| field | value | date |
|---|---|---|
| author | Christian Poessinger <christian@poessinger.com> | 2019-08-06 09:51:09 +0200 |
| committer | Christian Poessinger <christian@poessinger.com> | 2019-08-06 09:51:09 +0200 |
| commit | 624c3cd42a15c72c367fce233dd9b429eed1e3e0 | |
| tree | 2a029844cc23880e80a4aa6e0efdc97b45e1758e | |
| parent | 7c6604f76aebaef588181d121e16b91d9c93d41b | |
L2TP: change to 80 characters column width
| -rw-r--r-- | docs/vpn/l2tp.rst | 74 | 
1 files changed, 46 insertions, 28 deletions
| diff --git a/docs/vpn/l2tp.rst b/docs/vpn/l2tp.rst index 76268900..0dd5fe3e 100644 --- a/docs/vpn/l2tp.rst +++ b/docs/vpn/l2tp.rst @@ -3,7 +3,8 @@  L2TP  ----------- -VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be used with local authentication or a connected RADIUS server.  +VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be used +with local authentication or a connected RADIUS server.  L2TP over IPsec  =============== @@ -26,7 +27,8 @@ with native Windows and Mac VPN clients):    set vpn l2tp remote-access authentication mode local    set vpn l2tp remote-access authentication local-users username test password 'test' -In the example above an external IP of 192.0.2.2 is assumed. Nexthop IP address 192.168.255.1 uses as client tunnel termination point. +In the example above an external IP of 192.0.2.2 is assumed. Nexthop IP address +192.168.255.1 uses as client tunnel termination point.  If a local firewall policy is in place on your external interface you will need  to allow the ports below: @@ -66,7 +68,8 @@ To allow VPN-clients access via your external address, a NAT rule is required:    set nat source rule 110 translation address masquerade -VPN-clients will request configuration parameters, optionally you can DNS parameter to the client. +VPN-clients will request configuration parameters, optionally you can DNS +parameter to the client.  .. code-block:: sh 
@@ -82,15 +85,15 @@ operational command, or **show l2tp-server sessions**  .. code-block:: sh    vyos@vyos:~$ show vpn remote-access -   ifname | username | calling-sid  |      ip       | rate-limit | type | comp | state  |  uptime   +   ifname | username | calling-sid  |      ip       | rate-limit | type | comp | state  |  uptime    --------+----------+--------------+---------------+------------+------+------+--------+---------- -   ppp0   | vyos     | 192.168.0.36 | 192.168.255.1 |            | l2tp |      | active | 00:06:13  +   ppp0   | vyos     | 192.168.0.36 | 192.168.255.1 |            | l2tp |      | active | 00:06:13  LNS (L2TP Network Server)  ========================= -LNS are often used to connect to a LAC (L2TP Access Concentrator).  +LNS are often used to connect to a LAC (L2TP Access Concentrator).  Below is an example to configure a LNS: 
@@ -101,13 +104,16 @@ Below is an example to configure a LNS:    set vpn l2tp remote-access client-ip-pool start 192.168.255.2    set vpn l2tp remote-access client-ip-pool stop 192.168.255.254    set vpn l2tp remote-access lns shared-secret 'secret' -  set vpn l2tp remote-access ccp-disable  +  set vpn l2tp remote-access ccp-disable    set vpn l2tp remote-access authentication mode local    set vpn l2tp remote-access authentication local-users username test password 'test' -The example above uses 192.0.2.2 as external IP address, the nexthop is supposed to be 192.168.255.1 and is used as client termination point. -A LAC normally requires an authentication password, which is set in the example configuration to ``lns shared-secret 'secret'``. -This setup requires the Compression Control Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` accomplishes that.  +The example above uses 192.0.2.2 as external IP address, the nexthop is supposed +to be 192.168.255.1 and is used as client termination point. A LAC normally +requires an authentication password, which is set in the example configuration +to ``lns shared-secret 'secret'``. This setup requires the Compression Control +Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` +accomplishes that.  Bandwidth Shaping @@ -115,7 +121,7 @@ Bandwidth Shaping  Bandwidth rate limits can be set for local users or via RADIUS based attributes. -Bandwidth Shaping for local users  +Bandwidth Shaping for local users  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  The rate-limit is set in kbit/sec. 
@@ -131,31 +137,34 @@ The rate-limit is set in kbit/sec.    set vpn l2tp remote-access authentication local-users username test rate-limit download 20480    set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240 -  vyos@vyos:~$ show vpn remote-access  -  ifname | username | calling-sid  |      ip       | rate-limit  | type | comp | state  |  uptime    +  vyos@vyos:~$ show vpn remote-access +  ifname | username | calling-sid  |      ip       | rate-limit  | type | comp | state  |  uptime    -------+----------+--------------+---------------+-------------+------+------+--------+----------- -  ppp0   | test     | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp |      | active | 00:06:30   +  ppp0   | test     | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp |      | active | 00:06:30  RADIUS authentication  ====================== -To enable RADIUS based authentication, the authentication mode needs to be changed withing the configuration. -Previous settings like the local users, still exists within the configuration, however they are not used if the mode -has been changed from local to radius. Once changed back to local, it will use all local accounts again. +To enable RADIUS based authentication, the authentication mode needs to be +changed withing the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again.  .. code-block:: sh    set vpn l2tp remote-access authentication mode <local|radius> -Since the RADIUS server would be a single point of failure, multiple RADIUS server can be setup and will be used subsequentially.  +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially.  .. 
code-block:: sh    set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'    set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo' -.. note:: Some RADIUS_ severs use an access control list which allows or denies queries,   -   make sure to add your VyOS router to the allowed client list. +.. note:: Some RADIUS_ severs use an access control list which allows or denies +   queries, make sure to add your VyOS router to the allowed client list.  RADIUS source address  ^^^^^^^^^^^^^^^^^^^^^ @@ -171,8 +180,8 @@ single source IP e.g. the loopback interface.  Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries  on this NAS. -.. note:: -  The ``source-address`` must be configured on one of VyOS interface. +.. note:: The ``source-address`` must be configured on one of VyOS interface. +   Best proctice would be a loopback or dummy interface.  RADIUS bandwidth shaping attribute  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -183,31 +192,40 @@ To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enable    set vpn l2tp remote-access authentication radius rate-limit enable -The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also redefine it. +The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also +redefine it.  .. code-block:: sh    set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed -.. note:: If you set a custom RADIUS attribute you must define it on both dictionaries at RADIUS server and client, which is the vyos router in our example. +.. note:: If you set a custom RADIUS attribute you must define it on both +   dictionaries at RADIUS server and client, which is the vyos router in our +   example.  The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/radius/``  RADIUS advanced features  ^^^^^^^^^^^^^^^^^^^^^^^^ -Received RADIUS attributes have a higher priority than parameters defined withm the cli configuration, refer to the explanation below. + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below.  Allocation clients ip addresses by RADIUS  ***************************************** -If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ip-pool within the cli config is being ignored. +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ip-pool within the CLI +config is being ignored.  Renaming clients interfaces by RADIUS  ************************************* -If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be renamed. +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. -.. 
note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 characters, otherwise the interface won't be renamed. +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 +   characters, otherwise the interface won't be renamed.  .. _`Google Public DNS`: https://developers.google.com/speed/public-dns | 
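Review bot: the reflowed opening sentence in the first hunk (`@@ -3,7 +3,8 @@`) still says accel-ppp provides "SSTP server functionality", but this is the L2TP chapter; since the line is being rewritten anyway, change it to "L2TP server functionality" so the introduction matches the page.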
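Review bot: in the `@@ -26,7 +27,8 @@` hunk the sentence "Nexthop IP address 192.168.255.1 uses as client tunnel termination point" is reflowed but keeps its missing verb; it should read "Nexthop IP address 192.168.255.1 is used as the client tunnel termination point".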
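Review bot: in the `@@ -66,7 +68,8 @@` hunk "optionally you can DNS parameter to the client" is still missing its verb after the line break; suggest "optionally you can pass DNS parameters to the client".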
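Review bot: the new line "Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable``" in the `@@ -101,13 +104,16 @@` hunk is over 80 characters, so this hunk does not meet the stated goal of the commit; break before the literal, e.g. "Protocol (CCP) to be disabled; the command" on one line and "``set vpn l2tp remote-access ccp-disable`` accomplishes that." on the next, which also fixes "requires ... being disabled".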
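Review bot: several typos survive the reflow in the `@@ -131,31 +137,34 @@` hunk and are worth fixing in the same touch: "withing" should be "within", "Previous settings like the local users, still exists" should be "Previous settings, like the local users, still exist", "subsequentially" should be "consecutively", and "Some RADIUS_ severs" in the note should be "servers".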
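Review bot: the `@@ -171,8 +180,8 @@` hunk adds a new sentence, "Best proctice would be a loopback or dummy interface.", which has a typo ("practice") and is content rather than a reflow, so it would be cleaner in its own commit; the existing "on one of VyOS interface" should also read "on one of the VyOS interfaces".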
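Review bot: the two sub-headings reflowed in the `@@ -183,31 +192,40 @@` hunk keep their grammar problems: "Allocation clients ip addresses by RADIUS" should read "Allocating client IP addresses via RADIUS" and "Renaming clients interfaces by RADIUS" should read "Renaming client interfaces via RADIUS"; the underline length must be adjusted to match if the titles change.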
