From bf94e7dd7bcf7c01dcf5c4f90d9cfc9c116cb00c Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Fri, 20 Mar 2020 23:42:43 +0100
Subject: sstp: move to VPN section

---
 docs/services/index.rst       |   1 -
 docs/services/sstp-server.rst | 262 -----------------------------------------
 docs/vpn/index.rst            |   9 +-
 docs/vpn/sstp.rst             | 266 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 271 insertions(+), 267 deletions(-)
 delete mode 100644 docs/services/sstp-server.rst
 create mode 100644 docs/vpn/sstp.rst

(limited to 'docs')

diff --git a/docs/services/index.rst b/docs/services/index.rst
index e0773090..ed00a29b 100644
--- a/docs/services/index.rst
+++ b/docs/services/index.rst
@@ -17,7 +17,6 @@ This chapter describes the available system/network services provided by VyOS.
    mdns-repeater
    ipoe-server
    pppoe-server
-   sstp-server
    udp-broadcast-relay
    snmp
    ssh
diff --git a/docs/services/sstp-server.rst b/docs/services/sstp-server.rst
deleted file mode 100644
index 6e311e19..00000000
--- a/docs/services/sstp-server.rst
+++ /dev/null
@@ -1,262 +0,0 @@
-.. _sstp_server:
-
-###########
-SSTP Server
-###########
-
-:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN
-(Virtual Private Network)` tunnel that provides a mechanism to transport PPP
-traffic through an SSL/TLS channel. SSL/TLS provides transport-level security
-with key negotiation, encryption and traffic integrity checking. The use of
-SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls
-and proxy servers except for authenticated web proxies.
-
-SSTP is available for Linux, BSD, and Windows.
-
-VyOS utilizes accel-ppp_ to provide SSTP server functionality. We support both
-local and RADIUS authentication.
-
-As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
-certificates as well as a private PKI is required.
-
-.. note:: All certificates should be stored on VyOS under
-  ``/config/user-data/sstp``. If certificates are not stored unt ``/config``
-  they will not be migrated during a software update.
-
-Self Signed CA and Certificates
-===============================
-
-To generate the CA, the server private key and certificates the following
-commands can be used.
-
-.. code-block:: none
-
-
-  vyos@vyos:~$ mkdir -p /config/user-data/sstp
-  vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
-
-  Generating a 4096 bit RSA private key
-  .........................++
-  ...............................................................++
-  writing new private key to 'server.key'
-  [...]
-  Country Name (2 letter code) [AU]:
-  State or Province Name (full name) [Some-State]:
-  Locality Name (eg, city) []:
-  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
-  Organizational Unit Name (eg, section) []:
-  Common Name (e.g. server FQDN or YOUR name) []:
-  Email Address []:
-
-  vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
-  [...]
-  Country Name (2 letter code) [AU]:
-  State or Province Name (full name) [Some-State]:
-  Locality Name (eg, city) []:
-  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
-  Organizational Unit Name (eg, section) []:
-  Common Name (e.g. server FQDN or YOUR name) []:
-  Email Address []:
-
-
-Configuration
-=============
-
-.. cfgcmd:: set service sstp-server authentication local-users username <user> password <pass>
-
-  Create `<user>` for local authentication on this system. The users password
-  will be set to `<pass>`.
-
-.. cfgcmd:: set service sstp-server authentication protocols <pap | chap | mschap | mschap-v2>
-
-  Require the peer to authenticate itself using one of the following protocols:
-  pap, chap, mschap, mschap-v2.
-
-.. cfgcmd:: set service sstp-server authentication mode <local | radius>
-
-  Set authentication backend. The configured authentication backend is used
-  for all queries.
-
-  * **radius**: All authentication queries are handled by a configured RADIUS
-    server.
-  * **local**: All authentication queries are handled locally.
-
-
-.. cfgcmd:: set service sstp-server network-settings client-ip-settings gateway-address <gateway>
-
-  Specifies single `<gateway>` IP address to be used as local address of PPP
-  interfaces.
-
-
-.. cfgcmd:: set service sstp-server network-settings client-ip-settings subnet <subnet>
-
-  Use `<subnet>` as the IP pool for all connecting clients.
-
-
-.. cfgcmd:: set service sstp-server network-settings dns-server primary-dns <address>
-
-  Connected client should use `<address>` as their primary DNS server.
-
-
-.. cfgcmd:: set service sstp-server network-settings dns-server secondary-dns <address>
-
-  Connected client should use `<address>` as their secondary DNS server.
-
-SSL Certificates
-----------------
-
-.. cfgcmd:: set service sstp-server sstp-settings ssl-certs ca <file>
-
-  Path to `<file>` pointing to the certificate authority certificate.
-
-.. cfgcmd:: set service sstp-server sstp-settings ssl-certs server-cert <file>
-
-  Path to `<file>` pointing to the servers certificate (public portion).
-
-.. cfgcmd:: set service sstp-server sstp-settings ssl-certs server-key <file>
-
-  Path to `<file>` pointing to the servers certificate (private portion).
-
-PPP Settings
-------------
-
-.. cfgcmd:: set service sstp-server ppp-settings lcp-echo-failure <number>
-
-  Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
-  value `<number>`, the session will be reset.
-
-.. cfgcmd:: set service sstp-server ppp-settings lcp-echo-interval <interval>
-
-  If this option is specified and is greater than 0, then the PPP module will
-  send LCP pings of the echo request every `<interval>` seconds.
-
-.. cfgcmd:: set service sstp-server ppp-settings lcp-echo-timeout
-
-  Specifies timeout in seconds to wait for any peer activity. If this option
-  specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
-  is not used.
-
-.. cfgcmd:: set service sstp-server ppp-settings mppe <require | prefer | deny>
-
-  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation
-  preference.
-
-  * **require** - ask client for mppe, if it rejects drop connection
-  * **prefer** - ask client for mppe, if it rejects don't fail
-  * **deny** - deny mppe
-
-  Default behavior - don't ask client for mppe, but allow it if client wants.
-  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
-  attribute.
-
-
-RADIUS
-------
-
-Server
-^^^^^^
-
-.. cfgcmd:: set service sstp-server authentication radius-server <server> secret <secret>
-
-  Configure RADIUS `<server>` and its required shared `<secret>` for
-  communicating with the RADIUS server.
-
-.. cfgcmd:: set service sstp-server authentication radius-server <server> secret <secret>
-
-  Configure RADIUS `<server>` and its required shared `<secret>` for
-  communicating with the RADIUS server.
-
-.. cfgcmd:: set service sstp-server authentication radius-server <server> fail-time <time>
-
-  Mark RADIUS server as offline for this given `<time>` in seconds.
-
-.. cfgcmd:: set service sstp-server authentication radius-server <server> req-limit <limit>
-
-  Maximum number of simultaneous requests to RADIUS server, default is
-  unlimited.
-
-Options
-^^^^^^^
-
-.. cfgcmd:: set service sstp-server authentication radius-settings acct-timeout
-
-  Timeout to wait reply for Interim-Update packets. (default 3 seconds)
-
-
-.. cfgcmd:: set service sstp-server authentication radius-settings dae-server ip-address <address>
-
-  Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
-
-
-.. cfgcmd:: set service sstp-server authentication radius-settings dae-server port <port>
-
-  Port for Dynamic Authorization Extension server (DM/CoA)
-
-
-.. cfgcmd:: set service sstp-server authentication radius-settings dae-server secret <secret>
-
-  Secret for Dynamic Authorization Extension server (DM/CoA)
-
-
-.. cfgcmd:: set service sstp-server authentication radius-settings max-try <number>
-
-  Maximum number of tries to send Access-Request/Accounting-Request queries
-
-
-.. cfgcmd:: set service sstp-server authentication radius-settings timeout <timeout>
-
-  Timeout to wait response from server (seconds)
-
-
-.. cfgcmd:: set service sstp-server authentication radius-settings nas-identifier <identifier>
-
-  Value to send to RADIUS server in NAS-Identifier attribute and to be matched
-  in DM/CoA requests.
-
-
-.. cfgcmd:: set service sstp-server authentication radius-settings nas-ip-address <address>
-
-  Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
-  in DM/CoA requests. Also DM/CoA server will bind to that address.
-
-
-.. cfgcmd:: set service sstp-server authentication radius-settings rate-limit attribute <attribute>
-
-  Specifies which RADIUS server attribute contains the rate limit information.
-  The default attribute is `Filter-Id`.
-
-
-.. cfgcmd:: set service sstp-server authentication radius-settings rate-limit enable
-
-  Enables bandwidth shaping via RADIUS.
-
-
-.. cfgcmd:: set service sstp-server authentication radius-settings rate-limit vendor
-
-  Specifies the vendor dictionary, dictionary needs to be in
-  /usr/share/accel-ppp/radius.
-
-
-
-Example
-=======
-
-* Use local user `foo` with password `bar`
-* Client IP addresses will be provided from pool `192.0.2.0/24`
-
-Use <tab> to setup the ``set sstp-settings ssl-certs ...``, it automatically
-looks for all files and directories in ``/config/user-data/sstp``.
-
-.. code-block:: none
-
-  set service sstp-server authentication local-users username foo password 'bar'
-  set service sstp-server authentication mode 'local'
-  set service sstp-server network-settings client-ip-settings gateway-address '192.0.2.0'
-  set service sstp-server network-settings client-ip-settings subnet '192.0.2.0/24'
-  set service sstp-server network-settings dns-server primary-dns '10.100.100.1'
-  set service sstp-server network-settings dns-server secondary-dns '10.200.100.1'
-  set service sstp-server sstp-settings ssl-certs ca 'ca.crt'
-  set service sstp-server sstp-settings ssl-certs server-cert 'server.crt'
-  set service sstp-server sstp-settings ssl-certs server-key 'server.key'
-
-.. include:: ../common-references.rst
diff --git a/docs/vpn/index.rst b/docs/vpn/index.rst
index d0e440b0..42a90a3f 100644
--- a/docs/vpn/index.rst
+++ b/docs/vpn/index.rst
@@ -7,10 +7,11 @@ VPN
 .. toctree::
    :maxdepth: 2
 
-   openvpn
-   l2tp
-   site2site_ipsec
-   gre-ipsec
    dmvpn
+   gre-ipsec
+   l2tp
+   openvpn
    pptp
+   site2site_ipsec
+   sstp
    wireguard
diff --git a/docs/vpn/sstp.rst b/docs/vpn/sstp.rst
new file mode 100644
index 00000000..c5eb5dbf
--- /dev/null
+++ b/docs/vpn/sstp.rst
@@ -0,0 +1,266 @@
+.. _sstp_server:
+
+###########
+SSTP Server
+###########
+
+:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN
+(Virtual Private Network)` tunnel that provides a mechanism to transport PPP
+traffic through an SSL/TLS channel. SSL/TLS provides transport-level security
+with key negotiation, encryption and traffic integrity checking. The use of
+SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls
+and proxy servers except for authenticated web proxies.
+
+SSTP is available for Linux, BSD, and Windows.
+
+VyOS utilizes accel-ppp_ to provide SSTP server functionality. We support both
+local and RADIUS authentication.
+
+As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
+certificates as well as a private PKI is required.
+
+.. note:: All certificates should be stored on VyOS under
+  ``/config/user-data/sstp``. If certificates are not stored unt ``/config``
+  they will not be migrated during a software update.
+
+Self Signed CA and Certificates
+===============================
+
+To generate the CA, the server private key and certificates the following
+commands can be used.
+
+.. code-block:: none
+
+
+  vyos@vyos:~$ mkdir -p /config/user-data/sstp
+  vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
+
+  Generating a 4096 bit RSA private key
+  .........................++
+  ...............................................................++
+  writing new private key to 'server.key'
+  [...]
+  Country Name (2 letter code) [AU]:
+  State or Province Name (full name) [Some-State]:
+  Locality Name (eg, city) []:
+  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+  Organizational Unit Name (eg, section) []:
+  Common Name (e.g. server FQDN or YOUR name) []:
+  Email Address []:
+
+  vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
+  [...]
+  Country Name (2 letter code) [AU]:
+  State or Province Name (full name) [Some-State]:
+  Locality Name (eg, city) []:
+  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+  Organizational Unit Name (eg, section) []:
+  Common Name (e.g. server FQDN or YOUR name) []:
+  Email Address []:
+
+
+Configuration
+=============
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> password <pass>
+
+  Create `<user>` for local authentication on this system. The users password
+  will be set to `<pass>`.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
+
+  Disable `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip <address>
+
+  Assign static IP address to `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit download <bandwidth>
+
+  Download bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit upload <bandwidth>
+
+  Upload bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication protocols <pap | chap | mschap | mschap-v2>
+
+  Require the peer to authenticate itself using one of the following protocols:
+  pap, chap, mschap, mschap-v2.
+
+.. cfgcmd:: set vpn sstp authentication mode <local | radius>
+
+  Set authentication backend. The configured authentication backend is used
+  for all queries.
+
+  * **radius**: All authentication queries are handled by a configured RADIUS
+    server.
+  * **local**: All authentication queries are handled locally.
+
+
+.. cfgcmd:: set vpn sstp network-settings client-ip-settings gateway-address <gateway>
+
+  Specifies single `<gateway>` IP address to be used as local address of PPP
+  interfaces.
+
+
+.. cfgcmd:: set vpn sstp network-settings client-ip-settings subnet <subnet>
+
+  Use `<subnet>` as the IP pool for all connecting clients.
+
+
+.. cfgcmd:: set vpn sstp network-settings name-server <address>
+
+  Connected client should use `<address>` as their DNS server. Up to two IPv4
+  nameservers can be configured.
+
+
+SSL Certificates
+----------------
+
+.. cfgcmd:: set vpn sstp ssl ca-cert-file <file>
+
+  Path to `<file>` pointing to the certificate authority certificate.
+
+.. cfgcmd:: set vpn sstp ssl cert-file <file>
+
+  Path to `<file>` pointing to the servers certificate (public portion).
+
+.. cfgcmd:: set vpn sstp ssl key-file <file>
+
+  Path to `<file>` pointing to the servers certificate (private portion).
+
+PPP Settings
+------------
+
+.. cfgcmd:: set vpn sstp ppp-settings lcp-echo-failure <number>
+
+  Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
+  value `<number>`, the session will be reset.
+
+.. cfgcmd:: set vpn sstp ppp-settings lcp-echo-interval <interval>
+
+  If this option is specified and is greater than 0, then the PPP module will
+  send LCP pings of the echo request every `<interval>` seconds.
+
+.. cfgcmd:: set vpn sstp ppp-settings lcp-echo-timeout
+
+  Specifies timeout in seconds to wait for any peer activity. If this option
+  specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
+  is not used.
+
+.. cfgcmd:: set vpn sstp ppp-settings mppe <require | prefer | deny>
+
+  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation
+  preference.
+
+  * **require** - ask client for mppe, if it rejects drop connection
+  * **prefer** - ask client for mppe, if it rejects don't fail
+  * **deny** - deny mppe
+
+  Default behavior - don't ask client for mppe, but allow it if client wants.
+  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
+  attribute.
+
+
+RADIUS
+------
+
+Server
+^^^^^^
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
+
+  Configure RADIUS `<server>` and its required port for authentication requests.
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>
+
+  Configure RADIUS `<server>` and its required shared `<secret>` for
+  communicating with the RADIUS server.
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time>
+
+  Mark RADIUS server as offline for this given `<time>` in seconds.
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> disable
+
+  Temporary disable this RADIUS server.
+
+Options
+^^^^^^^
+
+.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout>
+
+  Timeout to wait reply for Interim-Update packets. (default 3 seconds)
+
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address>
+
+  Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port>
+
+  Port for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret>
+
+  Secret for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn sstp authentication radius max-try <number>
+
+  Maximum number of tries to send Access-Request/Accounting-Request queries
+
+.. cfgcmd:: set vpn sstp authentication radius timeout <timeout>
+
+  Timeout to wait response from server (seconds)
+
+.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier>
+
+  Value to send to RADIUS server in NAS-Identifier attribute and to be matched
+  in DM/CoA requests.
+
+.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address>
+
+  Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
+  in DM/CoA requests. Also DM/CoA server will bind to that address.
+
+.. cfgcmd:: set vpn sstp authentication radius source-address <address>
+
+  Source IPv4 address used in all RADIUS server queires.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute>
+
+  Specifies which RADIUS server attribute contains the rate limit information.
+  The default attribute is `Filter-Id`.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit enable
+
+  Enables bandwidth shaping via RADIUS.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor
+
+  Specifies the vendor dictionary, dictionary needs to be in
+  /usr/share/accel-ppp/radius.
+
+
+Example
+=======
+
+* Use local user `foo` with password `bar`
+* Client IP addresses will be provided from pool `192.0.2.0/25`
+
+Use <tab> to setup the ``set ssl...``, it automatically
+looks for all files and directories in ``/config/user-data/sstp``.
+
+.. code-block:: none
+
+  set vpn sstp authentication local-users username foo password 'bar'
+  set vpn sstp authentication mode 'local'
+  set vpn sstp network-settings client-ip-settings gateway-address '192.0.2.254'
+  set vpn sstp network-settings client-ip-settings subnet '192.0.2.0/25'
+  set vpn sstp network-settings name-server '10.0.0.1'
+  set vpn sstp network-settings name-server '10.0.0.2'
+  set vpn sstp ssl ca-cert-file 'ca.crt'
+  set vpn sstp ssl cert-file 'server.crt'
+  set vpn sstp ssl key-file 'server.key'
+
+.. include:: ../common-references.rst
-- 
cgit v1.2.3