:lastproofread: 2022-12-11

.. _sstp-client-interface:

###########
SSTP Client
###########

:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN (Virtual Private Network)` tunnel
that provides a mechanism to transport PPP traffic through an SSL/TLS channel.
SSL/TLS provides transport-level security with key negotiation, encryption and
traffic integrity checking. The use of SSL/TLS over TCP port 443 (by default;
the port can be changed) allows SSTP to pass through virtually all firewalls
and proxy servers except for authenticated web proxies.

.. note:: VyOS also comes with a built-in SSTP server, see :ref:`sstp`.

*************
Configuration
*************

Common interface configuration
==============================

.. cmdinclude:: /_include/interface-description.txt
   :var0: sstpc
   :var1: sstpc0

.. cmdinclude:: /_include/interface-disable.txt
   :var0: sstpc
   :var1: sstpc0

.. cmdinclude:: /_include/interface-mtu.txt
   :var0: sstpc
   :var1: sstpc0

.. cmdinclude:: /_include/interface-vrf.txt
   :var0: sstpc
   :var1: sstpc0

SSTP Client Options
===================

.. cfgcmd:: set interfaces sstpc <interface> no-default-route

   Only request an address from the SSTP server but do not install any default
   route.

   Example:

   .. code-block:: none

     set interfaces sstpc sstpc0 no-default-route

   .. note:: This command was added in VyOS 1.4 and inverts the logic of the
      old ``default-route`` CLI option.

.. cfgcmd:: set interfaces sstpc <interface> default-route-distance <distance>

   Set the distance for the default gateway sent by the SSTP server.

   Example:

   .. code-block:: none

     set interfaces sstpc sstpc0 default-route-distance 220

.. cfgcmd:: set interfaces sstpc <interface> no-peer-dns

   Use this command to not install advertised DNS nameservers into the local
   system.

.. cfgcmd:: set interfaces sstpc <interface> server <address>

   SSTP remote server to connect to. Can be either an IP address or FQDN.

.. cfgcmd:: set interfaces sstpc <interface> ip adjust-mss <mss | clamp-mss-to-pmtu>

   As Internet-wide PMTU discovery rarely works, we sometimes need to clamp our
   TCP MSS value to a specific value. This is a field in the TCP options part
   of a SYN packet. By setting the MSS value, you are telling the remote side
   unequivocally 'do not try to send me packets bigger than this value'.

   .. note:: This command was introduced in VyOS 1.4 - it was previously
      called: ``set firewall options interface <name> adjust-mss <value>``

   .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in
      1452 bytes on a 1492 byte MTU.

   Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to
   automatically set the proper value.

.. cfgcmd:: set interfaces sstpc <interface> ip disable-forwarding

   Configure interface-specific Host/Router behaviour. If set, the interface
   will switch to host mode and IPv6 forwarding will be disabled on this
   interface.

.. cfgcmd:: set interfaces sstpc <interface> ip source-validation <strict | loose | disable>

   Enable policy for source validation by reverse path, as specified in
   :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict
   mode to prevent IP spoofing from DDoS attacks. If using asymmetric routing
   or other complicated routing, then loose mode is recommended.

   - strict: Each incoming packet is tested against the FIB and if the
     interface is not the best reverse path the packet check will fail. By
     default failed packets are discarded.
   - loose: Each incoming packet's source address is also tested against the
     FIB and if the source address is not reachable via any interface the
     packet check will fail.
   - disable: No source validation

*********
Operation
*********

.. opcmd:: show interfaces sstpc <interface>

   Show detailed information on given `<interface>`

   .. code-block:: none

     vyos@vyos:~$ show interfaces sstpc sstpc10
     sstpc10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3
         link/ppp
         inet 192.0.2.5 peer 192.0.2.254/32 scope global sstpc10
            valid_lft forever preferred_lft forever
         inet6 fe80::fd53:c7ff:fe8b:144f/64 scope link
            valid_lft forever preferred_lft forever

         RX:  bytes  packets  errors  dropped  overrun       mcast
                215        9       0        0        0           0
         TX:  bytes  packets  errors  dropped  carrier  collisions
                539       14       0        0        0           0

Connect/Disconnect
==================

.. opcmd:: disconnect interface <interface>

   Test disconnecting given connection-oriented interface. `<interface>` can be
   ``sstpc0`` as the example.

.. opcmd:: connect interface <interface>

   Test connecting given connection-oriented interface. `<interface>` can be
   ``sstpc0`` as the example.
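The difference between the ``strict``, ``loose`` and ``disable`` modes of ``ip source-validation`` described above, as an added example that is not VyOS code: a small Python simulation of the :rfc:`3704` reverse-path check over a constructed FIB, where ``sstpc0`` carries the default route learned from the SSTP server and ``eth1``/``eth2`` are assumed LAN interfaces. The FIB, interface names and sample packets are all constructed for illustration.

```python
import ipaddress
from typing import Optional

# Constructed FIB (not from a real router): destination prefix -> egress
# interface. None marks a blackhole route, i.e. not reachable via any interface.
FIB = {
    "0.0.0.0/0": "sstpc0",       # default route installed by the SSTP client
    "192.168.10.0/24": "eth1",   # assumed LAN 1
    "192.168.20.0/24": "eth2",   # assumed LAN 2
    "10.99.0.0/16": None,        # blackholed range
}

def lookup(addr: str) -> Optional[str]:
    """Longest-prefix match of addr against FIB; returns the egress interface."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def source_validation(mode: str, src: str, ingress: str) -> bool:
    """True if a packet from src arriving on ingress passes the RPF check."""
    if mode == "disable":
        return True
    reverse_iface = lookup(src)
    if mode == "loose":
        # loose: the source only has to be reachable via *some* interface
        return reverse_iface is not None
    if mode == "strict":
        # strict: the best path back to the source must be the ingress interface
        return reverse_iface == ingress
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample packets: (source address, ingress interface)
PACKETS = [
    ("203.0.113.9", "sstpc0"),   # Internet host via the tunnel: legitimate
    ("192.168.10.7", "sstpc0"),  # LAN 1 address arriving from the tunnel: spoofed
    ("192.168.10.7", "eth2"),    # LAN 1 address on LAN 2: asymmetric or spoofed
    ("10.99.1.1", "sstpc0"),     # blackholed source, reachable via nothing
]

def dropped(mode: str) -> list:
    """Packets that the given source-validation mode would discard."""
    return [(s, i) for s, i in PACKETS if not source_validation(mode, s, i)]

if __name__ == "__main__":
    for mode in ("strict", "loose", "disable"):
        print(f"{mode:8s} drops {dropped(mode)}")
```

Strict mode discards the asymmetric LAN-to-LAN packet as well as the spoofed ones, which is why loose mode is the recommended choice when return paths do not mirror forward paths.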