Diffstat (limited to 'docs/services')

-rw-r--r--  docs/services/index.rst         3
-rw-r--r--  docs/services/ipoe-server.rst   6
-rw-r--r--  docs/services/references.rst    2
-rw-r--r--  docs/services/sstp-server.rst  76

4 files changed, 83 insertions, 4 deletions
diff --git a/docs/services/index.rst b/docs/services/index.rst index 57471cf8..03fdc9c4 100644 --- a/docs/services/index.rst +++ b/docs/services/index.rst @@ -18,8 +18,9 @@ This chapter descriptes the available system/network services provided by VyOS. dynamic-dns lldp mdns-repeater - pppoe-server ipoe-server + pppoe-server + sstp-server udp-broadcast-relay snmp ssh diff --git a/docs/services/ipoe-server.rst b/docs/services/ipoe-server.rst index 633de880..925ef373 100644 --- a/docs/services/ipoe-server.rst +++ b/docs/services/ipoe-server.rst @@ -14,7 +14,7 @@ Configuration IPoE can be configure on different interfaces, it will depend on each specific situation which interface will provide IPoE to clients. The clients mac address and the incoming interface is being used as control parameter, to authenticate a client. -The example comnfiguration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06. +The example configuration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06. Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the configuration. .. code-block:: sh @@ -26,7 +26,7 @@ Other DHCP discovery requests will be ignored, unless the client mac has been en set service ipoe-server interface eth2 client-subnet '192.168.0.0/24' -The first address of the paramter ``client-subnet``, will be used as the default gateway. +The first address of the parameter ``client-subnet``, will be used as the default gateway. Connected sessions can be checked via the ``show ipoe-server sessions`` command. .. code-block:: sh 
@@ -72,7 +72,7 @@ globally communicate without the need of any NAT rules. Automatic VLAN creation ======================= -To create VLANs per user during runtime, the follwing settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time. +To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time. .. code-block:: sh diff --git a/docs/services/references.rst b/docs/services/references.rst index 3a2f4b74..257ffe11 100644 --- a/docs/services/references.rst +++ b/docs/services/references.rst @@ -11,3 +11,5 @@ .. _Squidguard: http://www.squidguard.org/ .. _TFTP: https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol .. _`arbitrary extension commands`: http://net-snmp.sourceforge.net/docs/man/snmpd.conf.html#lbAZ +.. _`accel-ppp`: https://accel-ppp.org/ +.. _`Secure Socket Tunneling Protocol`: https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol diff --git a/docs/services/sstp-server.rst b/docs/services/sstp-server.rst new file mode 100644 index 00000000..8ee8ef45 --- /dev/null +++ b/docs/services/sstp-server.rst 
@@ -0,0 +1,76 @@ + +SSTP server +------------ + +VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be +used with local authentication or a connected RADIUS server. + +.. note:: **Please be aware, due to an upstream bug, config changes/commits + will restart the ppp daemon and will reset existing PPPoE connections from + connected users, in order to become effective.** + +Configuration +^^^^^^^^^^^^^ + +The `Secure Socket Tunneling Protocol`_ (SSTP), provides ppp via a SSL/TLS channel. +Using publically signed certificates as well a by private PKI, is fully supported. +All certficates should be stored on VyOS under ``/config/user-data/sstp``. + + +Self Signed CA and server certificates +====================================== + +To generate the CA, the server private key and certificates the following commands can be used. + +.. code-block:: sh + + vyos@vyos:~$ conf + [edit] + vyos@vyos# mkdir -p /config/user-data/sstp && cd /config/user-data/sstp + [edit] + openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout server.key -out server.crt + + Generating a 4096 bit RSA private key + .........................++ + ...............................................................++ + writing new private key to 'server.key' + [...] + Country Name (2 letter code) [AU]: + State or Province Name (full name) [Some-State]: + Locality Name (eg, city) []: + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + Organizational Unit Name (eg, section) []: + Common Name (e.g. server FQDN or YOUR name) []: + Email Address []: + + vyos@vyos# openssl req -new -x509 -key server.key -out ca.crt + [...] + Country Name (2 letter code) [AU]: + State or Province Name (full name) [Some-State]: + Locality Name (eg, city) []: + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + Organizational Unit Name (eg, section) []: + Common Name (e.g. 
server FQDN or YOUR name) []: + Email Address []: + [edit] + vyos@vyos# + + +The example below will answer configuration request for the user user ``foo``. + +Use <tab> to setup the ``set sstp-settings ssl-certs ...``, it automatically looks for all files and directories in ``/config/user-data/sstp``. + +.. code-block:: sh + + set authentication local-users username foo password 'bar' + set authentication mode 'local' + set network-settings client-ip-settings gateway-address '10.100.100.1' + set network-settings client-ip-settings subnet '192.168.0.0/24' + set network-settings dns-server primary-dns '10.100.100.1' + set network-settings dns-server secondary-dns '10.200.100.1' + set sstp-settings ssl-certs ca 'ca.crt' + set sstp-settings ssl-certs server-cert 'server.crt' + set sstp-settings ssl-certs server-key 'server.key' + + +.. include:: references.rst |
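Review bot: the ``.. note::`` at the top of the new sstp-server.rst warns that commits "will reset existing PPPoE connections from connected users", but this page documents the SSTP server; the sentence looks carried over from pppoe-server.rst and should say SSTP connections (for example "will reset existing SSTP connections from connected users") so readers of this page are warned about the right service.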
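Review bot: in the "Self Signed CA and server certificates" section of sstp-server.rst the two openssl invocations do not yield a CA-signed server certificate. The first command (``openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout server.key -out server.crt``) already emits a self-signed server certificate, and the second (``openssl req -new -x509 -key server.key -out ca.crt``) reuses the same server.key to emit a second self-signed certificate, so ca.crt never signs server.crt and the "CA" private key is the very key that sits on the SSTP server. Suggest generating a separate CA key and certificate first (``openssl req -new -x509 -nodes -newkey rsa:4096 -days 3650 -keyout ca.key -out ca.crt``), then a server key and CSR (``openssl req -new -nodes -newkey rsa:4096 -keyout server.key -out server.csr``), and signing the CSR with the CA (``openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt``); ca.key should then be kept off the router. The second command as written also omits ``-days``, so ca.crt would expire after openssl's 30-day default, and the transcript mixes ``[edit]`` / ``vyos@vyos#`` prompts with a bare ``openssl`` line, which should be made consistent.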
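Review bot: the configuration block at the end of sstp-server.rst lists ``set authentication local-users username foo password 'bar'``, ``set network-settings ...`` and ``set sstp-settings ssl-certs ...`` without any ``service sstp-server`` prefix, whereas the ipoe-server hunk in this same patch shows the full form (``set service ipoe-server interface eth2 client-subnet ...``); copied as-is these lines will not resolve at the top level of the VyOS CLI, so either prefix each line with ``set service sstp-server`` or precede the block with ``edit service sstp-server``. The sentence introducing the block also reads "for the user user ``foo``" (duplicated word), and the Configuration paragraph has "publically", "certficates" and "as well a by private PKI" (should be "as well as a private PKI").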