users username vyos password vyos - set vpn sstp authentication mode local - set vpn sstp gateway-address 192.0.2.254 - set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25 - set vpn sstp default-pool 'SSTP-POOL' - set vpn sstp name-server 10.0.0.1 - set vpn sstp name-server 10.0.0.2 - set vpn sstp ssl ca-cert-file /config/auth/ca.crt - set vpn sstp ssl cert-file /config/auth/server.crt - set vpn sstp ssl key-file /config/auth/server.key - -Testing SSTP -============ +*********************** +Configuring SSTP client +*********************** Once you have setup your SSTP server there comes the time to do some basic testing. The Linux client used for testing is called sstpc_. sstpc_ requires a PPP configuration/peer file. +If you use a self-signed certificate, do not forget to install CA on the client side. + The following PPP configuration tests MSCHAP-v2: .. code-block:: none @@ -429,8 +533,115 @@ A connection attempt will be shown as: inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0 valid_lft forever preferred_lft forever +********** +Monitoring +********** +.. opcmd:: show sstp-server sessions -.. _sstpc: https://github.com/reliablehosting/sstp-client + Use this command to locally check the active sessions in the SSTP + server. +.. code-block:: none + + vyos@vyos:~$ show sstp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+---------- + sstp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:15:46 | 16.3 KiB | 210 B + +.. code-block:: none + + vyos@vyos:~$ show sstp-server statistics + uptime: 0.01:21:54 + cpu: 0% + mem(rss/virt): 6688/100464 kB + core: + mempool_allocated: 149420 + mempool_available: 146092 + thread_count: 1 + thread_active: 1 + context_count: 6 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 7 + md_handler_pending: 0 + timer_count: 2 + timer_pending: 0 + sessions: + starting: 0 + active: 1 + finishing: 0 + sstp: + starting: 0 + active: 1 + +*************** +Troubleshooting +*************** + +.. code-block:: none + + vyos@vyos:~$sudo journalctl -u accel-ppp@sstp -b 0 + + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: new connection from 192.168.10.100:49852 + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: starting + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: started + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTPCORRELATIONID: {48B82435-099A-4158-A987-052E7570CFAA}>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Content-Length: 18446744073709551615>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Host: vyos.io>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <HTTP/1.1 200 OK>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Date: Wed, 28 Feb 2024 17:03:04 GMT>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Content-Length: 18446744073709551615>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: auth_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ccp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipcp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipv6cp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ppp establishing + Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_start + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=0 <mru 4091> <magic 345f64ca> <pcomp> <accomp> < d 3 6 >] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=1 <mru 4091> <magic 345f64ca>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfNak id=1 <mru 1452>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=2 <mru 1452> <magic 345f64ca>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfAck id=2] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: fsm timeout 9 + Feb 28 17:03:07 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP ConfAck id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: lcp_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: :: auth_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=3 <MSRASV5.20>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=4 <MSRAS-0-MSEDGEWIN10>] + Feb 28 17:03:07 vyos accel-sstp[2492]: [50B blob data] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [PAP AuthReq id=3] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: connect: ppp0 <--> sstp(192.168.10.100:49852) + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ppp connected + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [PAP AuthAck id=3 "Authentication succeeded"] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: test: authentication succeeded + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: auth_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ccp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipv6cp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [SSTP SSTP_MSG_CALL_CONNECTED] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: IPV6CP: discarding packet + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [LCP ProtoRej id=88 <8057>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=7 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfReq id=25 <addr 10.0.0.1>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfRej id=7 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfAck id=25 <addr 10.0.0.1>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.5>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.5>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfAck id=9] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: rename interface to 'sstp0' + Feb 28 17:03:07 vyos accel-sstp[2492]: sstp0:test: sstp: ppp: started + +.. _sstpc: https://github.com/reliablehosting/sstp-client +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel .. include:: /_include/common-references.txt diff --git a/docs/documentation.rst b/docs/documentation.rst index 91f0e42b..61487f57 100644 --- a/docs/documentation.rst +++ b/docs/documentation.rst @@ -18,16 +18,16 @@ guide how to do so. documentation. VyOS documentation is written in reStructuredText and generated to Read the Docs -pages with Sphinx, as per the Python tradition, as well as PDF files for offline -use through LaTeX. We welcome all sorts of contributions to the documentation. +pages with Sphinx, as per the Python tradition. We welcome all sorts of +contributions to the documentation. Not just new additions but also corrections to existing documentation. The documentation source is kept in the Git repository at https://github.com/vyos/vyos-documentation and you can follow the instructions in the README.md_ to build and test your changes. -You can either install Sphinx (and TeX Live for PDF output) and build the -documentation locally, or use the Dockerfile_ to build it in a container. +You can either install Sphinx and build the documentation locally, +or use the Dockerfile_ to build it in a container. Guidelines ========== @@ -35,8 +35,6 @@ Guidelines There are a few things to keep in mind when contributing to the documentation, for the sake of consistency and readability. -Take a look at the :doc:`/documentation` page for an intricate explanation -of the documentation process. The following is a quick summary of the rules: @@ -54,94 +52,73 @@ And finally, remember that the reStructuredText files aren't exclusively for generating HTML and PDF. They should be human-readable and easily perused from a console. -Forking Workflow -================ +Page content +============ -The Forking Workflow is fundamentally different from other popular Git -workflows. Instead of using a single server-side repository to act as the -"central" codebase, it gives every developer their own server-side repository. -This means that each contributor has not one, but two Git repositories: a -private local one and a public server-side one. +All RST files must follow the same TOC Level syntax and have to start with -The main advantage of the Forking Workflow is that contributions can be -integrated without the need for everybody to push to a single central -repository. Developers push to their own server-side repositories, and only the -project maintainer can push to the official repository. This allows the -maintainer to accept commits from any developer without giving them write -access to the official codebase. +.. code-block:: -.. note:: Updates to our documentation should be delivered by a GitHub - pull-request. This requires you already have a GitHub account. + ##### + Title + ##### -* Fork this project on GitHub https://github.com/vyos/vyos-documentation/fork +The configuration mode folder and the articles cover the specific level of +the commands. The exact level depends on the command. This should provide +stability for URLs used in the forum or blogpost. -* Clone fork to local machine, then change to that directory - ``$ cd vyos-documentation`` +For example: -* Install the requirements ``$ pip install -r requirements.txt`` - (or something similar) + * ``set firewall zone`` is written in ``firewall/zone.rst`` + * ``set interfaces ethernet`` is written in ``interfaces/ethernet.rst`` -* Create a new branch for your work, use a descriptive name of your work: - ``$ git checkout -b <branch-name>`` +In the configuration part of the page, all possible configuration options +should be documented. Use ``.. cfgcmd::`` described above. -* Make all your changes - please keep our commit rules in mind - (:ref:`prepare_commit`). This mainly applies to proper commit messages - describing your change (how and why). Please check out the documentation of - Sphinx-doc_ or reStructuredText_ if you are not familiar with it. This is used - for writing our docs. Additional directives how to write in RST can be - obtained from reStructuredTextDirectives_. +Related operation command must be documented in the next part of the article. +Use ``::opcmd..`` for these commands. -* Check your changes by locally building the documentation ``$ make livehtml``. - Sphinx will build the html files in the ``docs/_build`` folder. We provide - you with a Docker container for an easy-to-use user experience. Check the - README.md_ file of this repository. +Each page must contain the following parts: -* View modified files by calling ``$ git status``. You will get an overview of - all files modified by you. You can add individual files to the Git Index in - the next step. +1. Theoretical information +-------------------------- -* Add modified files to Git index ``$ git add path/to/filename`` or add all - unstaged files ``$ git add .``. All files added to the Git index will be part - of you following Git commit. +Theoretical information required for users to understand the next document sections: -* Commit your changes with the message, ``$ git commit -m "<commit message>"`` - or use ``$ git commit -v`` to have your configured editor launched. You can - type in a commit message. Again please make yourself comfortable without - rules (:ref:`prepare_commit`). + - a simple explanation of what is this page about, why or when it is required to be used + - references to standards, RFCs -* Push commits to your GitHub project: ``$ git push -u origin <branch-name>`` +2. Configuration description +---------------------------- -* Submit pull-request. In GitHub visit the main repository and you should - see a banner suggesting to make a pull request. Fill out the form and - describe what you do. + Describe CLI items related to the service or use case. Each config line + or section must be explained, using information provided in the 1st part + of the page. -* Once pull requests have been approved, you may want to locally update - your forked repository too. First you'll have to add a second remote - called `upstream` which points to our main repository. ``$ git remote add - upstream https://github.com/vyos/vyos-documentation.git`` +3. Configuration examples +------------------------- - Check your configured remote repositories: + Practical examples of the service or use case configuration. They must + contain topology maps (if applicable) and short descriptions. - .. code-block:: none +4. Known issues +--------------- - $ git remote -v - origin https://github.com/<username>/vyos-documentation.git (fetch) - origin https://github.com/<username>/vyos.documentation.git (push) - upstream https://github.com/vyos/vyos-documentation.git (fetch) - upstream https://github.com/vyos/vyos-documentation.git (push) +This section must contain a list of: - Your remote repo on Github is called ``origin``, while the original repo you - have forked is called ``upstream``. Now you can locally update your forked - repo. + - known issues or potential problems for the service or use case + - workarounds for known issues (if any exist) - .. code-block:: none +5. Debugging +------------ + +Described procedures for debugging a service: + + - how to collect logs or other debugging information (like `show` commands output) + - how to read and what to search for in logs and collected information + - what are indicators of good and bad states in debugging outputs - $ git fetch upstream - $ git checkout master - $ git merge upstream/master -* If you also want to update your fork on GitHub, use the following: ``$ git - push origin master`` Style Guide =========== @@ -381,63 +358,95 @@ URL. This is heavily used in the :ref:`release-notes` section. * :vytask:`T1605` Fixed regression in L2TP/IPsec server * :vytask:`T1613` Netflow/sFlow captures IPv6 traffic correctly -Page content ------------- -The documentation has 3 different types of pages. The same kind of pages must -have the same structure to achieve a recognition factor. +Forking Workflow +================ -All RST files must follow the same TOC Level syntax and have to start with +The Forking Workflow is fundamentally different from other popular Git +workflows. Instead of using a single server-side repository to act as the +"central" codebase, it gives every developer their own server-side repository. +This means that each contributor has not one, but two Git repositories: a +private local one and a public server-side one. -.. code-block:: +The main advantage of the Forking Workflow is that contributions can be +integrated without the need for everybody to push to a single central +repository. Developers push to their own server-side repositories, and only the +project maintainer can push to the official repository. This allows the +maintainer to accept commits from any developer without giving them write +access to the official codebase. - ##### - Title - ##### +.. note:: Updates to our documentation should be delivered by a GitHub + pull-request. This requires you already have a GitHub account. -Configuration mode pages -^^^^^^^^^^^^^^^^^^^^^^^^ +* Fork this project on GitHub https://github.com/vyos/vyos-documentation/fork -The configuration mode folder and the articles cover the specific level of -the commands. The exact level depends on the command. This should provide -stability for URLs used in the forum or blogpost. +* Clone fork to local machine, then change to that directory + ``$ cd vyos-documentation`` -For example: +* Install the requirements ``$ pip install -r requirements.txt`` + (or something similar) - * ``set firewall zone`` is written in ``firewall/zone.rst`` - * ``set interfaces ethernet`` is written in ``interfaces/ethernet.rst`` +* Create a new branch for your work, use a descriptive name of your work: + ``$ git checkout -b <branch-name>`` -The article starts with a short introduction about the command or the -technology. Please include some helpful links or background information. +* Make all your changes - please keep our commit rules in mind + (:ref:`prepare_commit`). This mainly applies to proper commit messages + describing your change (how and why). Please check out the documentation of + Sphinx-doc_ or reStructuredText_ if you are not familiar with it. This is used + for writing our docs. Additional directives how to write in RST can be + obtained from reStructuredTextDirectives_. -An optional section follows. Some commands have requirements like compatible -hardware (e.g. Wifi) or some commands you have to set before. For -example, it is recommended to set a route-map before configuring BGP. +* Check your changes by locally building the documentation ``$ make livehtml``. + Sphinx will build the html files in the ``docs/_build`` folder. We provide + you with a Docker container for an easy-to-use user experience. Check the + README.md_ file of this repository. -In the configuration part of the page, all possible configuration options -should be documented. Use ``.. cfgcmd::`` described above. +* View modified files by calling ``$ git status``. You will get an overview of + all files modified by you. You can add individual files to the Git Index in + the next step. -Related operation command must be documented in the next part of the article. -Use ``::opcmd..`` for these commands. +* Add modified files to Git index ``$ git add path/to/filename`` or add all + unstaged files ``$ git add .``. All files added to the Git index will be part + of you following Git commit. -If there some troubleshooting guides related to the commands. Explain it in the -next optional part. +* Commit your changes with the message, ``$ git commit -m "<commit message>"`` + or use ``$ git commit -v`` to have your configured editor launched. You can + type in a commit message. Again please make yourself comfortable without + rules (:ref:`prepare_commit`). -Operation mode pages -^^^^^^^^^^^^^^^^^^^^ +* Push commits to your GitHub project: ``$ git push -u origin <branch-name>`` -Operation mode commands that do not fit in a related configuration mode command -must be documented in this part of the documentation. +* Submit pull-request. In GitHub visit the main repository and you should + see a banner suggesting to make a pull request. Fill out the form and + describe what you do. -General concepts for troubleshooting and detailed process descriptions belong -here. +* Once pull requests have been approved, you may want to locally update + your forked repository too. First you'll have to add a second remote + called `upstream` which points to our main repository. ``$ git remote add + upstream https://github.com/vyos/vyos-documentation.git`` -Anything else -^^^^^^^^^^^^^ + Check your configured remote repositories: -Anything else that is not a configuration or an operation command has no -predefined structure. + .. code-block:: none + $ git remote -v + origin https://github.com/<username>/vyos-documentation.git (fetch) + origin https://github.com/<username>/vyos.documentation.git (push) + upstream https://github.com/vyos/vyos-documentation.git (fetch) + upstream https://github.com/vyos/vyos-documentation.git (push) + + Your remote repo on Github is called ``origin``, while the original repo you + have forked is called ``upstream``. Now you can locally update your forked + repo. + + .. code-block:: none + + $ git fetch upstream + $ git checkout master + $ git merge upstream/master + +* If you also want to update your fork on GitHub, use the following: ``$ git + push origin master`` .. stop_vyoslinter |