Diffstat (limited to 'docs/vpn')
-rw-r--r-- docs/vpn/l2tp.rst 74
1 files changed, 46 insertions, 28 deletions
diff --git a/docs/vpn/l2tp.rst b/docs/vpn/l2tp.rst
index 76268900..0dd5fe3e 100644
--- a/docs/vpn/l2tp.rst
+++ b/docs/vpn/l2tp.rst
@@ -3,7 +3,8 @@
L2TP
-----------
-VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be used with local authentication or a connected RADIUS server.
+VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be used
+with local authentication or a connected RADIUS server.
L2TP over IPsec
===============
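Review bot: the reflowed sentence still says accel-ppp provides "SSTP server functionality", but this file is l2tp.rst and the heading directly above it is ``L2TP``; since the line is being rewritten anyway, change it to "L2TP server functionality" so the copy-paste from the SSTP page does not survive the wrap.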
@@ -26,7 +27,8 @@ with native Windows and Mac VPN clients):
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password 'test'
-In the example above an external IP of 192.0.2.2 is assumed. Nexthop IP address 192.168.255.1 uses as client tunnel termination point.
+In the example above an external IP of 192.0.2.2 is assumed. Nexthop IP address
+192.168.255.1 uses as client tunnel termination point.
If a local firewall policy is in place on your external interface you will need
to allow the ports below:
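Review bot: the wrapped second sentence keeps the grammar error "Nexthop IP address 192.168.255.1 uses as client tunnel termination point"; while the line is being touched, suggest "The nexthop IP address 192.168.255.1 is used as the client tunnel termination point."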
@@ -66,7 +68,8 @@ To allow VPN-clients access via your external address, a NAT rule is required:
set nat source rule 110 translation address masquerade
-VPN-clients will request configuration parameters, optionally you can DNS parameter to the client.
+VPN-clients will request configuration parameters, optionally you can DNS
+parameter to the client.
.. code-block:: sh
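Review bot: "optionally you can DNS parameter to the client" is missing its verb in both the old and the new text; suggest "optionally you can pass DNS parameters to the client" so the reflow also fixes the sentence.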
@@ -82,15 +85,15 @@ operational command, or **show l2tp-server sessions**
.. code-block:: sh
vyos@vyos:~$ show vpn remote-access
- ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
+ ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
--------+----------+--------------+---------------+------------+------+------+--------+----------
- ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13
+ ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13
LNS (L2TP Network Server)
=========================
-LNS are often used to connect to a LAC (L2TP Access Concentrator).
+LNS are often used to connect to a LAC (L2TP Access Concentrator).
Below is an example to configure a LNS:
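Review bot: the ``-``/``+`` pairs for the ``ifname`` and ``ppp0`` table rows and for the LNS sentence are identical as rendered, so this hunk is a trailing-whitespace or tab cleanup; fine, but since the LNS sentence is being rewritten, "LNS are often used to connect to a LAC" reads better as "An LNS is often used to connect to a LAC (L2TP Access Concentrator)", and "to configure a LNS" should be "to configure an LNS".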
@@ -101,13 +104,16 @@ Below is an example to configure a LNS:
set vpn l2tp remote-access client-ip-pool start 192.168.255.2
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
set vpn l2tp remote-access lns shared-secret 'secret'
- set vpn l2tp remote-access ccp-disable
+ set vpn l2tp remote-access ccp-disable
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password 'test'
-The example above uses 192.0.2.2 as external IP address, the nexthop is supposed to be 192.168.255.1 and is used as client termination point.
-A LAC normally requires an authentication password, which is set in the example configuration to ``lns shared-secret 'secret'``.
-This setup requires the Compression Control Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` accomplishes that.
+The example above uses 192.0.2.2 as external IP address, the nexthop is supposed
+to be 192.168.255.1 and is used as client termination point. A LAC normally
+requires an authentication password, which is set in the example configuration
+to ``lns shared-secret 'secret'``. This setup requires the Compression Control
+Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable``
+accomplishes that.
Bandwidth Shaping
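Review bot: the new line "Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable``" runs to 85 columns, longer than the 80-column wrap this commit applies everywhere else; break before the literal. "requires ... being disabled" should be "requires ... to be disabled". It would also help readers to say that ``lns shared-secret`` is the L2TP tunnel authentication secret shared between LAC and LNS, which is separate from the per-user PPP credentials set under ``local-users``, so the two secrets in this example are not confused.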
@@ -115,7 +121,7 @@ Bandwidth Shaping
Bandwidth rate limits can be set for local users or via RADIUS based attributes.
-Bandwidth Shaping for local users
+Bandwidth Shaping for local users
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The rate-limit is set in kbit/sec.
@@ -131,31 +137,34 @@ The rate-limit is set in kbit/sec.
set vpn l2tp remote-access authentication local-users username test rate-limit download 20480
set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240
- vyos@vyos:~$ show vpn remote-access
- ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
+ vyos@vyos:~$ show vpn remote-access
+ ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
-------+----------+--------------+---------------+-------------+------+------+--------+-----------
- ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30
+ ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30
RADIUS authentication
======================
-To enable RADIUS based authentication, the authentication mode needs to be changed withing the configuration.
-Previous settings like the local users, still exists within the configuration, however they are not used if the mode
-has been changed from local to radius. Once changed back to local, it will use all local accounts again.
+To enable RADIUS based authentication, the authentication mode needs to be
+changed withing the configuration. Previous settings like the local users, still
+exists within the configuration, however they are not used if the mode has been
+changed from local to radius. Once changed back to local, it will use all local
+accounts again.
.. code-block:: sh
set vpn l2tp remote-access authentication mode <local|radius>
-Since the RADIUS server would be a single point of failure, multiple RADIUS server can be setup and will be used subsequentially.
+Since the RADIUS server would be a single point of failure, multiple RADIUS
+servers can be setup and will be used subsequentially.
.. code-block:: sh
set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'
-.. note:: Some RADIUS_ severs use an access control list which allows or denies queries,
- make sure to add your VyOS router to the allowed client list.
+.. note:: Some RADIUS_ severs use an access control list which allows or denies
+ queries, make sure to add your VyOS router to the allowed client list.
RADIUS source address
^^^^^^^^^^^^^^^^^^^^^
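Review bot: two typos survive the reflow: "withing" (should be "within") in the first paragraph and "severs" (should be "servers") in the note. "Previous settings like the local users, still exists" should read "Previous settings, like the local users, still exist", and "subsequentially" is not a word; "one after another" keeps the intended meaning.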
@@ -171,8 +180,8 @@ single source IP e.g. the loopback interface.
Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries
on this NAS.
-.. note::
- The ``source-address`` must be configured on one of VyOS interface.
+.. note:: The ``source-address`` must be configured on one of VyOS interface.
+ Best proctice would be a loopback or dummy interface.
RADIUS bandwidth shaping attribute
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
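Review bot: the added sentence introduces a new typo, "proctice" (should be "practice"), and the existing "one of VyOS interface" should be "one of the VyOS interfaces". Folding the note onto the ``.. note::`` line is fine for RST as long as the continuation line stays indented under the directive, which it is here.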
@@ -183,31 +192,40 @@ To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enable
set vpn l2tp remote-access authentication radius rate-limit enable
-The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also redefine it.
+The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also
+redefine it.
.. code-block:: sh
set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed
-.. note:: If you set a custom RADIUS attribute you must define it on both dictionaries at RADIUS server and client, which is the vyos router in our example.
+.. note:: If you set a custom RADIUS attribute you must define it on both
+ dictionaries at RADIUS server and client, which is the vyos router in our
+ example.
The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/radius/``
RADIUS advanced features
^^^^^^^^^^^^^^^^^^^^^^^^
-Received RADIUS attributes have a higher priority than parameters defined withm the cli configuration, refer to the explanation below.
+
+Received RADIUS attributes have a higher priority than parameters defined within
+the CLI configuration, refer to the explanation below.
Allocation clients ip addresses by RADIUS
*****************************************
-If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ip-pool within the cli config is being ignored.
+If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
+address will be allocated to the client and the option ip-pool within the CLI
+config is being ignored.
Renaming clients interfaces by RADIUS
*************************************
-If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be renamed.
+If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
+renamed.
-.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 characters, otherwise the interface won't be renamed.
+.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
+ characters, otherwise the interface won't be renamed.
.. _`Google Public DNS`: https://developers.google.com/speed/public-dns
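Review bot: the reflow leaves the two sub-headings ungrammatical: "Allocation clients ip addresses by RADIUS" should be "Allocation of client IP addresses by RADIUS" and "Renaming clients interfaces by RADIUS" should be "Renaming client interfaces by RADIUS" (extend the ``*`` underlines to match the new title lengths). In the ``Framed-IP-Address`` paragraph, "is being ignored" reads better as "is ignored". The ``NAS-Port-Id`` note could state the reason for the limit: Linux interface names are capped at IFNAMSIZ (16 bytes including the terminating NUL), so at most 15 characters are usable.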