Diffstat (limited to 'docs')

-rw-r--r-- docs/appendix/examples/dmvpn.rst | 1
-rw-r--r-- docs/configuration-overview.rst | 8
-rw-r--r-- docs/contributing/index.rst | 1
-rw-r--r-- docs/contributing/upstream-packages.rst | 2
-rw-r--r-- docs/firewall.rst | 10
-rw-r--r-- docs/services/index.rst | 3
-rw-r--r-- docs/services/ipoe-server.rst | 6
-rw-r--r-- docs/services/references.rst | 2
-rw-r--r-- docs/services/sstp-server.rst | 76
-rw-r--r-- docs/vpn/pptp.rst | 2

10 files changed, 95 insertions, 16 deletions
diff --git a/docs/appendix/examples/dmvpn.rst b/docs/appendix/examples/dmvpn.rst index d3bf45c7..f247cade 100644 --- a/docs/appendix/examples/dmvpn.rst +++ b/docs/appendix/examples/dmvpn.rst @@ -88,6 +88,7 @@ Use this configuration on your Cisco device: crypto ipsec profile DMVPN set security-association idle-time 720 set transform-set DMVPN-AES256 + set isakmp-profile DMVPN ! interface Tunnel10 description Tunnel to DMVPN HUB diff --git a/docs/configuration-overview.rst b/docs/configuration-overview.rst index 9031609f..ada7ab64 100644 --- a/docs/configuration-overview.rst +++ b/docs/configuration-overview.rst @@ -352,7 +352,7 @@ VyOS has built-in config archiving and versioning that renders tools like rancid This feature was available in Vyatta Core since 6.3 Local archive and revisions -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- Revisions are stored on disk, you can view them, compare them, and rollback to previous revisions if anything goes wrong. To view existing revisions, use `show system commit` operational mode command. @@ -390,11 +390,13 @@ You can compare revisions with `compare X Y` command, where X and Y are revision You can rollback to a previous revision with `rollback X`, where X is a revision number. Your system will reboot and load the config from the archive. Configuring the archive size -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- + You can specify the number of revisions stored on disk with `set system config-management commit-revisions X`, where X is a number between 0 and 65535. When the number of revisions exceeds that number, the oldest revision is removed. Remote archive -~~~~~~~~~~~~~~ +-------------- + VyOS can copy the config to a remote location after each commit. TFTP, FTP, and SFTP servers are supported. You can specify the location with `set system config-management commit-archive location URL` command, e.g. `set system config-management commit-archive location tftp://10.0.0.1/vyos`. 
diff --git a/docs/contributing/index.rst b/docs/contributing/index.rst index 82d1b588..a7dd55ce 100644 --- a/docs/contributing/index.rst +++ b/docs/contributing/index.rst @@ -8,3 +8,4 @@ development vyos_cli coding_guidelines + upstream-packages diff --git a/docs/contributing/upstream-packages.rst b/docs/contributing/upstream-packages.rst index 55c7e5e2..4e602866 100644 --- a/docs/contributing/upstream-packages.rst +++ b/docs/contributing/upstream-packages.rst @@ -1,4 +1,4 @@ -.. _development: +.. _development_pkgs: Upstream packages ================= diff --git a/docs/firewall.rst b/docs/firewall.rst index fc6bf746..023898db 100644 --- a/docs/firewall.rst +++ b/docs/firewall.rst @@ -3,7 +3,7 @@ Firewall ======== -VyOS makes use of Linux [netfilter](http://netfilter.org/) for packet filtering. +VyOS makes use of Linux `netfilter <http://netfilter.org/>`_ for packet filtering. The firewall supports the creation of groups for ports, addresses, and networks (implemented using netfilter ipset) and the option of interface or zone based @@ -25,8 +25,7 @@ firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying to rulesets to interfaces they are applied to source zone-destination zone pairs. -An introduction to zone-based firewalls can be found [[A primer to Zone Based -Firewall|here]]. For an example see :ref:`examples-zone-policy`. +An example to zone-based firewalls can be found here: :ref:`examples-zone-policy`. Groups ------ @@ -172,7 +171,4 @@ Example Partial Config } } } - } - -[XFinity Blocked Port List](https://www.xfinity.com/support/internet/list-of-blocked-ports/) - + }
\ No newline at end of file diff --git a/docs/services/index.rst b/docs/services/index.rst index 57471cf8..03fdc9c4 100644 --- a/docs/services/index.rst +++ b/docs/services/index.rst @@ -18,8 +18,9 @@ This chapter descriptes the available system/network services provided by VyOS. dynamic-dns lldp mdns-repeater - pppoe-server ipoe-server + pppoe-server + sstp-server udp-broadcast-relay snmp ssh diff --git a/docs/services/ipoe-server.rst b/docs/services/ipoe-server.rst index 633de880..925ef373 100644 --- a/docs/services/ipoe-server.rst +++ b/docs/services/ipoe-server.rst @@ -14,7 +14,7 @@ Configuration IPoE can be configure on different interfaces, it will depend on each specific situation which interface will provide IPoE to clients. The clients mac address and the incoming interface is being used as control parameter, to authenticate a client. -The example comnfiguration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06. +The example configuration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06. Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the configuration. .. code-block:: sh @@ -26,7 +26,7 @@ Other DHCP discovery requests will be ignored, unless the client mac has been en set service ipoe-server interface eth2 client-subnet '192.168.0.0/24' -The first address of the paramter ``client-subnet``, will be used as the default gateway. +The first address of the parameter ``client-subnet``, will be used as the default gateway. Connected sessions can be checked via the ``show ipoe-server sessions`` command. .. code-block:: sh 
@@ -72,7 +72,7 @@ globally communicate without the need of any NAT rules. Automatic VLAN creation ======================= -To create VLANs per user during runtime, the follwing settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time. +To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time. .. code-block:: sh diff --git a/docs/services/references.rst b/docs/services/references.rst index 3a2f4b74..257ffe11 100644 --- a/docs/services/references.rst +++ b/docs/services/references.rst @@ -11,3 +11,5 @@ .. _Squidguard: http://www.squidguard.org/ .. _TFTP: https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol .. _`arbitrary extension commands`: http://net-snmp.sourceforge.net/docs/man/snmpd.conf.html#lbAZ +.. _`accel-ppp`: https://accel-ppp.org/ +.. _`Secure Socket Tunneling Protocol`: https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol diff --git a/docs/services/sstp-server.rst b/docs/services/sstp-server.rst new file mode 100644 index 00000000..8ee8ef45 --- /dev/null +++ b/docs/services/sstp-server.rst 
@@ -0,0 +1,76 @@ + +SSTP server +------------ + +VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be +used with local authentication or a connected RADIUS server. + +.. note:: **Please be aware, due to an upstream bug, config changes/commits + will restart the ppp daemon and will reset existing PPPoE connections from + connected users, in order to become effective.** + +Configuration +^^^^^^^^^^^^^ + +The `Secure Socket Tunneling Protocol`_ (SSTP), provides ppp via a SSL/TLS channel. +Using publically signed certificates as well a by private PKI, is fully supported. +All certficates should be stored on VyOS under ``/config/user-data/sstp``. + + +Self Signed CA and server certificates +====================================== + +To generate the CA, the server private key and certificates the following commands can be used. + +.. code-block:: sh + + vyos@vyos:~$ conf + [edit] + vyos@vyos# mkdir -p /config/user-data/sstp && cd /config/user-data/sstp + [edit] + openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout server.key -out server.crt + + Generating a 4096 bit RSA private key + .........................++ + ...............................................................++ + writing new private key to 'server.key' + [...] + Country Name (2 letter code) [AU]: + State or Province Name (full name) [Some-State]: + Locality Name (eg, city) []: + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + Organizational Unit Name (eg, section) []: + Common Name (e.g. server FQDN or YOUR name) []: + Email Address []: + + vyos@vyos# openssl req -new -x509 -key server.key -out ca.crt + [...] + Country Name (2 letter code) [AU]: + State or Province Name (full name) [Some-State]: + Locality Name (eg, city) []: + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + Organizational Unit Name (eg, section) []: + Common Name (e.g. 
server FQDN or YOUR name) []: + Email Address []: + [edit] + vyos@vyos# + + +The example below will answer configuration request for the user user ``foo``. + +Use <tab> to setup the ``set sstp-settings ssl-certs ...``, it automatically looks for all files and directories in ``/config/user-data/sstp``. + +.. code-block:: sh + + set authentication local-users username foo password 'bar' + set authentication mode 'local' + set network-settings client-ip-settings gateway-address '10.100.100.1' + set network-settings client-ip-settings subnet '192.168.0.0/24' + set network-settings dns-server primary-dns '10.100.100.1' + set network-settings dns-server secondary-dns '10.200.100.1' + set sstp-settings ssl-certs ca 'ca.crt' + set sstp-settings ssl-certs server-cert 'server.crt' + set sstp-settings ssl-certs server-key 'server.key' + + +.. include:: references.rst diff --git a/docs/vpn/pptp.rst b/docs/vpn/pptp.rst index 2d560919..ad8a37c4 100644 --- a/docs/vpn/pptp.rst +++ b/docs/vpn/pptp.rst @@ -4,7 +4,7 @@ PPTP-Server ----------- The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility. -PPTP has many well known secrurity issues and you should use one of the many other new VPN implementations. +PPTP has many well known security issues and you should use one of the many other new VPN implementations. As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1. |
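Review bot: in the dmvpn.rst hunk, the added `set isakmp-profile DMVPN` line references an ISAKMP profile whose definition is not in the hunk's context; confirm that the Cisco example earlier on that page actually defines a `crypto isakmp profile DMVPN`, otherwise readers who copy the snippet end up with the IPsec profile pointing at an undefined profile.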
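Review bot: in the "Remote archive" hunk of configuration-overview.rst, the paragraph keeps `tftp://10.0.0.1/vyos` as the example location without saying that TFTP and FTP push the complete configuration (including any credentials, pre-shared keys and certificates it contains) across the network unencrypted and unauthenticated; since the same sentence lists SFTP as supported, suggest switching the example to an SFTP URL and adding one sentence that TFTP/FTP archiving is only appropriate on a trusted management network. The heading-marker changes in the other two hunks of this file are fine.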
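Review bot: in the upstream-packages.rst hunk, renaming the label from `.. _development:` to `.. _development_pkgs:` will break any existing `:ref:`development`` that was meant to point at this page; the rename is the right fix if the label collided with another file's `_development` label, but grep the docs for references and update them in the same commit, and state the reason in the commit message.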
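Review bot: in the second firewall.rst hunk, the replacement sentence "An example to zone-based firewalls can be found here:" is ungrammatical; suggest "An example of a zone-based firewall configuration can be found at :ref:`examples-zone-policy`." Dropping the dead `[[A primer to Zone Based Firewall|here]]` wiki-style link is fine, but if an equivalent rst page for the primer exists it should be linked in its place rather than removed outright.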
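Review bot: in the third firewall.rst hunk, the file now ends without a trailing newline (`\ No newline at end of file`); add one so the next edit to this file does not produce a spurious diff on the closing `}`. Removing the unrelated XFinity blocked-port link is reasonable, but it was the section's only external reference, so mention the removal in the commit message.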
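Review bot: in the first ipoe-server.rst hunk, the unchanged context sentences still read "IPoE can be configure on different interfaces" and "The clients mac address and the incoming interface is being used as control parameter"; since this commit already fixes typos in the same paragraph, fix these too ("can be configured", "The client's MAC address and the incoming interface are used as control parameters").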
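Review bot: in the sstp-server.rst hunk, the "Self Signed CA and server certificates" procedure does not produce a CA-issued server certificate: the first command, `openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout server.key -out server.crt`, already writes a self-signed server certificate, and the second, `openssl req -new -x509 -key server.key -out ca.crt`, creates a second self-signed certificate from the same private key, so `ca.crt` never signs `server.crt` and the "CA" has no key of its own. Suggest generating a separate CA key and certificate, then creating a CSR for `server.key` and signing it with the CA (`openssl genrsa`, `openssl req -new`, `openssl x509 -req -CA ca.crt -CAkey ca.key`), so that clients which trust `ca.crt` can actually validate the server certificate and the CA key is never installed on the SSTP server. Further points in the same hunk: the note block warns that commits "will reset existing PPPoE connections", which looks copied from the PPPoE page and should say SSTP; "publically", "certficates", "as well a by private PKI", "provides ppp via a SSL/TLS channel" and "the user user ``foo``" need fixing; the first code block drops the `vyos@vyos#` prompt before the openssl command while keeping it on the others; and the closing `set authentication ...`/`set sstp-settings ...` commands omit the top-level configuration path, so either show the `edit` level they assume or give full paths so they can be pasted as-is.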
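Review bot: in the pptp.rst hunk, the corrected sentence still reads "PPTP has many well known security issues"; hyphenate as "well-known", and since the sentence tells readers to use "one of the many other new VPN implementations", it would help to point at the specific alternatives this documentation covers (the new SSTP page added in this commit being one of them).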