:lastproofread: 2022-12-11

.. _sstp-client-interface:

###########
SSTP Client
###########

:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN (Virtual
Private Network)` tunnel that provides a mechanism to transport PPP traffic
through an SSL/TLS channel. SSL/TLS provides transport-level security with key
negotiation, encryption and traffic integrity checking. Because SSTP runs over
TCP port 443 by default (the port can be changed), it passes through virtually
all firewalls and proxy servers except for authenticated web proxies.

.. note:: VyOS also comes with a built-in SSTP server, see :ref:`sstp`.

*************
Configuration
*************

Common interface configuration
==============================

.. cmdinclude:: /_include/interface-description.txt
   :var0: sstpc
   :var1: sstpc0

.. cmdinclude:: /_include/interface-disable.txt
   :var0: sstpc
   :var1: sstpc0

.. cmdinclude:: /_include/interface-mtu.txt
   :var0: sstpc
   :var1: sstpc0

.. cmdinclude:: /_include/interface-vrf.txt
   :var0: sstpc
   :var1: sstpc0

SSTP Client Options
===================

.. cfgcmd:: set interfaces sstpc <interface> no-default-route

   Only request an address from the SSTP server but do not install any default
   route.

   Example:

   .. code-block:: none

     set interfaces sstpc sstpc0 no-default-route

   .. note:: This command was added in VyOS 1.4 and inverts the logic of the old
     ``default-route`` CLI option.

.. cfgcmd:: set interfaces sstpc <interface> default-route-distance <distance>

   Set the distance for the default gateway sent by the SSTP server.

   Example:

   .. code-block:: none

     set interfaces sstpc sstpc0 default-route-distance 220

.. cfgcmd:: set interfaces sstpc <interface> no-peer-dns

   Do not install the DNS nameservers advertised by the SSTP server into the
   local system.

.. cfgcmd:: set interfaces sstpc <interface> server <address>

   SSTP remote server to connect to. Can be either an IP address or FQDN.

.. cfgcmd:: set interfaces sstpc <interface> ip adjust-mss <mss | clamp-mss-to-pmtu>

  As Internet-wide PMTU discovery rarely works, we sometimes need to clamp our
  TCP MSS value to a specific value. The MSS is a field in the TCP options part
  of a SYN packet. By setting the MSS value, you are telling the remote side
  unequivocally 'do not try to send me packets bigger than this value'.

  .. note:: This command was introduced in VyOS 1.4 - it was previously called:
    ``set firewall options interface <name> adjust-mss <value>``

  .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in
    1452 bytes on a 1492 byte MTU.

  Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to
  automatically set the proper value.
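The clamping described above, as an added example that is not VyOS code: a small Python model of what an MSS clamp does to a TCP SYN. The SYN segment is constructed inline for the example (no captured traffic), the MSS limit is derived exactly as in the hint (MTU minus 20-byte IP header minus 20-byte TCP header), and only the numeric-MSS case is modelled, not ``clamp-mss-to-pmtu``. The TCP checksum is left untouched, which a real clamp would recompute.

```python
import struct

# Constructed sample: a TCP SYN header with an MSS option, built for this
# example. Layout: 20-byte fixed header, then options MSS (kind 2, len 4),
# NOP (kind 1), Window Scale (kind 3, len 3) = 8 bytes, so data offset is 7.
def build_syn(mss, src_port=40000, dst_port=443):
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
    data_offset_words = (20 + len(options)) // 4
    syn_flag = 0x02
    fixed = struct.pack("!HHIIBBHHH",
                        src_port, dst_port,
                        0,                        # sequence number
                        0,                        # acknowledgement number
                        data_offset_words << 4,   # data offset, upper nibble
                        syn_flag,
                        65535,                    # window
                        0,                        # checksum (not computed here)
                        0)                        # urgent pointer
    return fixed + options


def mss_option_offset(segment):
    """Walk the TCP options; return the byte offset of the MSS value, or None.
    Bounds are checked so a malformed option list cannot run off the header."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                  # End of Option List
            return None
        if kind == 1:                  # NOP: one byte, no length field
            i += 1
            continue
        if i + 1 >= header_len:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            return None                # malformed option, stop parsing
        if kind == 2 and length == 4:  # MSS option: value is the next 2 bytes
            return i + 2
        i += length
    return None


def read_mss(segment):
    """Advertised MSS of a segment, or None when no MSS option is present."""
    off = mss_option_offset(segment)
    if off is None:
        return None
    return struct.unpack_from("!H", segment, off)[0]


def clamp_mss(segment, mtu, ip_header_len=20):
    """Return (segment, effective_mss). The MSS option is only negotiated on
    SYN, so other segments pass through unchanged. When the advertised MSS
    exceeds MTU - IP header - 20-byte TCP header, it is rewritten to that
    limit, e.g. 1452 for a 1492-byte MTU."""
    limit = mtu - ip_header_len - 20
    if not segment[13] & 0x02:
        return segment, None
    off = mss_option_offset(segment)
    if off is None:
        return segment, None
    advertised = struct.unpack_from("!H", segment, off)[0]
    if advertised <= limit:
        return segment, advertised
    buf = bytearray(segment)
    struct.pack_into("!H", buf, off, limit)
    return bytes(buf), limit


if __name__ == "__main__":
    syn = build_syn(1460)
    clamped, effective = clamp_mss(syn, 1492)
    print("advertised", read_mss(syn), "-> effective", effective)
```

Running the block shows an Ethernet-sized MSS of 1460 being lowered to 1452 for the 1492-byte PPPoE-style MTU from the hint, while a SYN that already advertises a smaller MSS is returned unchanged.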

.. cfgcmd:: set interfaces sstpc <interface> ip disable-forwarding

  Configure interface-specific Host/Router behaviour. If set, the interface will
  switch to host mode and IPv6 forwarding will be disabled on this interface.

.. cfgcmd:: set interfaces sstpc <interface> ip source-validation <strict | loose | disable>

  Enable source validation by reverse path, as specified in :rfc:`3704`.
  Current recommended practice in :rfc:`3704` is to enable strict mode to
  prevent IP spoofing as used in DDoS attacks. If asymmetric routing or other
  complicated routing is in use, loose mode is recommended instead.

  - strict: Each incoming packet's source address is tested against the FIB and
    if the ingress interface is not the best reverse path the packet check will
    fail. By default failed packets are discarded.

  - loose: Each incoming packet's source address is tested against the FIB and
    if the source address is not reachable via any interface the packet check
    will fail.

  - disable: No source validation.
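The three modes above, as an added example that is not VyOS code: a Python model of the RFC 3704 check run over a constructed FIB. The prefixes and interface names are made up for the example; the lookup is a longest-prefix match, as the kernel's FIB lookup is, and the check is applied to a few constructed packets arriving on the SSTP client interface.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB for the example: (prefix, interface the FIB would use to
# reach it). No default route, so some sources are genuinely unreachable.
FIB = [
    (ip_network("192.0.2.0/24"), "sstpc0"),   # addresses behind the SSTP tunnel
    (ip_network("10.0.0.0/8"), "eth1"),       # internal network
    (ip_network("10.20.0.0/16"), "eth2"),     # more specific internal prefix
]


def best_reverse_path(fib, src):
    """Longest-prefix match on the source address. Returns the interface the
    FIB would forward to src through, or None when no route covers it."""
    addr = ip_address(src)
    matches = [(net, iface) for net, iface in fib if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)[1]


def source_validation(fib, mode, src, ingress):
    """True when a packet with source src arriving on ingress passes the
    reverse-path check in the given mode (strict, loose or disable)."""
    if mode == "disable":
        return True
    reverse_path = best_reverse_path(fib, src)
    if mode == "loose":
        # reachable via any interface is enough
        return reverse_path is not None
    if mode == "strict":
        # the ingress interface must be the best route back to the source
        return reverse_path == ingress
    raise ValueError(f"unknown source-validation mode {mode!r}")


def evaluate(fib, packets):
    """Run every mode over constructed (src, ingress) pairs; returns a dict
    keyed by (mode, src, ingress) with the pass/fail verdict."""
    verdicts = {}
    for src, ingress in packets:
        for mode in ("strict", "loose", "disable"):
            verdicts[(mode, src, ingress)] = source_validation(fib, mode, src, ingress)
    return verdicts


if __name__ == "__main__":
    # Constructed packets: a legitimate tunnel peer, an internal address that
    # arrives on the wrong interface (spoofed or asymmetric), and an address
    # with no route at all.
    samples = [("192.0.2.77", "sstpc0"), ("10.20.1.5", "sstpc0"), ("203.0.113.9", "sstpc0")]
    for key, ok in evaluate(FIB, samples).items():
        print(key, "pass" if ok else "drop")
```

The second sample is the asymmetric-routing case the text warns about: strict mode drops a 10.20.1.5 source on ``sstpc0`` because the FIB says eth2 is the way back, while loose mode accepts it since a route exists. Note that once a default route is present in the FIB, loose mode considers every source reachable and only strict mode still filters.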

*********
Operation
*********

.. opcmd:: show interfaces sstpc <interface>

   Show detailed information on the given `<interface>`.

   .. code-block:: none

     vyos@vyos:~$ show interfaces sstpc sstpc10
     sstpc10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3
         link/ppp
         inet 192.0.2.5 peer 192.0.2.254/32 scope global sstpc10
            valid_lft forever preferred_lft forever
         inet6 fe80::fd53:c7ff:fe8b:144f/64 scope link
            valid_lft forever preferred_lft forever

         RX:  bytes  packets  errors  dropped  overrun       mcast
                215        9       0        0        0           0
         TX:  bytes  packets  errors  dropped  carrier  collisions
                539       14       0        0        0           0


Connect/Disconnect
==================

.. opcmd:: disconnect interface <interface>

   Disconnect the given connection-oriented interface. `<interface>` can be
   ``sstpc0``, for example.

.. opcmd:: connect interface <interface>

   Connect the given connection-oriented interface. `<interface>` can be
   ``sstpc0``, for example.