.. _sstp: ########### SSTP Server ########### :abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN (Virtual Private Network)` tunnel that provides a mechanism to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. The use of SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers except for authenticated web proxies. SSTP is available for Linux, BSD, and Windows. VyOS utilizes accel-ppp_ to provide SSTP server functionality. We support both local and RADIUS authentication. As SSTP provides PPP via a SSL/TLS channel the use of either publically signed certificates as well as a private PKI is required. .. note:: All certificates should be stored on VyOS under ``/config/auth``. If certificates are not stored in the ``/config`` directory they will not be migrated during a software update. Certificates ============ Self Signed CA -------------- To generate the CA, the server private key and certificates the following commands can be used. .. code-block:: none vyos@vyos:~$ mkdir -p /config/user-data/sstp vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt Generating a 4096 bit RSA private key .........................++ ...............................................................++ writing new private key to 'server.key' [...] Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []: vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt [...] Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []: Configuration ============= .. cfgcmd:: set vpn sstp authentication local-users username password Create `` for local authentication on this system. The users password will be set to ``. .. cfgcmd:: set vpn sstp authentication local-users username disable Disable `` account. .. cfgcmd:: set vpn sstp authentication local-users username static-ip
Assign static IP address to `` account. .. cfgcmd:: set vpn sstp authentication local-users username rate-limit download Download bandwidth limit in kbit/s for ``. .. cfgcmd:: set vpn sstp authentication local-users username rate-limit upload Upload bandwidth limit in kbit/s for ``. .. cfgcmd:: set vpn sstp authentication protocols Require the peer to authenticate itself using one of the following protocols: pap, chap, mschap, mschap-v2. .. cfgcmd:: set vpn sstp authentication mode Set authentication backend. The configured authentication backend is used for all queries. * **radius**: All authentication queries are handled by a configured RADIUS server. * **local**: All authentication queries are handled locally. .. cfgcmd:: set vpn sstp gateway-address Specifies single `` IP address to be used as local address of PPP interfaces. .. cfgcmd:: set vpn sstp port Specifies the port `` that the SSTP port will listen on (default 443). .. cfgcmd:: set vpn sstp client-ip-pool range Use this command to define the first IP address of a pool of addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, it must be within a /24 subnet. If notation ``x.x.x.x/x`` is used there is possibility to set host/netmask. .. cfgcmd:: set vpn sstp client-ip-pool next-pool Use this command to define the next address pool name. .. cfgcmd:: set vpn sstp default-pool Use this command to define default address pool name. .. cfgcmd:: set vpn sstp client-ipv6-pool prefix
mask Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined length (mask) to terminate the SSTP endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64. .. cfgcmd:: set vpn sstp client-ipv6-pool delegate
delegation-prefix Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long. .. cfgcmd:: set vpn sstp default-ipv6-pool Use this command to define default IPv6 address pool name. .. cfgcmd:: set vpn sstp name-server
Connected client should use `
` as their DNS server. This command accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured for IPv4, up to three for IPv6. Maximum number of IPv4 nameservers SSL Certificates ---------------- .. cfgcmd:: set vpn sstp ssl ca-cert-file Path to `` pointing to the certificate authority certificate. .. cfgcmd:: set vpn sstp ssl cert-file Path to `` pointing to the servers certificate (public portion). PPP Settings ------------ .. cfgcmd:: set vpn sstp ppp-options disable-ccp Disable Compression Control Protocol (CCP). CCP is enabled by default. .. cfgcmd:: set vpn sstp ppp-options interface-cache Specifies number of interfaces to keep in cache. It means that don’t destroy interface after corresponding session is destroyed, instead place it to cache and use it later for new sessions repeatedly. This should reduce kernel-level interface creation/deletion rate lack. Default value is **0**. .. cfgcmd:: set vpn sstp ppp-options ipv4 Specifies IPv4 negotiation preference. * **require** - Require IPv4 negotiation * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects * **allow** - Negotiate IPv4 only if client requests (Default value) * **deny** - Do not negotiate IPv4 .. cfgcmd:: set vpn sstp ppp-options ipv6 Specifies IPv6 negotiation preference. * **require** - Require IPv6 negotiation * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects * **allow** - Negotiate IPv6 only if client requests * **deny** - Do not negotiate IPv6 (default value) .. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id Accept peer interface identifier. By default is not defined. .. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id Specifies fixed or random interface identifier for IPv6. By default is fixed. * **random** - Random interface identifier for IPv6 * **x:x:x:x** - Specify interface identifier for IPv6 .. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id Specifies peer interface identifier for IPv6. By default is fixed. * **random** - Random interface identifier for IPv6 * **x:x:x:x** - Specify interface identifier for IPv6 * **ipv4-addr** - Calculate interface identifier from IPv4 address. * **calling-sid** - Calculate interface identifier from calling-station-id. .. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure Defines the maximum `` of unanswered echo requests. Upon reaching the value ``, the session will be reset. Default value is **3**. .. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval If this option is specified and is greater than 0, then the PPP module will send LCP pings of the echo request every `` seconds. Default value is **30**. .. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used. Default value is **0**. .. cfgcmd:: set vpn sstp ppp-options min-mtu Defines minimum acceptable MTU. If client will try to negotiate less then specified MTU then it will be NAKed or disconnected if rejects greater MTU. Default value is **100**. .. cfgcmd:: set vpn sstp ppp-options mppe Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation preference. * **require** - ask client for mppe, if it rejects drop connection * **prefer** - ask client for mppe, if it rejects don't fail. (Default value) * **deny** - deny mppe Default behavior - don't ask client for mppe, but allow it if client wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute. .. cfgcmd:: set vpn sstp ppp-options mru Defines preferred MRU. By default is not defined. RADIUS ------ Server ^^^^^^ .. cfgcmd:: set vpn sstp authentication radius server port Configure RADIUS `` and its required port for authentication requests. .. cfgcmd:: set vpn sstp authentication radius server key Configure RADIUS `` and its required shared `` for communicating with the RADIUS server. .. cfgcmd:: set vpn sstp authentication radius server fail-time