summaryrefslogtreecommitdiff
path: root/docs/services/sstp-server.rst
blob: 6e311e19e43b29f3a346309f9bbdd8cd34cb19f7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
.. _sstp_server:

###########
SSTP Server
###########

:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN
(Virtual Private Network)` tunnel that provides a mechanism to transport PPP
traffic through an SSL/TLS channel. SSL/TLS provides transport-level security
with key negotiation, encryption and traffic integrity checking. The use of
SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls
and proxy servers except for authenticated web proxies.

SSTP is available for Linux, BSD, and Windows.

VyOS utilizes accel-ppp_ to provide SSTP server functionality. We support both
local and RADIUS authentication.

As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
certificates as well as a private PKI is required.

.. note:: All certificates should be stored on VyOS under
  ``/config/user-data/sstp``. If certificates are not stored unt ``/config``
  they will not be migrated during a software update.

Self Signed CA and Certificates
===============================

To generate the CA, the server private key and certificates the following
commands can be used.

.. code-block:: none


  vyos@vyos:~$ mkdir -p /config/user-data/sstp
  vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt

  Generating a 4096 bit RSA private key
  .........................++
  ...............................................................++
  writing new private key to 'server.key'
  [...]
  Country Name (2 letter code) [AU]:
  State or Province Name (full name) [Some-State]:
  Locality Name (eg, city) []:
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
  Organizational Unit Name (eg, section) []:
  Common Name (e.g. server FQDN or YOUR name) []:
  Email Address []:

  vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
  [...]
  Country Name (2 letter code) [AU]:
  State or Province Name (full name) [Some-State]:
  Locality Name (eg, city) []:
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
  Organizational Unit Name (eg, section) []:
  Common Name (e.g. server FQDN or YOUR name) []:
  Email Address []:


Configuration
=============

.. cfgcmd:: set service sstp-server authentication local-users username <user> password <pass>

  Create `<user>` for local authentication on this system. The users password
  will be set to `<pass>`.

.. cfgcmd:: set service sstp-server authentication protocols <pap | chap | mschap | mschap-v2>

  Require the peer to authenticate itself using one of the following protocols:
  pap, chap, mschap, mschap-v2.

.. cfgcmd:: set service sstp-server authentication mode <local | radius>

  Set authentication backend. The configured authentication backend is used
  for all queries.

  * **radius**: All authentication queries are handled by a configured RADIUS
    server.
  * **local**: All authentication queries are handled locally.


.. cfgcmd:: set service sstp-server network-settings client-ip-settings gateway-address <gateway>

  Specifies single `<gateway>` IP address to be used as local address of PPP
  interfaces.


.. cfgcmd:: set service sstp-server network-settings client-ip-settings subnet <subnet>

  Use `<subnet>` as the IP pool for all connecting clients.


.. cfgcmd:: set service sstp-server network-settings dns-server primary-dns <address>

  Connected client should use `<address>` as their primary DNS server.


.. cfgcmd:: set service sstp-server network-settings dns-server secondary-dns <address>

  Connected client should use `<address>` as their secondary DNS server.

SSL Certificates
----------------

.. cfgcmd:: set service sstp-server sstp-settings ssl-certs ca <file>

  Path to `<file>` pointing to the certificate authority certificate.

.. cfgcmd:: set service sstp-server sstp-settings ssl-certs server-cert <file>

  Path to `<file>` pointing to the servers certificate (public portion).

.. cfgcmd:: set service sstp-server sstp-settings ssl-certs server-key <file>

  Path to `<file>` pointing to the servers certificate (private portion).

PPP Settings
------------

.. cfgcmd:: set service sstp-server ppp-settings lcp-echo-failure <number>

  Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
  value `<number>`, the session will be reset.

.. cfgcmd:: set service sstp-server ppp-settings lcp-echo-interval <interval>

  If this option is specified and is greater than 0, then the PPP module will
  send LCP pings of the echo request every `<interval>` seconds.

.. cfgcmd:: set service sstp-server ppp-settings lcp-echo-timeout

  Specifies timeout in seconds to wait for any peer activity. If this option
  specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
  is not used.

.. cfgcmd:: set service sstp-server ppp-settings mppe <require | prefer | deny>

  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation
  preference.

  * **require** - ask client for mppe, if it rejects drop connection
  * **prefer** - ask client for mppe, if it rejects don't fail
  * **deny** - deny mppe

  Default behavior - don't ask client for mppe, but allow it if client wants.
  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
  attribute.


RADIUS
------

Server
^^^^^^

.. cfgcmd:: set service sstp-server authentication radius-server <server> secret <secret>

  Configure RADIUS `<server>` and its required shared `<secret>` for
  communicating with the RADIUS server.

.. cfgcmd:: set service sstp-server authentication radius-server <server> secret <secret>

  Configure RADIUS `<server>` and its required shared `<secret>` for
  communicating with the RADIUS server.

.. cfgcmd:: set service sstp-server authentication radius-server <server> fail-time <time>

  Mark RADIUS server as offline for this given `<time>` in seconds.

.. cfgcmd:: set service sstp-server authentication radius-server <server> req-limit <limit>

  Maximum number of simultaneous requests to RADIUS server, default is
  unlimited.

Options
^^^^^^^

.. cfgcmd:: set service sstp-server authentication radius-settings acct-timeout

  Timeout to wait reply for Interim-Update packets. (default 3 seconds)


.. cfgcmd:: set service sstp-server authentication radius-settings dae-server ip-address <address>

  Specifies IP address for Dynamic Authorization Extension server (DM/CoA)


.. cfgcmd:: set service sstp-server authentication radius-settings dae-server port <port>

  Port for Dynamic Authorization Extension server (DM/CoA)


.. cfgcmd:: set service sstp-server authentication radius-settings dae-server secret <secret>

  Secret for Dynamic Authorization Extension server (DM/CoA)


.. cfgcmd:: set service sstp-server authentication radius-settings max-try <number>

  Maximum number of tries to send Access-Request/Accounting-Request queries


.. cfgcmd:: set service sstp-server authentication radius-settings timeout <timeout>

  Timeout to wait response from server (seconds)


.. cfgcmd:: set service sstp-server authentication radius-settings nas-identifier <identifier>

  Value to send to RADIUS server in NAS-Identifier attribute and to be matched
  in DM/CoA requests.


.. cfgcmd:: set service sstp-server authentication radius-settings nas-ip-address <address>

  Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
  in DM/CoA requests. Also DM/CoA server will bind to that address.


.. cfgcmd:: set service sstp-server authentication radius-settings rate-limit attribute <attribute>

  Specifies which RADIUS server attribute contains the rate limit information.
  The default attribute is `Filter-Id`.


.. cfgcmd:: set service sstp-server authentication radius-settings rate-limit enable

  Enables bandwidth shaping via RADIUS.


.. cfgcmd:: set service sstp-server authentication radius-settings rate-limit vendor

  Specifies the vendor dictionary, dictionary needs to be in
  /usr/share/accel-ppp/radius.



Example
=======

* Use local user `foo` with password `bar`
* Client IP addresses will be provided from pool `192.0.2.0/24`

Use <tab> to setup the ``set sstp-settings ssl-certs ...``, it automatically
looks for all files and directories in ``/config/user-data/sstp``.

.. code-block:: none

  set service sstp-server authentication local-users username foo password 'bar'
  set service sstp-server authentication mode 'local'
  set service sstp-server network-settings client-ip-settings gateway-address '192.0.2.0'
  set service sstp-server network-settings client-ip-settings subnet '192.0.2.0/24'
  set service sstp-server network-settings dns-server primary-dns '10.100.100.1'
  set service sstp-server network-settings dns-server secondary-dns '10.200.100.1'
  set service sstp-server sstp-settings ssl-certs ca 'ca.crt'
  set service sstp-server sstp-settings ssl-certs server-cert 'server.crt'
  set service sstp-server sstp-settings ssl-certs server-key 'server.key'

.. include:: ../common-references.rst