From 91e7d86a27814ff35a4cc9630585572082ce4138 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 11 Dec 2022 20:32:46 +0100 Subject: T4792: add initial documentation for SSTP client --- docs/configuration/interfaces/index.rst | 1 + docs/configuration/interfaces/sstp-client.rst | 150 ++++++++++++++++++++++++++ docs/configuration/vpn/sstp.rst | 6 +- 3 files changed, 154 insertions(+), 3 deletions(-) create mode 100644 docs/configuration/interfaces/sstp-client.rst (limited to 'docs/configuration') diff --git a/docs/configuration/interfaces/index.rst b/docs/configuration/interfaces/index.rst index 97ad709e..0f02d1e3 100644 --- a/docs/configuration/interfaces/index.rst +++ b/docs/configuration/interfaces/index.rst @@ -19,6 +19,7 @@ Interfaces wireguard pppoe pseudo-ethernet + sstp-client tunnel virtual-ethernet vti diff --git a/docs/configuration/interfaces/sstp-client.rst b/docs/configuration/interfaces/sstp-client.rst new file mode 100644 index 00000000..27eb9c39 --- /dev/null +++ b/docs/configuration/interfaces/sstp-client.rst 
@@ -0,0 +1,150 @@ +:lastproofread: 2022-12-11 + +.. _sstp-client-interface: + +########### +SSTP Client +########### + +:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VTP (Virtual +Private Network)` tunnel that provides a mechanism to transport PPP traffic +through an SSL/TLS channel. SSL/TLS provides transport-level security with key +negotiation, encryption and traffic integrity checking. The use of SSL/TLS over +TCP port 443 (by default, port can be changed) allows SSTP to pass through +virtually all firewalls and proxy servers except for authenticated web proxies. + +.. note:: VyOS also comes with a build in SSTP server, see :ref:`sstp`. + +************* +Configuration +************* + +Common interface configuration +============================== + +.. cmdinclude:: /_include/interface-description.txt + :var0: sstpc + :var1: sstpc0 + +.. cmdinclude:: /_include/interface-disable.txt + :var0: sstpc + :var1: sstpc0 + +.. cmdinclude:: /_include/interface-mtu.txt + :var0: sstpc + :var1: sstpc0 + +.. cmdinclude:: /_include/interface-vrf.txt + :var0: sstpc + :var1: sstpc0 + +SSTP Client Options +=================== + +.. cfgcmd:: set interfaces sstpc no-default-route + + Only request an address from the SSTP server but do not install any default + route. + + Example: + + .. code-block:: none + + set interfaces sstpc sstpc0 no-default-route + + .. note:: This command got added in VyOS 1.4 and inverts the logic from the old + ``default-route`` CLI option. + +.. cfgcmd:: set interfaces sstpc default-route-distance + + Set the distance for the default gateway sent by the SSTP server. + + Example: + + .. code-block:: none + + set interfaces sstpc sstpc0 default-route-distance 220 + +.. cfgcmd:: set interfaces sstpc no-peer-dns + + Use this command to not install advertised DNS nameservers into the local + system. + +.. cfgcmd:: set interfaces sstpc server
+ + SSTP remote server to connect to. Can be either an IP address or FQDN. + +.. cfgcmd:: set interfaces sstpc ip adjust-mss + + As Internet wide PMTU discovery rarely works, we sometimes need to clamp our + TCP MSS value to a specific value. This is a field in the TCP options part of + a SYN packet. By setting the MSS value, you are telling the remote side + unequivocally 'do not try to send me packets bigger than this value'. + + .. note:: This command was introduced in VyOS 1.4 - it was previously called: + ``set firewall options interface adjust-mss `` + + .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in + 1452 bytes on a 1492 byte MTU. + + Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to + automatically set the proper value. + +.. cfgcmd:: set interfaces sstpc ip disable-forwarding + + Configure interface-specific Host/Router behaviour. If set, the interface will + switch to host mode and IPv6 forwarding will be disabled on this interface. + +.. cfgcmd:: set interfaces sstpc ip source-validation + + Enable policy for source validation by reversed path, as specified in + :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict + mode to prevent IP spoofing from DDos attacks. If using asymmetric routing + or other complicated routing, then loose mode is recommended. + + - strict: Each incoming packet is tested against the FIB and if the interface + is not the best reverse path the packet check will fail. By default failed + packets are discarded. + + - loose: Each incoming packet's source address is also tested against the FIB + and if the source address is not reachable via any interface the packet + check will fail. + + - disable: No source validation + +********* +Operation +********* + +.. opcmd:: show interfaces sstpc + + Show detailed information on given `` + + .. 
code-block:: none + + vyos@vyos:~$ show interfaces sstpc sstpc10 + sstpc10: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3 + link/ppp + inet 192.0.2.5 peer 192.0.2.254/32 scope global sstpc10 + valid_lft forever preferred_lft forever + inet6 fe80::fd53:c7ff:fe8b:144f/64 scope link + valid_lft forever preferred_lft forever + + RX: bytes packets errors dropped overrun mcast + 215 9 0 0 0 0 + TX: bytes packets errors dropped carrier collisions + 539 14 0 0 0 0 + + +Connect/Disconnect +================== + +.. opcmd:: disconnect interface + + Test disconnecting given connection-oriented interface. `` can be + ``sstpc0`` as the example. + +.. opcmd:: connect interface + + Test connecting given connection-oriented interface. `` can be + ``sstpc0`` as the example. diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index 4f90260e..f3e062fe 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -1,8 +1,8 @@ .. _sstp: -#### -SSTP -#### +########### +SSTP Server +########### :abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN (Virtual Private Network)` tunnel that provides a mechanism to transport PPP -- cgit v1.2.3
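Review bot: in the new sstp-client.rst, the text for ``set interfaces sstpc ip disable-forwarding`` says "IPv6 forwarding will be disabled on this interface", but the option sits under the ``ip`` (IPv4) node, so the sentence looks copied from the IPv6 variant and should say IPv4 forwarding. Smaller fixes in the same file: the intro expands the abbreviation as ``:abbr:`VTP (Virtual Private Network)``` where it should be VPN (as sstp.rst has it), "a build in SSTP server" should read "a built-in SSTP server", "DDos" should be "DDoS", and ``server`` is the only option without an example; a line such as ``set interfaces sstpc sstpc0 server vpn.example.com`` would match the others. Since the intro states that SSTP's security rests on the SSL/TLS channel, the page should also say how (or whether) the client validates the server certificate and where the authentication credentials are configured; neither appears in this hunk.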
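Review bot: the heading rename to "SSTP Server" keeps the ``.. _sstp:`` label, so the ``:ref:`sstp``` link from the new client page still resolves; for symmetry, add a matching pointer in sstp.rst back to the client page, e.g. ``.. note:: VyOS also comes with an SSTP client, see :ref:`sstp-client-interface`.``, since that label is defined by this patch. The opening lines visible here are identical to the client page's intro, so the two paragraphs could share an include to avoid drift (the client copy has already diverged with the VTP typo).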