From 8cb0070b51edf550189a9ccf5f1a92bf537c3572 Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Thu, 29 Feb 2024 17:51:57 +0200 Subject: Rewritten the PPTP server documentation Fully rewritten PPTP server documentation. --- docs/configuration/vpn/pptp.rst | 552 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 526 insertions(+), 26 deletions(-) (limited to 'docs') diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst index fe536eec..2a5e7731 100644 --- a/docs/configuration/vpn/pptp.rst +++ b/docs/configuration/vpn/pptp.rst @@ -1,52 +1,552 @@ .. _pptp: +########### PPTP-Server ------------ +########### The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility. PPTP has many well known security issues and you should use one of the many other new VPN implementations. -As per default and if not otherwise defined, mschap-v2 is being used for -authentication and mppe 128-bit (stateless) for encryption. If no -gateway-address is set within the configuration, the lowest IP out of the /24 -client-ip-pool is being used. For instance, in the example below it would be -192.168.0.1. - -server example -^^^^^^^^^^^^^^ +*********************** +Configuring PPTP Server +*********************** .. code-block:: none + set vpn pptp remote-access authentication mode local set vpn pptp remote-access authentication local-users username test password 'test' - set vpn pptp remote-access authentication mode 'local' - set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15 + set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.255.2-192.168.255.254 set vpn pptp remote-access default-pool 'PPTP-POOL' - set vpn pptp remote-access gateway-address '10.100.100.1' - set vpn pptp remote-access outside-address '10.1.1.120' + set vpn pptp remote-access outside-address 192.0.2.2 + set vpn pptp remote-access gateway-address 192.168.255.1 + + +.. cfgcmd:: set vpn pptp remote-access authentication mode + + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + * **noauth**: Authentication disabled. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username password + + + Create `` for local authentication on this system. The users password + will be set to ``. + +.. cfgcmd:: set vpn pptp remote-access client-ip-pool range + + Use this command to define the first IP address of a pool of + addresses to be given to PPTP clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set vpn pptp remote-access default-pool + + Use this command to define default address pool name. + +.. cfgcmd:: set vpn pptp remote-access gateway-address + + Specifies single `` IP address to be used as local address of PPP + interfaces. + +********************************* +Configuring RADIUS authentication +********************************* + +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. + +.. code-block:: none + + set vpn pptp remote-access authentication mode radius + +.. cfgcmd:: set vpn pptp remote-access authentication radius server key + + Configure RADIUS `` and its required shared `` for + communicating with the RADIUS server. + +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: + +.. code-block:: none + + set vpn pptp remote-access authentication radius server 10.0.0.1 key 'foo' + set vpn pptp remote-access authentication radius server 10.0.0.2 key 'foo' + +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. + +RADIUS source address +===================== + +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. You can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. + +.. cfgcmd:: set vpn pptp remote-access authentication radius source-address
+ + Source IPv4 address used in all RADIUS server queires. + +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. + +RADIUS advanced options +======================= + +.. cfgcmd:: set vpn pptp remote-access authentication radius server port + + Configure RADIUS `` and its required port for authentication requests. + +.. cfgcmd:: set vpn pptp remote-access authentication radius server fail-time