From d71c4607fa0c330a3c6269811b2126a25ceb91f7 Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Thu, 29 Feb 2024 16:21:27 +0200 Subject: Rewritten the SSTP server documentation Fully rewritten SSTP server documentation. --- docs/configuration/vpn/sstp.rst | 595 +++++++++++++++++++++++++++------------- 1 file changed, 403 insertions(+), 192 deletions(-) (limited to 'docs/configuration/vpn') diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index a9def827..3749eb7b 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -19,50 +19,43 @@ local and RADIUS authentication. As SSTP provides PPP via a SSL/TLS channel the use of either publically signed certificates as well as a private PKI is required. -.. note:: All certificates should be stored on VyOS under ``/config/auth``. If - certificates are not stored in the ``/config`` directory they will not be - migrated during a software update. +*********************** +Configuring SSTP Server +*********************** Certificates ============ -Self Signed CA --------------- - -To generate the CA, the server private key and certificates the following -commands can be used. +Using our documentation chapter - :ref:`pki` generate and install CA and Server certificate .. code-block:: none - vyos@vyos:~$ mkdir -p /config/user-data/sstp - vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt - - Generating a 4096 bit RSA private key - .........................++ - ...............................................................++ - writing new private key to 'server.key' - [...] - Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: - - vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt - [...] - Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: + vyos@vyos:~$ generate pki ca install CA + +.. code-block:: none + vyos@vyos:~$ generate pki certificate sign CA install Server Configuration ============= +.. code-block:: none + + set vpn sstp authentication local-users username test password 'test' + set vpn sstp authentication mode 'local' + set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100' + set vpn sstp default-pool 'SSTP-POOL' + set vpn sstp gateway-address '10.0.0.1' + set vpn sstp ssl ca-certificate 'CA1' + set vpn sstp ssl certificate 'Server' + +.. cfgcmd:: set vpn sstp authentication mode + + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. .. cfgcmd:: set vpn sstp authentication local-users username password @@ -70,137 +63,185 @@ Configuration Create `` for local authentication on this system. The users password will be set to ``. -.. cfgcmd:: set vpn sstp authentication local-users username disable +.. cfgcmd:: set vpn sstp client-ip-pool range - Disable `` account. + Use this command to define the first IP address of a pool of + addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. -.. cfgcmd:: set vpn sstp authentication local-users username static-ip -
+.. cfgcmd:: set vpn sstp default-pool - Assign static IP address to `` account. + Use this command to define default address pool name. -.. cfgcmd:: set vpn sstp authentication local-users username rate-limit - download +.. cfgcmd:: set vpn sstp gateway-address - Download bandwidth limit in kbit/s for ``. + Specifies single `` IP address to be used as local address of PPP + interfaces. -.. cfgcmd:: set vpn sstp authentication local-users username rate-limit - upload +.. cfgcmd:: set vpn sstp ssl ca-certificate - Upload bandwidth limit in kbit/s for ``. + Name of installed certificate authority certificate. -.. cfgcmd:: set vpn sstp authentication protocols - +.. cfgcmd:: set vpn sstp ssl certificate - Require the peer to authenticate itself using one of the following protocols: - pap, chap, mschap, mschap-v2. + Name of installed server certificate. -.. cfgcmd:: set vpn sstp authentication mode +********************************* +Configuring RADIUS authentication +********************************* - Set authentication backend. The configured authentication backend is used - for all queries. +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. - * **radius**: All authentication queries are handled by a configured RADIUS - server. - * **local**: All authentication queries are handled locally. +.. code-block:: none + set vpn sstp authentication mode radius -.. cfgcmd:: set vpn sstp gateway-address +.. cfgcmd:: set vpn sstp authentication radius server key - Specifies single `` IP address to be used as local address of PPP - interfaces. + Configure RADIUS `` and its required shared `` for + communicating with the RADIUS server. +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: -.. cfgcmd:: set vpn sstp port +.. code-block:: none - Specifies the port `` that the SSTP port will listen on (default 443). + set vpn sstp authentication radius server 10.0.0.1 key 'foo' + set vpn sstp authentication radius server 10.0.0.2 key 'foo' +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -.. cfgcmd:: set vpn sstp client-ip-pool range +RADIUS source address +===================== - Use this command to define the first IP address of a pool of - addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, - it must be within a /24 subnet. If notation ``x.x.x.x/x`` is - used there is possibility to set host/netmask. +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. You can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. -.. cfgcmd:: set vpn sstp client-ip-pool next-pool +.. cfgcmd:: set vpn sstp authentication radius source-address
- Use this command to define the next address pool name. + Source IPv4 address used in all RADIUS server queires. -.. cfgcmd:: set vpn sstp default-pool +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. - Use this command to define default address pool name. +RADIUS advanced options +======================= +.. cfgcmd:: set vpn sstp authentication radius server port -.. cfgcmd:: set vpn sstp client-ipv6-pool prefix
- mask + Configure RADIUS `` and its required port for authentication requests. - Use this comand to set the IPv6 address pool from which an SSTP client - will get an IPv6 prefix of your defined length (mask) to terminate the - SSTP endpoint at their side. The mask length can be set from 48 to 128 - bit long, the default value is 64. +.. cfgcmd:: set vpn sstp authentication radius server fail-time