author: hagbard <vyosdev@derith.de> 2019-07-31 15:10:54 -0700
committer: hagbard <vyosdev@derith.de> 2019-07-31 15:10:54 -0700
commit: 259c959c6210248faecf982bcaf12904e0cf5c7a (patch)
tree: 6b27eb3391aa973cadd5f0d7c88387f1aba77e69
parent: 99e35bc31f748f9f260e54f6f9d612b42af57fad (diff)
download: vyos-documentation-259c959c6210248faecf982bcaf12904e0cf5c7a.tar.gz
          vyos-documentation-259c959c6210248faecf982bcaf12904e0cf5c7a.zip
[SSTP] - T1552: SSTP documentation
-rw-r--r--  docs/services/index.rst        |  3
-rw-r--r--  docs/services/references.rst   |  2
-rw-r--r--  docs/services/sstp-server.rst  | 76
3 files changed, 80 insertions, 1 deletions
diff --git a/docs/services/index.rst b/docs/services/index.rst
index 57471cf8..03fdc9c4 100644
--- a/docs/services/index.rst
+++ b/docs/services/index.rst
@@ -18,8 +18,9 @@ This chapter descriptes the available system/network services provided by VyOS.
dynamic-dns
lldp
mdns-repeater
- pppoe-server
ipoe-server
+ pppoe-server
+ sstp-server
udp-broadcast-relay
snmp
ssh
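Review bot: moving `pppoe-server` below `ipoe-server` is an unrelated reordering bundled into an SSTP documentation commit, and the toctree is not alphabetical anyway (`udp-broadcast-relay` still precedes `snmp` and `ssh`), so either add only the `sstp-server` line here and sort the whole list in its own commit, or sort all entries in this one. While touching this file, the chapter intro visible in the hunk context has a typo, `descriptes` for `describes`.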
diff --git a/docs/services/references.rst b/docs/services/references.rst
index 3a2f4b74..257ffe11 100644
--- a/docs/services/references.rst
+++ b/docs/services/references.rst
@@ -11,3 +11,5 @@
.. _Squidguard: http://www.squidguard.org/
.. _TFTP: https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
.. _`arbitrary extension commands`: http://net-snmp.sourceforge.net/docs/man/snmpd.conf.html#lbAZ
+.. _`accel-ppp`: https://accel-ppp.org/
+.. _`Secure Socket Tunneling Protocol`: https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol
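Review bot: these two labels go into the `references.rst` that every page in `docs/services/` pulls in via `.. include::`, so they must not collide with a target defined on any of those pages or Sphinx will report a duplicate explicit target; `accel-ppp` in particular is a name the PPPoE and IPoE pages are likely to want as well, so it is worth grepping the chapter before merging. For the protocol itself, the Wikipedia article is a thin reference for a page whose main content is TLS certificate setup; consider linking the MS-SSTP protocol specification alongside it.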
diff --git a/docs/services/sstp-server.rst b/docs/services/sstp-server.rst
new file mode 100644
index 00000000..8ee8ef45
--- /dev/null
+++ b/docs/services/sstp-server.rst
@@ -0,0 +1,76 @@
+
+SSTP server
+------------
+
+VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be
+used with local authentication or a connected RADIUS server.
+
+.. note:: **Please be aware, due to an upstream bug, config changes/commits
+ will restart the ppp daemon and will reset existing PPPoE connections from
+ connected users, in order to become effective.**
+
+Configuration
+^^^^^^^^^^^^^
+
+The `Secure Socket Tunneling Protocol`_ (SSTP), provides ppp via a SSL/TLS channel.
+Using publically signed certificates as well a by private PKI, is fully supported.
+All certficates should be stored on VyOS under ``/config/user-data/sstp``.
+
+
+Self Signed CA and server certificates
+======================================
+
+To generate the CA, the server private key and certificates the following commands can be used.
+
+.. code-block:: sh
+
+ vyos@vyos:~$ conf
+ [edit]
+ vyos@vyos# mkdir -p /config/user-data/sstp && cd /config/user-data/sstp
+ [edit]
+ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout server.key -out server.crt
+
+ Generating a 4096 bit RSA private key
+ .........................++
+ ...............................................................++
+ writing new private key to 'server.key'
+ [...]
+ Country Name (2 letter code) [AU]:
+ State or Province Name (full name) [Some-State]:
+ Locality Name (eg, city) []:
+ Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+ Organizational Unit Name (eg, section) []:
+ Common Name (e.g. server FQDN or YOUR name) []:
+ Email Address []:
+
+ vyos@vyos# openssl req -new -x509 -key server.key -out ca.crt
+ [...]
+ Country Name (2 letter code) [AU]:
+ State or Province Name (full name) [Some-State]:
+ Locality Name (eg, city) []:
+ Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+ Organizational Unit Name (eg, section) []:
+ Common Name (e.g. server FQDN or YOUR name) []:
+ Email Address []:
+ [edit]
+ vyos@vyos#
+
+
+The example below will answer configuration request for the user user ``foo``.
+
+Use <tab> to setup the ``set sstp-settings ssl-certs ...``, it automatically looks for all files and directories in ``/config/user-data/sstp``.
+
+.. code-block:: sh
+
+ set authentication local-users username foo password 'bar'
+ set authentication mode 'local'
+ set network-settings client-ip-settings gateway-address '10.100.100.1'
+ set network-settings client-ip-settings subnet '192.168.0.0/24'
+ set network-settings dns-server primary-dns '10.100.100.1'
+ set network-settings dns-server secondary-dns '10.200.100.1'
+ set sstp-settings ssl-certs ca 'ca.crt'
+ set sstp-settings ssl-certs server-cert 'server.crt'
+ set sstp-settings ssl-certs server-key 'server.key'
+
+
+.. include:: references.rst
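Review bot: the certificate procedure under `Self Signed CA and server certificates` does not produce a CA-signed server certificate. The first command, `openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout server.key -out server.crt`, already emits a self-signed server certificate, and the second, `openssl req -new -x509 -key server.key -out ca.crt`, emits a second self-signed certificate from the same private key, so `ca.crt` never signs `server.crt` and the "CA" and the server share one key that lives on the router. A client told to trust `ca.crt` gains nothing from it, and because the second command omits `-days`, `ca.crt` gets OpenSSL's 30-day default validity. Suggest replacing the block with the conventional sequence: create `ca.key`/`ca.crt` with `openssl req -x509 -days ...`, create the server key and a CSR with `openssl req -newkey rsa:4096 -nodes -keyout server.key -out server.csr`, sign it with `openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt`, and keep `ca.key` off the router. The transcript also leaves `Common Name (e.g. server FQDN or YOUR name) []:` blank with no guidance; it should be the hostname clients dial, since SSTP clients validate the server certificate against it, and the text should mention that `-nodes` writes `server.key` unencrypted, so its permissions under `/config/user-data/sstp` need to be restricted. Second, the `set` commands in the last block have no `service sstp-server` prefix (`set authentication mode 'local'` is not a top-level path); either prefix every line or show the `edit service sstp-server` step that precedes them. Third, the admonition warns that commits "will reset existing PPPoE connections", which reads as copied from the PPPoE page; on this page it should say SSTP connections. Minor: `publically` -> `publicly`, `certficates` -> `certificates`, "as well a by private PKI" -> "as well as a private PKI", "for the user user ``foo``" has a doubled word, "Use <tab> to setup" -> "set up", the first `openssl` invocation in the transcript is shown without the `vyos@vyos#` prompt the surrounding lines use, and the heading should read "Self-signed CA".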